Hidden in Plain Sight? Blackhoodie 2018 Hidden in Plain Sight

Hidden in Plain Sight? Blackhoodie 2018 Hidden in Plain Sight

Hidden in plain sight? Blackhoodie 2018 Hidden in plain sight Essy - @casheeew 3rd time Blackhoodie attendee ( it’s addictive) I’m really just curious (: Hidden in plain sight Essy - @casheeew 3rd time Blackhoodie attendee ( it’s addictive) I’m really just curious (: The infamous shoulder of giants see credits at the end > rundll32 presentation.dll,Agenda - Attack-Kill-Chain - Tools - How do they work? - What is this in memory stuff? - How do we detect it? - Living off the land playground - Conclusion - Rabbitholes > rundll32 presentation.dll,Agenda - Attack-Kill-Chain - Tools - How do they work? - What is this in memory stuff? - How do we detect it? - Living off the land playground - Conclusion - Rabbitholes It’s been a long day You’ve heard a lot of stuff. Let’s try to keep it relaxed (: > msbuild.exe attack_killchain.csproj Recon Weaponize Deliver Exploit Install C2 Actions Tools & Techniques > InstallUtil.exe /U Tools.dll - … - Bloodhound - Metasploit Framework - PowerShell Empire - ... see https://github.com/emilyanncr/Windows-Post-Exploitation - Graph theory to reveal relationships in ADs - Goal: Quickly identify complex attack paths Bloodhound - Graph queries are build via Developed: 2016 Cypher Author: Andrew Robbins, - memberOf Rohan Vazarkar, - hasSession Will Schroeder - AdminTo - ACLs Technology: Javascript - CanRDP Electron - ... neo4j PS/C# ingestor - Red & Blue team tool Techniques: Visualize relationships Meterpreter - advanced multifunction payload Metasploit Framework - multi platform - encrypted communication Developed: 2003 Author: H.D. Moore Process injection - injects itself into a running Language: Ruby process - uses reflective DLL Technqiues: Public exploits, injection post exploitation - metsrv.dll’s header can be modules, auxiliary modified to be usable as modules, ... shellcode Modules - code_execution - collection - credentials PowerShell Empire - lateral_movement - management - persistence Developed: 2015 - privesc Author: Will Schroeder, - situational_awareness Matt Nelson, - trollsploit Justin Warner Process injection Language: Python,Powershell launcher code for the agent is embedded in the .DLL Technqiues: Post-Exploitation without powershell.exe After the initial payload all subsequent attacks are stored in memory But how does it work? (In)-Memory stuff & Code injection Techniques: - Remote DLL injection - Remote Shellcode injection - Reflective DLL injection - Process Hollowing - APC injections - Atombombing - Gargoyle (ROP/APCs) - Injection via Shims - Inline Hooking - <insert more rabbit holes here> (In)-Memory stuff & Code injection Techniques: - Remote DLL injection - Remote Shellcode injection - Reflective DLL injection - Process Hollowing Disk - APC injections - Atombombing - Gargoyle (ROP/APCs) - Injection via Shims - Inline Hooking - <insert more rabbit holes here> Remote DLL injection PROCESS_CREATE_THREAD PROCESS_VM_OPERATION PROCESS_VM_WRITE Our process Victim process OpenProcess() PAGE_READWRITE VirtualAllocEx() Typical API calls WriteProcessMemory(path) “C:\temp\evil.dll” OpenProcess VirtualAllocEx GetModuleHandle() WriteProcessMemory GetProcAddress() CreateRemoteThread CreateRemoteThread() LoadLibrary(“evil.dll”) -> LoadLibrary evil.dll --- LdrLoadDll (native) evil.dll Hidden in plain sight? Remote DLL injection - Detection examples - not easy to distinguish between malicious DLL and explicitly loaded DLLs in the victim process (‘LoadLibrary’) - injected DLL hides in plain side, just try - listdlls Typical API calls - Process Explorer - Process Hacker OpenProcess - it blends in with legitmate modules VirtualAllocEx WriteProcessMemory - Chances of detection are higher if we try to hide the DLL, e.g. - unlink its entry from _LDR_DATA_TABLE_ENTRY (ldrmodules) CreateRemoteThread - unpack and copy decompressed code to new memory region -> LoadLibrary - Modern detections track & flag ‘CreateRemoteThread’ --- LdrLoadDll (native) Remote DLL injection - Detection examples - not easy to distinguish between malicious DLL and explicitly loaded DLLs in the victim process (‘LoadLibrary’) - injected DLL hides in plain side, just try - listdlls Typical API calls - Process Explorer - Process Hacker OpenProcess - it blends in with legitmate modules VirtualAllocEx WriteProcessMemory - Chances of detection are higher if we try to hide the DLL, e.g. - unlink its entry from _LDR_DATA_TABLE_ENTRY (ldrmodules) CreateRemoteThread - unpack and copy decompressed code to new memory region -> LoadLibrary - Modern detections track & flag ‘CreateRemoteThread’ --- LdrLoadDll (native) not fancy enough, let’s move on... Remote Shellcode injection 1. Our process allocates memory in the victim process using ‘VirtualAllocEx’ with the Typical API calls ‘PAGE_EXECUTE_READWRITE’ protection 2. Our process transfers a block of code to the victim OpenProcess VirtualAllocEx process using ‘WriteProcessMemory’ 3. Our process calls ‘CreateRemoteThread’ and points the WriteProcessMemory CreateRemoteThread thread’s starting address to a function within the transferred block of code inside the victim process --- LdrLoadDll (native) Hidden in plain sight? Remote shellcode injection - Detection examples Tools to investigate: - Process Hacker - Process Explorer (Sysinternals) - listdlls (Sysinternals command-line utility) - Or use the Windows API functions (see CreateToolhelp32Snapshot) Typical API calls - Volatility plugin ‘malfind’ OpenProcess - look for readable, writeable and executable private memory VirtualAllocEx regions - regions will contain shellcode (or PE header) WriteProcessMemory - malfind displays hex dump and disassembly CreateRemoteThread --- LdrLoadDll (native) Remote shellcode injection - Detection examples Tools to investigate: - Process Hacker - Process Explorer (Sysinternals) - listdlls (Sysinternals command-line utility) - Or use the Windows API functions (see CreateToolhelp32Snapshot) Typical API calls - Volatility plugin ‘malfind’ OpenProcess - look for readable, writeable and executable private memory VirtualAllocEx regions - regions will contain shellcode (or PE header) WriteProcessMemory - malfind displays hex dump and disassembly CreateRemoteThread --- LdrLoadDll (native) still too easy...let’s try harder Reflective DLL injection responsible for loading itself implements minimal PE file loader Our process recv(evil.dll, buff) evil.dll Typical API calls Victim process CreateToolhelp32Snapshot VirtualAllocEx(sizeof(buff)) Context Process32First Process32Next WriteProcessMemory() evil.dll GetModuleHandle() OpenProcess GetProcAddress() ReflectiveLoad() VirtualAllocEx WriteProcessMemory CreateRemoteThread( ) ! CreateRemoteThread NtCreateThreadEx RtlCreateUserThread see https://github.com/stephenfewer/ReflectiveDLLInjection “[...], Empire has the ability to inject an agent into another process using ReflectivePick to load up the .NET common language runtime into a process and execute a particular PowerShell command, all without starting a new powershell.exe process!” see https://www.powershellempire.com/?page_id=273 “ [...] a reflective DLL based on Stephen Fewer's method. It imports/runs a .NET assembly into its memory space that supports the running of Powershell code using System.Management.Automation. Due to its' reflective property, it can be injected into any process using a reflective injector and allows the execution of Powershell code by any process” see https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick Hidden in plain sight? Reflective DLL injection - Detection examples - Again: primary signal: Memory events - several larger RWX sections mapped into the process - allocation size - allocation history - thread information - allocation flags - Volatility plugin ‘malfind’ - look for RWX pages How Windows Defender ATP does it: https://cloudblogs.microsoft.com/microsoftsecure/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/ > !address -F:PAGE_EXECUTE_READWRITE Reflective DLL injection - Detection examples - Again: primary signal: Memory events - several larger RWX sections mapped into the process - allocation size - allocation history - thread information - allocation flags - Volatility plugin ‘malfind’ - look for RWX pages How Windows Defender ATP does it: https://cloudblogs.microsoft.com/microsoftsecure/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/ Well, well, well. Can we get fancier? > !address -F:PAGE_EXECUTE_READWRITE Legitimate process is loaded to act as a container for hostile code Process Hollowing* 1. Create a process in suspended state 2. Call ‘ZwUnmapViewSection’ to un-reserve the memory 3. Allocate memory using ‘VirtualAlloc’ 4. Write data to the process memory using ‘WriteProcessMemory’ 5. Get the thread context via ‘GetThreadContext’ 6. Modify it and set the desired context via ‘SetThreadContext’ 7. Call ‘ResumeThread’ to start the process Typical API calls C:\Windows\system Malware (no file 32\calc.exe association needed) ZwUnmapViewOfSection NtUnmapViewOfSection PID 1337 PID 1337 WriteProcessMemory NtCreateSection NtCreateSectionEx SetThreadContext unchanged PEB PEB ResumeThread unchanged ntdll.dll ntdll.dll VirtualProtectEx unchanged kernel32.dll kernel32.dll * see links at the end for a PoC Hidden in plain sight? Process Hollowing - Detection examples - Volatility - dlllist - ldrmodules - malfind # Show suspicious memory protection - Hollowfind plugin # finds discrapancy in the VAD and PEB Investigation Hollow Process Injection Using Memory Forensics ← take a look here $ python vol.py -f victim.vmem dlllist -p

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    47 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us