7/4/2020

Process Hollowing: Evade Win 10 1909 Security and Implant a Covenant C2 Grunt

Intro
At Cyber Mongol, we are in the business of forecasting and articulating trends in emerging adversary behaviors. One important aspect of behavior forecasting is ground-truthing some of the emerging signals articulated by our CTI engine. Over the last year, it has become increasingly difficult to execute and evade on a Windows 10 endpoint with off-the-shelf tooling. Being able to pull off sophisticated operator tactics with little to no modification to the underlying tradecraft is important to our research because it signals the likelihood that an enterprise may encounter this vector. An effective technique that skirts modern defenses and achieves execution with nothing more than the knowledge of which tool systems to string together is quite advantageous for adversaries. Unsophisticated adversaries will use this knowledge for the obvious reason: it lowers the skill barrier of an otherwise advanced technique that would not otherwise be accessible to them. Sophisticated adversaries may use the same knowledge to mimic unsophisticated adversaries and make attribution more difficult. In this research, we string together tools that have been signaled by our CTI engine to get a Covenant C2 grunt (implant) to execute on a Win10E 1909 endpoint and bypass the standard defenses in the enterprise stack.

The Tools: Covenant C2
Covenant C2 is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers [1]. This open-source project is connected to one of the most influential development clusters associated with offensive .NET tradecraft. The efficacy of an emerging tool system can also be judged by the other tool systems connected to the same development cluster. In this case, this tool walks among gods, with the likes of Empire [2], BloodHound [3] and Impacket [4] associated with the cluster.
The Tools: donut
Donut creates position-independent shellcode that loads .NET assemblies. This is a massive topic domain in itself, and a great place to start is TheWover's blog post [5], which is a primer on the tool and on .NET tradecraft. For this discussion, it suffices to know that this tool lets us take Covenant's binary launcher (.exe) and create shellcode that is injected into a suspended process's memory and gains execution while evading defenses. This is quite important tradecraft when operating with Covenant C2, because the framework cannot generate shellcode natively, and shellcode is needed for more advanced attacks such as process injection.


The Tools: defcon27 Talk
Our sensors picked up chatter in mid-2019 regarding a talk at DEF CON entitled "Writing custom backdoor payloads with C#" [6]. The resources surrounding this talk (lab guide and source code) are an excellent way to learn these advanced techniques. They also make it fairly easy for an operator with an intermediate skillset to implement sophisticated tactics, provided they know how to slightly modify the vector articulated in the talk.


Technique: Process Hollowing (T1093)
Process hollowing occurs when a process is created in a suspended state, then its memory is unmapped and replaced with malicious code. Similar to process injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis [7]. Examples of advanced adversaries and tool systems that utilize process hollowing are Gorgon Group [8], Cobalt Strike [9] and Smoke Loader [10].
Stringing It All Together
As stated above, the whole point of this exercise is to get a Covenant Grunt executed on a Windows 10 endpoint without tripping defenses. It stands to reason that the first step is to set up Covenant C2 infrastructure as per your needs.

  1. Once you have an infrastructure in place, generate a Covenant binary launcher and save the executable that is produced as "GruntStager.exe".
  2. Next you will need to install donut. Create C# shellcode from the Covenant launcher (.exe) with the following options: set the architecture to x64 (-a 2), select C# for output (-f 7) and save to a blank file called "GruntStager.bin". The command to do this is: donut.exe -a 2 -f 7 C:\Users\Administrator\Downloads\GruntStager.exe -o C:\Tools\GruntStager.bin
  3. Within the defcon27_csharp_workshop, navigate to the C# script contained in lab7, entitled 2.cs [11]. Here, we need to edit the process to be manipulated (line 63), which we set to "notepad.exe", and replace the byte array after "=" with the byte array newly generated by donut, contained within "GruntStager.bin".
  4. Now rename and compile that C# code using CSC.exe with this command: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe phallow.cs
  5. Deliver and execute the newly compiled binary on the target machine, evading Windows 10 standard enterprise security features.
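From the defender's side, the chain above leaves a distinctive footprint: the hollowed notepad.exe has to pull the .NET runtime (clr.dll and friends) into a process that never hosts the CLR, and its parent is whatever dropped the compiled stager rather than explorer.exe. The following is an added detection sketch, not code from this post or from any of the projects it cites; the Sysmon-style events, the pid values, the phallow.exe path and the list of "native hosts that should never load the CLR" are all constructed or assumed for the example.

```python
"""Flag native Windows processes that load the .NET CLR (hollowing tell).

Constructed Sysmon-style records (not real telemetry): EventID 1 is
ProcessCreate, EventID 7 is ImageLoad. A donut-wrapped .NET assembly
running inside a hollowed notepad.exe must load the CLR into that process.
"""
from collections import defaultdict

# DLLs whose presence means a .NET runtime was brought into the process.
CLR_DLLS = {"clr.dll", "mscoree.dll", "mscoreei.dll", "clrjit.dll", "coreclr.dll"}

# Native binaries that have no business hosting the CLR (assumed allow/deny list;
# tune per environment, e.g. powershell.exe and mmc.exe are legitimate hosts).
NON_DOTNET_HOSTS = {"notepad.exe", "svchost.exe", "explorer.exe", "calc.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_clr_in_native_hosts(events):
    """Return one finding per process that loads CLR DLLs while its image is a
    native host; the creating parent is attached when a ProcessCreate was seen."""
    parent_of = {}              # pid -> ParentImage
    loaded = defaultdict(set)   # pid -> CLR dlls observed
    image_of = {}               # pid -> Image (taken from either event type)
    for ev in events:
        pid = ev["ProcessId"]
        image_of.setdefault(pid, ev["Image"])
        if ev["EventID"] == 1:
            parent_of[pid] = ev["ParentImage"]
        elif ev["EventID"] == 7 and _basename(ev["ImageLoaded"]) in CLR_DLLS:
            loaded[pid].add(_basename(ev["ImageLoaded"]))
    return [
        {"pid": pid, "image": image_of[pid], "parent": parent_of.get(pid),
         "dlls": sorted(dlls)}
        for pid, dlls in loaded.items()
        if _basename(image_of[pid]) in NON_DOTNET_HOSTS
    ]


# Constructed sample: stager spawns notepad.exe, which then loads clr.dll;
# powershell.exe loading clr.dll is benign and must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\user\Downloads\phallow.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4188, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\user\Downloads\phallow.exe"},
    {"EventID": 7, "ProcessId": 4188, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessId": 4188, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessId": 5000, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]
```

Running `find_clr_in_native_hosts(SAMPLE_EVENTS)` yields a single finding for pid 4188 (notepad.exe, parent phallow.exe, clr.dll loaded); pairing this with the parent being an unsigned binary outside a system directory raises confidence further.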
Follow-On Resources:
1. https://github.com/cobbr/Covenant
2. https://github.com/EmpireProject/Empire
3. https://github.com/BloodHoundAD/BloodHound
4. https://github.com/SecureAuthCorp/impacket
5. https://thewover.github.io/Introducing-Donut/
6. https://github.com/mvelazc0/defcon27_csharp_workshop
7. https://attack.mitre.org/techniques/T1093/
8. https://attack.mitre.org/groups/G0078/
9. https://attack.mitre.org/software/S0154/
10. https://attack.mitre.org/software/S0226/
11. https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab7/2.cs