
Can everybody hear me? Sound good? Awesome, off to a good start. Cool. So thanks everyone for coming to my talk, titled Unpacking Impacket: How to Detect Remote Execution of Offensive Security Tools. I know it's close to lunchtime, so I'm getting hungry as well, so I appreciate the time.

Who am I? My name is Tyler Bullman, I'm an incident handler at a company called Red Canary. I like to describe it as ghost hunting in computers: find evil and figure out why computers misbehave and do bad things. Before joining incident handling I was actually the first technical support engineer at Red Canary, and before that I worked
at various MSPs doing a lot of different IT work, help desk, desktop support, stuff like that. A little bit about me: I'm a girl dad, there's a picture of my two girls, one is a dog and one is a human. I also really enjoy jiu jitsu, which is just wrestling in fancy pajamas, and I enjoy coffee so much that I put it in all caps.

Quick overview of what we're going to cover: we'll define what Impacket is, next we'll discuss why you should care and what the significance is here, then we'll briefly cover detection and response, after that we'll start to talk about tracing it back to initial access, after that some future considerations
and then we'll end with a Q and A. Cool.

What is Impacket? Impacket is basically just a collection of Python classes that are used to target Windows networking protocols. The project used to belong to SecureAuth, but I guess earlier this week Fortra announced that they're undertaking the project going forward. Fortra, formerly known as HelpSystems, has everybody's favorite adversary emulation tool called Cobalt Strike, so maybe they'll call it Cobalt Impact or something like that, who knows. But it's essentially a low-impact tool, very versatile, used to attack all the things: it can do enumeration and discovery, capture hashes, move laterally throughout the environment, perform some privesc, and of course what we'll talk
about today, remote execution. Also on the right there, it can attack those targets, those protocols: Kerberos, Windows secrets, WMI, etc. Show of hands, who's used Impacket but only in a testing scenario, like pen test stuff like that? Has anyone encountered it on like a surprise pen test or malicious use? Okay, cool.

So why should you care? From my perspective at least, at Red Canary we normally see this as testing activity, and testing only. It's usually used in common scenarios like AD assessments, internal assessments, assumed breach, stuff like that: very limited in scope, but they're trying to accomplish the same things as an adversary, just the
severity of what they're trying to do is slightly different. That's why under the uses they're meant to look the same, except for the adversary executing malware and deploying ransomware, slightly different outcomes there. And then for the examples: the pen tester is going to pop calc remotely, see if I can execute some code on a remote endpoint, and the other one is executing WhisperGate, so I'm going to destroy the MBR and then leave a ransom note. So Impacket use essentially exists on two ends of the spectrum: when it's testing it's good, we kind of just shrug it off, but when it's adversary use it can be
bad and really lead to worse things pretty quickly. So it kind of blurs the lines and lulls us into a false sense of security. Additionally, it also differs from other threats, at least from my perspective. When we talk about commodity malware, using Gootloader as an example, if we look at that command line there we can intuitively derive a lot of information about what's going on pretty quickly: we see wscript executing this JavaScript file, that JavaScript file was in a zip file, and the name of the file looks to be related to some kind of search query, possibly. So really quick we have a lot of useful information that
kind of drives our investigation. Next we have Exchange exploitation via a web shell. With that process execution there, w3wp, or as the cool kids say, "whoop", spawning cmd or PowerShell, that kind of looks odd, kind of looks very suspicious. We can infer it might be related to a web shell; if there is command line information available that starts with echo, that kind of points us more in the direction that it is a web shell, and we can start looking at IIS logs to pull in additional context. So it's kind of intuitive, we can derive a lot of information from there. Oops, I forgot my memes. So we like the first one, it's easy to
investigate; the second one, easy to investigate too. But then we have remote execution with Impacket and we get this weird command line that is a bunch of gibberish, initially looking at it, so harder to investigate. We don't really like that.

Really quick, just wanted to go over how I did my testing, super simple. At a high level, the data collection is just Sysmon, and I'm using Olaf Hartong's default Sysmon config, and then we just have the default Windows event logs that are available. Operating system: just a local Windows 10 VM and Kali Linux. Tools to kind of display this information: I used Eric Zimmerman's Timeline Explorer, and also there's a
suite of Sysmon tools, and [inaudible] is in them. And then the scripts I tested: psexec, smbexec, wmiexec and dcomexec.

So first we'll discuss psexec. It's actually not PsExec from Sysinternals, it's based off of RemCom, which is basically just open source PsExec. It connects to remote machines to execute commands using a named pipe. What is a named pipe? It just allows for interprocess communication, uses a client-server architecture to basically just transfer data back and forth. Cool, yeah, it communicates over 445 as well. So the event logs that it generates, there's four of them: 4624, so for that one we're specifically looking for
logon type 3, which is over the network; it's going to contain the compromised username and then the remote IP of the device that it's coming from. We'll also see 4672, so those special permissions that are granted to that compromised username. We'll also see some logoff events, usually when the shell exits or when a command is entered. And then lastly we get 7045, which is just showing that a service has been created. This is kind of what that data looks like in Timeline Explorer: so the top red box is showing 4624 and 4672, and then we can see the affected user, in this case it's Bob; we have remote IP information and then also that logon type 3 just
showing that it's occurring over the network; 4672 showing those special permissions assigned; and then the 4634 logoff event. And then if you look at the bottom, 7045, you get the display name of the service and also the image path of where that's pointing to, so pointing to that service binary that gets randomly generated. Looking at this from Sysmon, we get this nice process hierarchy: so we get that service binary that gets created spawning cmd, and then for general enumeration I just did whoami and hostname, so pretty easy to follow there. And then the Sysmon events that it creates, there's three of them
that stick out, at least to me: System writing that service binary to disk in C:\Windows; pipe creation, the named pipes are prepended with RemCom, so just supporting more evidence towards it being RemCom and not actually PsExec; and then registry modifications, so the ImagePath specifically pointing to that service binary. And then if we're going to go about querying or searching for this data, I have some pseudo detection logic that just at a high level takes the Sysmon data and puts it in kind of a query format. So we have System looking for a file being created in C:\Windows, that again is that service binary,
service being created, that one probably will be pretty noisy depending on the endpoint activity, so maybe false positive prone there, and then that pipe creation, so that service binary creating a pipe that starts with RemCom.

Then we move on to smbexec, so pretty similar to psexec. This is actually based off of Eric Milam's smbexec project from 2012, 2013 I think. His main use case was to get obfuscated Metasploit payloads to a remote endpoint, basically to evade AV. This is again similar to psexec, except it doesn't actually drop a binary to disk but still creates a service, uses a batch file for execution, and then there's a temporary file
that's there for the output, and then it also communicates over 445. Just like psexec, it's going to generate those same Windows event logs as well. So again, if we look at that in Timeline Explorer we see kind of similar activity to psexec, but for the service creation, if you look at the executable info column, those are all the commands that are being generated, and that's going to point to the image path for the registry modification. "cd" is echoed when the shell first connects to the remote endpoint, and then whoami, so that gets updated in an iterative fashion. So kind of interesting to see, and
this is what it looks like in Sysmon from a process hierarchy standpoint, so services spawning cmd, and then again I did the simple enumeration with whoami and hostname. For Sysmon registry modification events, looking at the ImagePath specifically, it's going to point to not a service binary this time but a temporary file called execute.bat, so that's that batch file that's executing the commands, and then a temporary output file in the root of C. By default the service name for smbexec is BTOBTO, but you can change that in the script itself, but a lot of people don't. And then the command line down there, I just wanted to point out the whole
command line since it gets kind of cut off in the screenshot above it. Then file creation, so it's going to create that execute.bat file in C:\Windows\Temp. The way it executes is kind of interesting: if you look at the white box, the bottom red box is actually echoing the command into that execute.bat file, and then the way it executes that is it spawns another cmd process, and that cmd process just goes ahead and executes that bat file. So that's why you see services spawning cmd: that's going to echo whatever command you're entering into that execute.bat file, and then a
secondary cmd process will spawn to actually execute the batch file, so kind of interesting. And then again, pseudo detection logic for smbexec: so we have cmd creating a file execute.bat, and I put C:\Windows\__output, but I actually didn't get a file creation event for it, and I'm wondering if it's because that doesn't have a file extension, so something to look out for there. And then registry modification again with services being created, might be noisy, might be false positive prone, and then command line execution, so cmd which has a CLI of that whole string there.

Next we move on to wmiexec. I was going to say it's the
same as smbexec, but it's actually stealthier: it doesn't create a service at all. It uses Windows Management Instrumentation, which basically allows remote access to Windows endpoints; a lot of system administrators or network admins use it to manage endpoints within their environment. It communicates over 135 and 445 for that initial shell connection, and then subsequent data is sent over a dynamic port through that port range. So for Windows event logs we have three, just like the previous two scripts except we don't get a service creation here, so no 7045 being created. So again, this is what it looks like in Timeline Explorer, pretty similar to the previous two except there's going to be no service
being created. And then from a Sysmon point of view, this is the process hierarchy: so we have WMI spawning cmd and then whatever command you're going to enter. For Sysmon events we have a file being created, so if you look in the blue boxes, C:\Windows and then a funky string of characters or numbers, that is actually an epoch timestamp. So forensically that's kind of nice to have, because you get the date and time of when the execution occurred and also when those commands were going off. And then for process CLI, just wanted to point out that cmd is executing this command line here, so pretty unique: it's going to proxy whatever
command you're entering, so in this case whoami, to that temporary file in that admin share, and then spawn whoami in this case. And then just like the previous two, some high-level pseudo detection logic: so again we have System creating a file, that epoch timestamp in C:\Windows; some command line execution, so cmd that has a command line of that unique string of characters there; and then a child process of WMI spawning cmd. One thing to look out for, the child process one: if you use WMI legitimately in your environment, that's going to be the execution chain. I think SCCM also uses this as well, and then additionally
malicious Word macros, to break that parent-child process relationship, also use this as well, so some things to look out for there.

And then dcomexec, very similar to wmiexec except that it uses DCOM objects. It supports right now MMC, ShellWindows and ShellBrowserWindow, and this is actually based off of Matt Nelson's work that he's done for DCOM lateral movement techniques. DCOM, if you don't know, is basically middleware: it acts as a hidden translation layer between the operating system and applications to transmit data, basically. I also call it black magic because it works in mysterious ways. It also communicates over 135 and 445 for that initial connection, then sends
additional data over a dynamic port. Similar to wmiexec, it's going to generate those same three Windows events, and again looks pretty similar to wmiexec looking at it in Timeline Explorer. This is what it looks like in Sysmon: so we have mmc.exe, which is super interesting, that it spawns cmd, and then again executing those enumeration commands, whoami and hostname. As I was making the slide I was actually thinking, how common is this in real large environments? Something to kind of further investigate. For Sysmon events we have a file being created, so similar to wmiexec we have a file being created in C:\Windows, and instead of a date-time stamp it just looks like
a date stamp in epoch format, and then also the process creation, so MMC spawning cmd with those command lines over there on the right.
And then next we have some pseudo detection logic, so pretty similar to wmiexec: System creating a file in C:\Windows starting with __; command line execution, so cmd having that command line of that unique string there; and then the child process is interesting, MMC spawning cmd as well.

All right, now that we've covered some detection methods for understanding how those various scripts work and what they look like, we can look back at our alert from earlier in a previous slide and kind of start to investigate it. This is something that I always remember whenever I start an investigation. I don't know if anyone has taken Chris Sanders' Investigation Theory course, but I highly recommend it: so a question well stated
is a problem half solved. So some things to start asking yourself to help identify scope and situational awareness: since we just have one alert, this is going to be just affecting one endpoint so far; and then since we know the endpoint we can determine if this is actually a workstation or a server, a workstation in this case; and then what user or users are affected, in this case we just have Bob, who's been compromised. Can we account for this endpoint, do we know the system owner, do we know the endpoint role, etc.? Yes, but just on the affected endpoint here. To cover situational awareness: where are we in the incident response process?
So currently identification, since we've identified this kind of execution going on on a workstation, but we need to quickly move to containment and then remediation efforts to remove the threat. And then how far is the adversary within their attack objectives? So they're already performing some kind of execution there, and then from that, what kind of assumptions can I make? Initial access has already taken place somewhere, user credentials have probably been compromised, this could be coming from some unmonitored or rogue endpoint. Then I made this Impacket cheat sheet just quickly to help with triage as well, actually. So if we look back to this command line here we notice the epoch timestamp after the admin share,
and then looking at the cheat sheet, okay, this is actually wmiexec, we should be looking for a file being created in C:\Windows, and then also some event IDs to investigate, and Sysmon event IDs as well if we have those available. And then also just wanted to include this, since this is what each script looks like over the network: I just performed netstat on the remote endpoint this was happening on. So psexec actually creates four connections on 445, smbexec only creates one on 445, and then wmiexec and dcomexec kind of look identical, so they both connect initially on 135 and 445 and then submit additional data over
that dynamic port.

And then tracing back to initial access: so usually when it's a test we don't really think about initial access, because they're already on the internal network, they've been given an endpoint and user credentials probably, so initial access is usually an afterthought. But when it's adversary use we kind of panic and try to figure this out quickly, especially if it's on an unmonitored endpoint. So I like to ask, how did this happen, where did it come from? From my experience I've usually seen this come from a rogue endpoint, usually coming from some VPN service getting popped, or Citrix Gateway, or in a rare case there was a VoIP Mitel box that got popped and it was
coming from that, which was pretty interesting. So then that leads us to think about other internet-facing services, so that's why I put those three techniques there for initial access: external remote services, using valid accounts, and then maybe exploitation of some public-facing or internet-facing web application. And I thought this screenshot here was interesting, it's just showing the most common or top CVEs exploited by Chinese APT groups since 2020. A few of those are VPN or Citrix services, and then half of them I think are remote code execution, and then everyone's favorite is at the top, Log4j. So I thought that was interesting there and something to always think about.
Future considerations: don't use Active Directory, just use sneakernet. You of course use Active Directory, but some things to think about. There's this really great Mandiant article where they go over a lot of great advice, so some things that they talk about are segmentation and disabling admin and hidden shares (that's a typo). And then further we have, if you're familiar with Atomic Red Team, there's two tests in there that you can use if you don't want to spin up Impacket yourself. So segmentation: when we think about our architecture, workstation to workstation, and then workstation to any non-DC or non-file server, we can consider blocking incoming connections from SMB or RPC,
so that's pretty much what Impacket uses, in this case these four scripts. Additionally we can think about RDP, if we use Windows Remote Management as well, and then those dynamic ports for WMI. Again, this is just a consideration, something to think about; you could legitimately break something if you just block these outright without testing. And then disabling admin or hidden shares: these are some common admin or hidden shares listed here. Impacket usually abuses the admin share. Again, if you use PsExec legitimately in your environment this actually might break things, so something to consider there. Always test, don't just implement these without testing.
That's the registry key for both workstations and servers there; you could also create a service to disable these or use GPO. And then lastly we have two Atomic tests from the ART repo that you can test with, one for executing commands out of the local admin share and also WMI execution, for remote execution there. That's it, any questions?
Super quick question.
That's, yeah.
I think so, but that's, I mean, that's a really good question. I haven't really thought about that yet, but that kind of removes the scenario that you'd commonly use Impacket for, right? You'd use it on a domain environment to move laterally, quickly execute code. I would think so, but I'd have to do testing, but that's a good consideration, a great question. On WMI being deprecated, I think earlier this year, did you find shops that have it still around, and does Impacket do anything with... It's another good question. I haven't really noticed that or seen that. I think the two main scripts I've seen used are smbexec and wmiexec, but
thank you, yeah, I've seen it still working in a test scenario, so I haven't really seen any issues with it not working. Does that help? Yeah, okay, cool. My question was, if we'd like to test out the material that you presented here ourselves, what would be the best place to start? You mentioned a few resources there, I didn't get them all written down, so I don't know if this slide deck is available, shared? Okay, they can share the slide deck. If you feel like spinning up a Windows domain environment you could do it that way, or do like I did, just test it with the local Windows VM and then just run Impacket from
like Kali, or download the repo yourself. Does that help answer your question? Cool.
Yeah, my question: you had a list of IOCs for the various exploits. How have you implemented it into a live environment, as I'm sure you have, but how noisy have you seen this, turning on these alerts in conjunction with legitimate events? And I know that's subjective per environment, but in general what have you observed? Are you talking about the detection logic? Yes. Yeah, so obviously you want to tune and test that detection logic, and every environment's different, and there's also, since Impacket is open source, that code has been reused for like vuln scanners or other legitimate tools that inventory AD environments. There's a tool called Block 64 that
actually does this, so that's something to look out for there as well. It can be really noisy, but again, from a vendor perspective it's hard to know that internal environment context, but if you know your environment pretty well, like you use PsExec legitimately or WMI to administer things remotely, that's additional information and insight that you have to say, hey, this is actually normal. So it would take some tuning and baselining to initially see, hey, how often is this occurring in my environment, and then from there trace that back to whether it's legit or not. That's how I'd kind of handle that. Does that help answer
your question? Cool, thanks everyone, appreciate it.
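The pseudo detection logic the talk walks through for psexec, smbexec, wmiexec and dcomexec, carried through as runnable Python over constructed Sysmon-style events. This is an added example, not the speaker's slides or Red Canary's detection code: the event field names, the sample values (the random service binary name, the epoch values, the BTOBTO service path, the benign noise events) and the exact regex patterns are my assumptions modelled on the indicators the talk describes.

```python
import re

# Constructed Sysmon-style events (not captured from the talk's lab) mimicking the
# indicators described for each Impacket script. Event IDs follow Sysmon:
# 1 = process create, 11 = file create, 13 = registry value set, 17 = pipe created.
SAMPLE_EVENTS = [
    # psexec.py: System writes a random service binary, pipe name prefixed with RemCom
    {"id": 11, "image": "System", "target": r"C:\Windows\mHdeTrqv.exe"},
    {"id": 17, "image": r"C:\Windows\mHdeTrqv.exe", "pipe": r"\RemCom_communicaton"},
    # smbexec.py: cmd writes execute.bat, the service ImagePath points at it
    {"id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Windows\Temp\execute.bat"},
    {"id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\BTOBTO\ImagePath",
     "details": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 "
                r"> C:\Windows\Temp\execute.bat"},
    # wmiexec.py: WmiPrvSE spawns cmd, output proxied to ADMIN$\__<epoch timestamp>
    {"id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1676541234.56789 2>&1"},
    {"id": 11, "image": "System", "target": r"C:\Windows\__1676541234.56789"},
    # dcomexec.py: mmc.exe spawns cmd with the same redirection pattern
    {"id": 1, "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c hostname 1> \\127.0.0.1\ADMIN$\__1676541300 2>&1"},
    # Benign noise: a user-launched cmd and a normal service install (should not fire)
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c hostname"},
    {"id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"C:\Windows\System32\spoolsv.exe"},
]

# Assumed patterns: 8-letter random service binary (psexec), and the "__<epoch>" output
# file in the ADMIN$ share that wmiexec/dcomexec redirect command output into.
SERVICE_BINARY = re.compile(r"^C:\\Windows\\[A-Za-z]{8}\.exe$")
EPOCH_OUTPUT = re.compile(r"\\\\[^\\]+\\ADMIN\$\\__\d{9,10}(\.\d+)?", re.IGNORECASE)
WINDOWS_EPOCH_FILE = re.compile(r"^C:\\Windows\\__\d{9,10}(\.\d+)?$", re.IGNORECASE)


def proc_name(path):
    """Last path component, lower-cased, so image/parent comparisons ignore the directory."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the Impacket script a single event points at, or None if nothing matches."""
    eid = ev["id"]
    if eid == 17 and ev.get("pipe", "").lower().startswith(r"\remcom"):
        return "psexec"
    if eid == 11 and ev["image"] == "System" and SERVICE_BINARY.match(ev["target"]):
        return "psexec"
    if eid == 11 and proc_name(ev["image"]) == "cmd.exe" and \
            ev["target"].lower().endswith(r"\execute.bat"):
        return "smbexec"
    if eid == 13 and ev["target"].lower().endswith(r"\imagepath") and \
            "execute.bat" in ev.get("details", "").lower():
        return "smbexec"
    if eid == 11 and WINDOWS_EPOCH_FILE.match(ev["target"]):
        return "wmiexec/dcomexec"  # same file artifact; the parent process decides which
    if eid == 1 and proc_name(ev["image"]) == "cmd.exe" and \
            EPOCH_OUTPUT.search(ev.get("cmdline", "")):
        parent = proc_name(ev.get("parent", ""))
        return {"wmiprvse.exe": "wmiexec", "mmc.exe": "dcomexec"}.get(parent, "wmiexec/dcomexec")
    return None


def detect(events):
    """Run every event through classify() and return (script, sysmon_event_id) hits in order."""
    return [(label, ev["id"]) for ev in events for label in [classify(ev)] if label]
```

The two benign events fall through every rule, which is the point the talk makes about tuning: the service-creation and parent-process rules are the ones flagged as false-positive prone, so they belong behind baselining of legitimate PsExec, WMI and SCCM use rather than straight to a page.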