Lazarus Group Covert Shellcode Execution Technique: ASATA has located and profiled a really interesting shellcode technique which was inspired by Lazarus Group. At its core, the technique uses a list of UUID string values and then converts that to binary shellcode, allocates memory and executes that shellcode. Windows APIs utilized are UuidFromStringA and EnumSystemLocalesA to accomplish that, avoiding all the usual suspects like VirtualAlloc, WriteProcessMemory, CreateThread and standard shellcode generators.
Shellcode Loader: https://github.com/pwn1sher/uuid-loader Blog: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/ UuidFromStringA: https://docs.microsoft.com/en-us/windows/win32/api/rpcdce/nf-rpcdce-uuidfromstringa EnumSystemLocalesA: https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesa #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam 11/28/2021 Parent PID Spoofer & injectorParent PID Spoofer / injector: Inject into ApplicationFrameHost.exe UNDETECTED by MDE Automation but offensive behavior articulated in MDE device timeline. REALITY: A human defender regularly checking MDE device timeline would be all over this tradecraft. Regardless, as usual, I learned a lot by playing with the tradecraft for myself.
Parent PID Spoofing in C# (Used in video): https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab8/1.cs #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam Leaking Kernel Memory from User Space Using NtQuerySystemInformation as a Low Priv User I read an interesting blog (found below) on exploiting an Arbitrary Write NULL vulnerability which utilized NtQuerySystemInformation as a low privilege user to leak SYSTEM addresses/pointers (handle information). Finding this interesting, I turned to ASATA to see how prevalent this API call was in privilege attacks - extremely! Now I wanted to test this for myself, I wanted to see how a low privileged user could access kernel memory (handle/object data) from user space, using NtQuerySystemInformation and the SYSTEM_HANDLE_INFORMATION structure. I used ASATA to search for some suitable called versions of NtQuerySystemInformation (either in CPP or C#), finally settling on a function found in Jean-Francois’s SharpHandler (found below). After creating my binary, I had a look at what MDE saw and interestingly enough, there was a benign warning for anomalous memory allocation "NtProtectVirtualMemory," but no alerts (possible detection opportunity for this kind of attack). Knowing that I hadn't imported this function, it looks like NtQuerySystemInformation calls NtProtectVirtualMemory to change memory permissions and allow access from user space to kernel memory. I tried to confirm this with WinDBG but it is almost unusable since upgrading to Windows 11 – buggy! In the video I show you how I rapidly investigated the prevalence of this technique, quickly assembling a binary utilizing ASATA’s ability to search over a million offensive functions, show the results of my binary contrasted against ProcessHacker and then have a look at the binary in MDE's timeline. Write Null (blog): https://wafzsucks.medium.com/hacksys-extreme-vulnerable-driver-arbitrary-write-null-new-solution-7d45bfe6d116 Listing Open Handles and Finding Kernel Object Addresses (Blog): https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland SharpHandler: https://github.com/jfmaes/SharpHandler Undocumented SYSTEM_HANDLE_INFORMATION: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle.htm #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *New Signal: Visual Studio Cobalt Strike BOF Template - Visualized by ASATA* ASATA has become interested (because of growing human momentum) and ingested a repo (securifybv/Visual-Studio-BOF-template) which streamlines the offensive extensibility of Cobalt Strike through templating Beacon Object Files, or BOFs. ASATA has profiled Windows functions and parameters within these templates and example code by MITRE ID type, articulating the different offensive behaviors they represent. The recent (~1 year) trend of porting Windows tradecraft to BOFs is making tradecraft more accessible to less sophisticated operators – this repo exemplifies that. Some of the very same COM interfaces we have been investigating (based on ASATA offensive trend analytics) have been put into this template’s example functionality. Something we learned while investigating this repo is the ability to utilize a COM interface (IAppIdPolicyHandler) to enumerate AppLockerPolicy, instead of PowerShell Get-AppLockerPolicy. This is actually a quite obscure tactic (in our dataset anyway) as we only show one instance of it while searching across a million offensively called Windows functions. BOF Templates: https://github.com/securifybv/Visual-Studio-BOF-template AppLocker Policy Enumeration in C (Blog): https://ntamonsec.blogspot.com/2020/08/applocker-policy-enumeration-in-c.html #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam 11/12/2021 COM InterfacesCoCreateInstance is a pivotal API in the creation of COM objects. When used maliciously and with various parameters (referencing different interfaces), functionality that resides in things like TaskScheduler, BITS, WMI, etc can be accessed via COM and used for things like persistence and privilege elevation. Below, some links to the documentation for the interfaces we see accessed frequently in offensive tools. ITaskScheduler: https://docs.microsoft.com/en-us/windows/win32/api/mstask/nn-mstask-itaskscheduler IFileOperation: https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ifileoperation-copyitem IBackgroundCopyManager: https://docs.microsoft.com/en-us/windows/win32/api/bits/nn-bits-ibackgroundcopymanager IWbemLocator: https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nn-wbemcli-iwbemlocator Creating an Object with COM: https://docs.microsoft.com/en-us/windows/win32/learnwin32/creating-an-object-in-com HD Video: https://youtu.be/T6wLOVepnAA #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam 11/4/2021 Down the Rabbit Hole with COMRabbit Hole: Looking into COM-Hijacking, I got lost down a rabbit hole and learned some cool things about CoCreateInstance which is utilized within offensive tooling to load COM objects and also access WMI functionality. In this video I will be using the analysis tools WinDbg, ASATA & ProcMon to check out some aspects about offensive COM usage.
I’m hoping some of these linked resources can be useful jump-off points. Much more to explore… #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *A New Video Series Building Offensive Security Tools and Testing Against EDR* In the coming weeks, we will be launching a video series where we use our ASATA research interface to build some awesome offensive security tools, mostly in C# and CPP. As many of you know, I am an intelligence tool developer by trade and don’t have formal skill as a red team operator. I will be leveraging ASATA’s half-a-million, analyzed, offensive functions to help me build these tools for which I have no previous experience in building. Whether you are a red teamer that wants to see how to build some interesting stuff or are a defender that wants a deeper understanding of how this stuff works…this series will be for you. We will focus on Windows tradecraft, building a process ghoster in C#, a phantom dll injector and some other interesting OSTs.
HD Video: https://lnkd.in/eGDTSNth #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *Module Overloading /Phantom DLL Injection: Totally Undetected by Defender for Endpoint* Our automation has noticed an interesting signature (NtCreateSection + SEC_IMAGE) trend over the last 12 months. Offensive Security Tools are leveraging a type of process hollowing called Module Overloading, or Phantom DLL Injection which have OpSec advantages like using a payload with legitimate file backed memory; in this case a Microsoft signed module (BingOnlineServices.dll). Another operator advantage is negating the use of classic +RWX memory protections, instead assuming the protections of the legitimate dll. Below you can find some OST’s we are tracking that leverage the NtCreateSection API call + SEC_IMAGE flag. process_ghosting: https://github.com/hasherezade/process_ghosting process_doppelganging: https://github.com/hasherezade/process_doppelganging phantom-dll-hollower-poc: https://github.com/forrest-orr/phantom-dll-hollower-poc DInvoke: https://github.com/TheWover/DInvoke Blog Post: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *Proxy Command Execution/DLL Injection Via SyncAppvPublishingServer.vbs > PowerShell > rundll32 > Bad.dll vs Microsoft Defender for Endpoint* This builds off a post I did yesterday, a colleague of mine () commented and asked about the above vector and endpoint detections. I tested the above vector without MDE protection just to see the mechanics and then secured with MDE. You can find the resources I used to facilitate this attack, below. DLL: https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab6/ShellcodeInjectionDll/ShellcodeInjection.cpp SyncAppvPublishingServer.vbs: https://mp.weixin.qq.com/s/Ud7TbeMJb8fsRlaGHWhBww #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *PANDEMIC Counter Cyber Intelligence Automation* Neo4j – Elastic – Custom Automation - Our next generation product ASATA will be powered by PANDEMIC counter cyber intelligence automation. We have put together a bit of a video to showcase some of the backend capabilities as we are using it to apply for a cyber security accelerator, cohort intake this fall. I thought it would be cool to share this information with our awesome followers as well. We really do appreciate all of you!! Great things are coming very soon!! (Whitepaper): https://www.cybermongol.ca/uploads/1/1/9/8/119816416/cyber_mongol_counter_cyber_intelligence.pdf #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam FUD UAC Bypass on an MDE Protected Endpoint via Profiling DLL
“The .NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10.” Our team is quite impressed with the amount of operationalized counter cyber intelligence (CCI) we are able to distill from our data, after the Cyber Fist search upgrade. MDE has done a pretty good job mitigating UAC bypasses but we were able to use a technique found using Cyber Fist that ran FUD. Full details can be found below: Blog1: https://3gstudent.github.io/Use-CLR-to-bypass-UAC Blog2: https://offsec.almond.consulting/UAC-bypass-dotnet.html #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam 5/16/2021 DLL Function Proxying*DLL Function Proxying* I started playing with this technique after finding a fair bit of intel within our dataset, while testing our new search interface (internal tool). For those that aren’t familiar with this vector, a malicious dll replaces the functionality of a legitimate dll, proxying legitimate functionality and executing malicious code (in this case shellcode). While we did test this on an MDE protected endpoint, some assumptions were made. FileZilla client (latest version) would have to be installed and a UAC bypass needed to access program files. Regardless, the point was just to investigate how function proxying works so that a more comprehensive vector could be developed.
SharpDllProxy: https://github.com/Flangvik/SharpDllProxy #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam 5/9/2021 Cyber Fist: Fuzzy Search*Building New Data Tool: Cyber Fist* Cyber Fist adds fuzzy search capability across a big chunk of our dataset. While still in early development, it’s clear how much additional knowledge it can unlock which until now, has been buried deep inside our Neo4j dataset. Cyber Fist will integrate with our automation’s Hunter module, allowing for simultaneous research and the reshaping of data. It’s funny how crisis can fuel critical innovation as that was the case here.
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *Warning CVE-2021-26868 Publicly Available Exploit Code* Our Counter Cyber Intelligence (CCI) Automation has just ingested exploit code that targets a Windows Graphics Component and injects shellcode into winlogon.exe, resulting in SYSTEM level privilege escalation. Below, we test the base exploit (injects cmd.exe) and then modify it to inject a Covenant C2 implant with SYSTEM-level integrity. Microsoft has released a patch for this vulnerability Mar. 9th and can be found in the follow-on resources below.
Exploit: https://github.com/mavillon/CVE-2021-26868/blob/main/CVE-2021-26868/exp/exp.cpp MS Security Guidance: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26868 #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *Exploiting CVE-2021-26415 on Windows 10 for Privilege Escalation* Working with an interesting vector today which leverages crafting a malicious .msi package and utilizes a symlink attack, resulting in the creation of a new local user and adding them to the local administrators group. The user creation is triggered when someone launches an administrative PowerShell session and the command (net user FooBar P@ssw0rd /add ; net localgroup Administrators FooBar /add ) is loaded from “C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1”. This vector has been patched by Windows updates on 2021-04-13. All pertinent info can be found below:
PoC Author writeup: https://www.cloaked.pl/2021/04/cve-2021-26415/ BaitandSwitch Tool: https://github.com/googleprojectzero/symboliclink-testing-tools Privileged File Operation Abuses: An introduction to privileged file operation abuse on Windows - Almond Offensive Security Blog #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam Both failure and experimentation have been instrumental in developing my offensive tradecraft skills. While not a red teamer by trade (I am an intelligence tool builder), being able to recreate tradecraft has always been important, validating the signals being generated from the automation that I build. One facet of our cyber intelligence, or counter cyber intelligence (CCI) to be more specific, are the detailed mappings of social structures within the commoditized exploit tool ecosystem. These data structures have the ability to anticipate which exploit tools and tradecraft may be combined with another, possibly being disparate at a surface glance but connected within our dataset by way of social, developer or technical relationships. It is these possible tradecraft combinations that then fuel our experimentation to ground-truth how the signals would behave if combined together. This writeup has been fueled by just such a scenario as we explore building a dropper that can bypass UAC (User Account Control) and persist through WMI, turned into shellcode and injected into a remote process. Testing was conducted on a Windows 10 box and with MDE (Microsoft Defender for Endpoint) installed, BlockMode and Automated Investigations enabled. While the attack was fully executed, MDE automated investigations caught up with us and eventually killed our fun. This is the story. Lately, we have been zeroing in on a part of the kill chain that transpires right after an initial access event (like malicious macro downloads payload) has taken place and then finishing right before lateral movement. It is within this scope that we will operate for this writeup and build a dropper that will automate all aspects of the attack. Three months ago, many of our signals related to UAC bypass ran FUD (fully undetected) when tested on endpoints protected by MDE. As of late, Microsoft has stepped up their detection game and getting a FUD UAC bypass on an MDE protected endpoint, is difficult. In an attempt to combat this newfound blue team’s strength, we decided to build our exploitation logic so that it could be turned into shellcode via donut.exe (“Generates position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory”) and injected into various processes. Ultimately, the injected offensive logic is able to download additional payloads, bypass UAC, install WMI persistence and callback to Covenant C2 as NT AUTHORITY\SYSTEM. Slippery.exe: Slippery.exe’s primary purpose is to be turned into shellcode and injected into WmiPrvSE.exe, via process hollowing. It’s exploit logic is that of a dropper / UAC Bypass which executes an attack chain, culminating in SYSTEM level persistence. Let’s walk through some of its code. Slippery.exe Functionality: Slippery.exe establishes HTTPS connections with ngrok and leverages the curl.exe binary found preinstalled in Windows 10, to download its payloads.
File Drops: Slippery.exe has two defined download paths where it will drop files to disk:
The UAC Bypass: Leveraging the native binary fodhelper.exe, Slippery.exe will bypass UAC by exploiting odd behaviors found within fodhelper.exe. This native binary is an "auto-elevated" binary and will look for additional process creation arguments, should certain registry keys exist. If those keys are created, fodhelper.exe will execute the command value which is contained within one of those keys (high-integrity context), thereby bypassing UAC. We wrote some very basic C# code to exploit this vulnerability which was based on trending vectors, articulated within our CCI dataset. The bypass code achieves the following:
Persistence & Hiding Execution Relationships: So, this method was really about dismantling the forensic relationship between the initial execution and the persistence mechanism because we knew the UAC bypass method would get flagged. In the end, we were caught on the decision to write to a protected folder as an unprivileged user, coupled with the UAC bypass that indeed was flagged. None the less, we feel this strategy applied slightly differently could be highly effective and run FUD. The exploit logic for persistence will be discussed in two parts; the initial part that registers the persistence and then the second part which details what the persistence does. Persistence Logic (ClipEvent.ps1): To gain persistence on this endpoint ClipEvent.ps1 opted for an old favorite and that was a WMI event subscription. One difference here is that we decided not to use mofcomp.exe to register an event subscription as that vector is detected by MDE, now. Instead, we crafted a PowerShell approach which did the following:
Persistence Payload Logic (wscRGB.ps1): wscRGB.ps1 is a tiny script that is meant to start the process injector (fontdrvx64.exe) which injects Covenant C2 implant shellcode as NT AUTHORITY\SYSTEM. Its secondary function is to delete the initial files that were dropped to Public\Downloads. Execution Relationship Obfuscation: Our idea was to download the first process injector (containing the UAC bypass) and the first ps1 script (responsible for WMI persistence) into Public\Downloads and the second injector (Covenant implant) and ps1 script (WMI payload for the CommandLineEventConsumer) into a user writable folder, within system32. The rationale was that if our UAC bypass was alerted on, investigators would have a harder time connecting the dots between it and the resulting process injection, stemming from a sub folder in system32 with no clear execution linkage. We broke up the execution relationship by not passing execution directly from the process responsible for bypassing UAC (Slippery.exe’s logic injected into WmiPrvSE.exe) and registering WMI persistence. Instead, Slippery.exe would initially kill process rdpclip.exe (in case it was already active) and then at the end of its logic, start rdpclip.exe which would then trigger the WMI permanent event subscription, therby firing the second injector connecting back to the C2 as SYSTEM. Remember, part of the WMI payload’s logic (wscRGB.ps1) was to delete ClipEvent.ps1 (registers the WMI event subscription) which would clearly articulate the directory of the WMI payload to be executed by the “CommandLineEventConsumer.” That being said, defenders could still see the resulting WMI payload location by inspecting tools such as ScriptBlock Logging or the AMSI content output in MDE (shown below). Additionally, due to the fact we got lit up for dropping a file to a protected folder which was user writeable, the automation was able to see the injected process (Dropper/UAC bypass) WmiPrvSE.exe now connected with the WMI payloads in system32 we were trying to obfuscate (also shown below). Process Injector (Process Hollowing (fontdrvx64.exe & SM.exe)) For the injector we used a modified version of a payload discussed at Defcon 27, “Writing custom backdoor payloads with C#,” which can be found below. Both fontdrvx64.exe and SM.exe were identical injectors, except for the shellcode that they injected. SM.exe was responsible for injecting the initial dropper/UAC bypass and fontdrvx64.exe was the persistent injector hidden within “C:\Windows\System32\spool\drivers\color\, responsible for injecting the Covenant implant.” (defcon27_csharp_workshop/2.cs at master · mvelazc0/defcon27_csharp_workshop · GitHub) Conclusions: In this round of experimental testing, MDE really ate our lunch for us but we learned quite a bit. Some key takeaways are as follows:
*Why Regular Antivirus is not Enough: A Roll-Your-Own UAC Bypass vs Regular AV & MDE* Building a UAC bypass in C# that leverages fodhelper.exe and right off the bat, it bypasses regular AV. When executed against MDE, the bypass gets about two seconds of life. MDE detects on the behavior associated with changing the registry values which are needed for this bypass. It goes to show you why just regular AV isn’t enough these days. Some neat things coming up to try with this bypass, with the intent to get it to run FUD against the MDE. We jumped off these codes found below:
UAC bypass 1: https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692 UAC bypass 2: https://github.com/0xyg3n/UAC_Exploit #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *C# Dropper: Attack Chain Fully Executed + Detailed Blue Perspective of the Attack Timeline (MDE BlockMode Auto Investigations)* We got the dropper almost there with only one detection on the UAC bypass which MDE wrongly classified as blocked. This itself was a bit of a battle as MDE completely blocks the stock UAC bypass from executing. The incident starts with the dropper assessing the executing process’s SID and escalating if not Administrator, dropping files to disk via ngrok (https), injecting shellcode for the first C2 callback in high integrity and then installing WMI persistence with ProcessStartTrace on WinStore.app.exe, which injects shellcode and calls back to the C2 as SYSTEM, every time the Windows store is launched. We modified and utilized the commoditized tooling found below (unmodified versions).
0xyg3n/UAC_Exploit: https://github.com/0xyg3n/UAC_Exploit EDRGoesBrrr: https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs/DemoDInvokeLoader donut: https://github.com/TheWover/donut Covenant: https://github.com/cobbr/Covenant #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *C# Dropper, D/Invoke Direct System Calls + Shellcode Injection* Round 2 with an edited version of Jean-Francois Maes’s code (EDRGoesBrrr) which utilizes the direct system call functionality. This functionality can be very broadly defined as retrieving a syscall number for a Windows function (located on disk from within ntdll.dll) and then placing that corresponding syscall number on the eax register and entering the kernel directly. By not having to use the Windows function located within ntdll.dll, it is possible to bypass EDR hooks that may be present in that corresponding function – you go underneath the EDR’s hooks in ntdll.dll. This was then added to the dropper I am working on which tested FUD against MDE (BlockMode and Automated Investigations enabled).
EDRGoesBrrr-source:https://github.com/NVISOsecurity/brown-bags/blob/main/DInvoke%20to%20defeat%20EDRs/DemoDInvokeLoader *C# Dropper, D/Invoke Manual Mapping(ntdll.dll) + Shellcode Injection* After a really good talk by Jean-Francois Maes, I wanted to try his code’s functionality (EDRGoesBrrr) with a dropper that I’m working on. The dropper opens an HTTPS tunnel with ngrok, downloads an edited version of his injector which leverages D/Invoke to manually map ntdll.dll (avoiding any hooks) and then injects a Covenant implant into RDP clipboard monitor. I did use the NuGet package for D/Invoke which didn’t seem to cause any problems. No alerts in MDE but there was an informational warning in the timeline regarding the parent PID spoofing. Testing was done on MDE (BlockMode + Automated Investigation).
Talk (EDR Mechanics / Evasion Techniques): Defeating EDR's using D/Invoke - YouTube EDRGoesBrrr(source):brown-bags/DInvoke to defeat EDRs/DemoDInvokeLoader at main · NVISOsecurity/brown-bags · GitHub 4/5/2021 The Faza Agent by Cyber Mongol*Cyber Mongol’s Adversary Tradecraft Simulator (Faza Agent): Check Privs, Elevate to High, Impair Telemetry, DLL Inject C2 Implant (High), Persist WMI(SYSTEM)* The Faza Agent utilizes Cyber Mongol’s Counter Cyber Intelligence (CCI) to pull in real, on-trend, commoditized tradecraft that tests advanced defenses. Faza will be available as an integration for Microsoft for Endpoint’s Evaluation Lab and additionally, a standalone offering.
We are still working on the mechanics of the agent and fully expected that we’d get busted by the EDR, flagging on the UAC bypass we are using. Faza’s current functionality is to check the integrity level of the process, bypass UAC, inject Covenant grunt for 1st C2 channel, disable MDE telemetry, add persistence with a WMI event subscription and then connect back to the C2 as SYSTEM, when the event subscription is triggered (starting Win store process). Currently, Faza is in its infancy but I thought it would be interesting to share as we build it out. #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *Step 2 - Custom FUD Dropper in C#: Privilege Escalation Logic Added* Continuing the build on the dropper that can pull in commoditized tooling that our engine sees signals on, I wrote the logic that would assess the current SID and determine if the process was in medium or high integrity. If in medium, the logic branches off and downloads a UAC bypass (commoditized tooling) before it injects a Covenant grunt, resulting in a high integrity context. The dropper ran good against standard Defender AV (undetected) but was burned against MDE EDR (medium integrity injection still worked), which was to be expected. I still have some OpSec work to do on the dropper’s UAC bypass before it is ready to tackle the big dog (MDE EDR) and run FUD.
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *Custom FUD Dropper in C#: RED/BLUE Perspectives*I wrote a custom dropper in C# that reaches back to adversary infrastructure via ngrok, downloads a DLL injector, looks for and(or) starts rdpclip.exe and then injects a Covenant C2 implant into that process. The dropper ran completely undetected and even passed two cloud delivered security scans (“Your administrator requires a security scan”). Testing was conducted against the MDE stack (AV/EDR (BlockMode AutoRemediation)).
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam *Trending LSASS Dumper Paired with ngrok Exfiltration* Sensors have been observing growing human momentum behind MirrorDump which is bound to a highly amplified social structure, directly connected to other significant and effective exploit tools – making adversary adoption of MirrorDump highly probable. MirrorDump is an LSASS dumping tool that uses a dynamically compiled LSA plugin to grab a handle to lsass and API hooking for capturing the resulting dump in memory. We paired this with our ngrok dropper from a few days ago but MirrorDump is getting flagged for signature (AV) which we haven’t rectified yet. The video shows the functionality of the dropper, LSASS dumper and the exfil of the memory dump with no endpoint protections enabled and then with the full MDE stack. With a bit more work to evade signature detections, this could be an extremely effective vector. Lastly, this would need to be paired with a Privilege Escalation to dump LSASS (we just launched from admin).
MirrorDump: https://github.com/CCob/MirrorDump #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam Part1:
*Custom Dropper Using ngrok to Expose Victim Filesystem over HTTPS* Without leveraging a high integrity context, the dropper is able to download ngrok (SmartScreen normally flags this binary) and executes it in a way that makes the file system, where it was executed, available publicly through an HTTPS tunnel. We used a VBS script to kick off the dropper, making it execute the .cmd file without an output window. GotIt.txt was just simulated data to be exfiltrated but this dropper will be paired with a trending LSA dump technique, in the coming days. Testing was against Microsoft Defender for Endpoint (BlockMode + Automated Investigations) - zero detections. Advanced adversaries such as APT33, APT34 and APT 39 (sub-group of APT34) use ngrok quite skillfully, in order to meet various objectives. FoxKitten Campaign: https://lnkd.in/eNaYvuJ #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam |