# WHY ATTACKER TOOLSETS DO WHAT THEY DO ### (or.. “Reasons they just keep working”) ----- # OVER THE LAST YEAR #### 50+ engagements Good chunk of different verticals, industries, etc. Varying qualities and effectiveness of defenses Collective noun of different Threat Groups … but really? Similar tools and tactics ----- # THE MAGIC OF INTERPRETIVE DANCE #### Pick through this year’s interesting engagements Construct a convenient narrative Discuss the common blind-spots the tools keep leveraging Explore Reasons They Just Keep Working (RIJKW) ----- # OUR SCENARIO ----- # RTJKW #1: AD HOC DEPLOYMENTS #### Deploy and forget (bonus: default configurations) External teams not looping in the security team Third-party systems without patch management Cloud infrastructure: the new frontier of terrible ----- # THE VOLUME GAME #### Scan and exploit; because eventually it will work ----- # CHINACHOPPER POST #### Webshell all the things ----- ----- ----- # OWA: WHO NEEDS THE DC? #### ISAPI filter (.NET) ##### OwaAuth.Application_EndRequest() - Receives request after submitted - Extract username and password from login, save to text file - Parse traffic for magic key, password, and params for backdoor ----- ##### - List, read, write, delete, modify, files and directories - Timestomp file or directory - Download file from URL - Launch process - Connect, query, write to SQL server ----- # OUR SCENARIO… SO FAR ----- ----- ----- ----- |Col1|ACEHASH: ALL THE HASHES| |---|---| |Mimikatz|Custom-compiled PE executes sekurlsa:: logonpasswords command automatically| |Ace1|Custom DLL, uses samsrv.dll APIs to dump hashes from disk/registry| |Ace2|Custom DLL, based on WCE, uses msv1_0.dll APIs for LM/NTLM| |InjectMemDll|Inject above when required| # ACEHASH: ALL THE HASHES ###### Mimikatz Custom-compiled PE executes sekurlsa:: logonpasswords command automatically Ace1 Custom DLL, uses samsrv.dll APIs to dump hashes from disk/registry Ace2 Custom DLL, based on WCE, uses msv1_0.dll APIs for LM/NTLM InjectMemDll Inject above when required ----- ----- ----- ----- # OUR SCENARIO… SO FAR ----- # RTJKW #2: CREDENTIAL “ISSUES” #### Golden images are convenient, as is scripting installs Same local Admin passwords is … not great Failing to restrict local Admin over network Insecurely storing passwords on network ----- ###### "net" time /domain "net" start query "netstat" -an "ping" -n 1 www.nba.com "net" view /domain "net" localgroup administrators "net" user adm_it /domain "cmd" /c dir C:\users\ "net" group "Domain Admins" /domain "C:\Windows\system32\net1 group "Domain Admins" /domain "nltest" /trust_domain ----- ###### "cmd" /c dir \\10.16.2.208\c$ "dir \\10.16.2.208\c$ "net" use \\10.16.2.208\c$ "Changeme!" /user:CORP\CS_ADM_IT "C:\windows\temp\acehash64.exe -s adm_qa:CORP: AAD3B435B51404EEAAD3B435B51404EE:A5B440A4C4E1965E6F5905A08AF6F2DE "dir \\10.16.2.233\c$" "C:\windows\temp\acehash64.exe -s Administrator:123: AAD3B435B51404EEAAD3B435B51404EE:A67C071444ED771589B736189B08F2AD "dir \\10.16.2.208\c$" "C:\windows\temp\acehash64.exe -s Administrator:123: AAD3B435B51404EEAAD3B435B51404EE:A67C071444ED771589B736189B08F2AD "dir \\10.16.2.204\c$\inetpub\" ----- # OUR SCENARIO… SO FAR ----- # RTJKW #3: BOTTLENCK BRO? #### Chokepoints using (authenticating) proxies Central point to log, gather/apply intel, block, etc. Many basic RATs/Toolsets/Malware won’t work Unfettered internet access is a terrible idea ----- # POISON IVY #### Grandfather of Chinese targeted RATs (circa 2004) Custom TCP C&C protocol Still deployed, updated but only basic proxy support seen this year Volatility + Chopshop + metasploit modules available ----- ###### namesvrtwo.serveftp.com,8888 ga2a.no-ip.biz namesvrone.myftp.org,8989 exw.no-ip.info m2013.no-ip.org,443 60.235.12.64 update17.ignorelist.com,443 hack43mila.no-ip.biz sap123.no-ip.biz,3480 cool-t.no-ip.biz sap123.servehttp.com,5460 alnweer2009.no-ip.info statictwo.myftp.org,9999 alnweer2009.no-ip.org staticone.hopto.org,9898 test.no-ip.org banse.zapto.org,4444 sero.ddns.net gserverhost.no-ip.biz,6666 serix21.no-ip.biz gserverhost.myftp.org,5555 evil3322.no-ip.biz connektme.no-ip.org,6460 zxoo.no-ip.biz connektme.hopto.org,7539 m55m55m44.no-ip.org easyconnect.zapto.org,3333 easyconnect.no-ip.org,4444 ----- ----- # OUR SCENARIO… SO FAR ----- # RTJKW #4: DOMAIN SEPARATION #### Strict separation, limited accounts, hardcore logging Extends to shared infrastructure, third parties, BYOD Trying to avoid these points being like those really fun ball pits, but for privileged credentials ----- ----- # OUR SCENARIO… SO FAR ----- # RTJKW #5: POROUS FIREWALLS #### Don’t forget about the non-TCP protocols Unit test and regression test the perimeter Segmentation is a thing ----- ----- # EXPOSING YOUR BITS #### Windows update component for file transfer ----- # PLUGX #### Been around since 2011, actively developed Modular construction to evade sandboxing, etc. C&C via UDP, DNS over UDP, CUSTOM over TCP, HTTP, HTTPS, ICMP, customer over IP Plugin infrastructure ----- ----- ----- ----- ----- # PLUGINS #### - Read/write/enumerate files, registry - Download/execute files - Enumerate, read, write, inject, kill processes - Port forward/proxy traffic, enumerate network - Full SQL driver interface - RDP keylog screenshot video ----- # OUR SCENARIO… SO FAR ----- # RIJKW #6: INTERNAL BLINDNESS #### Some visibility inside the network is … useful Common for newer RATs to have P2P Routing traffic through the network to reach other targets ----- # RBDOOR #### Alternative to PlugX, full RAT functionality too Both 64 and 32 bit versions C&C via TCP, UDP, HTTP, HTTPS, ... Traffic relay is also built in ... ----- ----- ----- ----- ----- ----- ----- # RBDOOR ROUTING #### Everything done via IP/TCP header modification Main functionality: - Drop packets from blacklist - Route packets to new destination port in whitelist - Capture session cookies by routing to magic port ----- # NOT EVEN NORTON DSE WILL SAVE YOU #### Sometimes you just want to load your dodgy network driver on an x64 system DSE from Vista onwards “stops” that Unless … it doesn’t? ----- ----- # OUR SCENARIO… SO FAR ----- # TL; DR #### “APT”s - mostly not very A, but usually very P 80/20 of network security will thwart the average intruder The adversary reuses tools and tactics; if they get in, you should have home ground advantage. Use it. ----- # REFERENCES & QUESTIONCES #### DYNDNS LIST https://github. com/EmergingThreats/et-luajit-scripts DNSTUNNEL https://github.com/iagox86/dnscat2 FWUNIT http://fwunit.readthedocs.org/en/latest/ -----