Presented at BSides Las Vegas 2017

1. CheckPlease -
Payload-Agnostic
Implant Security
@Arvanaghi & @ChrisTruncer

2. Brandon Arvanaghi
Associate Consultant at Mandiant
Red teaming, reverse engineering, tool development
Vanderbilt University 2

3. Chris Truncer
Previous Sys Admin turned Red Team
West Coast Red Team Lead
Open Source Developer
Veil, EyeWitness, WMImplant
3

4. Pop Quiz
Which is more effective at stopping malicious
applications from executing?
1) Application Whitelisting
2) Application Blacklisting
4
@Arvanaghi
@ChrisTruncer

5. Pop Quiz
• Answer: Application Whitelisting!
• Rather than trying to figure out everything we don’t want to allow, we
identify what we do want
• Disallow all else!
• AppLocker on Windows 7, 8, 10
5
@Arvanaghi
@ChrisTruncer

6. Sandbox Detection
• A sandbox is a virtual environment designed to
monitor malware behavior
• Dynamic analysis
• Malware acts benign if it thinks it is being dynamically
analyzed
6
@Arvanaghi
@ChrisTruncer

7. Sandbox Detection
• Old thinking: sandboxes look a certain way, so let’s specifically check if we
are in a sandbox in our payloads
• Avoid running if it’s the case
• Registry keys and values, MAC addresses, limited RAM, etc.
• Can be useful!
7
@Arvanaghi
@ChrisTruncer

8. Implant
Security
8

9. Realization
• Trying to detect if you are in a sandbox is a form of
blacklisting!
• Identifying every kind of sandbox is too hard!
• Why do we write sandbox detection checks in the first place?
9
@Arvanaghi
@ChrisTruncer

10. Realization
We want our malware to run where
we expect.
Avoiding sandboxes is a byproduct of that.
10
@Arvanaghi
@ChrisTruncer

11. 11
@Arvanaghi
@ChrisTruncer

12. Workflow for Implant Security
1. Get initial access into domain
a. Limited information
2. Immediately exfiltrate domain data
a. We don’t dump creds initially, do we?
3. Never use a non-targeted payload again for that domain!
12
@Arvanaghi
@ChrisTruncer

13. The Problems with Pure Sandbox Detection
1. You are not that smart.
13

14. The Problems with Pure Sandbox Detection
1. You are not that smart.
Hard enough debugging failed payloads.
AV? RAT? Whitelisting? Hard to say.
14

15. The Problems with Pure Sandbox Detection
2. Uptick in VM usage
15

16. The Problems with Pure Sandbox Detection
2. Uptick in VM usage
VMs used to be indicative of sandboxes
Today, they are critical assets.
We want to target them!
16

17. The Problems with Pure Sandbox Detection
3. Sandboxes look like legacy systems
17

18. The Problems with Pure Sandbox Detection
3. Sandboxes look like legacy systems
Legacy systems are easiest to target
Blacklisting sandboxes means
missing out!
18

19. The Problems with Pure Sandbox Detection
4. Anti-Anti-VM
19

20. The Problems with Pure Sandbox Detection
4. Anti-Anti-VM
How many more Anti-s do you want?
• Attackers strike
• Defenders detect
• Attackers mod
• Goto 1
20

21. CheckPlease
21

22. Creating a Payload-Agnostic Repository
• Implant security modules are exclusively written in C!
• Or discussed abstractly
• Payload deliverance growing in non-standard languages
• Let’s make a centralized library implementing these
techniques in all languages!
22
@Arvanaghi
@ChrisTruncer

23. CheckPlease: Languages Supported
• C
23

24. CheckPlease: Languages Supported
• C
• C#
24

25. CheckPlease: Languages Supported
• C
• C#
• PowerShell
25

26. CheckPlease: Languages Supported
• C
• C#
• PowerShell
• Python
26

27. CheckPlease: Languages Supported
• C
• C#
• PowerShell
• Python
• Go
27

28. CheckPlease: Languages Supported
• C
• C#
• PowerShell
• Python
• Go
• Ruby
28

29. CheckPlease: Languages Supported
• C
• C#
• PowerShell
• Python
• Go
• Ruby
• Perl
29

30. 30
@Arvanaghi
@ChrisTruncer

31. 31
@Arvanaghi
@ChrisTruncer

32. Why don’t sandboxes follow all paths?
• Design decision for sandboxes
• Don’t have the computing power to follow all trees
32
@Arvanaghi
@ChrisTruncer

33. Why don’t sandboxes follow all paths?
Example problem:
if ($env:username -eq “USERNAME THAT WOULD NEVER EXIST”) {
# Expand into several branches of nonsense
# Goal: waste the sandbox’s time and resources
# Sandbox rendered useless
}
33
@Arvanaghi
@ChrisTruncer

34. Daddy
Issues
34

35. Parent Process
• Every time we launch a payload, we know exactly
what the parent process should be!
• Word document?
• PDF document?
• HTA application?
• Most languages support finding the ppid
• Use that to find the string name of process
35
@Arvanaghi
@ChrisTruncer

36. Parent Process: Python
36

37. Parent Process: PowerShell
37

38. Sleeping
I’m tired
38

39. Payload Sleeping
39
@Arvanaghi
@ChrisTruncer
• This is the first thing most people will try
• Making your code sleep an hour
• Should work right?
• Sandbox can’t keep resources running that long!
• Nope

40. Payload Sleeping
40
@Arvanaghi
@ChrisTruncer
• Developers obviously know this too
• Look for sleep calls and hook them
• Fast-forward any sleep call
• Immediately jump to next part of the code
• So… how can this be beaten?

41. Payload Sleeping
41
@Arvanaghi
@ChrisTruncer
• Outsource time requests to NTP servers!
• Request current time from NTP server
• Try to sleep for the requested amount of time
• Make another request for the current time from a
NTP server

42. Payload Sleeping
42
@Arvanaghi
@ChrisTruncer
• Alternative option
• Can you develop a function which take an
approximate amount of time to compute?
• Iterate over that function as many times as you’d
like to sleep.
• RemoveS the network dependency for the
check

43. 43
@Arvanaghi
@ChrisTruncer

44. Encryption
44

45. Encrypt with Targeted Indicators
• To protect our implant from running where we don’t
expect, we can encrypt it
• The key? An indicator from our targeted host
• MAC address
• Username + hostname
• Etc.
• Once again, sandbox is a BYPRODUCT!
45
@Arvanaghi
@ChrisTruncer

46. Encrypt with Targeted Indicators
• How does this work?
• Payload dynamically pulls system information
• System information is concatenated to generate
an encryption key
• If key is correct, decrypt data and run the real
code
• If not, assume on the wrong system and die
46
@Arvanaghi
@ChrisTruncer

47. Encrypt with Targeted Indicators
Ebowla is a great example of this in practice:
https://github.com/Genetic-Malware/Ebowla
47
@Arvanaghi
@ChrisTruncer

48. Delay-Analysis Module
• In the hands of a skilled reverse engineer, nothing is infallible
• That’s not the goal, just beat initial automated analysis
• This can start at the source code level
• Used Hyperion?
48
@Arvanaghi
@ChrisTruncer

49. Delay-Analysis Module
• Hyperion receives your “file” and outputs a different encrypted file
• The output is encrypted with no key stored inside
• Due to an artificially constrained keyspace, it brute forces itself
• Let’s recreate this!
49
@Arvanaghi
@ChrisTruncer

50. Delay-Analysis Module
• The Delay-Analysis Python script receives an input file
• Your source code
• Select the language your code is in
• Output is encrypted code which brute forces itself at runtime
50
@Arvanaghi
@ChrisTruncer

51. 51
Python: Delay Analysis
@Arvanaghi
@ChrisTruncer

52. 52
@Arvanaghi
@ChrisTruncer

53. 53

54. Targeted Code
Host Metadata
54

55. Process Names
• Easy to write code that enumerates running
processes
• Validate that no-blacklisted processes are running at
the same time
• Wireshark
• VMWare
• Process Explorer
• tshark
55
@Arvanaghi
@ChrisTruncer

56. Process Names
56
@Arvanaghi
@ChrisTruncer

57. Windows Updates
• The number of recent Windows updates can provide
information about the system
• How often it is patched
• Uptime
• Real users will likely update more than sandboxes
57
@Arvanaghi
@ChrisTruncer

58. Windows Updates
58
@Arvanaghi
@ChrisTruncer

59. Registry Size
• Do you know the approximate size of your system’s
registry?
• Fingerprint this information for an approximate size
within the targeted organization
• Validate it at runtime!
59
@Arvanaghi
@ChrisTruncer

60. 60
@Arvanaghi
@ChrisTruncer

61. User Activity
61
We all love users :)

62. User Interaction
• Reasons you want a user present
• Authed but don’t have user’s credentials
• Present a prompt to enter creds
• Watch them on VNC, see internal sites they navigate to
• Built-in cobalt strike
• Two-factor push notification
• Etc.
62
@Arvanaghi
@ChrisTruncer

63. Mouse Clicks
• Check for user presence via mouse activity
• If the mouse is registering clicks, it’s indicative of user activity
• Require a minimum number of clicks prior to executing the
“protected code”
63
@Arvanaghi
@ChrisTruncer

64. Python: Execute after “N” clicks Mouse Clicks
64
@Arvanaghi
@ChrisTruncer

65. PowerShell: Execute after “N” clicks Mouse
Clicks
65
@Arvanaghi
@ChrisTruncer

66. Mouse Position
• In addition to mouse clicks as one metric for user activity, track
mouse location
• Console can be broken down into (x,y) positions
• Perform a comparison of mouse location over a period of time
• 30 seconds?
• Should be near impossible to have the exact same location
66
@Arvanaghi
@ChrisTruncer

67. Go: Check Mouse Position
67
@Arvanaghi
@ChrisTruncer

68. Prompt Users!
• Users already get prompted for a variety of reasons, what’s one
more?
• They already just give us passwords, why not click a
button?
• Sole purpose is to require interactive use prior to code execution
• When run, the code will present the user with a pop-up, and will
wait to run
68
@Arvanaghi
@ChrisTruncer

69. Ruby: Prompt User
69

70. 70

71. What else can we want to target?
• Number of USB drives mounted on the system
• Number of web browsers
• Minimum number of processes
• Whether certain files exist on disk
• Whether specific Registry keys/values exist (think installed programs, etc.)
• The number of processors on the system
• The minimum RAM size
• The minimum disk size
• The size of the Registry
• Whether a DLL is loaded
• Whether a process is running
71

72. Porting to Your
Payload

73. Only Running on Targeted System
if ((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq
$expectedDomain) {
}
73

74. Only Running on Targeted System
if ((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq
$expectedDomain) {
if ($env:username -eq $expectedUsername) {
}
}
74

75. Only Running on Targeted System
if ((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq
$expectedDomain) {
if ($env:username -eq $expectedUsername) {
if ($env:computername -eq $expectedHostname) {
}
}
}
75

76. Only Running on Targeted System
if ((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq
$expectedDomain) {
if ($env:username -eq $expectedUsername) {
if ($env:computername -eq $expectedHostname) {
# Passed all checks, proceed!
}
}
}
76

77. Veil
• This is a great opportunity to contribute to Veil’s codebase
• Add in a means to automatically develop targeted payloads
• Merge the code and quick demo
77

78. 78

79. 79
THANKS!
Any questions?
https://github.com/Arvanaghi/CheckPlease
@Arvanaghi
@ChrisTruncer