[Slide 1]
TIRED OF PLAYING EXPLOIT KIT WHACK-A-MOLE? LET’S AUTOMATE
[Slide 2]
BSidesSF 2017
SYN
Anjum Ahuja (@jack8daniels2)
Threat Researcher at Endgame
Background in network security and large-scale data analysis
[Slide 3]
ACK
Joe Desimone (https://github.com/endgameinc/Maxwell)
Chris Donaher & Chan Kim
Brad (@malware_traffic)
Kafeine (@kafeine)
[Slide 4]
ATTACK STAGES
REDIRECT: malvertising, compromised site
EXPLOIT: discover & exploit vulnerabilities
INFECT: drop payload
[Slide 5]
ATTACK CHAIN
Malvertising / Compromised site -> One or more Gates -> EK landing page
[Slide 6]
EXISTING APPROACHES
• Sandbox based solution: cost of VM management
• JavaScript debugging & DOM inspection: manual
Can we do better?
[Slide 7]
AUTOMATE THE BREAKPOINTS(?)
Headless browsers
• PhantomJS (WebKit, Qt 5.5)
• SlimerJS (Firefox 50)
page.injectJs(filename)
page.onResourceRequested(requestData, networkRequest)
page.onResourceReceived(response)
page.settings.userAgent = "whatever"
[Slide 8]
JS FUNCTION HOOKING
[Slide 9]
REDIRECT
• Injected iframe
• 302 redirect
• window.location redirect
Malicious Ad / Compromised site
[Slide 10]
GATE
Filter out unwanted traffic
• Hosted at throw-away domains: link shortener, dynamic DNS
• Client side checks: browser/OS fingerprint, detect AV, sandbox, headless browsers(!)
• Server side checks: geo, IP, cookies
• Obfuscated and/or encrypted code
One or more Gates
[Slide 11]
GATE
[Slide 12]
BROWSER FINGERPRINTING
[Slide 13]
DECRYPTION
[Slide 14]
BROWSER FINGERPRINTING (RIG-V)
[Slide 15]
DON’T PANIC
Replicate IE's window object
• Expand function hooking to the Function prototype, DOM manipulation, String manipulation and event handlers
• Override the navigator, navigator.plugins & navigator.mimeTypes
[Slide 16]
ATTRIBUTE ACCESS HOOKS
[Slide 17]
CALLSTACK
[Slide 18]
PLUGINS
CVE-2013-7331: The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes.
[Slide 19]
PROXY OBJECTS
The Proxy object is used to define custom behavior for fundamental operations (e.g. property lookup, assignment, enumeration, function invocation, etc.).
target = new Proxy(target, handler);
[Slide 20]
ACTIVEX USING PROXY OBJECTS
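Added example (not the talk's code and not from the Maxwell project): a Proxy-based attribute-access hook of the kind the DON'T PANIC, ATTRIBUTE ACCESS HOOKS and PROXY OBJECTS slides describe, applied to a spoofed navigator and to ActiveX instantiation. The `FakeActiveXObject` constructor, the navigator values and the gate snippet it runs are constructed assumptions, and it runs in plain Node rather than inside PhantomJS.

```javascript
// Added example (not the talk's code): a Proxy-based attribute-access hook for
// a low-interaction EK honeypot. Every property read, method call and ActiveX
// instantiation on the spoofed objects is appended to a trace for the analyst.
const trace = [];

function hook(name, target) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      trace.push({ obj: name, op: 'get', prop: String(prop) });
      const value = Reflect.get(obj, prop, receiver);
      if (typeof value === 'function') {
        // Wrap methods so the call, its arguments and its return value are logged.
        return new Proxy(value, {
          apply(fn, thisArg, args) {
            const result = Reflect.apply(fn, obj, args);
            trace.push({ obj: name, op: 'call', prop: String(prop), args, result });
            return result;
          },
        });
      }
      // Nested objects (plugins, mimeTypes) are hooked recursively.
      return value !== null && typeof value === 'object' ? hook(name + '.' + String(prop), value) : value;
    },
  });
}

// Constructed IE11-on-Windows-7 lookalike; values are illustrative, not measured.
const fakeNavigator = hook('navigator', {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
  appName: 'Netscape',
  plugins: { length: 0 },
  mimeTypes: { length: 0 },
  javaEnabled() { return false; },
});

// Hypothetical ActiveXObject stand-in: every ProgID "succeeds" and yields a
// hooked empty object, so AV/XMLDOM probes are recorded instead of throwing.
function FakeActiveXObject(progId) {
  trace.push({ obj: 'ActiveXObject', op: 'new', prop: progId });
  return hook('ActiveX:' + progId, {});
}

// Evaluate a captured gate snippet with the spoofed globals shadowing the real
// ones (inside a headless browser this would go through page.injectJs instead).
function runWithHooks(code) {
  trace.length = 0;
  const fn = new Function('navigator', 'ActiveXObject', code);
  return { result: fn(fakeNavigator, FakeActiveXObject), trace: trace.slice() };
}
```

The trace is what the FINAL OUTPUT slide calls "attribute access" and "plugins and ActiveX interaction": the gate's checks become visible without stepping through them in a debugger.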
[Slide 21]
FOR GOOD MEASURE
Inject mouse events: page.sendEvent(mouseEventType[, mouseX, mouseY, button='left'])
Inject keyboard events: page.sendEvent(keyboardEventType, keyOrKeys, [null, null, modifier])
[Slide 22]
FINAL OUTPUT
• Call stack with function calls, arguments and responses
• Attribute access
• Plugins and ActiveX interaction
• Cookies
• Contents of DOM (iframes, objects)
• Navigation requests
[Slide 23]
POST PROCESSING: Signatures
• Navigation requests
• DOM objects
• Arguments to document.write and function prototypes
• Decryption keys (?)
But we can do better
[Slide 24]
POST PROCESSING
• Invisible/off-screen text blocks with weird entropy data
• Alternating calls to string.charCodeAt() and String.fromCharCode()
• Function constructors!
• ActiveX objects looking for AVs
• XMLDOM ActiveX objects looking for file paths
• Bigram analysis on JS code to detect obfuscation
• Convolutional neural nets should work even better
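Added example (not from the talk): the post-processing heuristics above as feature extraction over a captured script. The benign bigram reference, both samples, the `obfuscationScore` function and its weights are constructed assumptions standing in for a profile and model trained on real captures.

```javascript
// Added example (not the talk's code): post-processing heuristics over a
// captured script, one feature per indicator on the slide. The bigram reference
// is a constructed stand-in for a profile learned from a corpus of benign JS.
const BENIGN_REF = 'function setup() { var el = document.getElementById("main"); ' +
  'el.addEventListener("click", function (e) { console.log(e.target); }); } setup();';
const benignBigrams = new Set();
for (let i = 0; i + 1 < BENIGN_REF.length; i++) benignBigrams.add(BENIGN_REF.slice(i, i + 2));

// Shannon entropy in bits per character; hex blobs approach 4, base64 approaches 6.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) h -= (c / s.length) * Math.log2(c / s.length);
  return h;
}

// Fraction of character bigrams never seen in the benign reference.
function unseenBigramRatio(code) {
  let unseen = 0;
  for (let i = 0; i + 1 < code.length; i++) if (!benignBigrams.has(code.slice(i, i + 2))) unseen++;
  return code.length > 1 ? unseen / (code.length - 1) : 0;
}

function extractFeatures(code) {
  const literals = code.match(/(["'])(?:\\.|(?!\1)[^\\\n])*\1/g) || [];
  const longest = literals.reduce((a, s) => (s.length > a.length ? s : a), '');
  return {
    charCodeAtCalls: (code.match(/\.charCodeAt\s*\(/g) || []).length,
    fromCharCodeCalls: (code.match(/String\.fromCharCode\s*\(/g) || []).length,
    functionConstructor: /\bFunction\s*\(/.test(code),
    // XMLDOM ActiveX together with a Windows drive-path literal (CVE-2013-7331 style probe).
    xmldomPathProbe: /ActiveXObject\s*\(\s*["']Microsoft\.XMLDOM["']/.test(code) && /[A-Za-z]:\\\\/.test(code),
    longestLiteralEntropy: shannonEntropy(longest.slice(1, -1)),
    unseenBigramRatio: unseenBigramRatio(code),
  };
}

// Crude additive score; the weights are illustrative, not tuned on real data.
function obfuscationScore(code) {
  const f = extractFeatures(code);
  return (f.charCodeAtCalls > 0 && f.fromCharCodeCalls > 0 ? 2 : 0) +
    (f.functionConstructor ? 2 : 0) + (f.xmldomPathProbe ? 2 : 0) +
    (f.longestLiteralEntropy > 3.5 ? 1 : 0) + f.unseenBigramRatio;
}

// Constructed samples: a decode-and-eval stub with an XMLDOM path probe, and plain page code.
const SAMPLE_OBF = 'var d="5a4f3c2e1d9b8a7c0e1f2a3b4c5d6e7f";var s="";for(var i=0;i<d.length;i++)' +
  '{s+=String.fromCharCode(d.charCodeAt(i)^0x2f);}new Function(s)();' +
  'var x=new ActiveXObject("Microsoft.XMLDOM");x.loadXML("C:\\\\Windows\\\\calc.exe");';
const SAMPLE_BENIGN = 'var total = 0; for (var i = 0; i < items.length; i++) { total += items[i].price; } ' +
  'document.getElementById("sum").textContent = total;';
```

Run the features over every script body the honeypot captured (document.write arguments included), and triage by score rather than by hand.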
[Slide 25]
SUMMARY
• Fast, low interaction honeypot
• Ability to spoof its way through gates
• Understand exploit kit TTPs
• Gather exploit artifacts
• Match signatures for known EKs
[Slide 26]
FIN/RST
Questions?