net hijacking to defend powershell
play

.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 - PowerPoint PPT Presentation

Jan 05, 2023 •559 likes •1.04k views

1 .NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend PowerShell 2 MALWARE UNICORN Senior or Malware Researcher @ Endgame, Inc. Wo Works s as s a a Mal alware are Re Researc archer r at at

  1. 1 .NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  2. 2 MALWARE UNICORN Senior or Malware Researcher @ Endgame, Inc. Wo Works s as s a a Mal alware are Re Researc archer r at at Endgam dgame who fo focus uses es on n attacker er tec echni hnique ue application n to dynam dy amic be behavi avior r de detection bo both on Windo dows an and d OS OSX X platfo forms. AMANDA ROUSSEAU @malwareunicorn CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  3. 3 GOALS Allow PowerShell to be run in a normal environment What Do We Need? Analyze de-obfuscated commands STEALTHY, Remain stealthy in the environment to avoid bypasses RUN-TIME MONITORING. Allows run-time analysis and blocking Supports PowerShell v2-5 CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  4. 4 CONTENT OVERVIEW FOUNDAT FO ATIONS: POWERSHELL ATTACK HISTORY C# DLL INJECTION .NET OVERVIEW OVERVIEW SOLUTI SO TIONS: S: IL BINARY JIT COMPILER C-BASED CLR PROFILING MODIFCATION HOOKING METHOD HOOKING CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  5. 5 TIMELINE Offensive Pow owerShell and .NET Attacks ATTACK HISTORY 2012 PowerSploit (2012) Nishang (8/2012) Plotus (10/2013) 2013 Power Worm (3/2014) 2014 ConfuserEx (5/2014) PoweLiks (8/2014) Syrian Malware (8/2014) CoinVault Rasnomware (11/ 2014) PowerShell Empire (2014) Hunter EK (8/2015) 2015 Fileless Backdoor (8/2015) PS>Attack (12/2015) 2016 Trojan.Laziok (4/2016) PowerSniff (3/2016) PowerShell Ransomware (5/2016) PowerDuke Backdoor (11/2016) CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  6. 6 PHISHING CAMPAIGNS Utilizing scripting for Diagram of PoweLiks transitioning from the 1st stage of the attack to the 2nd stage payload 1 2 PoweLiks PowerSniff PowerDuke Hunter Exploit Kit CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  7. 7 BAD MALWARE PICKUP LINES “ Hey girl, do you like PowerShell? Because I'd like to stay persistent in your memory ;) ” CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  8. 8 OBFUSCATION ANALYSIS EVASION Invoke-Obfuscation Script Obfuscation Code Protection Applications: ConfuserEx CoinVault obfuscated C# Code .NET Reactor: stri string encry rypti tion an anti-de decom ompilat pilation ion co cont ntrol fl flow w obf obfuscat ation ion an anti-ta tampering CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  9. 9 OFFENSIVE FRAMEWORKS PowerShell Offensive Frameworks Useful for automating attacks and post- exploitation routines NISHANG POWERSPLOIT Collection of scripts to automate tasks such as: • analysis evasion • remote execution • privilege escalation • lateral movement • exfiltration POWERSHELL PS>ATTACK EMPIRE Command to reflectively load and execute a PE binary into memory Improve and propagate these PowerShell offensive techniques CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  10. 10 FOUNDATIONS of .NET C# Referenced Code Assemblies C O M M O N L A N G U A G E R U N T I M E ( C L R ) J U S T - I N - T I M E ( J I T ) Compiler “ S T R O N G N A M E D ” A S S E M B L I E S Managed Assembly Metadata & IL codes N G E N A S S E M B L I E S .NET Framework D E C O M P I L I N G . N E T B I N A R I E S JIT CLR getJit() I N T E R M E D I A T E L A N G A G E ( I L ) clr.dll / mscorwks.dll compileMethod() clrjit.dll/mscorjit.dll Native/Machine Code CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  11. 11 COMMON LANGUAGE RUNTIME (CLR) C# vs IL Code PowerShell ScriptBlock Create UNMANAGED Vs MANAGED Handler that manages: Dependencies Memory Exceptions Synchronization Managed Assemblies Metadata & IL Code No additional information is required Agnostic across architectures CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  12. 12 JUST-IN-TIME COMPILER (JIT) IL CODE -> NATIVE CODE JIT Order of Operations JITCompiler 1) Metadata Lookup Table Index of MethodInfo Convert and optimize the IL code into 3) Convert IL to CPU native CPU instructions which is then Instructions & Store in stored in dynamic memory Memory Block 2) Allocate getJit() 4) Update Method’s entry point in the table Memory Block 5) Jump to memory & compileMethod() execute Return Back to Compiler CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  13. 13 JUST-IN-TIME COMPILER (JIT) METADATA LOOKUPS Assembly Metadata Metadata Table Description Assembly contains metadata tables Lists of objects with names, offsets ModuleDef (0x00) Identity of the module Method Tokens are unique per module List of class Types and the indexes to the TypeDef (0x01) methods that each class owns Each method entry contains the name, MethodDef (0x02) offset location, flags, and signature. Contains information about the current Assembly (0x20) assembly. Contains information about the referenced AssemblyRef (0x23) assemblies. Contains each member including methods MemberRef (0x0A) referenced by the module. CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  14. 14 JUST-IN-TIME COMPILER (JIT) TRAVERSING THE METADATA JIT Compiler Function Offsets D971C845B82D877107906335EFF1824C#32_2_0_50727_8670 Download JIT .PDB 2621605; MethodDesc :: s_pfnReset 55606;MethodDesc::s_pfnIsGenericMethodDefinition 60512;MethodDesc::s_pfnGetNumGenericMethodArgs Identify function offsets for hooking 762227;MethodDesc::s_pfnStripMethodInstantiation 60894;MethodDesc::s_pfnHasClassOrMethodInstantiation 160213;MethodDesc::s_pfnContainsGenericVariables Need to traverse the MethodDesc Tables to 1179150;MethodDesc::s_pfnGetWrappedMethodDesc update the information for methods 56056;MethodDesc::s_pfnGetDomain 1020785;MethodDesc::s_pfnGetLoaderModule 4801122;LoadedMethodDescIterator::s_pfnConstructor 0;LoadedMethodDescIterator::s_pfnConstructor_v45 0;LoadedMethodDescIterator::s_pfnConstructor_v46 4950262;LoadedMethodDescIterator::s_pfnStart 0;LoadedMethodDescIterator::s_pfnNext_v4 4950393;LoadedMethodDescIterator::s_pfnNext_v2 4950297;LoadedMethodDescIterator::s_pfnCurrent_F43F7 0AF86B02890FCF95ED91EA373BB#32_4_0_30319_17929 _1BC333D76444B51B01A74B7447ADBC9E#64_2_0_50727_4963 CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  15. 15 MICROSOFT INTERMEDIATE LANGUAGE (MSIL) CPU agnostic machine language that IL Instructions operates on a slightly higher level CLI instruction set standard from ECMA-335 Address is a 4-byte value called a token Relevant only to assembly JIT Optimizes the IL instructions Extraneous instructions such as NOP codes will be removed to improve performance CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  16. 16 MICROSOFT INTERMEDIATE LANGUAGE (MSIL) CPU agnostic machine language that PowerShell ScriptBlock IL Instructions operates on a slightly higher level .method /*06002149*/ public hidebysig static class System.Management.Automation.ScriptBlock/*02000316*/ Pushed and popped on the stack Create(string script) cil managed // SIG: 00 01 12 8C 58 0E .ma maxstack re refers rs the st stack sl slot si size needed for r arg rguments s { an and loc d local al var variable iables // Method begins at RVA 0xa9499 // Code size 12 (0xc) .maxstack 8 After JIT IL_0000: /*73|(06)001FDA*/ newobj instance void Can acquire the virtual memory address of the method. System.Management.Automation.Parser/*020002F7*/::.ctor Using GetFunctionPointer . () /*06001FDA*/ IL_0005: /*02|*/ ldarg.0 IL_0006: /*28|(06)00214A*/ call class System.Management.Automation.ScriptBlock/*02000316*/ System.Management.Automation.ScriptBlock/*02000316*/:: Create(class System.Management.Automation.Parser/*020002F7*/, string) /*0600214A*/ IL_000b: /*2A|*/ ret } // end of method ScriptBlock::Create CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  17. 17 DECOMPILING .NET BINARIES Can easily be decompiled & disassembled Tools rely on disassembling the IL code Tools and reconstructing the C# code based on the metadata definition dotPeek original function names dnSpy function offsets membership to parent classes ILspy De4dot ILAsm.exe & ILDasm.exe CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  18. 18 DECOMPILING .NET BINARIES DotPeek https://www.jetbrains.com/decompiler/ CanSecWest 2017 | .NET Hijacking to Defend PowerShell

  19. 19 STRONG NAMED ASSEMBLIES Fixes version dependency Public Key Token Reference for Mscorlib from DLL Hell Uniquely identified assemblies signed with a publisher’s public/private key pair Public key is embedded into the header of the assembly Intended to tamper-resistant Global assembly cache (GAC) GAC Locations .NET tool gacutil.exe to install assembly Weak assemblies searched by its file name and executable extension with in the containing folder. CanSecWest 2017 | .NET Hijacking to Defend PowerShell

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PowerShell Desired State Configuration for Linux By: Kolby Allen

PowerShell Desired State Configuration for Linux By: Kolby Allen

PowerShell Desired State Configuration for Linux By: Kolby Allen August 19, 2015 LINUXCON North America Outline - What is PowerShell and Desired State Configuration?

798 views • 18 slides
How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation

How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation

RD FYP 1 WORKSHOP 3 RD Proposal Presentation How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation or proposal defend To defend your final year project work a) Comply with Bachelor or Diploma

436 views • 33 slides
JSON hijacking For the modern web About me Im a researcher at PortSwigger I love

JSON hijacking For the modern web About me Im a researcher at PortSwigger I love

JSON hijacking For the modern web About me Im a researcher at PortSwigger I love hacking JavaScript let : let { let :[x=1]}=[alert(1)] I love breaking browsers @garethheyes History of JSON hijacking Array constructor attack

630 views • 44 slides
PowerShell Todd Klindt Todd.klindt@sympraxisconsulting.com @toddklindt www.toddklindt.com

PowerShell Todd Klindt Todd.klindt@sympraxisconsulting.com @toddklindt www.toddklindt.com

PowerShell Todd Klindt Todd.klindt@sympraxisconsulting.com @toddklindt www.toddklindt.com www.toddklindt.com/ShortURL Agenda Talk about Microsofts PowerShell Talk about PNP Look at some fun scripts Official Modules There are 4

638 views • 52 slides
Demo: BGP Path Hijacking Vimal Stanford University August 18

Demo: BGP Path Hijacking Vimal Stanford University August 18

Demo: BGP Path Hijacking Vimal Stanford University August 18 th 2014 Goals of the Assignment Understand how BGP path hijacking aGacks might happen in

322 views • 11 slides
DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE

DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE

DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE Food Market Merchandising vs. Scottsdale Indemnity , 857 F.3d 783 (8 th Cir. 2017) Facts of Food Market January 13, 2014: former employer Robert

908 views • 19 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala

Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala

Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek Andy Archer, Allan Aquino, Andreas Pitsillidis (UCSD), Stefan Savage (UCSD) Hijacking is a pervasive problem

318 views • 27 slides
Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we detect BGP IP hijacking by probing the at risk subnets to detect suspect change to hosts and subnets. 2 Intro Fingerprinting Avoiding

795 views • 31 slides
Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route Hijacking~ Mar 1 2007 in APRICOT 2007 NTT Communications Corp. Taka Mizuguchi Tomoya Yoshida What s BGP Route Hijacking? s BGP Route

583 views • 40 slides
THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of

THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of

Principal Consultant Nick Harbour nick.harbour@mandiant.com ick.harbour@mandiant.com @ THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of Persistence Techniques Overview of Persistence

153 views • 14 slides
PowerShell Its time to own. David Kennedy (ReL1K) Josh Kelley (Winfang)

PowerShell Its time to own. David Kennedy (ReL1K) Josh Kelley (Winfang)

PowerShell Its time to own. David Kennedy (ReL1K) Josh Kelley (Winfang) http://www.secmaniac.com Twitter: dave_rel1k About Josh Security Analyst with a Fortune 1000 --- Works with Dave Heavy experience in penetration testing,

520 views • 21 slides
Deployment With The Magic Of PowerShell and Chocolatey Paul Broadwith @pauby

Deployment With The Magic Of PowerShell and Chocolatey Paul Broadwith @pauby

Click Free Application Deployment With The Magic Of PowerShell and Chocolatey Paul Broadwith @pauby https://blog.pauby.com Who Am I? Paul Broadwith, Glasgow, Scotland 25+ years in defence, government, financial sectors Lead

621 views • 26 slides
Make your system administrator friendly with PowerShell Enrico Campidoglio @ecampidoglio This

Make your system administrator friendly with PowerShell Enrico Campidoglio @ecampidoglio This

Make your system administrator friendly with PowerShell Enrico Campidoglio @ecampidoglio This work by Enrico Campidoglio is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of this

291 views • 17 slides
A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis,

A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis,

A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis, Xinyang Zhang Presented by: Tony Z.C Huang, Adapted from slides by Hitesh Ballani Prefix Hijacking/ Interception Internet AS CIA AS U Owning

873 views • 38 slides
Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:> whoami /all Tom Ueltschi Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!) Focus & Interests: Malware Analysis, Threat Intel,

1.45k views • 115 slides
Public Hearing IH 35E From: FM 2181 To: US 380 October 20, 2011 Denton, TX IH 35E Corridor

Public Hearing IH 35E From: FM 2181 To: US 380 October 20, 2011 Denton, TX IH 35E Corridor

Public Hearing IH 35E From: FM 2181 To: US 380 October 20, 2011 Denton, TX IH 35E Corridor Project Location US 380 FM 2181 PGBT IH 635 IH 35E North Study Area Limits Project Limits: FM 2181 288 Texas Project End: U.S. 380 US

465 views • 42 slides
Call Your Leader: Does the Mobile Phone Affect Policymaking? Jahen F. Rezki University of York

Call Your Leader: Does the Mobile Phone Affect Policymaking? Jahen F. Rezki University of York

Introduction Institutional Context Conceptual Framework Data and Empirical Strategy Evidence Conclusions Call Your Leader: Does the Mobile Phone Affect Policymaking? Jahen F. Rezki University of York 2018 Nordic Conference on Development

717 views • 34 slides
Other Useful Statements and Database Joins SWEN-250: Personal Software Engineering Overview

Other Useful Statements and Database Joins SWEN-250: Personal Software Engineering Overview

Other Useful Statements and Database Joins SWEN-250: Personal Software Engineering Overview Other Useful Statements: Database Info: SELECT Functions .tables SELECT Like .schema ORDER BY LIMIT Joins: UPDATE

641 views • 24 slides
DISTRICT EDUCATIONAL IMPROVEMENT COMMITTEE (DEIC) 2/13/20 MEETING Agenda Topic Presenter

DISTRICT EDUCATIONAL IMPROVEMENT COMMITTEE (DEIC) 2/13/20 MEETING Agenda Topic Presenter

DISTRICT EDUCATIONAL IMPROVEMENT COMMITTEE (DEIC) 2/13/20 MEETING Agenda Topic Presenter Welcome & Introductions Jennifer Price District Performance Objectives Update Jennifer Price Finance Update Mark Youngs Human Resources Update

868 views • 39 slides
String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 27, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 27, 12 String

String Theory in the LHC Era J Marsano (marsano@uchicago.edu) 1 Friday, April 27, 12 String Theory in the LHC Era 1. Electromagnetism and 5. Supersymmetry Special Relativity 2. The Quantum World 6. Einsteins Gravity 3. Why do we need

826 views • 70 slides
PUZZLING IT OUT WHAT WE KNOW ABOUT PRE-K IMPACTS AND WHY BUSINESS SHOULD CARE Deborah A.

PUZZLING IT OUT WHAT WE KNOW ABOUT PRE-K IMPACTS AND WHY BUSINESS SHOULD CARE Deborah A.

PUZZLING IT OUT WHAT WE KNOW ABOUT PRE-K IMPACTS AND WHY BUSINESS SHOULD CARE Deborah A. Phillips, Ph.D., Georgetown University Presentation to: Committee for Economic Development Fall Policy Conference, Nov. 15, 2017 Authors & Funders

360 views • 15 slides
Routing your first exercise

Routing your first exercise

Exploring Advanced Networking Topics What do you remember? Routing your first exercise

496 views • 4 slides
Community Economic Recovery: Preparing for the Unthinkable CDCK CED Forum April 2019 SFU

Community Economic Recovery: Preparing for the Unthinkable CDCK CED Forum April 2019 SFU

Community Economic Recovery: Preparing for the Unthinkable CDCK CED Forum April 2019 SFU CED Programs Jeremy Stone, Director 30 Years of CED programming 18 Years in CED Highly engagement-focused Microfinance, small business

626 views • 38 slides

More recommend