Modern Initial Access and Evasion Tactics

Red Teamer’s Delight

Mariusz Banach
Red Team Operator at ING Tech Poland

@mariuszbit, github/mgeeky
beacon>
whoami
Agenda
» A Few Phishing Tricks

» Initial Access in 2022

» Typical Vectors

» Rise of Containerized Malware

» The Beauty of HTML Smuggling

» Evasion In-Depth
» Delivery

» Exploitation

» Installation

» Command & Control

» Exfiltration
 Disclaimer
» Initial Access & Evasion tactics effectiveness is very Company/vendor specific

» Quite hard to maintain absolute 0% detection rate in Mature, Highly Secured Environments

» No fancy new tactics in this Talk :<

» This talk shares my insights into engagements delivered with following Security Stacks:

» MS Defender For Endpoint + ATP

» MS Defender For Office365

» MS Defender For Identity

» McAfee AV

» CrowdStrike Falcon EDR

» Palo Alto Proxy

» BlueCoat Proxy
PHISHING
 Phishing

» Stay away of regular e-mail exchanges

» Stick more to Third-Party communication channels (LinkedIn, Chat, Contact Forms)

» Develop multi-step plausible pretexts

» CV/Resume in response to a real Job Offer, Customer Inquiry

» Investor Relations (IR) exchange leading to IPO/bonds/shares acquisition

» Social Marketing offering

» Banger tricks:
» Ride-to-Left-Override-Like-Its-90s

» “This E-mail was scanned.[…] No Spam detected.

Links are safe to open.”
 Phishing
» Get familiar with
state-of-the-art Detections

• Here we reverse-engineer 20+

• MS Defender for Office365
Anti-Spam rules
 Phishing
» Apply Phishing e-mail HTML Linting
» On embedded URL’s domain – MS Defender for O365 ATP: Safe Links
» Categorisation, Maturity, Prevalence, Certificate CA signer (Lets Encrypt is a no-go)

» Domain Warm Up

» Landing Page specific

» Anti-Sandbox / Anti-Headless

» HTML Smuggling <3

» Keep your URL contents benign

» Beware of ?id= , ?campaign=, ?track=, /phish.php?sheep=

» Number of GET params, their names & values DO MATTER

 Phishing

» Apply Phishing e-mail HTML Linting

 Phishing
» Email Sending Strategy – MS Defender for Office365 cools down a sender upon 4-5th mail

» Throttling is absofreakinglutely crucial

» What works nice for MDO:

» GoPhish -> EC2 587/tcp Socat Redirector -> Gsuite -> Target
INITIAL ACCESS
 Initial Access

» Phish to Persist
» instead of Phish to Access (Matt Graeber @SpecterOps)

» Strive for delayed & elonged execution

» --> dechain File Write & Exec events

» Use VBA/WSH to Drop DLL/XLL

» COM Hijacking
» DLL Side Loading / DLL Hijacking
(%LOCALAPPDATA%\Microsoft\Teams\version.dll)
» XLL Persistence

» If dealing with CrowdStrike – drop CPL

 Initial Access »

Typical Vectors - WSH

» Windows Script Host (WSH)
WSF
» VBE, VBS - VBScript

» JSE, JS – JScript

» HTA – HTML Application

» XSL - XML

» WSF – Windows Script File

VBS
» Language agnostic file format

» Allows multiple scripts („jobs”) and combination of languages within a single file

» Mostly very-well detected

XSL

JS
 Initial Access »

Typical Vectors - Executables

» Executable files
» EXE

» CPL – Control Panel Applet (DLL)

» XLL – Excel Addition (DLL)

» SCR – Screensaver (EXE)

» BAT, COM, PS1, SH

» Very well detected

» Unless dealing with CrowdStrike

» For some reason CPL files are excluded from scanning

» 100% Success Rate, No Joke

 Initial Access »

Typical Vectors - LNKs

» Clever use of shortcut files

» Still a popular threat, especially in Phishing campaigns

» lnk – Link

» Often detected
 Initial Access »

Typical Vectors - HTMLs

» HTML in Attachment – not so commonly detected

» Can contain HTML Smuggling payload inside (more on this later)

» Can be conveniently abused with Right-To-Left Override trick

» „My Resume.vbs” ➔ „My Resume sbv.html”
 Initial Access »

Typical Vectors – COM Scriptlets

» COM Scriptlets
» SCT – COM Scriptlet WSC
» WSC – Windows Script Component

» INF-SCT – CSMTP accepts INF which can execute COM Scriptlets

» Used to instantiate COM objects

» via Regsvr32

» via GetObject

» Can be detected
SCT
 Initial Access »

Typical Vectors - Maldocs

» Dodgy VBA macros

» Consider applying Defender ASR Bypasses

» Prepend with “Enable Macro” lure message + lure-removal automation

» Gazillion of different weaponization strategies – yet merely few effective:

» File Dropping-based

» DotNetToJS

» XSL

» Documents that support Auto-Execution

» Typical Word, Excel ones

» pub - Publisher

» rtf – disguised Word document

» Macro-Enabled Office still not eradicated

 Initial Access »

Typical Vectors - Maldocs

» Some Office documents DO NOT support Auto-Exec

» But yet they can be instrumented to run VBA (CustomUI)

» ppt, ppsm, pptm – PowerPoint

» accde, mdb – Microsoft Access

» doc, docx – Word via Template Injection

» xls, xlsx – Excel via CustomUI Injection

» Lesser detected
Rise of
Containerized
Malware
 Containerized Malware
» Starting with 7 Feb 2022, Microsoft

blocks VBA macros in documents downloaded from Internet

» Files downloaded from Internet have Mark-of-the-Web (MOTW) taint flag

» Office documents having MOTW flag are VBA-blocked.

 Containerized Malware
» MOTW, We Evade

» Some Container file formats DO NOT propagate MOTW flag to inner

files. – As pointed out by Outflank folks
» ISO / IMG

» 7zip*

» CAB

» VHD / VHDX

» Inner file w/o MOTW

 Containerized Malware
» PDF can contain URL pointing to malware or Attachments

» Attachments are commonly used feature to package multiple docs into a single PDF

» Attachment can auto-open using Javascript in PDF

» We’ve seen Customers using PDFs with 10+ attached resources – on a daily basis
 Web Browser

Web Server Super Duper Web

Proxy

The Beauty of
HTML Smuggling
Endpoint
 HTML Smuggling – Deadly Effective

» Gets passed through the most aggressive Web Proxy policies

» Proxies, Sandboxes, Emulators, Email Scanning => BYPASSED

» Malicious file embedded in HTML in Javascript.

» MUST employ anti-sandbox/-headless, + timing evasions

~ again, thanks Outflank!

 Initial Access »

Summing Up On File Format Vectors

» Plenty Ways To Skin A Cat (probably there’s a lot more)

» Nightmare for detection Use Case designers

1. docm 35. vhd

2. doc 19. vbs 36. vhdx
3. xls 20. vbe
4. xlsm 21. hta 37. exe
5. rtf 22. sct 38. scr
6. xlam 23. wsf 39. cpl
7. xla 24. xsl 40. xll
8. xlt 25. vbe 41. bat
9. xltm 26. js 42. ps1
10. dot 27. jse 43. sh
11. dotm 28. html 44. lnk
12. ppa
13. ppam 29. zip 45. docx
14. pptm 30. 7z 46. xlsx
15. ppsm 31. iso 47. pptx
16. pot 32. img
17. potm 33. cab
18. pps 34. pdf
Evasion
In-Depth
 Evasion In-Depth -> Across The Kill-Chain

» Apply Evasion Regime At Every Attack Step

» Across the Kill-Chain

» Each stage of cyber kill-chain comes with unique challenges

» Each challenge needs to be modelled from detection potential point-of-view

» Each detection area to be addressed with Unique Evasion

 Evasion In-Depth »

Delivery - Payloads Hosting

» Serve payloads (HTMLs) off Good-Reputation URLs

» Avoids self-registered domains

» Snags well-trusted certificates

» Living Off Trusted Sites (LOTS)

» Outlook Attachment volatile URL

» Github anonymous Gist

• Clouds
• Storage Services: S3, Blobs

• Virtual Machines + webservers Hi mr.d0x!

• Serverless endpoints that host files

• Inter-Planetary File System (IPFS)

 Evasion In-Depth »

Delivery - Evasions
» HTML Smuggling + delay + Anti-Sandbox capabilities

» VBA Purging, VBA Stomping

» Office Document Encryption

» VBA Execution Guardrails (Domain Name, Username, etc)

» Consider using Template/CustomUI Injection

to de-chain infection process
 Evasion In-Depth »

Exploitation
» Office Document gets executed

» Good to use non Auto-Exec Docs (CustomUI)

» Or Auto-Exec but with ActiveX entry point

» Beware of AMSI in VBE7!

» DotNetToJS works great against Defender and AMSI! ~ in 2022

» Evades ASR rules:

» Block office applications from injecting into other processes

» Remote Process Injection + Parent PID Spoofing = SUCCESS

 Evasion In-Depth »

Exploitation - Evasions
» DotNetToJS from VBA

» Alternatively XSL Loader from VBA

» Low IOC footprint, executes in-memory, stealthy as hell

» Spawn into Remote Process to live outside of Office

» Utilise Parent PID Spoofing

» Or instead use Dechained Execution:

» WMI

» Scheduled Tasks

» COM Hijacking

» DLL Side-Loading

» AMSI Evasion from VBA is Cumbersome

» Requires Registry manipulation BEFORE running malicious VBA

» Or copying Maldoc into Trusted Locations before running it

 Evasion In-Depth »

Installation
» KILLER EVASION:
» BEWARE OF USING COBALT STRIKE , EMPIRE, SILENTTRINITY, COVENANT, METASPLOIT

» They’re used to fine tune EDR/XDR/AV detections. Sadly CS is a benchmark now 

» If your Client/Team/Employer can afford it:

» Develop In-House Malware

» Better - Develop In-House Mythic C2 Implant (no time wasted for UI)

» What’s fancy nowadays?

» Nighthawk – helluva C2, but priceyyy

» Brute Ratel C2 – been told it’s good

» PoshC2 – may work just fine

» Sliver – really evasive, requires mods, too heavy for my taste

 Evasion In-Depth »

Installation
» Prefer DLLs over EXEs
» Indirect Execution FTW!

» Microsoft Defender For Endpoint EDR has this ASR prevalence rule -> not that effective against DLLs

» DLL Side-Loading / DLL Hijacking / COM Hijacking / XLLs

 Evasion In-Depth »

Installation
» Obfuscate your Implants:
» Use my ProtectMyTooling

» Roll your implants through

Multiple daisy-chained packers

» I’ll release it soon on my

Github, stay tuned
& follow me on Twitter!
 Evasion In-Depth »

Installation

» Watermark Your Implants

» Deliberately inject IOCs

» For implants tracking

» For VirusTotal polling

» To stay Ahead of Blue Teams

» Inject into:
» DOS Stub

» Additional PE Section

» Manifest

» Version Info

» PE Checksum, Timestamp
 Evasion In-Depth »

Installation

» If you need to have them EXE

» Backdoor legitimate EXE

» or Sign Your EXE with legitimate Authenticode

» PE Backdooring strategy:
» Insert Shellcode in the middle of .text

» Change OEP
» … or better hijack branching JMP/CALL

» Regenerate Authenticode signature

 Evasion In-Depth »

Installation – Shellcode Loader Strategies

1. Time-Delayed Execution to timeout emulation & make AV Timeout & Transit into Behavioral analysis

2. Run Shellcode only when correct decryption key acquired – see image below

3. Conceal shellcode in second-to-last (or N-to-last) PE Section

4. Use Parent PID Spoofing wherever applicable Nighthawk shellcode loader decryption key
recovery options:
5. Prefer staying Inprocess / Inline

6. For Remote-Process Injection – use elonged DripLoader style:

• Dechain Alloc + Write + Exec steps

• Introduce significant delays among them

• Split shellcode into chunks

• Write chunks in randomized order

• Execute in a ROP style = Indirect Execution

 Evasion In-Depth »

Installation - Evasions
» Patchless AMSI + ETW Evasion (via HWBP + DR0..DR3)

» Anti-Hooking with Direct Syscalls

» Consider Self IAT Hooking to redirect unsafe
CreateRemoteThread to safe Direct Syscall stubs

» Advanced In-Memory Evasions

» Shellcode Fluctuation

» Thread Stack Spoofing

» Process Heap Encryption

» Modules Refreshing

» Unlink Malware PE Modules from PEB during Sleep

» Indirect Execution -> jump to shellcode thread via System Library Gadgets

» Indirect Handles Acquisition

» convert HWND into Process Handle,

» reuse opened LSASS handles

» Anti-Debug, Anti-VM, Anti-Dump, Anti-Splicing, Anti-Sandbox, Anti-Emulation, Anti-Forensics, yeeeaaahhh

 Evasion In-Depth »

Command & Control

» Switch from Fork & Run into Inline (Inprocess) Operations

» Hard to safely perform Remote Process Injection

With apex EDR

• So instead of injecting – remain inprocess

with BOF.NET by @CCob
 Evasion In-Depth »

Command & Control

» Utilise Nginx Rev-Proxy + RedWarden to cut off suspicious Requests & evade JA3

» C2 over Serverless Redirectors & Domain Fronting (CDNs) only

» AWS Lambda, Azure Functions, CloudFlare Workers, DigitalOcean Apps

» Azure CDN, StackPath, Fastly, Akamai, Alibaba, etc.

» Communicate over Exotic channels (C3):

» Steganography-based in PNGs hosted on Image Hosting

» Mattermost

» Asana

» Github

» JIRA

» Discord, Slack

» Dropbox, Google Drive

» OneDrive

» MSSQL

» LDAP

» Printer Jobs
 Evasion In-Depth »

Exfiltration
» Always in-memory ZIP / Compress files before exfiltrating

» Exfiltrate to Cloud Services

» Azure Storage / Blob

» OneDrive

» SharePoint

» Google Drive

» Exfiltrate by copying to private OneDrive synced folder

» Steal Azure / Office Primary Refresh Token (PRT)

» Steal OneDrive SSO Access & Refresh Tokens

for Session Hijacking on attacker-controlled Machine
SUMMARY
 Phishing – Bullet Points - What Works

» Spearphishing via Third-Party channels – LinkedIn

» Forget about attachments in 2022, URLs are the primary viable vector

» Email Delivery-wise:
» GoPhish on VM1

» SMTP Redirector on VM2

» Google Suite / any other decent quality email suite as a next-hop forwarder

• Frequency – extremely low yields best results: keep it 4-5 emails every few hours.

• Pay extra attention to embedded URLs & maturity of chosen domains

• Payload Delivery-wise:
• Landing Page equipped with Anti-Sandbox

• HTML Smuggling + delay + “plausible deniability” decoy payload

 Evasion In-Depth »

Delivery – Bullet Points

» My Personal Bonnie & Clyde:

» 2022, still HTML Smuggling + Macro-Enabled Office document =

» MacOS – VBA to JXA -> but then heavily sandboxed

» Secret Sauce lies in VBA poetry

» HTML hosted in high-reputation websites, storages, clouds

» Smuggling must include self-defence logic

» Office document encryption kills detection entirely – “VelvetSweatshop” might too!

» VBA Purging lowers detection potential

» VBA Stomping no longer has significant impact on detection potential, therefore not required

» Among different VBA Strategies – File Droppers, DotNetToJS, XSL TransformNode are killing machines
 Initial Access – Bullet Points

» HTML Smuggling
» That drops ISO, IMG, Macro-enabled Office docs (yup, they still keep on rolling)
» ISO/IMG/other-containers merely effective against extensions-blacklisting

» Yummiest Payload Formats

» PUB, PPTM – rarely blacklisted/sandboxed
» ACCDB, MDE – for those who favor exotic ones
» DOCX + Remote Templates (with arbitrary extensions),
» DOC/XLS heavily obfuscated/encrypted/purged/yadda, yadda
» CPL – still ignored by CrowdStrike
 Initial Access – Bullet Points
» Effective VBA Macros Strategies
» File Droppers
» Simplicity at its best
» DLL = Indirect + Delayed Execution + No Reputation/Prevalence Evaluation
» forget about EXEs in 2022
» Drop proxy DLL into %LOCALAPPDATA%\Microsoft\Teams\version.dll & execute DLL Side-Loading
» Drop XLL & setup Excel extension
» Drop DLL & execute COM Hijacking

» DotNetToJScript flavoured
» Pure In-Memory execution
» Ironically bypasses Defender’s ASR rule:
» “Block office applications from injecting into other processes”

» XSL TransformNode
» Pure In-Memory execution
» super effective, not signatured, low IOC surface, lesser known
 Installation – Bullet Points

» Use Custom Malware or Customize Lesser Known C2s

» Modify Open-Source C2 to remove outstanding IOCs, hardcoded HTTP status codes, headers

» Develop Custom Shellcode Loader

» If you ask me - I’m a purist – C/C++ is the optimal language choice.
» Rust/Go/C# add their own specific nuances, I don’t buy them for MalDev
» Nim looks promising though

» Embed shellcodes in Proxy DLL loaders

» Utilize DLL Side-Loading as your execution entry point (Teams’ version.dll is convenient)
» Direct Syscalls or intelligent Unhooking, AMSI + ETW evasion, delayed execution are MUST HAVE
» Remote-Process Injection is a tough one to get it right, prefer operating Inline/Inprocess

» Malware Development CI/CD Pipeline

» Develop -> pass through daisy-chained obfuscations -> Backdoor legitimate PE -> Watermark -> Sign It.
 C2 – Bullet Points

» Egress Through HTTPS – Highly Trafficked Servers Only

» Serverless Redirectors,
» Domain Fronting via CDN,
» Legitimate services – Github, Slack, MS Teams, Asana

» Forget DNS, ICMP, IRC

» We’re no longer in mid-90s – robust NIPS/NIDS and ML-based signaturing outrules exotic protocols

» Offensive Deep Packet Inspection

» Closely examine Inbound requests and decide if they originate from your Implants/Infra
» If not, kill them at spot – TCP RESET/Redirect/404
» RedWarden-style:
» Rev-PTR inspection
» WHOIS, IP Geo
» HTTP Headers
» Alignment to expected Malleable contract
Q&A
Questions? ☺

↘
@mariuszbit / mb@binary-offensive.com

https://mgeeky.tech

https://github.com/mgeeky