Showing posts with label endpoint. Show all posts

Sunday, October 11, 2020

C&C with Empire - A Mitre Att&ck T1071 and T1086 Demo

".. a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. It premiered at BSidesLV in 2015."

ReadMe file of Empire


Empire is a publicly available post-exploitation framework used by nation-state threat actors and red teams. This demo is about gaining C&C over a victim and maps to the MITRE ATT&CK® Tactic: Command and Control and Techniques: T1086, T1071.

Install Empire with this command so that all of its functions are available:

        git clone https://github.com/BC-SECURITY/Empire

After installing Empire, we create a listener on port 80. I am using Ubuntu for this demo.



After starting the listener, we need a stager. Here we use a batch stager:


Executing the commands above creates a malicious batch file in the /tmp/ folder. When the victim executes this file on his or her machine, we get a session. With the "agents" command we can see the active sessions, as shown below. Then, with the "interact <agent id>" command, we get the C&C connection to the victim.



Empire is a capable and fast C&C framework, but without obfuscation its processes are easy for defense teams to detect. In Event Viewer we can find logs of the malicious behavior:


For defense, it is important to run an EDR solution on the endpoint. See my EDR Choosing Guide post.

Saturday, October 10, 2020

Credential Dumping - Attack and Defense Techniques (MITRE ATT&CK T1003)

Credential Dumping

As MITRE says on its website, adversaries dump credentials to obtain login credentials for lateral movement once they have gained access to a computer. Several tools and techniques may be used to dump a computer's credentials. Here, as a quick demo, I will show two different credential dumping techniques and how to prevent them using FireEye's Endpoint Security product.

lsass

Before the demo, I want to give a short brief about lsass. LSA (Local Security Authority) is the component that authenticates users to the computer. It checks the SAM (Security Accounts Manager) database to validate user information. LSASS.exe (Local Security Authority Subsystem Service) is the process responsible for enforcing the local security policy on the system. If someone can dump lsass on the computer and obtain the dump file, the users' credentials are stolen, because lsass holds the credentials in its memory (as clear text or as hashes, depending on the OS).

FireEye HX Process Guard

HX is the Endpoint Security product of FireEye, as you probably already know. I will not explain here what it is and what it does; in short, it is an EDR solution that also includes AV and some other prevention modules. I wanted to try its Process Guard module, which basically blocks attackers from dumping the lsass process.

"The Process Guard Module for FireEye Endpoint Security prevents attackers from obtaining access to credential data or key material stored within the lsass.exe process, thus protecting endpoints against common credential theft attacks" says FireEye about Process Guard. 

Here, I will show some techniques to dump lsass and how Process Guard prevents them. These techniques map to the MITRE ATT&CK® Tactic: Credential Access and Technique: T1003.


Credential Dumping with comsvcs.dll

comsvcs.dll is part of the Windows OS. It is a hidden system file found in \Windows\System32, and its minidump function can be called with rundll32.exe, so it can be used to dump credentials from the lsass.exe process.

First, the process ID of the lsass.exe process must be identified:


Then, the command below dumps lsass:


A file of about 48 MB is created by this process:

Now it is time to use Mimikatz on the dump and get the passwords, either in clear text or as password hashes (depending on the OS):


As you can see, it is very easy to get the credentials of a user on a compromised computer if you do not protect the lsass.exe process against malicious behaviour. Now I will try to prevent it using FireEye HX's Process Guard module. For this, I enable the Process Guard module in my computer's policy:


Then I run the lsass dump command again:


When I check the created dump file afterwards, I can see that a 0 MB file has been created:


When I check the Process Guard module in HX's console, I can see that HX has detected this behavior, performed through PowerShell:




Credential Dump with ProcDump


ProcDump is a Sysinternals tool used to generate memory dumps of applications. After disabling the Process Guard module on HX again, I try to dump lsass using ProcDump:


A 48 MB file has been created:


Again, Mimikatz is used to get the passwords or hashes (depending on the OS):


Then, let's try again after enabling Process Guard. I run ProcDump again, but this time Process Guard is enabled:


It got an error while creating the file and could not create any dump file.

NOTE 1: These tests were done while HX's Antivirus was disabled. Otherwise, AV would block Mimikatz and delete or quarantine it. This is the alarm for that behavior:



NOTE 2: Even if you do not enable Process Guard and Antivirus at the same time, HX generates an IOC alert for these attacks. The IOC tells us that the "-ma" option is being used with "lsass.exe" on cmd. This attack and IOC map to the MITRE ATT&CK® Tactic: Credential Access and Technique: T1003.
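As an added example (not code from this post, from FireEye or from the Sysinternals/Windows tooling), the following Python runs the two lsass dump patterns shown above, rundll32.exe calling comsvcs.dll's minidump function and ProcDump run with "-ma" against lsass.exe, as detection rules over constructed process-creation log lines. The key=value log format, the PIDs, paths and parent processes are all assumed sample values.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon event ID 1 / 4688 style, flattened to
# key=value). Sample data made up for this example, not telemetry from the post.
SAMPLE_EVENTS = [
    'pid=4400 parent=powershell.exe image=C:\\Windows\\System32\\rundll32.exe '
    'cmdline="rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 652 C:\\tmp\\out.dmp full"',
    'pid=4412 parent=cmd.exe image=C:\\Tools\\procdump.exe '
    'cmdline="procdump.exe -accepteula -ma lsass.exe C:\\tmp\\lsass.dmp"',
    'pid=4420 parent=explorer.exe image=C:\\Windows\\System32\\rundll32.exe '
    'cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
    'pid=4431 parent=cmd.exe image=C:\\Tools\\procdump.exe '
    'cmdline="procdump.exe -accepteula -ma notepad.exe C:\\tmp\\np.dmp"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    pid: str
    parent: str
    rule: str
    technique: str = "T1003"  # MITRE ATT&CK Credential Dumping, as mapped in the post


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}


def check_event(ev):
    """Return an Alert for either lsass dump pattern from the post, else None."""
    cmd = ev.get("cmdline", "").lower()
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    # comsvcs.dll's minidump function invoked through rundll32.exe
    if image == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd:
        return Alert(ev.get("pid", "?"), ev.get("parent", "?"), "comsvcs_minidump")
    # ProcDump full dump ("-ma") of lsass.exe, the IOC described in NOTE 2
    if image.startswith("procdump") and "-ma" in cmd.split() and "lsass" in cmd:
        return Alert(ev.get("pid", "?"), ev.get("parent", "?"), "procdump_lsass")
    return None


def scan_events(lines):
    """Run every line through check_event and keep only the hits."""
    return [a for a in map(check_event, map(parse_event, lines)) if a is not None]


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a.technique} {a.rule}: pid={a.pid} parent={a.parent}")
```

The benign rundll32 and ProcDump lines are included so the rules can be checked for false positives as well as hits.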



Wednesday, June 17, 2020

Host-Based Firewalls - A Possible Nightmare for IT Pros

With the growth of remote work during Covid-19, clients are now more independent, with laptops and mobile phones that are used for personal purposes besides organizational ones. Not only workers but also computers and data are now outside the organization and outside most of its protection layers, such as the firewall and IPS. Vulnerabilities and attacks continue to surface, but remote users' connections and VPNs also make it harder for IT teams to patch and protect the clients.

 

Host-based firewalls help security professionals in many ways. First, they control incoming and outgoing traffic, which makes them a very critical defense layer. For example, security pros may want to block all inbound connections to the client host that are initiated from outside. This is a very basic protection against some kinds of malware.


Some sensitive applications, like SWIFT, should be isolated from the rest of the organization's network. But it is not always practical to create VLANs for just a few PCs or servers. In situations like that, host-based firewalls are true saviors: these sensitive PCs and servers can be isolated with host-based firewalls. Since most antivirus agents also include a host-based firewall feature, this solution becomes easier and more logical.


Meanwhile, organizations should not make it a habit. In large organizations with thousands of PCs and servers, this kind of isolation on host-based firewalls can easily turn into a nightmare, since hundreds of rules have to be written. If these rules are not maintained properly, especially with turnover in the administration team, a tangle of rules can harm PCs and the network more than it protects them. Inevitably, every rule written for each small group makes the rule list more complex, and it becomes more likely that a mistake is made while adding new rules.


So, even though host-based firewalls are important and valuable solutions, they should be used only as needed, and should not become the regular solution for isolation.

Monday, March 23, 2020

Fall of A Hero - Rise and Fall of AV

All IT security experts have surely faced situations where someone unrelated to security knows only about AV when it comes to computer security. AV was the hero of our security for a long time.

Legendary Times

AV began its adventure as signature-based protection against known viruses and worms. As threats developed, first with script kiddies and then with financially motivated hacker groups, it was enough to update signatures weekly or every few days. Today things work a little differently; actually, much more differently. As mentioned in the "A Guide to Choose EDR" post, with the explosion of connectivity between PCs and mobile devices and the growing use of cloud day by day, threats have also changed. Attackers now have the ability to bypass signature-based detection and protection technologies. To deal with these situations, heuristic detection was added to AV. Machine learning and behavior monitoring were added to detect and block suspicious behaviors. AV vendors also added host-based IDS/IPS, host-based firewall and device control capabilities, and these features became very useful for admins, who can use all of them within one agent that is already deployed on all PCs.

Fall of the Hero

Despite all these new features, research conducted after 2018 says that AV products miss more than 50% of attacks. Besides, false positives caused by constant updates create difficult situations for IT professionals.

Everyone accepts that no solution provides 100% security. With this approach, speed of response and visibility become the key features against threats. This is the reason SIEMs must be used to complement AV. Yet there are also caveats that this is not enough, and advanced tools like endpoint detection and response (EDR) solutions must be implemented alongside AV. That must be true; at least we see that AV vendors are now also developing such solutions beside their AV products. You can access a more detailed review of EDR solutions, what they must include and how to choose them, here.

What is next?

Now, AV vendors which are also developing EDR solutions suggest that customers must implement these solutions beside the AV. Meanwhile, vendors developing only EDR solutions, or vendors which entered the endpoint field with EDR, say that customers can replace their AV with EDR solutions with peace of mind. But is it so easy to replace AV with EDR? Or simply, is it easy to replace any AV with something else?

As mentioned before, companies now use their AV agents for device control, host IDS/IPS, host firewall, application control and whitelisting. To replace the AV, the new product must support these features, even if it is very successful in detecting and responding. Meanwhile, even if the solution has these features, there are too many policies, rules and exceptions to migrate. I am sure all IT professionals will be afraid of this replacement because of these policies. Until these problems are overcome, it seems better to use EDR beside the AV solution. For now, it is also important to use a vendor that has enough experience working with commonly used AVs.

Monday, March 16, 2020

A Guide to Choose EDR

As discussed at every security event in the last decade, attackers' purposes and methods have changed greatly and become more complex. As if this were not enough, the increase in the number of mobile devices used in organizations and the move of some (or most) services to the cloud have made endpoint protection more difficult. With expanded cloud usage and the development of mobile technologies, fewer users are coming to the office. This makes managing, monitoring and protecting the endpoints more difficult.


As said at the beginning, with the new advanced techniques of attackers (like advanced malware, fileless malware or exploits), it is very difficult to protect endpoints with only traditional endpoint security solutions. Nevertheless, and as the subject of another discussion, this does not mean that signature-based antivirus, host IPS, host firewall or other conventional endpoint security solutions are meaningless anymore.

Meanwhile, while talking about traditional security solutions, we have to touch on what an endpoint is, because the attack surface of today's organizations has grown now that IoT and OT are part of their endpoints. We need to expand endpoint security solutions to cover mobile phones, POS devices, wearables, sensors, cameras, HVAC and cars, since they can access both the internet (even if confined to the cloud) and the organization's network, wherever they are and whenever they want.

Compared with these traditional endpoint security solutions, EDR solutions provide malicious activity detection, containment of the endpoint, investigation of the incident and remediation capabilities for the endpoint. With these capabilities, they can reduce the impact of an incident in the organization and provide intelligence for responding faster.

EDR systems use an agent on each endpoint. EDR vendors feed these agents with their intelligence services, global customer data, firewalls, network and/or e-mail based APT devices, etc. With this intelligence data, the agent provides deep, real-time monitoring of the endpoint, discovery and response.

An EDR system must use at least a few monitoring methods, such as:

IOC Detection, meaning that the agent compares system changes with its Indicators of Compromise. These IOCs can be fed from the vendor's other devices in the same network, or from global customers and intelligence services.

Anomaly Detection, meaning checking the system for abnormal states.

Behavior Detection, meaning checking the system for bad or malicious behaviours.

Machine Learning and AI, meaning that the solution has the ability to determine malicious activities without being explicitly programmed.

In an effective fight against threats, time is the most important thing. Your EDR solution should help you detect, investigate and respond as quickly as possible. To do this, your EDR should first detect the threat as soon as possible. This is where the power of the methods mentioned above shows the importance of their capabilities.

The power of the intelligence services of your EDR vendor determines the power of the IOCs. A vendor should feed customers' EDR with fast and effective intelligence. Also, as community data, vendors can feed their customers with other customers' known-bad data. This means a bigger community helps you more.

Also, integration with other security tools in the network is a key point. If an EDR solution can be fed by the other network tools, endpoints can be ready for threats seen elsewhere, such as in network traffic or in an e-mail. Considering that malicious software reaches the endpoint via the e-mail or network channel, this feature becomes very important. With this integration and the advanced search capabilities of the EDR solution, a threat seen anywhere in the network can be caught quickly on the endpoint. From this, we also see that an EDR solution must include an advanced search feature that can search the endpoint by many different criteria. These advanced search options help admins search their clients for possible threats.

An EDR solution must provide clear and meaningful explanations about threats. Only identifying a threat is not enough for admins; the solution must help them respond to it. To respond quickly and correctly, admins must understand the content of the threat. Containment is also an important, time-saving feature of EDR solutions while admins are working on the threat: an endpoint with malicious content should be contained during the analysis, so that other endpoints are protected against the spread of that content.
Also, for investigation, the EDR solution must provide a full state output of the endpoint for the time window in which the malicious activity happened: a full or specific memory dump, the states of the services, etc. Automatic creation of this information is critical during the investigation process.

From experience, I know that the endpoint is the most boring and difficult part of security: distribution problems, machines slowing down after deployment, user complaints, etc. Most security admins do not like to deal with endpoint security. But as most studies show, thousands of threats are produced every day. Just protecting the network and e-mail channels is not enough against these new threats. We have to give the necessary importance to the endpoints. So, with all these problems of endpoints, choosing the right vendor becomes the most important thing. An endpoint security solution must not obstruct end users' business; even for security, business must go on. At this point, the vendor's experience is very important to the choice. Getting a quick answer during a problem must also be evaluated during the selection process for the EDR solution.

A Sad Story: Don't Invest, Just Prodigalize

Last week, a friend called me, gave some bad news about a company. The company was looking for help since they became a victim of Egregor ra...