Ge#ng&Windows&to&Play&with&Itself A"Hacker’s"Guide"to"Windows"API"Abuse" " Brady"Bloxham" Founder/Principal"Security"Consultant" @silentbreaksec" hCp://www.silentbreaksecurity.com" hCp://www.blacksquirrel.io"" Background •  Shorten"the"gap"between" penetraHon"test"and"actual"aCack" •  Few"covert"persistence"tools" •  Reduce"reliance"on"Metasploit" Got&a&lot&to&cover •  DLL"InjecHon" •  Persistence" •  Throwback" •  Lots"of"demos"along"the"way" DLL&Injec?on •  TradiHonal"methods" •  CreateRemoteThread()" •  NtCreateThreadEx()" •  RtlCreateUserThread()" •  NtQueueApcThread"()" •  Can"blue"screen"certain"OSes" •  Code"Cave" •  Suspend"process" •  Inject"code" •  Change"EIP"to"locaHon"of"injected"code" •  Resume"process" •  Difficult"on"x64" AddMonitor() •  +" •  Injects"into"spoolsv.exe" •  Doesn’t"require"matching"" architecture" •  Easy"to"use" •  \" •  Dll"must"be"on"disk" •  Requires"administrator"privs" Dll&Injec?on&Demo Persistence •  Lots"of"persistence"in"Windows" •  Service"" •  Run"keys" •  Schtasks" •  …" •  And"lots"sHll"to"find…" •  Lots"of"techniques" •  Process"monitor" •  Hook"LoadLibrary()" Persistence •  1st"Technique" •  Requires"VMware"Tools"be"installed" •  Just"drop"a"dll"to"disk" •  c:\windows\system32\wbem\ntdsapi.dll" •  Note:"Dll"must"export"same"funcHons"as"" real"ntdsapi.dll" •  2nd"Technique" •  VMware"patched"in"ESXi"5.5" •  Requires"VMware"Tools"be"installed"" •  Just"drop"a"dll"to"disk" •  c:\windows\system32\wbem\tpgenlic.dll" •  c:\windows\system32\wbem\thinmon.dll" Windows( Persistence •  3rd"Technique" •  HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\" •  Create"a"new"key"" •  Create"a"new"value"named"Driver"with"the"dll"name" •  Create"as"many"as"you"like" Persistence&Demo Windows&API&HTTP&Cheatsheet •  WinHTTP" •  Intended"for"services" •  Does"not"pull"user"proxy"seings" •  Supports"impersonaHon" •  WinINet" •  More"robust"in"proxy"environment"" •  Variety"of"flags"that"enable/disable"funcHonality"automaHcally" •  Prompts"user"for"password"if"authenHcaHon"is"required" •  Uses"IE"seings" What&is&Throwback? •  C++"HTTP/S"beaconing"backdoor" •  PHP"control"panel"w/"MySQL"backend" •  Built"for"stealth" •  Persistence"built\in" •  Dll"" •  Exe" Infected(User ( Proxy(/(Firewall ThrowbackLP Attacker ThrowbackLP Throwback&Features •  Robust"proxy"detecHon" •  Distributed"LPs"" •  Uses"MSGRPC"to"generate"MSF"payloads" •  RC4"encrypted"comms"" •  Implements"reflecHve"dll"injecHon" •  String"encrypHon" Throwback Throwback&Demo Going&Forward… •  Community"based"project!!!" •  Create"modules" •  Keylogger,"Mimikatz,"Hashdump,"etc." •  Various"transport"methods" •  AddiHonal"persistence"techniques" •  ModificaHon"of"comms" The&End&Shameless&Plug •  Interested"in"wriHng"custom"malware/backdoors?" •  Dark"Side"Ops:"Custom"PenetraHon"TesHng" •  Blackhat"Europe"and"East"Coast"Trainings" •  Pen"test"networks"from"your"browser" •  hCps://www.blacksquirrel.io" " •  Silent"Break"Security" •  Blackbox/Red"Team"Pen"TesHng" •  brady@silentbreaksecurity.com" •  @silentbreaksec" •  hCps://github.com/silentbreaksec"