Run the payload commands

Mohan reddy
Redteam & Blueteam Series
May 3, 2020 · 5 min read

An attacker can craft a malicious payload by whatever means, but when it comes to execution the approach changes, since it depends on various factors. In this blog we'll look at how the payload can be executed, and how that execution can be detected and prevented by incident handlers.

Red Team: Attack vectors and Techniques

Once the payload is delivered, how it is executed depends on the attacker's perspective and on the crafted payload. In most cases the payload then waits for instructions from the C2, either to dump credentials or to perform internal reconnaissance.

Noisy execution can get the malicious payload or malware caught, so it is highly important to execute the payload without leaving traces. Below are the different ways in which execution happens.

1) Using built-in OS utilities like PowerShell, cmd, wmi, winrm, rundll32, net, regsvr32, ftp, curl, msbuild, mshta, certutil, wscript and so on. In many cases we have seen that some of these utilities are not allowed in organizations, either by configuring AppLocker or by using A.V tools, but there are still ways to bypass those restrictions for payload execution. Check LOLBins for more info.

rundll32.exe advpack.dll,LaunchINFSectionEx myinf.inf,,c:\temp\os.cab — This launches the payload in memory. The command is the same in both legitimate and non-legitimate cases, and telling them apart creates chaos.

wmic process call create cmd

WMI is used for internal reconnaissance, PrivEsc, lateral movement, persistence and C&C.

In some cases PowerShell remoting invokes WMIPRVSE.EXE, which generates the same alert whether it is triggered for a legitimate or a non-legitimate reason, and this obscures the detection patterns.

2) Binaries: Anything that is said to be free is not free; you are the product for those free services. This was the first keynote we were taught during CEH classes. Many free products bundle other software (exe/dll/msi) or additional software components into their installation packages, and the user installs them without noticing. Here comes the real challenge for blue teamers, because any part of that code (dll/exe/msi) could be vulnerable, and that lets red teamers escalate privileges.

PowerShdll.dll — the red teamer's almighty :-) gives us PowerShell even when it is blocked. During my assessment Windows Defender quarantined it the moment it landed on the machine, so instead I used base64 & certutil to bypass the detection.

base64 Powershdll.dll > b64Powershdl.txt

certutil -decode b64Powershdl.txt output.dll (later execute it using the Windows utilities mentioned above)

NOTE: Add some random bytes to the DLL to circumvent detection (they will be added into the .bss section).

3) Using scripts: We have seen how effective VBScript is in the earlier blog, so scripting technologies like PS, JS, Bat and .NET provide greater functionality in executing payloads. Interacting with .NET from PS gives more functionality & leaves fewer traces of red teaming activity. PowerSploit offers a variety of payloads that we can inject directly into processes.

The Add-Type cmdlet is used to extend PS functionality with the help of .NET.

E.g. we can add WinSCP functionality to PS.

4) Assembly code: Faster in execution & allows complex jobs to run in a simpler way. How do attackers create exploits? They reverse engineer a program & perform experiments by fuzzing to identify ways to misuse the program's execution flow. We can write shellcode in a high-level language, but it might not work in some cases, so assembly language is preferred for this.

Vivek — Pentester Academy has a course on this where he explains it in a detailed way.

Shellcode varies from OS to OS. For example, Linux provides a direct way to interface with the kernel through int 0x80, but Windows doesn't.

Shell-Storm — A repository for various shellcode payloads.

Hello program in Shellcode

5) Other standard languages like C, C++ and C# have been used in attack scenarios because C and C++ allow direct access to low-level resources. I have heard that bytecode was also used in some stages of attacks, though I am not clear on that; but keep in mind that using (Java) bytecode we can compromise the machine.

During my internship I saw cases where source code was dropped onto the machine and the Windows utilities csc.exe & cvtres.exe (which allow compiling a payload) were used to create a malicious DLL, which was later executed using rundll32.exe.

6) Sysinternals Tools:

Sysinternals tools, which are Microsoft-signed binaries, are helpful for both red and blue teamers, but some of them are in the red teamer's arsenal.

a) PsExec — Executes commands on remote systems; mostly used in post-exploitation.

b) ProcDump — Dumps process memory; can be ported to PowerShell scripts.

c) PsLoggedOn — Remotely determines who is logged on.

Finding the logged-in user on a remote machine using PsLoggedOn

d) ADExplorer — Navigates the A.D database.

e) AccessEnum — Enumerates NTFS permissions; an excellent tool for identifying writable share locations.

f) AccessChk — Evaluates a host for privilege escalation; discovers Windows service permissions.

Check if any antivirus is running:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more

Out of all these techniques, my favorites are anything that makes use of native APIs, COM & DCOM objects and MOF files.

BLUE TEAM: Detective and Preventive Controls

Some of the detective and preventive controls for this blog are the same as in the earlier blog.

Endpoint level:

1. Purchase threat detection & prevention tools — Installing A.V tools reduces the chance of a machine getting compromised, and if it unfortunately happens, at least it will be detected so that we can take the necessary actions to remediate.

2. Implementing secure group policies, such as: a) Disallow removable media, b) Restrict software installations, c) Follow the principle of least privilege, d) Control access to CMD, e) Disable the Guest account, f) Password length, g) Password age limit, h) Disable anonymous SID enumeration in A.D, i) Moderate access to Control Panel. I have only mentioned a few, but there are many policies an organization can implement.

3. Installing security patches (Microsoft releases security patches once every month, and core security patches for any 0-day exploits ASAP).

4. Configuring AppLocker and whitelisting or blacklisting applications based on the organization's dependencies.

5. Implementing a SIEM in the organization, integrating it with other threat detection sources and monitoring those alerts (if possible, forward Sysmon logs to the SIEM).
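To make the Sysmon-to-SIEM point concrete, the following Python script is an added example (it is not from the original post) that turns the execution techniques from the red team section into detection rules and runs them over a handful of constructed Sysmon Event ID 1 (process creation) records. The field names (UtcTime, Image, CommandLine, ParentImage) follow Sysmon's EventData names, but the records themselves, the file paths in them, and the rule names are made up here for illustration. It covers the single-event patterns from the post (certutil -decode, rundll32 with advpack.dll LaunchINFSection, wmic process call create, WmiPrvSE spawning a shell) and one correlation the post describes in prose: csc.exe producing a DLL that rundll32.exe then loads shortly afterwards.

```python
"""Sysmon-style process creation records checked against rules for the
execution techniques discussed in the post. Added example, not the post's
own tooling; all records below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

# Constructed sample events (illustrative paths and times, not captured data).
SAMPLE_EVENTS = [
    {"UtcTime": "2020-05-03 10:00:01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -decode b64Powershdl.txt output.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2020-05-03 10:00:05", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe advpack.dll,LaunchINFSectionEx myinf.inf,,c:\temp\os.cab",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2020-05-03 10:01:00", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process call create cmd",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2020-05-03 10:01:02", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"UtcTime": "2020-05-03 10:05:00",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /target:library /out:C:\Users\Public\loader.dll C:\Users\Public\src.cs",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2020-05-03 10:06:30", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\loader.dll,Start",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign control: an ordinary rundll32 use that must not raise an alert.
    {"UtcTime": "2020-05-03 10:07:00", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _exe(path):
    """Lower-cased file name of an Image/ParentImage path."""
    return path.rsplit("\\", 1)[-1].lower()


# Single-event rules: (rule name, predicate over one record).
SINGLE_EVENT_RULES = [
    # certutil used as a decoder/downloader rather than for certificates.
    ("certutil_decode_or_download", lambda e: _exe(e["Image"]) == "certutil.exe"
        and re.search(r"-(decode|urlcache)\b", e["CommandLine"], re.I)),
    # rundll32 + advpack.dll INF launch; identical for legit and malicious use,
    # so the INF path and parent process must be triaged, not auto-blocked.
    ("rundll32_advpack_inf", lambda e: _exe(e["Image"]) == "rundll32.exe"
        and re.search(r"advpack\.dll,\s*LaunchINFSection", e["CommandLine"], re.I)),
    # wmic spawning processes (used for local and remote execution).
    ("wmic_process_create", lambda e: _exe(e["Image"]) == "wmic.exe"
        and re.search(r"process\s+call\s+create", e["CommandLine"], re.I)),
    # WmiPrvSE as the parent of a shell: also fires for legitimate remoting,
    # so baseline which accounts and hosts normally produce it.
    ("wmiprvse_spawns_shell", lambda e: _exe(e["ParentImage"]) == "wmiprvse.exe"
        and _exe(e["Image"]) in {"cmd.exe", "powershell.exe", "pwsh.exe"}),
]

CSC_OUT = re.compile(r"/out:(\S+\.dll)", re.I)


def detect(events, window=timedelta(minutes=10)):
    """Return (rule, UtcTime, CommandLine) tuples for every rule hit.

    Events are expected in chronological order. Besides the single-event
    rules, a csc.exe run that writes a DLL is remembered, and a later
    rundll32.exe referencing that DLL within `window` is correlated."""
    alerts = []
    compiled = {}  # lower-cased DLL path -> time csc.exe produced it
    for e in events:
        t = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        for name, pred in SINGLE_EVENT_RULES:
            if pred(e):
                alerts.append((name, e["UtcTime"], e["CommandLine"]))
        if _exe(e["Image"]) == "csc.exe":
            m = CSC_OUT.search(e["CommandLine"])
            if m:
                compiled[m.group(1).lower()] = t
        elif _exe(e["Image"]) == "rundll32.exe":
            cmd = e["CommandLine"].lower()
            for dll, t_csc in compiled.items():
                if dll in cmd and timedelta(0) <= t - t_csc <= window:
                    alerts.append(("csc_compiled_dll_run_by_rundll32",
                                   e["UtcTime"], e["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for rule, when, cmd in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule:34}  {cmd}")
```

The two rules the post singles out as ambiguous (advpack.dll and WmiPrvSE) are deliberately kept as signals for triage rather than blocks: what separates the cases is context the process record carries (parent image, the INF path, the user), not the command line itself, which is why forwarding full Sysmon records rather than just alerts to the SIEM matters.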

Process level:

1. Preparation is the key to effective identification & response. Training end users at regular intervals and providing awareness of cyberattacks can help protect the organization against them.

2. Train staff on the latest security threats and security tools.
