
Obfuscation in Plain Sight

BSides Charlotte · 2023 · 25:05 · 145 views · Published 2023-09
About this talk
Ed Sabijon and Jon Chaipis demonstrate how attackers disguise malicious scripts to evade detection by blending them into legitimate code and traffic patterns. They cover real-world examples like Gootloader, automated obfuscation tools like Invoke-Obfuscation, and practical techniques for hiding payloads within legitimate-looking libraries and scripts. The talk balances attacker methods with defensive detection strategies, showing how alert fatigue and script-heavy environments can be exploited, and how defenders can hunt for these threats through behavioral analysis rather than signature matching.
Original YouTube description
The discussion on "plain sight obfuscation" focuses on disguising harmful scripts within regular traffic to potentially mislead an analyst who might initially detect the alert.
Transcript (en)

I'm going to go ahead and introduce Jon here, and then we'll get going. Hey guys, my name is Jon. I am a senior blue team kind of guy. I do incident response, I work with our SOC, I'm also really on the ChatGPT scene, and overall I like red teaming for the hacker-first mindset. How about you, Ed? Hi guys, I'm a professional karaokeer and I do cyber security for money.

So we have a few objectives we'd like to cover today: obfuscation in general; real-world threats, like applications of this; some tooling like Invoke-Obfuscation; how you can detect these things; alert fatigue and how that can be a leveraged thing in your attack; and then creating those malicious, non-malicious-looking scripts and why they can be difficult to detect; and then actually deploying them and how you can manifest them into an environment.

Cool. Oh, and the definition of obfuscation is from ChatGPT here: a practice of intentionally hiding the true purpose of something, right? So we're deliberately trying to circumvent stacked controls or mechanisms in place. And one of the big recent threats that we've seen is Gootloader, and so Gootloader is a prime example of obfuscation in plain sight. Gootloader will infect business-related documents, they'll poison them online, then they'll leverage search engine optimization poisoning to get people to download these infected JavaScript PDFs.

And what it comes down to is a PDF that brings down a JavaScript file, and it's hidden inside of a legitimate library, right? So on the left here you have a JavaScript library injected with this weird-looking malicious code, this green stuff, and on the right, that's the original library pulled from backbone.js. So if you do a diff you can see clearly this is literally injected into a default package. Next slide. And so if you pull out the payload you can do a differential analysis on this and basically detonate the JavaScript library, and Mandiant actually published a way to pull this out of these payloads in their Gootloader boot camp, which I really recommend you check out. This isn't de-obfuscated, this is just the raw output from one of those runs. Next slide, please.

And so that was the first stage. The first stage actually reaches out, and then what we observed is that it was hitting iframes and pulling down these PowerShell cradles for further C2. And so you download this PDF, it executes the JavaScript hidden inside of this legit-looking library, pulls down a PowerShell from the internet, right? We're doing more C2. It looks, again, more obfuscated, but again this is a second stage, and then the third stage was what we observed: Cobalt Strike beacons being deployed. So this is like as real as it gets to being on the front. I'll let Ed take it over here.

All right. So one way to actually automatically obfuscate things, because typing manually, typing in random characters as your variables and then matching up, kind of sucks, so there's actually scripted ways to do this and to actually make things kind of work, right? And specifically for PowerShell there's Invoke-Obfuscation, and this is kind of what it looks like. It's kind of hard to see on the screen here, but you have different iterations and different versions of obfuscation. Here at the top you have some sort of encoding obfuscation that just looks like a bunch of random mess. Sometimes you can create a bunch of appendations and random characters as well, and you can even mix it up in there, right?

So just a little example here. We can see this PowerShell cradle, Invoke-Expression to an Invoke-WebRequest to our C2 server, get obfuscated to the bottom part right here. However, us as defenders and attackers at once, we can also build the defenses in Splunk to accommodate for the patterns that are within Invoke-Obfuscation. So I'm looking in Splunk, I'm looking for PSHome and ShellId, and honestly I could go further with this, but this is just for the presentation, being a little lazy with this kind of search, but you guys get the point on this.

So we're going to actually switch over to the attacker mindset, because we know that this entire random nonsense of stuff is going to catch somebody's eye, right? It's going to flag, and people are going to reverse engineer it and then see what our intentions are. And we want to essentially maintain our stealth, and I'm going to pass it back over to Jon here.

Yep, thanks Ed. And so like he's saying, that's exactly right. One of the things we do is we make content, right? So for our Splunk we have to feed it alerts, and eventually you do get a lot of false positives, and it does come from things that you do inside your environment: your security, your scripting, all these little trafficking events. So what you can do is go to like a public GitHub, just like a developer, pull down a library or a PowerShell script that is out of the box designed to look like a legit thing, and then again you just inject it with malicious code to do what you want, and in such a way that it doesn't look inflammatory. Just like when you're messing with ChatGPT and you can't ask how to hack, you have to ask it how to do specific things in a non-inflammatory way.

So we're going to present this idea of pulling down, or using in an environment, a legit-looking script and including all those hallmarks, you know, the license, author, try to get it signed. If you can get malicious code signed, you're god tier. Next slide.

All right, and difficulty of detection. You know, this is again hard stuff to detect, and I run through like CrowdStrike daily with a lot of some of these things, and even after a while you have to understand that there's just so much traffic in some environments that that background scripting is extremely noisy and can be weaponized. And then it comes down to, you know, how effective is your script, and if it's effective enough you can get right past EDR. It's definitely possible, it happens all the time, that's why we have to hunt for these threats. And if you have exclusions, this can really open up bigger holes. That's why we try not to exclude by file path, right? Paths are terrible, you should do it by hash. And then the other thing is we're really targeting the analyst here, we're trying to get around the human element of these attacks, because eventually someone has to look at this if it doesn't get blocked, and if you get to that, you want to just get past those eyes.

So we're ultimately trying to help that analyst understand what they need to be aware of and how they can monitor for these things in their environment, because this is just a generalization of this field, right? There are many different execution combinations and variations and obfuscations you could do to ultimately hide your intent, and that's what we're trying to describe here.

All right. So to actually kind of accomplish this, in this version of this, there's many ways to accomplish this. In this example here, what you see is a PEM key, right, something to SSH to something. However, it's really not what it is. This is actually a function designed to disguise a payload as a PEM key. So I use the string delimiters to hide some XOR-encrypted payload that is going to be decrypted and then next executed, right? That's the entire point of this part right here. And what that's going to kind of go to is, I called the file an AWS health check script, and it has three different functions. So the first function is going to be the parser function, and then the next function is going to be the decrypter function, and the next function is going to be the execution function.

So just going over to the parser function, all it's doing is it's looking for the pattern right here, and I could probably do a little bit better with this to kind of hide this, because this kind of looks less by itself, but this is really just an example here. But as you can see, just regular written code. So this would actually be on the client side, the actual client side of the malware. So obviously I don't want to say "fake PEM string" in the actual scripts for the victim, because if they see that they will flag that, right?

So instead I want to kind of call it PemString here. So sorry to disappoint you, this is just how I do things. And now my function's also called AWS PEM parser. All right, so let's put them side by side here. I know, no random characters or anything, I'm just calling out these functions here, so I'm just renaming functions and variables. So that's our parser function, and again we're going to go to our decrypter function here. So all this is is an XOR decryption function, and then it decodes from Base64 and then just returns that value.

And then here it is as I am obfuscating in plain sight here, just renaming the function, renaming the variables to make things look more like AWS stuff, and then putting them next to each other here. So as you can see, just small changes, nothing crazy fancy, and you'll be surprised at how this gets past. He's not lying either. So here's a fun thing here. This is the execution side, and I know it says "execute decrypted", this is how I wrote it, and then I'm just again renaming functions, renaming variables here.

Let's see here. And then now, here we go again, renaming functions and renaming variables. And the best part about this is, does anybody see the hard-coded credential here? The hard-coded credential is what's actually decoding the XOR so it can actually decode the payload and execute it. So it's actually sitting right here as the AWS region, which is US East, which is something that you would put into AWS CLI sometimes if you ever have to do any kind of configurations, and so that also seems legit. So put them next to each other, that's what it looks like.

Almost looks the same. Top one is suspicious, bottom one's not. And then where all the money goes, Invoke-Expression, where it's saying it's executing what's AWS with a CLI in it. All right, so that looks like some whatever developer would use to automate something, right? So I'm basically just pretending to be a developer here to hide. So let's kind of put it all together. So I got a little video here and we'll kind of see what this looks like. So we talked about a PSAppDeploy script earlier, and to be honest with you I didn't write out the entire thing myself. There's this tool called ChatGPT, and I copied and pasted the PSAppDeploy toolkit and said rewrite this to match my script. So here it goes.

So that's what it looks like here, and then also at the end of the presentation you can see that script as well. Just take a picture of the QR code, it goes to GitHub, and it'll send a link over here. So that's what it all looks like all together here. So I'm just kind of highlighting a few parts of it, and what I'm doing right now, I'm just commenting out the Invoke-Expression part just so I don't have to execute the actual payload and you can actually just see what's on the other side here. So this looks like it's setting up a scheduled task that's going to execute PowerShell that goes to my C2 server and downloads a script here. So that's all that is.

And what he's using here is VS Code in dark mode. If anyone's not familiar, this is a really great platform to play with code. You could use it as a notepad, you can use it as an interactive development environment, and you can even execute your shell scripts and such, so if you're not familiar, check it out.

Yep, yeah, he taught me all about that. I was using Notepad++ for a long time, I still use it. VS Code allows you to take what you've got in the ++ and then execute it, which is awesome, so you can do both. Yep. So this is kind of how I delivered the payload, right? Could do phishing, so send a file, or just straight up execute it somewhere. So it could either be phishing or if you have some sort of control, but you're just going to be downloading from the C2 server and then executing.

And I just kind of want to show you, this is kind of all the tests anyways, so just kind of showing what happens when it gets executed on the other side here. And then we're detonating this inside of a FLARE VM, that's another really good tool if anyone's not familiar with that one, FLARE VM. And there's just like many different ways to kind of get these all on a computer, right? Send a phishing email with the malicious JS file, kind of similar to Gootloader, but this is kind of more of a post-exploitation sort of thing and more persistence. So but just an example of kind of how it goes here.

So right now what I'm doing is, I'm just going to go and run the script here, I know we just saw it all again. Let's see here. All right, running script, obviously want to run it here, and then now we're going to switch over to the attacker side and kind of show what that looks like here. So this is just a C2 built out of Flask. Also if you want an example, a simple C2 is also on the GitHub as well, just a web server that stores the commands and then lets you receive standard outputs from the remote access Trojan, right?

So and then this is also written simply in PowerShell as well. And sorry if anyone's not tracking: he detonated the payload and it's now actively communicating back and forth, and that's his custom-built C2 that's doing the periodic GET request. Sorry Ed. I'll actually let you talk about this one, since this one's kind of small, it's on your side. Yeah, no doubt. So this is, again, the FLARE VM. We have that built into our Splunk environment at home that we kind of set up outside of work, and this is the actual detection from the Aurora EDR showing, you know, more or less the activity, I'll just put it that way, because EDR hits on activity.

And so it's basically saying hey, this AWS health check is definitely doing some stuff, you need to check it out, and we can field things out like script block text, rule description. And rule description is telling you what it is, script block text is telling you the contents of the script, and this is, from the logging perspective, what you would see. This is what I'm seeing when you're blowing stuff up and I have to track you down. So it would be on me, the analyst, engineer, whoever, to go through this script and be like, okay, is the EDR doing a false positive on a legit health check or is this some APT trying to get past?

So this is a really good example of what you're going to be seeing if you're possibly dealing with a threat. They are going to definitely try to get past you, hiding in the traffic, let's just put it that way. Yep. And this is just a test environment here, as you can see there's only one event, but if you're in a big enterprise environment you're going to see a ton of stuff that looks like this, and they would probably all detect off of Set-ExecutionPolicy, because that happens a lot and most people just tune it out, and that's kind of why this is an interesting way to get past defenses here. And this goes back to what he's saying with exclusion paths: if you exclude a whole path from a defense, that means that could be free rein to just do what you want, and that's not good at all. I think that was all we had on this one. Was there anything more on this video? Oh, I think we just go over the different signatures, and we can actually see some of them here. So some of them are just normal stuff in here.

Actually, I know some of the remote SMB logons actually come with the Aurora, just already gets detected by the EDR. We've got suspicious PowerShell keywords on here, and uses of web requests and cmdlets, but that'll always lead back, whenever you go and investigate, it's just going to show that script that flags anyways. And those little characters are just blocking out my actual C2 server here, so yeah, don't worry about that too much. But so this is what we saw earlier here, this is what it triggered out of the private key. So and if you were to throw that private key into CyberChef, it would still give you a bunch of nonsense because it's XOR encrypted, so it's not going to help you too much. It'll still look like a private key when you try to do some other stuff. Try ChatGPT.

Yeah, so speaking of ChatGPT, if you were to be lazy with your job, and I know a lot of people are restricted from using ChatGPT at their network, and they try to use ChatGPT for reverse engineering malware, which for a CTF we have done, and done pretty good with doing that. However, it doesn't work all the time. We're going to copy and paste our payload, our malicious script, and put it into ChatGPT here, and I'll probably add another one of these to the list here of weird stuff. Okay, I press play here. Copy and paste. Hear how loud my keyboard is? I probably should have [inaudible] that, but it's okay. Mechanical typewriter. Yeah. So "the script appears to be safe to run as it does not contain any obvious malicious code", right? Invoke-Expression is something that gets used a lot in PowerShell anyways, so I'm kind of blending in.

And the other thing is, if you're detecting off of both Invoke-Expression and Invoke-WebRequest and making your alerts off of that, the thing is that that Invoke-WebRequest is actually in the scheduled task that's actually XOR encrypted in the PEM key, so that won't get detected here. So this script by itself won't get detected, so you'll have to rely on the attacker making a mistake. The only way you might catch something like this is if you have like CrowdStrike with ML, machine learning, turned on, and it might catch it at runtime when it goes into memory, but that might be your only chance other than a manual analysis. Yep. It'll probably detect it off of the scheduled task. Yeah, 100%. But that was kind of an example, so there's probably other ways that you would want to persist that way and then also hide that stuff. So yeah.

Anybody have any questions, concerns, death threats, challenges to death? All right. And well, here is my PowerPoint if you guys want to see it, and the GitHub repo, a lot of fun stuff on there. I learned some funny lessons from before, so some of it won't work if you want to use it in your red team engagements, because I uploaded one of them to VirusTotal like an idiot, so it would just never bypass anything. Not this one specifically, but something else, it's in there somewhere, but you'll find out. You can hit me up on LinkedIn if you want to get some questions in, and I think the same for you, right, if they've got questions? Yeah, yep. Maybe find me in the ether. But yeah, that's all I got.
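A defender-side check for the decoy-PEM pattern the speakers describe (an XOR-encrypted payload stored between PEM delimiters, decoded in-script and handed to Invoke-Expression), as an added Python example that is not the speakers' script or anything from the talk's GitHub repo. The sample PowerShell text, its function names and the DER-shape heuristic are constructed here: a genuine PEM body is Base64 of one DER SEQUENCE whose encoded length spans the whole decoded buffer, so a block that decodes but is not DER, in a script that also decodes and Invoke-Expressions something, is the kind of thing script-block logging should surface for review.

```python
import base64
import re

# PEM block whose BEGIN/END labels match; the body is captured for inspection.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
IEX_RE = re.compile(r"Invoke-Expression|\biex\b", re.I)
DECODER_RE = re.compile(r"FromBase64String|-bxor", re.I)


def der_sequence_spans_buffer(raw: bytes) -> bool:
    """Real key material is one DER SEQUENCE (tag 0x30) whose encoded length
    covers exactly the decoded buffer; XOR-ed or random bytes rarely do."""
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    first = raw[1]
    if first < 0x80:                           # short-form length
        return 2 + first == len(raw)
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or len(raw) < 2 + n:
        return False
    return 2 + n + int.from_bytes(raw[2:2 + n], "big") == len(raw)


def pem_body_is_key_material(body: str) -> bool:
    """Base64-decode a PEM body (ignoring line wraps) and check for DER shape."""
    try:
        raw = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                         # binascii.Error subclasses ValueError
        return False
    return der_sequence_spans_buffer(raw)


def analyze_script(text: str) -> dict:
    """Classify every PEM block in a script and note co-located execution primitives."""
    decoy, genuine = [], []
    for label, body in PEM_RE.findall(text):
        (genuine if pem_body_is_key_material(body) else decoy).append(label)
    findings = {
        "decoy_pem_labels": decoy,
        "genuine_pem_labels": genuine,
        "invoke_expression": bool(IEX_RE.search(text)),
        "decoder_primitives": sorted({m.lower() for m in DECODER_RE.findall(text)}),
    }
    # The pattern from the talk: a PEM-shaped blob that is not a key, in a script
    # that also hands decoded data to Invoke-Expression. Flag for analyst review.
    findings["suspicious"] = bool(decoy) and findings["invoke_expression"]
    return findings


def make_pem(label: str, raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()       # wrap at 64 columns like real PEM
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


# Constructed sample script-block text (not the speakers' file): one decoy block of
# opaque bytes, plus a well-formed DER SEQUENCE of two INTEGERs as a control.
REAL_DER = bytes.fromhex("3006020101020102")
OPAQUE = b"constructed opaque bytes standing in for an XOR-encrypted payload"
SAMPLE_SCRIPT = f"""# aws-health-check.ps1 (constructed sample)
$AwsPemString = @"
{make_pem('RSA PRIVATE KEY', OPAQUE)}
"@
$ServicePublicKey = @"
{make_pem('PUBLIC KEY', REAL_DER)}
"@
$Bytes = [Convert]::FromBase64String((Get-AwsPemBody $AwsPemString))
$Cmd = Unprotect-AwsBlob $Bytes 'us-east-1'   # -bxor against the hard-coded region
Invoke-Expression $Cmd
"""
```

Running `analyze_script(SAMPLE_SCRIPT)` reports the RSA block as a decoy, the PUBLIC KEY block as genuine, and sets `suspicious` because Invoke-Expression is present; the same check can be run over script-block text pulled from PowerShell event logs.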