*Trending LSASS Dumper Paired with ngrok Exfiltration*

Sensors have been observing growing human momentum behind MirrorDump, which is bound to a highly amplified social structure directly connected to other significant and effective exploit tools, making adversary adoption of MirrorDump highly probable. MirrorDump is an LSASS dumping tool that uses a dynamically compiled LSA plugin to grab a handle to lsass and API hooking to capture the resulting dump in memory. We paired this with our ngrok dropper from a few days ago, but MirrorDump is getting flagged by signature-based AV, which we haven’t rectified yet. The video shows the functionality of the dropper, the LSASS dumper and the exfiltration of the memory dump, first with no endpoint protections enabled and then with the full MDE stack. With a bit more work to evade signature detections, this could be an extremely effective vector. Lastly, this would need to be paired with a privilege escalation to dump LSASS (we just launched from admin).
MirrorDump: https://github.com/CCob/MirrorDump

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Part 1:
*Custom Dropper Using ngrok to Expose Victim Filesystem over HTTPS*

Without leveraging a high integrity context, the dropper is able to download ngrok (SmartScreen normally flags this binary) and execute it in a way that makes the file system where it was executed available publicly through an HTTPS tunnel. We used a VBS script to kick off the dropper, making it execute the .cmd file without an output window. GotIt.txt was just simulated data to be exfiltrated, but this dropper will be paired with a trending LSA dump technique in the coming days. Testing was against Microsoft Defender for Endpoint (BlockMode + Automated Investigations): zero detections. Advanced adversaries such as APT33, APT34 and APT39 (a sub-group of APT34) use ngrok quite skillfully in order to meet various objectives.

FoxKitten Campaign: https://lnkd.in/eNaYvuJ

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

3/23/2021

*Dropper to DLL Injection: Red / Blue*

This is part of a larger attack chain that I am building out and wanted to share along the way. As usual, the simulation begins right after an initial access event has transpired but before execution of the dropper. The dropper (requirements.cmd) starts the rdpclip.exe process in case it’s not active and parses for the process’s PID; setup.exe then injects a DLL (Covenant C2 grunt) into rdpclip.exe, and that process reaches out to the C2. Planning to add to this: some PrivEsc, impairing defenses, persistence and an obfuscated C2 infrastructure.
Microsoft Defender for Endpoint (EDR + BlockMode + Automated Investigations) vs Dropper -> Start rdpclip.exe -> Find PID -> DLL Injection (Implant, Medium integrity) -> rdpclip.exe -> Covenant C2 == Zero alerts, but there is always evidence… let’s have a look.

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

3/19/2021

*Deception*

Today we set up an interesting simulation that tested Microsoft Defender for Endpoint in a standard deployment (without ASR but with things like BlockMode enabled), then tried out their new Evaluation Lab, where endpoints come hardened per Microsoft’s specs, and also tested an unnamed IR team’s ability to detect based on their automation and hands-on-keyboard skills.
Scenarios

After an extremely engaging conversation with a colleague who spent years in the intelligence service, I wanted to employ some of the real-world tactics he had observed nation states utilizing. One thing he said that really stuck with me was, “Most of the time [APTs] they will operate in Medium integrity,” so as to use only as much privilege as needed to complete an objective. My colleague went on to explain that at other times they will create “noise” elsewhere to distract from their real intention. These thoughts inspired our testing today: we wanted to give the defense automation some exercise, but also the humans who knew activity was coming and were on alert for it. As with all Cyber Mongol simulations, we look to our CCI automation to tell us where there is human activity in the open-source or commoditized tradecraft ecosystem. We selected a PE injection which would memory-map another process injector (utilizing callbacks) to inject a Covenant C2 implant into “c:\Windows\System32\manage-bde.exe,” the legitimate process for BitLocker. This would be our sneakiness, an attempt to fool the skilled humans tasked to find us. So, if we were going to mimic the conversation I had with my colleague, we would need some loud and proud movements to draw the humans’ attention away from what we actually wanted to accomplish. We would basically try to accomplish the same goal stated above, but in a high integrity context. For this we saw that UACME (very popular tradecraft for UAC bypass) had some recent additions and decided to use the following code: https://github.com/hfiref0x/UACME/blob/master/Source/Akagi/methods/azagarampur.c. We were counting on the fact that, because this tradecraft was added to a social structure with such large social amplification, getting it noticed by the defenders would be a relatively sure thing, but it would also get us killed by MDE automation.
Lastly, we wanted to test two flavors of Microsoft Defender for Endpoint. The first would be a more standard deployment with BlockMode and automated investigations enabled but without things like Attack Surface Reduction rules. The second test would use Microsoft Defender for Endpoint’s Evaluation Lab, where all the defense bells and whistles are enabled by default.

Conclusions

IR Team: The team did well at articulating the UAC bypass that injected a Covenant Grunt in high integrity, but were unable to thoroughly convey our true intentions (medium integrity injection resulting in C2 comms through manage-bde.exe). They did see that the dropper interacted with the legitimate BitLocker process from the suspect directory and reached out to our already burned IP address, instead of using something nice like proxying through an Azure/Microsoft domain.

Microsoft Defender for Endpoint Standard Deployment: In this configuration, Microsoft Defender for Endpoint was unable to block any execution, but did articulate the UAC bypass and the PE re-mapping of manage-bde.exe. Ultimately, the automated investigation found the PE injection to be benign.

Microsoft Defender for Endpoint Evaluation Lab Config: Full shutdown of our operation, zero execution. Well done!

3/14/2021

*Leaking Information via PDF Metadata*

I just read an extremely interesting paper (below) on exploiting metadata found in various document types, specifically to enumerate an organization. We built a quick test by putting together a simple Hunter signature to search for publicly published PDF files (from a major cybersecurity company) and then parsed the PDFs’ metadata for information that could be used on a campaign. An adversary could easily create similar automation and then extract usable information such as usernames and file paths used to create the document, the software used, patching habits for that software and more.
I’m not too proud to admit that we haven’t been sanitizing our metadata either… which we will definitely start doing.
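As a defender-side complement to the metadata harvesting described in this post, the following added example (not the post's own Hunter signature or parser) audits a PDF's Info dictionary for the fields an adversary would collect (author, creator/producer software and versions, paths in titles, timestamps) and blanks them in place with same-length padding, so every byte offset the xref table points at stays valid. It uses only the standard library; the SAMPLE_PDF bytes and the names in them are constructed for the demo.

```python
"""Audit and blank the PDF Info dictionary before publication.

Added example; it is not the post's Hunter signature or parser. It reads the
same /Info entries an adversary would harvest (author, creator/producer
software, paths in titles, dates), reports them, and blanks them in place
with same-length padding so every byte offset the xref table points at is
unchanged. Standard library only; SAMPLE_PDF is constructed for the demo.
"""
import re

# Info-dictionary keys that typically carry usernames, file paths, software
# names/versions and timestamps.
SENSITIVE_KEYS = ("Author", "Creator", "Producer", "Title", "Subject",
                  "Keywords", "CreationDate", "ModDate")

# One /Key value pair: value is a literal string (...) with \-escapes, or a
# hex string <...>. Nested unescaped parentheses are not handled (rare in Info).
_ENTRY_RE = re.compile(
    rb"/(" + b"|".join(k.encode() for k in SENSITIVE_KEYS) + rb")\b\s*"
    rb"(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)"
)

# Constructed sample: a minimal PDF whose Info dictionary leaks a username,
# the authoring software and a local document path.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Author (jsmith) /Creator (Microsoft Word 2016)\n"
    b"   /Producer (Acrobat Distiller 9.0.0 \\(Windows\\))\n"
    b"   /Title (C:\\\\Users\\\\jsmith\\\\Documents\\\\Q3 report.docx)\n"
    b"   /CreationDate (D:20210314120000Z) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)


def find_info_object(pdf: bytes):
    """Return (start, end) of the body of the object the trailer's /Info points at.

    The last /Info reference wins, because incremental updates append new
    trailers; likewise the last definition of that object number is used.
    """
    refs = re.findall(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)
    if not refs:
        return None
    pattern = rb"(?<![0-9])" + refs[-1] + rb"\s+\d+\s+obj\b(.*?)\bendobj"
    matches = list(re.finditer(pattern, pdf, re.S))
    return matches[-1].span(1) if matches else None


def _decode(value: bytes) -> str:
    """Decode a PDF literal or hex string to text (common escapes only)."""
    if value.startswith(b"<"):
        return bytes.fromhex(value[1:-1].decode("ascii")).decode("latin-1")
    return re.sub(rb"\\(.)", rb"\1", value[1:-1]).decode("latin-1")


def audit_metadata(pdf: bytes) -> dict:
    """Map each sensitive Info key present to its decoded value."""
    span = find_info_object(pdf)
    if span is None:
        return {}
    info = pdf[span[0]:span[1]]
    return {m.group(1).decode(): _decode(m.group(2)) for m in _ENTRY_RE.finditer(info)}


def scrub_metadata(pdf: bytes, keys=SENSITIVE_KEYS) -> bytes:
    """Blank the selected Info values in place, preserving the file length."""
    span = find_info_object(pdf)
    if span is None:
        return pdf
    start, end = span

    def blank(m):
        if m.group(1).decode() not in keys:
            return m.group(0)
        value = m.group(2)
        head = m.group(0)[: m.start(2) - m.start(0)]      # "/Key " unchanged
        return head + value[:1] + b" " * (len(value) - 2) + value[-1:]

    info = _ENTRY_RE.sub(blank, pdf[start:end])
    assert len(info) == end - start, "scrub must not move bytes"
    return pdf[:start] + info + pdf[end:]


if __name__ == "__main__":
    for key, val in audit_metadata(SAMPLE_PDF).items():
        print(f"{key:13} {val}")
    cleaned = scrub_metadata(SAMPLE_PDF)
    print("after scrub:", {k: v.strip() for k, v in audit_metadata(cleaned).items()})
```

The Info dictionary is only one of two places this data lives: PDFs produced by modern authoring tools also carry an XMP metadata stream (the /Metadata entry of the catalog) with the same creator, producer and date fields, so a publishing gate should check both, and the result is best confirmed with an independent reader such as exiftool before the file goes public.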
Paper: https://lnkd.in/ekFdRf3

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

In this scenario, we are working with a customer’s EDR, independent of any Microsoft native or Microsoft cloud-delivered security technologies. We are assuming initial access has taken place, accompanied by a download event to the “C:\Windows\System32\spool\drivers\color” folder, which only requires regular user access to write to. First to fire is MS-printcolor.exe (UAC bypass), which hands execution to colorconf.cmd (batch file) that executes with high integrity. The batch file fires mofcomp.exe, which registers a persistent WMI event subscription (colorwheel.mof), finally executing a SYSTEM-level C2 channel any time the WinStore.App.exe process is executed. Any day with WMI is a fun day!
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

3/5/2021

*Callback Shellcode Injection: Undetected by Microsoft Defender for Endpoint*

Our intelligence engine has seen recent human momentum behind an older technique that seems to be picking up steam again: callback shellcode injection. The technique uses a native Windows function (in this case EnumSystemGeoID) which is handed a memory address containing shellcode, which is then executed. The curious thing was that the MDE timeline registered our execution as a “CreateRemoteThread” API call, which wasn’t used. I’m still wrapping my head around the technical details, so this may be due to my own misunderstanding of how “EnumSystemGeoID” works. Regardless, quite effective! Similar Lazarus tactics were recently analyzed by nccgroup and the analysis can be found below.
Docs

Callbacks: /var/log/notes (ropgadget.com)
EnumSystemGeoID: https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemgeoid
Lazarus Analysis: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
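Each of the chains in the posts above leaves telemetry a SOC can alert on: the dynamically compiled LSA plugin loaded into lsass (MirrorDump post), ngrok launched by a batch dropper (ngrok dropper post), rdpclip.exe started by the .cmd dropper (DLL injection post), the BitLocker process manage-bde.exe reaching out to a C2 address (Deception post), and execution out of the user-writable spool\drivers\color folder followed by a WMI event subscription (WMI post). The following is an added example, not the author's or Microsoft's tooling: a small rule set run over constructed Sysmon-style records. Field names follow Sysmon's schema for event IDs 1 (process create), 3 (network connect), 7 (image load) and 19 to 21 (WMI filter, consumer, binding); the file names, subscription names, command lines and the IP address are made up for the demo.

```python
"""Rule-based detection for the telemetry the chains above leave behind.

Added example, not the author's or Microsoft's tooling. It runs a small rule
set over constructed Sysmon-style records: process creation (ID 1), network
connection (ID 3), image load (ID 7) and WMI subscription activity (IDs 19,
20, 21), each reduced to the fields the rule needs. Field names follow
Sysmon's schema; file names, subscription names and the IP are made up.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Standard user accounts can write here, so it is a favoured drop folder.
USER_WRITABLE_SYSTEM32 = "c:\\windows\\system32\\spool\\drivers\\color\\"


def unsigned_module_in_lsass(ev):
    # A dynamically compiled LSA plugin cannot carry a valid signature.
    if ev["id"] == 7 and _name(ev["Image"]) == "lsass.exe" \
            and ev.get("Signed", "false").lower() != "true":
        return f"unsigned module {ev['ImageLoaded']} loaded into lsass.exe"


def ngrok_agent_started(ev):
    cmd = ev.get("CommandLine", "").lower()
    if ev["id"] == 1 and (_name(ev["Image"]) == "ngrok.exe" or "ngrok" in cmd):
        return f"ngrok tunnel agent launched: {ev['CommandLine']}"


def rdpclip_from_script_host(ev):
    # rdpclip.exe belongs to the RDP session, not to a batch or VBS dropper.
    if ev["id"] == 1 and _name(ev["Image"]) == "rdpclip.exe" \
            and _name(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
        return f"rdpclip.exe started by {ev['ParentImage']}"


def execution_from_color_dir(ev):
    if ev["id"] == 1 and ev["Image"].lower().startswith(USER_WRITABLE_SYSTEM32):
        return f"executable run from user-writable System32 folder: {ev['Image']}"


def bitlocker_tool_network_connection(ev):
    # manage-bde.exe is a local administration tool; outbound traffic from it
    # matches the injected-implant pattern in the Deception post.
    if ev["id"] == 3 and _name(ev["Image"]) == "manage-bde.exe":
        return f"manage-bde.exe connected to {ev['DestinationIp']}:{ev['DestinationPort']}"


def wmi_subscription_created(ev):
    if ev["id"] in (19, 20, 21) and ev.get("Operation") == "Created":
        kind = {19: "filter", 20: "consumer", 21: "binding"}[ev["id"]]
        what = ev.get("Name") or ev.get("Consumer")
        return f"permanent WMI event {kind} created: {what}"


RULES = [
    ("unsigned_module_in_lsass", "high", unsigned_module_in_lsass),
    ("ngrok_agent_started", "high", ngrok_agent_started),
    ("rdpclip_from_script_host", "medium", rdpclip_from_script_host),
    ("execution_from_color_dir", "medium", execution_from_color_dir),
    ("bitlocker_tool_network_connection", "high", bitlocker_tool_network_connection),
    ("wmi_subscription_created", "medium", wmi_subscription_created),
]


def run_rules(events):
    """Apply every rule to every event; return findings in event order."""
    findings = []
    for ev in events:
        for name, severity, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append(Finding(name, severity, detail))
    return findings


# Constructed events; the first and sixth are benign controls.
SAMPLE_EVENTS = [
    {"id": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\msv1_0.dll", "Signed": "true"},
    {"id": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Users\Public\lsaplugin.dll", "Signed": "false"},
    {"id": 1, "Image": r"C:\Users\Public\ngrok.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ngrok.exe http 8080"},
    {"id": 1, "Image": r"C:\Windows\System32\rdpclip.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "rdpclip.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\spool\drivers\color\MS-printcolor.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "MS-printcolor.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\manage-bde.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"id": 19, "Operation": "Created", "Name": "colorwheel_filter",
     "Query": "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='WinStore.App.exe'"},
    {"id": 20, "Operation": "Created", "Name": "colorwheel_consumer", "Type": "Command Line"},
    {"id": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="colorwheel_consumer"',
     "Filter": '__EventFilter.Name="colorwheel_filter"'},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

The rules are deliberately narrow heuristics rather than signatures: the LSASS rule fires on any unsigned module load, which also catches credential-theft tooling other than MirrorDump, while the WMI rule needs the Sysmon WmiEvent events enabled in the sensor configuration, since IDs 19 to 21 are not logged by default. Each rule is a plain predicate, so the same table can be expressed as Sigma or as a Defender for Endpoint advanced-hunting query once the field names are mapped.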