Payload Delivery

Mohan reddy
Redteam & Blueteam Series
10 min read · May 2, 2020

Attackers must first find a method to deliver the malicious payload onto the victim’s computer. They typically use a two-phase method to bypass defenses: the initial delivery is kept separate from the actual payload, which is the part that actually causes the damage. It is the incident handler’s task to stop the attack either at the delivery stage or at the execution stage.

Red Team: Attack vectors and Techniques

The ways of delivering payloads vary from target to target and are countless. Attackers follow a trial-and-error method while crafting and delivering them, and the choice depends on the following factors. It’s always better to use a payload which does not touch the disk and runs in memory (fileless malware), which makes the attack stealthier.

1) Which OS (Windows, Linux, macOS)

2) Which framework (VBS, PowerShell, HTA, MSI, JAR, JavaScript, Python, Perl & Ruby; the last three also need a preinstalled runtime)

3) Which software the target is using (MS Office, OpenOffice & so on; some software has built-in functionality that can detect some payloads & trigger alerts)

4) Which anti-threat tools are deployed

Some of the well-known tactics attackers use when delivering payloads are malicious links, website components & malicious files.

  1. Malicious links — which I covered in an earlier episode.
  2. Website components — This is important because most users are on the internet and tricking them takes only some effort to achieve the attacker’s goal; today’s advanced attacks are also aimed more at the human element. Here I will add some of the techniques I practiced when I was doing an internship at a security company.

2a) Java Applet: The Java applet attack vector has one of the highest success rates of any attack I have performed, and most attackers have had the same experience, because Java was used on almost all OS platforms. I have practiced various scenarios using the SET kit while performing attack scenarios. But be cautious that later versions of Java 8 need a skillful payload to evade AV because of the new approach (no Java applet will run unless the code is signed by a recognized authority). The attack flow is as follows:

i) Develop a Java applet & deploy it within a convincing web-based environment.

ii) Deploy a social engineering attack against the previously identified users (which we learnt in episode 1) to encourage them to visit the maliciously crafted website. (For the applet to execute on the target machine it needs to be signed, which can be done with bare-minimum social engineering of the issuing company, since there are many competing companies and they do little verification.)

iii) Upon execution, the applet must determine whether it is on a Windows, Linux or OS X environment and download the appropriate C2 agent. This will obviously involve some recoding of the C2.

2b) ClickOnce: ClickOnce is a .NET technology that supports deploying applications & allows users to install and run various applications by clicking a link on a web page.

“When someone asks me which are the best technologies (payloads) for attacking, I would name Java & the .NET framework, because the technology these languages have adopted facilitates attackers getting a foothold on the target without making much noise.”

ClickOnce — Choose default types

Attackers utilize the .appref-ms file as an OLE object to deliver the payloads.

The .appref-ms file type is not flagged as malicious by Outlook & Gmail, so an attacker can attach it directly to an e-mail to gain initial access upon code execution. Hyperlink delivery, by contrast, relies on the .application file and not .appref-ms: by providing the end user a direct link to the .application file, they can click the link to perform the required code execution via ClickOnce.

Delivering VBScript payload

2c) HTA: An HTML Application is a Microsoft Windows program format capable of running scripting languages such as VBScript or JScript; the payload is executed by MSHTA.EXE (Windows). See the Metasploit module.

This technique requires the target to click a link, in the same way as referenced in the prior section.

metasploit hta payload

Try FruityC2 for practicing basic red team scenarios

2d) Browser Exploit: Browser exploits are often achieved by an attacker compromising an existing legitimate website and installing the exploit kit within it, or alternatively buying advertising space on a site and using code embedded within adverts to deploy the kits, which is known as ‘malvertising’. These techniques take advantage of traffic traversing to legitimate domains as well as providing a level of anonymity for the attacker. Relying on browser exploits needs a bit of patience, since it takes time until a zero-day exists for the latest browser version (mostly IE). Below is the list of IE exploits on exploit-db.

IE Exploits on exploit-db
metasploit web payload delivery

2e) Forum Pages: Due to the nature of forum software, users are encouraged to upload content. A malicious user can leverage this to exploit vulnerabilities in the forum software, run their malicious code in the browsers of other visitors and drop a payload.

2f) Browser Add-On Exploit: If the browser cannot be exploited directly, attackers choose to infect the host by targeting browser plugins. Vulnerabilities in plugins have historically offered the most successful infection rates, and today’s exploit kits will normally target software such as Adobe’s Flash Player, Acrobat Reader, Microsoft’s Silverlight and Oracle’s Java.

If the attacker is unable to infect the victim by exploiting either the browser or a browser plugin, they may stop the infection process or redirect the victim to a fake download page in order to achieve infection via deceptive user interaction.

This fallback technique relies on social engineering to trick the victim into willingly downloading a malicious payload disguised as a browser plugin or other legitimate software. This enables the attackers to bypass browser security measures and is just another way exploit kits adapt to network defenses.

malicious flash player update

2g) Common Internet-facing applications/services: Any misconfiguration or unpatched flaw in an internet-facing service or application gives an attacker access; the SaltStack RCE bug is an example. Two security flaws (an authentication bypass & a directory traversal) were discovered in March 2020, and together these vulnerabilities provide root access.

Most red team operations do not involve creating a malicious payload to compromise a machine; instead they look for organisations which don’t patch their assets ASAP even after patches are released, which leads to the compromise of the organisation.

To summarize the web components attack vector, I would say APT actors use strategic web compromises (SWCs), otherwise known as watering holes: sites that are strategically targeted for compromise because they are known to be visited by specific victims. These actors also tend to use their own custom-made exploit kits as part of their campaigns. Once the attacker has gained access to a legitimate website, they need to ensure the victim is directed to the exploit kit infrastructure, and they use a JavaScript profiling script to check whether the victim’s browser and OS are vulnerable to exploitation. The criteria considered in the profiling step are:

i) Detect if the browser is being run on a VM or has certain security products installed

ii) OS check (since some payloads are dependent on the OS)

iii) Browser check (version, sandbox technology)

iv) Browser plugins

3. Malicious Files

Delivering payloads via various file formats has been seen in most red team activities; let’s understand them here.

3a) Office Macros: This is a well-known technique familiar to both Red & Blue teams, and it still works in red team operations. Most macros written in VBA drop further payloads to trigger the other stages of the malware. I was very curious about macro attacks during my internship, and here are the capabilities of a VBA macro:

i) Download files

ii) Create files

iii) Execute files

iv) Call any DLL

v) Inject shellcode

vi) Call any ActiveX object

vii) Run system commands

viii) Simulate keystrokes

ix) Run automatically

Due to their high success ratio in delivering malware, these are also known as vehicles of malware. This method may not work in modern Office versions, which contain security features that protect against macros.

NOTE: Clicking on “Enable Content” is exactly as dangerous as launching an unknown executable file.

Office Macro

E.g.: well-known malware campaigns such as Emotet, Ursnif, TrickBot, Sandworm, etc.

3b) Office DDE exploits: DDE is a protocol which was developed to allow the transport of data between Microsoft Office applications. Attackers abuse this to execute arbitrary code from Microsoft Word without using macros or scripts, although an obfuscated payload is needed to evade IDS.

The Metasploit Framework has a module which can be used to deliver attacks via DDE.

Metasploit DDE payload

3c) Delivering EXEs in PDF, Office or other formats: PDFs are a widely used business file format, which makes them a common target for malware attacks. The PDF reader itself may contain a vulnerability or flaw that allows a file to execute malicious code. Remember that PDF readers aren’t just applications like Adobe Reader and Adobe Acrobat: most browsers contain a built-in PDF reader engine that can also be targeted. In other cases, attackers might leverage AcroForms or XFA forms, scripting technologies used in PDF creation that were intended to add useful, interactive features to a standard PDF document.

“One of the easiest and most powerful ways to customize PDF files is by using JavaScript.” (Adobe)

I was using peepdf when working on PDF attachment attacks.

Delivering malware embedded in an exe file should be the last thing you think of as a red teamer. Any exe downloaded from the internet has to go through heavy inspection and continuous behavior monitoring.
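As an added defensive example (not part of the original post), here is a small triage script in the spirit of peepdf that flags the PDF features named above: JavaScript, automatic actions, launch actions, embedded files and AcroForm/XFA. The keyword list and the two sample PDFs are constructed; the script reads raw objects only, so streams compressed with FlateDecode must be inflated before scanning.

```python
import re
from typing import Dict

# PDF name objects worth flagging in an attachment, grouped by what they enable.
# The list is a constructed starting point, not an exhaustive signature set.
RISKY_NAMES = {
    b"/JavaScript": "script", b"/JS": "script",
    b"/OpenAction": "auto-exec", b"/AA": "auto-exec",
    b"/Launch": "launch-external", b"/EmbeddedFile": "embedded-file",
    b"/AcroForm": "form", b"/XFA": "form",
}
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript compares equal to /JavaScript.
    Simplification: applied to the whole file, not only inside name tokens."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage(pdf: bytes) -> Dict[str, int]:
    """Count risky names per category; the regex lookahead matches whole names only,
    so /JS does not fire on an unrelated longer name such as /JSX."""
    data = normalize_names(pdf)
    counts: Dict[str, int] = {}
    for name, category in RISKY_NAMES.items():
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", data))
        if n:
            counts[category] = counts.get(category, 0) + n
    return counts


def verdict(counts: Dict[str, int]) -> str:
    """Script plus an auto-execution hook means code runs on open: detonate in a sandbox."""
    if "script" in counts and "auto-exec" in counts:
        return "high"
    return "medium" if counts else "low"


# Constructed minimal PDFs for the demonstration; not real samples.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
SUSPICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                  b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        hits = triage(doc)
        print(label, verdict(hits), hits)
```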

4) Physical Intrusion

Humans are the most vulnerable element compared to any other attack vector when the attack is properly planned, and physical intruders do exist, so now let’s concentrate on them. For physical intrusion, HID (Human Interface Device) attacks facilitate delivering payloads using the USB Rubber Ducky & Bash Bunny (kudos to the Hak5 team); even when flash drive access is blocked, these devices can emulate a keyboard and perform actions based on the payload.

Software like Kon-Boot (a Windows login bypass tool), which does not leave traces, combined with a Rubber Ducky works perfectly for delivering payloads. You can also emulate an Android phone as a HID device using Kali NetHunter.

Rubber ducky

BLUE TEAM: Detective and Preventive Controls

So far we have covered the ways an attacker can deliver payloads. To withstand these attack techniques, I will now provide defensive strategies at the endpoint, network and process levels.

Endpoint Level:

Organizations and individuals presume that installing an AV tool protects them from being compromised. That is partly true, but not entirely: no AV tool can protect your organization 100%, for various reasons (the product is not designed to detect & prevent a given technique, the security vendor does not have adequate information about the client infrastructure, integration issues with other AV or SIEM tools already present on client machines, inability to collect and correlate data from various sources).

1. The best practice is to always stay current with patches (Microsoft releases security patches once every month, and patches for any 0-day exploits ASAP).

E.g.: April 2020 Patch Tuesday fixed 113 new security vulnerabilities, 2 of which were 0-days: CVE-2020-1020, CVE-2020-0938.

2. Purchase threat detection & prevention tools. Installing AV tools reduces the chance of a machine getting compromised, and if it unfortunately happens anyway, at least it will be detected so that we can take the necessary actions to remediate.

3. Implement secure group policies, such as: a) Disallow removable media b) Restrict software installations c) Follow the principle of least privilege d) Control access to CMD e) Disable the guest account f) Password length g) Password age limit h) Disable anonymous SID enumeration in AD i) Moderate access to the control panel. I have mentioned only a few, but there are many policies an organization can implement.

4. Implement mail configurations such as POP, IMAP and SMTP with secure connections & certificates.

5. Implement MS Office security settings that protect Microsoft Exchange Online, OneDrive, SharePoint Online and Teams.

6. Harden web browsers: configure content settings, password and form settings, use secure protocols, enable the pop-up blocker, set privacy settings, automatically clear history & cookie storage and, above all, keep your browser updated.

7. Implement a SIEM in the organization, integrate it with other threat detection sources and monitor the resulting alerts.
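As an added example (not from the original post) of the kind of endpoint rule a SIEM would run over process-creation telemetry: it flags the delivery techniques from the red team section that leave a process-tree fingerprint, namely an Office application spawning a shell or script host (macros, DDE), mshta.exe loading an HTA from a URL, and a child of the ClickOnce deployment service dfsvc.exe. The Sysmon-style field names and the sample events are constructed; adapt the names to your EDR schema.

```python
import re
from typing import Dict, List

# Process basenames (lower-case); tune these allow/deny sets for your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    # 3a/3b: a macro or DDE field launching a shell or script host from Office.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    # 2c: mshta.exe fetching an HTA from a URL instead of a local file.
    if image == "mshta.exe" and REMOTE_URL.search(cmdline):
        hits.append("mshta_remote_hta")
    # 2b: dfsvc.exe is the ClickOnce deployment service; anything it starts is a
    # ClickOnce-installed application and should be checked against an allow-list.
    if parent == "dfsvc.exe":
        hits.append("clickonce_launch")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event index to its rule hits, omitting events with no hits."""
    findings = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample events in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c powershell -w hidden -enc QQBBAEEA"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://intranet.example/launch.hta"},
    {"Image": r"C:\Users\u\AppData\Local\Apps\2.0\ABCD\updater.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "CommandLine": "updater.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), rules)
```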

Network Level:

1. Implement email filters; configure thresholds and spam rules.

2. Implement web filtering, whitelisting or blacklisting IP addresses.

3. Caching through a Content Delivery Network (CDN) is very important; however, securing the caching provider is equally important.

4. Implement authenticated HTTP proxies so that restricted content is not served to the user until valid credentials are provided in the Proxy-Authorization header field.

5. Implementing SIEM tools to analyze alerts helps detect attacks and also prevents further attacks when rules are configured.
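As an added example (not from the original post) for the email-filter item above: an attachment policy that blocks the file types this post’s delivery techniques rely on (.hta, .appref-ms, .application, script hosts, executables), quarantines macro-enabled Office files for analyst review, and looks one level inside zip archives, judging a file by its final extension so that a double extension such as invoice.pdf.exe is still caught. The extension lists and the in-memory sample archive are constructed; adjust them to your mail gateway’s policy.

```python
import io
import zipfile
from typing import Dict, Optional

# Attachment types the delivery techniques above rely on (HTA, ClickOnce, script hosts).
BLOCKED_EXT = {".hta", ".appref-ms", ".application", ".js", ".jse", ".vbs", ".vbe",
               ".wsf", ".wsh", ".jar", ".exe", ".msi", ".scr", ".ps1", ".lnk"}
# Macro-enabled Office formats: hold for analyst review instead of silently dropping.
QUARANTINE_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
ARCHIVE_EXT = {".zip"}


def extension(name: str) -> str:
    """Final extension only, lower-cased, so 'invoice.pdf.exe' is judged as '.exe'."""
    name = name.strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def decide(filename: str, content: Optional[bytes] = None) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment. Archives are opened
    one level deep and judged by their worst member; nested archives are not inspected."""
    ext = extension(filename)
    if ext in BLOCKED_EXT:
        return "block"
    if ext in QUARANTINE_EXT:
        return "quarantine"
    if ext in ARCHIVE_EXT and content is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                verdicts = {decide(member) for member in zf.namelist()}
        except zipfile.BadZipFile:
            return "quarantine"  # mislabeled or corrupt archive: let an analyst look
        if "block" in verdicts:
            return "block"
        if "quarantine" in verdicts:
            return "quarantine"
    return "allow"


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, not real mail.
    print(decide("report.pdf"), decide("invoice.pdf.exe"), decide("setup.appref-ms"))
    print(decide("docs.zip", make_zip({"readme.txt": b"hi", "update.hta": b"<html>"})))
```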

Process Level:

1. Preparation is the key to effective identification & response. Training end users at regular intervals and raising awareness of cyberattacks helps protect the organization against them.

2. Train staff on the latest security threats and security tools.
