Windows Malware Techniques
Lee Christensen (@tifkin_)
C:\> whoami
PS C:\> ls env:\
Where are we going?
• Windows user-land malware development and design
• Techniques for Windows environments
• Detection techniques
• I probably will forget to mention some of these…
• Not focusing on
  • Kernel malware/rootkits, anti-forensics, AV-evasion
Why discuss malware development and design?
Malware Dev: Defensive Perspective
• Understanding the code helps you design your defenses
• Malware development has its own pyramid of pain
• Gives insight into the future
Malware Dev: Offensive Perspective
• Understanding of tools
• Gives you control - easy to adapt
• Offensive in Depth
• Writing malware is fun!
A remote administration tool (RAT) is a piece of software that allows a remote "operator" to control a system as if they had physical access to that system.
A Good RAT• <REMOVED>
Memory Residency and Modular Design
Approaches to Modularity• <REMOVED>
DLL injection• <REMOVED>
LoadLibrary• <REMOVED>
LoadLibrary demo
Reflective DLL injection• <REMOVED>
Reflective DLL demo
Modular Malware Demo
Beaconing Malware
Windows API HTTP Cheatsheet• <REMOVED>
WinInet Example
DNS
• Why DNS?
  • Not monitored as often
  • Routed through a trusted host
  • Great for low and slow
• Size considerations
  • TXT records (255 bytes max)
  • A records (4 bytes max)
Defensive Interjection!
• What can we do to detect poorly designed HTTP-based malware?
• How about DNS malware?
• Not all comms are beaconing
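As an added example (not code from the original talk), the two checks below run over constructed log lines and show the kind of detection the slide is asking for: poorly designed HTTP beacons call home at a fixed interval with no jitter, and DNS-based malware that leans on TXT records (255 bytes per answer) has to encode its own data into long query names. The log formats, hostnames, thresholds and sample records are all assumptions made for this example.

```python
"""Detection checks for poorly designed beaconing malware.

Added example, not from the original talk. The proxy/DNS log formats,
the thresholds and the sample records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dest_host> <path>"
# 10.0.0.5 calls updates.example.net every 60 s; 10.0.0.7 browses normally.
PROXY_LOG = """\
2015-06-01T10:00:00 10.0.0.5 updates.example.net /index.php
2015-06-01T10:00:12 10.0.0.7 www.example.com /
2015-06-01T10:00:15 10.0.0.7 www.example.com /css/site.css
2015-06-01T10:01:00 10.0.0.5 updates.example.net /index.php
2015-06-01T10:02:00 10.0.0.5 updates.example.net /index.php
2015-06-01T10:02:40 10.0.0.7 www.example.com /news
2015-06-01T10:03:00 10.0.0.5 updates.example.net /index.php
2015-06-01T10:04:00 10.0.0.5 updates.example.net /index.php
2015-06-01T10:05:00 10.0.0.5 updates.example.net /index.php
2015-06-01T10:07:01 10.0.0.7 www.example.com /about
2015-06-01T10:07:05 10.0.0.7 www.example.com /contact
"""

# Constructed DNS query log: "<ISO timestamp> <src_ip> <qtype> <qname>"
# 10.0.0.5 sends TXT queries with long, data-carrying labels to one domain.
DNS_LOG = "\n".join(
    [f"2015-06-01T10:0{i}:30 10.0.0.5 TXT {'ab12cd34' * 6}{i}.c2.example.org"
     for i in range(6)]
    + ["2015-06-01T10:00:05 10.0.0.7 A www.example.com",
       "2015-06-01T10:01:05 10.0.0.7 A mail.example.com"]
)


def find_http_beacons(log_text, min_hits=5, max_cv=0.1):
    """Group requests by (source, destination host) and flag pairs whose
    inter-request gaps are nearly constant (low coefficient of variation)."""
    times = defaultdict(list)
    paths = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = line.split()
        times[(src, host)].append(datetime.fromisoformat(ts))
        paths[(src, host)].add(path)

    findings = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # 0.0 means perfectly regular
        if cv <= max_cv:
            findings[key] = {"hits": len(stamps), "mean_interval": avg,
                             "cv": cv, "distinct_paths": len(paths[key])}
    return findings


def find_dns_tunnels(log_text, min_queries=5, min_name_len=40):
    """Flag sources that repeatedly issue TXT queries with long names to the
    same parent domain; legitimate TXT lookups are rare and use short names."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, qtype, qname = line.split()
        if qtype != "TXT" or len(qname) < min_name_len:
            continue
        parent = ".".join(qname.rstrip(".").split(".")[-2:])  # e.g. example.org
        counts[(src, parent)] += 1
    return {key: n for key, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for key, info in find_http_beacons(PROXY_LOG).items():
        print("HTTP beacon candidate:", key, info)
    for key, n in find_dns_tunnels(DNS_LOG).items():
        print("DNS tunnel candidate:", key, n, "long TXT queries")
```

The interval check deliberately keys on the source/destination pair rather than on the URI, so a beacon that rotates paths is still caught; the distinct_paths count is reported as a secondary signal. A beacon that adds jitter raises the coefficient of variation and slips past max_cv, which is exactly the "poorly designed" qualifier in the slide.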
Internal Pivoting and Comms
• Goals
  • Get remote execution
  • Blend in
  • Limit egress hosts
Execution
Pass the hash
• Toolkit
  • Windows Credential Editor
  • Metasploit
  • SMBExec
  • psexec
Oldies but Goodies: Living Off The Land
At.exe
net use \\<ip>\c$ /user:<username> <password>
at \\<ip> <time> c:\users\<user>\appdata\local\microsoft\backdoor.exe
Schtasks.exe
schtasks /create /s <ip> /u <user> /p <password> /ru <runasuser> /tr c:\backdoor.exe /tn run /sc once /st <starttime>
Wmic.exe
wmic /node:<ip> /user:<user> /password:<password> process call create c:\backdoor.exe
Other ways…
• RDP
• VNC
• PowerShell Remoting
Internal Comm Channels
Named Pipe
A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. All instances of a named pipe share the same pipe name, but each instance has its own buffers and handles.
Named Pipe• <REMOVED>
Create a null SECURITY_DESCRIPTOR
<REMOVED>
Mail Slots• <REMOVED>
Named Pipes Demo
Attacking Active Directory
Detecting/Preventing Local Password Theft
• Install KB2871997
  • Removes all plaintext creds from lsass except WDigest
  • http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
• Add admin accounts to "Protected Users" AD group
  • Kerberos authentication only
  • No account delegation (can't steal tokens)
  • AES for pre-authentication process
• Restricted Admin mode for RDP
  • Plaintext password never sent to server
  • Uses a network logon (prevents token stealing)
Preventing Local Password Theft - cont
• LSASS Protected Process (Windows 8.1/2012 R2 and above)
  • https://technet.microsoft.com/en-us/library/Dn408187.aspx
  • Can be bypassed via a driver
• Honey tokens
  • Idea by Mark Baggett
  • https://github.com/SMAPPER/MimikatzHoneyToken
  • Alert on usage
Pass the hash Protections
• KB2871997
  • Adds GPO to disable remote network logons from local accounts
• Local Administrator Password Solution (LAPS)
• Restrict inter-machine communications
Dumping the Domain’s Hashes
Old School – Code Execution on DC
• Dump them from LSASS (traditional hashdump)
  lsadump::lsa /inject
  lsadump::lsa /patch /name:krbtgt
• Meterpreter: post/windows/gather/credentials/domain_hashdump
  • Parses the ESE database using the built-in JetAPI
• Ntds.dit
  • Invoke-NinjaCopy
  • PowerForensics (@jaredatkinson)
  • Shadow copies
  • Ntdsutil
Detection
• Access to ntds.dit == domain-wide access
• Who has admin rights on DCs?
• Restrict logon rights of admin accounts (they don't need to be able to logon everywhere)
• Who has admin rights on admin PCs?
• Who has access to backups?
• Who has access to virtualization infrastructure?
• Shadow Copy events
• Sysmon - injections into lsass.exe, powershell.exe, ntdsutil.exe
• Network traffic - ntds.dit is not a small file…
DCSync – New Hotness for grabbing domain hashes
Demo
DCSync Detection
• Follow Sean Metcalf (@PyroTek3)
  • Unofficial documenter of Mimikatz functionality
• At the moment, enable Auditing of Directory Service Access
  • https://support.microsoft.com/en-us/kb/232714
• Demo
Golden Tickets
Golden Tickets
• Event IDs: 4624 (logon), 4672 (admin logon), 4634 (logoff)
• Account Domain field is blank (should be DOMAIN)
• Account Domain field is FQDN (should be DOMAIN)
Pay attention to what your tools are doing!!!
• Account Domain field is "eo.oe.kiwi :)"
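As an added example (not code from the original talk), the check below applies the Golden Ticket indicators from the slide to a batch of constructed logon events: for event IDs 4624, 4672 and 4634 it flags an Account Domain that is blank, that is an FQDN rather than the short domain name, or that carries the "eo.oe.kiwi :)" string. It also generalizes slightly by flagging any Account Domain that does not match the expected NetBIOS name. The event records are constructed dicts whose field names follow the 4624 event XML (TargetUserName, TargetDomainName); the expected domain "CORP" and all values are assumptions.

```python
"""Flag forged-ticket indicators in Windows logon events.

Added example, not code from the original talk. EVENTS is constructed;
the field names mirror the 4624/4672/4634 event XML, the values are made up.
"""

EXPECTED_DOMAIN = "CORP"                 # short NetBIOS domain name (assumption)
KNOWN_BAD_DOMAINS = {"eo.oe.kiwi :)"}    # default domain string cited on the slide
TICKET_EVENT_IDS = {4624, 4672, 4634}    # logon, admin logon, logoff

# Constructed sample events (dicts standing in for parsed event XML).
EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "administrator",
     "TargetDomainName": "", "LogonType": 3},                   # blank domain
    {"EventID": 4672, "TargetUserName": "administrator",
     "TargetDomainName": "corp.example.local"},                 # FQDN domain
    {"EventID": 4624, "TargetUserName": "administrator",
     "TargetDomainName": "eo.oe.kiwi :)", "LogonType": 3},      # tool default
    {"EventID": 4634, "TargetUserName": "jsmith",
     "TargetDomainName": "CORP"},
    {"EventID": 4688, "TargetUserName": "jsmith",
     "TargetDomainName": ""},                                    # not a logon event
]


def classify_domain(domain, expected=EXPECTED_DOMAIN):
    """Return a reason string if the Account Domain value looks forged, else None."""
    if domain in KNOWN_BAD_DOMAINS:
        return "known forged-ticket default"
    if domain == "":
        return "blank"
    if "." in domain:
        return "FQDN instead of NetBIOS name"
    if domain.upper() != expected.upper():
        return "unexpected domain"          # generalization beyond the slide
    return None


def find_golden_ticket_indicators(events, expected=EXPECTED_DOMAIN):
    """Return (event_id, user, reason) for each logon-related event whose
    Account Domain does not look like a normal DC-issued ticket."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in TICKET_EVENT_IDS:
            continue
        reason = classify_domain(ev.get("TargetDomainName", ""), expected)
        if reason:
            findings.append((ev["EventID"], ev["TargetUserName"], reason))
    return findings


if __name__ == "__main__":
    for event_id, user, reason in find_golden_ticket_indicators(EVENTS):
        print(f"event {event_id} user={user}: Account Domain {reason}")
```

The 4688 record is skipped even though its domain is blank, because the slide's indicators are specific to the logon/logoff events; a blank domain on a process-creation event needs a different baseline. Note that the fourth bullet is a tool default rather than a property of forged tickets in general, which is why the slide says to pay attention to what your tools are doing.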