Windows Malware Techniques

Lee Christensen@tifkin_

C:\> whoami

PS C:\> ls env:\

Where are we going?• Windows user-land malware development and design• Techniques for Windows environments• Detection techniques• I probably will forget to mention some of these….

• Not focusing on • Kernel malware/rootkits, anti-forensics, AV-evasion

Why discuss malware development and design?

Malware Dev: Defensive Perspective• Understanding the code helps you design your defenses• Malware development has its own pyramid of pain

Defensive Perspective• Understanding the code helps you design your defense• Malware development has its own pyramid of pain• Gives insight into the future

Malware Dev: Offensive Perspective• Understanding of tools• Gives you control - easy to adapt• Offensive in Depth• Writing malware is fun!

A remote administration tool (RAT) is a piece of software that allows a remote "operator" to control a

system as if he has physical access to that system.

A Good RAT• <REMOVED>

Memory Residency and Modular Design

Approaches to Modularity• <REMOVED>

DLL injection• <REMOVED>

LoadLibrary• <REMOVED>

LoadLibrary demo

Reflective DLL injection• <REMOVED>

Reflective DLL demo

Modular Malware Demo

Beaconing Malware

Windows API HTTP Cheatsheet• <REMOVED>

WinInet Example

DNS• Why DNS?• Not montitored as often• Routed through a trusted host• Great for low and slow

• Size considerations• TXT records (255 bytes max)• A records (4 bytes max)

Defensive Interjection!• What can we do to detect poorly designed HTTP-based malware?

• How about DNS malware?

• Not all comms are beaconing

Internal Pivoting and Comms• Goals• Get remote execution• Blend in• Limit egress hosts

Execution

Pass the hash• Pass the hash• Toolkit• Windows Credential Editor• Metasploit• SMBExec• psexec

Oldies but Goodies:Living Off The Land

At.exe

net use \\<ip>\c$ /user:<username> <password>

at \\<ip> <time> c:\users\\<user>\appdata\local\microsoft\backdoor.exe

Schtasks.exe

schtasks /create /s <ip> /u <user> /p <password> /ru <runasuser> /tr c:\backdoor.exe /tn run /sc once /st <starttime>

Wmic.exe

wmic /node:<ip> /user:<user> /password:<password> process call create c:\backdoor.exe

Other ways…• RDP• VNC• PowerShell Remoting

Internal Comm Channels

Named Pipe

A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe

clients. All instances of a named pipe share the same pipe name, but each instance has its own buffers and handles.

Named Pipe• <REMOVED>

Create a null SECURITY_DESCRIPTOR

<REMOVED>

Mail Slots• <REMOVED>

Named Pipes Demo

Attacking Active Directory

Detecting/Preventing Local Password Theft• Install KB2871997• Removes all plaintext creds from lsass except WDigest

• http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx• Add admin accounts to "Protected Users" AD group

• Kerberos authentication only• No account delegation (can't steal tokens)• AES for pre-authentication process

• Restricted Admin mode for RDP• Plaintext password never sent to server• Network logons on (prevents token stealing)

Preventing Local Password Theft - cont• LSASS Protected Process (Windows 8.1/2012 R2 and above)• https://technet.microsoft.com/en-us/library/Dn408187.aspx• Can be bypassed by via a driver

• Honey tokens• Idea by Mark Baggett• https://github.com/SMAPPER/MimikatzHoneyToken• Alert on usage

Pass the hash Protections• KB2871997• Adds GPO to disable remote network logons from local accounts

• Local Adminstrator Password Solution (LAPS)• Restrict inter-machine communications

Dumping the Domain’s Hashes

Old School – Code Execution on DCDump them from LSASS (Traditional hashdump)lsadump::lsa /injectlsadump::lsa /patch /name:krbtgt

Meterpreterpost/windows/gather/credentials/domain_hashdump• Parses the ESE Database using the built-in JetAPI

Ntds.ditInvoke-NinjaCopyPowerForensics (@jaredatkinson)Shadow copiesNtdsutil

Detection• Acesss to ntds.dit == Domain wide access• Who has admin rights on DC's?

• Restrict logon rights of admin accounts (they don't need to be able to logon everywhere)• Who has admin rights on admin PC’s? • Who has access to backups?• Who has access to virtualization infrastructure?

• Shadow Copy events• Sysmon - Injections into lsass.exe, powershell.exe, ntdsutil.exe• Network traffic - ntds.dit is not a small file…

DCSync – New Hotness for grabbing domain hashesDemo

DCSync Detection• Follow Sean Metcalf (@PyroTek3)• Unofficial documenter of Mimikatz functionality

• At the moment, enable Auditing of Directory Service Access• https://support.microsoft.com/en-us/kb/232714• Demo

Golden Tickets

Golden Tickets• Event IDs: 4624 (logon), 4672 (admin logon), 4634 (logoff)• Account Domain field is blank (should be DOMAIN)• Account Domain field is FQDN (should be DOMAIN)

Pay attention to what your tools are doing!!!

Golden Tickets• Event IDs: 4624 (logon), 4672 (admin logon), 4634 (logoff)• Account Domain field is blank (should be DOMAIN)• Account Domain field is FQDN (should be DOMAIN)• Account Domain field is "eo.oe.kiwi :)"