Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000 By: @ChrisTruncer and @Evan_Pena2003

Upload: ctruncer

Post on 11-Apr-2017


TRANSCRIPT

  • Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000

    By: @ChrisTruncer and @Evan_Pena2003

  • @ChrisTruncer
    Sys Admin turned Red Teamer
    Open Source Developer
    Trooper
    2

  • @Evan_Pena2003
    Open Source Developer
    Red Team Lead for West Coast
    Former sysadmin
    3

  • What's this talk about?
    Device Guard!
    Code integrity policies
    PowerShell Constrained Language mode
    Introduction of a way to live off the land
    Data encoding
    C2 data storage
    Commands
    4

  • Device Guard
    5

  • Device Guard
    Defensive technology built into Windows 10 and Server 2016
    A change from antivirus technologies, where apps are trusted unless flagged as malicious
    You now explicitly state which applications are trusted
    6

  • Device Guard
    New application whitelisting bypass published? Don't trust that application anymore!
    Matt Graeber is curating a baseline code integrity policy blocking offending applications
    https://github.com/mattifestation/DeviceGuardBypassMitigationRules
    7

  • Code Integrity Policies
    You define trusted applications by creating Code Integrity policies
    Upon creating code integrity policies, they can be deployed via: GPO, SCCM
    8

  • Code Integrity Policies
    Code integrity policies are largely based on digital signatures
    For unsigned applications, you can deploy catalog files which can be tied into code integrity policies
    9

  • Code Integrity Policies
    Catalog files will need to be updated every time an application is updated
    If using digital signatures, this won't be a problem
    Code integrity policies typically are XML files converted into a binary
    10

  • Code Integrity Policies
    Your code integrity policies themselves should also be signed
    This can help prevent modification by users/attackers with administrative rights
    11

  • Creating Code Integrity Policies
    The easiest way to create code integrity policies is through PowerShell
    Carlos Perez and Matt Graeber have created walkthroughs for creating a code integrity policy
    https://gist.github.com/darkoperator/7d5b85354c0343c7554e
    http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html
    12

  • Creating Code Integrity Policies
    Largely, you will use the New-CIPolicy cmdlet and specify the file rule levels for defining trusted applications: File hash, File name, Publisher, FilePublisher
    13

  • 14

  • Creating Code Integrity Policies
    Convert XML code integrity policy to a binary file: ConvertFrom-CIPolicy
    Deploy in audit mode: non-blocking, generates events
    15

  • Creating Code Integrity Policies
    After having deployed in audit mode: review event logs, make any rule modifications as needed, deploy in enforcement mode
    16
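Slides 12 through 16 describe one workflow; here it is end to end as an added PowerShell example (not code from the talk or the WMImplant project). It assumes the ConfigCI module on Windows 10 / Server 2016, an elevated session, and placeholder paths under C:\CI.

```powershell
# Added example of the workflow on the slides, not code from the talk or WMImplant.
# Assumes the ConfigCI module (Windows 10 / Server 2016), an elevated session, and
# placeholder paths under C:\CI.
$PolicyXml  = 'C:\CI\InitialPolicy.xml'
$AuditXml   = 'C:\CI\AuditAdditions.xml'
$MergedXml  = 'C:\CI\MergedPolicy.xml'
$PolicyBin  = 'C:\CI\SIPolicy.p7b'
$DeployPath = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# 1. Scan the system and build the XML policy. -Level Publisher trusts by signing certificate;
#    -Fallback Hash covers unsigned files; -UserPEs includes user-mode binaries, not only drivers.
New-CIPolicy -FilePath $PolicyXml -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs

# 2. The generated policy carries rule option 3, "Enabled:Audit Mode", so violations are only
#    logged. Convert it to the binary form and put it where the kernel reads it (reboot to apply).
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $DeployPath

# 3. Review the audit events: 3076 is "would have been blocked" (audit), 3077 is a real block.
function Get-CIAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076; StartTime = $Since } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message } }
}
Get-CIAuditEvents | Format-Table -AutoSize -Wrap

# 4. Turn the audited binaries into rules (-Audit builds them from that same log) and merge them in.
New-CIPolicy -Audit -FilePath $AuditXml -Level Publisher -Fallback Hash -UserPEs
Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $MergedXml

# 5. Enforce: drop the audit-mode option, convert and deploy again.
Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $DeployPath
```

Slide 11's advice still applies after this: sign the policy before enforcing it so an administrator-level attacker cannot simply swap in a permissive one.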

  • PowerShell Constrained Language Mode
    Device Guard auto-configures PowerShell to run in Constrained Language mode
    Pure PowerShell elements are allowed, but the types are limited
    .Net methods are only allowed on the permitted types
    17

  • 18

  • Attacker's Perspective
    How can we operate on a Device Guard protected system?
    Develop a bypass: this will be effective at first, but could potentially be blocked via CI policy. This takes R&D
    19

  • Attacker's Perspective
    How about living off the land?
    We know the applications most likely to be whitelisted: PowerShell, WMI, etc.
    Can they be chained together to attack systems in a useful manner?
    20

  • WMImplant
    Invoke-WMImplant
    21

  • WMImplant
    Developed in PowerShell
    Designed to exclusively operate with WMI: the mechanism to trigger actions, the C2 channel itself, data storage :)
    Menu and commands are reminiscent of Meterpreter - except all WMI based
    22

  • First, Thanks
    Thanks to the incredibly smart Matt Graeber, Willi Ballenthin, and Claudiu Teodorescu
    Their research is what spurred my interest in WMI
    Without their research, I may have never developed this capability
    https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
    23

  • What's WMI?
    WMI == Windows Management Instrumentation
    Installed and enabled by default in Windows since Windows 2000
    Enables administrators to query local and remote systems for management purposes
    24

  • WMImplant and Device Guard
    WMImplant was developed exclusively against Device Guard protected systems
    Remember Constrained Language Mode? We're great friends with it :)
    25

  • WMImplant and Device Guard
    Data storage and encoding were problems in the initial development stages.
    We want to be able to upload or download files, run commands, etc.
    What if all data that we might need to manipulate isn't just text?
    26

  • WMImplant and Device Guard
    We discovered that encoding and data storage were problems we were going to need to solve to write an effective post-exploitation tool
    27

  • Encoding
    Invoke-WMImplant
    28

  • WMImplant and Encoding
    The first method of encoding data? Base64!
    [Convert]::ToBase64String()
    Only one problem...
    29

  • 30

  • Encoding - Back to the Drawing Board
    Base64 is out
    We haven't seen a pure PowerShell based Base64 encoding/decoding function
    WMImplant can be encoder agnostic; anything that works can be used.
    So let's turn to Daniel Bohannon
    31

  • WMImplant and Encoding - [Int[]][Char[]]
    $encode = [Int[]][char[]]$input -Join ','
    Breaks input into an array of char, then converts each char into an int
    It works with binary and text files - in constrained mode
    $decoded = [char[]][int[]]$encode.Split(',') -Join ''
    32

  • 33

  • WMImplant Encoding and Storage
    Awesome! We can now encode and decode data in a Constrained Language compliant manner.
    Next question: where should it be stored?
    34

  • WMImplant and Data Storage
    The initial version of WMImplant used the system registry to store data
    We can easily create and modify registry values remotely
    This can be done over WMI with the StdRegProv
    35

  • WMImplant and Data Storage
    Registry pro: not limited to a very small size limitation
    Registry con: lots of parsers for analyzing a system's registry
    36

  • WMImplant and Data Storage
    This led to a conversation with Matt Dunwoody discussing APT 29 tactics
    They were creating custom WMI classes, adding properties, and storing data in WMI properties.
    Let's try to recreate this!
    37

  • WMImplant and Data Storage - New WMI Class
    Lucky for us, Matt Graeber already published code that does this!
    https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
    38

  • WMImplant and Data Storage - New WMI Class
    But there's a problem...
    39

  • 40

  • WMImplant and Data Storage - WMI Property Fail
    WMI class creation is allowed within Constrained Language Mode
    WMI property creation is not
    It looks like this idea won't work
    Unless...
    41

  • WMImplant and Data Storage - Existing Classes!
    What if we look at existing WMI classes?
    Are their properties writable?
    Can they accept a string type, of any length?
    Can the property be modified in Constrained Language Mode?
    Won't blue screen the box?
    42

  • WMImplant and Data Storage - Existing Classes!
    Modified an existing script to:
    Enumerate all WMI classes
    Enumerate all properties within each class
    Find properties of type string that are writable
    https://gist.github.com/ChrisTruncer/f3fe3f04b9fdd1310507363f8bdad8be
    43

  • WMImplant and Data Storage - Existing Classes!
    This returned a somewhat limited number of properties
    Some only allowed a fixed (small) length of data
    Others would error when modifying the property value.
    44

  • WMImplant and Data Storage - Then, there was one
    However, this did identify a class that we've not seen before: Win32_OSRecoveryConfiguration
    This class is used to specify the type of information that is collected when the system crashes.
    45

  • 46

  • WMImplant and Data Storage - Then, there was one
    It does have a single property which is writable, and is a string
    DebugFilePath - The location where Windows places a memory dump following an operating system crash.
    47

  • 48

  • WMImplant and Data Storage - DebugFilePath
    It looks as if it should only accept a file path location
    It looks as if it would be limited in the length of data it accepts
    That's what it looks like...
    49

  • 50

  • WMImplant and Data Storage - DebugFilePath
    Awesome!
    Demonstrates we can write arbitrary strings to the DebugFilePath property
    Our encoder can work with this!
    What about length..?
    51

  • 52

  • WMImplant and Data Storage - DebugFilePath
    This gives us everything we need!
    Writeable string property
    Writeable in Constrained Mode
    Not fixed in length (256+ MB)
    Doesn't blue screen the box :)
    53
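The defender's side of slides 32 and 49 through 53, as an added PowerShell example that is not the talk's or WMImplant's code: it reads Win32_OSRecoveryConfiguration.DebugFilePath, flags a value that is not a plausible crash-dump path, and reverses the [int[]][char[]] encoding so an analyst can see what was stored. The function names, the 260-character threshold and the constructed sample values are assumptions.

```powershell
# Added triage example, not code from the talk or WMImplant.
# Format the talk's encoder produces: decimal character codes separated by commas.
$IntCsvPattern = '^\d+(,\d+)*$'
# Normal value on Windows 10 is %SystemRoot%\MEMORY.DMP; accept any drive- or env-var-rooted .dmp path.
$DumpPathPattern = '^(%\w+%|[A-Za-z]:)\\[^,]*\.dmp$'

function ConvertFrom-IntCsv {
    # Reverse of "[int[]][char[]]$data -join ','": each integer becomes one character again.
    # For a stored binary file the characters are 0-255 and map 1:1 to the original bytes.
    param([Parameter(Mandatory)][string]$Encoded)
    -join ([char[]][int[]]$Encoded.Split(','))
}

function Test-DebugFilePathValue {
    # Classifies one DebugFilePath value; pure function so it can run on a constructed sample.
    param([string]$Value, [string]$ComputerName = 'constructed-sample')
    $finding = 'OK: crash-dump path'; $decoded = $null
    if ($Value -match $IntCsvPattern) {
        $finding = 'SUSPICIOUS: comma-separated integer encoding, not a path'
        $decoded = ConvertFrom-IntCsv $Value
    } elseif ($Value -notmatch $DumpPathPattern -or $Value.Length -gt 260) {
        $finding = 'REVIEW: value is not a plausible dump path or is unusually long'
    }
    [pscustomobject]@{ ComputerName = $ComputerName; Length = $Value.Length; Finding = $finding; Decoded = $decoded; Value = $Value }
}

function Test-DebugFilePath {
    # Queries the live property on one or more hosts (local by default) over CIM.
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($computer in $ComputerName) {
        $cfg = Get-CimInstance -ComputerName $computer -ClassName Win32_OSRecoveryConfiguration
        Test-DebugFilePathValue -Value ([string]$cfg.DebugFilePath) -ComputerName $computer
    }
}

# Constructed samples: the default value, and a value the talk's encoder would produce for text output.
$encodedSample = ([int[]][char[]]'Windows IP Configuration') -join ','
Test-DebugFilePathValue -Value '%SystemRoot%\MEMORY.DMP'   # Finding: OK
Test-DebugFilePathValue -Value $encodedSample              # Finding: SUSPICIOUS, Decoded shows the text
```

Because the talk notes the property is reset to its original value after each command, a periodic poll will miss short-lived writes; pairing this check with the WMI activity monitoring described later in the deck covers that gap.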

  • WMImplant and Data Storage - C2 Comms
    1. Query the remote machine's DebugFilePath property to receive its original value
    2. Use WMI to execute a command (ipconfig) on the targeted machine
    3. Encode the results of the command and store it in the DebugFilePath property
    54

  • WMImplant and Data Storage - C2 Comms
    4. Query the remote system (from attacking machine) to receive DebugFilePath value
    5. Decode the value and display the results
    6. Set the DebugFilePath property back to its original value.
    55

  • WMImplant - C2 Comms
    Most of WMImplant's commands will not require data storage
    In this case, results are retrieved with likely a single WMI query
    If storage is required, the previous C2 communications methodology is followed
    56

  • WMImplant Commands
    Invoke-WMImplant
    57

  • WMImplant - Commands
    Broken up by what they do: Meta Functions, File Operations, Lateral Movement, Process Manipulation, System Manipulation, Log Analysis
    58

  • WMImplant - Meta Functions
    help
    exit
    change_user - change current user context for all commands
    gen_cli - generate command line command to run non-interactively
    59

  • gen_cli
    change_user
    60

  • WMImplant - File Operations
    cat - read file contents
    download - downloads file from target
    ls - directory and file listing
    ninjacopy - copy any file
    search - search for file or extension
    upload - upload file to target
    61

  • cat
    62

  • search
    63

  • WMImplant - Uploads and Downloads
    These are the only commands that still use the registry for data storage
    This is due to not knowing the size of potential uploads or downloads
    Also due to unknown size limits of the WMI property (tested up to 256 MB)
    64

  • WMImplant - Uploads
    1. Read and encode file that will be uploaded
    2. Store in remote system's registry
    3. Start PowerShell on remote system via WMI
    4. Read and decode registry value
    5. Write decoded results to user-specified file location
    65

  • WMImplant - Lateral Movement Facilitation
    command_exec - Run command and receive output
    enable_wdigest - Set UseLogonPassword key
    enable_winrm - enables WinRM
    remote_posh - Runs PowerShell script on target and receives output
    66

  • remote_posh
    67

  • 68

  • Detecting Malicious WMI
    WMI vs. WMI
    69

  • Actively Monitor WMI
    1. Use WMI Query Language (WQL) to identify: recently created __EventConsumer events (persistence); WMI-based process executions
    2. Create an Event Filter (condition) to perform an action if any of the above WQL conditions are true
    70

  • Actively Monitor WMI
    3. Create an Event Consumer (action) to log details of the newly created __EventConsumer or executed process
    a. Set it to log all data to the event log with specific event ID and event name
    b. Very high fidelity!
    c. Feed these logs to a SIEM - SNARE or universal forwarder. Then ALERT!
    71

  • Automating the Process - WMIMonitor
    Mandiant WMIMonitor PowerShell Script found here: https://github.com/realparisi/WMI_Monitor
    Detailed blog post here: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
    72

  • The Result (Persistence)
    73

  • The Result (Command Execution)
    74

  • Scale Detection with More Signatures
    UpRoot IDS
    https://github.com/Invoke-IR/Uproot
    Includes ~14 signatures instead of 2
    Centralized logging, so if you have a smaller budget... 1 agent instead of 1000+ agents.
    75

  • WMImplant - Future Work
    Implement whitelisting bypasses
    Examine the changing defensive landscape and identify means to repurpose existing tools
    76

  • WMImplant - Where to get it
    WMImplant - https://github.com/ChrisTruncer/WMImplant
    Questions?
    @ChrisTruncer @Evan_Pena2003
    77