Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats · PDF fileIsolating...

SESSION ID:SESSION ID:

#RSAC

Rotem Salinas

Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats

HTA-R11

Senior Security ResearcherRSA [email protected]@rotemsalinas

Uri Fleyder-KotlerAdvanced Threats Research Lab ManagerRSA [email protected]@ufleyder

#RSAC

Houston We Have a Problem

2

Agentless/non malware attacks is a rapidly growing threat

Attackers are implementing stealthier methods to bypass defenses

#RSAC

Research Goals

3

GoalsFind a way to assess a script’s “maliciousness” automaticallyDo it without the potential harm of infectionMake it fast!

Narrow the problem spaceVBA PowershellNot focused on the code extraction

The same concepts can apply to similar problems

#RSAC

The “Imaginary Engine”

4

How can we develop such 1337 imaginary engine

Problem solving in 3 basic stepsAnalyzeBrainstormingImplementation

#RSAC

The First Step – Malware Analyst Standpoint

5

DetermineExecution

FlowDeobfuscate

Find Suspicious

Activity

Traditional Static Analysis Approach

#RSAC

Perception Test – What Attackers Do?

6

#RSAC

The First Step – Understanding The Attacker’s Mindset

7

#RSAC

The First Step – Understanding The Attacker’s Mindset

8

#RSAC

The First Step – The Attacker’s Main Objectives

9

Objectives Indicators

Code execution Prerequisite, Spawning New Processes/Threads

Persistency Disk operations, Registry operations

Stealth OS manipulation

Enumeration Registry operations, Enumeration

Command & Control / Data Exfiltration Network operations

Lateral Movement Network operations, Enumeration

#RSAC

Case Study – Dridex Campaign

10

Peaked during 2015-2016

Used Macro in Office Documents to deploy Dridex variants

Targeted many companies and financial entities around the world

Delivered in a large scale Spam/Spear-Phishing campaigns

#RSAC

Case Study – Dridex Campaign

11

#RSAC

Case Study 1 – Dridex Campaign

12

Entrypoint – This is where the code starts its execution

Non-Linear Code Execution - GoTo jumping to labels

#RSAC


13

COM Object Creation

#RSAC


14

URL De-Obfuscation + Http Request Creation

#RSAC


15

Sending GET request

Initializing ADODB object to write file to disk

#RSAC


16

Writing Response Body Data to disk

#RSAC


17

Executing Downloaded File

#RSAC

Case Study – Anunak/Carbanak

18

Financial APT

Only 1 submission to VT

Attributed to Anunak Cybergang

Final payloadVBS/PowershellPE Executable

See Full Analysis in Appendix

#RSAC

The Second Step – Brainstorming

19

Common approaches pros and consHooking— Use available source code or patch existing dll/exe— Inserting code that would sink certain expressions— Remove potentially harmful code

Taint Analysis / Symbolic Execution— Implement an engine that would emulate the language interpreter— The engine should evaluate each line of code— Instead of invoking potentially harmful expressions it would sink them

#RSAC

We Have a Winner!

20

Symbolic ExecutionPros— Cannot harm the machine in any way (even if we missed

something)— We know exactly how it works. NO Reverse Engineering!— Not limited to specific platform/OS

Cons— Hard to Implement— Might lack some language functionality

#RSAC

Symbolic Execution: Double Sweep Method

21

First sweepGlobal context— Global variables— Code

Function declarationsExternal DLL declarations

#RSAC

Symbolic Execution: Double Sweep Method

22

Second sweepFunction code - starts with EntrypointFollows execution flowExecutes stubs instead of built-in language functionsEvaluates expressions— Math— String manipulation— Logical expressions (condition evaluation)

#RSAC

Implementation Details

23

PythonPyParsingDave Beazley’s (Python guru) PLY – Python Lex Yacc— Lex – lexical analysis/tokenizer— Yacc (Yet Another Compiler Compiler) – Syntax Analyzer

BNF – Backus Naur Form

Where to start RTFM

#RSAC

Lexical Analyzer (Tokenizer)

24

TokensLanguage keywordsImmediate values— Strings— Integer/numeric values— Floating point values— Arrays/compound data-types

Identifiers – variable names, function names, object namesOperators – math, bitwise, logical, string manipulation

* Diagram courtesy of David Beazley

#RSAC

Syntax Analyzer (Parser)

25

Parses a language syntax according to the tokenized output from the lexer

The language syntax/grammar is defined by multiple functions

Each function represents a BNF expression and will pass the parsed/extracted values to the next function inline according to the BNF statement


#RSAC

PLY Lex Example

26


#RSAC

PLY Lex Example

27


#RSAC

PLY Lex Example

28


#RSAC

PLY Lex Example

29


#RSAC

PLY Lex Example

30


#RSAC

PLY Lex Example

31


#RSAC

PLY Lex Example

32


#RSAC

PLY Lex Example

33


#RSAC

Tokenizer Demo

34

#RSAC

PLY Yacc Example

35


#RSAC

PLY Yacc Example

36


#RSAC

PLY Yacc Example

37


#RSAC

PLY Yacc Example

38


#RSAC

PLY Yacc Example

39


#RSAC

Engine Design Overview

40

Scoring

Blacklist (score++)

Whitelist (score--)

A higher score -> more malicious

If score >= threshold Then isMalicious = True;

#RSAC

Obfuscation As Heuristics

41

Obfuscation can be a strong indicator for malicious behavior

ExamplesObject returned from function call

Object created from function call return value string

#RSAC

Obfuscation As Heuristics – More Examples

42

More ExamplesSelf modifying code (during runtime)

Data read from controls embedded in the document is considered suspicious

#RSAC

Demo The Engine

43

#RSAC

The Age Old Question of FP vs. FN

44

False positives

False negatives

Decide what works best for you!

#RSAC

Lessons Learned

45

ChallengesCondition evaluationRecursion limit

LessonsWhen in doubt bruteforce!Use the language specification guide as a guideline rather than implementingevery language feature that exists

#RSAC

Apply

46

DIY 1: Develop It Yourself

DIY 2: Deploy In Your OrganizationNetworkEndpoint

Use for your investigations

#RSAC

Q&ARotem Salinas Uri Fleyder-Kotler

[email protected]

@ufleyder

[email protected]

@rotemsalinas

#RSAC

VBA Indicators of Suspicious Activity

48

File System OperationsCOM Objects: Scripting.FileSystemObject, ADODB.StreamCmd – output redirect/copy/del/moveOpen builtin functionImporting External DLLs - URLMON

Network OperationsCOM Objects: Microsoft.XMLHTTP, WinHttp.WinHttpRequest

OS ManipulationImporting External DLLs – KERNEL32WMI Objects

RegistryImporting External DLLs – ADVAPI32

#RSAC


49

EnumerationWMI ObjectsCmd – net share/net use/ipconfig/environment variables

Obfuscation

Self Modifying CodeEvalCodeModule

Obfuscation Beyond Reasonable Doubt

#RSAC


50

COM Object Creation

WMI Objects Creation

Self Modifying CodeEvalCodeModule

Built-In Functions

Importing External DLL

Obfuscation Beyond Reasonable Doubt

#RSAC

VBA – COM Object Creation – Network Activity

51

Rule of thumb - If your Office Documents are communicating you are in serious troubleNetwork Activity - COM Objects

Microsoft.XMLHTTPMSXML2.SERVERXMLHTTP.6.0MSXML2.SERVERXMLHTTPMSXML2.XMLHTTPWinHttp.WinHttpRequest.5.1WinHttp.WinHttpRequestInternetExplorer.Application

#RSAC

VBA – COM Object Creation – Network Activity

52

Microsoft.XMLHTTP

WinHttp.WinHttpRequest.5.1

#RSAC

VBA – COM Object Creation – File System Activity

53

Scripting.FileSystemObject

ADODB.Stream

#RSAC

VBA – COM Object Creation – Command Execution

54

WScript.Shell

Shell.Application

#RSAC

VBA – COM Object Creation – Obfuscation

55

XStandard.Base64

MSXML2.DOMDocument.3.0

MSXML2.DOMDocument

#RSAC

VBA – Built-In Functions

56

CreateObject – Create COM object by String Object NameGetObject – Create WMI/COM objectEval – Covered In Self-ModifyingExecuteGlobal – VBS specificCallByName – Calls a Function/Method by string nameShell – Executes a CommandEnviron – Evaluates Environment VariablesKill – Deletes a FileApplication.Run – Calls a Function by String Name

#RSAC

VBA – WMI Object Creation

57

winmgmts:impersonationLevel=impersonate}!\.\root\cimv2

Examples.

.

#RSAC

VBA – Self-Modifying Code – Code Module

58

CodeModule – Allows modifications of the VBA code

#RSAC

VBA – Self-Modifying Code – Eval

59

Eval - Evaluates an expression and executes it code

ExecuteGlobal

#RSAC

VBA – Open Built-In Function

60

Write to File with Open Built-In Function

#RSAC

VBA – Importing External DLL

61

Win32 API

Examples.

.

#RSAC

Appendix – Case Study 1 A - Dridex

62

Entrypoint – This is where the code starts its execution

Non-Linear Code Execution - GoTo jumping to labels

#RSAC


63

COM Object Creation

#RSAC


64

URL De-Obfuscation + Http Request Creation

#RSAC


65

Sending GET request

Initializing ADODB object to write file to disk

#RSAC


66

Writing Response Body Data to disk

#RSAC


67

Executing Downloaded File

#RSAC

Appendix – Case Study 1 B - Dridex

68

Defining Globals

Entrypoint

#RSAC


69

Create obfuscated COM object

#RSAC


70

Create more obfuscated COM objects

#RSAC


71

Deobfuscate URL and create GET request

#RSAC


72

Send GET request

#RSAC


73

Receive Response Body and write to File

#RSAC


74

Save To Disk

Execution

#RSAC

Appendix – Case Study 2 - Ananuk

75

Entrypoint

De-obfuscate

#RSAC


76

Beacon and Deploy final Payload

De-Obfuscate

#RSAC


77

Beacon Command & Control – Phase 1

Deobfuscate

#RSAC


78

Beacon Command & Control – Phase 2

Deobfuscate

#RSAC


79

Deploy Base64 Payload

Write Base64 Decoded Payloadto Temp Path

Execute Payload

#RSAC


80

Analyzing Payload 1

Payload is an iconUsed for credibility

Attempts to gain persistency on the Victim’s machine both by using knownAutorun registry paths and by creating

A scheduled task using the schtasks command

#RSAC

Appendix – Powershell Indicators of Suspicious Activity

81

.NET Objects.NET ReflectionAdd-TypeNew-Object

WinAPI32 DLL LoadingWMI Objects

Invoke-WmiMethod

Command ExecutionInvoke-Command

COM ObjectsNew-Object –Com

#RSAC

Appendix – Powershell Obfuscation

82

Obfuscation Methods

Base64

SecureString

Custom Decoding Methods

#RSAC

Powershell Techniques - .NET Reflection

83

Example 1 – LoadWithPartialName

Example 2 - LoadName

#RSAC

Powershell Techniques - Add-Type .NET code injection

84

Creation of a new type/class using .NET code

Creating an instance of the class and invoking it’s Start method

#RSAC

Powershell Techniques – New-Object

85

Creating an object instanceIn this example System.Net.WebClient instance is created in order to download a file

#RSAC

Powershell Techniques - Invoke-WmiMethod

86

Using WMI for enumeration and system maniupulationIn this case creating a key in the windows registry

#RSAC

Powershell Techniques - DLL loading

87

Resolving Native Win32 API functions

$module = “kernel32.dll”

API Function to be resolved

#RSAC

Powershell Techniques - New-Object -com

88

Similarly to the COM objects in VBAThe same COM objects can be used in Powershell using this command

#RSAC

Powershell Techniques Obfuscation

89

Obfuscation methods in PowershellAdding Ticks (Escapes special characters but ignored if used non-special characters) + Lowercase/UppercaseString Concatenation/ManipulationGet-Command + WildCards + AliasesInvoke-Expression

#RSAC

Powershell Techniques Obfuscation - Base64

90

Base64 using .NET classes

CertUtilBy Executing the certutil tool as a commandcertutil -decode encodedInputFileName decodedOutputFileName

#RSAC

Case Study 3 – Targeted Spear Phishing Campaign

91

Javascript outer script with obfuscated strings

Base64 encoded payloadsEach string in the list is reversed

A list of string includingcommands and base64

Encoded payloads

#RSAC


92

Deploys 3 Powershell scripts on the victims machine

Payload 1 – .NET code injection using Add-Type

Creation of a new type/class using .NET code

Creating an instance of the class and invoking it’s Start method

#RSAC


93

Payload 2 – .NET code injection using Add-Type like the 1st payload

Imports multiple Win32 api functions using .NET

#RSAC


94

Payload 3 – Downloads TOR Proxifier as scheduled task

#RSAC

Case Study 4 – Powersploit + Invoke-Obfuscation

95

Open source project available on GitHub

PowerSploit includes capabilities such as:Shellcode injectionReflective DLL injectionWMICode executionMimikatz – NTLM/LM password dump

Invoke-Obfuscation is a Powershell code obfuscation framework developed by Daniel Bohannon

Date post:	18-Mar-2018
Category:	Documents
Upload:	phamdien
View:	216 times
Download:	2 times