Malware design - abusing legacy Microsoft transports and session architecture

Presented at DEF CON 31 (2023), Aug. 11, 2023, 4:30 p.m. (45 minutes)

The future isn't certain, nor is continued access to our compromised endpoints. At some point, every red team operator faces the gut-wrenching event of losing command and control (C2) access. This often occurs when post-exploitation activity is detected and associated with the C2 process and channel. Further link analysis may lead to the discovery of other compromised endpoints, secondary C2, and compromised credentials. Needless to say, a single mistake can cause a huge disruption in access and can jeopardize the entire engagement. This talk will present and demonstrate the methodologies and techniques built into Obligato, a covert implant tasking and communications framework designed with four primary objectives: breaking process chaining events, disassociating network communication from the implant, providing a means for maintaining or regaining access, and evading dynamic analysis. Technical information will be explained and demonstrated at both high and low levels, so prior knowledge is not required. However, to get the most out of the talk, attendees are encouraged to have a basic understanding of general Windows architecture, networking, and programming concepts.

References:

[1] Pyle, Ned. "The Beginning of the End of Remote Mailslots." Microsoft Tech Community, 8 Mar. 2023, https://techcommunity.microsoft.com/t5/storage-at-microsoft/the-beginning-of-the-end-of-remote-mailslots/ba-p/3762048.
[2] Microsoft Corporation. "[MS-MAIL]: Remote Mailslot Protocol." 25 June 2021, https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-MAIL/[MS-MAIL].pdf.
[3] Aggarwal, Avnish. "Protocol Standard for a NetBIOS Service." RFC 1001, IETF, Mar. 1987, https://datatracker.ietf.org/doc/html/rfc1001.
[4] MITRE. "Enterprise Techniques." MITRE ATT&CK, 25 Oct. 2022, https://attack.mitre.org/techniques/enterprise/.
[5] Yosifovich, Pavel. "Parent Process vs. Creator Process." 10 Jan. 2021, https://scorpiosoftware.net/2021/01/10/parent-process-vs-creator-process/.
[6] Schwarz, Roland. "Thread Local Storage - The C++ Way." CodeProject, 28 Aug. 2004, https://www.codeproject.com/Articles/8113/Thread-Local-Storage-The-C-Way.
[7] The Chromium Authors. "base/threading/thread_local_storage_win.cc." Chromium source on GitHub, Jan. 2012, https://github.com/chromium/chromium/blob/main/base/threading/thread_local_storage_win.cc.
[8] timb3r. "How to Find Hidden Threads - ThreadHideFromDebugger - AntiDebug Trick." Guided Hacking, 27 Dec. 2019, https://guidedhacking.com/threads/how-to-find-hidden-threads-threadhidefromdebugger-antidebug-trick.14281/.
[9] Chappell, Geoff. "THREADINFOCLASS." Jan. 1997, https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ps/psquery/class.htm.
[10] Microsoft. "GetMailslotInfo Function (winbase.h)." Microsoft Learn, 10 Oct. 2021, https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getmailslotinfo.
[11] Microsoft. "Impersonation Tokens." Microsoft Learn, 1 July 2021, https://learn.microsoft.com/en-us/windows/win32/secauthz/impersonation-tokens.
[12] Microsoft. "CreateProcessWithTokenW Function (winbase.h)." Microsoft Learn, 2 Jan. 2023, https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw.
[13] Microsoft. "WTSQueryUserToken Function (wtsapi32.h)." Microsoft Learn, 10 Dec. 2021, https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtsqueryusertoken.
[14] Microsoft. "PEB (winternl.h)." Microsoft Learn, 31 Aug. 2022, https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb.
[15] Yosifovich, Pavel. Windows 10 System Programming, Part 1. Independently published.
[16] Yosifovich, Pavel. Windows 10 System Programming, Part 2. Independently published.
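The "legacy transport" in the title is the Windows mailslot, the one-way datagram channel covered by references [1], [2] and [10]. The script below is an added illustration of that mechanism on a single host; it is not Obligato's code and nothing from the talk. It creates a mailslot server, writes a message into it through a second handle exactly as a client would, then drains the slot with GetMailslotInfo and ReadFile. The slot name demo_slot and the message text are constructed for this example.

```powershell
# Added example (not from the talk): local mailslot server and client in one script.
# Win32 signatures via P/Invoke; constants are the documented winbase.h values.
$signatures = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class Mailslot
{
    public const uint GENERIC_WRITE         = 0x40000000;
    public const uint FILE_SHARE_READ       = 0x00000001;
    public const uint OPEN_EXISTING         = 3;
    public const uint FILE_ATTRIBUTE_NORMAL = 0x80;
    public const uint MAILSLOT_NO_MESSAGE   = 0xFFFFFFFF;  // GetMailslotInfo: slot is empty

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateMailslot(string lpName, uint nMaxMessageSize,
        uint lReadTimeout, IntPtr lpSecurityAttributes);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess,
        uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetMailslotInfo(SafeFileHandle hMailslot, IntPtr lpMaxMessageSize,
        out uint lpNextSize, out uint lpMessageCount, IntPtr lpReadTimeout);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteFile(SafeFileHandle hFile, byte[] lpBuffer,
        uint nNumberOfBytesToWrite, out uint lpNumberOfBytesWritten, IntPtr lpOverlapped);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadFile(SafeFileHandle hFile, byte[] lpBuffer,
        uint nNumberOfBytesToRead, out uint lpNumberOfBytesRead, IntPtr lpOverlapped);
}
'@
Add-Type -TypeDefinition $signatures

# Constructed name for this example. The same slot is reachable remotely as
# \\<host>\mailslot\demo_slot (or \\*\mailslot\demo_slot for a broadcast).
$slotName = '\\.\mailslot\demo_slot'

# Server side: only the creator can read. nMaxMessageSize 0 = no limit,
# lReadTimeout 0 = ReadFile returns at once when the slot is empty.
$server = [Mailslot]::CreateMailslot($slotName, 0, 0, [IntPtr]::Zero)
if ($server.IsInvalid) {
    throw "CreateMailslot failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Client side: a writer opens the slot like a file and fires datagrams into it.
# Writers never see whether a message was delivered; mailslots are best-effort.
$client = [Mailslot]::CreateFile($slotName, [Mailslot]::GENERIC_WRITE, [Mailslot]::FILE_SHARE_READ,
    [IntPtr]::Zero, [Mailslot]::OPEN_EXISTING, [Mailslot]::FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
if ($client.IsInvalid) {
    throw "CreateFile on mailslot failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
foreach ($text in @('task:whoami', 'task:hostname')) {        # constructed messages
    $payload = [Text.Encoding]::UTF8.GetBytes($text)
    [uint32]$written = 0
    [void][Mailslot]::WriteFile($client, $payload, $payload.Length, [ref]$written, [IntPtr]::Zero)
}
$client.Dispose()

# Server drain loop: GetMailslotInfo reports the size of the next message and
# how many are queued, so the reader can size its buffer before calling ReadFile.
[uint32]$nextSize = 0
[uint32]$count = 0
while ([Mailslot]::GetMailslotInfo($server, [IntPtr]::Zero, [ref]$nextSize, [ref]$count, [IntPtr]::Zero) -and
       $nextSize -ne [Mailslot]::MAILSLOT_NO_MESSAGE) {
    $buf = New-Object byte[] ([int]$nextSize)
    [uint32]$read = 0
    if ([Mailslot]::ReadFile($server, $buf, $nextSize, [ref]$read, [IntPtr]::Zero)) {
        "server got $read bytes ($count queued before read): " + [Text.Encoding]::UTF8.GetString($buf, 0, $read)
    }
}
$server.Dispose()
```

Run it in any Windows PowerShell session; both messages are read back in order. Swapping the local name for \\ComputerName\mailslot\demo_slot moves the write onto the NetBIOS datagram service (UDP 138), which is the remote mailslot path reference [1] describes Microsoft retiring. For defenders, the reader's handle shows up in handle listings under \Device\Mailslot\demo_slot, which is a useful hunting pivot when an implant uses a slot rather than a socket.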

Presenters:

  • R.J. "BeetleChunks" McDown - Principal Red Teamer
    R.J. McDown (BeetleChunks) is a computer scientist who has made a career out of hacking into numerous Fortune 500 companies through consulting red team engagements and penetration tests. R.J. is an avid Python and C/C++ developer who has created custom tools for bypassing leading EDR solutions and OS-based monitoring, including a tool released at DerbyCon 7 called RedSails. Every now and then R.J. turns his focus to developing fuzzing harnesses, which has led to the discovery of critical zero-day vulnerabilities in popular applications including Microsoft Outlook (CVE-2019-1199) and ManageEngine OpManager (CVE-2020-12116).