2. Overview
◦ Introductions
◦ Adversary Emulation
◦ Lessons From “Bad Guys”
◦ Post-Ex Features
▫ Analysis of Bad Guy Use
▫ Lessons Learned
▫ Proof Of Concept
◦ Defending Against Post-Ex
◦ Conclusion
3. $whoami
◦ Justin Warner
▫ Manager - Offensive Services, ATD
▫ Former USAF Guy
▫ Interest: red team, reverse engineering, PowerShell, and studying tradecraft
◦ Chris Ross
▫ Penetration Tester/Red Teamer - ATD
▫ Python EmPyre Developer
▫ Interest: Replicate adversarial tradecraft in PowerShell and Python
4. Inspiration For This Talk
◦ Richard Wartell (@wartortell) - Malware Is Hard, Let’s Go Shopping!
◦ Offensive toolsets
▫ Matt Graeber (@mattifestation) - PowerSploit Project
▫ Josh Pitts (@midnite_runr) - BDF Proxy
▫ Jamieson O'Reilly - Mimikittenz
◦ Lots of red team engagements
6. Adversaries
◦ Adversary - One’s opponent in a conflict
◦ Threat - The potential for the occurrence of a harmful event
▫ The source and means of harm
◦ This is the entity on the other side of the playing field
▫ A wide range of entities and abilities
▫ A lot can be learned by studying them
9. Adversary Emulation
◦ A type of red teaming that focuses on the emulation of a specific adversary
▫ Utilize intel to model the adversary
▫ Highly realistic tools
▫ Attempt to behave as they have before
▫ Many strengths
◦ Some weaknesses to this approach
▫ Risk of handcuffing the red team
▫ Easy to study tools, hard to emulate tactics/techniques (lack of intel)
10. Diamond Model
The Diamond Model of Intrusion Analysis - Chris Betz, Sergio Caltagirone, Andrew Pendergast
Axiom 1: “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result”.
11. Post-Exploitation
◦ Post-Exploitation - The actions taken by an adversary after exploitation
◦ Some example actions:
▫ Recon
▫ Privilege Escalation
▫ Credential Abuse
▫ Lateral Spread
▫ Additional Exploitation
▫ Sensitive Data Access
▫ Exfiltration
12. Malware Repurposing
◦ The process of analyzing malware with the intent of reusing techniques, code, or actual samples
◦ Relax… somebody else has done the work so you don’t have to
14. Learning From “Bad Guys”
◦ Benefits:
▫ Highly realistic (based on real events)
▫ Continuous tool ideas - “Hackers gonna Hack”
▫ They have solved the problem for you
◦ Downsides:
▫ Can be a significant effort to emulate
▫ Not always easy to translate techniques into usable assessment methods
▫ Risk of focusing too much on known methods
▫ Limit creativity
16. See Cool Stuff
◦ Where can we see cool stuff?
▫ APT Reports
▫ VirusTotal API
▫ Private malware sources
▫ Network defenders (for internal teams)
▫ VirusShare
◦ What are we trying to get our hands on?
▫ Raw samples
▫ IOCs and other obvious defensive sigs
▫ Technical discussion over TTPs (intel)
17. Analyze Cool Stuff
◦ Malware analysis and RE skills will be useful but are not required
▫ Plenty of technical threat reporting to help guide your development
◦ Learning RE is fun!
“Practical Malware Analysis”
“The IDA Pro Book”
Endless hours reading assembly and controlling bad guy tools
◦ Consider the value of generic TTP discussion rather than tool specifics
19. Research Alternatives
◦ Are there other APIs or pre-built libraries that will allow you to accomplish this technique?
▫ Will be useful to be familiar with WinAPI
▫ .NET assemblies will have many things implemented for you
◦ Is there a project that already implemented a certain technique?
▫ If it is not “representative” enough, might not consider it an alternative
20. Implement Cool Stuff
◦ Don’t work too hard…
▫ No need to learn C/C++ unless you are truly strict on replicating
▫ Live off the land!
◦ Why are we such PS fanboys?
▫ Native to Win7 and above
▫ Direct API access through reflection
▫ When used appropriately, memory-only capabilities can be created
▫ Easy to prototype, dev, test, and deploy in a rapid manner
21. Tool Disclaimer
◦ These tools are POCs written to demonstrate concepts
▫ Not all of them will be actively supported
◦ Use at your own risk… learn the language and review the code!
▫ Even better, start similar projects or contribute back to these
22. Hot Cam & Hot Mic
Oh the things you will see...
23. Examples In Wild
◦ Microphone
▫ LuxNetRAT - “Over the Counter” RAT
https://brage.bibsys.no/xmlui/bitstream/handle/11250/198379/KTGardasen.pdf
MCISendString to issue commands to the backend interface
◦ Webcam
▫ RocketKitten - MPK Shell
Simplistic custom backdoor
VFW capCreateCaptureWindow API call to create a hidden capture window
SendMessage to the new capture window to control the camera actions
24. How it Works - MCI Hot Mic
Multimedia Command Interface - Device independent method of controlling multimedia devices
Diagram: command strings passed to MCI through MCISendString, with a Sleep while the recording runs:
“open new Type waveaudio Alias SecretName”
“record SecretName”
“save SecretName”
“close SecretName”
26. Alternatives?
◦ Video
▫ Most of the tools we saw utilized DirectX and DirectShow to accomplish Video Capture
There is a .NET assembly for this!
▫ What does MS say about VFW:
◦ Audio
▫ We analyzed a bunch of tools that used native WinMM methods instead of MCI
27. MCI Hot Mic
◦ Get-MicrophoneAudio in PowerSploit “dev” branch
▫ Utilizes pure reflection in PowerShell to call Win32 API in Winmm.dll
▫ Writes “wav” file to disk at specified location
▫ No compression
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-MicrophoneAudio.ps1
28. RocketKitten VFW Mockup
◦ Get-VFWSnapshot
▫ Logically similar mockup of camera functionality in the MPK backdoor
▫ Utilizes PSReflect from Matt Graeber to expose Win32 APIs
▫ BUT… causes user interaction almost every time (unless camera is activated)
https://github.com/sixdub/BSidesDC2016/blob/master/Get-VFWSnapshot.ps1
29. ...When We Listen To M$
◦ Get-DXWebcamVideo.ps1
▫ Utilizes DirectShow .NET and DirectX Capture Library
All credit to the original authors:
DirectX Capture - Brian Low - Public Domain
DirectShow .NET - Unknown - LGPL
▫ Captures video and audio
▫ Supports compression and video tuning
https://github.com/xorrior/RandomPS-Scripts/blob/master/Get-DXWebcamVideo.ps1
31. Examples In Wild
◦ T9000 Malware - “tyeu.dat”
▫ Used in APAC region for targeted attacks
◦ Malware is used to gather screenshots from active user and Skype for Desktop data
▫ Heavy anti-analysis features :(
▫ Thread 1 - desktop screenshots
▫ Thread 2 - targeted window screenshots
▫ Thread 3 - Skype monitoring via API
Video snapshots
Audio recordings
Call log
32. How it Works 1/2
1. RegisterWindowMessage
SkypeControlAPIAttach
SkypeControlAPIDiscover
2. SendMessageTimeout
3. Skype Alert
4. Messages filtered
Custom WindowProc Function
33. How It Works 2/2
Diagram: Skype call status messages (CALL 34243 RINGING / INPROGRESS / FINISHED) and the Control API commands exchanged in response:
“GET CALL 34243 PARTNER_HANDLE” → “HotSexyBod123”
“ALTER CALL 34243 SET_OUTPUT FILE=out.wav”
“ALTER CALL 34243 SET_CAPTURE_MIC FILE=mic.wav”
Status → Call Logged
34. Skype Controller
◦ Start-SkypeRecorder
▫ Heavily adapted from T9000 malware and other third party software.
▫ Utilizes pure .NET reflection to create a window and send messages.
▫ User interaction will be required upon request to connect to the Skype Desktop API.
https://github.com/sixdub/BSidesDC2016/blob/master/SkypeRecorder.ps1
36. Example In Wild
◦ FLASHFLOOD Malware
▫ APT30 aka NaikonAPT
◦ Profiles host and packages up selected files
▫ Uses timestamps to measure change
▫ Uses deflate compression with slight mod
◦ Gathers:
▫ Windows Address Book (WAB) info
▫ All .lnk files from recent docs
▫ All files matching predefined patterns from:
Connected drives (USBs)
Desktop
Temp internet files
Temp
38. Alternate Techniques?
◦ Eventing Options:
▫ FindFirstChangeNotification - Win32 API to utilize asynchronous eventing to alert on file changes
▫ System.IO.FileSystemWatcher - .NET class that monitors file system changes
https://gist.github.com/HarmJ0y/4034d935a3386b96f3ac
▫ WMI Eventing to detect change
◦ Numerous options available for storage/compression/encryption
▫ Will Schroeder’s (@harmj0y) Out-EncryptedStore function
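The FileSystemWatcher eventing option above, turned around to the defender's side as an added example (not the gist linked on the slide and not the authors' code): it arms a watcher on a directory and returns an alert record when one of the WinPCAP components that slide 42 shows being dropped (npf.sys, packet.dll, wpcap.dll, pthreadvc.dll) is created there. Watch-DriverDrop is a hypothetical name; the demo drops a constructed npf.sys into a temporary directory so it runs without touching the real driver folder, and pointing -Path at $env:windir\System32\drivers watches the real one.

```powershell
# Added example (defender side); not the slide's gist or the talk's tooling.
# File names to flag are the WinPCAP components slide 42 shows being dropped.
$WatchList = @('npf.sys', 'packet.dll', 'wpcap.dll', 'pthreadvc.dll')

function Watch-DriverDrop {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$TimeoutSeconds = 5
    )
    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path = $Path
    $watcher.IncludeSubdirectories = $false
    $watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName'
    $watcher.EnableRaisingEvents = $true
    $id = "DriverDrop-" + [guid]::NewGuid()
    # Queue Created events in this session; Wait-Event pulls them off one at a time
    Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier $id | Out-Null
    try {
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline) {
            $evt = Wait-Event -SourceIdentifier $id -Timeout 1   # $null on timeout
            if (-not $evt) { continue }
            Remove-Event -EventIdentifier $evt.EventIdentifier
            if ($WatchList -contains $evt.SourceEventArgs.Name.ToLower()) {
                # Return an alert record rather than only printing it
                [pscustomobject]@{
                    Time = $evt.TimeGenerated
                    File = $evt.SourceEventArgs.FullPath
                    Note = 'WinPCAP component created (slide 42); check for a new npf service (System log 7045)'
                }
                return
            }
        }
    } finally {
        Unregister-Event -SourceIdentifier $id
        $watcher.Dispose()
    }
}

# Constructed demo: a temp directory stands in for %WINDIR%\system32\drivers,
# and a background job plays the process dropping npf.sys one second later.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("drivers-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$job = Start-Job { param($d) Start-Sleep 1; Set-Content -Path (Join-Path $d 'npf.sys') -Value 'constructed' } -ArgumentList $demo
Watch-DriverDrop -Path $demo | Format-List
$job | Wait-Job | Remove-Job
Remove-Item -Recurse -Force $demo
```

A watcher only sees drops made while it is running; for durable coverage the same file names belong in a Sysmon or EDR file-create rule.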
39. FileSystemWatcher Exfil
◦ Utilizes Start-FileSystemMonitor
▫ Slight tweaks to make it dump output
◦ Combine with the following
▫ Out-EncryptedStore - BETTER OPTION
Custom capability
Uses RSA/AES as desired
http://www.harmj0y.net/blog/redteaming/offensive-encrypted-data-storage
▫ Write-FlashfloodFile
Replicates algorithm in FLASHFLOOD
https://github.com/sixdub/BSidesDC2016/blob/master/Write-FlashfloodFile.ps1
41. Examples In Wild
◦ NaikonAPT / APT30
▫ “Lateral movements included copying over and remotely setting up winpcap across desktop systems… then remotely setting up AT jobs to run”
◦ RocketKitten
▫ MPK Shell
Raw sockets to sniff TCP/UDP
◦ Duqu 2.0
▫ Dropped WinPCAP driver in VFS and loaded to inject MDNS replies
42. How it Works - WinPCAP
1 - Install WinPCAP “silently”
sc.exe create npf ...
%WINDIR%\system32\drivers
npf.sys
packet.dll
wpcap.dll
pthreadvc.dll
2 - Utilize WinPCAP for capture
● pcap_open
● pcap_compile
● pcap_setfilter
● pcap_dump_open
● pcap_dump
secretdump.pcap
43. Research
◦ Numerous other methods can be used to capture/trace packets:
▫ Windows Filtering Platform Drivers
▫ Event Tracing for Windows (ETW)
◦ Inveigh uses raw sockets to spoof
▫ Kevin Robertson (@Kevin_Robertson)
◦ Previous work by Alex Rymdeko (@killswitch_GUI)
◦ Several .NET assemblies help us with WinPCAP in PowerShell
44. WinPCap Mockup
◦ Get-WinPCapCapture
▫ Utilizes Packet.NET and SharpPCap assemblies to accomplish capture
Credit to those authors!
▫ Comes with Install and Remove function for “hot” loading of WinPCAP
▫ Allows you to add filters
▫ Stops capture when:
Timeout is hit
Size limit is reached
https://github.com/sixdub/BSidesDC2016/blob/master/Get-WinPCapCapture.ps1
46. Mitigation
◦ There is not a single trick to prevent post-exploitation actions
▫ “Users gonna use” - @enigma0x3
▫ PowerShell != Enemy
◦ Use industry “best practice”
▫ Heavy auditing of environments
◦ You don’t need next-gen if you don’t defend the current-gen
▫ http://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
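An added example of the auditing this slide calls for (not from the talk or the authors' tooling): it scans PowerShell script block log entries for the API names and command strings that slides 23, 24, 32 and 42 attribute to the LuxNetRAT, RocketKitten, T9000 and WinPCAP techniques, and reports which slide's technique each hit maps to. Find-PostExIndicators and Get-SampleScriptBlockEvents are hypothetical names; the events are constructed samples so the script runs offline, and the comment shows the Get-WinEvent call that replaces them on a live host with script block logging enabled.

```powershell
# Added example (defender side), not part of the talk's tooling.
# Indicator strings come from the slide text; each key names the slide that shows it.
$Indicators = [ordered]@{
    'MCI hot mic (slide 24)'       = @('mciSendString', 'waveaudio')
    'VFW webcam (slide 23)'        = @('capCreateCaptureWindow')
    'Skype Control API (slide 32)' = @('SkypeControlAPIAttach', 'SkypeControlAPIDiscover', 'SET_CAPTURE_MIC')
    'WinPCAP loading (slide 42)'   = @('sc.exe create npf', 'npf.sys', 'pcap_open')
}

function Get-SampleScriptBlockEvents {
    # Constructed stand-ins for Event ID 4104 records. On a live host use instead:
    # Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
    #     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; ScriptBlockText = $_.Properties[2].Value } }
    @(
        [pscustomobject]@{ TimeCreated = [datetime]'2016-10-21T10:00:00'
                           ScriptBlockText = 'Get-ChildItem C:\Users | Out-File C:\temp\users.txt' }
        [pscustomobject]@{ TimeCreated = [datetime]'2016-10-21T10:05:00'
                           ScriptBlockText = '$r = $mci::mciSendString("open new Type waveaudio Alias rec", $null, 0, [IntPtr]::Zero)' }
        [pscustomobject]@{ TimeCreated = [datetime]'2016-10-21T10:07:00'
                           ScriptBlockText = '$attach = $u32::RegisterWindowMessage("SkypeControlAPIAttach")' }
        [pscustomobject]@{ TimeCreated = [datetime]'2016-10-21T10:12:00'
                           ScriptBlockText = 'sc.exe create npf binPath= "C:\Windows\System32\drivers\npf.sys" type= kernel' }
    )
}

function Find-PostExIndicators {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($evt in $Events) {
        foreach ($entry in $Indicators.GetEnumerator()) {
            # -match is case-insensitive; Escape keeps the '.' in sc.exe / npf.sys literal
            $hits = @($entry.Value | Where-Object { $evt.ScriptBlockText -match [regex]::Escape($_) })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    Technique   = $entry.Key
                    Matched     = ($hits -join ', ')
                    Snippet     = $evt.ScriptBlockText.Substring(0, [Math]::Min(60, $evt.ScriptBlockText.Length))
                }
            }
        }
    }
}

# Three of the four constructed events match; the directory listing does not.
Find-PostExIndicators -Events (Get-SampleScriptBlockEvents) | Format-Table -AutoSize
```

The npf service creation from slide 42 also lands in the System log as a new-service install record (Event ID 7045), so query that alongside the script block log rather than relying on either alone.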
47. “Every contact leaves a trace”
◦ Locard's Exchange Principle
So go find the trace...
What about threat hunting?
48. Conclusion
◦ Realistic threat replication must properly model threats
▫ Realistic tactics (study intel)
▫ Observed techniques
▫ Similar behavior or procedures
◦ There are plenty of creative Post-Ex techniques to use
▫ Don’t be so square… :)
◦ You are defending against a human
▫ OPSEC is rarely perfect, hunt for trace evidence