# Threat Intelligence of Abused Public Post-Exploitation Frameworks

Internet Initiative Japan Inc.
Masafumi Takeda

-----

## Speakers

- Masafumi Takeda
  - SOC member since 2018
  - Experience in building and operating SOC infrastructure and EDR evaluation
- Tomoya Furukawa
  - SOC member since 2017
  - Experience in SIEM management

-----

## Background

- Authors of Post-Exploitation Frameworks have made their source code publicly available
  - Attackers can use them without any financial cost
- Some Post-Exploitation Frameworks that the attackers used are not listed in the MITRE ATT&CK database
- Indicators of some Post-Exploitation Frameworks listed in the MITRE ATT&CK database have not been analyzed

## Goals

1. Investigating frameworks that are not listed in the MITRE ATT&CK database
2. Analyzing indicators related to MITRE ATT&CK techniques

-----

## MITRE ATT&CK Tactics

|Tactics|Description|
|---|---|
|Execution|The adversary is trying to run malicious code|
|Persistence|The adversary is trying to maintain their foothold|
|Privilege Escalation|The adversary is trying to gain higher-level permissions|
|Defense Evasion|The adversary is trying to avoid being detected|
|Credential Access|The adversary is trying to steal account names and passwords|
|Discovery|The adversary is trying to figure out your environment|
|Lateral Movement|The adversary is trying to move through your environment|
|Collection|The adversary is trying to gather data of interest to their goal|
|Command and Control|The adversary is trying to communicate with compromised systems to control them|
|Exfiltration|The adversary is trying to steal data|

-----

## Scope of this presentation

- Introduction of techniques that many Post-Exploitation Frameworks have in common
  - In this presentation, we will introduce some "Execution" and "Persistence" techniques
- Indicators based on their source code
  - They might be recorded in Windows event logs

-----

# Surveying Post-Exploitation Tools

-----

## Survey source

- Lists C&C tools
- 139 tools listed as of December 2023
  - Commercial and deleted tools are also listed

-----

## Abused tools

- 22% of the tools (31 tools) have been abused
- 87% of the abused tools (27 tools) are published on GitHub

(Pie charts: Abused 22% / Not Abused 78%; of the abused tools, Public 87% / Not Public 13%)

-----

## Selection criteria

1. Source code is publicly available
2. Abuse cases have been reported
3. At least five of the "Tactics" in MITRE ATT&CK apply to the target
   - To exclude tools with limited functionality from the analysis

Target Frameworks: AsyncRAT, Covenant, DcRat, Empire, Havoc, Koadic, Merlin, PoshC2, Quasar, Sliver

-----

# Introducing Target Frameworks

-----

## Version information

|Framework|Evaluated Version (Release Date)|
|---|---|
|AsyncRAT|v0.5.8 (10/17/2023)|
|Covenant|v0.6 (08/18/2020)|
|DcRat|v1.0.7 (05/06/2021)|
|Empire|v5.7.3 (10/17/2023)|
|Havoc|No release version (08/25/2023)|
|Koadic|No release version (01/03/2022)|
|Merlin|v2.0 (11/06/2023)|
|PoshC2|v8.1 (08/01/2022)|
|Quasar|v1.4.1 (05/13/2023)|
|Sliver|v1.5.41 (07/12/2023)|

-----

## AsyncRAT

- Written in C#, published in 2019
- Latest version is v0.5.8 (published on 10/17/2023)
- Listed in the MITRE ATT&CK database
  - [https://attack.mitre.org/software/S1087/](https://attack.mitre.org/software/S1087/)
- Features
  - Based on Quasar
  - Added defense evasion features such as Process Injection or disabling AV
- Example threat report
  - OneNote Documents Increasingly Used to Deliver Malware, [https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware](https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware)

-----

## Covenant

- Written in C#, published in 2019
- Latest version is v0.6 (published on 08/18/2020)
  - Development has been stopped since 04/22/2021
- Not listed in the MITRE ATT&CK database
- Features
  - Contains many launcher types
  - SharpSploit is utilized in many features
- Example threat report
  - Operation RestyLink: APT campaign targeting Japanese companies, [https://jp.security.ntt/tech_blog/102hojk](https://jp.security.ntt/tech_blog/102hojk)

-----

## DcRat

- Written in C#, published in 2021
- Latest version is v1.0.7 (published on 05/06/2021)
  - This repository is archived because it was abused
- Not listed in the MITRE ATT&CK database
- Features
  - Based on AsyncRAT
  - Added some features such as ransom
- Example threat report
  - OnlyDcRatFans: Malware Distributed Using Explicit Lures of OnlyFans Pages and Other Adult Content, [https://www.esentire.com/blog/onlydcratfans-malware-distributed-using-explicit-lures-of-onlyfans-pages-and-other-adult-content](https://www.esentire.com/blog/onlydcratfans-malware-distributed-using-explicit-lures-of-onlyfans-pages-and-other-adult-content)

-----

## Empire

- Written as PowerShell scripts, published in 2019
  - BC Security has developed Empire since 2020 (v3.0)
- Latest version is v5.8.4 (published on 12/22/2023)
- Listed in the MITRE ATT&CK database
  - [https://attack.mitre.org/software/S0363/](https://attack.mitre.org/software/S0363/)
- Features
  - A launcher is needed to start an agent
    - The launcher is available in five file types
  - May expand its functionality with modules
  - Built-in Covenant
- Example threat report
  - OnlyDcRatFans: Malware Distributed Using Explicit Lures of

-----

## Havoc

- Written in C, published in 2022
- Not version controlled
  - Main branch was updated in 2023
- Not listed in the MITRE ATT&CK database
- Features
  - Execution with BOF (Beacon Object File)
  - Thorough detection evasion
  - May expand functionality with modules
- Example threat report
  - Malware Disguised as Document from Ukraine's Energoatom Delivers Havoc Demon Backdoor, https://www.fortinet.com/blog/threat

-----

## Koadic

- Written in Python, published in 2017
  - Agent is written in JScript/VBScript
- The latest version was published in 2021
  - Its development is still active
- Listed in the MITRE ATT&CK database
  - [https://attack.mitre.org/software/S0250/](https://attack.mitre.org/software/S0250/)
- Features
  - Most operations are executed using Windows Script Host
  - This framework can use SSL and TLS for secure communications
- Example threat report
  - The Cyber Attack "kiya" Targets the Construction Industry,

-----

## Merlin

- Written in Go, published in 2017
- Development is still active in 2023
  - Latest version is v2.1.1 (published on 01/05/2024)
- Not listed in the MITRE ATT&CK database
- Features
  - Cross-platform
  - May expand functionality by using external attack tools as modules
- Example threat report
  - MerlinAgent: a new open-source tool for carrying out cyberattacks against state organizations of Ukraine (CERT-UA#6995, CERT-UA#7183), https://cert.gov.ua/article/5391805

-----

## PoshC2

- Written in Python, published in 2016
- Latest version is v8.1 (published on 08/01/2022)
- Listed in the MITRE ATT&CK database
  - [https://attack.mitre.org/software/S0378/](https://attack.mitre.org/software/S0378/)
- Features
  - Multiple agent formats
    - C++ DLL, Shellcode, DotNet2JS, Executable, Msbuild, CSC, macOS JXA Dropper, Python2 Dropper
  - Cross-platform
- Example threat report
  - New targeted attack abusing the open-source tool "PoshC2" confirmed (Japanese), https://www.lac.co.jp/lacwatch/people/20190213_001770.html

-----

## Quasar

- Written in C#, published in 2015
  - xRAT, its predecessor, was published in 2014
- Latest version is v1.4.1 (published on 05/13/2023)
- Listed in the MITRE ATT&CK database
  - [https://attack.mitre.org/software/S0262/](https://attack.mitre.org/software/S0262/)
- Features
  - Operation by GUI
  - General RAT functions
- Example threat report
  - OneNote Documents Increasingly Used to Deliver Malware, [https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware](https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware)

-----

## Sliver

- Written in Go, published in 2019
- Latest version is v1.5.41 (published on 07/12/2023)
- Listed in the MITRE ATT&CK database
  - [https://attack.mitre.org/software/S0633/](https://attack.mitre.org/software/S0633/)
- Features
  - Cross-platform
  - Can use mTLS and DNS as a C&C protocol
  - May expand functionality with Armory modules
- Example threat report
  - Sliver C2 Being Distributed Through Korean Program Development Company, https://asec.ahnlab.com/en/55652/

-----

## Capability matrix

Capability matrix of the target frameworks (rows: Quasar, Empire, Merlin, AsyncRAT, Sliver, Covenant, PoshC2, DcRat, Koadic) across the tactics Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact. The cell markings of the matrix did not survive extraction; Quasar's row was highlighted for the discussion that follows.

-----

## Lateral Movement capability

- Quasar, AsyncRAT and DcRat have a remote desktop capability
  - This capability is classified as "Lateral Movement" in the MITRE ATT&CK database
- But their remote desktop capabilities are used against the compromised device
- We classified their remote desktop capabilities as "Remote Access Software", which is one of the "Command and Control" techniques

-----

# Threat Intelligence ~ Execution ~

-----

## Execution techniques

|Technique|Count|Frameworks|
|---|---|---|
|Windows Command Shell|10/10|AsyncRAT, Covenant, DcRat, Empire, Koadic, Havoc, Merlin, PoshC2, Quasar, Sliver|
|PowerShell|9/10|AsyncRAT, Covenant, DcRat, Empire, Havoc, Merlin, PoshC2, Quasar|
|Native API|4/10|Empire, Havoc, Merlin, Sliver|
|Command Interpreter|1/10|Empire|
|WMI|1/10|Koadic|

-----

## Windows Command Shell

- Usage
  - Remote shell
    - AsyncRAT, DcRat, Quasar, Sliver
  - Command execution
    - Koadic, Havoc, Merlin, Covenant
  - Launcher execution
    - Empire, PoshC2
- Indicators
  - Parent process
  - Command line

-----

## Windows Command Shell: remote shell

|Framework|Parent Process|Command Line|
|---|---|---|
|AsyncRAT||"cmd"|
|DcRat||"cmd"|
|Quasar||"cmd" /K chcp |
|Sliver||C:\Windows\System32\cmd.exe|

The remote shell of AsyncRAT (and DcRat, which is based on it) starts cmd.exe through `ProcessStartInfo("cmd")`, so the recorded command line is just `"cmd"`:

```csharp
public static void StarShell()
{
    // The shell process is created with "cmd" as the file name and no arguments,
    // so the command line logged for the child process is exactly "cmd".
    ProcessShell = new Process()
    {
        StartInfo = new ProcessStartInfo("cmd")
        {
            UseShellExecute = false,
            CreateNoWindow = true,
            RedirectStandardOutput = true,
            RedirectStandardInput = true,
            RedirectStandardError = true,
            WorkingDirectory = Path.GetPathRoot(Environment.GetFolderPath(Environment.SpecialFolder.System))
        }
    };
}
```

|Item|Value|
|---|---|
|Parent Process||
|Command Line|"cmd"|

-----

## Windows Command Shell: command execution

|Framework|Parent Process|Command Line|
|---|---|---|
|Havoc||/c |
|Koadic|rundll32.exe, regsvr32.exe, wmic.exe|C:\Windows\system32\cmd.exe /q /c chcp & 1> %LocalAppData%\Temp\.txt 2>&1|
|Merlin|(default)|C:\Windows\system32\cmd.exe /c |

-----

## Havoc

The client builds the shell task from `cmd.exe` as the program and `/c <command>` as the arguments only, so the command line recorded for the child process carries just the arguments:

```cpp
else if ( InputCommands[ 0 ].compare( "shell" ) == 0 )
{
    if ( InputCommands.length() > 1 )
    {
        // Program and arguments are passed separately: the arguments start with "/c "
        auto Program = QString( "c:\\windows\\system32\\cmd.exe" );
        auto Args    = QString( "/c " + JoinAtIndex( InputCommands, 1 ) ).toUtf8().toBase64(); // InputCommands[ 1 ].;

        TaskID = CONSOLE_INFO( "Tasked demon to execute a shell command" );
        CommandInputList[ TaskID ] = commandline;

        SEND( Execute.ProcModule( TaskID, 4, "0;FALSE;TRUE;" + Program + ";" + Args ) )
    }
}
```

On the agent side the task is handled by the process-creation command:

```c
case DEMON_COMMAND_PROC_CREATE: PUTS( "Proc::Create" )
{
    /* <…snip…> */
}
```

|Item|Value|
|---|---|
|Process Name|cmd.exe|
|Command Line|/c (arguments only)|

[https://github.com/HavocFramework/Havoc/blob/main/client/Source/Havoc/Demon/ConsoleInput.cpp#L876-L895](https://github.com/HavocFramework/Havoc/blob/main/client/Source/Havoc/Demon/ConsoleInput.cpp#L876-L895)

-----

## Koadic

- Koadic has 6 types of stagers
  - Stagers download a Koadic agent from a C&C server and execute it
- The agent's process is one of rundll32.exe, regsvr32.exe or wmic.exe

|Stager|Agent Process|
|---|---|
|stager/js/mshta|rundll32.exe|
|stager/js/rundll32_js|rundll32.exe|
|stager/js/disk|rundll32.exe|
|stager/js/bitsadmin|rundll32.exe|
|stager/js/regsvr|regsvr32.exe|

[https://github.com/offsecginger/koadic/blob/main/data/stager/js/stdlib.js#L952-L957](https://github.com/offsecginger/koadic/blob/main/data/stager/js/stdlib.js#L952-L957)

```javascript
try {
    var readout = ~OUTPUT~;
    if (readout) {
        // Command output is redirected to a UUID-named .txt file in the agent's temp directory
        var output = Koadic.shell.exec("~FCMD~", "~FDIRECTORY~\\" + Koadic.uuid() + ".txt");
    }
} catch (e) {
}
```

|Item|Value|
|---|---|
|Parent Process|rundll32.exe, regsvr32.exe, wmic.exe|
|Command Line|C:\Windows\system32\cmd.exe /q /c chcp & |

-----

## Windows Command Shell: launcher execution

|Framework|Parent Process|Command Line|
|---|---|---|
|Empire|(default) cmd.exe|(default) powershell.exe -nop -ep bypass -w 1 -enc |
|PoshC2||powershell -exec bypass -Noninteractive -windowstyle hidden -e |

-----

## Empire

[https://github.com/BC-SECURITY/Empire/blob/main/empire/server/stagers/windows/launcher_bat.py#L120-L128](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/stagers/windows/launcher_bat.py#L120-L128)

|Item|Value|
|---|---|
|Parent Process|cmd.exe|
|Command Line|(default) powershell.exe -nop -ep bypass -w 1 -enc |

-----

## PoshC2

[https://github.com/nettitude/PoshC2/blob/master/poshc2/server/payloads/Payloads.py#L145-L148](https://github.com/nettitude/PoshC2/blob/master/poshc2/server/payloads/Payloads.py#L145-L148)

|Item|Value|
|---|---|
|Parent Process|cmd.exe|
|Command Line|powershell -exec bypass -Noninteractive -windowstyle hidden -e |

-----

## PowerShell

- Usage
  - Remote shell
    - Sliver
  - Command and script execution
    - Koadic, Havoc, Merlin, AsyncRAT, DcRat, Quasar
  - Launcher execution
    - Empire, Covenant
- Indicators
  - Command line

-----

## PowerShell: remote shell

|Framework|Command Line|
|---|---|
|Sliver|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8|

- Sliver can execute PowerShell as a remote shell using the "shell" command
  - If PowerShell does not exist, it will execute cmd.exe
- Sliver warns that it is not a recommended command

|Item|Value|
|---|---|
|Parent Process||
|Command Line|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8|

-----

## PowerShell: script execution from a C&C server

|Framework|Command Line|
|---|---|
|AsyncRAT|powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -FilePath '"%TEMP%\[a-z]{6}.ps1"'|
|DcRat|powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -FilePath '"%TEMP%\[a-z]{6}.ps1"'|
|Havoc|-C |

- AsyncRAT and DcRat can receive and execute files from the C&C server using the 'SendFile' feature on the C&C server
- When 'To Disk' is selected, the script is written to a file, and it is executed using PowerShell

```csharp
// The file is written to %TEMP% under a six-character random name plus the
// extension chosen on the C&C server, e.g. %TEMP%\[a-z]{6}.ps1
string fullPath = Path.Combine(Path.GetTempPath(),
    Methods.GetRandomString(6) + unpack_msgpack.ForcePathObject("Extension").AsString);
// <…snip…>
if (unpack_msgpack.ForcePathObject("Extension").AsString.ToLower().EndsWith(".ps1"))
{
    // Resulting process chain: cmd.exe /c start /b powershell -ExecutionPolicy Bypass
    //   -WindowStyle Hidden -NoExit -FilePath '"%TEMP%\[a-z]{6}.ps1"' & exit
    Process.Start(new ProcessStartInfo
    {
        FileName = "cmd",
        Arguments = $"/c start /b powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -FilePath {"'" + "\"" + fullPath + "\"" + "'"} & exit",
        CreateNoWindow = true,
        // <…snip…>
    });
}
```
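As an added example that is not part of the presentation, the following Python matcher encodes the parent-process and command-line indicators from the Windows Command Shell and PowerShell tables above and runs them over constructed process-creation events (the three fields Security 4688 or Sysmon event 1 provide). The event shape, the regular expressions and every sample event are my own; the indicator strings are the ones in the tables. The bare `cmd.exe /c <command>` indicators of Havoc and Merlin are deliberately not encoded: without a parent-process constraint they match any ordinary `cmd /c` invocation, which is why the Koadic and Empire rules below pair the command line with the parent process the tables give.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record: the fields Security 4688 / Sysmon EID 1 provide."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Indicator:
    framework: str
    technique: str
    command_re: re.Pattern
    parents: Optional[FrozenSet[str]] = None  # None: the parent process is not part of the indicator


# Indicators transcribed from the Execution tables; the regexes are my encoding of them.
INDICATORS: List[Indicator] = [
    # ProcessStartInfo("cmd") yields a command line that is exactly "cmd" (AsyncRAT, DcRat).
    Indicator("AsyncRAT/DcRat", "Windows Command Shell", re.compile(r'^"cmd"$', re.I)),
    Indicator("Quasar", "Windows Command Shell", re.compile(r'^"cmd" /K chcp\b', re.I)),
    # Koadic: cmd.exe /q /c chcp & <cmd> 1> %LocalAppData%\Temp\<uuid>.txt 2>&1 from the agent host.
    Indicator("Koadic", "Windows Command Shell",
              re.compile(r"cmd\.exe /q /c chcp & .* 1> .*\\Temp\\[^\\]+\.txt 2>&1", re.I),
              frozenset({"rundll32.exe", "regsvr32.exe", "wmic.exe"})),
    # Empire launcher_bat default: cmd.exe -> powershell.exe -nop -ep bypass -w 1 -enc <base64>.
    Indicator("Empire", "PowerShell launcher",
              re.compile(r"powershell(\.exe)? -nop -ep bypass -w 1 -enc ", re.I),
              frozenset({"cmd.exe"})),
    Indicator("PoshC2", "PowerShell launcher",
              re.compile(r"powershell -exec bypass -Noninteractive -windowstyle hidden -e ", re.I)),
    Indicator("Sliver", "PowerShell remote shell",
              re.compile(r'powershell\.exe"? -NoExit -Command \[Console\]::OutputEncoding='
                         r'\[Text\.UTF8Encoding\]::UTF8', re.I)),
    # AsyncRAT/DcRat 'SendFile' to disk: six random letters + .ps1 under %TEMP% (re.I also admits A-Z).
    Indicator("AsyncRAT/DcRat", "PowerShell script from C&C",
              re.compile(r"powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit "
                         r"-FilePath '\"[^\"]*\\Temp\\[a-z]{6}\.ps1\"'", re.I)),
]


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event: ProcessEvent) -> List[str]:
    """Return 'framework: technique' labels for every indicator the event satisfies."""
    cmd = " ".join(event.command_line.split())  # collapse padding whitespace seen in some log sources
    parent = _basename(event.parent_image)
    hits = []
    for ind in INDICATORS:
        if ind.parents is not None and parent not in ind.parents:
            continue  # command line alone is not enough for this indicator
        if ind.command_re.search(cmd):
            hits.append(f"{ind.framework}: {ind.technique}")
    return hits


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run every indicator over a batch of events; returns (event index, label) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in match_event(ev)]


# Constructed sample events (paths, names and base64 payload are placeholders, not real captures).
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\svchost.exe", CMD, '"cmd"'),
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\client.exe", CMD, '"cmd" /K chcp 65001'),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", CMD,
                 r"C:\Windows\system32\cmd.exe /q /c chcp & whoami 1> "
                 r"C:\Users\alice\AppData\Local\Temp\f2a1c4.txt 2>&1"),
    ProcessEvent(CMD, PS, "powershell.exe -nop -ep bypass -w 1 -enc QUJDREVGR0g="),
    ProcessEvent(CMD, PS, "powershell -exec bypass -Noninteractive -windowstyle hidden -e QUJDREVGR0g="),
    ProcessEvent(r"C:\Users\alice\Downloads\update.exe", PS,
                 '"' + PS + '" -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'),
    ProcessEvent(CMD, PS,
                 "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -FilePath "
                 "'\"C:\\Users\\alice\\AppData\\Local\\Temp\\kqzvbn.ps1\"'"),
    # Benign controls: an interactive prompt opened from Explorer and a scheduled 'cmd /c dir'.
    ProcessEvent(r"C:\Windows\explorer.exe", CMD, '"C:\\Windows\\System32\\cmd.exe" '),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", CMD, r"C:\Windows\system32\cmd.exe /c dir"),
]


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The two benign controls at the end show the cost of dropping the parent constraint: a generic `cmd.exe /c dir` is silent here, but would fire if the Merlin `/c` indicator were added without the parent process. For production use, the event fields would be read from the SIEM or EDR export instead of the inline list, and the labels fed to a case rather than printed.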