Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
1 like193 views
The document discusses various techniques used in cyber attacks, including data exfiltration, privilege escalation, and strategies to evade detection via security descriptors and PowerShell logging. It highlights the importance of understanding Active Directory vulnerabilities and methods to remove traces of intrusions. The author also shares references and resources for further reading on the topic.
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
- 1. Try {stuff} Catch {hopefully not} Evading Detection & Covering Tracks Security Weekly, Oct 25th 2018 Yossi Sassi CyberArt CyberArtSecurity.com WindowsSecurity.biz
- 2. Whoami Y1nTh35h3ll • ADProtector // Oriental Rock Bouzoukitarist • Co-Founder @ CyberArt, Advisory Board @ Javelin Networks • Security researcher, White hat hacker (Banks, Military), Musician • ~30 years experience – Networking, IT, Programming • Ex-Technology Group Manager @ Microsoft (~8 years), coded Windows Server Support Tools; Ex-CTO @ public companies
- 3. Stealth reconnaissance Data exfiltration Cleanup 81 2 3 4 5 6 7 9 Privilege escalationInitial exploitation Intelligence gathering Establish foothold Initial attack Enable persistence Enterprise recon Lateral Movement Escalate privileges Gather and encrypt data Extract data Phishing emails are sent to the group Red team searches for focused attack targets Red team gets access into the organization Local privileged access is obtained Internal network hunt after domain-level elevated privileges Attain access to domain-level elevated privileges account Obtain access to all domain-level accounts Identify trophy data Data exfiltration of trophies onto a secured location Removal of attack evidence from all systems Recon Red team accesses physical environment 10 Remove evidence
- 4. To Admin or Not to Admin? • Security descriptors may matter more than group memberships * • Not convinced? • Check out harmj0y’s “Unintended risks of trusting AD” https://www.slideshare.net/harmj0y/the-unintended- risks-of-trusting-active-directory
- 5. GetChangesAll right aka DCSync • Request a DC to replicate AD objects, including user credentials, through GetNCChanges RPC • Look for DCSync right (DS-Replication-Get-Changes etc) on a domain user(s): • Typically used with Sync connectors (Azure, SharePoint) • Can also add this right to a regular user • Requires domain (or Enterprise) Admin • Limitations: Read only. No ability to inject data/modify without high chances of detection (PTH etc) *
- 6. DC Shadow • Feature in mimikatz located in the lsadump module • Simulates behavior of a DC via RPC to inject your data • Requires Domain (or enterprise) Admin • Online AD DB modify w/Bypass monitoring (SIEM/Evt Logs) • Can push AD changes/create backdoor without any logging: • SIDHistory (Add Enterprise Admins group SID), ntpwdHistory, WhenChanged, primaryGroup=519 ... • Erase traces (replication metadata, schemasignatureinfo...) • Turn off enhanced auditing by set ACL of AdminSDHolder
- 7. Event Logs • Clearing logs obviously not a practical move... • Stopping the event log service – also not cool • Not allowed on PTs, and easily detected • How about Terminating Event Log thread(s)? • Local admin required • Restart service will renew logging • Cons: Blue team can lookout for anomalies in number of event received over a period of time *
- 8. Protected Event Logging • Part of “PS <3 The Blue Team” document for PowerShell • Issue: logged content may contain sensitive data, e.g. a script may contain credentials, connection strings etc. • If an attacker later compromises a machine that has logged this data, he can use it for Recon etc. • Solution: Encrypt data that PowerShell writes to the event log using CMS*. • Later you can decrypt and analyze logs once moved to a more secure and centralized location
- 10. Protected Event Logging • Using defense for Offense – think Ransomware for Event Logs • Requires local admin *
- 11. PowerShell Auditing & Logging • MS did some great stuff – Script Block Logging, Module Logging, Constrained Language, Transcriptions.. and more • Downgrade to v2.0 when possible, or move to .NET/other • Invisi-Shell, our (Javelin’s) latest research bypass it ALL, including AMSI • Check out Omer Yair’s github, DerbyCon talk, or here at Security Weekly • https://securityweekly.com/2018/10/13/omer-yair- javelin-pauls-security-weekly-578/
- 12. • Registry, Prefetch … • … and a bunch of other places
- 13. Some thoughts about persistence • Anything that can be related to process/service/wmi event/regkey etc – can be detected (or terminated) • Javelin’s approach (ADProtect) • In-memory “dissolvable agent” • Note: ADProtect also detects current DCSync users AND when new ones added, among other AD vulnerabilities, misconfigurations & excessive permissions
- 14. Finally {} • Security descriptors may go further than memberships • Defending as an attacker, attacking as a defender • It’s all about the Yin Yang, folks
- 15. References & Resources (1/2) • Y1nTh35h3ll Github – Code from this session, and some more – https://github.com/YossiSassi • More on DC Sync – https://adsecurity.org/?p=1729 • DC Shadow explanation – https://blog.alsid.eu/dcshadow-explained-4510f52fc19d • https://www.dcshadow.com/ • Invoke-Phant0m (Event log thread termination) – https://github.com/hlldz/Invoke-Phant0m
- 16. • Powershell <3 the Blue Team – best practices for auditing & logging – https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue- team/ • Invisi-Shell – Bypass all Powershell security features – https://github.com/OmerYa/Invisi-Shell, or twitter: https://twitter.com/Yair_Omer • Javelin Networks - ADProtect – www.Javelin-networks.com References & Resources (2/2)