Empire Your best Friend to Secure

Transcription

1 Empire Your best Friend to Secure

2 Hello! I Offensive Engineer and Red Teamer Developer: Veil-Framework, PowerView, PowerUp, Empire/Empyre, BloodHound Speaker: DEF CON, BlueHat IL, DerbyCon, et al. Other: Microsoft PowerShell/CDM MVP, BlackHat Trainer

3 Hello! I Forensicator, Incident Responder, and Hunter Developer: PowerForensics, Uproot IDS Speaker: 44CON, BSides DC, PowerShell Summit, PS Conference EU Other: U.S. Air Force Hunt Team, Microsoft PowerShell/CDM MVP, BlackHat Trainer

4 tl;dr Offensive and Defensive Philosophy Building an Empire Uprooting the Adversary PowerForensics Demos!

5 1 Offensive and Defensive Philosophy

6 Fundamentally, if someone wants to get in, they re getting in accept that. What we tell clients is: Number one, you re in fight, whether you thought you were or not. Number two, you almost certainly are penetrated. Michael Hayden Former Director of NSA & CIA Microsoft Enterprise Cloud Red Teaming Whitepaper

7 Assume Breach For offense: Focus on post-exploitation Blend with the noise to slip under the blue team s detections For defense: Proactively hunt for malicious actors Blend with the noise to slip under the actor s detections

8 Living Off the Land Focus on blending in with normal host and network actions For offense: Utilize built in capabilities Powershell.exe, WMI, msbuild, netsh, etc. For defense: WMI, ETW Raw disk handles to minimize the trust required for other build in actions that may tip your hand

9 Why PowerShell? Microsoft s post-exploitation language -@obscuresec PowerShell provides, out of the box: Full.NET access Direct access to the Win32 API Ability to assemble malicious (or defensive) binaries and capabilities in memory Default installation on Windows 7+!

10 Our Goal We want to show how to how PowerShell can be used to both break and secure your enterprise systems We will walk through some of PowerShell Empire s offensive capabilities, Uproot s intrusion detections, and using PowerForensics post-analysis abilities

11 2 Building An Empire With PowerShell

12 First Things First Empire would not be possible without the help and phenomenal work from: Posh-SecMod UnmanagedPowerShell Mimikatz and Vincent LE TOUX Everyone who contributed modules, bugs, fixes, and time! You all rock!

13 What Is Empire? Empire is a fully-featured PowerShell (and Python!) based remote access trojan (RAT) released at BSides LV 2015 Provides a rich set of post-exploitation actions in line with the assume breach philosophy

14 Why Build This? Started as a thought exercise! We wanted to: Provide a rapidly extensible platform to integrate offensive/defensive PowerShell work Build a platform that s easily customizable Train defenders on the capabilities of offensive PowerShell!

15

16

17 ^ the guy who invented PowerShell

18 Empire Design Decisions Asynchronous communications GET/POST tasking structure We care about crypto! Perfect forward secrecy w/ encrypted key exchange Modularity Common module format w/ a variety of options Post-exploitation modules can be loaded and removed live

19 Empire Capabilities code_execution - ways to run more code collection - post exploitation data collection credentials - collect and use creds lateral_movement - move around the network management - host management and auxiliary persistence - survive the reboot privesc - escalation capabilities situational_awareness - network awareness trollsploit - have fun with defenders :)

20

21

22 Empire 2.0 Empire/EmPyre Wanted one single controller for our Python Linux/OS X agents and PowerShell agents. Modularize C2 Expandable listeners that you can drag/drop into the framework for additional transports. Code Rot Fix our past mistakes and build a foundation for the future viability of the project.

23

24 Modular C2 Previously, listeners were hard integrated into the code base, adding transports was extremely difficult Now listeners are encapsulated in self-contained modules Allows you to drag/drop modules into the framework just like post-exploitation modules Can even use third-party sites like...

25

26 3 Uproot IDS

27 WMI Introduction Windows Management Instrumentation Microsoft s Implementation of Common Information Model Standard Allows administrators to query system information: System Applications Hardware Networks PowerShell allows simple interface Get-WmiObject Get-CimInstance

28 WMI Event Subscriptions WMI interface for monitoring changes to the model Classes built specifically for event monitoring Subscriptions are persistent Maintained in the WMI Repository Built with troubleshooting in mind, but: Attackers leverage for persistence Defenders leverage for Intrusion Detection Three parts to a subscription: Filter Consumer Binding

29 Uproot Introduction Intrusion Detection System Leverages WMI Permanent Event Subscriptions to detect: General System Information Introduction of Persistence Lateral Movement Abstracts complexity of permanent WMI Event Subscriptions Register-PermanentWmiEvent Reports Events via: Windows Event Log (Ideal) HTTP POST (Splunk or ELK) Flat Log File

30 Intrusion Detection Real time monitoring (Push vs. Pull) Pull - Query data from a centralized point Push - Endpoint agent sends data to centralized location Removes blind spots between pulls Monitoring is distributed to endpoints instead of server Requires some sort of presence (agent) on the endpoint Built in monitoring capabilities WMI Event Subscriptions Event Tracing for Windows (ETW)

31 Basics - Filter EventFilter defines the event to detect using WMI Query Language (WQL) Event filter example: SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName LIKE '%chrome%' SELECT * FROM InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Service' and TargetInstance.State = 'Running SELECT * FROM InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_StartupCommand'

32 Basics - Consumer EventConsumer ActiveScriptEventConsumer runs a predefined script in an arbitrary scripting language CommandLineEventConsumer starts an arbitrary process in the local system LogFileEventConsumer writes customized strings to a text log file NTEventLogEventConsumer logs a specific message to the operating system event log SMTPEventConsumer sends an message by using Simple Mail Transfer Protocol (SMTP)

33 Basics - Binding FilterToConsumerBinding Registration of permanent event consumers to relate an instance of the EventConsumer to an instance of EventFilter Filter Consumer Binding

34 4 Forensicating with PowerShell

35 PowerForensics Introduction PowerShell Module for Live Forensic Investigation Binary Module (Compiled C# DLL) Minimizes Use of Operating System APIs.NET Core Compatible (Windows, MacOS, *nix) Currently Parses: NTFS and FAT Data Structures Windows Specific Data Structures Windows Registry Windows Event Log Scheduled Jobs Prefetch Files

36 Design Decisions Forensically sound Parse raw disk structures Don t alter NTFS timestamps Can execute on a live (running) host Operationally fast Collect forensic data in seconds or minutes Modular capabilities Cmdlets perform discrete tasks and can be tied together for more complicated tasks Capable of working remotely

37 Getting the Data Create read handle to Physical Disk/Logical Volume CreateFile API (Windows) Open API (Mac/*nix) Read from the Handle FileStream Read Method

38 Forensic Timelining Investigate file system activity temporally Aggregate artifacts from different sources: Master File Table UsnJrnl Registry Prefetch Event Logs

39 PowerForensics Portable Allows PowerForensics to be run on remote system Loads the PowerForensics Assembly in Memory Assembly exposes public API to query data

40 5 Attacking and Defending with PowerShell

41

42 Other Detections

43 Previous Talks

44 Thanks! Any questions? You can find us (will [at] (jared [at] invoke-ir.com)