Empire – Your best Friend to Secure Your Systems
@harmj0y @jaredcatkinson
Hello! I am @harmj0y: Offensive Engineer and Red Teamer
Developer: Veil-Framework, PowerView, PowerUp, Empire/Empyre, BloodHound
Speaker: DEF CON, BlueHat IL, DerbyCon, et al.
Other: Microsoft PowerShell/CDM MVP, BlackHat Trainer
Hello! I am @jaredcatkinson: Forensicator, Incident Responder, and Hunter
Developer: PowerForensics, Uproot IDS
Speaker: 44CON, BSides DC, PowerShell Summit, PS Conference EU
Other: U.S. Air Force Hunt Team, Microsoft PowerShell/CDM MVP, BlackHat Trainer
tl;dr
◉ Offensive and Defensive Philosophy
◉ Building an Empire
◉ Uprooting the Adversary
◉ PowerForensics
◉ Demos!
1. Offensive and Defensive Philosophy
“Fundamentally, if someone wants to get in, they’re getting in… accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”
Michael Hayden, Former Director of NSA & CIA
Source: Microsoft Enterprise Cloud Red Teaming Whitepaper
“Assume Breach”
◉ For offense:
○ Focus on post-exploitation
○ “Blend with the noise” to slip under the blue team’s detections
◉ For defense:
○ Proactively hunt for malicious actors
○ “Blend with the noise” to slip under the actor’s detections
Living Off the Land
◉ Focus on blending in with normal host and network actions
◉ For offense:
○ Utilize built-in capabilities
○ PowerShell.exe, WMI, msbuild, netsh, etc.
◉ For defense:
○ WMI, ETW
○ Raw disk handles, to minimize the trust required for other built-in actions that may tip your hand
Why PowerShell?
◉ “Microsoft’s post-exploitation language” - @obscuresec
◉ PowerShell provides, out of the box:
○ Full .NET access
○ Direct access to the Win32 API
○ Ability to assemble malicious (or defensive) binaries and capabilities in memory
○ Default installation on Windows 7+!
Our Goal
◉ We want to show how PowerShell can be used to both break and secure your enterprise systems
◉ We will walk through some of PowerShell Empire’s offensive capabilities, Uproot’s intrusion detections, and PowerForensics’ post-analysis abilities
2. Building An Empire With PowerShell
First Things First
◉ Empire would not be possible without the help and phenomenal work from:
○ PowerSploit by @mattifestation, @obscuresec and @JosephBialek
○ Posh-SecMod by @Carlos_Perez
○ UnmanagedPowerShell by @tifkin_
○ Mimikatz by @gentilkiwi and Vincent LE TOUX
◉ Everyone who contributed modules, bugs, fixes, and time! You all rock!
What Is Empire?
◉ Empire is a fully-featured PowerShell (and Python!) based remote access trojan (RAT) released at BSides LV 2015
◉ Provides a rich set of post-exploitation actions in line with the “assume breach” philosophy
Why Build This?
◉ Started as a thought exercise!
◉ We wanted to:
○ Provide a rapidly extensible platform to integrate offensive/defensive PowerShell work
○ Build a platform that’s easily customizable
○ Train defenders on the capabilities of offensive PowerShell!
^ the guy who invented PowerShell
Empire Design Decisions
◉ Asynchronous communications
○ GET/POST tasking structure
◉ We care about crypto!
○ “Perfect forward secrecy” w/ encrypted key exchange
◉ Modularity
○ Common module format w/ a variety of options
○ Post-exploitation modules can be loaded and removed live
Empire Capabilities
◉ code_execution - ways to run more code
◉ collection - post-exploitation data collection
◉ credentials - collect and use creds
◉ lateral_movement - move around the network
◉ management - host management and auxiliary
◉ persistence - survive the reboot
◉ privesc - escalation capabilities
◉ situational_awareness - network awareness
◉ trollsploit - have fun with defenders :)
Empire 2.0
◉ Empire/EmPyre: wanted one single controller for our Python Linux/OS X agents and PowerShell agents.
◉ Modularize C2: expandable listeners that you can drag/drop into the framework for additional transports.
◉ Code Rot: fix our past mistakes and build a foundation for the future viability of the project.
Modular C2
◉ Previously, listeners were hard-wired into the code base, so adding transports was extremely difficult
◉ Now listeners are encapsulated in self-contained modules
○ Allows you to drag/drop modules into the framework just like post-exploitation modules
◉ Can even use third-party sites like...
3. Uproot IDS
WMI Introduction
◉ Windows Management Instrumentation
◉ Microsoft’s implementation of the Common Information Model (CIM) standard
◉ Allows administrators to query system information:
○ System
○ Applications
○ Hardware
○ Networks
◉ PowerShell provides a simple interface:
○ Get-WmiObject
○ Get-CimInstance
WMI Event Subscriptions
◉ WMI interface for monitoring changes to the model
◉ Classes built specifically for event monitoring
◉ Subscriptions are persistent
○ Maintained in the WMI Repository
◉ Built with troubleshooting in mind, but:
○ Attackers leverage it for persistence
○ Defenders leverage it for intrusion detection
◉ Three parts to a subscription:
○ Filter
○ Consumer
○ Binding
Uproot Introduction
◉ Intrusion Detection System that leverages WMI Permanent Event Subscriptions to detect:
○ General system information
○ Introduction of persistence
○ Lateral movement
◉ Abstracts the complexity of permanent WMI Event Subscriptions
○ Register-PermanentWmiEvent
◉ Reports events via:
○ Windows Event Log (ideal)
○ HTTP POST (Splunk or ELK)
○ Flat log file
Intrusion Detection
◉ Real-time monitoring (Push vs. Pull)
○ Pull - Query data from a centralized point
○ Push - Endpoint agent sends data to a centralized location
◉ Removes blind spots between “pulls”
◉ Monitoring is distributed to endpoints instead of the server
◉ Requires some sort of presence (agent) on the endpoint
◉ Built-in monitoring capabilities:
○ WMI Event Subscriptions
○ Event Tracing for Windows (ETW)
Basics - Filter
◉ __EventFilter
○ Defines the event to detect using WMI Query Language (WQL)
◉ Event filter examples:
○ SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2
○ SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName LIKE '%chrome%'
○ SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Service' and TargetInstance.State = 'Running'
○ SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_StartupCommand'
Basics - Consumer
◉ __EventConsumer
○ ActiveScriptEventConsumer
■ runs a predefined script in an arbitrary scripting language
○ CommandLineEventConsumer
■ starts an arbitrary process in the local system
○ LogFileEventConsumer
■ writes customized strings to a text log file
○ NTEventLogEventConsumer
■ logs a specific message to the operating system event log
○ SMTPEventConsumer
■ sends an email message by using Simple Mail Transfer Protocol (SMTP)
Basics - Binding
◉ __FilterToConsumerBinding
○ Registration of permanent event consumers to relate an instance of the __EventConsumer to an instance of __EventFilter
[Diagram: Binding relates a Filter to a Consumer]
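The three parts described on the Filter, Consumer and Binding slides, registered by hand as an added example (this is not Uproot's code; Uproot wraps the same steps in Register-PermanentWmiEvent). It assumes Windows PowerShell 5.1 run elevated; the subscription name and the 'WSH'/event ID 8 consumer settings are choices made for this example, and the listing function doubles as a check for subscriptions you did not register.

```powershell
#Requires -RunAsAdministrator
# Added example, not Uproot's code (Uproot wraps these steps in Register-PermanentWmiEvent).
# Assumes Windows PowerShell 5.1 run elevated. The subscription name is a constructed value.
$Namespace = 'root\subscription'
$Name      = 'Demo_NewStartupCommand'

function Register-StartupCommandDetection {
    # Filter: poll every 10 s for newly created autorun entries (the last WQL query
    # from the Basics - Filter slide).
    $filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
        Name           = $Name
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
                         "WHERE TargetInstance ISA 'Win32_StartupCommand'"
    }

    # Consumer: write a Warning to the Application log. Assumption: the existing 'WSH'
    # source with event ID 8 renders its first insertion string as the message body, so
    # the template below (expanded from the TargetInstance) becomes the visible text.
    $consumer = Set-WmiInstance -Namespace $Namespace -Class NTEventLogEventConsumer -Arguments @{
        Name                     = $Name
        SourceName               = 'WSH'
        EventID                  = [uint32]8
        EventType                = [uint32]2          # 1 = Error, 2 = Warning, 4 = Information
        Category                 = [uint16]0
        NumberOfInsertionStrings = [uint32]1
        InsertionStringTemplates = @('New startup command "%TargetInstance.Name%" runs ' +
            '"%TargetInstance.Command%" for %TargetInstance.User% (%TargetInstance.Location%)')
    }

    # Binding: relates the filter to the consumer; only now is the subscription live.
    Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
}

function Get-PermanentWmiSubscription {
    # Defender check: list every binding in the repository with its filter query and
    # consumer class. The same mechanism is used for attacker persistence, so any
    # entry you did not register deserves a closer look.
    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding | ForEach-Object {
        $f = [wmi]$_.Filter      # resolve the object path stored in the binding
        $c = [wmi]$_.Consumer
        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query
            ConsumerClass = $c.__CLASS
            Consumer      = $c.Name
        }
    }
}

function Unregister-StartupCommandDetection {
    # Remove in reverse order: binding first, then consumer and filter.
    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*Name=`"$Name`"*" } | Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class NTEventLogEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
}

Register-StartupCommandDetection | Out-Null
Get-PermanentWmiSubscription
```

After registration, adding a test entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run should produce a WSH event ID 8 in the Application log within about 10 seconds; Unregister-StartupCommandDetection removes all three objects again.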
4. Forensicating with PowerShell
PowerForensics Introduction
◉ PowerShell module for live forensic investigation
◉ Binary module (compiled C# DLL)
◉ Minimizes use of operating system APIs
◉ .NET Core compatible (Windows, macOS, *nix)
◉ Currently parses:
○ NTFS and FAT data structures
○ Windows-specific data structures
■ Windows Registry
■ Windows Event Log
■ Scheduled Jobs
■ Prefetch files
Design Decisions
◉ Forensically sound
◉ Parse raw disk structures
◉ Don’t alter NTFS timestamps
◉ Can execute on a live (running) host
◉ Operationally fast
○ Collect forensic data in seconds or minutes
◉ Modular capabilities
○ Cmdlets perform discrete tasks and can be tied together for more complicated tasks
◉ Capable of working remotely
Getting the Data
◉ Create a read handle to the Physical Disk/Logical Volume
○ CreateFile API (Windows)
○ Open API (Mac/*nix)
◉ Read from the handle
○ FileStream Read method
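The two steps above carried through in PowerShell, as an added example (this is not PowerForensics' own code, which implements the same approach in C#): open the volume with CreateFile, wrap the handle in a FileStream, read the NTFS boot sector and use it to locate and read the first $MFT record. It assumes Windows PowerShell 5.1 (.NET Framework) run as administrator and an NTFS volume at \\.\C:; the function name is the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not PowerForensics code. Assumes Windows PowerShell 5.1 (.NET Framework)
# and an NTFS volume at \\.\C:.
Add-Type -Namespace Demo -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Get-NtfsBootInfo {
    # Hypothetical cmdlet name chosen for this example.
    param([string]$VolumePath = '\\.\C:')

    $GENERIC_READ  = [uint32]2147483648   # 0x80000000
    $SHARE_RW      = [uint32]3            # FILE_SHARE_READ | FILE_SHARE_WRITE: never lock the live volume
    $OPEN_EXISTING = [uint32]3

    # Step 1: raw read handle on the logical volume (CreateFile). No file is opened through
    # the file system, so no NTFS timestamp is touched.
    $handle = [Demo.Kernel32]::CreateFile($VolumePath, $GENERIC_READ, $SHARE_RW, [IntPtr]::Zero,
                                          $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object ComponentModel.Win32Exception($err))
    }

    # Step 2: wrap the handle in a FileStream and read. Device reads must be sector-sized and
    # sector-aligned; the boot sector (512 bytes at offset 0) and the cluster-aligned MFT read
    # below both satisfy that.
    $stream = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
    try {
        $boot = New-Object byte[] 512
        if ($stream.Read($boot, 0, 512) -ne 512) { throw 'Short read of boot sector' }
        if ([Text.Encoding]::ASCII.GetString($boot, 3, 4) -ne 'NTFS') { throw "$VolumePath is not NTFS" }

        # Fields of the NTFS $Boot record needed to locate the Master File Table.
        $bytesPerSector    = [BitConverter]::ToUInt16($boot, 0x0B)
        $sectorsPerCluster = [int]$boot[0x0D]
        $mftCluster        = [BitConverter]::ToUInt64($boot, 0x30)
        $mftOffset         = [int64]$mftCluster * $bytesPerSector * $sectorsPerCluster

        # Read the first 1024-byte file record of $MFT itself; a valid record starts with 'FILE'.
        $null   = $stream.Seek($mftOffset, [IO.SeekOrigin]::Begin)
        $record = New-Object byte[] 1024
        if ($stream.Read($record, 0, 1024) -ne 1024) { throw 'Short read of MFT record 0' }

        [pscustomobject]@{
            Volume             = $VolumePath
            BytesPerSector     = $bytesPerSector
            SectorsPerCluster  = $sectorsPerCluster
            MftCluster         = $mftCluster
            MftByteOffset      = $mftOffset
            MftRecordSignature = [Text.Encoding]::ASCII.GetString($record, 0, 4)  # expect 'FILE'
        }
    }
    finally { $stream.Dispose() }   # also closes the SafeFileHandle
}

Get-NtfsBootInfo
```

Because the handle is read-only and shared, the live volume keeps running normally; every later structure (MFT records, UsnJrnl, registry hives) is reached the same way, by computing an offset from these fields and reading aligned blocks.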
Forensic Timelining
◉ Investigate file system activity temporally
◉ Aggregate artifacts from different sources:
○ Master File Table
○ UsnJrnl
○ Registry
○ Prefetch
○ Event Logs
PowerForensics Portable
◉ Allows PowerForensics to be run on a remote system
◉ Loads the PowerForensics assembly in memory
◉ Assembly exposes a public API to query data
5. Attacking and Defending with PowerShell
Other Detections
Previous Talks
http://bit.ly/2kFItwg
Any questions? You can find us at:
◉ @harmj0y (will [at] harmj0y.net)
◉ @jaredcatkinson (jared [at] invoke-ir.com)
Thanks!