DUALITY – Advanced Red Team Persistence through Self-Reinfecting DLL Backdoors... - Faisal Tameesh

hey folks thank you so much that was an awesome intro I love your style dude all right so so yeah this title is titled uh or this talk is titled Duality Advanced R team persistence through self- reinfecting dll back doors for un yielding control there's a lot of words there I know uh and I hope they all Mak sense in the end because I still don't know what they mean uh but maybe we'll both figure it out here in a bit so uh a little bit about me and my name is fasel tamish technical director I uh spent half my time doing uh security research to support our red team Ops uh at Aon and basically it's kind of like a

consultancy within Aon that does you know pent testing and red teaming and I do the research to kind of make our red team shine a little more and be have a higher chance of being successful I have a couple of Cs and in my spare time I love training Jiu-Jitsu and mu Tai does anybody here do Jiu-Jitsu all right just infos has some folks you know so I got to ask I also love to hunt and I love playing guitar and producing music uh you can actually find some of my music on Spotify under Primal cerebral so there's my uh little music thing anyway let's start out with a little war story I want you guys to

imagine with me that you are on a red team and uh you've obtained a foothold through a physical vector and that is one of your very talented colleagues she is absolutely amazing at obtaining access to wherever she wants really uh she can talk herself into anywhere and uh to do that we've targeted an office building kind of like in a downtown area we're going to uh try to you know the way those buildings work is the first floor FL has a turn Styles where you would use something like a badge you'd get through the turn Styles and then you uh get into the elevator and then maybe you'd have to use your badge there and eventually

get to the floor and sometimes you have to badge into different places depending on their security Now if you guys heard me say the word badge multiple times that was very intentional so we really need to use a badge cloner and that's something that we use heavily during these types of engagements uh in order to get somewhere so uh she's able to clone somebody bad just by talking to them and having her tote back you know within one or two feet of that person usually those folks have their badges you know on their belt or something like that kind of an easy clone and then um from there when she gets to the floor between a couple of

workstations uh and network ports uh she's able to get a couple of footholds and so far they're entirely undetected she's able to egress herself out of the building so no physical detections and plugging things into the network port uh the way that it works and the way we have our Hardware set up it's pretty hard to detect um and also uh there is an an unlocked workstation so we were able to drop a form of initial access Cobalt strike so uh now it's your turn to play You're the Cyber operator uh behind this red team kind of supporting it from the back and you have an objective your objective is to compromise the CEO's machine stealthily

for long-term information collection you're looking for information that might inform the company's Financial direction for basically insider trading and this is absolutely illegal don't do that but I'm just saying this is what your objective is and we're trying to simulate getting to that point and being able to collect that kind of information we're going to need to persist on that machine for extended durations so we can't do the thing where you have internal network access and you just um you know use whatever wmi exec or Ps exec or your custom variant of those to gain code execution on the machine we actually want to be on the machine in case that person's not connected to the

VPN and let's say they're traveling they're not connected we still want that continuous persistence on that person's machine the laptop is equipped with a AV and EDR solution that will detect common implant loading persistence uh loading and persistence techniques so things like registry keys Auto star directories SK scheduled tasks it turns out that for that specific user is an enactive Directory Group that is very heavily monitored for common persistence techniques okay the sock is pretty locked in on lbass and for folks that haven't done pen testing or red teaming those are basically windows binaries and scripts that you can use to indirectly execute some code to load an implant Ms build is one example run dll is another

and there's quite a few of them now it turns out if a machine never runs one of those L bass and then random it just runs one that could be a heris for detection the EDR itself interestingly in this case does not Auto quarantine novel portable executables on touching disc and this is something that a lot of edrs and AVS do out of the box the moment you touch dis uh it's going to check the reputation of the binary and it's going to try to make sure that uh you know if it's signed by some kind of certificate that the certificate is not blacklisted Etc and sometimes they just run it through sandboxes and it takes a

while so really depends on the EDR but that's really in the most aggressive settings and sometimes you into environments where that's kind of toned down and you don't have that kind of immediate response the EDR is going to detect CIS calls from weird memory addresses and again um CIS calls are basically a way to bypass uh how the EDR hooks one of the primary dlls that's used for interacting with the operating systems operating system which is ntdll.dll and we basically need our tradecraft to be flexible in between Ops or sometimes within the op itself depending on what we're targeting signed backdoor dlls will likely get deleted on program updates and this is because let's imagine the

scenario let's say we backdoor FFM peg. dll for Microsoft teams which um is a dependency uh what happens when we on the next team's update it's gone you lose your back door so if you back door one dll no matter how advanced it is the next time teams updates which isn't like a week or two you lose your uh persistence technique and we want to persist for way longer than that okay so let's define our problem statement we want to execute from trusted memory space uh we could do and what to do that we're going to do some variants of side loading there are quite a few uh sub techniques for side loading what vulnerability really allows

us to do that and this is the main takeaway of this talk uh if you're really like what how can I put this into one sentence most programs don't check for dependency Integrity when they're loading in dlls They Don't Really Care you know they lean a lot on the AV and EDR solutions to make sure that the dlls that are going to be loaded or not are not malicious or malicious and then the EDR is just going to delete that dll or prevent the executable the main executable from actually executing by the way do I am I loud on the speakers I can't really hear myself out there okay cool thank you okay we want since we're backdooring

multiple DLS we want to plant custom shared logic between all the back doors so they can do things like reinfect each other and they have this kind of smart Hive Behavior between them reinfecting each other ends up being one cool thing you can do but you can actually end up doing quite a few things with that the back doors themselves they have to execute and not disrupt the the original program logic or memory stability that means that if I load a dll even if I bring my implant up I don't want the main program to crash first of all that's it's not going to be usable so we need program continuity and the second thing is we actually need to inject into

a different process from that main one that's loading the dll because loading dlls especially uh if you interfere with a dll main loading process is very finicky in Windows so there's a lot of things you have to work around like if DL main takes too long or if you allocate too much memory or if you do different things from the dll main uh especially through your injected code it's going to basically hang the program any operations on the victim host when we're staging these backd door DLS either when we're grabbing them or putting them in we we need to make sure the Stager doesn't do anything too crazy besides besides uploading downloading files and copying moving or deleting

that's because staging and payload detonation for your implant when they're too close together is actually a heuristic for EDR so if you have a Stager that let's say it's Powershell or let's say it's an HTA file that then runs some Powershell which then does like process injection or something like that that itself since it's so close to the staging process is a heuristic and helps inform the EDR that something funky is going on so separating the St aging from the payload detonation as much as possible uh gives us the ability to be stealthier so we want the ability to use this for persistence and it turns out we can use this for initial access as well

and I'm going to cover that here in just a little bit even though the talk is kind of centered out the persistence idea but once you understand the idea of Duality and the methodology you can do a lot with it so let's look at some current options before I decided to come up with my own thing I was like okay what's already out there so the first option is uh going to be the backdoor Factory the backd door Factory is uh a kind of popular piece of work actually it's very cool uh there was a black hat talk about it and there are some advantages to it it supports different architecture so you can back door

windows Linux Mac whatever you like and it operates at the assembly level which is what we want and I'm going to touch on why that's necessary with some modifications you probably could Implement Duality like features but the workflow does not include easyc to polymorphic assembly generation basically the way the back door Factory works is you have some folder you put in your assembly code that you want to back door to put into the DLS that you're trying to back door it just goes and grabs the assembly and puts it where it needs to go and you don't really have too much control in the workflow of how that assembly is generated and what you can do after you compile the assembly

and I'm going to touch on Duality does a lot with that so repurposing the back door Factory is possible but it's probably going to be more work than just designing something from scratch with that said the back door Factory was a huge inspiration so thank you to Josh pittz uh also known as the midnight Runner so the second option here is dll proxy so theoretically you can implant any logic you like via d proxies and this is kind of a a more of a modern uh technique actually that's used by Red teams these days the logic itself is written at a higher level than assembly something like C and with some compiler in Linker magic and helper scripts you

can end up uh backdooring dlls in a manner where it proxies certain function calls executes malicious code and hands it over to the original dll like nothing happened now dll proxying is great but keep in mind that Beyond some EDR bypass Jiu-Jitsu we are really interested in highly polymorphic machine code because we want to do things like control flow officiation dead code insertion instruction substitution all that fun stuff to make our code really hard to reverse and really hard to Signature especially between different iterations so like a payload generator different iterations makes it really hard to Signature that piece of malare okay so there is implicit power in assembly this is kind of the typical

workflow for uh DL appr proxying you have a process it loads a dependency in this case it's math. dll which exports a bunch of functions so you can call add subtract and all that but when you're dll proxying you actually you you call in this proxy dll and one of these functions is going to be replaced with some malicious function and then you can when when that function ends up getting called with the same name it's going to basically execute the malicious code and then either terminate right there or hand it over to the the function that's supposed to be called so it's going to proxy it on any other function that's called is immediately going to go to

where it's supposed to go because we're not backdooring those functions so note here that we have two dlls on the system we have the proxy and the original uh and also there are some limitations to proxy dling that become more clear as we cover Duality more in a bit so without further Ado let me introduce act Duality so this is a logo that I made an illustrator in 30 minutes hope you guys like it if Brian made a logo he'd be able to do something much better than that but uh this is what I could come up with and those basically those are the two um icons or symbols for U DLS and the idea behind the logo is that the

dlls know of each other's presence in the operating system they're checking for their infection State and if they're no longer there they're respawning The Duel so and by the way it's Duality like there's two but actually turns out you can use the same thing you can back door like 10 or whatever arbitrary number of dlls and they all check on each other we'll touch more on that in a bit so there's really three major components to Duality there's the target machine interaction script which is going to be uh in this case like duality. CNA which is basically an aggressor script for Cobalts it's a it's the script aggressor script is the scripting language for Cobalt strike and you can use that in uh

ways to automate things that you want Cobalt strike to do so duality. CNA is the persistent script that helps you use Duality uh as you're operating from within a Cobalt strike context this is with regards to persistence you can also have a Powershell oneliner and this is is actually going to be released but the oneliner itself is going to be easily detectable by more advanced EDR and then you can actually Implement your own custom Stager the Powershell oneliner and the Stager are for initial access and uh the Powershell oneliner can still evade uh any of the lower AVS and edrs but if you want to be able to evade the more advanced stuff you probably want to write your own Stager

we're we're not going to release the more advanced stagers just because we try to keep our trade craft at like n minus one we try to share with the community but at the same time it takes a lot of time to do this research uh so we try to keep like what we release at n minus one and but you can take all that knowledge or all that uh methodology and slightly modify it and improve it a little bit and you can pretty much get to what we use uh inside for our own red teams the second component here is a c program which is going to actually do the backdooring once you upload the dlls

it's going to perform the backdooring by relying on the shell coat C file that is pre-written the shell coat C file is a program written in carefully written C and I'll touch on why that is is because you don't have the C run time basically so you're you're writing position independent code you're going to compile that down uh the C program is going to compile that down and then inject it into the dlls to back door them and then the Stager or the persistent script is going to grab those TLS and slide them in where they need to go for the programs that uh you're backdooring okay so in general what does Duality do if we're just trying to

rephrase it in a much simpler manner it bro it back doors a set of dependency dlls each dll is aware of every other duel and there's three modes of operation Singularity is when you have only one dll back doored and this is the case for initial access you're probably going to back door one dll through your Stager slide it where it needs to be potentially respawn the program that you want to load that DL to immediately get your shell or you're going to give it some time and whenever the program gets naturally used it's going to spawn the shell for you then the second one is Duality and Duality is the minimum number of you need two dlls it's a

minimum number of DLS required to manifest The Duality phenomenon where the dlls check on each other and the third one is totality which is when you have more than two DLS so if you backd door say 10 dependency DLS in 10 different programs s then you're going to uh be able to you know whenever any of those programs runs it checks on the nine other dlls reinfect them if necessary and also brings one implant up not more than that so you don't spam your C2 server one other thing about Singularity too is it happens if total if Duality fails so for example if you have two you're down to two dlls one of them dies let's say because the program

gets entirely deleted from the system the other duel is no longer going to find the you know the its duel basically one of the DLS can't find its duel so then it understands that now it's by itself it's operating in Singularity mode each dll checks on all the other duels to reinfect them we already said that and then we're going to bring an implant up if it's not already up and any of the back door dlls can do that so how does the whole chain work let's speak in more practical terms here so let's say we have three programs we're trying to back door teams Slack and python we're going to grab a dependency from each of those programs fm. dll um

and actually for both programs they have the same dependency name and then we're going to have Python 31. dll and then we're also going to have uh the ntdll.dll from the same machine because Duality the the back end can actually add a section of a clean ndl that is unhooked from the same host that the Stager uploaded and we're going to refer to that when we're doing things like process injection so we bypass all EDR hooks for each dll we're going to use that c program is going to encrypt our C2 Shell Code that's all happening in the in the back end by the way which is uh basically a host controlled by the operator we're going to pack clean ntdll

into a section with a random name same thing with the C2 Shell Code that's encrypted and then we're going to SW we're going to swap out template variables in the Shell Code C file what what are the template variables well each dll needs to know where all the other dlls are so that's one example of template variable it's just an array of strings and then we're also going to tell it what are the names of the mutexes that are randomly generated during runtime uh to bring an implant up or to check if the other DLS are still infected so there's two things that we're doing there uh and there's a bunch of other things that you do with the

template variables finally the C program compiles the Shell Code file and injects it into the DLS so where's the duality in all of this um the secc file defines custom logic basically prior to process injection each back door dll it knows where all the other duels are that are dueled it checks on each duel for this thing called The Sign of the sign of the duel and what that essentially means is it's a little part in the D and it can be anything but in this case it's a section name and the other duels know that per dll there needs to be this specific section name in order to know that that duel is still infected if it's

not there we know that the dll has been cleansed so to speak so we need to perform a reinfection this that special section name is basically something that only the back door DLS know of each other if you try to write a signature for that and actually the first version of Duality intentionally hardcodes that section to a name of called do Duality because I'm hoping that AV and EDR out there do end up signatur that but in the second block post and neither of them are out yet going through legal takes a long time but uh in the second block post uh we're going to have tradecraft improvements and one of those tradecraft improvements is all the section names

are randomly generated per iteration of Duality backdoor DLS so it makes it really difficult to Signature specifically for that thing and we already talked about if a new dll is present because of a program update it's not infected we're going to reinfect it this is kind of the logic and I'm going to run through this because it's it's a little dry but I'm just going to try to point out some things that are interesting so the DL gets loaded we're going to check for this keep alive mutex really the key Point here is dl's get loaded and unloaded multiple times during a programed life cycle we don't want to keep reinfecting stuff and bringing implants up every time a DL is loaded

you're going to have like a 100 shells back in your C2 servers and you're going to DD yourself and you're going to lose and you lose the red team so we're not going to do that we're going to use a mutex we're going to do that every you know once every time a program any of the back door programs comes up and then if it you know if you shut down the program restart it we do that check again but we're not going to do it every time a dll gets loaded through the same program life cycle so we're going to back up duels we're going to check if they're still infected and we're going to reinfect

them otherwise we're going to check check for that implant mutex again we're going to keep one implant up if the implant has been brought up before and that mutex exists which by the way uh if you guys don't know what a mutex is think about it as like an operating system level flag it's a like a a thing that you set in the kernel that you're like hey this mutex is there you can use it for multiple things like running things in parallel but you can also just use it as a flag uh and so if that flag is up we know that that implant's been brought up before and so we're not going to bring it up again

okay and then at the end after we do our Shell Code based process injection and I say Shell Code based because that c program gets compiled down into Shell Code back doored into the dll and now the dll when it runs it has the Shell Code to perform process injection the Shell Code itself for the C2 is another section in the dll so the pipeline so we talked about the different components in general how's the pipeline working our aggressor script is grabbing the DL LLS or the web Stager is going to grab DLS this is in the case of persistence or initial access we're going to upload them to the back end the back end is

going to back door these those DLS with the secc file which is contains all our logic and our process injection technique and it's going to rely on that clean anti-d section which is present in each dll so when the malware runs we know that uh if we perform like CIS calls or indirect CIS calls we're not using any hooked version of ndl unless it's necessary so when I get to indirect CIS calls it turns out that using the CIS call from the ndl currently loaded in memory is very advantageous because when EDR does stack unwinding post a CIS call they can actually examine where that CIS call is coming from so sometimes you'll execute things with direct CIS calls but you'll

still get caught so there's ways around that and that becomes more pertinent when you're operating from the implant like if a CIS call came from somewhere in the Heap because you're you you loaded your implant in memory and you performed a Cy call and they did Stack unwinding it's like why is there a Cy call coming from the Heap that's almost 100% guarantee that something malicious is happening so it's a high fidelity indicator so with that uh the last thing is after we download those back door dlls our stagers just going to slide things where they need to go okay so let's look at what actually happens in memory uh when when this is this stuff is happening so the first

thing is we're going to patch the ENT Point although you can patch other you know function entry points basically but we're just going to patch dll in this case and all the arithmetic done by The Duality engine you can do that for any dll there's not really anything hard-coded in that sense so you pass in any dll it knows to then find a code Beach what's a code Beach so you guys know code caves right that's pretty common you have like uh some space in the code and between them you have two chunks of assembly that's pretty handy but there's something interesting that happened when you load a dll from dis to memory when Windows

loads that dll when it puts the sections in memory it's actually going to put them at a certain modulo away from each other let's say you load some section at address zero and the length of that section is I don't know 981 bytes it's not going to put the next section at 982 it's actually going to do it at a modulo of like a th000 or 10,000 hex something like that so that space between the section sections I a code Beach and the analogy there too is that memory isn't entirely allocated so if you go too far in the code Beach some of that is allocated but you're going to run into unallocated memory before the

next section and if you execute code there your program is going to crash but the nice thing about code beaches is usually there's a lot of space so it's a nice place to put in your pre- shell coat stub and what that's doing is saving the register States and then it's calculating the address to where the malicious Duality section is so that it can jump to it now if we look from a zoomed out perspective we can see three sections here that have random names in the first block post like I said earlier The Duality section is going to be called Duality intentionally to be signatured and then in the next block post we randomize the names of the sections

between every iteration of backd door dlls that way you can't just signature on the section and then in the third iteration we're GNA expand the text section and cram all the code the malicious code in the text section and do all the wiring we need to make sure that it actually executes in the text section so it looks like there's not even any added sections the memory permissions for executable sections are already set when the dll is there so we're not doing any virtual protect during runtime we're not changing permissions which is something that could be detected by EDR this is kind of what it looks like in the C program so we use a library

called PE net and Peet is uh a program that allows you to manipulate pees portable executables so exes are dlls and I built on top of that so we can add and write to these sections during runtime on the fly when we prepare the Shell Code C file when I said replace some template variables in there remember we have the array of dlls that we need to know about where all the other ones are we need to know the decryption key for our Shell Code and we need to know things like uh the the mut text names that we're also generating on the Fly there's a few other things there but we don't need to

go through those the secc program like I said before is written mindful C it performs process injection but it's customizable by the operations AR architect so you can use different forms of process injection uh and basically you can have your tradecraft be flexible so it's not just set in stone when you create one assembly listing you can recreate the assembly listing from that C file so basically you can write your process injection in C and then dynamically compile it to Shell Code and then inject it we can't use the C runtime again because we're writing position independent code we can't guarantee that the C runtime is loaded and we can't use string references they have to be inline because we're going to

have our position independent code as just one chunk of Shell Code we can't refer to something like an R data section or anything like that in the executable so we need to make sure that a string reference are going to be in the same chunk of position independent code and this actually gets converted into Pic using a program called mazm shc by hasher ad uh she's an awesome U malware uh she focuses in the field of malware and writes a bunch of tooling for that and it ends up being that we can actually use that for Duality to perform our position independent code compilation so to go from C to position position independent code really awesome

project and U thank you hasher at for that the other thing the SEC program does is it dynamically resolves function pointers from the packed clean ndl section so each dll is going to dynamically figure out where that clean ndl section is in memory and then it's going to look for the functions that we want to use and then it's going to give you a pointer an address hey this is the function that you want this is a clean version of the function that you want you don't have to rely on the dll currently in me sorry on anti-d currently in memory let's say teams loads FFM Peg teams also has ndl in memory that ndl is hooked but instead

teams when it loads your FFM malicious fm. dll that's going to have a clean ntdll section that your malware refers to to bypass EDR hooks so why clean atdl for folks that uh don't uh R team or write malware the ndl on Windows in every process unless there are exceptions is hooked that means when you call ntdll all it's doing is setting up a CIS call identifier and then performing the CIS call but prior to that the stack is getting set up with a bunch of arguments so if you place a jump statement at the beginning of that function call the in the ndl and jump to an EDR uh dll the the EDR can then

examine the stack and see what like if you call create remote thread and you have things in the stack which is where you pass your arguments U or R8 R9 depending on which uh architect you're using fast Call Etc it can examine the registers and the stack and say hey are we going to do something malicious that's connected to something previously done like if we do a a virtual alloc in a remote process and then eventually do a create remote thread that's going to be a clear indicator that something weird is happening and some folks try to unhook on the Fly they're like I'm going to remove Hooks and stuff but EDR actually checks to see if the hooks are

still present sometimes especially within short time frames of spawning a new process so what I like to do is just grab a clean version of ntdll and pack it since we have the ability to do that we never have to worry about that so we're just going to pack our way out of it now I don't I don't really expect you guys to be able to read this I'm sorry this is but the point here is that there are these this is the carefully written C file and there are these functions that start with an underscore those were resolved by another function that enables you to just call a function like this and end up getting the

equivalent of an indirect CIS call from The Duality context and so you don't have to the function that does that for you is already there you don't have to go out of your way to think about how do indirect CIS calls work but we're just going to do a quick crash course on indirect CIS calls in case you weren't aware of how they work essentially let's say you're trying to interact with the operating system trying to get a handle on something let's say it's a mutex eventually uh in ntdll the sync for all the calls you're going to go through kernel 32 kernel base you're going to end up in ntdll and ntdll is going to have this function

called n open all the stack and stuff is set up before you get there in terms of what what do you want to what do you open a handle to Etc but anti enti open and ndl is setting up a csol identifier and calling cisal it's really two things it's not that hard sisol sound fancy all it's doing is just doing that now what is a CIS call right so we're operating in user mode this is where we can do all of our hey I I request something from the kernel when I perform a CIS call I hand execution over to the kernel which has access to other things that user mode doesn't have access to

okay so when you do a direct CIS call it means you're grabbing that assembly stub of instructions the op codes to set up the register with the correct CIS call identifier and perform the CIS call but performing an indirect s sorry the issue with that is if let's say you perform a direct CIS call and the EDR can examine your stack after the CIS call okay so this is going to be the same issue that we had when EDR just hooked into dll we thought that if we bypass that hook and just got to the CIS call we can no longer worry about that but indirect CIS calls allow you to jump instead of having that CIS call and the

direct CIS call we're going to jump to the actual ndls CIS call in memory that means when the EDR unwinds a stack it says where is that CIS call coming from it's coming from the legit location the actual ntid loaded in like teams. exe which has the hook there but instead of going through the hook we're just going through the CIS and this is basically the code that does it and um there's one function there called create jump on code and the reason I'm showing that is because well you'll see in the next slide actually we have to redefine things like the C runtime function so we can't just use mem copy we have to

Define our own mem copy because that's something that's available typically in C but we can't use that in position independent code so we Define we redefine parts of the C runtime so that we can use them in our position independent code now see how up here we have this is what it's going to look like if you call something like n open we're going to load some csol identifier into our register and then we're eventually going to call it CIS call and it's going to be based on this identifier like 3F is associated with n open for example when we do indirect CIS calls we're going to replace that last CIS call with a jump that jump is going to

be into the actual ntdll of the current process this is the this is what we're loading into R14 and we're going to jump to that address and guess what that address is that address is the CIS call in ntdll so that's an indirect CIS call that way when the EDR post CIS call examines your stack it's like where's where are things coming from well they're coming from the actual uh ntdll in memory so that's how you bypass that's the first step to bypassing post we're kind of in the post csol era as malware developers and R teamers and there's even more Advanced Techniques like stack spoofing and stack dispersion which is what the brute retel guy is

doing which basically you call like a win API it creates an entirely new thread with it its own stack and that new stack is dispersed from the original one where the malware is running so when they do stack and winding they can't actually see the uh the militia stuff that you're doing in the previous stack so I call that stack dispersion I don't I don't really think he gave it a name so when we compile this stuff in the C program again that's kind of our pipeline I'm just going to go this this looks like a lot let's look at the first this commented out thing this is really the whole command that we're running

we're going to run CL we're not going to do stack canaries or and we're going to we're going to create the full assembly and we're just going to compile it we're not going to try to link it and then we're going to run it through masm shc which is going to create our position independent code and then we're also after we do that intermediate in the intermediate process we're going to replace some things in the assembly listing such that it actually compiles down into position independent code because this is only necessary if you're going to end up if you're going to end up plinking like the short and offset flat things this is kind of in and how

the Pees are laid out in memory not really relevant to what we need for the pic so we're going to take those out when we link it we're not really linking against anything we're just creating an executable at the end and the text section of that executable is going to be your position independent code which is what we do in the next slide when we extract it at the end we extract the do text section which ends up being our position independent code we trim some zeros there because it ends up being a lot of trailing zeros we don't need for our pic now we have our position independent code what about code signing some AV and EDR will detect on S side

loading unsigned binaries well uh Cod signing is something that's going to be added it's in the work uh I'm not going to go through how you can obtain a signing certificate but if you're res if you're resourceful and you look you don't even have to look too hard uh you're going to find a lot of stuff even including the password not just the shirt you know so very very handy um it's easy to implement in the C pipeline after you back door the dll you sign it you have a little bit more trust from the edrs and this is basically how it would work it's just a command line that you run with a certificate and the password

in this case we're signing aexe but you can really sign whatever you want dot any portable executable including DLS so what about initial access we us all about that we talked about all this maybe slightly complex stuff with u persistence and compiling Shell Code can we use any of that for initial access because this is kind of a powerful Pipeline and the answer is yes we can reuse the same pipeline but we're going to need to use some smart Stager this is kind of the stage zero there's kind of a trend happening in the red team Community right now where they use these smart stagers it's not just running like a Powershell oneliner they're a bit more discret and they're

giving you information about the information information about the environment so that you can uh do some smarter stuff with your payloads so the Stager is going to enumerate low privileged dlls that means they're in locations where the current user can easily access and for things like teams and slack they end up dropping them an app data and you can just grab those d DLS as you like and back door them it's going to upload and download DLS it's going to swap out files where they need to go and it's going to force restart programs if you want an instant shell if there are no dlss to back door it can run a short lived run dl32 process if

you back door the right place in a dll such as dll main when you run run dll 32 turns out that it actually runs DL main momentarily you can point it to a function that doesn't even exist in the dll it'll be like can't find that entry point for that function but I executed DL main for you and you have your shell now so cool we'll just use run dl32 opsec considerations depending on the environment most of the time if you run shortlived run dl32 processes you're probably going to be fine if that tradecraft that's being run in that dll is actually uh clean and bypasses EDR hooks Etc doesn't spawn processes and allow the EDR to do like parent child

correlations hero sticks Etc um and the last thing here is loader agnostic but the demo uses pow shell so there's a demo I say loader agnostic that means you can code it in whatever you want you want to write it VB script go ahead but Powell is going to be kind of easy to demonstrate so Powershell isn't power shell dead what about opsc well actually no it's not uh but there's a lot more trip wires uh you know pow shells lock logging you have ampc you have etw and you have edrs hooking specific things in pow shell to get even more Telemetry out of it so it's kind of like walking through a Minefield would you

want to do it probably not but can you uh yeah yeah you can actually you can uh it's just going to be really difficult and so the Parell script itself is not doing anything more than just moving files around so really we're just like uploading downloading it just looks like a script that sis admin wrote kind of an involved script we're uploading downloading dlls and we're copying and moving so if you the the the thing that EDR detects on in the Powershell liner right now is that it uses a Bas 64 string so if you want to write like a one up just don't B 64 and code the payload really so okay the the

Powershell Stager in this case has no hard operating system interactions we're not doing process injection we're not touching LS literally uploading and downloading dlls the back end is doing all the hard work with backdooring the DLS with all the logic and bypassing EDR stuff and then the Stager is just sitting there and putting them where they need to go so what are some features of this web Stager the first thing is it's C2 agnostic and that you use off headers so that means that when you upload your shell code you can use whatever C2 you want cobal strike Mythic whatever you like uh and then when you upload the Shell Code it gives you this

identifier I call it a Shell Code prefix and you stick it in this web goey and then anything you use for the on liners or the web friendly version if you're trying to get web shells uh it's just going to inject that in there so that when it talks to the back end it knows what files to grab there's an o key that means after you do your staging you can revoke that o key and if they try to Stage your payload down again they can't you can create as many off kees as you want second cool thing all this backdooring and DL numeration and stuff takes like four or five minutes you really want to know what's

going on I hate just sitting there and be like am I going to get a shell in five minutes going to get a shell and you don't get a shell and you're like gosh I would have I wish I could have started something else in the meantime so it tells you what's going on when things are uploaded and all that and then at the end it'll give you a done signal it's like hey we uploaded the dlls we back door the DLS we downloaded them we put them where they need to go here's the done signal expect your shell if you asked for an immediate reboot of the program you're going to get your shell immediately if you did

not then uh it's going to come to you the next time the program gets naturally used when the payload detonates for the Stager you're going to get a bunch of information you're going to get information about the username name the user domain and the IP address the external IP address that's calling out is going to go through a short who is and then we're going to be able to tell what the registrant is so if you have something that detonates on Prem well and they own the IP address it's going to tell you hey it's coming from the right place and you can go ahead and click that red link and start doing all the fun stuff or if comes back and

you're like hm Microsoft Services I'm just going to reject that because it's probably a Sandbox so that's one option there the other thing is it can handle simultaneous detonation so let's say you have 15 people that get fished and three of them click we can handle backdooring and uploading and downloading for those three different users simultaneously we don't have to do it one person at a time now when you click that red link you get that back door choice there's two boxes for all the indices that it gives you one box is going to be the DL you on the back door the other one is the ex associated with that DL so we terminate all the processes and respawn

them if you leave that empty it just back door the DS and doesn't force reboot if you just put in a negative one here it's just going to grab a generic dll that we already have put it in and run it with run DL 32 this is in the event that there is nothing to back door you're like I just landed on the most vanilla Windows OS it doesn't even have bloat wear I don't know what I'm going to do so just run d32 Okay so let's do a little bit of the demo here the demo is one minute long but the whole process takes 5 minutes so I kind of jump around a bunch the first

step is to upload your shell code file and you give it the off key you can revoke it right after you do that and then when you upload it it gives you this Shell Code prefix okay so let's go through this I don't know if can you guys see this a little bit it's a little bright but uh this is basically with the interface looks like you put in the Shell Code prefix and then you can select the quick option the quick option is really handy because when you pick it and you generate an off key so you hit add um and this is going to jump around so I'm going to have to pause go back yeah so we generate it

gives you this Powershell oneliner that's going to use this Shell Code prefix or Shell Code identifier which correlates it with the file that you just uploaded if you select quick it's not going to bother giving you the opt for the DLS and stuff so let's say you're in a physical you just want to plug in a rubber ducky and you have quick selected when you generate your payload it's just going to go ahead and do the whole thing from start to finish using run DL 32 not even going to bother picking a dll or any of that because we're assuming that we're the operat the physical operator is plugging something in we're probably not going to get like

a Sandbox thing calling back but usually the sandbox thing happens if you do like email fishing it goes through a email sandbox and then they try to execute it and all that the other thing is is if they get the payload later on after this executes and then they can look through a Sandbox you might get kind of a Sandbox request but by then you would have already revoked the off key and they can't see it so um sorry let me there's what let me go through the demo video some more here so we select the off key in this case we're going to go ahead and copy it and then we're going to just go ahead

and and paste it over here and we go we hit enter and we look here we get our information and I redacted some of the there's like there's like this black box here that's just redacting information but this is what it looks like you have the link that you can click to go look at what DLS to back door information from where your Stager is calling in and then information about the username user domain machine name machine domain Etc just to give you a more educated guess on what's going on so in this case we're just going to hit reject I'm like I don't like this uh and then we're going to go ahead and run it again and I just

fast forward it to where I click on that red link and I'm going to look for python in this case so there's a python 311 dll uh I uploaded the python so this jumped really fast so what happened there is I put in the python dll uh index and I also put in the python exe so it Force restarts python so what happens is the Stager ran replace the python dll it killed all the python processes force restart Python and this is python starting taking a couple of seconds longer than usual cuz some funky stuff has happened in the background I.E getting your shell and eventually your shell calls back and python continues executing as normal with all the

functions in the dll so this is where we get our program continuity you get your long-term persistence and this is actually from an initial access perspective but it's the same pipeline that we use for persistence the persistence script is in the demo video that I posted on social media as like a hype teaser video uh if you're interested check it out it's on my profile um my Twitter my handle is Primal 0xf7 uh so feel free to go look at that video if you like for the pr I just for the interest of time I didn't includeed but that initial access video uses the same pipeline so that's all I had for you [Applause]

folks