I'll See Your Missile and Raise You A MIRV: An overview of the Genesis Scripting Engine

Presented at DEF CON 26 (2018), Aug. 10, 2018, 5 p.m. (45 minutes).

Typically, the activities of a malware attack occur on an execution timeline that generally consists of 3 segments-the vector, the stage, and the persistence. First, a vector, or method of exploitation is identified. This could be anything from logging in over a credentialed method like RDP or SSH and running a malicious payload directly, to exploiting a memory corruption vulnerability remotely. Second, that access is leveraged into running malicious code that prepares the victim for the deployment of persistence (commonly "implant"). While segments one and three have been extensively automated, a effective automated utility for deploying persistence in a dynamic and unified context has yet to present itself.

Enter the Genesis Scripting Engine.

The Genesis Scripting Engine, or Gscript for short, is a framework for building multi-tenant executors for several implants in a stager. The engine works by embedding runtime logic (powered by the V8 Javascript Virtual Machine) for each persistence technique. This logic gets run at deploy time on the victim machine, in parallel for every implant contained with the stager. The Gscript engine leverages the multi-platform support of Golang to produce final stage one binaries for Windows, Mac, and Linux.

This talk will consist of an overview of the origins of the project, a technical deep dive into the inner workings including the modified Javascript VM, a walk through of the CLI utility, and examples of how we've leveraged Gscript in the real world.

Multiple demos involving practical application scenarios will be presented, as well as an opportunity for audience members to submit their own implants and have them built into a hydra on stage in a matter of minutes.


Presenters:

  • Alex Levinson - Senior Security Engineer
    Alex Levinson is a Senior Security Engineer at Uber with experience in red teaming, software engineering, and incident response. Outside of Uber, he is a core member of the red team for the National Collegiate Cyber Defense Competition (CCDC), as well as the Competition Director for the Collegiate Penetration Testing Competition (CPTC). Previously, Alex worked as a Senior Consultant and Development Manager at Lares Consulting. @alexlevinson, github.com/gen0cide, alexlevinson.wordpress.com
  • Dan Borges - Hacker
    Dan Borges is an information security professional with over 15 years in computer science. Dan participates in a number of cyber security competitions each year, from being on the National CCDC Red Team, to leading a Blue Team in Pros Versus Joes, and helping run the Collegiate Penetration Testing Competition (CPTC). He has been publishing a blog on infosec education for more than 10 years. @1jection

Links:

Similar Presentations: