​*Building New Data Tool: Cyber Fist* Cyber Fist adds fuzzy search capability across a big chunk of our dataset. While still in early development, it’s clear how much additional knowledge it can unlock which until now, has been buried deep inside our Neo4j dataset. Cyber Fist will integrate with our automation’s Hunter module, allowing for simultaneous research and the reshaping of data. It’s funny how crisis can fuel critical innovation as that was the case here.
 

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Warning CVE-2021-26868 Publicly Available Exploit Code* Our Counter Cyber Intelligence (CCI) Automation has just ingested exploit code that targets a Windows Graphics Component and injects shellcode into winlogon.exe, resulting in SYSTEM level privilege escalation. Below, we test the base exploit (injects cmd.exe) and then modify it to inject a Covenant C2 implant with SYSTEM-level integrity. Microsoft has released a patch for this vulnerability Mar. 9th and can be found in the follow-on resources below.
 
Exploit: https://github.com/mavillon/CVE-2021-26868/blob/main/CVE-2021-26868/exp/exp.cpp
 
MS Security Guidance: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26868
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Exploiting CVE-2021-26415 on Windows 10 for Privilege Escalation* Working with an interesting vector today which leverages crafting a malicious .msi package and utilizes a symlink attack, resulting in the creation of a new local user and adding them to the local administrators group. The user creation is triggered when someone launches an administrative PowerShell session and the command (net user FooBar P@ssw0rd /add ; net localgroup Administrators FooBar /add ) is loaded from “C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1”. This vector has been patched by Windows updates on 2021-04-13. All pertinent info can be found below:
 
PoC Author writeup: https://www.cloaked.pl/2021/04/cve-2021-26415/
 
BaitandSwitch Tool: https://github.com/googleprojectzero/symboliclink-testing-tools
 
Privileged File Operation Abuses: An introduction to privileged file operation abuse on Windows - Almond Offensive Security Blog
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​Both failure and experimentation have been instrumental in developing my offensive tradecraft skills. While not a red teamer by trade (I am an intelligence tool builder), being able to recreate tradecraft has always been important, validating the signals being generated from the automation that I build. One facet of our cyber intelligence, or counter cyber intelligence (CCI) to be more specific, are the detailed mappings of social structures within the commoditized exploit tool ecosystem. These data structures have the ability to anticipate which exploit tools and tradecraft may be combined with another, possibly being disparate at a surface glance but connected within our dataset by way of social, developer or technical relationships. It is these possible tradecraft combinations that then fuel our experimentation to ground-truth how the signals would behave if combined together. This writeup has been fueled by just such a scenario as we explore building a dropper that can bypass UAC (User Account Control) and persist through WMI, turned into shellcode and injected into a remote process. Testing was conducted on a Windows 10 box and with MDE (Microsoft Defender for Endpoint) installed, BlockMode and Automated Investigations enabled. While the attack was fully executed, MDE automated investigations caught up with us and eventually killed our fun. This is the story.
 
Lately, we have been zeroing in on a part of the kill chain that transpires right after an initial access event (like malicious macro downloads payload) has taken place and then finishing right before lateral movement. It is within this scope that we will operate for this writeup and build a dropper that will automate all aspects of the attack. Three months ago, many of our signals related to UAC bypass ran FUD (fully undetected) when tested on endpoints protected by MDE. As of late, Microsoft has stepped up their detection game and getting a FUD UAC bypass on an MDE protected endpoint, is difficult. In an attempt to combat this newfound blue team’s strength, we decided to build our exploitation logic so that it could be turned into shellcode via donut.exe (“Generates position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory”) and injected into various processes. Ultimately, the injected offensive logic is able to download additional payloads, bypass UAC, install WMI persistence and callback to Covenant C2 as NT AUTHORITY\SYSTEM. 

​

​Slippery.exe:
Slippery.exe’s primary purpose is to be turned into shellcode and injected into WmiPrvSE.exe, via process hollowing. It’s exploit logic is that of a dropper / UAC Bypass which executes an attack chain, culminating in SYSTEM level persistence. Let’s walk through some of its code.

​Slippery.exe Functionality:
Slippery.exe establishes HTTPS connections with ngrok and leverages the curl.exe binary found preinstalled in Windows 10, to download its payloads.

1. Using the command "ngrok http file:///C:\Users\user\Downloads" exposes an attacker's local file system (housing payloads to be downloaded) and makes payloads accessible from the public internet.
2. The https address that is created for the ngrok tunnel is then put into the C# code as a process start argument for curl.exe.
3. The process curl.exe is created with “process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden” to specify not to create a window with the starting of the process.

File Drops:
Slippery.exe has two defined download paths where it will drop files to disk:

1. C:\Users\Public
2. C:\Windows\System32\spool\drivers\color

Slippery.exe itself is executed within C:\Users\Public\Downloads, additionally downloading the file ClipEvent.ps1 to the same directory and then dropping files fontdrvx64.exe and wscRGB.ps1 to a user writeable folder contained within C:\Windows\System32\spool\drivers\color\. The files fontdrvx64.exe and wscRGB.ps1 are the persistence payloads that are called by a WMI event subscription, which we will describe below. The thinking here was that if our UAC bypass was flagged (but not blocked from executing), MDE would articulate all associated processes, files and corresponding locations, triggering a human investigation of the affected items. In order to try and deceive the investigators and keep the persistent C2 channel active, Slippery.exe tries to break that clear investigation linkage by downloading the initial stages to the first path, downloading the persistence payloads to the second path and then attempting to obfuscate their execution relationship which will also be discussed below. Choosing the user writable subfolder within system32 was a good hiding spot before, but is now detected by MDE and in our case, initiated an automated investigation that inevitably led to the automation discovering and neutralizing the persistence payloads. The irony wasn’t lost on us that in actuality, it was this automated investigation that got us burned. Afterwards, I was thinking to keep all payloads together in Public\Downloads and then during WMI persistence execution (as SYSTEM), moving the WMI payloads into the protected folder to not raise the same alert. 

​The UAC Bypass:
Leveraging the native binary fodhelper.exe, Slippery.exe will bypass UAC by exploiting odd behaviors found within fodhelper.exe. This native binary is an "auto-elevated" binary and will look for additional process creation arguments, should certain registry keys exist. If those keys are created, fodhelper.exe will execute the command value which is contained within one of those keys (high-integrity context), thereby bypassing UAC. We wrote some very basic C# code to exploit this vulnerability which was based on trending vectors, articulated within our CCI dataset. The bypass code achieves the following:
​

1. Create subkey: CurrentUser\Software\Classes\ms-settings\Shell\Open\command
2. Set Value DelegateExecute: ""(blank)
3. Set Value (Default) "": C:\Users\Public\Downloads\ClipEvent.ps1
4. Start process fodhelper.exe with hidden window

Persistence & Hiding Execution Relationships:
So, this method was really about dismantling the forensic relationship between the initial execution and the persistence mechanism because we knew the UAC bypass method would get flagged. In the end, we were caught on the decision to write to a protected folder as an unprivileged user, coupled with the UAC bypass that indeed was flagged. None the less, we feel this strategy applied slightly differently could be highly effective and run FUD. The exploit logic for persistence will be discussed in two parts; the initial part that registers the persistence and then the second part which details what the persistence does.
 
Persistence Logic (ClipEvent.ps1):
To gain persistence on this endpoint ClipEvent.ps1 opted for an old favorite and that was a WMI event subscription. One difference here is that we decided not to use mofcomp.exe to register an event subscription as that vector is detected by MDE, now. Instead, we crafted a PowerShell approach which did the following:
​

1. Create an Event Filter for ProcessStartTrace on process rdpclip.exe
2. Create a CommandLineEventConsumer which would launch a PowerShell Script
3. Create FilterToConsumerBinding

​Persistence Payload Logic (wscRGB.ps1):
wscRGB.ps1 is a tiny script that is meant to start the process injector (fontdrvx64.exe) which injects Covenant C2 implant shellcode as NT AUTHORITY\SYSTEM. Its secondary function is to delete the initial files that were dropped to Public\Downloads.

​Execution Relationship Obfuscation:
Our idea was to download the first process injector (containing the UAC bypass) and the first ps1 script (responsible for WMI persistence) into Public\Downloads and the second injector (Covenant implant) and ps1 script (WMI payload for the CommandLineEventConsumer) into a user writable folder, within system32. The rationale was that if our UAC bypass was alerted on, investigators would have a harder time connecting the dots between it and the resulting process injection, stemming from a sub folder in system32 with no clear execution linkage. We broke up the execution relationship by not passing execution directly from the process responsible for bypassing UAC (Slippery.exe’s logic injected into WmiPrvSE.exe) and registering WMI persistence. Instead, Slippery.exe would initially kill process rdpclip.exe (in case it was already active) and then at the end of its logic, start rdpclip.exe which would then trigger the WMI permanent event subscription, therby firing the second injector connecting back to the C2 as SYSTEM. Remember, part of the WMI payload’s logic (wscRGB.ps1) was to delete ClipEvent.ps1 (registers the WMI event subscription) which would clearly articulate the directory of the WMI payload to be executed by the “CommandLineEventConsumer.” That being said, defenders could still see the resulting WMI payload location by inspecting tools such as ScriptBlock Logging or the AMSI content output in MDE (shown below). Additionally, due to the fact we got lit up for dropping a file to a protected folder which was user writeable, the automation was able to see the injected process (Dropper/UAC bypass) WmiPrvSE.exe now connected with the WMI payloads in system32 we were trying to obfuscate (also shown below).

Process Injector (Process Hollowing (fontdrvx64.exe & SM.exe))
For the injector we used a modified version of a payload discussed at Defcon 27, “Writing custom backdoor payloads with C#,” which can be found below. Both fontdrvx64.exe and SM.exe were identical injectors, except for the shellcode that they injected. SM.exe was responsible for injecting the initial dropper/UAC bypass and fontdrvx64.exe was the persistent injector hidden within “C:\Windows\System32\spool\drivers\color\, responsible for injecting the Covenant implant.”

(defcon27_csharp_workshop/2.cs at master · mvelazc0/defcon27_csharp_workshop · GitHub)

​Conclusions:
In this round of experimental testing, MDE really ate our lunch for us but we learned quite a bit. Some key takeaways are as follows:
 

1. C:\Windows\System32\spool\drivers\color\ is not a safe zone anymore
2. Accessing that protected folder after WMI execution (as SYSTEM) may have neutralized that alert
3. The creation of registry key: CurrentUser\Software\Classes\ms-settings\Shell\Open\command is heavily monitored by MDE and a great detection point for this specific UAC bypass
4. Use more reflection rather than on-disk payloads :)
5. As always, keep experimenting and have fun!

​*Why Regular Antivirus is not Enough: A Roll-Your-Own UAC Bypass vs Regular AV & MDE* Building a UAC bypass in C# that leverages fodhelper.exe and right off the bat, it bypasses regular AV. When executed against MDE, the bypass gets about two seconds of life. MDE detects on the behavior associated with changing the registry values which are needed for this bypass. It goes to show you why just regular AV isn’t enough these days. Some neat things coming up to try with this bypass, with the intent to get it to run FUD against the MDE. We jumped off these codes found below:
 
UAC bypass 1:
https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692
 
UAC bypass 2: https://github.com/0xyg3n/UAC_Exploit
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*C# Dropper: Attack Chain Fully Executed + Detailed Blue Perspective of the Attack Timeline (MDE BlockMode Auto Investigations)* We got the dropper almost there with only one detection on the UAC bypass which MDE wrongly classified as blocked. This itself was a bit of a battle as MDE completely blocks the stock UAC bypass from executing. The incident starts with the dropper assessing the executing process’s SID and escalating if not Administrator, dropping files to disk via ngrok (https), injecting shellcode for the first C2 callback in high integrity and then installing WMI persistence with ProcessStartTrace on WinStore.app.exe, which injects shellcode and calls back to the C2 as SYSTEM, every time the Windows store is launched. We modified and utilized the commoditized tooling found below (unmodified versions).
 
0xyg3n/UAC_Exploit: https://github.com/0xyg3n/UAC_Exploit
 
EDRGoesBrrr: https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs/DemoDInvokeLoader
 
donut: https://github.com/TheWover/donut
 
Covenant: https://github.com/cobbr/Covenant
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*C# Dropper, D/Invoke Direct System Calls + Shellcode Injection* Round 2 with an edited version of Jean-Francois Maes’s code (EDRGoesBrrr) which utilizes the direct system call functionality. This functionality can be very broadly defined as retrieving a syscall number for a Windows function (located on disk from within ntdll.dll) and then placing that corresponding syscall number on the eax register and entering the kernel directly. By not having to use the Windows function located within ntdll.dll, it is possible to bypass EDR hooks that may be present in that corresponding function – you go underneath the EDR’s hooks in ntdll.dll. This was then added to the dropper I am working on which tested FUD against MDE (BlockMode and Automated Investigations enabled).
 
EDRGoesBrrr-source:https://github.com/NVISOsecurity/brown-bags/blob/main/DInvoke%20to%20defeat%20EDRs/DemoDInvokeLoader
 

*C# Dropper, D/Invoke Manual Mapping(ntdll.dll) + Shellcode Injection* After a really good talk by Jean-Francois Maes, I wanted to try his code’s functionality (EDRGoesBrrr) with a dropper that I’m working on. The dropper opens an HTTPS tunnel with ngrok, downloads an edited version of his injector which leverages D/Invoke to manually map ntdll.dll (avoiding any hooks) and then injects a Covenant implant into RDP clipboard monitor. I did use the NuGet package for D/Invoke which didn’t seem to cause any problems. No alerts in MDE but there was an informational warning in the timeline regarding the parent PID spoofing. Testing was done on MDE (BlockMode + Automated Investigation).
 
 
Talk (EDR Mechanics / Evasion Techniques): Defeating EDR's using D/Invoke - YouTube

 
EDRGoesBrrr(source):brown-bags/DInvoke to defeat EDRs/DemoDInvokeLoader at main · NVISOsecurity/brown-bags · GitHub
​

*Cyber Mongol’s Adversary Tradecraft Simulator (Faza Agent): Check Privs, Elevate to High, Impair Telemetry, DLL Inject C2 Implant (High), Persist WMI(SYSTEM)* The Faza Agent utilizes Cyber Mongol’s Counter Cyber Intelligence (CCI) to pull in real, on-trend, commoditized tradecraft that tests advanced defenses. Faza will be available as an integration for Microsoft for Endpoint’s Evaluation Lab and additionally, a standalone offering.

We are still working on the mechanics of the agent and fully expected that we’d get busted by the EDR, flagging on the UAC bypass we are using. Faza’s current functionality is to check the integrity level of the process, bypass UAC, inject Covenant grunt for 1st C2 channel, disable MDE telemetry, add persistence with a WMI event subscription and then connect back to the C2 as SYSTEM, when the event subscription is triggered (starting Win store process).

 Currently, Faza is in its infancy but I thought it would be interesting to share as we build it out.

​
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Step 2 - Custom FUD Dropper in C#: Privilege Escalation Logic Added* Continuing the build on the dropper that can pull in commoditized tooling that our engine sees signals on, I wrote the logic that would assess the current SID and determine if the process was in medium or high integrity. If in medium, the logic branches off and downloads a UAC bypass (commoditized tooling) before it injects a Covenant grunt, resulting in a high integrity context. The dropper ran good against standard Defender AV (undetected) but was burned against MDE EDR (medium integrity injection still worked), which was to be expected. I still have some OpSec work to do on the dropper’s UAC bypass before it is ready to tackle the big dog (MDE EDR) and run FUD.
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*Custom FUD Dropper in C#: RED/BLUE Perspectives*I wrote a custom dropper in C# that reaches back to adversary infrastructure via ngrok, downloads a DLL injector, looks for and(or) starts rdpclip.exe and then injects a Covenant C2 implant into that process. The dropper ran completely undetected and even passed two cloud delivered security scans (“Your administrator requires a security scan”). Testing was conducted against the MDE stack (AV/EDR (BlockMode AutoRemediation)).
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*Trending LSASS Dumper Paired with ngrok Exfiltration* Sensors have been observing growing human momentum behind MirrorDump which is bound to a highly amplified social structure, directly connected to other significant and effective exploit tools – making adversary adoption of MirrorDump highly probable.  MirrorDump is an LSASS dumping tool that uses a dynamically compiled LSA plugin to grab a handle to lsass and API hooking for capturing the resulting dump in memory. We paired this with our ngrok dropper from a few days ago but MirrorDump is getting flagged for signature (AV) which we haven’t rectified yet. The video shows the functionality of the dropper, LSASS dumper and the exfil of the memory dump with no endpoint protections enabled and then with the full MDE stack. With a bit more work to evade signature detections, this could be an extremely effective vector. Lastly, this would need to be paired with a Privilege Escalation to dump LSASS (we just launched from admin).
 
MirrorDump: https://github.com/CCob/MirrorDump
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Part1: 

​*Custom Dropper Using ngrok to Expose Victim Filesystem over HTTPS* Without leveraging a high integrity context, the dropper is able to download ngrok (SmartScreen normally flags this binary) and executes it in a way that makes the file system, where it was executed, available publicly through an HTTPS tunnel. We used a VBS script to kick off the dropper, making it execute the .cmd file without an output window. GotIt.txt was just simulated data to be exfiltrated but this dropper will be paired with a trending LSA dump technique, in the coming days. Testing was against Microsoft Defender for Endpoint (BlockMode + Automated Investigations) - zero detections. Advanced adversaries such as APT33, APT34 and APT 39 (sub-group of APT34) use ngrok quite skillfully, in order to meet various objectives.

FoxKitten Campaign: https://lnkd.in/eNaYvuJ

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*Dropper to DLL Injection: Red / Blue* This is part of a larger attack-chain that I am building out and wanted to share along the way. As usual, the simulation begins right after an initial access event has transpired but before execution of the dropper. The dropper (requirements.cmd) then goes ahead and starts the rdpclip.exe process in case it’s not active, parses for the process’s PID, setup.exe injects a DLL (Covenant C2 grunt) into process rdpclip.exe and that process then reaches out to the C2. Planning to add to this – some PrivSec, impairing defenses, persistence and an obfuscated C2 infrastructure.
 
Microsoft Defender for Endpoint (EDR+BlockMode+AutomtedInvestigations) vs Dropper->Start rdpclip.exe->Find PID->DLL Injection(Implant(Medium))->rdpclip.exe->CovenantC2==Zero alerts but there is always evidence…let’s have a look.
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Today we setup an interesting simulation that tested Microsoft Defender for Endpoint in a standard deployment (without ASR but with things like BlockMode enabled), then tried out their new EvaluationLab where endpoints come hardened per Microsoft’s specs and also tested an unnamed IR team’s ability to detect based on their automation and hands-on-keyboard skills. 
​

Scenarios
After an extremely engaging conversation with a colleague who spent years in the intelligence service, I wanted to employ some of the real-world tactics that he had observed nation states utilizing. One thing that he said that really stuck with me was, “Most of the time [APTs] they will operate in Medium integrity,” as to only use as much privilege as needed to complete an objective. My colleague went on to explain that other times they will create “noise” elsewhere to distract from their real intention. It was these thoughts that inspired our testing today, we wanted to give the defense automation some exercise but also the humans that knew activity was coming and were on alert for it.
 
As with all Cyber Mongol simulations, we look to our CCI automation to let us know where there is human activity in the opensource or commoditized tradecraft ecosystem. We selected a PE injection which would memory map another process injector (utilizing callbacks) to inject a Covenant C2 implant into “c:\Windows\System32\manage-bde.exe,” which is the legitimate process for BitLocker. This would be our sneakiness to attempt to fool the skilled humans that were tasked to find us.
 
So now, if we are going to mimic the conversation I had with my colleague, we would need some loud and proud movements that would draw the human’s attention away from what we actually wanted to accomplish. We would basically try to accomplish the same goal stated above but in a high integrity context. For this we saw that UACME (very popular tradecraft for UAC bypass) had some recent additions and decided to use the following code, (https://github.com/hfiref0x/UACME/blob/master/Source/Akagi/methods/azagarampur.c). We were counting on the fact that because this tradecraft was added to a social structure with such a large social amplification, getting it noticed by the defenders would be relatively a sure thing – but also kill us for MDE automation.
 
Lastly, we wanted to test two flavors of Microsoft Defender for Endpoint. The first would be a more standard deployment with BlockMode and automated investigations enabled but not utilizing things like Attack Surface Reduction methods. The second test would be using Microsoft Defender for Endpoint’s EvaluationLab where all the defense bells and whistles are enabled by default.
 
 
Conclusions 
IR Team: The team did well at articulating the UAC bypass that injected a Covenant Grunt in high integrity but were unable to thoroughly convey our true intentions (medium integrity injection resulting in C2 comms through manage-bde.exe). They did see that the dropper interacted with the legitimate Bitlocker process from the suspect directory and reached out to our already burned IP address, instead of using something nice like proxying through an Azure/Microsoft domain.
 
Microsoft Defender for Endpoint Standard Deployment: In this configuration, Microsoft Defender for Endpoint was unable to block any execution but did articulate the UAC bypass and the PE re-mapping of manage-bde.exe. Ultimately, the automated investigation found the PE injection to be benign.
 
Microsoft Defender for Endpoint EvalutionLab Config: Full shutdown of our operation – zero execution. Well done!

*Leaking Information via PDF Metadata* I just read an extremely interesting paper (below) on exploiting metadata found in various document types, specifically to enumerate an organization. We built a quick test by putting together a simple Hunter signature to search for publicly published PDF files (major cybersecurity company) and then parsed the PDF’s metadata for information that could be used on campaign. An adversary could easily create similar automation and then extract usable information like usernames and file paths used to create the document, software used, patching habits for that software and more. I’m not too proud to admit that we haven’t been sanitizing our metadata either…which we will definitely start to.

Paper: https://lnkd.in/ekFdRf3


#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

In this scenario, we are working with a customer’s EDR independent of any Microsoft native or Microsoft cloud delivered security technologies. We are assuming initial access has taken place, accompanied with a download event to “C:\Windows\System32\spool\drivers\color” folder, which only requires regular user access to write to. First to fire is MS-printcolor.exe (UAC bypass) which hands execution to colorconf.cmd (batch file) that executes with high integrity. The batch file fires mofcomf.exe which registers a persistent WMI event subscription (colorwheel.mof), finally executing a SYSTEM level C2 channel anytime the WinStore.App.exe process is executed. Any day with WMI is a fun day!



#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Callback Shellcode Injection: Undetected by Microsoft for Endpoint * Our intelligence engine has seen recent human momentum behind an older technique that seems to be picking up steam again – callback shellcode injection. The technique uses a native Windows function (in this case EnumSystemGeoID) which is handed a memory address containing shellcode and then executed. The curious thing was that the MSE timeline registered our execution as a “CreateRemoteThread” API call which wasn’t used. I’m still wrapping my head around the technical details so this may be due to my own misunderstanding of how “EnumSystemGeoID” works. Regardless, quite effective! Similar Lazarus tactics were recently analyzed by nccgroup and the analysis can be found below.
 
Docs Callbacks: /var/log/notes (ropgadget.com)
 
EnumSystemGeoID: https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemgeoid
 
Lazarus Analysis: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
 

​*Great Cobalt Strike Resource* While writing backend code to build and analyze more complex social structures between exploit tools and their authors, we came across a tradecraft cluster with significant Cobalt Strike depth. White paper coming soon that details all the special things our tech does.
 
The center of the cluster is a great resource, find below:
 
 
Awesome-CobaltStrike: https://github.com/zer0yu/Awesome-CobaltStrike
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
 

The engine found shellcode injection techniques that are extremely simple and unquestionably effective. I think I am in love….

​
​#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Dump Lsass with SharpMiniDump NTFS transactions + UAC bypass + Exfil .dmp file to Dropbox. Overall, MDE BlockMode did a good job articulating this vector in the device timeline. Utilizing SharpMiniDump NTFS transactions (a fork of b4rtik/SharpMiniDump) to avoid writing the dump file to disk and exfiltrating it out to an awaiting Dropbox, made a big difference in avoiding being blocked from executing. The UAC bypass (Medium.exe) executes enough to drop into high-integrity and fire SharpMiniDump (SMD.exe). It took forever to upload the .dmp file to Dropbox - which eventually lost out to my patience (killed process before .dmp file finished). With some work, this may be a good vector.

Lsass Dumper: https://lnkd.in/eD3m2gu

UAC Bypass: https://lnkd.in/dwXdNiE


#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Migrator.exe -->CreateProcess CMD.exe<--Fibs.exe<-- InjectShellcode-->C2 Callback
 
Sensors picked up a new PEx64 injector that maps an .exe into the memory space of a legitimate process. We had some problems getting it working with our shellcode injector which injects a Covenant C2 Grunt into itself but managed to get it working with the system binary cmd.exe. While providing better OpSec when compared to spawning a random process with a sketchy location path, a better legitimate process can be found (cmd made network connection to xxx.xxx.x.x – not great). No Detections on the MDE stack (BlockMode Auto-Remediation Group). We will share the resources we used for this attack after some upcoming client work.
 
PE-Injection Info (MITER): https://attack.mitre.org/techniques/T1055/002/
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam 

Intro
Deriving intelligence from sensors that register human momentum within the security ecosystem serves us well, granting insight into how adversaries may, or currently are attacking IT systems. It allows us to triage signals we feel are impactful and pose a real chance of slipping through the cracks of advanced security stacks, gaining execution. Operator tradecraft intelligence is also quite useful as it articulates what opensource exploit systems are in vogue and may be combined for greater effect. Advanced adversaries are rapidly embracing opensource software and for good reason. Opensource software provides much more anonymity when compared to custom malware development, the lead-time between offensive campaigns is reduced, innovation is greatly expanded, and the flying of false flag operations is possible. Nevertheless, this is not the scope of todays blog, utilizing trending UAC bypasses and combining them with an APT favorite (WMI) to gain persistence, is. Let’s dig in.
 
In the upcoming testing, we assume some type of initial access which results in the download and execution of our maliciousness. Our testing will then pick up at that point, deciding on proper evasion for the execution (actually gaining execution) and elevating privileges to persist on the endpoint after a reboot. In the blue team’s corner, we have Microsoft’s Defender for Endpoint (MDE) which is available for those customers using E/3 – E/5 licensing for Windows 10. We have configured the EDR in BlockMode and have enabled automated remediation for the machine group containing the endpoints. The overall attack architecture is as follows:
 
Attack 1:
Muffin.exe(UAC bypass) -> GetMoving.cmd(Elevated) -> mofcomp.exe(persistence) -> WmiPrvSe.exe -> Fibres2.exe(NT SYSTEM) -> Covenant C2(C&C)
 
Attack 2:
MeFirst(UAC bypass) -> WMIpers.cmd(Elevated) -> EventSubWMI.ps1(persistence) -> WmiPrvSe.exe -> script.ps1 -> Fibres.exe(NT SYSTEM) -> Covenant C2(C&C)

Executing Shellcode via Process Fibers
So, first thing we needed to do is figure out what we would execute after achieving a high integrity context – thank you trending UAC bypasses. One of the most common categories of behaviors our passive sensing technologies ingest are T1055 - Process Injections. Process injections are a great form of defense evasion as they (in a very broad sense), overtake a portion of a process’s memory and then inject their malicious intent into that process’s memory space. There are many different flavors of process injection, each with their own benefits and operational security considerations. Lately, our team has been utilizing trending process hollowing techniques (creating a process in a suspended state -> injecting shellcode -> resuming suspended process and executing shellcode) to achieve our goals but the MDE stack has caught on to these shenanigans. Our team turned to one of our newer intelligence capabilities (The Hunter Module) which utilizes Cyber Mongol’s advanced signatures to go out and find relevant operator tactics on the open internet. In this case, we put together signatures made up of API calls, text features, system binaries and associated privileges, to find shellcode injectors which utilize process fibers to execute shellcode within a process. Rooting through the treasure trove of returned data, we indeed found suitable candidates that would covertly inject shellcode into the memory space of a process.

GetMoving.cmd​
Ok, now that that is sorted, let’s start at the beginning of “Attack 1”…executing the initial UAC bypass (Muffin.exe) that will pass on its own elevated token, to the rest of our attack chain. This UAC bypass utilizes the Microsoft signed binary ComputerDefaulst.exe which possesses an AutoElevate attribute, set to true. The bypass creates a process which inherits the high integrity context of its parent process, in our case Muffin.exe spawns GetMoving.cmd (which orchestrates the rest of our attack) and passes on its associated privileges. Something to note, the user account must be part of the local administrators group for this bypass to work. Luckily, this user configuration can be quite prevalent, in our experience.  
 
GetMoving.cmd has three purposes.

1. To set PowerShell “Set-ExecutionPolicy Unrestricted”
2. Utilize elevated PowerShell to execute mofcomp.exe and register a WMI permanent event subscription (StickAround.mof) for persistence in SYSTEM context
3. Lastly, utilize elevated CMD to execute Fibres2.exe and inject itself with Covenant C2 implant shellcode, in high integrity (initial C&C channel).

​
We also added some basic OpSec by changing PoC code that requires pop-up Windows / User input and added code to relevant cpp console applications, “ShowWindow(GetConsoleWindow(), SW_HIDE);” hiding console windows. We left the console window open for GetMoving.cmd so that we could have a look at our .mof file being ingested. Lastly, we simulated a victim harmlessly opening up the Windows Store. 

WMI Persistence
​Now would be a great time to chat about the WMI persistence portion of the attack – Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003) . During our testing this week we tried two different UAC bypass techniques that have been trending, both producing similar results. They each produced alerts in MDE of varying degrees, but none were blocked from executing. Similarly, we employed two different ways of achieving WMI persistence through subscription, with only one of these techniques alerted on (mofcomp.exe). Without getting too deeply into the weeds here (deep dive), our intention was to register WMI persistence that would connect back to our Covenant C2 channel, every time the Windows Store application was launched. Of notable mention, WmiPrvSe.exe is the parent process for WMI subscription execution and this results in an integrity level of NT SYSTEM, for the resulting subscription’s action (fiber injection Covenant C2 Implant). Good score!
​
The noisier of the two tactics we employed to register WMI event subscriptions was to use mofcomp.exe. this Windows binary parses a .mof file (StickAround.mof) and creates a WMI permanent event subscription based on the file.
​

1. StickAround.mof created a trace event (Query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName=\"WinStore.App.exe\"") that looks for the Windows Store application being launched.
2. It then registers a “CommandLineConsumer” that directly executes our fiber injector (Fibres2.exe), which injects itself with shellcode that calls back to our Covenant C2 channel (CommandLineTemplate = "cmd /C C:\\Users\\Public\\Fibres2.exe").
3. Lastly, a binding between the event and consumer is created.

The much quieter way of registering a WMI event subscription (contrasted against the MDE stack) was to utilize PowerShell’s native ability to interact with WMI directly. Here, we used the attack architecture depicted above in “Attack 2” which possesses a few key differences when compared to "Attack 1."

1. Utilize a PowerShell script (instead of mofcomp.exe) to register a WMI event subscription (same event as Attack 1).
2. The event consumer, “commandLineConsumer” would fire another PowerShell script (script.ps1) that would then execute the fiber injection (fibres.exe), every time the Windows Store application was launched.
3. None of the basic OpSec modifications were taken that were described above.

This method was highly effective and was not blocked or flagged by the security stack. The only alert that was generated could actually have been misleading to an incident responder, alerting that the UAC bypass was fully remediated and blocked from executing (this UAC alert happened in both attack scenarios). A busy SOC analyst may have triaged this alert as “investigate later,” depending on their current priorities – afterall, they would have thought the compromise was rectified by the automation. 

​Both “Attack 1” and “Attack 2” resulted in an initial C&C channel in high integrity and a persistent channel with SYSTEM level integrity. None of these attacks were blocked from completing but “Attack 1” certainly generated more alerts that would get the operation burned. 

After completing a week of testing (UAC bypasses + fiber shellcode injection), we put together a few signatures for the Hunter module that would find more shellcode injectors, utilizing process fibers (they are extremely effective). The data we ingested was awesome, with a few great intel finds that we plan to analyze in the coming days.
 

 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Our last bit of UAC bypass tactics research ends off with combining the use of trusted directories using trailing spaces "c:\windows \system32\" and a shellcode injector utilizing process fibers, inevitably resulting in a C2 channel with high integrity. What’s interesting about these trending UAC bypasses our CTI engine has been articulating is that MS doesn’t seem to consider them a security boundary. Users that are running with local admin privs (which happens quite a bit) is a big win for an adversary if combined with other evasion tradecraft such as process injection, which we show here. This tactic has a fairly easy detection which is to hunt for any directories with trailing spaces. None the less, it is an effective way to execute malicious code with high integrity, as shown by executing a Covenant implant.
 
Bypass: shubham0d/UAC-bypass-using-dll-injection: A small project to bypass UAC in windows 10/8/7 using dll injection technique (github.com)
 
Blog: Hijacking DLLs in Windows (wietzebeukema.nl)
 
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam