
Evading Defenses with Acidrain, Powershell, Github and Pastebin

Mike Poor and Jay Beale
Adam Crompton, Tyler Robinson and John Sawyer

InGuardians

(bonus booth talk on Word macro-based exploitation and remote access tool)

Copyright 2015 InGuardians, Inc.


Evasion Tactics
• Self-decrypting Python Droppers
• Powershell In-Memory Command and Control
• (Booth) Macro Execution and the Throwback Remote Access Tool
• Anti-virus vendor chosen:
  – Symantec Endpoint Protection 12.1.16

AcidRain
• We've never been caught by A/V with AcidRain
• Encrypts Python in AES-256
  – We use msfvenom's Python version of the Meterpreter
• Pyinstaller to create an EXE
• Methods of obtaining key
  – Keep the key in the payload
  – Socket connect (nc -l)
  – Web request (python SimpleHTTPServer)
• This works for any Python code.

AcidRain Modules
• System profiler
  – Mac, Linux, Windows
  – Automated post-exploitation profiling commands
  – Phones home, sends profiling output, cuts connection
  – Reconnects after a pre-defined time
• SOCKS4 proxy
• Bind shell
• Reverse shell

Uses Pyinstaller
• Pyinstaller bundles python applications into a single exe file.
• Run on Linux using Wine:

  wine c:\\Python27\\python.exe /usr/share/pyinstaller/pyinstaller.py /home/user/hello.py --onefile

Demo: AcidRain
(Video will be linked to from InGuardians website within one week)

Puppet Master C2 Framework
• Powershell Command and Control (C2) via third-party, widely-used services
• Current payloads:
  – Invoke-Github.ps1
  – Invoke-Pastebin.ps1
• If these are blocked, we can create more, making the defenders play Whack-a-Mole!
• Submitting these to @harmjoy for Empire inclusion

Powershell Commands
• The attacker types powershell commands and receives their output.
• This is incredibly powerful, as we can use all the Powershell frameworks, our own commandlets, or just start running commands.

Github and Pastebin
• On Github, we create a "gist," a non-project code publish
  – All C2 data is comments on the gist.
• On Pastebin, we create a paste.
  – Expiration date is set to a short time, say, one hour.

Encryption
• Prereq: Powershell v2.0 and .NET version 4.0
• Encryption Used: AES 256-bit using ConvertTo-SecureString and ConvertFrom-SecureString commandlets
• All commands and results are encrypted before posting to the third party page, to avoid divulging any data.

How Does the C2 Function

[Diagram repeated on each step's slide: Victim, Attacker, and Third Party Service (Pastebin, Github).]

1. Beacon checks in for a new command with dynamic jitter rate.
2. Attacker sends a command in a request to third party service's API.
3. Attacker polls the third party service until a response is posted.
4. Beacon gets the command that the attacker stored in the post and runs it on the host.
5. Beacon sends command output back to the third party service.
6. Attacker gets response from server.
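The six steps above describe a beacon that polls a gist or paste on a schedule with jitter. The following is an added, defender-side example (not code from the talk or from Invoke-Github.ps1 / Invoke-Pastebin.ps1) showing how a proxy log can be screened for exactly that pattern: for each client, the gaps between requests to a watched service are measured, and a low coefficient of variation (stdev/mean) marks a polling loop even when jitter stops the gaps from being identical. The log format, host list, sample lines, gist and paste identifiers and thresholds are all constructed assumptions.

```python
"""Spot clients polling Pastebin/GitHub-gist endpoints at a regular, jittered
cadence. Added defender-side example; not part of the talk or its tools.
Assumed (constructed) proxy log format per line:
    <ISO timestamp> <client> <method> <url> <status>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Services the talk names as C2 relays; api.github.com serves gist comments.
WATCHED_HOSTS = {"api.github.com", "gist.github.com", "pastebin.com"}

# Constructed sample log. 10.0.0.5 polls gist comments roughly every minute
# with jitter (a beacon); 10.0.0.9 fetches a paste twice; 10.0.0.11 visits
# pastebin at irregular, human-looking intervals. All ids are made up.
SAMPLE_LOG = """\
2015-06-01T10:00:00 10.0.0.5 GET https://api.github.com/gists/0123abcd/comments 200
2015-06-01T10:00:12 10.0.0.9 GET https://pastebin.com/raw/XyZ12345 200
2015-06-01T10:00:55 10.0.0.5 GET https://api.github.com/gists/0123abcd/comments 200
2015-06-01T10:01:58 10.0.0.5 GET https://api.github.com/gists/0123abcd/comments 200
2015-06-01T10:02:00 10.0.0.11 GET https://pastebin.com/ 200
2015-06-01T10:02:10 10.0.0.11 GET https://pastebin.com/AbCd1234 200
2015-06-01T10:02:50 10.0.0.5 GET https://api.github.com/gists/0123abcd/comments 200
2015-06-01T10:03:55 10.0.0.5 GET https://api.github.com/gists/0123abcd/comments 200
2015-06-01T10:04:50 10.0.0.5 POST https://api.github.com/gists/0123abcd/comments 201
2015-06-01T10:08:40 10.0.0.11 GET https://pastebin.com/AbCd1234 200
2015-06-01T10:09:00 10.0.0.11 GET https://pastebin.com/raw/AbCd1234 200
2015-06-01T10:30:12 10.0.0.9 GET https://pastebin.com/raw/XyZ12345 200
2015-06-01T10:52:00 10.0.0.11 GET https://pastebin.com/ 200
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, hostname, status)."""
    ts, client, method, url, status = line.split()
    return datetime.fromisoformat(ts), client, method, urlparse(url).hostname, int(status)


def find_beacons(log_text, min_hits=5, max_cv=0.5):
    """Return {client: {"host", "hits", "mean_interval_s", "cv"}} for clients
    whose gaps between requests to one watched host are regular enough to look
    like a polling loop. Jitter widens the gaps, so the test is the coefficient
    of variation (stdev / mean) of the gaps, not an exact period.
    min_hits and max_cv are assumed thresholds; tune them to your environment."""
    timestamps = defaultdict(list)  # (client, host) -> [datetime, ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _status = parse_line(line)
        if host in WATCHED_HOSTS:
            timestamps[(client, host)].append(ts)

    flagged = {}
    for (client, host), times in timestamps.items():
        if len(times) < min_hits:
            continue  # too few requests to call it a loop
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged[client] = {"host": host, "hits": len(times),
                               "mean_interval_s": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for client, info in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: {info['hits']} requests to {info['host']}, "
              f"every ~{info['mean_interval_s']:.0f}s (cv={info['cv']:.2f})")
```

On the constructed log only 10.0.0.5 is flagged: six requests to api.github.com about 58 seconds apart with a coefficient of variation under 0.1, while the two-request and irregular clients fall below min_hits or above max_cv. The same grouping by (client, host) works on real proxy or DNS logs once parse_line is adapted to their format.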

Demo: Invoke-Pastebin.ps1 and Invoke-Github.ps1
(Video will be linked to from InGuardians website within one week)

Booth: Macro-Based Injection
• Threat actors don't always use sophisticated attacks.
• Why use a $10k 0-Day or reverse engineer a protocol when a simple email will work?
• Microsoft Office Macro-Based Payload Injection
  – Great way to get an initial foothold or gain more access in the environment.
  – Utilize memory-based injections

Executables Embedded in Macros
• We use Office Developer Tools to create a macro containing an encrypted and base64-encoded payload.
• We place the macro in a document, formatted as a regular .doc or .xls file.
  – It does not have to be the .docm format.
• The payload executes silently in the background.
• This payload could be an .EXE or a .DLL file.

Additional A/V Evasion
• The macro can drop the payload to disk as a compressed archive to help avoid detection.
• We can extract a DLL as a .log file in a hidden directory and run it using rundll32.exe.
• In this case, we're going to place the Throwback open source RAT onto the system via the macro.

Payload and Persistence
• In this demo, the Throwback backdoor:
  – drops a .exe into a hidden directory as a hidden file
  – runs this .exe, which deletes its on-disk file
  – which in turn copies a second .exe to a different hidden directory as a different hidden file
  – and creates a service and checks proxy settings to gain Internet access to call home, all using native Windows API calls.

Throwback RAT
• We use the Throwback RAT as a long-term foothold in the organization.
• The RAT beacons home over HTTP(S) & DNS using winhttp/wininet for proxy awareness.
• The backdoor is then used to pivot to other boxes, where we deploy RATs on systems other than beaconing hosts, to retain access and avoid detection.

DLL Execution: Cobalt Strike Beacon
• Here, we place the Cobalt Strike Reverse HTTPS Beacon on the victim as perflib0.log and execute with rundll32.exe.
• Run Mimikatz and hashdump for cleartext passwords and local hashes.
• We could also use the beacon to spawn meterpreter in memory, use powershell, pivot, scan and attack.
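The macro slides and the two rundll32 slides above leave two process-creation signals a defender can key on: an Office application spawning a child process, and rundll32.exe being pointed at a module whose name does not end in .dll (the DLL parked as perflib0.log). The following is an added example, not code from the talk or from Throwback or Cobalt Strike; the event records are constructed and only loosely follow Sysmon Event ID 1 field names (Image, CommandLine, ParentImage). The Office application list, the child allowlist and every path are assumptions.

```python
"""Flag process-creation events that match the macro and rundll32 tradecraft
on these slides. Added defender-side example; not part of the talk or its tools.
Event fields follow Sysmon Event ID 1 naming, but the events below are constructed."""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children Office legitimately starts now and then (assumed allowlist);
# anything else spawned by an Office process is worth a look.
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe"}

# Second token of a command line (rundll32's module argument), quoted or not.
_SECOND_TOKEN = re.compile(r'^(?:"[^"]*"|\S+)\s+(?:"([^"]*)"|(\S+))')

# Constructed sample events: a user opening a .doc, the document spawning
# cmd.exe, cmd.exe running rundll32 on a .log in a hidden directory, a benign
# rundll32 call, a benign Office child, and Office calling rundll32 directly.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\.cache\update.exe"',
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\.cache\perflib0.log",Start',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\.cache\perflib0.log,Start",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"},
]


def basename_lower(image):
    """Case-folded file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(image).lower()


def rundll32_module(command_line):
    """Return the module path rundll32 was asked to load, or None if absent.
    Handles quoted paths and strips a trailing ',EntryPoint'."""
    m = _SECOND_TOKEN.match(command_line.strip())
    if not m:
        return None
    module = m.group(1) if m.group(1) is not None else m.group(2)
    return module.split(",", 1)[0]


def classify_event(event):
    """Return the list of rule names the event triggers (empty if nothing fires)."""
    hits = []
    image = basename_lower(event["Image"])
    parent = basename_lower(event["ParentImage"])
    if parent in OFFICE_APPS and image not in OFFICE_CHILD_ALLOWLIST:
        hits.append("office_spawned_child")
    if image == "rundll32.exe":
        module = rundll32_module(event["CommandLine"])
        if module is not None and not module.lower().endswith(".dll"):
            hits.append("rundll32_non_dll_module")
    return hits


def scan(events):
    """Map the index of each flagged event to the rules it triggered."""
    flagged = {}
    for i, event in enumerate(events):
        hits = classify_event(event)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(rules)} :: {SAMPLE_EVENTS[i]['CommandLine']}")
```

On the constructed events, the cmd.exe child of WINWORD.EXE, the rundll32 call on perflib0.log, and the EXCEL.EXE-launched rundll32 are flagged (the last one on both rules); the shell32.dll call and the allowlisted splwow64.exe child are not. Renaming a DLL to .log defeats extension-based mail and AV filters but not a rule that looks at what rundll32 was actually given, which is the point of the second check.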

Injecting Shellcode into a Process
• We also inject a meterpreter payload into an already-running process by generating raw shellcode (perflib0.html) and injecting it into that process.
• This was not detected by AV.

Steps in the Video
1. Create a Word macro and e-mail to a SE victim.
2. Victim opens the Word doc and approves macro.
3. Throwback binary starts, connects to PHP app.
4. Get a process list to find process to inject in.
5. Create Meterpreter shellcode (perflib0.html)
6. Download Cobalt Strike (perflib0.log)
7. Instruct victim to rundll32 perflib0.log
8. Instruct victim to download shellcode and inject into PID 1560.
9. Interact over Cobalt Strike.
10. Interact over Meterpreter session.

Demo
(Video will be linked to from InGuardians website within one week)

Pivot, Pivot, Pivot
• With an initial foothold, the goal is to always pivot and avoid detection.
• With good OPSec, you can maintain long-term access as well as pivot and attack.

Thank You
Talk and Demo at our table at 3:30pm. We're always seeking to up our game, create cool tools and techniques, and share with our community. InGuardians is proud to sponsor the SANS Pentest HackFest.