cracking the perimeter with sharpshooter
play

Cracking the Perimeter with SharpShooter Dominic Chell June 2019 - PowerPoint PPT Presentation

Mar 10, 2024 •335 likes •802 views

Cracking the Perimeter with SharpShooter Dominic Chell June 2019 # whoami Dominic Chell: Offensive Security @ MDSec Responsible for *BEST, STAR and TIBER services Twitter : @domchell Projects: SharpShooter LyncSniper

  1. Cracking the Perimeter with SharpShooter Dominic Chell June 2019

  2. # whoami • Dominic Chell: • Offensive Security @ MDSec • Responsible for *BEST, STAR and TIBER services • Twitter : @domchell • Projects: • SharpShooter • LyncSniper • SharpPack • PowerDNS • Chameleon

  3. OUTLINE • Background • “Free Styling” with SharpShooter • SharpShooter Overview • Exploring AMSI • Reconnaissance • Macro Support • Delivery • Tradecraft • Sandbox Evasion • Detection / Prevention • Staging

  4. BACKGROUND • Establishing initial access can often be complex • Increased focus from defenders on PowerShell attacks • Easy to signature both statically and with process spawn chains • AMSI provides engines direct access to memory • Rise of sandboxing tech, “Next Gen Anti-Virus”, EDR and EDP • Increased difficulties introducing payloads to environments • Red teaming is getting harder!

  5. OVERVIEW: SharpShooter • Internally developed tool; SharpShooter • Successful on a number of adversary simulations • Some success in bypassing traditional and “Next Gen” security controls

  6. OVERVIEW: SharpShooter

  7. OVERVIEW: SharpShooter • Staged and stageless payload creation framework for Windows based Scripting file formats: • HTML Applications • JavaScript • VBScript • Windows Script Files • VBA and Excel4 Macro Support • Arbitrary execution of CSharp source • Anti-Sandboxing and HTML Smuggling

  8. OVERVIEW: SharpShooter • Script payloads execute DotNet using DotNetToJScript • Staged payloads: • Arbitrary CSharp source code is retrieved via DNS or web • CSharp source code is compiled and executed using reflection

  9. RECONNAISSANCE • Targeted reconnaissance provides better chance of success • Payload should be targeted for correct version of DotNet framework • If executing in-process shellcode, it should correspond to the target’s architecture • Alternatively, an x86 process can be spawned and injected in to

  10. RECONNAISSANCE • Reconnaissance e-mail with image and system profiling links • Embed in e-mail: <img src=“http://attacker.net/logo.png?uid=1234” /> • Monitor web logs for results: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.6366; ms-office; MSOffice 16)

  11. DELIVERY • Delivery can leverage the “HTML smuggling” technique from @buffaloverflow • RC4 encrypted file decrypted in the browser using JavaScript’s WebCrypto APIs • navigator.mssaveBlob forces the browser to save the decrypted blob locally • Proxy sees text/html or attachment rather than the content type of the payload (e.g. text/vbscript ) • SharpShooter provides two pre-defined template examples

  12. SANDBOX EVASION • Attempts to avoid automated analysis, inspired by CheckPlease: • Domain keying • Domain member • Sandbox artefacts • Bad MACs • Debugging

  13. SANDBOX EVASION • Obtaining Active Directory name example:

  14. SANDBOX EVASION • Obtaining Active Directory name example:

  15. DEMO: PALO ALTO TRAPS

  16. DETECTION STATUS • Shortly after release signatures began to emerge • Defender AMSI signature detects all DotNetToJScript • Proclaimed dead by @subTee

  17. DETECTION STATUS

  18. DETECTION STATUS

  19. SharpShooter RESURRECTION

  20. ANTIMALWARE SCAN INTERFACE • Microsoft introduced AMSI in Windows 10 • Standard interface to provide file, memory and stream scanning for any application • Analysis at the scripting engine therefore access to the plain, deobfuscated code • Supported in PowerShell, Windows Script Host, JavaScript and VBScript and Office VBA macros

  21. ANTIMALWARE SCAN INTERFACE

  22. ANTIMALWARE SCAN INTERFACE

  23. ANTIMALWARE SCAN INTERFACE • Mid-April 2018 @subTee released “SquiblyTwo” attack • Script execution through Stylesheets using wmic.exe • Defender AMSI did not trigger

  24. COM STAGING • Updates to SharpShooter to include “COM Staging” and XSL / SCT generation • Several known COM methods allow command execution: • Outlook.CreateObject, • WScript.Run, • Shellbrowserwindow.Document.Application.Run, • WMI StartWin32Process • Leverage COM to execute wmic.exe or regsvr32.exe on the command line to perform “Squiblydoo” and “SquiblyTwo” attacks

  25. COM STAGING COM Interface wmic.exe / Remotely Hosted HTA, JS, VBS (Outlook, WScript, regsvr32.exe XSL or SCT WMI etc)

  26. FREE STYLING WITH SharpShooter

  27. FREE STYLING WITH SharpShooter • Research in to COM objects supporting XSL processing identified Microsoft.XMLDOM interface • Inline and remotely hosted transformation of XML against a given stylesheet, providing following benefits: • No command line execution, • Regsvr32.exe has known IOCs e.g. User-Agent, • XSL retrieval via HTTP/HTTPS • AMSI not supported in scriptlets; added early 2019 • Later used by @bohops to bypass WDAC in CVE-2018-8492

  28. FREE STYLING WITH SharpShooter

  29. DEMO: WINDOWS DEFENDER XSL

  30. AMSI BYPASSES • @Tal_Liberman discovered an AMSI bypass using the “ AmsiEnable ” registry key ( HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable ) • Requires the user to “open” the payload twice: • First pass checks the registry to determine if the key is set and if not set it • Second pass opens the payload from the user’s download folder

  31. AMSI BYPASSES

  32. AMSI BYPASSES • @tiraniddo discovered a DLL hijacking vulnerability in AMSI • The technique prevents LoadLibrary from loading the AMSI.dll by convincing it that it’s already loaded • The scripting engine is unable to find the AMSI DLL exports and fails safe • Copy wscript.exe to known location with name amsi.dll and run the script file

  33. AMSI BYPASSES • @Tal_Liberman discovered another bypass in AMSI by patching the amsi.dll ’s exported functions • AmsiScanBuffer handles the buffer that is being scanned • Function patched in memory to return AMSI_RESULT_CLEAN • mov eax, 0x80070057; retn

  34. DEMO: DEFENDER AMSI BYPASS

  35. MACRO SUPPORT • In Feb 2019, SharpShooter added additional support for VBA and Excel 4.0 macros • VBA support introduced using XMLDOM and XSL technique • @StanHacked discovered a legacy feature of Office to execute macros using Excel 4.0 • Excel 4.0 does not support AMSI and not recognised by many EDR/EDP solutions • SharpShooter generates an SLK file to directly execute shellcode in Excel

  36. DEMO: MACRO EXECUTION

  37. TRADECRAFT • Default SharpShooter templates do not employ OpSec tradecraft, stageless template: • Allocates memory EXECUTE_READWRITE for shellcode execution • Executes shellcode “in process”, e.g. mshta.exe performing C2 • Spawns from the default parent, e.g. wscript.exe launched from chrome.exe • Indicators discussed in detail by defenders: • https://countercept.com/blog/analyzing-sharpshooter-part-1/ • https://countercept.com/blog/analyzing-sharpshooter-part-2/

  38. TRADECRAFT • Reducing memory indicators is a trivial step: • Firstly allocate memory using PAGE_READWRITE • Reset the page permissions to PAGE_EXECUTE_READ using VirtualProtect

  39. TRADECRAFT • Reducing process indicators can be achieved using injection: • Spawn innocuous process e.g. iexplore.exe • Inject shellcode using chosen technique, e.g. ALPC , SetThreadContext , CreateRemoteThread etc.

  40. TRADECRAFT • Parent PID spoofing can be performed using UpdateProcThreadAttribute • CreateProcess using STARTUPINFOEX struct

  41. DEMO: TRADECRAFT

  42. DETECTION • Staged mode CSharp compilation using CodeDom with the CompilerParameters.GenerateInMemory = true; parameter • Command line logging: • csc.exe invocation • nslookup.exe for DNS delivery • Modifications to AmsiEnable registry key for AMSI bypasses

  43. PREVENTION • Endpoint prevention strategies: • Device Guard code integrity policy • Application whitelisting, block mshta.exe etc. • Modify default handlers for scripting extensions • Network: • Outbound DNS filtering • Monitor for HTML Smuggling, e.g. WebCrypto APIs

  44. CONCLUSIONS • Windows Scripting file formats provide a number of interesting opportunities for initial access • Leveraging COM these can be harnessed for code execution using scriptlets and execution cradles • Creating weaponised tools raises ethical dilemmas, particularly when observed in the wild • Red team research/tooling can however provide a rare opportunity to raise the bar in detection at scale

  45. REFERENCES • SharpShooter available from https://github.com/ mdsecactivebreach/SharpShooter • Thanks to the following people: • @tiraniddo: DotNetToJScript • @Arno0x0x: EmbedInHTML • @buffaloverflow: Demiguise • @arvanaghi and @ChrisTruncer: CheckPlease • @subTee: Squiblydoo/Two • @StanHacked: Excel4.0 research

  46. QUESTIONS

Recommend

Subtraction Starter: 1. 4573 - 1282 = 2. 7808 - 1921 = 3. Amy has saved 45.37 in her piggy

Subtraction Starter: 1. 4573 - 1282 = 2. 7808 - 1921 = 3. Amy has saved 45.37 in her piggy

Area and Perimeter.notebook May 13, 2020 Steps To Success: LO - To calculate the perimeter I can calculate the perimeter of a 2D shape by adding all of its sides together of a range of 2D shapes I can accurately measure the lengths of a 2D

1.18k views • 65 slides
Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay Brain T2-Hyperintensity Sachs Stem Pelizaeus- B12 Metabolism U-Fibres Merzbacher Hypomyelination T1-Hypointensity CSF Salla LEUKODYSTROPHY

918 views • 62 slides
IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code:

IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code:

IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code: Value for Money Rickard Mills Council Member, IAPF THANK YOU SPONSOR Cracking the DC Code: Value for Money HOUSEKEEPING Cracking the DC Code:

1.04k views • 54 slides
twenty six diagonal cracking shear f c http://www.bam.de concrete construction:

twenty six diagonal cracking shear f c http://www.bam.de concrete construction:

A RCHITECTURAL S TRUCTURES : Concrete in Compression F ORM, B EHAVIOR, AND D ESIGN ARCH 331 crushing D R. A NNE N ICHOLS vertical cracking S PRING 2018 tension lecture twenty six diagonal cracking shear f c

137 views • 3 slides
The perimeter and area of both a rhombus and a parallelogram can be found by applying the

The perimeter and area of both a rhombus and a parallelogram can be found by applying the

D AY 118 P ERIMETER AND AREA OF A RHOMBUS AND A PARALLELOGRAM ON XY - PLANE I NTRODUCTION The perimeter and area of rhombi and parallelograms have been dealt with in earlier lessons. Both the area and perimeter of these quadrilaterals can

437 views • 15 slides
DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger

DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger

DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger Pirk Eleni Petraki Strato Idreos Stefan Manegold Martin Kersten EVALUATING RANGE PREDICATES COMPLEXITY ON PAPER Scanning: O(n) Sorting:

910 views • 43 slides
Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of

Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of

Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of this presentation (if you stay awake), you will: Goals Setting Up Checking Injection Understand the different types of wireless keys

447 views • 13 slides
Designing for durability and strength Cracking &amp; durability Local studies on corrosion &amp;

Designing for durability and strength Cracking &amp; durability Local studies on corrosion &amp;

Designing for durability and strength Cracking &amp; durability Local studies on corrosion &amp; cracking Other aspects Presented by: Professor Mark Alexander Concrete Materials and Structural Integrity Research Unit (CoMSIRU)

718 views • 29 slides
PicoCrack: The Art of Efficient Cracking FPGAs (Field Programmable Gate Arrays) allow custom

PicoCrack: The Art of Efficient Cracking FPGAs (Field Programmable Gate Arrays) allow custom

PicoCrack: The Art of Efficient Cracking FPGAs (Field Programmable Gate Arrays) allow custom silicon to be implemented easily. The result is a chip that can be built specifically for cracking passwords. This presentation focuses on uncovering

606 views • 47 slides
From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO

From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO

From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO AT&amp;T eamoroso@att.com Page 1 Sandbags Piled in Front of AT&amp;T Building 12/15/41 Page 2 Original Perimeter Objective (Circa 1995)

946 views • 61 slides
Distributed GPU password cracking Alexander Kasabov &amp; Jochem van Kerkwijk System and

Distributed GPU password cracking Alexander Kasabov &amp; Jochem van Kerkwijk System and

Distributed GPU password cracking Alexander Kasabov &amp; Jochem van Kerkwijk System and Network Engineering { akasabov | jkerkwijk } @os3.nl February 2, 2011 Outline Introduction Password cracking Graphics processing unit Distributed

501 views • 16 slides
Physical and Metallurgical Analysis Aids in Understanding Recovery Boiler Tube Cracking

Physical and Metallurgical Analysis Aids in Understanding Recovery Boiler Tube Cracking

Physical and Metallurgical Analysis Aids in Understanding Recovery Boiler Tube Cracking November, 2014 PdM Technology Infrared Thermography Gas Find IR Example of LNG Leak Safety Minute Economizer Tube Cracking Assessment

447 views • 18 slides
PERIMETER CENTER ZONING CITY OF DUNWOODY Welcome Project introduction Image

PERIMETER CENTER ZONING CITY OF DUNWOODY Welcome Project introduction Image

PERIMETER CENTER ZONING CITY OF DUNWOODY Welcome Project introduction Image preference exercise Next steps Agenda Craft new zoning/design standards Focus on unique character of perimeter center Implement

404 views • 14 slides
ramp. Photo 2. Looking along the guardrail. Cracking has protruded through asphalt patch,

ramp. Photo 2. Looking along the guardrail. Cracking has protruded through asphalt patch,

SHOP SLIDE Photo 1. Cracking across the footpath at the end of the Hwy 2 off ramp. Photo 2. Looking along the guardrail. Cracking has protruded through asphalt patch, with a drop depression in the asphalt and significant bow in the

247 views • 10 slides
Rufus King Park: Additional Entrances and Perimeter Fence Reconstruction Located located along

Rufus King Park: Additional Entrances and Perimeter Fence Reconstruction Located located along

Rufus King Park: Additional Entrances and Perimeter Fence Reconstruction Located located along Jamaica Avenue between 150th &amp; 153rd Streets, in the Borough of Queens. October 31, 2016 Parks Capital Design Grand Central Parkway Perimeter

615 views • 28 slides
Seamless Asphalt Pavement Preservation Featuring Types of asphalt failure Alligator cracking

Seamless Asphalt Pavement Preservation Featuring Types of asphalt failure Alligator cracking

36 th Annual Utah Asphalt Conference Seamless Asphalt Pavement Preservation Featuring Types of asphalt failure Alligator cracking Joint cracking Raveling Rutting Potholes Typical Repair Approaches Sawcut, removal, and

445 views • 27 slides
September 28, 2016 1 Cracking Drupal Security concepts and pitfalls Peter Wolanin Moshe

September 28, 2016 1 Cracking Drupal Security concepts and pitfalls Peter Wolanin Moshe

September 28, 2016 1 Cracking Drupal Security concepts and pitfalls Peter Wolanin Moshe Weitzman Track: PHP https://events.drupal.org/dublin2016/sessions/cracking-drupal Special thanks to Klaus Purer for creating the original talk and slides

683 views • 39 slides
3rd Grade Shapes and Perimeter 2015-11-10 www.njctl.org Slide 3 / 102 Slide 4 / 102 Table of

3rd Grade Shapes and Perimeter 2015-11-10 www.njctl.org Slide 3 / 102 Slide 4 / 102 Table of

Slide 1 / 102 Slide 2 / 102 3rd Grade Shapes and Perimeter 2015-11-10 www.njctl.org Slide 3 / 102 Slide 4 / 102 Table of Contents Area Click on a topic to Perimeter go to that section Lines, Rays and Line Segments Angles Area

525 views • 25 slides
PERIMETER: The Premier Office Market in Metro Atlanta PCIDs Standard Template; Updated: Oct 03,

PERIMETER: The Premier Office Market in Metro Atlanta PCIDs Standard Template; Updated: Oct 03,

PERIMETER: The Premier Office Market in Metro Atlanta PCIDs Standard Template; Updated: Oct 03, 2013 EVOLUTION OF Livable Center THE MARKET Sustainable Placemaking Congested Office District 1990s Suburbs/ Perimeter Mall early 1970s

415 views • 28 slides
Measuring perimeter of a discrete object Slopes and difference of column sums Optimization

Measuring perimeter of a discrete object Slopes and difference of column sums Optimization

Measuring perimeter of a discrete object Nataa Sladoje Introduction Main story Area coverage digitization Measuring perimeter of a discrete object Slopes and difference of column sums Optimization Local computations Rotations of the

1.03k views • 88 slides
Queuing under perimeter control: analysis and control strategy Mehdi Keyvan-Ekbatani, Rodrigo C.

Queuing under perimeter control: analysis and control strategy Mehdi Keyvan-Ekbatani, Rodrigo C.

Queuing under perimeter control: analysis and control strategy Mehdi Keyvan-Ekbatani, Rodrigo C. Carlson, Victor L. Knoop Serge P. Hoogendoorn and Markos Papageorgiou 10 de novembro de 2016 1 / 22 Perimeter control What is it? 2 / 22

743 views • 22 slides
City of Red LodgeProposed Special Improvement District April 12, 2018 Great West Engineering

City of Red LodgeProposed Special Improvement District April 12, 2018 Great West Engineering

City of Red LodgeProposed Special Improvement District April 12, 2018 Great West Engineering Dorsey &amp; Whitney LLP 1 Existing Conditions Existing pavement experiencing: block cracking, large transverse cracking, alligator cracking, and

342 views • 15 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Chloride-Induced Stress Corrosion Cracking Tests and Example Aging Management Program Darrell S.

Chloride-Induced Stress Corrosion Cracking Tests and Example Aging Management Program Darrell S.

Chloride-Induced Stress Corrosion Cracking Tests and Example Aging Management Program Darrell S. Dunn NRC/NMSS/SFST Public Meeting with Nuclear Energy Institute on Chloride Induced Stress Corrosion Cracking Regulatory Issue Resolution Protocol

527 views • 26 slides

More recommend