
BG - Wolves in Windows Clothing: Weaponizing Trusted Services for Stealthy Malware

BSides Las Vegas · 38:55 · 38 views · Published 2023-10
About this talk
Breaking Ground, 10:30 Wednesday

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines, executed successfully, and reported back to the cloud. You can probably already see where this is going... In this talk, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data, all while using nothing but Windows baked-in and signed executables, and Office cloud services. We will go behind the scenes exploring how this service works, what attack surface it exposes on machine and cloud, and how Microsoft managed to enable it without explicit user consent. We will demonstrate how Office cloud services can be harnessed to act as a C2 server, making detection and attribution extremely difficult. Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.

Michael Bargury
Transcript

Hi everyone, my name is Michael Bargury. This talk is going to be interesting, because let me briefly share what we're going to do: we're going to show you how you can take trusted executables that are baked into Windows, service accounts that are baked into Windows, and services that are part of the Office cloud, to operate your own malware. All right, so that's the promise; let's see how it goes.

Briefly about me: I've been focused on this area, which you'll see in a moment, no-code/low-code and the kind of things that business users are building, for a long time now, and I founded a company that's focused on this area. If you're interested, if you're looking for something interesting to do, reach out to me afterwards; there's plenty of research we put out there, so please check us out.

All right, so what I'm going to do in this talk is to try and get from initial access to a fully operational malware. Two things are important to note here from the get-go. One is that I assume initial access. That's the start point: I have access, I have the ability to run code on somebody's Windows machine, and then I want to operate, I want to create a malware operation on top of it. Let's just make sure we're all on the same page about what I mean by that. So you have initial access to a victim machine, which is great, right? You're like, you won. So actually, no: there are a few things in the real world that would stop you from actually doing anything with it. This might be behind a firewall, with an EDR; in a corporate environment things are difficult. So you have initial access; you need to be able to actually run malware on that machine; you need to be able to do command and control through network perimeters; you need to be able to exfiltrate data back; you need to avoid defenses as well while you're doing all of that; and you need to persist in case somebody tries to boot you off the machine. So there are plenty of things that you still need to do after initial access, and when you think about this list of things, these are mostly grunt work, right? This is not hacking, this is mostly engineering; there's a lot of operation involved, which is great, but as hackers we want to focus on what we care about, and we care about hacking. So all of this, right now, we want somebody else to take care of for us. Now, in today's world there's pretty much a SaaS for everything, right? So what if we had a SaaS that would solve this for us? That would be nice, that would probably be pretty good.

So let me introduce you to RPA, robotic process automation. I'm not sure how many of you have heard of this, but this is a technology that's meant to help business users automate their processes, or help people automate processes. The way it works, it has three separate components: there's an agent running on people's machines, laptops, workstations as well; there's a controller, something that can reach out through the network to your machine and run something there; and there's a cloud endpoint that allows you to manage all of that. Now, the crucial thing about RPA is that it's trusted. All of these things are trusted, and what do I mean by trusted? I mean that your EDR will already have inclusion rules for all of these services, right? So it would ignore everything here, which is pretty great. So RPA is what we're going to use here, because it seems like this is the service we want, right? It's like remote code execution as a service, which is awesome. This is what we're going to use.

One thing that's important to note is that RPA is really everywhere. I put here the main RPA vendors that are out there, but in any major enterprise you'll find at least one of them, and I'm going to pick on Microsoft in this talk, because, I mean, why not? It's kind of the thing that we're doing. But this is actually a problem with RPA as a whole, with this type of thing; you'll see in a moment why I focus specifically on Microsoft. So RPA is going to take care of everything for us, everything we wanted earlier: command and control, exfiltration, avoiding defenses, persistency, cleanup. But it's also going to do a whole bunch more things, because when you build a malware you need to think about the different [...] that you want to support, you need to be able to handle errors, you need to be able to do retries, updates. All these things are taken care of for us, which is nice, right? It's really like it was built for our purposes. So this is how RPA is going to help us.

Just a quick understanding of what RPA is: the idea is to replace the copy-paste integration that business users are doing. So if you want to move a file from one place to another, people have been doing that for ages; we've been trying to tackle it with DLP and all sorts of solutions that didn't really solve the problem. This is an attempt to automate that process. And the key feature about RPA is that it works as the user, on the same session as the user, so it impersonates the user by design. It means that it can operate in tandem with the user: the user is interacting with things on their computer, and at the same time the bot is interacting with those same things, with those same credentials, same permissions, everything is the same, right? So it's very difficult to distinguish what an RPA agent does on a user's behalf from what a user does. It can run on users' machines; it can also run on dedicated servers to do some more heavy lifting, because people are also using RPA for heavy enterprise processes and use cases. I mean, there are many of them, like [...] onboarding and offboarding, financial management, reporting; there are plenty of use cases for automation. This specific automation, again, the number one thing about it is that because it emulates the user, it's able to integrate with things that don't have a proper API. So if you have a legacy system that doesn't speak to anything else, like, I don't know, a healthcare system that people are plugging data from into some other system, RPA could help you there. But again, it also means that you're operating as the user, inside of the user context.

So here's what we're going to do today. We just covered the motivation, what we're actually going to achieve here. We're also going to briefly look at an example of what RPA is, so we make sure we're all on the same page, and then we're going to do a technical deep dive to understand how we can exploit this. We're going to see how we can take RPA and turn it into RCE as a service. I'm going to introduce you to a tool that will do all of that for you, and of course we'll finish with defense, understanding how we protect ourselves from this thing, because of course this is the goal here.

Just as a quick example, to make sure we're all on the same page on what RPA is: when I was a teenager I used to play a game called Tibia. I'm not sure if there are any Tibia fans here; I'm not finding a lot of those. But I spent the majority of my teenhood playing this game. It's like an early MMORPG, but the vast majority of the time you're not doing what you want to do, which is going on quests and playing with your friends; you need to grind in order to level up. In this particular case you do fishing. Fishing means you go to a pond and you click on a worm, and then you click on the sea, and then you click and you get some fish, and you click and you get some fish, and you click and you get some fish, and it's terrible, right? You spend hours doing this thing. So I really wanted to automate this thing, because it was too much. This is kind of the equation that you're going through, so I wanted to do something better, and then I came up with a very good idea: physical automation. This is an illustration, because I couldn't find the real picture, but this is really what I used to do. I used to go to sleep with heavy things on my keyboard and mouse, and when you wake up in the morning one of two things happened: either you leveled up, or somebody killed your character and you're not in a good state. Of course this doesn't hold, because this is very basic, right? You can only click things. So the next level up after you do this is to use some sort of program that records your screen, records what you're actually doing, and then replays it. And the cool thing about this is that you can also share it with other people, so this kind of made me popular for a second there, because I could share it with my friends, who could also fish automatically at night. And then you can see what this thing is actually doing: I'm recording an entire session of me fishing around, and then this thing will replay it overnight. So this is a funny example, but this is actually what RPA is, and now, I don't know, 20 years later, we are using this kind of technology to solve enterprise problems.

All right, so now that we understand what RPA is, and we have an example in mind which is very relevant to the enterprise setting, we are going to look into RPA and how RPA works, because if you don't understand that, then you won't understand how I'm achieving what you're going to see in a moment. I'm going to focus on Microsoft, and this is the reason: every Windows 11 machine has an RPA agent built into Windows right now. So open up your laptop, you'll find this agent; look for Power Automate, it's already there. This is the reason why Microsoft is definitely the thing to focus on.

So let's look at how this looks. When you open a brand new Windows 11 machine you'll find this screen, and then let me show you... All right, yeah, so we don't need the videos, but basically, when you log into this, let's do it here. When you find this Power Automate agent on your machine, the next thing that will pop up is a sign-in screen, and that sign-in screen asks you for an Office user account, whatever account you have. This could be your personal account, this could be your corporate account, whatever you have, right? And once you do that, this agent will start syncing with the relevant actual tenant. So it could be, again, a personal account and then it's the shared tenant, or it could be a corporate tenant. It's going to fetch all of the different automations that you've already set up on the cloud side, and then you can just pick them up and use them. Sorry, all right. So once you do that, this is the screen that you're seeing after you log in, and you can see a whole bunch of... so in this case those are payloads, because I've pre-prepared this, but these could be just regular automations. And you can see on the upper side that this goes to an environment at something called Pontos. Pontos is actually just the malicious tenant that I've created. So this thing is synced with the cloud; again, this is my Windows machine talking to Office.

So we need to understand how this thing actually works, because recall that Microsoft has put this inside of Windows 11; they didn't ask any network admin team in the world to open up different ports, right? So something is going on here that allows the Windows machine to communicate with Office in whatever setting you might be in. On the left side, on the machine side, Power Automate is actually comprised of multiple different executables. The first executable that you saw, that you'll see for the sign-up, is Power Automate. It communicates with something called machine runtime, which is actually a service that's going to go up to the cloud and pull payloads that it needs to run, and this is running on a service account; you can see the service account there, which is automatically being created on your machine. Power Automate also allows you to run a bunch of automations on the browser, so again, by default you can install a plugin on your browser that takes full control over your browser. In Edge this would be automatically deployed in some cases; in other browsers you need to install it, and then it would allow Power Automate to operate on your behalf on the browser. So in order to do this there are specific executables that communicate with each one of those. Now, if you're looking for a place to do some research, I really recommend this. I've just described three executables out of this entire thing; all of this is already in your Windows machine, and the attack surface is huge and not a lot of people are looking at it. So if you're looking for easy pickings, I really recommend it.

All right, this is the machine side. Now let's try to figure out how Power Automate, the RPA agent, works with Office, how it works through this corporate boundary. The way it works is actually with a niche piece of software that's called Azure Service Bus, or Azure Relay. Basically, both sides are creating outbound connections, and then there's no inbound connection to your network; there are outbound connections from the Windows machine, through your firewall or whatever, to pull on this queue. Now, most people are not blocking outbound connections, especially not to Microsoft services, right? So this is the way that it operates. This is basically a message box where Office can leave messages for your machine to execute.

So once you sign in, then on the Office side this is what you see. You're seeing all of the machines that I've infected; you can see their versions, you can see the ones that are connected or disconnected, you can see how many automations are running on those machines, and you can actually go further and execute things from the cloud to the machine through this mechanism of queuing. You can also look at each individual task that you've scheduled through the cloud and see what exactly happened, full logs, and if something failed you can rerun it. So everything is handled for you, and this is pretty much what we needed, right?

So now that you understand how this works, I'm just going to show you what we can do with it as hackers. From now on we are wearing the hacker hat, and we're not describing the service anymore, but describing how we're going to use it. So this is my wish list, and let me go through the wish list one by one. First of all, deploying the malware. To start this thing, what we need is a malicious Microsoft tenant. This is pretty easy to get, right? So I've created something here called Pontos, which is kind of, I don't know, a nice reference for Microsoft, and you can create this tenant for free, no credit card needed. Then once you do that, you go to Power Automate; it will tell you, hey, you need to introduce new machines. So in order to introduce new machines, well, you didn't see that because the video didn't work, but what you're seeing right here is the sign-in screen that people need to log in through when they first go to Power Automate. What we really need is to use our account; note this account here, this needs to be our hacker account, because this is the moment where we register a user's machine to our tenant rather than to their own home tenant. Once we do that, the machine is onboarded to our malicious tenant, we're a global admin, we can do whatever we want, right? So we can also run things on their machine. So this is the crucial piece. Now, you can do this with the UI, but as a hacker that wouldn't really help us, so we need a way to circumvent this registration form. So the question is, can we avoid that? And the answer is, of course. Microsoft actually has an existing executable there called machine registration silent, which is awesome, and then you can use this nice little script to register the machine to your own tenant, and you can see that this is the command that I'm using right here. So it's like a one-liner, very quick, and this machine is now registered to my tenant. By silent it means that nothing will pop up on the machine side, right? If you go to Power Automate and you try to log in, you wouldn't see that it's already registered. You can check registry keys; we'll go into that later in this talk.

Now this is great, but if your eyesight is especially good, then you have picked up on this little thing right here, which is that I'm running this as an admin, which is, yeah, I don't know, not good, right? I mean, if this is something that requires machine admin access, then this would be terrible, and so we really wanted to find a way to circumvent this protection and to run this as a user. So we did a very sophisticated thing: we just tried, and it actually worked, so why not. I mean, yeah, so it works. And by the way, once you do that, of course the machine is now registered here to your malicious tenant, so you can go to your malicious tenant, you can view the machine; specifically this is Windows 11, which I just infected, and it's connected, and you can see the version of the agent and so on, which is kind of nice. So I just showed you how to infect a machine. That's it, that's what you need to do. Again, when you run this command line right here, no EDR will stop you, because this is something that enterprises are already doing; I mean, it's something that they need to do.

All right, in order to trigger this thing from the cloud, I need to do a couple of things. First of all, I choose that I'm going to run this automation on some self-hosted machine; I need to specify the specific machine and credentials for that machine. I can run this with any user on your local machine, right? Not just a single user. By the way, this opens up another threat vector, because think about a machine that just gets a stream of payloads with usernames and passwords on top of it, but that's a topic for another talk. And then I need to choose a payload, and these are the payloads that I already submitted to my cloud. Now one thing that I need to figure out is what happens if a user is working on the machine. So if somebody's already working on the machine and I'm going to run some sort of payload, is it going to conflict with them or not? How do I manage that? And if somebody is not logged into the machine, will it still work? The good thing about this is that RPA has already solved this problem for us; that's why we're using SaaS, right? So you have two versions of RPA, attended and unattended, which basically means whether
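A defender-side example added here, not from the talk and not the speaker's tool or Microsoft code: a small detector for the silent machine-registration step, run over constructed process-creation records. It assumes the executable name PAD.MachineRegistration.Silent.exe and the -register/-tenantid switches from Microsoft's silent-registration documentation; the tenant IDs, users and records are made up.

```python
"""Flag Power Automate silent machine registrations to tenants the organization does
not own. Added example for this page (not the speaker's tool, not Microsoft code).
Assumed from Microsoft's silent-registration docs: the executable name and the
-register / -tenantid switches. All tenant IDs, users and records are constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

ORG_TENANTS = {"11111111-1111-1111-1111-111111111111"}  # constructed allow-list
REGISTRATION_EXE = re.compile(r"machineregistration\.silent\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    user: str
    tenant: Optional[str]
    reason: str


def switch_value(cmdline: str, name: str) -> Optional[str]:
    """Return the token that follows '-name' (or '/name') in a Windows command line."""
    try:
        parts = shlex.split(cmdline, posix=False)  # non-POSIX keeps backslashes in paths
    except ValueError:
        parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.lstrip("-/").lower() == name:
            return parts[i + 1].strip('"')
    return None


def evaluate(event: dict) -> Optional[Finding]:
    """Flag a machine registration whose target tenant is not on the allow-list."""
    if not REGISTRATION_EXE.search(event.get("Image", "")):
        return None
    cmd = event.get("CommandLine", "")
    if "-register" not in cmd.lower():
        return None  # other invocations of the same binary are out of scope here
    user = event.get("User", "<unknown>")
    tenant = switch_value(cmd, "tenantid")
    if tenant is None:
        return Finding("medium", user, None, "registration without -tenantid; review manually")
    if tenant.lower() in ORG_TENANTS:
        return None  # expected IT workflow
    # The talk's point: this works from a non-elevated user session too, so record the level.
    level = event.get("IntegrityLevel", "?")
    return Finding("high", user, tenant, f"registered to foreign tenant {tenant} at {level} integrity")


def scan(events: list) -> list:
    return [f for f in map(evaluate, events) if f is not None]


PAD_EXE = r"C:\Program Files (x86)\Power Automate Desktop\PAD.MachineRegistration.Silent.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": PAD_EXE, "User": r"CORP\it-admin", "IntegrityLevel": "High", "CommandLine":
     f'"{PAD_EXE}" -register -applicationid app-1 -clientsecret <redacted> '
     "-tenantid 11111111-1111-1111-1111-111111111111 -environmentid env-corp"},
    {"Image": PAD_EXE, "User": r"CORP\alice", "IntegrityLevel": "Medium", "CommandLine":
     f'"{PAD_EXE}" -register -applicationid app-9 -clientsecret <redacted> '
     "-tenantid 99999999-9999-9999-9999-999999999999 -environmentid env-pontos"},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\alice",
     "IntegrityLevel": "Medium", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.user, f.reason)
```

Registrations to the organization's own tenant pass; the registration from a non-elevated session to an unknown tenant, which is the case the talk demonstrates, is the one that gets flagged.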