2/26/2021 Social Structures: Cobalt Strike

*Great Cobalt Strike Resource*

While writing backend code to build and analyze more complex social structures between exploit tools and their authors, we came across a tradecraft cluster with significant Cobalt Strike depth. White paper coming soon that details all the special things our tech does.

The center of the cluster is a great resource, find below:
Awesome-CobaltStrike: https://github.com/zer0yu/Awesome-CobaltStrike

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

The engine found shellcode injection techniques that are extremely simple and unquestionably effective. I think I am in love….
Dump Lsass with SharpMiniDump NTFS transactions + UAC bypass + Exfil .dmp file to Dropbox.

Overall, MDE BlockMode did a good job articulating this vector in the device timeline. Utilizing SharpMiniDump NTFS transactions (a fork of b4rtik/SharpMiniDump) to avoid writing the dump file to disk and exfiltrating it out to an awaiting Dropbox made a big difference in avoiding being blocked from executing. The UAC bypass (Medium.exe) executes enough to drop into high integrity and fire SharpMiniDump (SMD.exe). It took forever to upload the .dmp file to Dropbox - which eventually lost out to my patience (killed process before .dmp file finished). With some work, this may be a good vector.

Lsass Dumper: https://lnkd.in/eD3m2gu
UAC Bypass: https://lnkd.in/dwXdNiE

2/18/2021 PE Injection

x64Migrator.exe --> CreateProcess CMD.exe <-- Fibs.exe <-- InjectShellcode --> C2 Callback
Sensors picked up a new PEx64 injector that maps an .exe into the memory space of a legitimate process. We had some problems getting it working with our shellcode injector, which injects a Covenant C2 Grunt into itself, but managed to get it working with the system binary cmd.exe. While providing better OpSec when compared to spawning a random process with a sketchy location path, a better legitimate process can be found (cmd made a network connection to xxx.xxx.x.x – not great). No detections on the MDE stack (BlockMode Auto-Remediation Group). We will share the resources we used for this attack after some upcoming client work.

PE-Injection Info (MITRE): https://attack.mitre.org/techniques/T1055/002/

2/14/2021 Writeup: UAC Bypass -> WMI Persistence -> Process Fiber Shellcode Injection -> Covenant C2

Intro

Deriving intelligence from sensors that register human momentum within the security ecosystem serves us well, granting insight into how adversaries may, or currently are, attacking IT systems. It allows us to triage signals we feel are impactful and pose a real chance of slipping through the cracks of advanced security stacks, gaining execution. Operator tradecraft intelligence is also quite useful as it articulates what open-source exploit systems are in vogue and may be combined for greater effect. Advanced adversaries are rapidly embracing open-source software, and for good reason. Open-source software provides much more anonymity when compared to custom malware development, the lead time between offensive campaigns is reduced, innovation is greatly expanded, and the flying of false flag operations is possible. Nevertheless, that is not the scope of today's blog; utilizing trending UAC bypasses and combining them with an APT favorite (WMI) to gain persistence is. Let's dig in.
In the upcoming testing, we assume some type of initial access which results in the download and execution of our maliciousness. Our testing will then pick up at that point, deciding on proper evasion for the execution (actually gaining execution) and elevating privileges to persist on the endpoint after a reboot. In the blue team's corner, we have Microsoft's Defender for Endpoint (MDE), which is available for those customers using E/3 – E/5 licensing for Windows 10. We have configured the EDR in BlockMode and have enabled automated remediation for the machine group containing the endpoints.

The overall attack architecture is as follows:

Attack 1: Muffin.exe(UAC bypass) -> GetMoving.cmd(Elevated) -> mofcomp.exe(persistence) -> WmiPrvSe.exe -> Fibres2.exe(NT SYSTEM) -> Covenant C2(C&C)

Attack 2: MeFirst(UAC bypass) -> WMIpers.cmd(Elevated) -> EventSubWMI.ps1(persistence) -> WmiPrvSe.exe -> script.ps1 -> Fibres.exe(NT SYSTEM) -> Covenant C2(C&C)

Executing Shellcode via Process Fibers

So, the first thing we needed to do was figure out what we would execute after achieving a high integrity context – thank you, trending UAC bypasses. One of the most common categories of behaviors our passive sensing technologies ingest is T1055 - Process Injection. Process injections are a great form of defense evasion as they (in a very broad sense) overtake a portion of a process's memory and then inject their malicious intent into that process's memory space. There are many different flavors of process injection, each with their own benefits and operational security considerations. Lately, our team has been utilizing trending process hollowing techniques (creating a process in a suspended state -> injecting shellcode -> resuming the suspended process and executing the shellcode) to achieve our goals, but the MDE stack has caught on to these shenanigans.
Our team turned to one of our newer intelligence capabilities (the Hunter Module), which utilizes Cyber Mongol's advanced signatures to go out and find relevant operator tactics on the open internet. In this case, we put together signatures made up of API calls, text features, system binaries and associated privileges to find shellcode injectors which utilize process fibers to execute shellcode within a process. Rooting through the treasure trove of returned data, we indeed found suitable candidates that would covertly inject shellcode into the memory space of a process.

GetMoving.cmd

Ok, now that that is sorted, let's start at the beginning of "Attack 1"…executing the initial UAC bypass (Muffin.exe) that will pass on its own elevated token to the rest of our attack chain. This UAC bypass utilizes the Microsoft-signed binary ComputerDefaults.exe, which possesses an AutoElevate attribute set to true. The bypass creates a process which inherits the high integrity context of its parent process; in our case Muffin.exe spawns GetMoving.cmd (which orchestrates the rest of our attack) and passes on its associated privileges. Something to note: the user account must be part of the local administrators group for this bypass to work. Luckily, this user configuration can be quite prevalent, in our experience. GetMoving.cmd has three purposes.
We also added some basic OpSec by changing PoC code that requires pop-up windows / user input and added code to the relevant cpp console applications, "ShowWindow(GetConsoleWindow(), SW_HIDE);", hiding console windows. We left the console window open for GetMoving.cmd so that we could have a look at our .mof file being ingested. Lastly, we simulated a victim harmlessly opening up the Windows Store.

WMI Persistence

Now would be a great time to chat about the WMI persistence portion of the attack – Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003). During our testing this week we tried two different UAC bypass techniques that have been trending, both producing similar results. They each produced alerts in MDE of varying degrees, but none were blocked from executing. Similarly, we employed two different ways of achieving WMI persistence through subscription, with only one of these techniques alerted on (mofcomp.exe). Without getting too deeply into the weeds here (deep dive), our intention was to register WMI persistence that would connect back to our Covenant C2 channel every time the Windows Store application was launched. Of notable mention, WmiPrvSe.exe is the parent process for WMI subscription execution, and this results in an integrity level of NT SYSTEM for the resulting subscription's action (fiber injection Covenant C2 implant). Good score! The noisier of the two tactics we employed to register WMI event subscriptions was to use mofcomp.exe. This Windows binary parses a .mof file (StickAround.mof) and creates a WMI permanent event subscription based on the file.
The much quieter way of registering a WMI event subscription (contrasted against the MDE stack) was to utilize PowerShell’s native ability to interact with WMI directly. Here, we used the attack architecture depicted above in “Attack 2” which possesses a few key differences when compared to "Attack 1."
This method was highly effective and was not blocked or flagged by the security stack. The only alert that was generated could actually have been misleading to an incident responder, alerting that the UAC bypass was fully remediated and blocked from executing (this UAC alert happened in both attack scenarios). A busy SOC analyst may have triaged this alert as "investigate later," depending on their current priorities – after all, they would have thought the compromise was rectified by the automation. Both "Attack 1" and "Attack 2" resulted in an initial C&C channel in high integrity and a persistent channel with SYSTEM level integrity. None of these attacks were blocked from completing, but "Attack 1" certainly generated more alerts that would get the operation burned.
After completing a week of testing (UAC bypasses + fiber shellcode injection), we put together a few signatures for the Hunter module that would find more shellcode injectors, utilizing process fibers (they are extremely effective). The data we ingested was awesome, with a few great intel finds that we plan to analyze in the coming days.
Our last bit of UAC bypass tactics research ends off with combining the use of trusted directories using trailing spaces "c:\windows \system32\" and a shellcode injector utilizing process fibers, inevitably resulting in a C2 channel with high integrity. What's interesting about these trending UAC bypasses our CTI engine has been articulating is that MS doesn't seem to consider them a security boundary. Users running with local admin privs (which happens quite a bit) are a big win for an adversary if combined with other evasion tradecraft such as process injection, which we show here. This tactic has a fairly easy detection, which is to hunt for any directories with trailing spaces. Nonetheless, it is an effective way to execute malicious code with high integrity, as shown by executing a Covenant implant.
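The detection the post points at (hunt for directories with trailing spaces) as an added example; this is not code from the original post or from the linked projects. It sweeps a set of trusted roots (the root list is an assumption, adjust it per host), flags directory names ending in whitespace or a period (a generalization of the trailing-space case, since both are normalized away by the Win32 path rules the bypass relies on), shows the invisible trailing characters as hex, and reports which legitimate path the name mimics.

```powershell
# Added example, not from the original post: hunt for directory names that end in a
# space or a period under the trusted roots the trailing-space bypass imitates.
# The default root list is an assumption; widen it (or pass -Recurse) for a full sweep.
function Find-TrailingSpaceDirs {
    param(
        [string[]]$Roots = @('C:\', 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'),
        [switch]$Recurse
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '[\s.]$' } |
            ForEach-Object {
                # The trailing characters are invisible in normal output, so print them as hex
                # (UTF-16 code units) to make "Windows " distinguishable from "Windows".
                $tail = ''
                if ($_.Name -match '([\s.]+)$') {
                    $tail = ($Matches[1].ToCharArray() | ForEach-Object { '0x{0:x2}' -f [int]$_ }) -join ' '
                }
                # The legitimate path this name impersonates once the tail is stripped.
                $mimic = Join-Path (Split-Path -Parent $_.FullName) ($_.Name -replace '[\s.]+$', '')
                [pscustomobject]@{
                    Path          = $_.FullName
                    TrailingBytes = $tail
                    Mimics        = $mimic
                    MimicExists   = (Test-Path -LiteralPath $mimic)
                    CreatedUtc    = $_.CreationTimeUtc
                    LastWriteUtc  = $_.LastWriteTimeUtc
                }
            }
    }
}

# Usage: quick sweep of the trusted roots, then a deeper recursive pass over C:\Windows.
Find-TrailingSpaceDirs | Format-Table -AutoSize
Find-TrailingSpaceDirs -Roots 'C:\Windows' -Recurse | Format-Table Path, TrailingBytes, MimicExists -AutoSize
```

Any hit where MimicExists is true deserves a look at what sits inside it and when it was created. One caveat: because the Win32 API strips trailing spaces and periods from paths, opening or enumerating the contents of such a directory from PowerShell may fail or land in the legitimate directory instead; tooling that uses the `\\?\` path prefix (or removal via the same prefix) is needed to act on it.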
Bypass: shubham0d/UAC-bypass-using-dll-injection: A small project to bypass UAC in windows 10/8/7 using dll injection technique (github.com)
Blog: Hijacking DLLs in Windows (wietzebeukema.nl)

"Recorded Future expects further adoption of open source tools that have recently gained popularity, specifically Covenant, Octopus C2, Sliver, and Mythic."

We have strung together some trending, open source tradecraft, utilizing a UAC bypass that has had significant human momentum behind it, showing the potential for serious compromise, with very little modification to the open source tool systems.
1. Modify UAC bypass to execute WMIPers.cmd with High integrity
2. WMIPers.cmd runs command "PowerShell Set-ExecutionPolicy Unrestricted" to change the execution policy
3. WMIPers.cmd executes EventSubWMI.ps1 (High Integrity required) to create a WMI permanent event subscription (SYSTEM). The subscription executes a script when the Windows Store app is opened, firing binary Fibre.exe (a shellcode injector utilizing process fibers to execute)
4. WMIPers.cmd also executes Fibre.exe to establish an initial C2 channel in High Integrity
5. The Windows Store app is opened, creating a second channel back to the C2 in SYSTEM context

*Better OpSec needed (cleanup, windows, etc) for real engagement*

Sensors ingested a new UAC bypass that leverages the AutoElevate attribute for Microsoft-signed binary ComputerDefaults.exe. We tested the bypass against Microsoft Defender for Endpoint in BlockMode, which was ineffective. More worrisome, the EDR showed that the threat had been "Blocked", which was inaccurate, as we were even able to execute the exact same binary (UAC bypass) multiple times, and it remained on disk. This goes to show, technology still can't take the place of trained humans required for post-investigation response.
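The write-up's WMI persistence (registered via mofcomp.exe in "Attack 1" and via PowerShell in "Attack 2" and steps 3-5 above) lands in the same place either way: a __EventFilter, an __EventConsumer and a __FilterToConsumerBinding in root\subscription. The following added example, which is not the post's own EventSubWMI.ps1 or StickAround.mof, enumerates those three classes from the defender's side, joins them through the bindings, and flags the shape described here (a process-creation filter bound to a consumer that runs a command line or script). The interpreter and path patterns it flags are assumptions chosen for this example.

```powershell
# Added example, not from the original post: list permanent WMI event subscriptions and
# flag the combination this write-up describes. Run from an elevated prompt to see everything.
function Resolve-RefName {
    # Binding Filter/Consumer properties are object references. Get-CimInstance surfaces them as
    # CimInstance objects; Get-WmiObject would give strings like __EventFilter.Name="x". Handle both.
    param($Ref)
    if ($null -eq $Ref) { return $null }
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $Ref }
    }
    return $Ref.Name
}

function Get-WmiPersistence {
    param([string]$Namespace = 'root/subscription')

    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $fName  = Resolve-RefName $b.Filter
        $cName  = Resolve-RefName $b.Consumer
        $f      = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c      = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $cClass = if ($c) { $c.CimClass.CimClassName } else { 'missing' }

        # What the consumer would actually run, depending on its class.
        $payload = switch ($cClass) {
            'CommandLineEventConsumer'  { @($c.ExecutablePath, $c.CommandLineTemplate) -join ' ' }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }

        $reasons = @()
        if ($cClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
            $reasons += "consumer executes code ($cClass)"
        }
        # Triggers typical of persistence: process start (as with the Windows Store here), logon, timers.
        if ($f.Query -match 'Win32_Process|__InstanceCreationEvent|Win32_LogonSession|Win32_LocalTime') {
            $reasons += 'filter fires on process start, logon or a timer'
        }
        # Assumed indicator patterns for this example: interpreters / LOLBins and user-writable paths.
        if ($payload -match '(?i)powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|\.ps1|\\Users\\|\\Temp\\|\\ProgramData\\') {
            $reasons += 'payload invokes an interpreter or a user-writable path'
        }
        # The SCM Event Log subscription ships with Windows and is expected.
        if ($fName -eq 'SCM Event Log Filter' -and $cClass -eq 'NTEventLogEventConsumer') { $reasons = @() }

        [pscustomobject]@{
            Filter        = $fName
            Query         = $f.Query
            Consumer      = $cName
            ConsumerClass = $cClass
            Payload       = $payload
            Suspicious    = ($reasons.Count -gt 0)
            Reasons       = ($reasons -join '; ')
            Binding       = $b
        }
    }
}

function Remove-WmiPersistence {
    # Remove one finding from Get-WmiPersistence: the binding first, then its filter and consumer.
    param([Parameter(Mandatory)]$Finding, [string]$Namespace = 'root/subscription')
    Remove-CimInstance -InputObject $Finding.Binding
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter   | Where-Object Name -eq $Finding.Filter   | Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer | Where-Object Name -eq $Finding.Consumer | Remove-CimInstance
}

# Usage: overview of every binding, then full detail for the flagged ones.
Get-WmiPersistence | Format-Table Filter, ConsumerClass, Suspicious, Reasons -AutoSize
Get-WmiPersistence | Where-Object Suspicious | Format-List Filter, Query, Consumer, Payload, Reasons
```

Because this reads the subscription repository itself, it does not depend on how the subscription was created, which is the gap the post describes: the PowerShell route avoided the mofcomp.exe alert but leaves the same three objects behind. For continuous coverage rather than point-in-time hunting, Sysmon event IDs 19, 20 and 21 (WMI filter, consumer and binding activity) and event 5861 in the Microsoft-Windows-WMI-Activity/Operational log record the creation of these objects regardless of the tool used.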
UAC Bypass: 0xyg3n/UAC_Exploit: Escalate as Administrator bypassing the UAC affecting administrator accounts only. (github.com)