
...privilege escalation. The platform options in here: in particular, the option of searchsploit in Kali, so you can just type searchsploit and the name of the application that you want to find an exploit for.

There is, you know, in the industry, like, "Oh, are you [inaudible]? I'm such a hacker," and there's a lot of backlash. So I ask people: okay, what is the right type of distribution for you to use? What is the right type of distribution? Because that's the one that I like. So if you ask me what is the right type of distribution for pentesting: whatever you feel comfortable working with, right, unless a client specifically tells you "don't use that." Whatever it is that you feel comfortable working with and works for you, or gives you the results that you want, because, you know, it just works well for me. For example, my brother is just getting started in infosec, and he told me something that made me think: rather than going for Kali, I'm just going to use the pentesting framework that I could use on the VM, because rather than downloading something or getting an extra, I'm the kind of person that tries to add that capability to what I already have.

Linux Exploit Suggester. So Exploit Suggester is designed with the purpose of detecting security deficiencies for a given Linux kernel. It provides the following functionality: assessing kernel exposure on publicly known exploits, where the tool assesses the given kernel against every publicly known Linux kernel exploit, and verifying kernel hardening security measures. So it can check for most security settings available in your Linux kernel, and it verifies not only the kernel compile-time configurations but also verifies runtime settings, giving a more complete picture of the security posture. Here's the interesting part: known Linux kernel exploits. So it has to be something that has already been, you know, documented. So if your Exploit Suggester is really not up to date, or it's not something that, you know, has all the exploits documented and listed, then it might not be any good. Like I said before, do not, again, do not rely just on third-party tools; you really have to have a good idea of what you're doing. So we're going to take a quick look at how the output would look. So this is my terminal right now, and these are the results that it's given: pretty much what potential exploits you could use.

But yeah, most of these, you know, they might be really resource consuming. A good countermeasure against them: I know that if you're in security operations there's just so much that you can do, but, you know, just keep your eyes open for compilation tools. You do not want to keep compilation tools on an end user's computer. You're going to get hacked, but I mean, if you're going to get hacked, make it harder on them; just don't offer everything on a silver platter. And then, so I have three rules: never allow a change without testing it, never test in production, and always follow one and two. So that's something my boss always said when I was just getting started, and it basically boils down to "don't do anything stupid."

SUID files. SUID is a Linux feature that gives low-privilege users the ability to execute a file as the file owner. SUID stands for set user ID. If a file is owned by the root user and the setuid bit is set, no matter who executes the file, it's always going to run with root user privileges. Find: this is how we would find setuid files, and this is the one that I found. I'm going to run it through, you know, the manual way with the exploit. With Linux Smart Enumeration, Linux Smart Enumeration is also going to list it, right, so this is something to keep in mind.

To find a setuid: normally Linux permissions are broken into three different, you know, groups, like this. So SUID is represented by an S in the execute position: user, group and other. User is pretty much like the owner. I love this meme, so 444. I know that they say that if you have to explain a meme it's no longer funny, but going back into the permissions: we have a four for user, we have a four for the group and we have a four for other. Four always equals only read permissions, and this is a "read-only" area. Well, nerdy humor; I'm not a nerd, though. Look for an existing exploit, or overwrite an existing binary with a reverse shell. In this case there is an exploit for it, so this is the one that I ran; it's called [inaudible]. Appropriate permissions, I run it, and here it is: I am root.

/etc/passwd. This is a plain-text-based database that contains information for all user accounts on the system. It is owned by root and has 644 permissions by default: writable by root users with those privileges and readable by all system users, but only root can modify it. So what I did here, if I wanted to exploit it, what I did is created a hash on my local box. Why? Because the format requires me to do so. A new line into the /etc/passwd file to create a new user; so this is what it looks like. I switched to my newly created user and boom, I was root once again. With Linux, what you can do is, for this double sign (>>), it appends to the existing file. Appending just means you add it, and this is just going to basically write to it.

As I was mentioning earlier, if a target is running a CMS system, it is recommended to look at the configuration files, as they can often contain sensitive information such as credentials. Not necessarily just credentials: like I said, they can also be, for example, operating system versions or application versions, hashes, usernames for other machines; something very helpful.

Cron jobs. A cron job is a Linux utility used for scheduling tasks that can be executed at a specific time. This type of task runs with the security level of the user who owns them. The configuration for cron jobs is stored in the crontab, which is known as cron tabs. So if we browse directly to the crontab directory, this is where we're looking; this is what we want. [inaudible] This is always going to be in Linux. These last couple of lines are what caught my eye. Okay, where is this file? If I'm supposed to write to it, I gotta know where it is, and I found it. So what I did in here is completely wipe this file blank, okay, just I don't want anything on it. So I rewrote, you know, the start of the shell, and in this line I am writing my shell; this is my, you know, localhost, this is the computer where I wanted to connect back to. And the reason why I'm doing "cat > override.sh" is because I want to make sure that everything that I wrote is in there, so I can see it in here. And then this is my listener, and I can see that, since this is a cron task with a determined amount of time, it started running and I got my root, you know, reverse shell that you most commonly are going to use for them.

Backups. Backups with permission misconfigurations can contain sensitive information, such as private keys. A private key is used to identify you to any server you're connecting to, so it must match the public key stored in the server's authorized_keys for the account that you're trying to connect to. So you have to have a match to your destination. Some common directories where backups could be found are /tmp, /var and /root. This is what a private key would look like in a case like this, so we copy it and it's going to give us access. And here I'm just [fixing] permissions, and I'm trying to [inaudible]; I'm giving the appropriate permission in here on my victim host. I'm already root, so I'm just going to try to show you guys this file. Looking into it, this is my private key. I wanted to give it any kind of, you know, random name, but I couldn't think of anything, so I was just like, "yeah, I see you." Boom, I'm root. So you want to always, always look into your .ssh folder, because if you have access to it, then all you have to do is get the root key.

Sources: privilege escalation cheat sheets. I know that this is just kind of tricky because it's recorded, but if you all have any questions, or anything that wasn't clear enough, or anything that I could help you guys with, definitely reach out to me. I love memes; they're really funny. So yeah, again, thanks for joining me. And another thing I wanted to say: just thank you to the BSides group for picking my presentation. I wanted to do this and I'm really excited, so yay, awesome. Thanks.
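The footholds the talk walks through (setuid files, /etc/passwd permissions, writable cron entries, private keys left in backup directories) can be checked from the defender's side in one pass. This is an added audit script, not the speaker's code; the directory tree that demo() builds is constructed for the example.

```python
"""Audit a filesystem tree for the Linux privilege-escalation footholds the talk
walks through: setuid binaries, a writable /etc/passwd, writable cron entries,
and readable private keys left in backup directories.
Added example, not the speaker's code. Point audit() at "/" on a real host;
demo() runs it against a constructed tree in a temp directory."""
import os
import stat
import tempfile

BACKUP_DIRS = {"tmp", "var", "root"}   # backup locations named in the talk


def _is_private_key(path):
    """True if the first line looks like a PEM/OpenSSH private key header."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline()
    except OSError:
        return False
    return first.startswith(b"-----BEGIN") and b"PRIVATE KEY" in first


def audit(root):
    """Walk `root` and return sorted (finding, path) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = rel_dir.split(os.sep)[0]
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):
                continue
            rel = os.path.join(rel_dir, name)
            if mode & stat.S_ISUID:
                # runs as the file owner (often root) whoever executes it
                findings.append(("setuid", path))
            if rel == os.path.join("etc", "passwd") and mode & (stat.S_IWGRP | stat.S_IWOTH):
                # default is 0644, root-owned; write access lets any user add a uid-0 line
                findings.append(("passwd-writable", path))
            if rel.startswith(os.path.join("etc", "cron")) and mode & stat.S_IWOTH:
                # system cron entries run as root, so a world-writable one is a root shell
                findings.append(("cron-world-writable", path))
            if top in BACKUP_DIRS and mode & (stat.S_IRGRP | stat.S_IROTH) and _is_private_key(path):
                findings.append(("exposed-private-key", path))
    return sorted(findings)


def demo():
    """Constructed tree with one of each misconfiguration plus a benign file."""
    root = tempfile.mkdtemp()

    def put(rel, data, mode):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)

    put("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n", 0o666)        # should be 0o644
    put("usr/bin/passwd", b"\x7fELF", 0o4755)                               # legitimately setuid
    put("etc/cron.d/backup", b"* * * * * root /opt/backup.sh\n", 0o666)  # world-writable
    put("tmp/backup/id_rsa", b"-----BEGIN OPENSSH PRIVATE KEY-----\n", 0o644)
    put("home/user/notes.txt", b"nothing interesting\n", 0o644)            # benign
    return [kind for kind, _path in audit(root)]
```

Setuid findings are expected for a handful of system binaries; the point of the report is to diff them against a known-good baseline rather than treat every hit as a problem.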
So today we're going to talk about search order hijacking, or SOH. First, a little about me. I spent several years doing digital forensics and incident response consulting, and moved from there to corporate in financial services, where I ran our security operations team for several years. I have been on Red Canary's detection engineering team since early 2016, and I lead our internal training program for detection engineering.

Now, we're not going to go very far into DLL search order itself, but I wanted to set out at least some basic information. DLLs are shared code libraries on Windows and, based on references within the binary, will get loaded into memory upon execution or as needed to perform that shared function. They can be leveraged by multiple processes, and aside from having each DLL's fully qualified path hardcoded into the binary or a manifest file, the system will search for DLLs following a preset order, and that preset order is where search order hijacking, or SOH, comes into play. If you know the name of a legitimate DLL that will be loaded by a legitimate and presumably trusted but not frequently executed binary, you can set up SOH by placing a copy of that binary along with a malicious DLL that has a legitimate name together in a path that you control, which is commonly under the user profile. Then, when that legitimate binary executes, the malicious DLL gets loaded into memory, thus running its code in the context of a trusted process. It kind of sounds confusing, but we'll show some real-world examples later, and it will make more sense then if it is confusing now.

So why is SOH important? Well, every year, like many companies, we put out a threat report. This past year SOH was in eighth place overall from an adversary technique perspective, and it impacted 16% of our customers. The numbers increased over the course of the year as we developed new ways to identify related activity, and as we continue to improve our detection I expect that those numbers will also increase. It's not just about the usage but about the visibility into that usage. Now, there will be a link to our report later in the presentation for those interested in the nitty-gritty details. And yes, with the rollout of MITRE ATT&CK sub-techniques this summer, SOH is now T1574.001 instead of T1038, and there will be a link to that also, just to save you the searching around for it. Now, we see SOH applied by various adversaries, both commodity and advanced, and it provides a means of persistence, potential privilege escalation, and bypassing various security controls for prevention, detection and so on. Now, if you watch the Full Disclosure email list at all, you'll quickly realize that a lot of legitimate signed binaries for operating systems and trusted third parties such as security software are vulnerable to SOH. A lot. On the good side, from the security software perspective, even though it shows up on that list a lot, we don't see it leveraged very commonly, so that's a plus. Of course, it usually just gets disabled, which makes it easier, I guess.

Now, there are a lot of talks and articles about SOH from different aspects, but very few address early identification based on ongoing activity. Instead they focus on after-the-fact forensics, reverse engineering DLLs or executables, and so on. Now, where I work we leverage endpoint detection and response, or EDR, telemetry to identify and alert on active threats within our customer environments. The concept of using EDR telemetry is what I'm going to focus on today, but not from the perspective of any given platform, nor how we use it specifically. I've tried to keep this generic from that angle and just provide you with methods and concepts that you can use to extract information from whatever data sources you have at your disposal.

Now, the most accurate way to identify SOH is based on knowing every legitimate binary, every single legitimate binary, on every single system and the paths that they are expected to launch from, and checking every single one of those. Then you combine that with knowing every single legitimate DLL that they are supposed to load, by name and path, and check the unexpected binary launch paths to see if any of those DLLs are being loaded as well. Now you back that up a little bit further, earlier in the chain, and you can identify the activity based on the file writes of those legitimate executables and illegitimate DLLs to those unexpected paths. Now, you might think it would be as easy as watching for any file writes of EXEs or DLLs to those paths, but not so much. All right, so if the best way isn't all that feasible (and if you didn't gather from what I just said that the best way isn't all that feasible, then I did a terrible job of explaining it, but it's not that feasible), okay, so if the best way isn't feasible, at least keep it in the back of your mind, and while you're doing that, focus on the behaviors that may help point to SOH at various levels of the technique.

Okay, so let's say that you have a scenario which looks like it might be related to SOH. How can you confirm it? Check out the EXEs to see if they're legitimate, and remember they might be Windows system binaries, but often ones that are not commonly used, or other legitimate binaries for other software. Once you've done that, check the DLLs in the same directory: do any exist that are named the same as known legitimate ones but don't contain the appropriate signatures or metadata, or maybe, if you get lucky, they've already been flagged by antivirus engines as malicious? Again, the key aspect here is that the malicious DLL gets loaded from the same path as the EXE. If the legitimate DLL of that name is likely to already be in memory, that will get checked first and then the technique fails.

Okay, so I've talked at a very high level about some methods that you might be able to use to identify and validate SOH activity. Next I'm going to provide some sample logic that you might be able to use to get started. And as I mentioned already, detecting SOH isn't necessarily straightforward, and some of the concepts are fairly broad and may be prone to noise; in order to raise up activity, a lot of it depends on the individual environment. Now, these are some rough ideas of generic query logic that I pulled together based on some of the things that we look for to identify SOH. Hopefully the logic construct is something that you can use to create queries within your own environment if you aren't already looking for these. Again, this is not any specific query language; it's just designed to kind of capture the concepts of what we're looking for. Now, be forewarned: they may be noisy depending on your environment, so don't go full production right from the start. Also, two of these will only work if you can reliably collect signature information on binaries, and depending on your data source this might be challenging, especially if the information is stored in a manifest instead of being embedded in the binary. All of them will probably require further tuning depending on the individual results you get in your specific scenario and environment.

Now, as alluded to before, detecting actual search order hijacking can be challenging, and we continue working on ways to do that better. One of the other ways we've approached it is by building detector logic that's focused on other behavior which can potentially lead us to, or point to, SOH, and as a result we've seen SOH associated with scheduled tasks, process injection, masquerading, use of admin shares and domain trust discovery, to name just a few. And we're going to look at a couple of examples from real-world activity, not just something that was set up in a lab, not from reversing malicious DLLs or researching specific malware, and so seeing it in this way should provide some clues that we can then watch for as activity unfolds on systems.

Now, here we have the creation of a scheduled task to launch a legitimate Windows binary, one that's part of BitLocker, from a path under the user profile in AppData\Roaming. So not only do we have a legitimate binary where it shouldn't be, but there's also the persistence mechanism from the scheduled task. Okay, and it's important to note that most of the binaries that we see used this way are not commonly observed executing, right; they pick something that's unusual, less common, but still trusted. The reason is, as previously mentioned, it's less likely to cause conflicts with DLLs that might already be loaded into memory by another process. Remember that if that legitimate DLL is already in memory, the SOH won't work; it's going to fail, because it's going to check memory first before it looks for the path. So shortly before, or excuse me, shortly following the creation of the scheduled task, the executable is written to disk in the referenced path. The Windows command processor did this file write, and if I recall correctly it copied BdeUISrv.exe from System32 and wrote it here to this path. So that's also a possible detector concept, and we can leverage all these observables in a lather-rinse-repeat sort of scenario to continue improving detection methodologies. Now at this point we definitely know that we're looking at SOH being set up: the DLL being written here has a legitimate name, but it's not the actual wtsapi32.dll, nor is it in the proper and expected path. Now, this one did not succeed in going through all the way, so we didn't see execution, but it is a classic setup for SOH.

All right, on to another detection. In this one we have Windows Script Host writing a binary under the user profile. Metadata indicates that it's the GNU diffutils binary cmp.exe, but the size is wrong and [inaudible] says that it's imitated. It actually kicks off other activity which goes into the SOH side of things, and we're right back into a situation that's very similar to the previous detection: a copy of the Windows Fax and Scan binary is written to disk under the user profile in AppData\Roaming. We're getting ready here, folks. And confirmation received: a legitimately named but completely malicious DLL is written to the same path. It's ready to load; we've got it; it's going. The binary and the DLL are staged, and now the scheduled task gets set up for execution and persistence. Our WFS binary will be live and in living color in 60 minutes. And here we go: execution of WFS.exe, and sure enough, immediately following that execution, the malicious DLL is loaded into memory by WFS. We have, once again, SOH for the win.

But it's not all doom and gloom. All we need to do to prevent this is to have all compiled binaries have explicit fully qualified path references for all DLLs that will be used, including dependent DLLs. That's all. Simple, right? Okay, maybe not. At any rate, good security hygiene can help. Microsoft has some resources that can be leveraged to help mitigate some of that risk, and having solid detection methodologies that balance out signal to noise and catch activity as early as possible can help as well. And so here are some links to more information. If there's time for questions here, that's great; otherwise I'll be available in the Discord channel and happy to talk more on the topic. Thank you very much.
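The three detector concepts the speaker describes (staging writes of .exe/.dll files under a user profile, a known system binary name starting from outside System32, and that process then loading a system-DLL name from its own directory) can be written as rules over EDR-style events. This is an added example, not code from the talk or Red Canary's detector logic; the event dictionary layout, the short name lists and the sample paths in demo() are assumptions constructed for the demo.

```python
"""Rule-style detection of DLL search order hijacking (SOH) over EDR telemetry,
following the concepts in the talk: staging writes of .exe/.dll files under a
user profile, a system binary name launching from outside System32, and that
process loading a system-DLL name from its own directory.
Added example, not Red Canary's detector logic. The event dict layout, the
short name lists and the sample paths are assumptions for the demo."""
import ntpath

SYSTEM_EXES = {"bdeuisrv.exe", "wfs.exe"}   # binaries the talk saw abused; a real list covers System32
SYSTEM_DLLS = {"wtsapi32.dll"}              # legitimate DLL names that get impersonated
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGING_WRITERS = {"cmd.exe", "wscript.exe", "cscript.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower() + "\\"


def detect(events):
    """Return (rule, path) findings in event order. Rules, in rising confidence:
    staging-write : a command/script host writes an .exe or .dll under C:\\Users
    exe-odd-path  : a known system binary name starts from outside System32/SysWOW64
    soh-dll-load  : that process loads a system-DLL name from its own directory
    """
    findings = []
    odd_procs = {}   # pid -> image path of a system binary launched from an odd path
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            path = ev["path"].lower()
            if (_name(ev["writer"]) in STAGING_WRITERS
                    and path.endswith((".exe", ".dll")) and "\\users\\" in path):
                findings.append(("staging-write", ev["path"]))
        elif kind == "process_start":
            if _name(ev["image"]) in SYSTEM_EXES and not _dir(ev["image"]).startswith(SYSTEM_DIRS):
                odd_procs[ev["pid"]] = ev["image"]
                findings.append(("exe-odd-path", ev["image"]))
        elif kind == "image_load":
            image = odd_procs.get(ev["pid"])
            dll = ev["module"]
            # SOH only succeeds when the DLL resolves from the EXE's own directory;
            # a load from System32 means the legitimate DLL won (or was already in memory).
            if image and _name(dll) in SYSTEM_DLLS and _dir(dll) == _dir(image):
                findings.append(("soh-dll-load", dll))
    return findings


def demo():
    """Constructed telemetry: the talk's BitLocker case carried through to execution,
    followed by the genuine binary in System32 loading the genuine DLL (no alert)."""
    base = r"C:\Users\alice\AppData\Roaming\Updater"
    events = [
        {"type": "file_write", "writer": r"C:\Windows\System32\cmd.exe", "path": base + r"\BdeUISrv.exe"},
        {"type": "file_write", "writer": r"C:\Windows\System32\cmd.exe", "path": base + r"\wtsapi32.dll"},
        {"type": "process_start", "pid": 4321, "image": base + r"\BdeUISrv.exe"},
        {"type": "image_load", "pid": 4321, "module": base + r"\wtsapi32.dll"},
        {"type": "process_start", "pid": 5555, "image": r"C:\Windows\System32\BdeUISrv.exe"},
        {"type": "image_load", "pid": 5555, "module": r"C:\Windows\System32\wtsapi32.dll"},
    ]
    return detect(events)
```

As the speaker warns, the staging-write rule is the noisiest of the three; in practice it is the exe-odd-path plus soh-dll-load pair on the same pid that is worth paging on.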
There I am. All right, so I'm assuming you can all see me. It's been an interesting day. Thank you all for coming out to BSides DFW 2020. In many ways it was a year one: we've been doing this for 11 years, but there's a lot of learning curves going full virtual; it had a lot of implications and things that we just didn't know what we were getting into originally. So there were some bumps, there were some slight technical difficulties; we apologize for those. We hope you still had a good time, and we hope you come back for the next go-around.

Before we get into all the usual type of stuff, for those of you that are actually local, you're lucky to be in the Metroplex. We have a few groups in the area; there's occasionally something going on, and if you get bored you might be able to break that random spell once in a while. If you're not local to the area, you know, if things keep going the way they're going, a lot of these groups are doing stuff virtually, so you can still join in on the fun. So, like I said, we got a little bit going on; check them out.

Next thing: just thank you. Thank you to everyone, thank you to the folks that helped out, thank you to the folks that showed up, thank you to the speakers for their time, contributing content, being willing to share, and the hours of work that went into their individual research and projects. Thank you to the sponsors, thank you to our Patreons; just thank you to everyone. I know I'm missing some specific folks, but it is what it is, and thank you to everyone. Again, a rundown of our sponsors: like I said earlier in opening ceremonies, this is a very short list of folks that genuinely, truly wanted to be here and partner with us. We can't do it without them, and once again, thank you for what you do and for supporting the community.

And the information that most people are looking forward to, and unfortunately I didn't get it all collected beforehand: contest winners. If you were already on Beers' Twitch for the hardware hacking, we had Mitch Cheevus win the multimeter in the noob contest. The second competition had no winners, so they had a second noob drawing; Daniel got the Raspberry Pi for that. And for the hacker competition, Pony Lover won that one. In the [inaudible] CTF... give me one second. Here we go. Yeah, we still don't have information on the [inaudible] CTF; we will post that later. Likewise with the [inaudible] security CTF, I do not have that information yet; we will also post that later. Sorry for that.

And with that said, short and simple, that's all we got for this year. We've got some things half-baked in the works, still trying to figure out how to do stuff going forward outside of just an annual event, now that we've been forced into this virtual thing. And we've been through this one time and we know some of the tricks, so you might start seeing some more, possibly, maybe not, don't quote me, maybe some monthly events coming forward. If nothing else, definitely some guest spots, so just follow Twitter. And once again, thank you all for coming out. That's all we got; have a good evening and see you on the flip side.