
BG - Ambush - Catching Intruders At Any Point - Matt Weeks

BSides Las Vegas · 53:01 · Published 2017-03
About this talk
BG - Ambush - Catching Intruders At Any Point - Matt Weeks. Breaking Ground, BSidesLV 2012 - The Artisan Hotel - July 25, 2012
Transcript [en]

All right, well, if everybody who's here could take a seat, I'm going to go ahead and get started. I'm scriptjunkie; I also go by Matt Weeks, so that's fine too. scriptjunkie is a little easier to remember, and it's also my website. Also, if you Google "Matt Weeks" you'll get this guy who was accused of killing his fiancée and got lynch-mobbed. It's really weird. But anyway, I'll be talking about Ambush.

So first of all, a little bit about who I am, if you're not familiar with me, which is fine, you're probably not. I've done a little bit of research, releasing different pieces of research in the past couple of years, primarily with Metasploit. I'm a Metasploit developer with the community, so I've written stuff like client-side exploits, privilege escalation exploits, payloads, encoders, shellcode, servers, code injection, post-exploitation stuff, and backend stuff like the remote procedure call interface and the GUI. RPC is also the backend for Armitage and Cobalt Strike, that kind of thing. My day job is malware reverse engineer. But everything that I've really been releasing and doing presentations on publicly has generally been offensive focused, and so it's been really interesting, because this is a big departure for me. Prior to this point I've tended to put stuff out on my blog that I find, or commit to Metasploit, or whatever. So I've done attacks against crypto algorithms, attacks against tools to attack Facebook and other web logins, various generic Windows attacks, turned around and did an exploit against Metasploit itself, did an exploit against Firefox and McAfee, also attacks against Intel, which I presented last year, and then against Microsoft Office again.

And so after all of this stuff, what really struck me and kind of triggered this whole work was somebody said: okay, so there are all these attacks out there, you can do all this exploit stuff, so if you could have anything that you wanted to defend a network, what would it be? And so that was kind of interesting, and I just thought about the different perceptions between offense and defense. So why was I doing all this offensive stuff? Well, it was because a lot of this came out of learning about security in college or whatever, which was just a few years ago. So take a few years ago, before I was really even familiar with any of these concepts: hacking, of course, seems like magic. You get in, you're doing what nobody else knows how to do, and it seems to be impossible. And if you come up with an exploit against a piece of software, you feel smarter than everybody who was behind that software; you feel smarter than the billions that Microsoft put into whatever, all that. And defense, well, defense is normal, defense is boring. And so defense is more difficult, if you think about it. Attackers have exceptional success. So if I'm pentesting a company, I try to get in; maybe something doesn't work, maybe I try to get in again, try something else, that doesn't work, that doesn't work, until eventually I try something and it works, and then yay, I win, I win everything. Whereas with defense, if you stop an attack, well, that's normal. You stop an attack, that's normal. And then, oh, something exceptional happens: oh, you got hacked, you lose, you lose, you lose. And so offense always sounds more exciting and defense always sounds more boring. And so I thought about the different perceptions between those and why I was doing offense, and I realized after a while that it got to the point where I was thinking: no, offense isn't the amazing "wow, how did you do that," because there are so many ways to get in. It would be really amazing if you could come up with some actually good defensive technology to actually stop some of these attacks.

And so I thought, well, I hear all these perceptions between offense and defense, and I can't help you with a lot of those if you think offense is more exciting. But one thing that I heard again and again and again, and this is what I'm calling the myth, is a common frustration among defensive guys: this idea that attackers only need to win once. You hear this again and again: I set up all these defenses, and all they've got to do is find one hole in, and then, man, I'm owned, and they win. And so I thought, that's not the case, or actually, maybe more specifically, that is the case, but that really, really shouldn't be the case. You should not have your defense set up in such a way. When people talk about this, what they're basically talking about is a defense which is based on this idea of the wall.

So what is the wall? Well, the wall is: inside this little box is what anybody outside can do. So here, for example, we can take the JDK security model. Inside that little box there is our sandbox, and outside, remote attackers can do whatever they want inside the sandbox on the web page, but they'd better not be able to touch anything outside that little box, which is our files and our data and our processes and all that other good stuff. And so this is the wall, and we put our security measures in place; even though they know everything about this, they shouldn't be able to break out. And yet what happens? Well, every month, it's kind of Patch Tuesday, except every month for Oracle somebody releases a Java 0-day, right? And so you get all these exploits which break through the wall. So you think you've done everything to secure it, but somebody comes up with an exploit and gets through. Or even without that, somebody just sends a link to your people, and they've got a nice link to a Java signed applet and says just click this to see the web page, and sure enough, people allow them access, because they're tricked into allowing access. So basically attacks come in either the exploit category or the allowed-access category, which was probably unintentional, and this happens all the time, and everybody always hacks everybody.

So on the defense, what can you do about this? Well, advice basically follows "brush your teeth and floss," which is of course patch your systems and train the monkeys not to push the buttons. But guess what happens? Well, somebody's always got an exploit you haven't patched, or something else, or all the monkeys keep clicking the buttons. And you can do phishing awareness. I've heard statistics, and I don't know if any of these statistics are worthwhile, but with the best information awareness campaign, where you tell your people don't click on the buttons, still 30% of the people click on the buttons. If you actually send them something like PhishMe, where they actually get phished, and then they click on it, and then they get punished for that or whatever, then it'll be better, and still now only 5% of your people will click on stuff that comes in. So of course the attackers still get in, and news flash, this will fail.

So what can you do outside of that whole paradigm, since that's not going to work, slash is not working? So you've got different points of defense that you should be defending at. If you think about this, turn around and start thinking about it from an attacker's perspective. Let's say I'm going to be the cyber criminal; I'm going to go own as many people as I can, set up a botnet, steal their credit cards, a get-rich-quick scheme. So what points of defense are out there which could stop me? Well, you can start with a ton of external points of defense. So in this case, if somebody sees what I'm doing and finds out that it's me that's doing it, that's a fail, because then I can get arrested by the FBI and share a cell with a large roommate, and that would be bad for me. So externally, in order to achieve this whole thing, what I'm going to do is, first, let's say I'm going to get an exploit pack and put it on a website. So first of all I've got to get a domain out there which it goes back to, which obviously I can't just register. Even in the process of registering the domain I have to make sure that my IP address, my browser info, any of that, doesn't get sent over there. And then I've got to get a server. So in order to get either of those things, either I pay for them with a credit card, no, that's a really bad idea, because once again I get caught; or maybe I could use a prepaid credit card, except it still may be possible to trace that back to the security camera of whoever bought that credit card. And so maybe I could hack into somebody else's server, but then once again there are all these opportunities to get caught. So that's just getting a server which I can host this from. Then I've got to get the exploit pack, which itself could mean going and buying it from somebody, and I don't know who that is. And let's say I get this and I set it up, and then I have to get people to go to this, so then I've got to get traffic, and, you know, black hat SEO or whatever I use to get traffic. And then I go pop all these people, and now what have I got to do? Well, now I've got to have malware which is not going to get detected by the antivirus agencies. So that's not necessarily a chance to get caught, but there's more work that I have to go through, more hoops that I have to jump through, or I can get caught and it can get stopped. Again, then it gets on the system and I steal all your credit cards when you go buy something off Amazon, and then I take that, and then I have to cash out. But oh wait, if I go cash out, and that's a stolen credit card, that's again another opportunity to get caught by law enforcement or whatever. And so maybe I could set up some type of shipping scheme with mules or whatever, but they could get caught, and that could still end up coming back to me.

So there are so many external ones; you can probably come up with 15 different points here that I could get caught at, and we haven't even talked about anything that you can do yourself to secure your own stuff. And having said that, there is a great shortage of competent and willing FBI and whatever police agents to go prosecute all this and to go investigate all this, and so many of these layers, although they are potentially out there, often won't be followed down.

So we go back to your network. Let's say you're running a company network, and so you've got network defense measures: you've got your intrusion detection system, intrusion prevention system. Well, those are nice and all, but most likely, since the network is the traditional location for an IDS/IPS, if I'm going to write malware I'm going to guarantee that anything going over the network is highly obfuscated or encrypted, and you're not going to see this; it's not going to trigger one of your generic signatures. I'm not just going to send a command shell over plain text. So then we bring ourselves down to the host level. So what can you do at the host level? Well, you've got a couple of different strategies. You can try to patch your systems; you can try to install security software. So for example, you've got antivirus. Well, antivirus is great; antivirus stops all attacks, and nothing has ever gotten past antivirus before. So if you've got that... but just in case that fails, then what happens? Well, the problem is it fails because of this one-size-fits-all mentality. So everybody has the same antivirus; everybody can download McAfee and experiment with that. And what people need to realize when they're complaining that antivirus didn't catch attacks is, if I'm an attacker, I am never going to send you a piece of malware which I think is going to trigger your antivirus. I will keep modifying it until I am sure it's going to get past it. So this is all stuff we've heard of.

So we move farther, to more behavior-based monitoring. Well, now this is a step up. Under this category I would put host intrusion prevention systems. Well, now I can start to customize that and look for bad stuff which the antivirus companies didn't necessarily catch, and so this is pretty good if I take the effort to use it correctly. And yet it's still very limited. So most host intrusion prevention systems out there, actually all host intrusion prevention systems out there, have a set of places where they can watch. They can say, you can make a rule that one process can't touch this file, or something like that. And so a lot of activity which malware uses doesn't get caught. And so this is the main problem: host intrusion prevention systems and antivirus systems and intrusion detection systems and intrusion prevention systems, they all watch certain defined points. So for example, the IDS will watch the network. If I'm writing malware, I know that point could be watched; I'm going to encrypt it, I'm going to obfuscate it, I'm going to do whatever. If I'm avoiding host intrusion prevention systems, I'm going to get a copy of that, which is really easy, every security company out there has trial versions, or you can pirate a version or whatever, and I'm going to see where it hooks in and what systems, what functions it's watching, what actions it can identify and prevent, and then I'm going to do this.

This was actually a slide from a 2004 Black Hat presentation on bypassing host intrusion prevention systems. Really not much has changed since then. In a host intrusion prevention system, and you can't see this, this here is your program, this here is kernel32.dll. Most programs will call kernel32 to write a file or do any other normal system activity. There will be hooks there which will redirect that flow to the intrusion prevention system, which will say, is this allowed to do this, yes or no. And so you can bypass that by simply bypassing the hook, recreating whatever instructions it used, or calling a lower-layer function like ntdll using the native API, or even making direct syscalls into the kernel. So this hook is at this spot, and so you can bypass it. Or you can use other techniques, such as: you can make a file that you can touch and have it hard-link to a file that you can't touch, and the host intrusion prevention system will be dutifully confused, and you will get past it. Because you know what the point is ahead of time, you can spend all your time coming up with a way around it, or a way to skate or bypass whatever you're doing through it. And then you have all these characteristics. So as a malware reverser I can see this: sometimes malware does something which is common, but the host intrusion prevention system isn't watching anything at that point, so I can't identify that, I can't stop that activity. And so this is what you end up with: you end up being the invisible guy in Crysis, and no one will ever see you, and malware will work well, and bad guys win.

So I decided what we really need is a new approach to this, and this approach has to look more like this than the wall. While we know that any particular protection at any particular point may be able to be bypassed, what we want to do is put up enough of them in a way that an intruder will not be able to easily bypass all of them. And this is based on two basic facts. The first of all is that evading point checks is hard. So what do I mean by this? Well, yes, you can do something like bypass that hook, but it's going to take you a significant amount of effort to figure out how to do lower-layer hooks or lower-layer function calls or direct syscalls. Direct syscalls are really hard: every version of Windows, and sometimes service pack, uses different syscalls for the same functions; some of them add functions or remove functions. So if you want to try to make that work, it's very difficult to make a generic piece of malware work using just syscalls, and that is why most malware does not do this.

As an example here, you can take a look at the Duqu malware, everybody's favorite son of Stuxnet or brother of Stuxnet or mother-in-law of Stuxnet, I don't know the malware taxonomy. But Duqu used a process injection technique. So prior to Duqu, all the public process injection techniques, very common in malware, went like this: you get a handle to another process, you can do that by creating a process or opening a process or debugging a process, and then you get memory in the other process, so you can either allocate new memory or maybe you can overwrite existing memory, and then you write your code into the other process. And so that used the function WriteProcessMemory or the equivalent ntdll function NtWriteVirtualMemory. So it went through that point, and then after that point you had to start your code, and so either you could hijack an existing thread or you could use a new thread or you could wait for code to get there anyway. And so there are different ways of doing all these steps, except for the part of writing your code into the remote process; that always used the same thing. So intrusion detection systems, host intrusion prevention systems, watched that point. Well, Duqu used something called MapViewOfSection. It's another obscure native API to get their code into the remote process without going through this point check. And that was very unique, very surprising. It probably took a lot of effort to figure out how to do that, to evade the point check, but it was worth it, because creating point checks is hard.

And I don't want to waste too much time, because I do want to do demos, so I won't go to the link, but I have a link, I'll put this up on my site and you can follow that as an example. To prove that creating point checks is hard, I have here a link to an article on a forum discussing different host intrusion prevention systems. And so they're talking about DSA, I forget what that stands for, but that was just one of the lesser-known host intrusion prevention systems, and DSA included things like keylogger detection. So most keyloggers, in order to get your keystrokes, will use something called SetWindowsHookEx, which will set a hook into the keyboard, or they will use something called GetAsyncKeyState, which will rapidly poll for "is this key pressed down, is this key pressed down," and it will loop that very fast again and again, and it will detect all your keystrokes. Well, somebody came up with a keylogger that used a different function called GetKeyState. They call it Martin's undetectable keylogger, because existing host intrusion prevention systems didn't monitor that function. That function was able to read the keyboard buffer, and all of a sudden the forum poster asked, well, I can't detect these keyloggers, so what do I do about it? And the answer is, well, maybe you could get a new host intrusion prevention system, but that will probably have its own holes, and that'll be its own can of worms. Or maybe you could wait a couple of years, and maybe they will add in the ability to monitor this new function on this host intrusion prevention system. Because creating point checks is hard.

So what can we do in response to this? Well, not anymore. So Ambush is designed with this basic concept. Ambush is a host intrusion prevention system that I wrote, and you can write a signature to apply to any function of any exported DLL, system-wide. And so the idea is now we are no longer limited to watching one particular function or another particular function, because if you see something like, oh, GetAsyncKeyState, you can do a little bit of signature creation, and now you can monitor that function, you can block that function. What's also unique about this is, instead of, say, monitoring ReadFile, let's say malware has a bypass for that by calling the lower-layer ntdll function NtReadFile. Well, now you can put a signature on NtReadFile, and there's no way ahead of time that a malware author is going to know where those hooks are, where those signatures are. And you can be really creative in how you write these signatures and hooks and avoid any of this malware behavior which avoids these point checks.

So this does come with a lot of technical difficulties, however. The first of all is this whole idea of hooking any arbitrary function and any arbitrary number of functions. I have to use a lot of dynamic code generation to try to make that happen. So for example, if you look at the Comodo host intrusion prevention system, Comodo will hook different functions on the system, and for every function that it hooks it has a function which handles the hook. So when your program jumps to the function which you're hooking, it will then redirect execution flow with a jump to the Comodo function. The Comodo function will inspect the arguments, decide if this is something that it needs to act on, and then, if it decides to pass it, it will jump back to the original function, execute that, and continue. Well, I have one single function which handles all the signatures, and I will jump from the function that I'm hooking eventually to this function. Well, this function isn't going to know which function was hooked, it isn't going to know what the signatures are ahead of time, it isn't going to know any of that. So I have to use a lot of dynamic code generation. And if I can make this work, which it's not working... let me pull that up here.

So this is basically what the function hooking code looks like. Starting with the program, it's going to make a call to an API function. At that point I have to use a dynamically generated springboard to load up the configuration, so there's going to be one of these for every function that I hook, and that's going to take a pointer to the compiled signature and put that into one of the caller-saved registers. So x86 and x64 each have registers which the calling function has to save and the callee can overwrite at will, so I use those temporarily to get the pointer, and then use that to jump to my main function, which is hook0. That is the main compiled function which will read the signature, which will tell it what function I hooked, what the arguments look like, and what the restrictions on those arguments are. You can write a restriction that says, if this is a string argument and it matches this regular expression, then block it; or if this is an integer argument and it matches this number or range or bitmask, then block it, or kill the calling process, or kill the calling thread, etc. And then if the signature decides to allow the function to pass, then it has to go back and call the inner API function, and so to do that it has to use a trampoline. So the trampoline will re-execute any instructions that I overwrote to make this hook in the first place, and then execute the real API call, which will then return back into my function. And at that point I can do post-call signatures. So you can write a signature, for example, that says if you call Winsock recv and you just received something from the network, and then after the call the buffer contents look like "MZ" blah blah blah "PE", so it looks like you're just downloading code from the internet, then throw an alert. So you can do post-call signatures to look at advanced behavior using that kind of technique as well.
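The signature logic just described (pre-call restrictions on string and integer arguments that block or kill, plus a post-call check that a received buffer starts with an MZ/PE image), modelled in C as an added example. This is not Ambush's own code: Ambush evaluates compiled signatures inside its hook0 routine on live Windows API calls, whereas this block runs the same decisions over constructed call records so it works on any platform. The struct layout, the function names, the AND semantics between a signature's restrictions, and the sample signatures and calls are this example's assumptions.

```c
/* Added example, not Ambush's own code: a user-mode model of the signature
 * decisions described in the talk (pre-call argument restrictions, post-call
 * buffer inspection, and a resulting action). The intercepted "calls" here
 * are constructed records; all names are this example's own. */
#include <regex.h>
#include <stdint.h>
#include <string.h>

typedef enum { ACT_ALLOW = 0, ACT_ALERT, ACT_BLOCK, ACT_KILL_THREAD, ACT_KILL_PROCESS } action_t;
typedef enum { ARG_STRING, ARG_INT } argkind_t;

typedef struct {                 /* one pre-call restriction on one argument */
    int index;                   /* argument position, 0-based */
    argkind_t kind;
    const char *regex;           /* ARG_STRING: POSIX ERE, case-insensitive */
    uint32_t lo, hi, mask;       /* ARG_INT: inclusive range; all mask bits must be set (0 = any) */
} restriction_t;

typedef struct {
    const char *func;            /* hooked export, e.g. "kernel32!CreateFileW" */
    const restriction_t *pre;    /* every restriction must match (assumed AND semantics) */
    int npre;
    int post_pe;                 /* 1: also require the output buffer to hold a PE image */
    action_t action;             /* what to do when the signature fires */
} signature_t;

typedef struct {                 /* constructed record of one intercepted call */
    const char *func;
    const char *sargs[4];        /* string arguments by position (NULL if none) */
    uint32_t iargs[4];           /* integer arguments by position */
    const uint8_t *buf;          /* output buffer contents after the call */
    size_t buflen;
} call_t;

static int match_string(const char *re, const char *s) {
    regex_t rx;
    int ok;
    if (!s || regcomp(&rx, re, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0) return 0;
    ok = regexec(&rx, s, 0, NULL, 0) == 0;
    regfree(&rx);
    return ok;
}

static int match_int(const restriction_t *r, uint32_t v) {
    return v >= r->lo && v <= r->hi && (v & r->mask) == r->mask;
}

/* Post-call check from the talk: bytes start with "MZ" and the e_lfanew
 * field at offset 0x3c points at a "PE\0\0" signature inside the buffer. */
int looks_like_pe(const uint8_t *b, size_t n) {
    uint32_t e_lfanew;
    if (!b || n < 0x40 || b[0] != 'M' || b[1] != 'Z') return 0;
    e_lfanew = b[0x3c] | (b[0x3d] << 8) | (b[0x3e] << 16) | ((uint32_t)b[0x3f] << 24);
    if (e_lfanew > n - 4) return 0;
    return memcmp(b + e_lfanew, "PE\0\0", 4) == 0;
}

/* Decide what one signature says about one call. */
action_t evaluate(const signature_t *sig, const call_t *c) {
    if (strcmp(sig->func, c->func) != 0) return ACT_ALLOW;   /* signature is for another function */
    for (int i = 0; i < sig->npre; i++) {
        const restriction_t *r = &sig->pre[i];
        int hit = r->kind == ARG_STRING ? match_string(r->regex, c->sargs[r->index])
                                        : match_int(r, c->iargs[r->index]);
        if (!hit) return ACT_ALLOW;
    }
    if (sig->post_pe && !looks_like_pe(c->buf, c->buflen)) return ACT_ALLOW;
    return sig->action;
}

/* Five constructed scenarios; returns the action the matching signature yields. */
action_t demo_case(int n) {
    static const restriction_t cf_pre[] = {
        { 0, ARG_STRING, "system32\\\\.*\\.(exe|dll)$", 0, 0, 0 },   /* path under system32 */
        { 1, ARG_INT, NULL, 0, 0xFFFFFFFFu, 0x40000000u },           /* GENERIC_WRITE requested */
    };
    static const signature_t sig_cf   = { "kernel32!CreateFileW", cf_pre, 2, 0, ACT_BLOCK };
    static const signature_t sig_recv = { "ws2_32!recv", NULL, 0, 1, ACT_ALERT };
    static const uint8_t http[] = "HTTP/1.1 200 OK\r\n";            /* constructed benign data */
    static uint8_t pe[0x48];                                          /* constructed MZ/PE stub */
    call_t c;
    memset(&c, 0, sizeof c);
    memset(pe, 0, sizeof pe);
    pe[0] = 'M'; pe[1] = 'Z'; pe[0x3c] = 0x40; memcpy(pe + 0x40, "PE\0\0", 4);
    switch (n) {
    case 0: c.func = "kernel32!CreateFileW"; c.sargs[0] = "C:\\Windows\\system32\\evil.dll"; c.iargs[1] = 0x40000000u; return evaluate(&sig_cf, &c);
    case 1: c.func = "kernel32!CreateFileW"; c.sargs[0] = "C:\\Windows\\system32\\evil.dll"; c.iargs[1] = 0x80000000u; return evaluate(&sig_cf, &c);
    case 2: c.func = "kernel32!CreateFileW"; c.sargs[0] = "C:\\Users\\bob\\notes.txt";       c.iargs[1] = 0x40000000u; return evaluate(&sig_cf, &c);
    case 3: c.func = "ws2_32!recv"; c.buf = pe;   c.buflen = sizeof pe;       return evaluate(&sig_recv, &c);
    default: c.func = "ws2_32!recv"; c.buf = http; c.buflen = sizeof http - 1; return evaluate(&sig_recv, &c);
    }
}
```

Case 0 fires the CreateFileW signature (system32 DLL path and the GENERIC_WRITE bit), case 1 does not because the read-only access value fails the bitmask, case 2 does not because the path fails the regex, case 3 raises the post-call alert on the MZ/PE stub, and case 4 lets an ordinary HTTP response through. The real engine sees wide-character paths and a compiled form of the signature; the decision flow is what this block is meant to show.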

At that point we then need to return back to our original program, and then you run into an artificiality of Windows API calls: they use something called the standard call calling convention. x86 is painful because it has like five different calling conventions, but almost all the Windows API calls use the standard call calling convention, so I implemented stdcall on x86. So in stdcall the called function has to clean up the stack, so once again I have to know how many arguments are on the stack, and this is different for any of the functions which I can hook, so once again I have to have dynamically generated code to fix up the stack and then return back to the program. This might seem like a lot of overhead, but in reality, although there are a lot of different cases, each one of these is just about three or four instructions to go get the pointer and jump, and I have not noticed a significant degradation in speed with this type of hooking.

So now that we have that, we do run into a number of significant challenges. So before we go further I want to talk a little bit about this. First of all, we mentioned the calling conventions and code generation. Code generation is very difficult because of different assembly complexities. So if I'm hooking a function and it's a standard Windows API function that's exported in kernel32 and it's all documented, they normally have something called hot patch points. So the beginning of the function starts with a "mov edi, edi" instruction, which you don't need to worry about; it does nothing, and it's two bytes. And then it continues with the body of the function. Before the function are five bytes of NOPs, or in Windows 8 they changed that to interrupts, but basically bytes that don't do anything. What you can do is overwrite the first two bytes of the function to be a jump back to the five bytes, and those five bytes can fit a long jump which can take you to whatever code you want. So it's very easy, using those jump instructions, to jump to your code and hook Windows API functions which have hot patch points.
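The x86 hot-patch hook just described, worked through in C as an added example (not Ambush's code): it checks for the "mov edi, edi" prologue and the five padding bytes, writes the long jump over the padding and the short jump back over the prologue, and then follows the jumps the way the CPU would to confirm that a call to the function now lands on the hook. Code memory is simulated with a byte array at an assumed address, and the function and hook addresses are made up for the demonstration; nothing is executed.

```c
/* Added example, not Ambush's own code: the x86 hot-patch hook from the talk,
 * applied to a byte array standing in for code memory so it runs anywhere.
 * Assumed layout: five padding bytes (0x90 nop, or 0xCC int3 on Windows 8)
 * right before the function, and "mov edi, edi" (8B FF) as its first
 * instruction. Addresses below are invented for the demonstration. */
#include <stddef.h>
#include <stdint.h>

#define PAD 5

typedef struct { uint8_t *mem; uint32_t base; size_t len; } image_t;   /* fake code region */

static uint8_t *at(const image_t *img, uint32_t va) { return img->mem + (va - img->base); }
static int in_image(const image_t *img, uint32_t va, size_t n) {
    return va >= img->base && va + n <= img->base + img->len;
}

/* Does func_va start with mov edi,edi and have five padding bytes in front of it? */
int is_hotpatchable(const image_t *img, uint32_t func_va) {
    const uint8_t *p;
    if (!in_image(img, func_va - PAD, PAD + 2)) return 0;
    p = at(img, func_va);
    if (p[0] != 0x8B || p[1] != 0xFF) return 0;
    for (int i = 1; i <= PAD; i++)
        if (p[-i] != 0x90 && p[-i] != 0xCC) return 0;
    return 1;
}

/* Write "jmp rel32 hook" over the padding and "jmp short -7" over mov edi,edi.
 * rel32 is relative to the end of the 5-byte jump, which is func_va itself,
 * so rel32 = hook_va - func_va. Returns 1 on success, 0 if not hot-patchable. */
int install_hotpatch(const image_t *img, uint32_t func_va, uint32_t hook_va) {
    uint8_t *p;
    uint32_t rel;
    if (!is_hotpatchable(img, func_va)) return 0;
    p = at(img, func_va);
    rel = hook_va - func_va;                    /* unsigned wrap yields the two's-complement rel32 */
    p[-5] = 0xE9;
    p[-4] = (uint8_t)rel; p[-3] = (uint8_t)(rel >> 8);
    p[-2] = (uint8_t)(rel >> 16); p[-1] = (uint8_t)(rel >> 24);
    p[0] = 0xEB; p[1] = 0xF9;                   /* EB F9: jmp short to func_va - 5 */
    return 1;
}

/* Where the trampoline resumes the original function: right after mov edi,edi,
 * the only instruction the patch overwrote (and a no-op, so it need not be replayed). */
uint32_t trampoline_resume_va(uint32_t func_va) { return func_va + 2; }

/* Follow short and near jumps the way the CPU would, until a non-jump or an
 * address outside the image (the hook) is reached. */
uint32_t follow_jumps(const image_t *img, uint32_t va, int max_hops) {
    while (max_hops-- > 0) {
        const uint8_t *p;
        if (!in_image(img, va, 5)) return va;
        p = at(img, va);
        if (p[0] == 0xEB) {
            va = va + 2 + (uint32_t)(int8_t)p[1];
        } else if (p[0] == 0xE9) {
            uint32_t rel = p[1] | (p[2] << 8) | (p[3] << 16) | ((uint32_t)p[4] << 24);
            va = va + 5 + rel;
        } else {
            return va;
        }
    }
    return va;
}

/* Constructed 32-byte "kernel32" region with one hot-patchable function at base+16. */
static uint8_t code[32] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,      /* unrelated padding */
    0x90,0x90,0x90,0x90,0x90,                                     /* the five hot-patch bytes */
    0x8B,0xFF,                                                    /* mov edi, edi */
    0x55,0x8B,0xEC,                                               /* push ebp; mov ebp, esp */
    0xC2,0x08,0x00,                                               /* ret 8 */
    0,0,0,0,0,0,0,0 };
static const image_t img = { code, 0x77E00000u, sizeof code };
#define FUNC_VA (0x77E00000u + 16)
#define HOOK_VA 0x10001000u      /* invented springboard address, outside the image */

/* Install the hook and report where a call to FUNC_VA now lands. */
uint32_t demo_hook_target(void) {
    if (!install_hotpatch(&img, FUNC_VA, HOOK_VA)) return 0;
    return follow_jumps(&img, FUNC_VA, 4);
}
/* The function body the trampoline returns into is untouched: push ebp. */
int demo_body_intact(void) { return at(&img, trampoline_resume_va(FUNC_VA))[0] == 0x55; }
/* An address without the prologue and padding cannot be hooked this way. */
int demo_non_hotpatchable(void) { return install_hotpatch(&img, 0x77E00000u + 2, HOOK_VA); }
```

A call into the patched function executes EB F9 (jump back seven bytes), lands on the E9 over the padding, and leaves the image for the hook; the trampoline only has to resume at func+2, which is why this case is easy compared with functions that lack hot patch points. On a real system the two writes would have to be made atomically, and the page made writable first; the talk's x64 variant swaps an indirection pointer instead and is not modelled here.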

jump instructions to jump to your code and hook uh Windows API functions which have Hot Patch points on x64 it uses a different technique where it uses a pointer it says jump to whatever is at this address and then you can swap out that pointer with your address instead of the real function address but on Native API functions lower layer functions other functions this becomes a lot more difficult because what you have is uh you you don't have nice hot patch points so you're you're overwriting actual op codes of the function actual instructions with your jump to your function so you've got recreate those later but those can be kind of complicated because those for example

could be an if statement if this go here else go there so over here when we jump back to our function this trampoline this can actually have multiple arrows out back to multiple places in the inner API function as I have to recreate the jump and rehook up all the offsets to follow that Branch or follow a jump so that entails a lot of difficulties and unfortunately there are some issues so certain functions I have run into a couple of them do not obey standard rules of API calls so they do not obey the caller saves this register they assume the collie is not going to change that register that's very rare but it occasionally happens another thing that

occasionally happens is if I am overwriting actual instructions there's there's a possibility that there could be a loop or jump back to the middle of the instructions that I overwrote which I maybe overwrote with one big jump instruction and so that will cause a crash because it won't be following the path that I thought it would so that's again uncommon but it still happens so what that means is there's a possibility that just setting a hook can cause a crash which we'll see later other issues I ran into was Dynamic loads the concept of how do I get this loaded into every function systemwide into every process and so how I'm doing that is I'm hooking

the create process calls so that a new process which is created will be created suspended my code will be injected into it and then it will resume after it's been all hooked up DLS can also be loaded dynamically and so I hook the a low layer uh dll load so that when a new DL is loaded then I can hook that up if I have signatures for that and finally Windows 8 made like five different changes which broke this they changed how the Hot Patch points looked they changed how some of the Imports looked uh they made a lot of other changes but we have uh have have worked on compensating for that as well so what's the bad news Well given

these difficulties there are certain operational challenges so if you write a fun if you write a signature which blocks a function which is used by core Windows API service you can very easily turn your computer into a brick in contrast with other host intrusion prevention systems which will kind of handhold you and only let you touch certain things the whole point of Ambush is chains are gone you can do whatever you want and so you can very easily kill yourself there's even a possibility that if you write a signature which doesn't do a block or a kill that that could still cause a crash like I said it's not very common but it could happen if you

do that and crash your system then you're pretty much hos you have to reboot into save mode and fix that Etc so the concept of developing using these signatures you do have to be careful I would recommend testing them out in a VM before you use them and the bigger problem is this idea of Kernel hooking so because of patch guard on 64bit which most systems are 64-bit now anyway it is not easy to do a generic hook of Windows system calls Microsoft tries to make that impossible so I decided not to try to so there are ways of trying to turn that off but if you do that then you're breaking what is being sold as a

security measure in itself. There's always a possibility Microsoft could change their PatchGuard implementation and then blue screen everybody you install this on, and there's a lot of other big issues with kernel hooking. So there's the idea that you have to have signed code to load in the kernel. I'm making this as an open source project, and so I'm not going to pay for a code signing cert, which now all of a sudden only I'm the guy who can make this open source project. So there's a lot of difficulties with that, so I'm not doing kernel hooking, and since I'm not doing kernel hooking, all these bypasses where you call a lower layer function or make a direct kernel call

will work. So basically if you are running binary code on a system it is possible to bypass Ambush. So why does this still matter? And this does still matter because there are a lot of instances where, first of all, it can't be bypassed. I might get argument on this from some people, but the basic idea is memory corruption exploits are starting to die, memory corruption exploits are starting to go away, and we're starting to see a lot more emphasis, if you look at the exploits which are actually used in real attacks out there, we are slowly starting to see more and more exploits which are using things like logic errors, command injection, arbitrary file write,

so for example, you know, a few years ago the great reliable Windows SMB exploit MS08-067, used by Metasploit and everybody else to just remotely pop a Windows box, was a memory corruption exploit. Well, add in non-executable memory and ASLR, and Metasploit was never able to come up with an exploit for that which worked on Vista. And so exploit mitigations make those a lot more work and a lot harder. Not that they're not there, but they make it a lot more work and a lot harder. So the SMB 0-day that was discovered with Stuxnet, now all of a sudden they're not using a memory corruption exploit, they're using an arbitrary file write via a logic flaw,

a higher layer logic flaw, and all of these types of exploits can easily be prevented with Ambush, because when I instruct SMB, or I instruct, in the case of the exploit from Stuxnet, when I instruct the Print Spooler to write to a particular file, it will follow the normal kernel32/ntdll function call. I can't instruct a Print Spooler to make a raw syscall and bypass the Windows API. Other exploits which are becoming more common are things like Chrome privileged JavaScript execution. Recent zero-days demonstrated in Google Chrome, there have also been zero-days in Firefox, which have all implemented this type of exploitation. They will obtain

JavaScript code execution with Chrome or full system privileges, and so once again with those privileges yes, you can write a file, you can execute a process, you can do whatever you want, but since you're using a high-level JavaScript abstracted API you can't, say, make a direct syscall. It has to follow the normal Windows API function flow. So you can, with Ambush, prevent whole classes of exploits such as command injection exploits and exploits such as the Chrome privilege exploit, and there are a lot of ways in which it can't be bypassed. There are also a lot of places in which it is very, very difficult to do a bypass. So for example shellcode. Shellcode is again

one of the focuses of Ambush: a small bit of code used in a memory corruption exploit to pull down or pull in the rest of the backdoor and launch that. Normally speaking there's limited space available, whether that's on the stack or on the heap, for shellcode, and so they try to make it as small as possible. Well, oftentimes you only have about 500 bytes or so in order to load up your shellcode, and so it uses raw syscalls, as we'll see. I'll show you an example, if we have time, we should have time, of a bunch of different shellcode and how that works. Well, that will use high-level function calls

like the Windows Sockets call. There is a lot of work that goes on in user mode in order to open up a socket, in order to make a network connection, or in order to download a file, or in order to execute a process, all of which happens in user mode and all of which one of these shellcode pieces is going to have to do. And so for example some shellcode, a lot of shellcode, uses something called URLDownloadToFileA. It's a high-level function which will then, it's the simplest function to go out, download something from the internet, save it to a file, all in one shot. So it's very

popular among shellcode writers. However this function is not used by things like Internet Explorer or Firefox. They all want to maintain control of caching and connections, etc., so they're not going to call this one function which does everything for them. They're going to have control over all those, do it from a lower layer. So if you see this function called at a high level, that's another thing Ambush excels at. You can say if this happens at a high level, even if the low-level result, network traffic downloading a file, is the same, I know that this is probably something bad. And so other host intrusion prevention systems, network intrusion prevention systems, they'll only see that

a download happened, and you can't generically stop all downloads, but you could generically stop all URLDownloadToFileA, and that would stop probably nothing legitimate and lots of malware. And bypassing these is not going to be easy, because let's say I'm a malware writer. I say okay, URLDownloadToFileA might be hooked if somebody has Ambush, well, I'm going to skip the first few bytes of the function, recreate those and just jump to the middle of the function, so if there is a hook on this function I've bypassed it. Well, now with Ambush what I can do is I can write a signature for the WinINet functions. So inside URL

DownloadToFileA calls different functions: open internet, make a connection to a remote server, start reading a file from a remote server, open a URL. All those functions I can put a signature on and say if that function is being called from urlmon.dll, which is the DLL which URLDownloadToFileA is called from, then I know that they're using this function even if they didn't hit my hook on that function. By looking through the call chain back up I can say oh, they're coming from this point, and I can still write a signature to kill the calling thread or process and break the shellcode. So, like I said, you can do

based on that one function call probably about 20 or 30 different possible Ambush signatures to catch that, and it will be very, very difficult for an attacker to use Windows code and not risk hitting one of those functions. So it is very difficult to bypass this unless you completely reimplement everything, and like I said shellcode has to be small, so to reimplement network libraries takes an incredible amount of space. You're talking half a megabyte at least, not to mention I'm not aware of anybody actually doing that on Windows, so you'd have to reverse engineer it, and it's probably different between all the different versions of Windows. At the very least all the syscalls are

different between all the different versions of Windows, so this is not going to be very easy. And finally I'm going to take a little bit of time, not too much time since we're starting to run low, and talk about strategy. When you're doing defense you have to, even if it isn't foolproof, you have to take the best strategy. So there are different strategies which have been proposed, and one of them, I get a kick out of the exploit developer world. Even though I've been one, I've played in it a little bit, I still get a kick out of a lot of exploit developers. So a lot of the real famous hackers, if hackers are famous, are

exploit developers, and what's kind of funny is, even though as much as you're like a total expert on one exact area of computer security, oftentimes you don't get the bigger picture. So some suggestions which have been put forward from some of the offensive community is, well, you should have secure software. So basically either don't write software with bugs or don't use software with bugs. And I mean I'm all for increasing the security of software. For example, if software developers just buckled down and used Java or .NET or any other memory safe language, then we won't have any of the memory corruption vulnerabilities to start with. But it is not a winning strategy to

assume that you can eliminate all vulnerabilities, to assume that you can not use software with vulnerabilities, because they're going to be there. And even if they're not there, a lot of the pentesters I talk to, who are some of the best pentesters, don't even use exploits at all. They just simply send somebody something to click on, they allow the signed applet or the macro or whatever, and they've got access, and it's just more work than it's even worth to try to put together an exploit. So no bugs is not really a good strategy. There's also another strategy here which I get a kick out of, and so this one is, I call it, blame the user. So if you can't

see this, this is a screenshot that I pulled from Twitter where Dan Kaminsky basically says is antivirus even worth anything, and then moo, who's in charge of an antivirus company, goes yeah, we just stopped 500 people from getting infected with this thing, to which attrition, I don't know if whoever wrote this is here, hi, I thought this was kind of funny, says well, it sounds like those 452 people shouldn't be allowed to use a computer. So I mean regardless of, so you know, that's kind of funny. Maybe that is the case, but maybe they were just browsing any random site and that site had a malicious advertisement or whatever which pulled

back to an exploit pack which had a Java exploit which still hasn't been patched by Oracle, and the user didn't really do anything which should have gotten them owned, and they got owned anyway. So blame the user, well, while that may make you feel better inside, it's not going to work. So what else can we do? Well, we do have one example of successful defense. I think it's also kind of funny how exploit developers, you know, on the attack side people are very, very protective if they've got a good exploit, so they are not going to share that out. They're not, you know, sell it for maybe a lot of

money, but they are not going to let other people know about their secret sauce. I think it's kind of funny that it's almost the same way in defense. People who have put up a successful defense often either don't want to tell you about it, or people are on defense and they don't know they've been owned, or they just have no clue in general. And when you go to a, you know, I was a little nervous about even speaking on strategy in the first place, because you go to a talk on strategy and chances are you're either going to get like a guy up here in the C-suite who has like six points and they all start with the same letter

and he's just talking about vague generalities and you don't really get anything from the talk, or you have something which is super specific and you also don't get anything from the talk either. Well, there is an example of successful defense. The link will be on there, from the guys at Lockheed, who are probably the best example, who will actually tell you about what they did: faced significant adversaries and actually stopped them, and also blew a bunch of 0-days, caught a bunch of 0-days that they were using to get in. So it's kind of funny to talk with attackers who are, well, we used a 0-day, you can't catch us, whereas in reality, in order to have a successful defense, what

they did is, using open source info, basic security, somehow, threat research, somehow you identify an attack which the attacking group, whoever is targeting you trying to get in, uses, and you figure out what their command and control are, you figure out what their exploits are, you figure out how they gain access, how they call back, how they send their emails, how they persist on the system, how their malware works, how every single part of this attack works. They had seven different characteristics which they watched in this paper that I linked to. And then you block them and you monitor every single one of those points, so that the next time that they try to

get in, they may change up their malware, they may change up their exploit, they may change up their phish, but oh, they forgot and used one of the same IP addresses which they had before, and now you catch them again and you figure out all their other, their new exploit, their new malware, their new backdoor, and every time they keep trying to get in, since you know so much about their modus operandi, and it is so incredibly difficult to change up your modus operandi and change everything to do with it, most attackers cannot do this, that you stop them, and every time they try to get back in they're just giving you more

of their infrastructure, more of their exploits, more of their tools to burn, and it's actually quite satisfying and enjoyable from a defensive perspective. So having said all that, I'm almost running out of time here, so I don't want to talk too much about commercial HIPSes, but they also all use inline API hooks and they work. All right, let's do a demo. So I do have a demo video, but real men do it live, so I'm going to pray to the demo gods. All right, so this is the Ambush screen. I'm going to go ahead, actually I'm going to pull this out of, I'm going to go ahead and log in here.

You log into Ambush. Ambush is implemented as a server-client thing. The idea is I wanted Ambush to be in a spot, in a position, when I released it, which is now, where you can set up a server, you can set up your signatures on this server, I'm going to go to my demo set in just a second, and you can push out an MSI to everybody on your network which will then report back to your central server for alerts, for signatures, etc. So this should be deployable now in an enterprise if you want to do it. You can also do it on your localhost, but one of the interesting

things with this is, in contrast with stuff I've done before, I think this could really be useful to everybody here who works at a company and everybody here who has a significant network, and I would really like to see this used. And I mean nobody's using this currently on a wide scale. If you're interested in this at all, definitely get in touch with me afterwards, because I definitely want to see if we can make this work. It's open source, it's free, I will help you with any bugs or anything else you encounter. But having said that, first let's go pull up, so when you launch a Metasploit exploit,

I don't know if anybody here has ever looked at the shellcode, but it's going to execute first of all this big bunch of assembly. So this is the reverse TCP assembly source to the Meterpreter stager. So the first thing that it does is it calls LoadLibraryA of ws2_32, and it goes on, makes a bunch of other function calls. So one of the things you can do is you can say well, this is going to be called from memory which is executable and it also had to be written by the exploit. This will be PAGE_EXECUTE_READWRITE, which is unusual and not handled by most

systems. So I'm going to go to my demo set here, and so I've created a signature, along with some other signatures, but I've created a signature here. Basically you go ahead, put in your name for the signature, tell whether you want to block it, kill the calling thread or process. I'm just going to do an alert so I can show you how many times we would catch this. And then you go ahead and choose your function. So I'm going to go to ws2_32, pull up that function, that's going to load up the functions which that DLL exports. So I'm going to, oh sorry, I'm not doing the winsock one, I'm doing the kernel32

one. This is not easy to see, so I'm going to pull up kernel32 and then I'm going to pull up LoadLibraryA. So then it's going to load up the function prototype for that function and then allow me to put in signatures for the arguments. So I can go ahead and put in a regular expression. I can say if I see LoadLibraryA called and it's only calling ws2_32, which is unusual, most legitimate programs will use ws2_32.dll, so I can put in a signature for that. Or I can put in a signature for a return value: if the return value points to memory with a protection of PAGE_EXECUTE_READWRITE, I've just hardcoded that

to 40, but you can actually type in the symbol if you want. Then go ahead and throw me an alert. So it's really easy to put together a signature like this. I just hit submit. I've already created that, the signature is right here, and then it's good in the signature block. So I'm going to go, yes? Yeah, you can. So if I did an import from Windows API, you can define a custom DLL and a custom function, define what the arguments look like, and you can do any function you want. It just has to be standard API on 32-bit. Yes, all those functions which are there, you don't have to go and, no, no, all those functions

which are there are good, they're in. All right, so let me close out some of this stuff. So I have over here my innocent victim, and I'm just going to go ahead, oh, that didn't work, and make sure my signatures are updated. Signatures will propagate like every few

hours. Here you go. Thank

you. All right, all right, so just make sure I have the latest copy of the signatures in case I modified them since I saved this VM. So I'm going to go ahead and open up a good PDF. Sure enough, everything works just handy dandy and it is neato. All right, all is well. Now I'm going to open up this wonderful PDF that a guy named scriptjunkie sent me in the email, and that is going to fire up, oh, it's not on screen, this, and sure enough, oh hey, look at this, I got a shell. So I got a Meterpreter shell on this box, and what's going to happen is it will have

loaded up the shellcode, then it will have loaded up Meterpreter, which also does similar DLL loads. That will get reported centrally. It will wait about 30 seconds to aggregate calls and then boom. Let me go ahead and pull this up to full screen. As we can see here, way down at the bottom, here's the LoadLibraryA with ws2_32, here's the shellcode function which we monitored. You will notice that none of these signatures fired in normal Acrobat operation. When I looked at the safe PDF nothing happened, only when the exploit fired. Other things here you can find, so I put in different signatures looking for if

winsock receives into execute-read-write memory. Those signatures fired, all these LoadLibrary signatures. Let's try something else here. Thing to keep in mind is at any point I could have put the signature to a block and the entire exploit would have failed. So now I'm going to do something else which is very common among malware, and that is do some process injection, which I'm going to run migrate: spawn off a new process, inject into that process, and then kill the existing process. And so I have, let me think here, all right, and in just a second that will fire up. So I put together a couple of signatures on the process injection

functions which Meterpreter uses, and then what you'll find is the reflective loader also loads up other functions, as you see here, as Meterpreter loads all this. And sure enough, boom, here's all your LoadLibrarys. As you can see here we use a VirtualAllocEx into the remote process, WriteProcessMemory, which is what Meterpreter uses to inject code into the other process, and then CreateRemoteThread to start that code. And then sure enough here is the new process, and here is it loading up all the same Meterpreter functions which our existing process started from. Another thing that you'll notice here is that the calling module, this would have a calling module

like which DLL or executable actually made the function call inside the process. That is all blank because none of these calls came from a real module, they all came from the heap or the stack or somewhere. So all that's pretty cool. I will say I don't have time to do the demo, but the same signature will also light up or kill, in addition to any Metasploit stager, it will also kill Canvas, it will also kill Poison Ivy, I think it will also kill Core but I haven't had a chance to try that. And so it's very easy for me, looking at shellcode, to put a signature together like this in a minute which will then permanently

kill it. It doesn't matter how they've encoded it, what exploit they've embedded it with, it doesn't matter how they've put it into an executable or how they've distributed it, PDF, anything, system-wide, any attack, it's killed permanently. And so this is the type of activity which I have Ambush for. Thanks, and I think that's, well, that's almost it. Let me go back over here, and all right, so everything is at ambuships.com. I would show it to you, but my wireless, I don't think my wireless is working very well. Yeah, that's not going to come up, but go to ambuships.com, and that concludes the [Applause] [Music] talk. So any questions? Go

ahead. main sign Library

Right, so at this point I don't maintain state. That's a, I've been trying to think of a good way to do that in a generic fashion. I will say however, when you do make a new signature you can either blacklist, you can blacklist and/or whitelist both processes and calling modules. So if you have a certain process which makes a function call, you can blacklist that process, or you can blacklist the actual calling module inside that process, so if anything else happens, like somebody ends up executing code from the heap as we showed here, then that will still fire the signature. All right, I think that'll be it. If you have any other questions, come

talk to me afterwards. Buy this guy a drink.
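As an added illustration of the signature model the talk describes (a hooked API call checked against an argument regex, the memory protection of the caller, a module on the call chain, and a whitelisted calling module), here is a small evaluator in Python. It is not Ambush's own code; the record fields, signature names, the `0x20`/`0x40` protection values used as sample data, and the sample calls are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

PAGE_EXECUTE_READWRITE = 0x40  # the "40" typed into the demo signature

@dataclass
class ApiCall:
    """One call seen by a user-mode API hook (constructed record layout)."""
    process: str
    function: str
    args: tuple
    calling_module: str        # "" when the caller is not a mapped module (heap/stack)
    caller_protect: int        # page protection of the memory the call came from
    call_chain: tuple = ()     # modules further up the stack, nearest first

@dataclass
class Signature:
    name: str
    function: str
    action: str = "alert"               # alert / kill_thread / kill_process
    arg_regex: dict = field(default_factory=dict)  # arg index -> full-match regex
    caller_protect: Optional[int] = None
    chain_module: Optional[str] = None  # fire only if this module is on the call chain
    module_whitelist: set = field(default_factory=set)  # lowercase module names

    def matches(self, call: ApiCall) -> bool:
        if call.function != self.function:
            return False
        # A whitelisted calling module is trusted; a blank module (heap/stack) never is.
        if call.calling_module and call.calling_module.lower() in self.module_whitelist:
            return False
        for idx, pattern in self.arg_regex.items():
            if not re.fullmatch(pattern, str(call.args[idx]), re.IGNORECASE):
                return False
        if self.caller_protect is not None and call.caller_protect != self.caller_protect:
            return False
        if self.chain_module and self.chain_module.lower() not in (m.lower() for m in call.call_chain):
            return False
        return True

SIGNATURES = [
    # Stager loads winsock by bare name; ordinary programs pass "ws2_32.dll"
    Signature("stager LoadLibraryA ws2_32", "LoadLibraryA", "alert", {0: r"ws2_32"}),
    # Any LoadLibraryA issued from RWX memory: code the exploit wrote, then ran
    Signature("LoadLibraryA from RWX memory", "LoadLibraryA", "kill_thread",
              caller_protect=PAGE_EXECUTE_READWRITE),
    # WinINet reached through urlmon.dll: catches URLDownloadToFileA even if its hook was skipped
    Signature("WinINet via urlmon.dll", "InternetOpenUrlA", "kill_process",
              chain_module="urlmon.dll"),
]

SAMPLE_CALLS = [  # constructed, modelled on the demo
    ApiCall("AcroRd32.exe", "LoadLibraryA", ("ws2_32.dll",), "AcroRd32.dll", 0x20,
            ("AcroRd32.dll", "AcroRd32.exe")),
    ApiCall("AcroRd32.exe", "LoadLibraryA", ("ws2_32",), "", PAGE_EXECUTE_READWRITE),
    ApiCall("app.exe", "InternetOpenUrlA", ("http://example.test/a",), "app.exe", 0x20,
            ("app.exe",)),
    ApiCall("AcroRd32.exe", "InternetOpenUrlA", ("http://example.test/b",), "urlmon.dll",
            0x20, ("urlmon.dll",)),
]

def evaluate(calls, signatures=SIGNATURES):
    """Return (signature name, action, process) for every call a signature matches."""
    return [(s.name, s.action, c.process) for c in calls for s in signatures if s.matches(c)]
```

Running `evaluate(SAMPLE_CALLS)` fires nothing for the two benign calls and three hits for the two shellcode-style calls.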