SlideShare uma empresa Scribd logo

PIC your malware

•
•
CODE WHITE GmbH
CODE WHITE GmbH

Brucon2021 conference talk by CODE WHITE

Tecnologia
1 de 72
Baixar para ler offline
PIC Your Malware!
Whoami ➢Ben Heimerdinger and Sebastian Feldmann ➢Specialized on Offensive Tooling / Evasion ➢Code White Red Team (Ulm/Mannheim, Germany) 2
Syllabus ➢Concepts for fileless malware ⚫ Artifacts popular in memory PE loaders leave (Reflective DLL, Donut) ➢Leveraging position independent code (PIC) to avoid these artifacts ➢Tool release: Lsass dumping without ProcessAccess event (as PIC) ➢Solving some tedious problems of creating PIC ➢Protecting tools with self-decrypting PIC ➢Pipelining the build process 3
Fileless Malware and Memory Artifacts
Motivation for Fileless Malware ➢Development of malware is a complex software project ➢If analysts ever find your malware, all hard work is burned ➢Therefore, sophisticated malware has a ‘Plug and Play’ concept for most of its capabilities ⚫ Malware consists of a main module. Capabilities are then loaded on the fly ⚫ If one module is flagged it is easy to replace / only one module needs to be adapted 5
Motivation for Fileless Malware 6
Plug and Play ➢Back in the days, an extension was dropped as a DLL and loaded from disk ⚫ Problem 1: AV heuristics / automatic analysis of dropped files ⚫ Problem 2: Files left on the filesystem will be forgotten by operators ➢Malware authors started looking for ways to load extensions without ever touching dis ➢Back in the days, an extension was dropped as a DLL and loaded from disk ⚫ Problem 1: AV heuristics / automatic analysis of dropped files ⚫ Problem 2: Files left on the filesystem will be forgotten by operators ➢Malware authors started looking for ways to load extensions without ever touching disk 7
Fileless Malware ➢Monitoring of memory operations is prone to false positives and also resource intense. ⚫ DRM uses similar concepts for legitimate use ➢Many concepts for fileless malware: {Reflective DLL, sRDI/Donut, in memory .NET} ⚫ All of them have their drawbacks which enable analysts and security products to find them 8
Reflective DLL ➢Self loading DLL ⚫ First implemented by Stephen Fewer in 2011 ➢Regular DLL with one special export: ReflectiveLoader ⚫ Implements a PE loader: takes care of fixing IAT, Relocations and so on ⚫ Loader itself is fully position independent (PIC) ➢Malware needs to be able to find the ReflectiveLoader in memory ⚫ Requires additional code 9
Recap Reflective DLL 10
PE2Shellcode ➢Implementation of a PE Loader as pure PIC ⚫ PIC embeds a given a PE file which it loads and executes ⚫ No PE loader or LoadLibraryR has to be compiled into malware ➢PE are not actually converted they are just wrapped with a PIC PE loader ➢PE loader finds the embedded PE file and loads it in memory ➢PE – To – Shellcode - Concept ➢Example open source implementations: ⚫ https://github.com/hasherezade/pe_to_shellcode ⚫ https://github.com/TheWover/donut ⚫ https://github.com/monoxgas/sRDI 11
PIC PE Loader 12
Suspicious Memory Artifacts ➢PE loaders need to allocate more memory to load the PE file ⚫ Some sections need to be executable (.text segment) ➢Suspicious Memory Pages such as R(W)X ➢Private Committed and Executable Memory ⚫ VirtualAlloc ⚫ Not backed by a file on disk ⚫ R(W)X pages should only exist as part of a PE file ➢PE Header in private committed memory 13
Artifacts Reflective DLL ➢PE Header in private committed memory ➢Executable and private committed pages 14
Memory Artifacts Donut ➢Executable and private committed memory ➢Donut can wipe the PE header from memory ⚫ Header is in memory during loading ⚫ Rest of PE structure is still in memory. PESieve can find it [1] [1] https://github.com/hasherezade/pe-sieve 15
Artifacts with File Backed Memory ➢Try to first copy the PIC to file backed memory ➢Donut / RDLL does not stay where it was first copied to ➢Breaks concepts, like Phantom DLL Hollowing [1] (Forrest orr) [1] https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll- hollowing 16
Weakness of RDLL / Donut ➢In memory PE loaders leave memory artifacts ➢Some artifacts can be removed after loading ⚫ During loading, automated products have a timeframe to work with ➢In memory execution of .NET would mean constantly fighting AMSI ➢If the whole tool was PIC, there would never be a PE to load … 17
PIC Your Malware!
PIC Your Malware! ➢C code can be compiled to PE files living fully in its .text segment [1] ➢Extracting the .text segment means obtaining PIC ⚫ No need to load it, just place it in memory and jump to it ➢Conditions ⚫ No relocations ⚫ No other segments in use than .text ⚫ Uses string stacking and avoids global / static variables ⚫ Must be able to parse Dlls for function pointers ➢ [1] https://vxug.fakedoma.in/papers/VXUG/Exclusive/FromaCprojectthroughassemblytoshellcodeHasherezade.pdf 19
Position Independent Code 20
Position Independent Code ➢The .text segment of such a program is fully position independent ➢Stays where it is copied to ➢Can be executed like classic shellcode ⚫ Needs a host process ➢Bonus: can be encoded with any shellcode encoder to break signatures! ⚫ As long as no parameters are passed and you expect the shellcode to return properly 21
PIC in File Backed Memory ➢PIC stays where it is copied to ➢No PE loading necessary ➢No new memory allocated ➢No additional private committed pages ➢No PE header 22
Nothing is Fully Undetectable ➢Also not in memory ➢PIC helps reducing memory artifact fingerprint ➢Abnormal allocation of file backed memory itself can still be fingerprinted [1] ⚫ Prone to false positives ➢Analysts will still catch malicious behavior of processes ➢Let us try to avoid suspicious Sysmon events using PIC! [1] https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta 23
PIC Lsass Dumper
Lsass Dumper as PIC ➢If a process opens Lsass with PROCESS_ALL_ACCESS or PROCESS_VM_READ | PROCESS_QUERY_INFORMATION it is most likely going to dump Lsass ➢ProcessAccess event every time a process uses OpenProcess() ➢Defenders definitely monitor this event related to Lsass ➢What if we never open Lsass? 25
Avoiding ProcessAccess ➢Some benign processes already have a handle to Lsass (HandleHolder) ➢PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE ➢Clone the existing handle using NtDuplicateObject ➢Handle can then be used in a malicious context ➢Sysmon only throws ProcessAccess on HandleHolder ➢Lsass usually has a handle to itself ⚫ Open Lsass with access mask not revealing your true intention 26
Avoiding ProcessAccess ➢MiniDumpWriteDump from DbgHelp internally opens multiple new handles ➢@Rookuu__ [1] demonstrated the usage of ReactOS MiniDumpWriteDump to dump ➢However, also this function opens some new handles. ⚫ Replace EnumerateLoadedModulesW64() ➢Using ReactOS MiniDumpWriteDump + ReactOS EnumerateLoadedModulesW64() to dump Lsass using a cloned handle does not appear in Sysmon [1] https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump 27
Introducing HandleKatz ➢HandleKatz enumerates processes for a suitable handle to dump Lsass ➢Clones handle and uses ReactOS Code (MiniDumpWriteDump + EnumerateLoadedModules) to dump the process without opening any new handle to Lsass ➢Then writes an obfuscated dump to disk ➢Uses direct syscalls ➢Fully PIC 28
HandleKatz 29
Power of PIC ➢Feel free to upload on VT or drop it to disk ➢HandleKatz can be encoded with SGN [1] ➢Different encoded versions of PIC perform the exact same complex task ⚫ Yet, they look completely different ➢Depending on the encoder, encoded version cannot take arguments or do not return properly 30
How to integrate HandleKatz ➢Comes with a header file for HandleKatz’s entry point ➢Simply cast pointer to the typedef of HandleKatz ➢Easy to integrate into your favorite C2 31
HandleKatz ➢Code + Compiled PIC can be found at https://github.com/codewhitesec/HandleKatz ➢Other PIC examples: https://github.com/thefLink/C-To-Shellcode-Examples ➢How to build and protect PIC? 32
Automating Creation and Protection
Source Files ➢2010 - @nickharbour - Writing Shellcode with a C Compiler ➢2013 - @mattifestation - Writing Optimized Windows Shellcode in C ➢2020 - @hasherezade - From a C project, through assembly, to shellcode ➢2021 - @passthehashbrwn - Dynamic payload compilation with mingw 34
PE vs. PIC Characteristic PE PIC Structure Structured in sections with different memory characteristics, separation of functions and data All in one binary blob Relocation Yes, will be calculated through the loading process of the OS No relocations, everything must be called relative to IP Imports External function calls are resolved through the loading process of the OS External functions can only be called after they are manually resolved 35
Position Independent Problems ➢Imports – External functions can only be called after they are manually resolved ➢Strings – Have to be {'s', 't', 'a', 'c', 'k', 's', 't', 'r', 'i', 'n', 'g', 's', 0}; [1] Hashes are often used to hide imports but are not applicable for other use cases ➢Global Data – Must be passed from one function to another → Especially a problem for our imports [1] https://www.fireeye.com/blog/threat-research/2016/06/automatically-extracting-obfuscated-strings.html 36
Position Independent Problems From MSDN to source code + Library Name 37
Position Independent Problems From MSDN to source code + Library Name python3 GenFunctionPointer.py https://docs.microsoft.com/en- us/windows/win32/api/synchapi/nf-synchapi-sleep → typedef void(__stdcall *p_Sleep)(DWORD dwMilliseconds); 38
Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); 39
Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); 40
Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); 41
Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); 42
Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); + Scripted the importing process of external functions + Write strings as they are + Make function pointers available everywhere → Api struct 43
Position Independent Problems Script generated code pattern Pre-build script obfuscate.py for string processing: 1) Find "INT ObfuscationKey" in source code and set random key value 2) Parse all files for string patterns, encode them with the obfuscation key and paste encoded version CHAR SleepStr[] = { 0 }; //str: Sleep → CHAR SleepStr[] = {18, 93, 21, 83, 66, -1}; //str: Sleep 44
Template Based Shellcode Gimme Shelter AVs have different triggers for in-memory scans, for example jumping to the start of an executable region after… ➢ allocating it (and filling it with data) (RWX) ➢ changing its characteristics (RW → RX) 45
Template Based Shellcode Gimme Shelter AVs have different triggers for in-memory scans, for example jumping to the start of an executable region after… ➢ allocating it (and filling it with data) (RWX) ➢ changing its characteristics (RW → RX) Self-decrypting shellcode as a wrapper to protect payloads 1) Place self-decrypting shellcode in RWX memory region 2) Execute it → hides payload (long enough) from memory scanner 46
Template Based Shellcode Self-decrypting shellcode pre-build script 47
Template Based Shellcode Self-decrypting shellcode pre-build script 48
Template Based Shellcode Self-decrypting shellcode Template 49 #define LOG 1 #define UK 0 #define DK 0 #define HK 0 #define PK 0 #if UK or DK or HK or PK or LOG [Active Preprocessor Block] #endif #if UK or DK or HK or PK [Inactive Preprocessor Block] #endif #if LOG [Active Preprocessor Block] #endif
Template Based Shellcode Self-decrypting shellcode Template 50 #define LOG 0 #define UK 1 #define DK 0 #define HK 0 #define PK 0 #if UK or DK or HK or PK or LOG [Active Preprocessor Block] #endif #if UK or DK or HK or PK [Active Preprocessor Block] #endif #if LOG [Inactive Preprocessor Block] #endif
Template Based Shellcode Self-decrypting shellcode Template 51 #define Parameter 1 #define _WIN64 1 #if Parameter extern"C" VOID prologue(CHAR *Args); extern"C" VOID mainAct(CHAR *Args); #if _WIN64 extern"C" VOID AlignRSP(CHAR *Args); #endif #else extern"C" VOID prologue(); extern"C" VOID mainAct(); #if _WIN64 extern"C" VOID AlignRSP(); #endif #endif
Template Based Shellcode Self-decrypting shellcode Template 52 #define Parameter 0 #define _WIN64 0 #if Parameter extern"C" VOID prologue(CHAR *Args); extern"C" VOID mainAct(CHAR *Args); #if _WIN64 extern"C" VOID AlignRSP(CHAR *Args); #endif #else extern"C" VOID prologue(); extern"C" VOID mainAct(); #if _WIN64 extern"C" VOID AlignRSP(); #endif #endif
Template Based Shellcode Self-decrypting shellcode post-build script 53
Template Based Shellcode Self-decrypting shellcode post-build script 54
Template Based Shellcode Suitable Memory Suitable memory is needed to run self-decrypting shellcode! And here we go again: in-memory artifacts  Is this really a problem? 55
Template Based Shellcode Suitable Memory Suitable memory is needed to run self-decrypting shellcode! And here we go again: in-memory artifacts  Is this really a problem? Short answer: No! ☺ Long answer: Depends - you must know what you’re doing! → PIC itself in RWX memory is hard to identify as malicious 56
Template Based Shellcode Gimme Suitable Memory Masking Malicious Memory Artifacts: Part I – III https://www.forrest-orr.net/blog ➢VirtualAlloc ➢VirtualProtect ➢Create PE with RWX section ➢Load DLL with RWX section ➢<Something> Hollowing ➢You name it ➢… 57
Template Based Shellcode Express Yourself – Just Say Yes! Run shellcode directly ➢Link into text section of loader PE ➢Execute without prior allocation ➢Not feasible for self-modifying code 58
Template Based Shellcode Express Yourself – Just Say Yes! Run shellcode directly ➢Link into text section of loader PE ➢Execute without prior allocation ➢Not feasible for self-modifying code Protection? ➢Obfuscation by replacing / inserting assembly instructions C → ASM → Obfuscation / Mutation → ASM → Binary [1] ➢Situational awareness by conditional jumps [1] https://vxug.fakedoma.in/papers/VXUG/Exclusive/FromaCprojectthroughassemblytoshellcodeHasherezade.pdf 59
Template Based Shellcode Loader PE Templates MinGW based approaches https://github.com/phra/PEzor https://github.com/optiv/ScareCrow ➢One MSVS solution, multiple configurations ➢Generic loader PE templates, mostly DLLs ➢Various exports ➢Various functionality (different hijacks / drop) ➢Shellcode payload as header ➢Some resource files for fun 60
Git Together 61
Git Together Why Gitlab CI/CD ➢Modularity ➢Flexibility ➢Parameterization ➢Ubiquitous 62
Git Together Gitlab CI/CD Pipelines ➢Logic in YAML files (and Python in our case) ➢Jobs define what to do For example, jobs that compile or process (obfuscate) ➢Stages define when to run the jobs For example, stages run different pre- or post-build evasion jobs after each other 63
Git Together .gitlab-ci.yml Example Handlekatz variables: CW_PROJECT: BruCon CW_PARAMETER: --pid 7688 CW_EVASION: Crypto LoaderGen CW_CRYPTO_KEY_USER: KevinSmith CW_CRYPTO_SANDBOX: 1 CW_CRYPTO_ITERATIONS: 100 CW_LOADER_TEMPLATE: EXE CW_LOADER_CONSOLE: 1 64
Git Together Build Configuration / Preparation 65
Git Together Build Configuration / Preparation 66
Git Together Build Configuration / Preparation 67
Git Together Pipeline Example Handlekatz 68
Git Together Pipeline Example Sharphound 69
Git Together C2 Integration Great talk about evasion CI/CD Dominic Chell - Offensive Development: Post Exploitation Tradecraft in an EDR World ➢Agents: Trigger pipeline process through CobaltStrike UI and download generated loader to your client ➢Tools / Payloads / Red Teaming as Code: Trigger pipeline process through the CobaltStrike UI and upload artifact to a running Agent 70
Demo C2 Integration 71
Thank you for your attention! Questions? Check out on Twitter: @danshaqfu @niph_ @theflinkk @b00n10

Recomendados

Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEELinaro
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Red team vs Penetration Testing
Red team vs Penetration TestingRed team vs Penetration Testing
Red team vs Penetration Testingavioren1979
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCIMr. Vengineer
 

Recomendados

Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEELinaro
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Red team vs Penetration Testing
Red team vs Penetration TestingRed team vs Penetration Testing
Red team vs Penetration Testingavioren1979
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCIMr. Vengineer
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryJoe Desimone
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Digit Oktavianto
 
Hybrid encryption
Hybrid encryption Hybrid encryption
Hybrid encryption ranjit banshpal
 
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020Eric Lin
 
ATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceChristopher Korban
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA RulesLionel Faleiro
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Monitoring Dual Stack IPv4/IPv6 Networks
Monitoring Dual Stack IPv4/IPv6 NetworksMonitoring Dual Stack IPv4/IPv6 Networks
Monitoring Dual Stack IPv4/IPv6 NetworksVance Shipley
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Jorge Orchilles
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
 
Dll injection
Dll injectionDll injection
Dll injectionKarlFrank99
 
6. cryptography
6. cryptography6. cryptography
6. cryptography7wounders
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...PROIDEA
 

Mais conteĂşdo relacionado

Mais procurados

Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryJoe Desimone
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Digit Oktavianto
 
Hybrid encryption
Hybrid encryption Hybrid encryption
Hybrid encryption ranjit banshpal
 
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020Eric Lin
 
ATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceChristopher Korban
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA RulesLionel Faleiro
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Monitoring Dual Stack IPv4/IPv6 Networks
Monitoring Dual Stack IPv4/IPv6 NetworksMonitoring Dual Stack IPv4/IPv6 Networks
Monitoring Dual Stack IPv4/IPv6 NetworksVance Shipley
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Jorge Orchilles
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
 
Dll injection
Dll injectionDll injection
Dll injectionKarlFrank99
 
6. cryptography
6. cryptography6. cryptography
6. cryptography7wounders
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 

Mais procurados (20)

Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
 
Hybrid encryption
Hybrid encryption Hybrid encryption
Hybrid encryption
 
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020
Experience on porting HIGHMEM and KASAN to RISC-V at COSCUP 2020
 
ATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceATT&CKing with Threat Intelligence
ATT&CKing with Threat Intelligence
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Monitoring Dual Stack IPv4/IPv6 Networks
Monitoring Dual Stack IPv4/IPv6 NetworksMonitoring Dual Stack IPv4/IPv6 Networks
Monitoring Dual Stack IPv4/IPv6 Networks
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
 
Dll injection
Dll injectionDll injection
Dll injection
 
6. cryptography
6. cryptography6. cryptography
6. cryptography
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 

Semelhante a PIC your malware

AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...PROIDEA
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-stepMichelangelo van Dam
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapFelipe Prado
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Opersys inc.
 
Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Opersys inc.
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidVlatko Kosturjak
 
Headless Android
Headless AndroidHeadless Android
Headless AndroidOpersys inc.
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727csirac2
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned RightScale
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiryVishwas N
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPriyanka Aash
 
Lessons Learned Building a Container App Library
Lessons Learned Building a Container App LibraryLessons Learned Building a Container App Library
Lessons Learned Building a Container App LibraryAdnan Abdulhussein
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 

Semelhante a PIC your malware (20)

AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-step
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013
 
Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
 
Headless Android
Headless AndroidHeadless Android
Headless Android
 
MSHTMHell.pptx
MSHTMHell.pptxMSHTMHell.pptx
MSHTMHell.pptx
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiry
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
 
Lessons Learned Building a Container App Library
Lessons Learned Building a Container App LibraryLessons Learned Building a Container App Library
Lessons Learned Building a Container App Library
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 

Último

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂşjo
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Último (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

PIC your malware

  • 2. Whoami ➢Ben Heimerdinger and Sebastian Feldmann ➢Specialized on Offensive Tooling / Evasion ➢Code White Red Team (Ulm/Mannheim, Germany) 2
  • 3. Syllabus ➢Concepts for fileless malware ⚫ Artifacts popular in memory PE loaders leave (Reflective DLL, Donut) ➢Leveraging position independent code (PIC) to avoid these artifacts ➢Tool release: Lsass dumping without ProcessAccess event (as PIC) ➢Solving some tedious problems of creating PIC ➢Protecting tools with self-decrypting PIC ➢Pipelining the build process 3
  • 4. Fileless Malware and Memory Artifacts
  • 5. Motivation for Fileless Malware ➢Development of malware is a complex software project ➢If analysts ever find your malware, all hard work is burned ➢Therefore, sophisticated malware has a ‘Plug and Play’ concept for most of its capabilities ⚫ Malware consists of a main module. Capabilities are then loaded on the fly ⚫ If one module is flagged it is easy to replace / only one module needs to be adapted 5
  • 7. Plug and Play ➢Back in the days, an extension was dropped as a DLL and loaded from disk ⚫ Problem 1: AV heuristics / automatic analysis of dropped files ⚫ Problem 2: Files left on the filesystem will be forgotten by operators ➢Malware authors started looking for ways to load extensions without ever touching dis ➢Back in the days, an extension was dropped as a DLL and loaded from disk ⚫ Problem 1: AV heuristics / automatic analysis of dropped files ⚫ Problem 2: Files left on the filesystem will be forgotten by operators ➢Malware authors started looking for ways to load extensions without ever touching disk 7
  • 8. Fileless Malware ➢Monitoring of memory operations is prone to false positives and also resource intense. ⚫ DRM uses similar concepts for legitimate use ➢Many concepts for fileless malware: {Reflective DLL, sRDI/Donut, in memory .NET} ⚫ All of them have their drawbacks which enable analysts and security products to find them 8
  • 9. Reflective DLL ➢Self loading DLL ⚫ First implemented by Stephen Fewer in 2011 ➢Regular DLL with one special export: ReflectiveLoader ⚫ Implements a PE loader: takes care of fixing IAT, Relocations and so on ⚫ Loader itself is fully position independent (PIC) ➢Malware needs to be able to find the ReflectiveLoader in memory ⚫ Requires additional code 9
  • 11. PE2Shellcode ➢Implementation of a PE Loader as pure PIC ⚫ PIC embeds a given a PE file which it loads and executes ⚫ No PE loader or LoadLibraryR has to be compiled into malware ➢PE are not actually converted they are just wrapped with a PIC PE loader ➢PE loader finds the embedded PE file and loads it in memory ➢PE – To – Shellcode - Concept ➢Example open source implementations: ⚫ https://github.com/hasherezade/pe_to_shellcode ⚫ https://github.com/TheWover/donut ⚫ https://github.com/monoxgas/sRDI 11
  • 13. Suspicious Memory Artifacts ➢PE loaders need to allocate more memory to load the PE file ⚫ Some sections need to be executable (.text segment) ➢Suspicious Memory Pages such as R(W)X ➢Private Committed and Executable Memory ⚫ VirtualAlloc ⚫ Not backed by a file on disk ⚫ R(W)X pages should only exist as part of a PE file ➢PE Header in private committed memory 13
  • 14. Artifacts Reflective DLL ➢PE Header in private committed memory ➢Executable and private committed pages 14
  • 15. Memory Artifacts Donut ➢Executable and private committed memory ➢Donut can wipe the PE header from memory ⚫ Header is in memory during loading ⚫ Rest of PE structure is still in memory. PESieve can find it [1] [1] https://github.com/hasherezade/pe-sieve 15
  • 16. Artifacts with File Backed Memory ➢Try to first copy the PIC to file backed memory ➢Donut / RDLL does not stay where it was first copied to ➢Breaks concepts, like Phantom DLL Hollowing [1] (Forrest orr) [1] https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll- hollowing 16
  • 17. Weakness of RDLL / Donut ➢In memory PE loaders leave memory artifacts ➢Some artifacts can be removed after loading ⚫ During loading, automated products have a timeframe to work with ➢In memory execution of .NET would mean constantly fighting AMSI ➢If the whole tool was PIC, there would never be a PE to load … 17
  • 19. PIC Your Malware! ➢C code can be compiled to PE files living fully in its .text segment [1] ➢Extracting the .text segment means obtaining PIC ⚫ No need to load it, just place it in memory and jump to it ➢Conditions ⚫ No relocations ⚫ No other segments in use than .text ⚫ Uses string stacking and avoids global / static variables ⚫ Must be able to parse Dlls for function pointers ➢ [1] https://vxug.fakedoma.in/papers/VXUG/Exclusive/FromaCprojectthroughassemblytoshellcodeHasherezade.pdf 19
  • 21. Position Independent Code ➢The .text segment of such a program is fully position independent ➢Stays where it is copied to ➢Can be executed like classic shellcode ⚫ Needs a host process ➢Bonus: can be encoded with any shellcode encoder to break signatures! ⚫ As long as no parameters are passed and you expect the shellcode to return properly 21
  • 22. PIC in File Backed Memory ➢PIC stays where it is copied to ➢No PE loading necessary ➢No new memory allocated ➢No additional private committed pages ➢No PE header 22
  • 23. Nothing is Fully Undetectable ➢Also not in memory ➢PIC helps reducing memory artifact fingerprint ➢Abnormal allocation of file backed memory itself can still be fingerprinted [1] ⚫ Prone to false positives ➢Analysts will still catch malicious behavior of processes ➢Let us try to avoid suspicious Sysmon events using PIC! [1] https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta 23
  • 25. Lsass Dumper as PIC ➢If a process opens Lsass with PROCESS_ALL_ACCESS or PROCESS_VM_READ | PROCESS_QUERY_INFORMATION it is most likely going to dump Lsass ➢ProcessAccess event every time a process uses OpenProcess() ➢Defenders definitely monitor this event related to Lsass ➢What if we never open Lsass? 25
  • 26. Avoiding ProcessAccess ➢Some benign processes already have a handle to Lsass (HandleHolder) ➢PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE ➢Clone the existing handle using NtDuplicateObject ➢Handle can then be used in a malicious context ➢Sysmon only throws ProcessAccess on HandleHolder ➢Lsass usually has a handle to itself ⚫ Open Lsass with access mask not revealing your true intention 26
  • 27. Avoiding ProcessAccess ➢MiniDumpWriteDump from DbgHelp internally opens multiple new handles ➢@Rookuu__ [1] demonstrated the usage of ReactOS MiniDumpWriteDump to dump ➢However, also this function opens some new handles. ⚫ Replace EnumerateLoadedModulesW64() ➢Using ReactOS MiniDumpWriteDump + ReactOS EnumerateLoadedModulesW64() to dump Lsass using a cloned handle does not appear in Sysmon [1] https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump 27
  • 28. Introducing HandleKatz ➢HandleKatz enumerates processes for a suitable handle to dump Lsass ➢Clones handle and uses ReactOS Code (MiniDumpWriteDump + EnumerateLoadedModules) to dump the process without opening any new handle to Lsass ➢Then writes an obfuscated dump to disk ➢Uses direct syscalls ➢Fully PIC 28
  • 30. Power of PIC ➢Feel free to upload on VT or drop it to disk ➢HandleKatz can be encoded with SGN [1] ➢Different encoded versions of PIC perform the exact same complex task ⚫ Yet, they look completely different ➢Depending on the encoder, encoded version cannot take arguments or do not return properly 30
  • 31. How to integrate HandleKatz ➢Comes with a header file for HandleKatz’s entry point ➢Simply cast pointer to the typedef of HandleKatz ➢Easy to integrate into your favorite C2 31
  • 32. HandleKatz ➢Code + Compiled PIC can be found at https://github.com/codewhitesec/HandleKatz ➢Other PIC examples: https://github.com/thefLink/C-To-Shellcode-Examples ➢How to build and protect PIC? 32
  • 34. Source Files ➢2010 - @nickharbour - Writing Shellcode with a C Compiler ➢2013 - @mattifestation - Writing Optimized Windows Shellcode in C ➢2020 - @hasherezade - From a C project, through assembly, to shellcode ➢2021 - @passthehashbrwn - Dynamic payload compilation with mingw 34
  • 35. PE vs. PIC Characteristic PE PIC Structure Structured in sections with different memory characteristics, separation of functions and data All in one binary blob Relocation Yes, will be calculated through the loading process of the OS No relocations, everything must be called relative to IP Imports External function calls are resolved through the loading process of the OS External functions can only be called after they are manually resolved 35
  • 36. Position Independent Problems ➢Imports – External functions can only be called after they are manually resolved ➢Strings – Have to be {'s', 't', 'a', 'c', 'k', 's', 't', 'r', 'i', 'n', 'g', 's', 0}; [1] Hashes are often used to hide imports but are not applicable for other use cases ➢Global Data – Must be passed from one function to another → Especially a problem for our imports [1] https://www.fireeye.com/blog/threat-research/2016/06/automatically-extracting-obfuscated-strings.html 36
  • 37. Position Independent Problems From MSDN to source code + Library Name 37
  • 38. Position Independent Problems From MSDN to source code + Library Name python3 GenFunctionPointer.py https://docs.microsoft.com/en- us/windows/win32/api/synchapi/nf-synchapi-sleep → typedef void(__stdcall *p_Sleep)(DWORD dwMilliseconds); 38
  • 39. Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); 39
  • 40. Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); 40
  • 41. Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); 41
  • 42. Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); 42
  • 43. Position Independent Problems Script generated code pattern CHAR SleepStr[] = { 0 }; //str: Sleep DeobfuscateString(SleepStr, SleepStr); GetProcAddrManMap(Kernel32, SleepStr, &ProcAddress, Api); Api->_Sleep = p_Sleep(ProcAddress); + Scripted the importing process of external functions + Write strings as they are + Make function pointers available everywhere → Api struct 43
  • 44. Position Independent Problems Script generated code pattern Pre-build script obfuscate.py for string processing: 1) Find "INT ObfuscationKey" in source code and set random key value 2) Parse all files for string patterns, encode them with the obfuscation key and paste encoded version CHAR SleepStr[] = { 0 }; //str: Sleep → CHAR SleepStr[] = {18, 93, 21, 83, 66, -1}; //str: Sleep 44
  • 45. Template Based Shellcode Gimme Shelter AVs have different triggers for in-memory scans, for example jumping to the start of an executable region after… ➢ allocating it (and filling it with data) (RWX) ➢ changing its characteristics (RW → RX) 45
  • 46. Template Based Shellcode Gimme Shelter AVs have different triggers for in-memory scans, for example jumping to the start of an executable region after… ➢ allocating it (and filling it with data) (RWX) ➢ changing its characteristics (RW → RX) Self-decrypting shellcode as a wrapper to protect payloads 1) Place self-decrypting shellcode in RWX memory region 2) Execute it → hides payload (long enough) from memory scanner 46
  • 47. Template Based Shellcode Self-decrypting shellcode pre-build script 47
  • 48. Template Based Shellcode Self-decrypting shellcode pre-build script 48
  • 49. Template Based Shellcode Self-decrypting shellcode Template 49 #define LOG 1 #define UK 0 #define DK 0 #define HK 0 #define PK 0 #if UK or DK or HK or PK or LOG [Active Preprocessor Block] #endif #if UK or DK or HK or PK [Inactive Preprocessor Block] #endif #if LOG [Active Preprocessor Block] #endif
  • 50. Template Based Shellcode Self-decrypting shellcode Template 50 #define LOG 0 #define UK 1 #define DK 0 #define HK 0 #define PK 0 #if UK or DK or HK or PK or LOG [Active Preprocessor Block] #endif #if UK or DK or HK or PK [Active Preprocessor Block] #endif #if LOG [Inactive Preprocessor Block] #endif
  • 51. Template Based Shellcode Self-decrypting shellcode Template 51 #define Parameter 1 #define _WIN64 1 #if Parameter extern"C" VOID prologue(CHAR *Args); extern"C" VOID mainAct(CHAR *Args); #if _WIN64 extern"C" VOID AlignRSP(CHAR *Args); #endif #else extern"C" VOID prologue(); extern"C" VOID mainAct(); #if _WIN64 extern"C" VOID AlignRSP(); #endif #endif
  • 52. Template Based Shellcode Self-decrypting shellcode Template 52 #define Parameter 0 #define _WIN64 0 #if Parameter extern"C" VOID prologue(CHAR *Args); extern"C" VOID mainAct(CHAR *Args); #if _WIN64 extern"C" VOID AlignRSP(CHAR *Args); #endif #else extern"C" VOID prologue(); extern"C" VOID mainAct(); #if _WIN64 extern"C" VOID AlignRSP(); #endif #endif
  • 53. Template Based Shellcode Self-decrypting shellcode post-build script 53
  • 54. Template Based Shellcode Self-decrypting shellcode post-build script 54
  • 55. Template Based Shellcode Suitable Memory Suitable memory is needed to run self-decrypting shellcode! And here we go again: in-memory artifacts  Is this really a problem? 55
  • 56. Template Based Shellcode Suitable Memory Suitable memory is needed to run self-decrypting shellcode! And here we go again: in-memory artifacts  Is this really a problem? Short answer: No! ☺ Long answer: Depends - you must know what you’re doing! → PIC itself in RWX memory is hard to identify as malicious 56
  • 57. Template Based Shellcode Gimme Suitable Memory Masking Malicious Memory Artifacts: Part I – III https://www.forrest-orr.net/blog ➢VirtualAlloc ➢VirtualProtect ➢Create PE with RWX section ➢Load DLL with RWX section ➢<Something> Hollowing ➢You name it ➢… 57
  • 58. Template Based Shellcode Express Yourself – Just Say Yes! Run shellcode directly ➢Link into text section of loader PE ➢Execute without prior allocation ➢Not feasible for self-modifying code 58
  • 59. Template Based Shellcode Express Yourself – Just Say Yes! Run shellcode directly ➢Link into text section of loader PE ➢Execute without prior allocation ➢Not feasible for self-modifying code Protection? ➢Obfuscation by replacing / inserting assembly instructions C → ASM → Obfuscation / Mutation → ASM → Binary [1] ➢Situational awareness by conditional jumps [1] https://vxug.fakedoma.in/papers/VXUG/Exclusive/FromaCprojectthroughassemblytoshellcodeHasherezade.pdf 59
  • 60. Template Based Shellcode Loader PE Templates MinGW based approaches https://github.com/phra/PEzor https://github.com/optiv/ScareCrow ➢One MSVS solution, multiple configurations ➢Generic loader PE templates, mostly DLLs ➢Various exports ➢Various functionality (different hijacks / drop) ➢Shellcode payload as header ➢Some resource files for fun 60
  • 62. Git Together Why Gitlab CI/CD ➢Modularity ➢Flexibility ➢Parameterization ➢Ubiquitous 62
  • 63. Git Together Gitlab CI/CD Pipelines ➢Logic in YAML files (and Python in our case) ➢Jobs define what to do For example, jobs that compile or process (obfuscate) ➢Stages define when to run the jobs For example, stages run different pre- or post-build evasion jobs after each other 63
  • 64. Git Together .gitlab-ci.yml Example Handlekatz variables: CW_PROJECT: BruCon CW_PARAMETER: --pid 7688 CW_EVASION: Crypto LoaderGen CW_CRYPTO_KEY_USER: KevinSmith CW_CRYPTO_SANDBOX: 1 CW_CRYPTO_ITERATIONS: 100 CW_LOADER_TEMPLATE: EXE CW_LOADER_CONSOLE: 1 64
  • 70. Git Together C2 Integration Great talk about evasion CI/CD Dominic Chell - Offensive Development: Post Exploitation Tradecraft in an EDR World ➢Agents: Trigger pipeline process through CobaltStrike UI and download generated loader to your client ➢Tools / Payloads / Red Teaming as Code: Trigger pipeline process through the CobaltStrike UI and upload artifact to a running Agent 70
  • 72. Thank you for your attention! Questions? Check out on Twitter: @danshaqfu @niph_ @theflinkk @b00n10