4. Where are we going?
• Windows user-land malware development and design
• Techniques for Windows environments
• Detection techniques
• I will probably forget to mention some of these…
• Not focusing on
• Kernel malware/rootkits, anti-forensics, AV-evasion
6. Malware Dev: Defensive Perspective
• Understanding the code helps you design your defenses
• Malware development has its own pyramid of pain
8. Defensive Perspective
• Understanding the code helps you design your defense
• Malware development has its own pyramid of pain
• Gives insight into the future
9. Malware Dev: Offensive Perspective
• Understanding of tools
• Gives you control - easy to adapt
• Offensive in Depth
• Writing malware is fun!
11. A remote administration tool (RAT) is a piece of software that allows a remote "operator" to control a system as if they had physical access to that system.
25. DNS
• Why DNS?
• Not monitored as often
• Routed through a trusted host
• Great for low and slow
• Size considerations
• TXT records (255 bytes max)
• A records (4 bytes max)
26. Defensive Interjection!
• What can we do to detect poorly designed HTTP-based malware?
• How about DNS malware?
• Not all comms are beaconing
27. Internal Pivoting and Comms
• Goals
• Get remote execution
• Blend in
• Limit egress hosts
36. Named Pipe
A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. All instances of a named pipe share the same pipe name, but each instance has its own buffers and handles.
42. Detecting/Preventing Local Password Theft
• Install KB2871997
• Removes all plaintext creds from lsass except WDigest
• http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
• Add admin accounts to "Protected Users" AD group
• Kerberos authentication only
• No account delegation (can't steal tokens)
• AES for pre-authentication process
• Restricted Admin mode for RDP
• Plaintext password never sent to server
• Session uses a network logon only (prevents token stealing)
43. Preventing Local Password Theft - cont
• LSASS Protected Process (Windows 8.1/2012 R2 and above)
• https://technet.microsoft.com/en-us/library/Dn408187.aspx
• Can be bypassed via a driver
• Honey tokens
• Idea by Mark Baggett
• https://github.com/SMAPPER/MimikatzHoneyToken
• Alert on usage
44. Pass the hash Protections
• KB2871997
• Adds GPO to disable remote network logons from local accounts
• Local Administrator Password Solution (LAPS)
• Restrict inter-machine communications
46. Old School – Code Execution on DC
• Dump them from LSASS (traditional hashdump)
• Mimikatz: lsadump::lsa /inject and lsadump::lsa /patch /name:krbtgt
• Meterpreter: post/windows/gather/credentials/domain_hashdump
• Parses the ESE database using the built-in JetAPI
• Ntds.dit: Invoke-NinjaCopy, PowerForensics (@jaredatkinson), shadow copies, Ntdsutil
47. Detection
• Access to ntds.dit == domain-wide access
• Who has admin rights on DCs?
• Restrict logon rights of admin accounts (they don't need to be able to logon everywhere)
• Who has admin rights on admin PCs?
• Who has access to backups?
• Who has access to virtualization infrastructure?
• Shadow Copy events
• Sysmon - Injections into lsass.exe, powershell.exe, ntdsutil.exe
• Network traffic - ntds.dit is not a small file…
48. DCSync – New Hotness for grabbing domain hashes
Demo
49. DCSync Detection
• Follow Sean Metcalf (@PyroTek3)
• Unofficial documenter of Mimikatz functionality
• At the moment, enable Auditing of Directory Service Access
• https://support.microsoft.com/en-us/kb/232714
• Demo
54. Golden Tickets
• Event IDs: 4624 (logon), 4672 (admin logon), 4634 (logoff)
• Account Domain field is blank (should be DOMAIN)
• Account Domain field is FQDN (should be DOMAIN)
• Account Domain field is "eo.oe.kiwi :)"
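The Account Domain tells listed above, as an added detection example that is not part of the original deck: it checks constructed 4624/4672/4634 records (field names follow the Security log's TargetDomainName/TargetUserName schema) for a blank domain, an FQDN, or the Mimikatz default marker.

```python
# Added example: flag logon-related events whose Account Domain field shows
# the golden-ticket tells from the slide. Sample records are constructed.

LOGON_EVENT_IDS = {4624, 4672, 4634}      # logon, admin logon, logoff
MIMIKATZ_DEFAULT_DOMAIN = "eo.oe.kiwi :)"  # literal quoted on the slide


def account_domain_findings(event):
    """Return the anomalies in one event's Account Domain (empty list = looks normal)."""
    if event.get("EventID") not in LOGON_EVENT_IDS:
        return []  # other event IDs use this field differently; out of scope here
    domain = event.get("TargetDomainName", "")
    findings = []
    if domain == "":
        findings.append("blank Account Domain (should be NetBIOS DOMAIN)")
    elif domain == MIMIKATZ_DEFAULT_DOMAIN:
        findings.append("Account Domain is the Mimikatz default marker")
    elif "." in domain:
        findings.append("Account Domain is an FQDN (should be NetBIOS DOMAIN)")
    return findings


def find_forged_logons(events):
    """Return (EventID, TargetUserName, findings) for every suspicious event."""
    hits = []
    for ev in events:
        findings = account_domain_findings(ev)
        if findings:
            hits.append((ev["EventID"], ev.get("TargetUserName", "?"), findings))
    return hits


# Constructed sample events; only the first is what a legitimately issued ticket produces.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP"},
    {"EventID": 4672, "TargetUserName": "admin", "TargetDomainName": ""},
    {"EventID": 4624, "TargetUserName": "admin", "TargetDomainName": "corp.example.com"},
    {"EventID": 4634, "TargetUserName": "admin", "TargetDomainName": "eo.oe.kiwi :)"},
    {"EventID": 4688, "TargetUserName": "svc", "TargetDomainName": ""},  # not a logon event
]

if __name__ == "__main__":
    for event_id, user, findings in find_forged_logons(SAMPLE_EVENTS):
        print(f"Event {event_id} for {user}: {'; '.join(findings)}")
```

Local-account logons legitimately carry the computer name as Account Domain, so the checks are limited to the three slide indicators rather than a simple "not equal to DOMAIN" comparison.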
Understanding the code helps you design your defenses
Windows APIs (WinInet, Code Injection)
Malware developers have their own pyramid of pain
Easy to change comm signatures. Hard to change injection technique
Easy to change dropper/stage1 malware. Hard to rewrite credential extraction tool
Insight into where malware will be going in the future
A lot of the code used by malware is developed and released by the good guys (Mimikatz, Metasploit, PowerSploit, etc.)
Understanding the code helps you design your defenses
Windows APIs (WinInet, Code Injection)
Gives you an understanding of your tools
Do you know what your tools are doing?
Are your tools OpSec safe?
Gives you control - easy to adapt
SEP and Meterpreter staging
Offensive in Depth
Having a completely custom RAT comes in handy