
Hey folks, thank you so much, that was an awesome intro. I love your style, dude. All right, so this talk is titled "Duality: Advanced Red Team Persistence through Self-Reinfecting DLL Backdoors for Unyielding Control." There are a lot of words there, I know, and I hope they all make sense in the end, because I still don't know what they mean, but maybe we'll both figure it out here in a bit.

A little bit about me: my name is Faisal Tameesh, technical director. I spend half my time doing security research to support our red team ops at Aon. It's kind of like a consultancy within Aon that does pen testing and red teaming, and I do the research to make our red team shine a little more and have a higher chance of being successful. I have a couple of CVEs, and in my spare time I love training Jiu-Jitsu and Muay Thai. Does anybody here do Jiu-Jitsu? All right, infosec has some folks. I also love to hunt, and I love playing guitar and producing music. You can actually find some of my music on Spotify under Primal Cerebral, so there's my little music thing.

Anyway, let's start out with a little war story. I want you to imagine with me that you are on a red team and you've obtained a foothold through a physical vector. That is one of your very talented colleagues; she is absolutely amazing at obtaining access to wherever she wants, really. She can talk herself into anywhere. To do that we've targeted an office building in a downtown area. The way those buildings work is that the first floor has turnstiles where you'd use something like a badge; you get through the turnstiles, then you get into the elevator, and maybe you have to use your badge there, and eventually you get to the floor, and sometimes you have to badge into different places depending on their security. Now, if you heard me say the word badge multiple times, that was very intentional, so we really need to use a badge cloner, and that's something we use heavily during these types of engagements in order to get somewhere. She's able to clone somebody's badge just by talking to them and having her tote bag within one or two feet of that person. Usually those folks have their badges on their belt or something like that, so it's kind of an easy clone. From there, when she gets to the floor, between a couple of workstations and network ports she's able to get a couple of footholds, and so far they're entirely undetected. She's able to egress herself out of the building, so no physical detections, and plugging things into the network port, the way that it works and the way we have our hardware set up, is pretty hard to detect. There was also an unlocked workstation, so we were able to drop a form of initial access: Cobalt Strike.

Now it's your turn to play. You're the cyber operator behind this red team, supporting it from the back, and you have an objective. Your objective is to compromise the CEO's machine stealthily for long-term information collection. You're looking for information that might inform the company's financial direction, basically for insider trading. This is absolutely illegal, don't do that, but I'm just saying this is what your objective is, and we're trying to simulate getting to that point and being able to collect that kind of information. We're going to need to persist on that machine for extended durations, so we can't do the thing where you have internal network access and you just use wmiexec or psexec or your custom variant of those to gain code execution on the machine. We actually want to be on the machine in case that person's not connected to the VPN. Let's say they're traveling and they're not connected; we still want that continuous persistence on that person's machine.

The laptop is equipped with an AV and EDR solution that will detect common implant loading and persistence techniques, so things like registry keys, autostart directories, scheduled tasks. It turns out that that specific user is in an Active Directory group that is very heavily monitored for common persistence techniques. The SOC is pretty locked in on LOLBAS. For folks that haven't done pen testing or red teaming, those are basically Windows binaries and scripts that you can use to indirectly execute some code to load an implant. MSBuild is one example, rundll32 is another, and there are quite a few of them. Now it turns out that if a machine never runs one of those LOLBAS and then at random it just runs one, that could be a heuristic for detection. The EDR itself, interestingly, in this case does not auto-quarantine novel portable executables on touching disk, and this is something that a lot of EDRs and AVs do out of the box: the moment you touch disk, it's going to check the reputation of the binary, and it's going to try to make sure that if it's signed by some kind of certificate, the certificate is not blacklisted, etc. Sometimes they just run it through sandboxes and it takes a while. It really depends on the EDR, but that's in the most aggressive settings, and sometimes you get into environments where that's toned down and you don't have that kind of immediate response. The EDR is going to detect syscalls from weird memory addresses. Again, syscalls are basically a way to bypass how the EDR hooks one of the primary DLLs that's used for interacting with the operating system, which is ntdll.dll. We basically need our tradecraft to be flexible in between ops, or sometimes within the op itself, depending on what we're targeting. Signed backdoor DLLs will likely get deleted on program updates, and this is because, let's imagine the scenario: let's say we backdoor ffmpeg.dll for Microsoft Teams, which is a dependency. What happens on the next Teams update? It's gone; you lose your backdoor. So if you backdoor one DLL, no matter how advanced it is, the next time Teams updates, which is in like a week or two, you lose your persistence technique, and we want to persist for way longer than that.

Okay, so let's define our problem statement. We want to execute from trusted memory space, and to do that we're going to do some variants of sideloading; there are quite a few sub-techniques for sideloading. What vulnerability really allows us to do that? This is the main takeaway of this talk, if you're really like "how can I put this into one sentence": most programs don't check for dependency integrity when they're loading in DLLs. They don't really care. They lean a lot on the AV and EDR solutions to make sure that the DLLs that are going to be loaded are not malicious, and then the EDR is just going to delete that DLL or prevent the main executable from actually executing. By the way, am I loud on the speakers? I can't really hear myself out there. Okay, cool, thank you.

Since we're backdooring multiple DLLs, we want to plant custom shared logic between all the backdoors so they can do things like reinfect each other, and they have this kind of smart hive behavior between them. Reinfecting each other ends up being one cool thing you can do, but you can actually end up doing quite a few things with that. The backdoors themselves have to execute and not disrupt the original program logic or memory stability. That means that if I load a DLL, even if I bring my implant up, I don't want the main program to crash; first of all, it's not going to be usable, so we need program continuity. The second thing is we actually need to inject into a different process from the main one that's loading the DLL, because loading DLLs, especially if you interfere with the DllMain loading process, is very finicky in Windows. There are a lot of things you have to work around: if DllMain takes too long, or if you allocate too much memory, or if you do different things from DllMain, especially through your injected code, it's going to basically hang the program. For any operations on the victim host when we're staging these backdoor DLLs, either when we're grabbing them or putting them in, we need to make sure the stager doesn't do anything too crazy besides uploading and downloading files and copying, moving, or deleting. That's because staging and payload detonation for your implant, when they're too close together, is actually a heuristic for EDR. So if you have a stager, let's say it's PowerShell, or let's say it's an HTA file that then runs some PowerShell which then does process injection or something like that, that itself, since it's so close to the staging process, is a heuristic and helps inform the EDR that something funky is going on. Separating the staging from the payload detonation as much as possible gives us the ability to be stealthier. So we want the ability to use this for persistence, and it turns out we can use this for initial access as well, and I'm going to cover that here in just a little bit, even though the talk is kind of centered around the persistence idea. But once you understand the idea of Duality and the methodology, you can do a lot with it.

So let's look at some current options. Before I decided to come up with my own thing, I was like, okay, what's already out there? The first option is going to be the Backdoor Factory. The Backdoor Factory is a kind of popular piece of work, actually; it's very cool. There was a Black Hat talk about it, and there are some advantages to it. It supports different architectures, so you can backdoor Windows, Linux, Mac, whatever you like, and it operates at the assembly level, which is what we want, and I'm going to touch on why that's necessary. With some modifications you probably could implement Duality-like features, but the workflow does not include easy-to-use polymorphic assembly generation. Basically the way the Backdoor Factory works is you have some folder, you put in the assembly code that you want to put into the DLLs that you're trying to backdoor, and it just goes and grabs the assembly and puts it where it needs to go. You don't really have too much control in the workflow of how that assembly is generated and what you can do after you compile the assembly, and I'm going to touch on how Duality does a lot with that. So repurposing the Backdoor Factory is possible, but it's probably going to be more work than just designing something from scratch. With that said, the Backdoor Factory was a huge inspiration, so thank you to Josh Pitts, also known as the Midnight Runner.

The second option here is DLL proxying. Theoretically you can implant any logic you like via DLL proxies, and this is more of a modern technique, actually, that's used by red teams these days. The logic itself is written at a higher level than assembly, something like C, and with some compiler and linker magic and helper scripts you can end up backdooring DLLs in a manner where it proxies certain function calls, executes malicious code, and hands it over to the original DLL like nothing happened. Now, DLL proxying is great, but keep in mind that beyond some EDR bypass Jiu-Jitsu, we are really interested in highly polymorphic machine code, because we want to do things like control flow obfuscation, dead code insertion, instruction substitution, all that fun stuff to make our code really hard to reverse and really hard to signature, especially between different iterations. So with a payload generator, different iterations make it really hard to signature that piece of malware. Okay, so there is implicit power in assembly.

This is kind of the typical workflow for DLL proxying. You have a process; it loads a dependency, in this case math.dll, which exports a bunch of functions, so you can call add, subtract, and all that. But when you're DLL proxying, you actually call into this proxy DLL, and one of these functions is going to be replaced with some malicious function. Then when that function ends up getting called with the same name, it's going to basically execute the malicious code and then either terminate right there or hand it over to the function that's supposed to be called, so it's going to proxy it. Any other function that's called is immediately going to go to where it's supposed to go, because we're not backdooring those functions. Note here that we have two DLLs on the system: we have the proxy and the original. Also, there are some limitations to proxy DLLing that become more clear as we cover Duality more in a bit.

So without further ado, let me introduce Duality. This is a logo that I made in Illustrator in 30 minutes; I hope you like it. If Brian made a logo he'd be able to do something much better than that, but this is what I could come up with. Those are basically the two icons or symbols for DLLs, and the idea behind the logo is that the DLLs know of each other's presence in the operating system; they're checking for their infection state, and if they're no longer there, they're respawning the duel. By the way, it's Duality, like there's two, but actually it turns out you can use the same thing to backdoor ten or whatever arbitrary number of DLLs, and they all check on each other. We'll touch more on that in a bit.

There are really three major components to Duality. There's the target machine interaction script, which is going to be, in this case, duality.cna, which is basically an Aggressor Script for Cobalt Strike. Aggressor Script is the scripting language for Cobalt Strike, and you can use that in ways to automate things that you want Cobalt Strike to do. So duality.cna is the persistence script that helps you use Duality as you're operating from within a Cobalt Strike context. This is with regards to persistence. You can also have a PowerShell one-liner, and this is actually going to be released, but the one-liner itself is going to be easily detectable by more advanced EDR. Then you can actually implement your own custom stager. The PowerShell one-liner and the stager are for initial access, and the PowerShell one-liner can still evade any of the lower AVs and EDRs, but if you want to be able to evade the more advanced stuff, you probably want to write your own stager. We're not going to release the more advanced stagers, just because we try to keep our tradecraft at like n-1. We try to share with the community, but at the same time it takes a lot of time to do this research, so we try to keep what we release at n-1. But you can take all that knowledge, or all that methodology, and slightly modify it and improve it a little bit, and you can pretty much get to what we use inside for our own red teams. The second component here is a C program which is going to actually do the backdooring. Once you upload the DLLs, it's going to perform the backdooring by relying on the shellcode C file that is pre-written. The shellcode C file is a program written in carefully written C, and I'll touch on why that is: it's because you don't have the C runtime, basically, so you're writing position-independent code. The C program is going to compile that down and then inject it into the DLLs to backdoor them, and then the stager or the persistence script is going to grab those DLLs and slide them in where they need to go for the programs that you're backdooring.

Okay, so in general, what does Duality do, if we're just trying to rephrase it in a much simpler manner? It backdoors a set of dependency DLLs. Each DLL is aware of every other duel, and there are three modes of operation. Singularity is when you have only one DLL backdoored, and this is the case for initial access. You're probably going to backdoor one DLL through your stager, slide it where it needs to be, and potentially respawn the program that you want to load that DLL to immediately get your shell, or you're going to give it some time and whenever the program gets naturally used it's going to spawn the shell for you. The second one is Duality, and for Duality you need two DLLs; it's the minimum number of DLLs required to manifest the Duality phenomenon, where the DLLs check on each other. The third one is Totality, which is when you have more than two DLLs. So if you backdoor, say, ten dependency DLLs in ten different programs, then whenever any of those programs runs it checks on the nine other DLLs, reinfects them if necessary, and also brings one implant up, not more than that, so you don't spam your C2 server. One other thing about Singularity, too, is it happens if Totality or Duality fails. For example, if you're down to two DLLs and one of them dies, let's say because the program gets entirely deleted from the system, the other duel is no longer going to find its duel. Basically one of the DLLs can't find its duel, so then it understands that now it's by itself; it's operating in Singularity mode. Each DLL checks on all the other duels to reinfect them, we already said that, and then we're going to bring an implant up if it's not already up, and any of the backdoored DLLs can do that.

So how does the whole chain work? Let's speak in more practical terms here. Let's say we have three programs we're trying to backdoor: Teams, Slack, and Python. We're going to grab a dependency from each of those programs: ffmpeg.dll, and actually for both of those programs they have the same dependency name, and then we're going to have python31.dll. We're also going to have the ntdll.dll from the same machine, because the Duality backend can actually add a section of a clean ntdll that is unhooked, from the same host that the stager uploaded, and we're going to refer to that when we're doing things like process injection so we bypass all EDR hooks. For each DLL, that C program is going to encrypt our C2 shellcode. That's all happening in the backend, by the way, which is basically a host controlled by the operator. We're going to pack the clean ntdll into a section with a random name, same thing with the C2 shellcode that's encrypted, and then we're going to swap out template variables in the shellcode C file. What are the template variables? Well, each DLL needs to know where all the other DLLs are, so that's one example of a template variable; it's just an array of strings. We're also going to tell it what the names of the mutexes are that are randomly generated during runtime, to bring an implant up or to check if the other DLLs are still infected, so there are two things we're doing there, and there are a bunch of other things that you do with the template variables. Finally, the C program compiles the shellcode file and injects it into the DLLs.

So where's the Duality in all of this? The shellcode C file defines custom logic. Basically, prior to process injection, each backdoored DLL knows where all the other duels are, and it checks on each duel for this thing called the sign of the duel. What that essentially means is it's a little part in the DLL, and it can be anything, but in this case it's a section name, and the other duels know that per DLL there needs to be this specific section name in order to know that that duel is still infected. If it's not there, we know that the DLL has been cleansed, so to speak, so we need to perform a reinfection. That special section name is basically something that only the backdoored DLLs know of each other if you try to write a signature for that, and actually the first version of Duality intentionally hardcodes that section to a name called .duality, because I'm hoping that AV and EDR out there do end up signaturing that
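The following is an added example, not the speaker's code and not the Duality tool's source: it shows what the "sign of the duel" check described in the talk looks like when done by parsing PE headers directly. A duel walks each peer DLL's section table looking for a marker section (".duality", the name the talk says the first release hardcodes) and treats any peer without it as cleansed and due for reinfection. Assumptions: the check reads the raw file bytes (the real shellcode may locate the peer differently), header offsets follow the published PE/COFF layout, and the sample images are constructed header-only skeletons built inline so the code runs offline; `pe_has_section`, `build_header_only_pe`, `count_peers_needing_reinfection` and `duality_mode` are names chosen here, not the project's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the Duality project's code. Little-endian helpers are
 * used instead of windows.h structs so the parser is portable and free of
 * padding surprises. Offsets follow the PE/COFF file layout. */

#define SHORT_NAME_LEN 8    /* IMAGE_SIZEOF_SHORT_NAME */
#define SECTION_HDR_LEN 40  /* sizeof(IMAGE_SECTION_HEADER) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* 1 = marker section present, 0 = absent (peer cleansed), -1 = not a parsable
 * PE (peer truncated, overwritten, or not a PE at all). Every offset is
 * bounds-checked so a half-written or hostile file cannot push reads out of
 * the buffer. */
int pe_has_section(const uint8_t *img, size_t len, const char *name) {
    size_t n = strlen(name);
    if (n > SHORT_NAME_LEN || len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;    /* "PE\0\0" + 20-byte COFF header */
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec  = rd16(nt + 4 + 2);                        /* FileHeader.NumberOfSections */
    uint16_t optsz = rd16(nt + 4 + 16);                       /* FileHeader.SizeOfOptionalHeader */
    size_t sec_off = (size_t)e_lfanew + 24 + optsz;           /* first IMAGE_SECTION_HEADER */
    if (sec_off > len || (len - sec_off) / SECTION_HDR_LEN < nsec) return -1;
    uint8_t want[SHORT_NAME_LEN] = {0};                       /* zero-padded like the real Name field */
    memcpy(want, name, n);
    for (uint16_t i = 0; i < nsec; i++)
        if (memcmp(img + sec_off + (size_t)i * SECTION_HDR_LEN, want, SHORT_NAME_LEN) == 0) return 1;
    return 0;
}

/* Constructed sample (not a real DLL): DOS stub, "PE\0\0", a COFF header with
 * SizeOfOptionalHeader = 0, then one section header per name. Not loadable;
 * it exists only so the check above has a section table to walk. */
size_t build_header_only_pe(uint8_t *out, size_t cap, const char *const *names, uint16_t nsec) {
    size_t need = 0x40 + 4 + 20 + (size_t)SECTION_HDR_LEN * nsec;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3c, 0x40);                                   /* e_lfanew */
    memcpy(out + 0x40, "PE\0\0", 4);
    wr16(out + 0x44, 0x8664);                                 /* Machine = AMD64 */
    wr16(out + 0x46, nsec);                                   /* NumberOfSections */
    for (uint16_t i = 0; i < nsec; i++) {
        size_t n = strlen(names[i]);
        memcpy(out + 0x58 + (size_t)i * SECTION_HDR_LEN, names[i], n > SHORT_NAME_LEN ? SHORT_NAME_LEN : n);
    }
    return need;
}

/* One duel's peer scan: how many peers lack the sign and need reinfection.
 * An unparsable peer counts the same as a cleansed one; either way it is no
 * longer carrying the backdoor. */
int count_peers_needing_reinfection(const uint8_t *const *imgs, const size_t *lens, int n, const char *sign) {
    int missing = 0;
    for (int i = 0; i < n; i++)
        if (pe_has_section(imgs[i], lens[i], sign) != 1) missing++;
    return missing;
}

/* Mode follows the talk's definitions, keyed on how many duels still carry the sign. */
typedef enum { MODE_NONE = 0, MODE_SINGULARITY = 1, MODE_DUALITY = 2, MODE_TOTALITY = 3 } duality_mode_t;
duality_mode_t duality_mode(int live_duels) {
    if (live_duels <= 0) return MODE_NONE;
    if (live_duels == 1) return MODE_SINGULARITY;
    if (live_duels == 2) return MODE_DUALITY;
    return MODE_TOTALITY;
}

/* Scenario: three duels, one of them "cleansed" (marker section stripped, as
 * a program update would do). Returns how many need reinfection (1). */
int demo_scan(void) {
    static const char *const infected[] = { ".text", ".duality" };
    static const char *const cleansed[] = { ".text", ".rdata" };
    static uint8_t a[256], b[256], c[256];
    size_t lens[3] = {
        build_header_only_pe(a, sizeof a, infected, 2),
        build_header_only_pe(b, sizeof b, cleansed, 2),
        build_header_only_pe(c, sizeof c, infected, 2),
    };
    const uint8_t *const imgs[3] = { a, b, c };
    int missing = count_peers_needing_reinfection(imgs, lens, 3, ".duality");
    printf("peers needing reinfection: %d, mode: %d\n", missing, duality_mode(3 - missing));
    return missing;
}

int main(void) { return demo_scan() == 1 ? 0 : 1; }
```

Two things worth noting for anyone building a detection rather than a backdoor: the same section walk, pointed at on-disk dependency DLLs, is exactly how a defender would hunt for the hardcoded marker the talk says the first release uses, and the bounds checks matter in both directions, since a reinfection routine that trusts a peer's headers blindly can be crashed or misdirected by a replaced file.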