Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
By: @ChrisTruncer and @Evan_Pena2003

@ChrisTruncer
- Sys Admin turned Red Teamer
- Open Source Developer
- Trooper

@Evan_Pena2003
- Open Source Developer
- Red Team Lead for West Coast
- Former sysadmin

What's this talk about?
- Device Guard!
  - Code integrity policies
  - PowerShell Constrained Language mode
- Introduction of a way to live off the land
  - Data encoding
  - C2 data storage
  - Commands
Device Guard

Device Guard
- Defensive technology built into Windows 10 and Server 2016
- A change from antivirus technologies, where apps are trusted unless flagged as malicious
- You now explicitly state which applications are trusted

Device Guard
- New application whitelisting bypass published? Don't trust that application anymore!
- Matt Graeber is curating a baseline code integrity policy blocking offending applications
- https://github.com/mattifestation/DeviceGuardBypassMitigationRules

Code Integrity Policies
- You define trusted applications by creating Code Integrity policies
- Upon creating code integrity policies, they can be deployed via:
  - GPO
  - SCCM

Code Integrity Policies
- Code integrity policies are largely based on digital signatures
- For unsigned applications, you can deploy catalog files, which can be tied into code integrity policies

Code Integrity Policies
- Catalog files will need to be updated every time an application is updated
- If using digital signatures, this won't be a problem
- Code integrity policies typically are XML files converted into a binary

Code Integrity Policies
- Your code integrity policies themselves should also be signed
- This can help prevent modification by users/attackers with administrative rights
Creating Code Integrity Policies
- The easiest way to create code integrity policies is through PowerShell
- Carlos Perez and Matt Graeber have created walkthroughs for creating a code integrity policy
  - https://gist.github.com/darkoperator/7d5b85354c0343c7554e
  - http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html

Creating Code Integrity Policies
- Largely, you will use the New-CIPolicy cmdlet and specify the file rule levels for defining trusted applications
  - File hash
  - File name
  - Publisher
  - FilePublisher

Creating Code Integrity Policies
- Convert XML code integrity policy to a binary file
  - ConvertFrom-CIPolicy
- Deploy in audit mode
  - Non-blocking
  - Generates events

Creating Code Integrity Policies
- After having deployed in audit mode:
  - Review event logs
  - Make any rule modifications as needed
  - Deploy in enforcement mode
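The create, audit, review and enforce workflow from the slides above as one script. This is an added example, not taken from the talk or from the linked walkthroughs; it runs in an elevated PowerShell 5.1 session on a reference machine, and the working directory, the local copy of the bypass mitigation rules, and the single-machine deployment path are assumptions.

```powershell
# Added example (not from the talk or the linked walkthroughs): the
# New-CIPolicy -> audit -> review -> enforce workflow as one script.
# Paths are assumed for this example.
$Work = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Build an initial policy from the reference machine. FilePublisher rules
#    trust signed binaries by publisher; unsigned files fall back to a hash
#    rule, which must be regenerated whenever such a file is updated.
New-CIPolicy -FilePath "$Work\Initial.xml" -Level FilePublisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Merge in Matt Graeber's bypass mitigation rules (repo linked above;
#    the local file name is assumed here).
Merge-CIPolicy -PolicyPaths "$Work\Initial.xml", "$Work\BypassMitigationRules.xml" -OutputFilePath "$Work\Audit.xml"

# 3. Deploy in audit mode. Rule option 3 is "Enabled:Audit Mode"; New-CIPolicy
#    sets it by default, so this only makes the intent explicit.
Set-RuleOption -FilePath "$Work\Audit.xml" -Option 3
ConvertFrom-CIPolicy -XmlFilePath "$Work\Audit.xml" -BinaryFilePath "$Work\Audit.p7b"
Copy-Item "$Work\Audit.p7b" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
# (reboot, then run the machine's normal workload for a while)

# 4. Review what would have been blocked: event ID 3076 in the CodeIntegrity
#    operational log means "violates policy, allowed because of audit mode".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 5. Turn the audit events into rules, merge them in, then drop audit mode
#    to produce the enforcement policy.
New-CIPolicy -FilePath "$Work\FromAudit.xml" -Level FilePublisher -Fallback Hash -Audit -UserPEs
Merge-CIPolicy -PolicyPaths "$Work\Audit.xml", "$Work\FromAudit.xml" -OutputFilePath "$Work\Enforce.xml"
Set-RuleOption -FilePath "$Work\Enforce.xml" -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath "$Work\Enforce.xml" -BinaryFilePath "$Work\Enforce.p7b"
# Sign Enforce.p7b before deploying it (per the slide on signed policies),
# so that a local administrator cannot simply swap the policy file.
```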
PowerShell Constrained Language Mode
- Device Guard auto-configures PowerShell to run in Constrained Language mode
- Pure PowerShell elements are allowed, but the types are limited
- .NET methods are only allowed on the permitted types

Attacker's Perspective
- How can we operate on a Device Guard protected system?
- Develop a bypass
  - This will be effective at first, but could potentially be blocked via CI policy
  - This takes R&D

Attacker's Perspective
- How about living off the land?
- We know the applications most likely to be whitelisted
  - PowerShell, WMI, etc.
- Can they be chained together to attack systems in a useful manner?

WMImplant
Invoke-WMImplant

WMImplant
- Developed in PowerShell
- Designed to exclusively operate with WMI
  - The mechanism to trigger actions
  - The C2 channel itself
  - Data storage :)
- Menu and commands are reminiscent of Meterpreter - except all WMI based

First, Thanks
- Thanks to the incredibly smart Matt Graeber, Willi Ballenthin, and Claudiu Teodorescu
- Their research is what spurred my interest in WMI
- Without their research, I may have never developed this capability
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

What's WMI?
- WMI == Windows Management Instrumentation
- Installed and enabled by default in Windows since Windows 2000
- Enables administrators to query local and remote systems for management purposes

WMImplant and Device Guard
- WMImplant was developed exclusively against Device Guard protected systems
- Remember Constrained Language Mode? We're great friends with it :)

WMImplant and Device Guard
- Data storage and encoding were problems in the initial development stages
- We want to be able to upload or download files, run commands, etc.
- What if all data that we might need to manipulate isn't just text?

WMImplant and Device Guard
- We discovered that encoding and data storage were problems we were going to need to solve to write an effective post-exploitation tool

Encoding
Invoke-WMImplant

WMImplant and Encoding
- The first method of encoding data? Base64!
  - [Convert]::ToBase64String()
- Only one problem...

Encoding - Back to the Drawing Board
- Base64 is out
  - We haven't seen a pure PowerShell based Base64 encoding/decoding function
- WMImplant can be encoder agnostic; anything that works can be used
- So let's turn to Daniel Bohannon
WMImplant and Encoding - [Int[]][Char[]]
- Breaks input into an array of char, then converts each char into an int
- It works with binary and text files - in constrained mode

    # $data holds the string to encode ($input is a PowerShell automatic
    # variable, so it is not used as the variable name here)
    $encode = [Int[]][char[]]$data -Join ','

    # Reverse the process: split on commas, cast back to ints, then to chars
    $decoded = [char[]][int[]]$encode.Split(',') -Join ''
WMImplant Encoding and Storage
- Awesome! We can now encode and decode data in a Constrained Language compliant manner.
- Next question: where should it be stored?

WMImplant and Data Storage
- The initial version of WMImplant used the system registry to store data
- We can easily create and modify registry values remotely
- This can be done over WMI with the StdRegProv class

WMImplant and Data Storage
- Registry pro:
  - Not limited by a very small size limit
- Registry con:
  - Lots of parsers for analyzing a system's registry

WMImplant and Data Storage
- This led to a conversation with Matt Dunwoody discussing APT 29 tactics
- They were creating custom WMI classes, adding properties, and storing data in WMI properties
- Let's try to recreate this!

WMImplant and Data Storage - New WMI Class
- Lucky for us, Matt Graeber already published code that does this!
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

WMImplant and Data Storage - New WMI Class
- But there's a problem...

WMImplant and Data Storage - WMI Property Fail
- WMI class creation is allowed within Constrained Language Mode
- WMI property creation is not
- It looks like this idea won't work
- Unless...

WMImplant and Data Storage - Existing Classes!
- What if we look at existing WMI classes?
  - Are their properties writable?
  - Can they accept a string type, of any length?
  - Can the property be modified in Constrained Language Mode?
  - Won't blue screen the box?

WMImplant and Data Storage - Existing Classes!
- Modified an existing script to:
  - Enumerate all WMI classes
  - Enumerate all properties within each class
  - Find properties of type string that are writable
- https://gist.github.com/ChrisTruncer/f3fe3f04b9fdd1310507363f8bdad8be

WMImplant and Data Storage - Existing Classes!
- This returned a somewhat limited number of properties
- Some only allowed a fixed (small) length of data
- Others would error when modifying the property value

WMImplant and Data Storage - Then, there was one
- However, this did identify a class that we've not seen before
  - Win32_OSRecoveryConfiguration
- This class is used to specify the type of information that is collected when the system crashes

WMImplant and Data Storage - Then, there was one
- It does have a single property which is writable, and is a string
  - DebugFilePath - The location where Windows places a memory dump following an operating system crash

WMImplant and Data Storage - DebugFilePath
- It looks as if it should only accept a file path location
- It looks as if it would be limited in the length of data it accepts
- That's what it looks like...

WMImplant and Data Storage - DebugFilePath
- Awesome!
- Demonstrates we can write arbitrary strings to the DebugFilePath property
- Our encoder can work with this!
- What about length..?

WMImplant and Data Storage - DebugFilePath
- This gives us everything we need!
  - Writeable string property
  - Writeable in Constrained Mode
  - Not fixed in length (256+ MB)
  - Doesn't blue screen the box :)

WMImplant and Data Storage - C2 Comms
1. Query the remote machine's DebugFilePath property to receive its original value
2. Use WMI to execute a command (ipconfig) on the targeted machine
3. Encode the results of the command and store it in the DebugFilePath property
4. Query the remote system (from the attacking machine) to receive the DebugFilePath value
5. Decode the value and display the results
6. Set the DebugFilePath property back to its original value

WMImplant - C2 Comms
- Most of WMImplant's commands will not require data storage
- In this case, results are retrieved with likely a single WMI query
- If storage is required, the previous C2 communications methodology is followed
WMImplant Commands
Invoke-WMImplant

WMImplant - Commands
- Broken up by what they do:
  - Meta Functions
  - File Operations
  - Lateral Movement
  - Process Manipulation
  - System Manipulation
  - Log Analysis

WMImplant - Meta Functions
- help
- exit
- change_user - change current user context for all commands
- gen_cli - generate command line command to run non-interactively

(screenshot: gen_cli)

(screenshot: change_user)

WMImplant - File Operations
- cat - read file contents
- download - downloads file from target
- ls - directory and file listing
- ninjacopy - copy any file
- search - search for file or extension
- upload - upload file to target

(screenshot: cat)

(screenshot: search)

WMImplant - Uploads and Downloads
- These are the only commands that still use the registry for data storage
- This is due to not knowing the size of potential uploads or downloads
- Also due to unknown size limits of the WMI property (tested up to 256 MB)

WMImplant - Uploads
1. Read and encode the file that will be uploaded
2. Store it in the remote system's registry
3. Start PowerShell on the remote system via WMI
4. Read and decode the registry value
5. Write the decoded results to the user-specified file location

WMImplant - Lateral Movement Facilitation
- command_exec - Run command and receive output
- enable_wdigest - Set UseLogonPassword key
- enable_winrm - enables WinRM
- remote_posh - Runs PowerShell script on target and receives output

(screenshot: remote_posh)

Detecting Malicious WMI
WMI vs. WMI

Actively Monitor WMI
1. Use WMI Query Language (WQL) to identify:
   - Recently created __EventConsumer instances (persistence)
   - WMI-based process executions
2. Create an Event Filter (condition) to perform an action if any of the above WQL conditions are true
3. Create an Event Consumer (action) to log details of the newly created __EventConsumer or executed process
   a. Set it to log all data to the event log with a specific event ID and event name
   b. Very high fidelity!
   c. Feed these logs to a SIEM - SNARE or universal forwarder. Then ALERT!
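The WQL conditions from steps 1 to 3 above, plus a third one for the DebugFilePath storage channel described in the data storage slides, as an added example that is not part of the talk or of the WMImplant or WMIMonitor projects. It uses temporary in-process subscriptions (Register-CimIndicationEvent) rather than a permanent filter/consumer/binding, so it only lives as long as the PowerShell session; the log path and source identifiers are assumptions, and an elevated PowerShell 5.1 session is assumed.

```powershell
# Added example (not from the talk, WMImplant or WMIMonitor): temporary,
# in-process WMI subscriptions for the WQL conditions above, plus one for
# the DebugFilePath storage channel. The log path and identifiers are
# chosen for this example.
$LogPath = 'C:\ProgramData\wmi-monitor.log'

# One handler for all subscriptions. The CIM event that fired is in
# $Event.SourceEventArgs.NewEvent; TargetInstance is the new/changed object.
$Handler = {
    $ti  = $Event.SourceEventArgs.NewEvent.TargetInstance
    $tag = $Event.SourceIdentifier
    switch ($tag) {
        'WMI-Persistence' {
            $detail = 'consumer={0} class={1}' -f $ti.Name, $ti.CimClass.CimClassName
        }
        'WMI-ProcessExec' {
            # Only processes whose parent is the WMI provider host were WMI-launched.
            $parent = Get-Process -Id $ti.ParentProcessId -ErrorAction SilentlyContinue
            if ($parent.Name -ne 'WmiPrvSE') { return }
            $detail = 'pid={0} cmd={1}' -f $ti.ProcessId, $ti.CommandLine
        }
        'WMI-DebugFilePath' {
            # The legitimate value is a dump file path. A comma-separated run
            # of integers is the [Int[]][Char[]] encoding shown earlier, and a
            # value longer than MAX_PATH is suspicious on its own.
            $v = [string]$ti.DebugFilePath
            if ($v -notmatch '^\d+(,\d+)*$' -and $v.Length -le 260) { return }
            if ($v.Length -gt 40) { $v = $v.Substring(0, 40) + '...' }
            $detail = 'DebugFilePath length={0} value={1}' -f ([string]$ti.DebugFilePath).Length, $v
        }
    }
    Add-Content -Path $Event.MessageData -Value ('{0:u} {1} {2}' -f (Get-Date), $tag, $detail)
}

# Intrinsic (polled) events: WITHIN n is the polling interval in seconds.
$Subs = @(
    @{ Id = 'WMI-Persistence';   Ns = 'root/subscription'
       Q  = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA '__EventConsumer'" }
    @{ Id = 'WMI-ProcessExec';   Ns = 'root/cimv2'
       Q  = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'" }
    @{ Id = 'WMI-DebugFilePath'; Ns = 'root/cimv2'
       Q  = "SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_OSRecoveryConfiguration'" }
)
foreach ($s in $Subs) {
    Register-CimIndicationEvent -Namespace $s.Ns -Query $s.Q -SourceIdentifier $s.Id `
        -MessageData $LogPath -Action $Handler | Out-Null
}
# Stop monitoring with: Get-EventSubscriber | Unregister-Event
```

Forward the resulting log lines to the SIEM the same way the slide describes for the event log; for an always-on deployment, the same three queries can be registered as permanent __EventFilter / consumer / __FilterToConsumerBinding triples as WMIMonitor does.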
Automating the Process - WMIMonitor
- Mandiant WMIMonitor PowerShell script found here: https://github.com/realparisi/WMI_Monitor
- Detailed blog post here: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html

(screenshot: The Result (Persistence))

(screenshot: The Result (Command Execution))

Scale Detection with More Signatures
- UpRoot IDS: https://github.com/Invoke-IR/Uproot
- Includes ~14 signatures instead of 2
- Centralized logging, so if you have a smaller budget... 1 agent instead of 1000+ agents

WMImplant - Future Work
- Implement whitelisting bypasses
- Examine the changing defensive landscape and identify means to repurpose existing tools

WMImplant - Where to get it
- WMImplant - https://github.com/ChrisTruncer/WMImplant
- Questions? @ChrisTruncer @Evan_Pena2003