Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats · PDF fileIsolating...

transcript

SESSION ID:SESSION ID:

Rotem Salinas

Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats

HTA-R11

Senior Security ResearcherRSA SecurityRotem.Salinas@rsa.com@rotemsalinas

Uri Fleyder-KotlerAdvanced Threats Research Lab ManagerRSA SecurityUri.Fleyder@rsa.com@ufleyder

Houston We Have a Problem

Agentless/non malware attacks is a rapidly growing threat

Attackers are implementing stealthier methods to bypass defenses

Research Goals

GoalsFind a way to assess a script’s “maliciousness” automaticallyDo it without the potential harm of infectionMake it fast!

Narrow the problem spaceVBA PowershellNot focused on the code extraction

The same concepts can apply to similar problems

The “Imaginary Engine”

How can we develop such 1337 imaginary engine

Problem solving in 3 basic stepsAnalyzeBrainstormingImplementation

The First Step – Malware Analyst Standpoint

DetermineExecution

FlowDeobfuscate

Find Suspicious

Activity

Traditional Static Analysis Approach

Perception Test – What Attackers Do?

The First Step – Understanding The Attacker’s Mindset

The First Step – The Attacker’s Main Objectives

Objectives Indicators

Code execution Prerequisite, Spawning New Processes/Threads

Persistency Disk operations, Registry operations

Stealth OS manipulation

Enumeration Registry operations, Enumeration

Command & Control / Data Exfiltration Network operations

Lateral Movement Network operations, Enumeration

Case Study – Dridex Campaign

Peaked during 2015-2016

Used Macro in Office Documents to deploy Dridex variants

Targeted many companies and financial entities around the world

Delivered in a large scale Spam/Spear-Phishing campaigns

Case Study – Dridex Campaign

Case Study 1 – Dridex Campaign

Entrypoint – This is where the code starts its execution

Non-Linear Code Execution - GoTo jumping to labels

COM Object Creation

URL De-Obfuscation + Http Request Creation

Sending GET request

Initializing ADODB object to write file to disk

Writing Response Body Data to disk

Executing Downloaded File

Case Study – Anunak/Carbanak

Financial APT

Only 1 submission to VT

Attributed to Anunak Cybergang

Final payloadVBS/PowershellPE Executable

See Full Analysis in Appendix

The Second Step – Brainstorming

Common approaches pros and consHooking— Use available source code or patch existing dll/exe— Inserting code that would sink certain expressions— Remove potentially harmful code

Taint Analysis / Symbolic Execution— Implement an engine that would emulate the language interpreter— The engine should evaluate each line of code— Instead of invoking potentially harmful expressions it would sink them

We Have a Winner!

Symbolic ExecutionPros— Cannot harm the machine in any way (even if we missed

something)— We know exactly how it works. NO Reverse Engineering!— Not limited to specific platform/OS

Cons— Hard to Implement— Might lack some language functionality

Symbolic Execution: Double Sweep Method

First sweepGlobal context— Global variables— Code

Function declarationsExternal DLL declarations

Symbolic Execution: Double Sweep Method

Second sweepFunction code - starts with EntrypointFollows execution flowExecutes stubs instead of built-in language functionsEvaluates expressions— Math— String manipulation— Logical expressions (condition evaluation)

Implementation Details

PythonPyParsingDave Beazley’s (Python guru) PLY – Python Lex Yacc— Lex – lexical analysis/tokenizer— Yacc (Yet Another Compiler Compiler) – Syntax Analyzer

BNF – Backus Naur Form

Where to start RTFM

Lexical Analyzer (Tokenizer)

TokensLanguage keywordsImmediate values— Strings— Integer/numeric values— Floating point values— Arrays/compound data-types

Identifiers – variable names, function names, object namesOperators – math, bitwise, logical, string manipulation

* Diagram courtesy of David Beazley

Syntax Analyzer (Parser)

Parses a language syntax according to the tokenized output from the lexer

The language syntax/grammar is defined by multiple functions

Each function represents a BNF expression and will pass the parsed/extracted values to the next function inline according to the BNF statement

PLY Lex Example

Tokenizer Demo

PLY Yacc Example

Engine Design Overview

Scoring

Blacklist (score++)

Whitelist (score--)

A higher score -> more malicious

If score >= threshold Then isMalicious = True;

Obfuscation As Heuristics

Obfuscation can be a strong indicator for malicious behavior

ExamplesObject returned from function call

Object created from function call return value string

Obfuscation As Heuristics – More Examples

More ExamplesSelf modifying code (during runtime)

Data read from controls embedded in the document is considered suspicious

Demo The Engine

The Age Old Question of FP vs. FN

False positives

False negatives

Decide what works best for you!

Lessons Learned

ChallengesCondition evaluationRecursion limit

LessonsWhen in doubt bruteforce!Use the language specification guide as a guideline rather than implementingevery language feature that exists

DIY 1: Develop It Yourself

DIY 2: Deploy In Your OrganizationNetworkEndpoint

Use for your investigations

Q&ARotem Salinas Uri Fleyder-Kotler

Uri.Fleyder@rsa.com

@ufleyder

Rotem.Salinas@rsa.com

@rotemsalinas

VBA Indicators of Suspicious Activity

File System OperationsCOM Objects: Scripting.FileSystemObject, ADODB.StreamCmd – output redirect/copy/del/moveOpen builtin functionImporting External DLLs - URLMON

Network OperationsCOM Objects: Microsoft.XMLHTTP, WinHttp.WinHttpRequest

OS ManipulationImporting External DLLs – KERNEL32WMI Objects

RegistryImporting External DLLs – ADVAPI32

EnumerationWMI ObjectsCmd – net share/net use/ipconfig/environment variables

Obfuscation

Self Modifying CodeEvalCodeModule

Obfuscation Beyond Reasonable Doubt

COM Object Creation

WMI Objects Creation

Self Modifying CodeEvalCodeModule

Built-In Functions

Importing External DLL

Obfuscation Beyond Reasonable Doubt

VBA – COM Object Creation – Network Activity

Rule of thumb - If your Office Documents are communicating you are in serious troubleNetwork Activity - COM Objects

Microsoft.XMLHTTPMSXML2.SERVERXMLHTTP.6.0MSXML2.SERVERXMLHTTPMSXML2.XMLHTTPWinHttp.WinHttpRequest.5.1WinHttp.WinHttpRequestInternetExplorer.Application

VBA – COM Object Creation – Network Activity

Microsoft.XMLHTTP

WinHttp.WinHttpRequest.5.1

VBA – COM Object Creation – File System Activity

Scripting.FileSystemObject

ADODB.Stream

VBA – COM Object Creation – Command Execution

WScript.Shell

Shell.Application

VBA – COM Object Creation – Obfuscation

XStandard.Base64

MSXML2.DOMDocument.3.0

MSXML2.DOMDocument

VBA – Built-In Functions

CreateObject – Create COM object by String Object NameGetObject – Create WMI/COM objectEval – Covered In Self-ModifyingExecuteGlobal – VBS specificCallByName – Calls a Function/Method by string nameShell – Executes a CommandEnviron – Evaluates Environment VariablesKill – Deletes a FileApplication.Run – Calls a Function by String Name

VBA – WMI Object Creation

winmgmts:impersonationLevel=impersonate}!\.\root\cimv2

Examples.

VBA – Self-Modifying Code – Code Module

CodeModule – Allows modifications of the VBA code

VBA – Self-Modifying Code – Eval

Eval - Evaluates an expression and executes it code

ExecuteGlobal

VBA – Open Built-In Function

Write to File with Open Built-In Function

VBA – Importing External DLL

Win32 API

Examples.

Appendix – Case Study 1 A - Dridex

Entrypoint – This is where the code starts its execution

Non-Linear Code Execution - GoTo jumping to labels

COM Object Creation

URL De-Obfuscation + Http Request Creation

Sending GET request

Initializing ADODB object to write file to disk

Writing Response Body Data to disk

Executing Downloaded File

Appendix – Case Study 1 B - Dridex

Defining Globals

Entrypoint

Create obfuscated COM object

Create more obfuscated COM objects

Deobfuscate URL and create GET request

Send GET request

Receive Response Body and write to File

Save To Disk

Execution

Appendix – Case Study 2 - Ananuk

Entrypoint

De-obfuscate

Beacon and Deploy final Payload

De-Obfuscate

Beacon Command & Control – Phase 1

Deobfuscate

Beacon Command & Control – Phase 2

Deobfuscate

Deploy Base64 Payload

Write Base64 Decoded Payloadto Temp Path

Execute Payload

Analyzing Payload 1

Payload is an iconUsed for credibility

Attempts to gain persistency on the Victim’s machine both by using knownAutorun registry paths and by creating

A scheduled task using the schtasks command

Appendix – Powershell Indicators of Suspicious Activity

.NET Objects.NET ReflectionAdd-TypeNew-Object

WinAPI32 DLL LoadingWMI Objects

Invoke-WmiMethod

Command ExecutionInvoke-Command

COM ObjectsNew-Object –Com

Appendix – Powershell Obfuscation

Obfuscation Methods

Base64

SecureString

Custom Decoding Methods

Powershell Techniques - .NET Reflection

Example 1 – LoadWithPartialName

Example 2 - LoadName

Powershell Techniques - Add-Type .NET code injection

Creation of a new type/class using .NET code

Creating an instance of the class and invoking it’s Start method

Powershell Techniques – New-Object

Creating an object instanceIn this example System.Net.WebClient instance is created in order to download a file

Powershell Techniques - Invoke-WmiMethod

Using WMI for enumeration and system maniupulationIn this case creating a key in the windows registry

Powershell Techniques - DLL loading

Resolving Native Win32 API functions

$module = “kernel32.dll”

API Function to be resolved

Powershell Techniques - New-Object -com

Similarly to the COM objects in VBAThe same COM objects can be used in Powershell using this command

Powershell Techniques Obfuscation

Obfuscation methods in PowershellAdding Ticks (Escapes special characters but ignored if used non-special characters) + Lowercase/UppercaseString Concatenation/ManipulationGet-Command + WildCards + AliasesInvoke-Expression

Powershell Techniques Obfuscation - Base64

Base64 using .NET classes

CertUtilBy Executing the certutil tool as a commandcertutil -decode encodedInputFileName decodedOutputFileName

Case Study 3 – Targeted Spear Phishing Campaign

Javascript outer script with obfuscated strings

Base64 encoded payloadsEach string in the list is reversed

A list of string includingcommands and base64

Encoded payloads

Deploys 3 Powershell scripts on the victims machine

Payload 1 – .NET code injection using Add-Type

Creation of a new type/class using .NET code

Creating an instance of the class and invoking it’s Start method

Payload 2 – .NET code injection using Add-Type like the 1st payload

Imports multiple Win32 api functions using .NET

Payload 3 – Downloads TOR Proxifier as scheduled task

Case Study 4 – Powersploit + Invoke-Obfuscation

Open source project available on GitHub

PowerSploit includes capabilities such as:Shellcode injectionReflective DLL injectionWMICode executionMimikatz – NTLM/LM password dump

Invoke-Obfuscation is a Powershell code obfuscation framework developed by Daniel Bohannon