CompTIA Pentest+ PT0-002 – Section 17: Detection Avoidance Part 2
March 11, 2023

164. Living off the Land (OBJ 3.7)

In this lesson, we’re going to talk about living off the land and how it differs from some traditional malware exploitation techniques. So first we have to define what an exploit technique is. Well, an exploit technique describes the specific method by which malware code infects a targeted host. Now there are lots of different ways that this can be done. In the old days, we used to have malware that would go and rewrite or modify the code within an executable or a macro file on a target disk. That way, whenever that file was run, the virus was loaded, it could execute its payload, and go out and do bad things.

Now if you had worm malware, it would actually go out and try to infect only the memory, and then use remote procedure calls over the network to try to infect as many other hosts as it could. Modern malware, on the other hand, uses fileless techniques to avoid detection by signature-based security systems like antivirus and host-based intrusion detection systems.

Being fileless means that the malware is executed directly as a script or a small piece of shellcode that creates a process in the system memory without having to use the local file system. Now some of these things will actually get installed to a temporary directory first, then run, and then delete themselves. But we’ll still consider those relatively fileless, because there’s not a lot of evidence on the drive for people to find you. Now this is one of the things that a lot of APTs will use.

So the question we have to ask is, how does an APT use this modern malware to operate? Well, first, it’s going to use a dropper or a downloader. The first step is that the malware has to get onto your computer, and it’s going to do that in a fileless manner. The way they do this is by running lightweight shellcode on your system. That shellcode is what we call a dropper, or a stage one dropper, and it’s then going to go out and download the rest of the code. So that dropper is just a very small file and can run very easily from memory.

Now the whole point here is to try to trick the user into clicking on something or running the code, so that they infect their own machine. At that point, the APT then tries to maintain access. The malware is now on the system, and it’s going to install that second stage downloader. That downloader can download something like a remote access Trojan, and this will give the adversary C2 over that victim machine.

After that, they’re going to start strengthening their access. To do that, they’re going to use that remote access tool they have from the maintaining access phase, and they’re going to start looking around, identifying and infecting other systems. As they’re doing this, they’re trying to find systems of higher value, like servers or domain controllers. But even if they don’t, they want to compromise other workstations too and do this lateral movement so they can gain additional privileges and an additional footprint. So even if you find them on one machine, they still have the other machine, and they get to stay there.

After this, they move on to step four, which is actions on objectives. With actions on objectives, the attacker now has enough permissions, and they’ve identified enough things that are of interest, so they can start doing what they want to do, which is usually going to be copying or stealing files, encrypting files, or doing something else, whatever their motive was. And then finally, we have our fifth step, which is concealment. The attacker at this point is going to maintain their tool access, but they might just go ahead and start hiding themselves. They’re going to start covering their tracks by deleting log files and things like that. They want to make sure they’re eradicating any sign that they were there and that they infected your system, because this way they can stay there longer if they need to, and they can always go back in later on if they need to get something else from the machine.

All right, so those are the basic five steps of an attack. Now, I mentioned a couple of terms that I think we need to go back and define a little more deeply. I talked about things like droppers, downloaders, shellcode, and lots of other things. So let’s take a look at those. First, we have a dropper. A dropper is a specialized type of malware that’s designed to install or run other types of malware embedded in a payload on an infected host. Usually this is a stage one dropper, which is that first code you got. Once you get that code and run it, it’s then going to go out and get some other code, and it uses a downloader to do that.

Now a downloader is a piece of code that connects to the internet to retrieve additional tools after the initial infection happens by a dropper. In my explanation of that process, I also mentioned the word shellcode. Now shellcode is any lightweight code that’s designed to run an exploit on a target. This can include any type of code format, from scripting languages all the way down to a compiled binary. Shellcode originally referred to malware code that would give the attacker a shell or a command prompt on the target system. For this exam, they want you to use the more generic definition of shellcode that I just provided, which is any lightweight code designed to run an exploit on a target. It doesn’t have to give you a command prompt, it just has to be something that’s going to run some kind of an exploit. Now, once the shellcode is created as a process on the target system, all this bad stuff has to start happening to your system, right? How does that happen? Well, one way is through code injection. Code injection is an exploit technique that runs malicious code with the identification number of a legitimate process. If you look at a running system, you’re going to notice that every process has a unique ID number.

So if there’s a process that’s allowed to run, like Windows Explorer, and I run malware in a way that makes you think it’s running as Windows Explorer, I can hide that malware by injecting the code into that process. That’s the idea of code injection. Now there are a lot of other techniques we can use as far as different types of code injection. This includes things like masquerading, where your dropper is going to replace a genuine executable with a malicious one. You can use DLL injection, where the dropper forces a process to load a DLL that contains the malicious executable code. You can also do DLL side-loading, where the dropper exploits a vulnerability in a legitimate program’s manifest to load a malicious DLL at runtime; essentially you side-load by making the program load this malicious thing. Or we can do process hollowing, where a dropper starts a process in a suspended state and then rewrites the memory locations containing the process code with the malware code. So essentially, we’re taking over some place in memory and putting our malicious code in there.

Now droppers are likely to implement a lot of these different techniques. In addition to that, they also use some anti-forensic techniques to help prevent detection and analysis. Anti-forensic techniques are things like encrypting their payloads, compressing their payloads, or obfuscating their payloads. When they do this, it makes our job as reverse engineers a lot harder, but we still find ways to find these people. And so one of the things that a lot of pen testers and a lot of attackers are starting to do now is a concept called living off the land, because when they live off the land, it’s really hard for us to find them. When I talk about living off the land, this is an exploit technique that uses standard system tools and packages to perform the intrusion.

For instance, they might use something like PowerShell. PowerShell can be used to do all sorts of malicious activities. And so what we can do is when we break into a system as a pen tester or as an attacker, we can actually use your own PowerShell against you. If I’m on a Linux system, I can’t use PowerShell, but I can use Bash scripting. And so again, if I use the tools that are native to your operating system, I am now using tools that were already installed for your administrators, and I’m using them in a malicious way. But it’s going to be really hard for you to detect that because I’m living off the land. So if you fall victim to an attacker who is used to living off the land, the detection of that adversary is going to be much more difficult because the malicious code is executing within those standard tools and processes. So as a penetration tester, when you want to use living off the land techniques, you want to really focus on your use of PsExec, Windows Management Instrumentation, PowerShell remoting, Windows Remote Management, Visual Basic Scripts, and other things that are already installed by default in the operating system. First, we have PsExec.

PsExec is a lightweight program that’s part of the Sysinternals tool suite and is heavily used by administrators. PsExec uses the Server Message Block protocol to issue commands to remote systems without having to manually install client software. This gives you a way to remotely access those systems and tell them what to do. Now this is a great tool for system administrators, but as an attacker, we’re able to use it as well, and we can issue a lot of different commands to do bad things on the network. For example, if I wanted to run a malicious application called malware.exe, I could simply type in psexec \\, the IP address of the target machine, -s, and then the path to the command I want to run. So it might look something like this: psexec \\10.0.0.2 -s C:\malware.exe. This would then run malware.exe on the system located at 10.0.0.2, and it would be able to run that malicious code for me.

Second, we have the Windows Management Instrumentation, or WMI. WMI provides us with an interface for local and remote computer management. This is another tool that is designed for system administrators, but in the hands of a penetration tester, we can use it to get information about the status of a host, configure security settings, and manipulate many of its environment variables.

The Windows Management Instrumentation tool is really useful during your enumeration phase, as well as for changing security settings on devices during your post-exploitation phase. Next, we have Microsoft PowerShell, which is installed by default on all Windows systems. Now PowerShell is a command shell and scripting language built on the .NET framework. PowerShell is again a tool that was meant to give administrators an easy way to perform all sorts of system management and configuration tasks over the network. But in the hands of a penetration tester, it can be used to do all sorts of malicious things, such as adding users, adding groups, creating persistence, adding registry tasks on systems all across the network, and much more. In fact, there are hundreds and hundreds of different malicious tools written for PowerShell for penetration testers to use, including collections of scripts and tools like Empire. Another tool that comes installed by default inside of Windows is the remote management tool known as WinRM.

Now WinRM is the Windows Remote Management tool, and it gives you the ability to configure machines so that you can access them using the command line environment or through PowerShell. Once you’ve configured WinRM and are able to use it, you’re going to be able to go into those systems and execute commands to monitor and manage those clients and servers across the Windows domain. Again, this is another administrator tool that will avoid detection when you’re using it as a penetration tester. Another wonderful tool for us to use as penetration testers is VBScript, or Visual Basic Script. Much like PowerShell, Visual Basic Script is a command shell and scripting language built on the .NET framework, and it was meant to allow administrators to manage computers and developers to add features to different toolsets, like Windows, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. So when you’re using these different tools, you can actually combine a lot of them together to chain your attacks.

For example, you might trick a user into opening an attachment that contains a malicious Visual Basic Script inside of its file. When they open that, it’s going to execute the script, which then may go ahead and execute different PowerShell tasks or tasks using the Windows Management Instrumentation. It might also go ahead and execute commands using PsExec, and you can chain all these different administrative tools together to create a lot of havoc for a system administrator as you’re doing an engagement on their network. If you’re working on Linux, you might instead use Perl, Python, Bash, and other languages that are installed in Linux by default. The idea here is simple. With living off the land, our idea is to try to use the administrators’ tools against them. This way, if we’re able to use their tools, they’re less likely to detect it and we’re going to be able to stay in that system much longer without getting discovered or getting kicked out.
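From the defender’s side, the living-off-the-land tools above (PsExec, WMI, PowerShell, WinRM, and the VBScript attachment chain) all leave a footprint in process-creation telemetry. The following is an added example, not code from the course: a small rule set run over constructed Sysmon-style events (the field names, event samples and rule names are mine, and the base64 string is a meaningless placeholder).

```python
import re

# Constructed process-creation events in the style of Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine). Sample data only; the base64 blob is a meaningless placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# PowerShell accepts -EncodedCommand abbreviated down to -e; -w hidden hides the console window.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lolbin_rules(event):
    """Names of every rule the event trips; an empty list means nothing notable."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if image == "psexesvc.exe":                          # service binary PsExec installs on the target
        hits.append("psexec-service")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:  # the malicious-attachment chain
        hits.append("office-spawns-script-host")
    if image == "powershell.exe" and ENC_RE.search(cmd):
        hits.append("powershell-encoded-command")
    if image == "powershell.exe" and HIDDEN_RE.search(cmd):
        hits.append("powershell-hidden-window")
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:    # WMI-initiated process creation
        hits.append("wmi-remote-exec")
    if parent == "wsmprovhost.exe" and image in SCRIPT_HOSTS:  # WinRM remote shell host
        hits.append("winrm-remote-exec")
    return hits


def scan(events):
    """(index, hits) for every event that trips at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := lolbin_rules(e))]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, basename(SAMPLE_EVENTS[i]["image"]), ", ".join(hits))
```

The last sample event (Explorer launching a plain scheduled script) trips nothing, which is the point: the same tools are used legitimately every day, so the rules key on the parent process and the command-line switches rather than on the tool itself.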

165. Data Exfiltration (OBJ 3.7)

In this lesson, we’re going to talk about data exfiltration, because after all, most attackers who break into a system aren’t breaking in just for fun. They’re breaking in for a purpose, and most of the time that purpose is to steal data. Now, as a penetration tester, you may be asked to steal data and exfiltrate it from the network to prove that a compromise could happen against your target organization. In this lesson, though, we’re going to put on our blue team hat for a moment and look at things from the defender’s point of view. As you understand the different ways that we, as attackers, might be able to send data out of the network, it’s important to also understand how defenders might be able to determine that you’re doing this and catch you in the act. So, we’re going to put on our defender hat for a moment as we go through this lesson.

Now, data exfiltration is the process by which an attacker takes data that’s stored inside of a private network and moves it out to an external network. Data exfiltration is essentially stealing your information, and it can be done for lots of different reasons. For example, somebody might try to steal your information to then blackmail you based on what they took.

Or they may steal your information, like your customers’ credit card numbers, to be able to use those credit card numbers to buy things and make money for themselves. There are lots of different reasons that someone might want to exfil your data, but either way, you need to understand what data exfiltration is and all the different ways that someone might try to do it. Data exfiltration can be performed over many different types of channels. This can be done over HTTP or HTTPS transfers. It can be done over HTTP requests to databases. It can be done using DNS. It can be done using overt channels, or it can be done using explicit tunnels. Throughout the rest of this lesson, we’re going to cover each of these five areas. First, we have HTTP or HTTPS transfers.

Now, these transfers occur when an attacker uses commercial file sharing services to upload the exfiltrated data from a victim. For example, if someone breaks into your network and they find a lot of files on your hard drive, they need to get those things out. Well, they might log into something like their Dropbox account from your machine and then upload all your files to that Dropbox account. They can do this with Dropbox, OneDrive, Google Drive, or many other cloud-sharing services. All of these are a valid way for an attacker to upload those files to a centralized server and exfiltrate that data.

Another way that might happen is if they’re using HTTP requests to database services. When this happens, an adversary is going to use an SQL injection or another similar technique to copy records from a database to which they shouldn’t have access. Now, these are a little bit easier to detect. The reason is there’s a common IOC that you’re going to notice with them. If you see a spike in requests to PHP or other script files, or unusually large HTTP response packets, this could be an indicator that someone is trying to use HTTP requests to the database service to get the data out of the database and over to an attacker.

The third type of data exfiltration channel that can be used is DNS. DNS queries can be used to transmit data out of a network enclave.
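The two IOCs just named for the HTTP-to-database channel (a burst of requests to script files, and responses far larger than normal) can both be pulled out of an ordinary web server access log. This is an added example, not the course’s material: it parses a constructed Apache-style log (the addresses, paths and sizes are made up), counts per-client script requests per minute, and flags responses that dwarf the median size.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed web-server access log (Apache combined style, minus referrer/agent);
# sample data, not a real capture. The last two lines model a script suddenly
# returning far more data than it normally does.
SAMPLE_ACCESS_LOG = """\
10.0.0.15 - - [11/Mar/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.15 - - [11/Mar/2023:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 3800
10.0.0.21 - - [11/Mar/2023:10:00:07 +0000] "GET /products.php?id=7 HTTP/1.1" 200 6100
10.0.0.21 - - [11/Mar/2023:10:00:20 +0000] "GET /products.php?id=8 HTTP/1.1" 200 5900
198.51.100.9 - - [11/Mar/2023:10:01:00 +0000] "GET /products.php?id=1 HTTP/1.1" 200 6000
198.51.100.9 - - [11/Mar/2023:10:01:01 +0000] "GET /products.php?id=2 HTTP/1.1" 200 6050
198.51.100.9 - - [11/Mar/2023:10:01:02 +0000] "GET /products.php?id=3 HTTP/1.1" 200 5980
198.51.100.9 - - [11/Mar/2023:10:01:03 +0000] "GET /products.php?id=4 HTTP/1.1" 200 6010
198.51.100.9 - - [11/Mar/2023:10:01:04 +0000] "GET /products.php?id=5 HTTP/1.1" 200 1840000
198.51.100.9 - - [11/Mar/2023:10:01:05 +0000] "GET /products.php?id=6 HTTP/1.1" 200 2210000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp", ".cgi")


def parse_access_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        client, ts, method, path, status, size = m.groups()
        records.append({
            "client": client,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method,
            "path": path.split("?", 1)[0],          # drop the query string
            "status": int(status),
            "size": 0 if size == "-" else int(size),
        })
    return records


def script_request_spikes(records, per_minute=5):
    """Clients that hit server-side script files at least per_minute times in one minute."""
    buckets = Counter()
    for r in records:
        if r["path"].lower().endswith(SCRIPT_EXTS):
            buckets[(r["client"], r["time"].strftime("%Y-%m-%dT%H:%M"))] += 1
    peaks = {}
    for (client, _minute), n in buckets.items():
        if n >= per_minute:
            peaks[client] = max(n, peaks.get(client, 0))
    return peaks


def large_responses(records, factor=20):
    """Responses larger than factor x the median response size seen in this log."""
    median = statistics.median(r["size"] for r in records)
    return [r for r in records if r["size"] > factor * median]


def analyse(records):
    return {"script_spikes": script_request_spikes(records),
            "large_responses": large_responses(records)}
```

On real traffic the median should come from a longer baseline window than the log being inspected, otherwise a sustained dump would drag the median up and hide itself.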

Now, there are lots of different types of records in DNS, but one of the common indicators of compromise is an atypical query type being used, for instance, someone starts asking for TXT records, or MX records, or CNAMEs, or NULL. All of these are not nearly as common as a standard A record. And so, if somebody has a client on a network and it starts sending out requests for TXT records, and those requests carry additional data inside the query, that can actually be a way of exfiltrating data out of your network using DNS as a covert channel.
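The DNS indicator described above can be checked mechanically: per client, what share of queries use an atypical type, and do the query names carry labels that look like encoded data rather than hostnames? This is an added example, not part of the course; the log format, client addresses, domain and the hex labels are all constructed, and the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed DNS query log (timestamp, client, query name, query type); sample data, not
# real traffic. The long hex labels stand in for chunks of encoded data.
SAMPLE_DNS_LOG = """\
2023-03-11T10:00:01 10.0.0.15 www.example.com A
2023-03-11T10:00:02 10.0.0.15 mail.example.com A
2023-03-11T10:00:05 10.0.0.15 cdn.example.net AAAA
2023-03-11T10:00:09 10.0.0.15 www.example.com A
2023-03-11T10:00:11 10.0.0.42 www.example.com A
2023-03-11T10:00:12 10.0.0.42 9f3c0a77b1e4d2c6a58f0e13b7d9c4a2.c1.exfil-test.invalid TXT
2023-03-11T10:00:13 10.0.0.42 6b2e8d41f07ca93b5e1d0f6a2c48e79d.c2.exfil-test.invalid TXT
2023-03-11T10:00:14 10.0.0.42 d4a1c7e3b09f5628ae73d1c9b4f06e2a.c3.exfil-test.invalid TXT
2023-03-11T10:00:15 10.0.0.42 17e9b3d0f5c2a86e4d0b9c1f73a5e8d2.c4.exfil-test.invalid NULL
2023-03-11T10:00:16 10.0.0.42 c8f2a6e1d39b07c5f4e2a8d1b6c0e937.c5.exfil-test.invalid TXT
"""

# Query types the lesson calls atypical next to ordinary A lookups.
RARE_TYPES = {"TXT", "MX", "CNAME", "NULL"}


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype})
    return records


def shannon_entropy(s):
    """Bits per character; random-looking encoded data scores high, real words score low."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_encoded(label, min_len=20, min_entropy=3.0):
    """A DNS label long enough and random enough to be carrying data rather than a name."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyse(records, rare_ratio=0.5):
    """Per-client counts of rare query types and data-like labels, plus a verdict."""
    stats = defaultdict(lambda: {"total": 0, "rare": 0, "encoded_labels": 0})
    for r in records:
        s = stats[r["client"]]
        s["total"] += 1
        if r["qtype"] in RARE_TYPES:
            s["rare"] += 1
        if any(looks_encoded(lbl) for lbl in r["qname"].split(".")):
            s["encoded_labels"] += 1
    for s in stats.values():
        s["rare_share"] = s["rare"] / s["total"]
        s["suspicious"] = s["rare_share"] >= rare_ratio and s["encoded_labels"] > 0
    return dict(stats)


if __name__ == "__main__":
    for client, s in analyse(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, s)
```

Requiring both signals together keeps ordinary mail servers (which legitimately issue MX and TXT lookups) from being flagged on query type alone.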

Another thing an attacker might use is just an overt channel. Basically, an overt channel is a channel that is meant to send data. For instance, FTP (the File Transfer Protocol), instant messaging, peer-to-peer file sharing, email, and other obvious file and data sharing tools are all considered overt channels. This is what those tools were designed to do, to send information. When an attacker uses them to get your data out of the network, that makes it an overt channel. The final type we have is an explicit tunnel.

Now, an explicit tunnel uses something like SSH (Secure Shell) or a VPN (virtual private network) to create a tunnel to transmit the data across a network. So how do you identify whether one of these explicit tunnels is actually being used as part of data exfiltration, or whether it’s just something that is useful and needed by an administrator? Well, one of the IOCs for this is if you start seeing atypical endpoints being involved in these tunnels. One of the most common ways that an endpoint can be atypical is based on geographic location. For instance, in my company, we have employees in several areas.

We have employees in the Maryland and Washington DC area. We have employees down in Florida. We have employees down in Puerto Rico. We have employees out in Asia, in the Philippines and places like that. Now, if I start seeing traffic with an endpoint going from my servers to Russia, or my servers to Turkey, those are locations that we don’t have any employees in. So that would be atypical and something that would be suspicious that we would look into. But if I saw an SSH connection or a VPN going from Puerto Rico into my servers, that wouldn’t be atypical because my staff down there connects through VPNs all the time. So, now that we’ve covered the basics of data exfiltration and the five types of channels that could be used, let me give you a warning about data exfiltration. An adversary could use a different channel for data exfiltration than they use for command and control.

So just because you identified something like beaconing or command and control and you block that, it doesn’t mean the data is going to stop being exfilled. The reason for this is you might stop the beaconing and the command and control but the command was already received before you cut that off. And so, if I had a command and control channel over DNS but I’m sending that data out over SSH and you block port 53, that stops the command and control but I may have already received the command signal to send the data, and so I’ll continue sending it over port 22 using SSH. This is just something you have to think about because you’ve got to catch both areas, whatever the command and control channel is and the data exfiltration channel.

The final thing I want to talk about here is, what is the best mitigation against data exfiltration? Well, the best mitigation is to use strong encryption of data when it’s at rest or when it’s in transit. If you have a hard drive that is encrypted, the data stored on that hard drive can’t be copied off and exfiltrated without breaking that encryption first. So even if they’re able to download those files and exfiltrate them, they would have these encrypted files without the key and they wouldn’t be able to open them and read them. This makes the data they exfilled essentially useless to them. So, make sure you’re using strong encryption on all of your data at rest, especially if you want to protect it from data exfiltration.
