
Okay, welcome back. For our next session we have Amanda Rousseau, ".NET Hijacking to Defend PowerShell". So here's Amanda.

Can you guys hear me? Sorry, I talk really low. So my name is Amanda Rousseau and I'm actually malwareunicorn on Twitter, but I'm a senior malware researcher at Endgame and I focus on both Windows and OS X, and sometimes Linux, malware. I really love malware, and I have this little sticker up front if you want it; it says "give me your malware", so I'm always asking people to give me their malware.

So the goals of today: we all know PowerShell is in a lot of attacks, so we want to run PowerShell in a normal environment, because IT guys use the same thing to do their setups, right. We want to analyze de-obfuscated commands (I'll explain that later), we want to remain stealthy in the environment and avoid any bypasses (I'll talk about that), allow runtime analysis for either blocking or just regular detection, and we want to make sure we can support PowerShell version 2 through 5. So there's this joke I have with the PowerShell guys: you know, it's "PowerShell"; it's kind of a stupid joke, but things I can do with Photoshop.

All right, so I'm going to go over the attack history first, just a little overview, then try to go over .NET. Bear with me if you already know .NET; I'm just going to run through it really quickly and highlight some of the points that are important. Then I'm going to go over PowerShell specifically, bypasses and all that stuff, and then I'm going to talk about how I do C# DLL injection in some of the solutions that I'm going to talk about today. So for my solutions I have four different types: I went over IL binary modification, CLR profiling, JIT compiler hooking, and C-based method hooking. So I'll talk about those as much as I can in 30 minutes.

So this is the timeline that I've put together of PowerShell frameworks and PowerShell malware that have been used in the last couple of years, since 2012. You can see PowerSploit; everybody knows Nishang, the offensive framework; Poweliks, which was one of the first used to pivot, with the payload being fileless and all that; and then if you keep going down, we remember PowerDuke, I think it's the same guys who did the DNC hack. So normally PowerShell in actual campaigns is used to transition from the exploitation stage of the attack to the second stage, which is the actual payload. So it either becomes a payload or it executes a payload. Some of these examples are Poweliks, PowerSniff, PowerDuke, and some Hunter exploit kit variations.

Oh, and also, another thing I'm known for: making these terrible, bad malware pickup lines, but it kind of helps you learn a little bit about what I'm talking about. So it says "hey girl, do you like PowerShell?" (imagine, because it's Mr. Robot themed for BSides, right) "because I'd like to stay persistent in your memory." So if you remember, I said earlier there's a lot of fileless malware, or fileless attacks, based on PowerShell. Just so that you guys can wake up a little bit.

So it's also known for obfuscation in some of these attacks. If you can see, Invoke-Obfuscation was made by an offensive security researcher; you can see the invoke command is actually in a whole bunch of different section strings. Even CoinVault: when you decompile the binary, when you get the C# code, you can see that they're using different types of characters to change the actual names of the functions. And on top of that there's these code protection applications, if you're familiar with ConfuserEx or Confuser, which was actually used in CoinVault, and then there's .NET Reactor, which is actually the commercial version, where it comes with string encryption, anti-decompilation, control flow obfuscation, and anti-tampering, and you pay for that. I think it's free now, but you know, it's kind of disconcerting when you're trying to look at the malware.

All right, and then we have well-known offensive frameworks. I'm sure you're familiar with PowerSploit, Nishang, PSAttack, and PowerShell Empire. I think PowerSploit was absorbed by PowerShell Empire a little bit, so the same attacks are in there. So what these are used for: because PowerShell is really good at automating tasks, it's used for post-exploitation, so it can do all these fun little things like analysis, privilege escalation by administering Mimikatz, lateral movement, exfiltration, and they can reflectively load a PE in memory. So you can have a PE in bytes within the exploit and you can load that payload into memory without even touching the file system. All right, and of course they try to improve themselves over time.

So I have this lovely view of what .NET looks like. I'm going to go over the CLR, the JIT, strong-named assemblies, NGen assemblies, decompiling .NET binaries, and finally the Intermediate Language. So I don't know if you want to see that again.

All right, so the Common Language Runtime handler. This is basically what makes .NET cool: it remains agnostic across different architectures, because it uses this IL code that it manages to do the groundwork. As I explained before in the diagram here, when C# code gets compiled it turns into IL code, which we'll talk about, and this all gets handled where the JIT turns that into native machine code, which is CPU instructions. So you can see this is actually from PowerShell itself: when you decompile it you can look at ScriptBlock.Create; this is what the C# code looks like, and this is what the equivalent IL code looks like.

All right, so what does the Just-In-Time compiler do? When it actually gets a function, which we call a method in C#, it will go through: it'll look up the method in the data table, create a memory block, convert that IL code into normal CPU instructions, save it in that memory block, update where that memory block is in the method table, and execute that code and return back to the compiler. So when I say looking up that information, I mean these different tables. In the beginning of an assembly file, a DLL or an EXE, it'll have this information. The only ones we care about are ModuleDef and MemberRef, and keep in mind that these have the names, offset locations, or the tokens, as I say on the side here, of where everything is.

So this is just to give you a hint; I'm guessing you guys are going to get the slides later. What you have to do to traverse these tables is basically like a linked list, so if you can download the compiler's, what is it called, PDB files, you can get the offsets to the functions you need to use to start traversing the linked list. So just an example.

All right, so Microsoft Intermediate Language code. I explained before the code that you saw of the script block; you could see that each is actually a couple of bytes long, for a nop or whatever, and say you wanted to do a jump, you can have the token, which is a little-endian byte order address or identifier, and then the jump call there. So this is kind of important when you're creating your own IL code to do the hooking itself; for instance, I use that jump to do the trampoline for the hook. And one of the other things is, if you're trying to do sneaky code in IL, the JIT optimizes the IL instructions. So say if you want to do a nop sled in freaking IL code, they're going to remove all the nops, because it's trying to optimize the process. So, for all you offensive folks out there.

All right, and another thing is, when arguments are actually pushed on the stack, it's a stack slot. So you can see here, in the beginning of this function when you disassemble it, you can see there's a max stack of eight. This is where arguments and local variables will go, so this is kind of important when you're trying to make the prototype function for the hook. And also, if you want to get the actual location of where the code is after it's JITted, you can call GetFunctionPointer, and I'll talk about that later.

All right, decompiling .NET binaries. It's not as crazy as it seems; there's a lot of tools out there already that allow you to decompile. I mean, shoot, the SDK already comes with the disassembler exe and you can just look at the code there. dotPeek, dnSpy, ILSpy: some of these are all open source. I think dotPeek is more of a commercialized version of it, but it's not as handy as the others. This is an example of what dotPeek looks like; I actually use this one to go look at System.Management.Automation.dll, which is actually PowerShell itself, so you can just rummage through there and find the functions that you actually want to look for.

All right, so another thing to keep in mind is strong-name assemblies. So what does this mean? It means that they tried to tamper-proof these DLLs that are, you know, globally accessed, but I'll tell you how to bypass it in a second. What they did is, with the publisher's public key and private key pair, they created this little hash, it's called the public key token, within the top of the assembly, right, and then usually these get placed into the Global Assembly Cache, which you can see the different locations here. So with weak assemblies it'll just look for the file name, while globally cached assemblies will look for the actual signature.

All right, so back in 2009 it was discovered that, you know, in the .NET Framework 3.5 Service Pack 1, you can actually bypass the strong-name anti-tampering by just placing that into the folder location of the GAC, right, and it would just look for the signature rather than actually validating that it's the right one. On top of that, you can disable it with the registry key here if you want to check for strong names across all of them, or if you want to do it specifically for one application, while you're building in Visual Studio you can just put that into the configuration file, which is nice if you're doing bad stuff, but...

NGen assemblies. So what are NGen assemblies? It means that it uses this exe to pre-JIT IL code into native CPU instructions. So why do they do that? They thought the JIT compiler was too slow, because it has to compile the first time it runs, so it automatically creates these native images in this location, and it'll first look for this DLL before it looks for this DLL. So you can identify the native image by the "ni" at the end of the DLL.

All right, now we're on to PowerShell. Okay, so we talked about .NET stuff; that's important because we're going to look at everything underneath System.Management.Automation.dll and monitor that. So we know that this DLL is in the global cache, as I said before. We know that PowerShell can reflectively load assemblies, so of course we want to monitor this part below. It can run unsigned scripts; well, that means it can run locally, so we can have something locally monitoring something. And then it can run scripts that are interpreted from a Base64 string, so by that account we need to monitor when the string gets parsed.

All right, so as I explained before, I kind of hinted at the functions that hold the strings that are parsed into the actual code. The script block is actually where the string gets parsed, but it's important to note that this script block changes from version to version, so I have this nice little reference table for you to know what version of PowerShell goes with what version of .NET, so you know how to create your payload.

All right, here's another pickup line: "hey girl, do you like PowerShell? I can tell you do by the Invoke-Expression I gave you." So Invoke-Expression. This is actually very popular in a lot of the offensive frameworks. What it's basically doing is, you can invoke commands through the Runspaces library in a regular C# executable by actually using the globally cached assembly, and just say "using" the PowerShell DLL, System.Management.Automation, and then you can run that exe just to run scripts from a normal input. So how the hell are we going to monitor PowerShell if powershell.exe isn't needed to run the malicious PowerShell scripts? That's what I mean by Invoke-Expression and Invoke-Command: you can do this without a powershell.exe.

So another crazy thing it can do is, it can get Windows APIs. You can see here it's calling System.dll and it's getting GetModuleHandle and GetProcAddress, so it can get the function to write to virtual address memory. This is actually taken from the PowerSploit framework, Invoke-Shellcode. What it's basically doing is, it's getting that write to the virtual memory address so it can write its shellcode to the process's memory, after it gets the handle of course.

So that brings me to the Antimalware Scan Interface by Microsoft. Oh, you can see it already did its thing there. This was brought into PowerShell 5 on Windows 10 in 2015, and the whole point was to allow Windows Defender and third-party applications like AVG to scan the script block when the code gets invoked. What it does is it performs a security check, goes to the amsi.dll scan interface through a COM interface and RPC, and it sends it to Windows Defender to get scanned. So what this provides is memory and stream scanning; it looks at the code before it gets compiled, right, so this is already de-obfuscated. And then when you want to detect the C# usage of PowerShell, you can, because it's already built into System.Management.Automation.dll.

All right, another cool feature. If you use that decompiler I told you about, you can go decompile, man, the System.Management.Automation DLL, and Microsoft already has these suspicious methods in the code itself. So okay, they're using these as the suspicious methods, right. So how do I look at those too without using AMSI? Why? Because AMSI can be bypassed. It was already shown, like in Nishang there's an AMSI bypass that if you use string obfuscation for specific variable names, you can bypass Windows Defender. All right, and you can also disable AMSI two different ways: you can use the PowerShell MpPreference command, here for reference, and then you can do DLL load hijacking, which was found by another security researcher. All you do is, if you know the concept of DLL load hijacking, it'll look for the assembly in the same folder that is being executed. So in this case he was loading amsi.dll, but it's a dummy one; you can see down here, I don't know if you can see in the back there, it's just got a fake message box saying that it was loaded. So when it fails over it just unloads the amsi.dll altogether.

All right, and this one's tricky; this one was from Matt Graeber. What it is is, using reflection you can go and change the values of things that have already been triggered. So in this case, when AMSI loads, and this is actual code from AMSI, I pulled it out for you guys, when it initializes it checks to see if it failed, right here. What he's doing is he's changing that value to true so that it won't even load. So you can do that in real time and unload AMSI.

So that brings me to all the different methods. Make sure I'm on time. So I'm going to talk about how I did the C# injection, just a high-level overview; I'm planning to release a research paper with this, so it'll have more details, but I just want to go over it so you guys know. And then .NET rootkits with binary modification, CLR profiling, JIT compiler hooking, and C-based method hooking. So now that you know a little bit about .NET, I'm sorry, but you do now. Sorry, I've only been working with .NET since November, so this is like a whirlwind of crazy for me. So I think I went too far ahead there.

So what is the C# DLL injection? Keep in mind that C# does not have a DllMain, so when you try to inject your DLL you're going to have to make that DllMain by using a C wrapper DLL. Remember it's unmanaged code, so you'll have to manage the versions, which I hinted at before, and from there you stick that sucker as a byte array in your resources and you can load that when you need to. So by using a DLL injector, or a filter driver, which is common for AV, you can inject that wrapped DLL into the target host and then figure out what version of the CLR they're using. And so here's kind of the code that I used to actually attach to the process's CLR. Once I figure out the version I can use CoCreateInstance and access the host process's CLR, and then I can grab the AppDomain, because in order for my C# binary, my C# DLL, to actually run, it has to be in the AppDomain of this host process. So that's basically what this section of code is: it's grabbing the AppDomain, and once I get the AppDomain I can add myself to that AppDomain.

All right, so that brings me to a different topic: .NET rootkit binary modification. This was actually a 2009 Black Hat talk from Metula. What he did was he disassembled the IL, inserted their own function into the IL, you know, writing the code itself, reassembled it, and placed it overwriting the original DLL. So if we were to do the same thing, I would overwrite the System.Management.Automation DLL with my hooked code that would load my own special monitoring DLL. As I explained before, there's a couple of problems with this: you need to make sure that it doesn't validate the signature, and also the hash changes, so if you have any type of whitelisting or cert verification, and you have your good monitoring DLL there, it's not going to pass. So you're going to have to make some type of nice environment for it to do that without having the attacker know, but you're also putting something in the environment. So that's another thing: you change that DLL, that means the attacker can get that DLL and reverse it if they have it.

All right, so how does binary modification work? There's also a lot of open-source tools out there to avoid this human error, because you don't want to mess up how your stuff gets on the stack, how your hook works, and what you start loading into memory and all that. So these: .NET-Sploit, .NET Hook Library, Mono.Cecil, which is more of the common one that I've seen, and I've actually used it myself. You can statically or dynamically modify the IL code, recompile everything, and push it to the target process. So this is all the crap that you'll have to go through in order to figure out how to get your assembly into the same working memory of the host process.

All right, so luckily there's this cool API that Microsoft gave .NET; it's called the CLR performance monitoring API. It's basically a way where you can register your own CLR profiler to access when a module is loaded and unloaded. So it gives you this function that you can add code in there to access, like say if System.Management.Automation.dll got loaded, you can say okay, give me the handle to that DLL so I can inject into the AppDomain of that target process when it loaded. So it's kind of a weird way, because you have to register your DLL normally, like in the assembly, so you already have one artifact in the assembly, and you have to turn on the environment with an environment variable that says CLR profiler equals 1. So if the attacker knew that it was set to one, that means I'm being monitored somehow.

All right, and then you do the same thing where you use your C# DLL, in your wrapped DLL, to do the hooking. And when I say hooking, what I mean is setting the hook: when you control how the function gets created you can dynamically create the trampoline. So at the original entry point of the function you have your trampoline method; this is exactly what I'm talking about. You rewrite that function's code and you have your hooked code here, where you can do your monitoring, and then from there it points back to the original target and returns with the right information, or you can kill it if not, depending on what type of logic you do.

All right, so the next solution is JIT compiler hooking. What this actually is, is I am replacing functions with my own functions in the JIT compiler itself. So like I said before, you have to use your C# DLL injection again, and then once you're in, you figure out what version it is, you replace the JIT compiler's compileMethod, and then you start doing your hooking code while it's being JITted. So what does that look like? Okay, so this is actually how you would use EasyHook to hook the actual compiler's compileMethod, and from there you can recompile IL code on the fly and push it in memory as it's happening. So you can do all that as soon as it starts JITting. This is kind of what the output looks like; this is run when I'm actually testing PowerSploit's SharpPick. You can see it's using the Runspaces here, so this is first when it JITs, so you can monitor when it's going through all these different methods as it's happening. So this is when you would actually, okay, three, five minutes, when you can actually start following some of these methods and insert your hooks.

All right, C-based method hooking, the final one. Instead of hooking on the JIT level, we want to hook when it gets down to the native CPU instructions, so you're actually creating your normal assembly instructions to do the trampoline. This was actually from Topher's DEF CON talk; I think he did the Black Hat talk too. He actually created an offensive tool that would just overwrite code blocks in memory, because he had the ability to, because memory locations were RWX. So in this case we're doing something good and not bad, unless you want to do it bad, or you want to overwrite that with good assembly instructions to do the hook rather than overwriting it with shellcode, which you could, but I don't recommend it because you'll probably crash the program.

All right, so how to do that. You use the pointer reflection, as I explained before: once you pre-compile the method using PrepareMethod, you call this function GetFunctionPointer and you can get the actual pointer as it exists in virtual memory. But the problem is, like I explained before, you don't want to crash it, so you need to understand how to convert IL code into assembly code, and then figure out the arguments, and then figure out how to do the prototype. So you have to do multiple layers deep of .NET interception to make sure you get everything correct.

All right, so the results. Wow, you really can't see the colors here. So what I did was I laid out the points that I wanted to get across: I can do runtime analysis; I can run on PowerShell 2 and above; I could do stealth versus AMSI, you know, I'm doing something similar, but I'm making sure, by using my injector properly or my filter driver properly, I can inject without being known I'm there, because I'm working on a lower level; any system artifacts: I found that the CLR profiling and the IL binary had some artifacts, so I was like, I don't know if I want to use it or not; does it have to have NGen installed: another thing is, if you have an NGen native image, it'll bypass the JIT compilation stage, so all your efforts you're doing in the JIT location are not going to work, so you're going to have to uninstall it. So that makes a big difference when you're deploying into a customer environment.

All right, and then at the same time, requires signature validation: like I explained before, if you're trying to bypass a signature you need to make sure that you can in the environment. And also difficulty; I labeled everything in difficulty on this chart. So what I came up with is, this would be my first choice in doing the solution: the machine code manipulation, the JIT hooking, which was really fun, I think this one was my favorite, but it would be less sneaky if I couldn't do NGen, and then IL binary modification, because this one's the best and safest one you could do, but it's also difficult if you don't do it safely, depending on what open-source tool you use. You know, I would probably not use Mono.Cecil; I would probably just do it myself. But that's pretty much it.

So takeaways: like I explained before, you should intercept the actual PowerShell method rather than the script, and then you want to stay stealthy, do it right, don't crash PowerShell, please don't crash PowerShell, and then welcome to my .NET hell. All right, any questions? I don't know, you know, I just spent a couple of months on it. Anyone else? Sure.

Are there any additional vectors, if you had more time to look at? Oh yeah, you know, I explored regular API hooking as well and I kind of want to go back to that, but I think I'd probably focus more on a lower level, even lower than that, like the native images. But I only had a couple of months, so yeah, my boss was like, go research PowerShell. Okay, okay, I'll start with .NET.

Yeah, that should, yeah. So NGen was mainly used for improving performance, so if you were to pre-JIT the assembly, then that means it doesn't have to go through the JIT compiler, which means it'll run faster. But the only downside to that is you don't have the optimization per operating system. No, it'll just look for the next best thing, like it has the DLL load order, right. Yeah. Anything else? Okay, awesome. Amanda Rousseau, thank you very much, and from our sponsor Fitbit, those of you who've been around recognize this: a Fitbit for you. Oh wow, awesome. Wow, how's that fit? Okay, don't forget happy hour at 5:20 with Salesforce. Sticker, yeah, get a sticker.