DerbyCon 2018 presentation on payload encryption using various keying techniques.

1. Protect Your Payloads:
Modern Keying Techniques
Leo Loobeek

2. • Senior Consultant @ Protiviti
• Execute penetration testing, red teams, etc.
• Enjoy custom implant and tool development
• Casually blog at adapt-and-attack.com
• Not a crypto expert
About Me

3. • Current Landscape
• Keying Review and Advantages
• Keying With Remote Resources
• Tie It Together
Agenda

4. Defense is getting better…
Endpoint
Security (EDR)
Sandboxing
Innovative
Tooling
VirusTotal,
Clouds, ML
Threat
Hunting
Improved
Methodologies
Detection
Capabilities
Researchers
Eventually, you WILL get caught and your remote access code WILL be analyzed…

5. • Command And Control
• Method (HTTP, DNS)
• Server Addresses
• Initial Execution Behavior
• Launching another process?
• Using injection? Process hollowing?
• Endpoint telemetry may catch this, may not…
• Custom Implant
Attacker Crown Jewels

6. • VBA – Macros
• JScript/VBScript – HTA, SCT, XSL
• PowerShell – oneliner everywhere
• C# - MSBuild, DotNetToJScript , ClickOnce
• DLL/Shellcode injection typically executed from
above
Scripting Languages (and C#)

7. Ever think about *what* key data points you lose
control of the moment you send that phishing email?
Ever think about *who* will see those key data
points?

12. Find more on #DailyScriptlet

13. • Advantages
• Great technique to defeat automated solutions
• Can slow down defender analysis
• Disadvantages
• Can eventually be reversed once obfuscation is
understood
• Behavior analysis, sandboxing, etc. may reveal behaviors
• can be limited if anti-analysis is included before obfuscation
‘Obfus’ + ‘cation’
@danielhbohannon and @cobbr_io good people to follow for obfuscation-fu!

14. Enter Key Derivation
Functions (keying)

15. • Keying is the idea of encrypting your payloads and using
local and remote resources to build the decryption key.
• These "resources" could be environmental variables on
the victim's workstation, HTML source of a web page, or
a specific computer name in Active Directory.
When an attacker is using this strategy, they may need to
discover information in order to encrypt the payload
properly.
What Is Keying?

16. • Back in 2016, Josh Pitts (@midnite_runr) and Travis
Morrow (@wired33) presented about this technique
• They released a tool: https://github.com/Genetic-
Malware/Ebowla
• Discussed previous academic studies on the topic
dating back to 1998
• Discussed Gauss – a real world example of malware
using keying in 2012
This is not new

17. • It still works GREAT
• Encrypts your DLLs, EXEs, shellcode, Python,
PowerShell
• Gives you binaries created from Go/Python, or
PowerShell
• Thanks to Josh and Travis on pushing these
techniques forward to the industry
Ebowla Is Awesome

18. • Keying is needed now more than ever
• Share my experiences and use cases
• Common Responses:
• “Oh yeah, that technique sounds useful for bypassing
sandboxes”
• “It’s a cool idea but it seems like a lot of work”
• “I don’t get it”
• “Yeah we use it, we have [X] technique that works really
well for us”
So Why am I Here?

19. Check out the Genetic Malware talks by Josh and
Travis for more in-depth understanding...
Slides:
https://github.com/Genetic-Malware/Ebowla
Video of ekoparty12 presentation:
https://www.youtube.com/watch?v=WI8Y24jTTlw
Keying Review

20. • Attacker is targeting a specific VP of E-Corp
and through OSINT has discovered
• He uses Microsoft Project
C:Program FilesMicrosoft Officeoffice15winproj.exe
• His username is JDoe
• Attacker wants to encrypt his payload so it only
executes on target’s workstation
Keying Review

21. Create Encrypted Data -
1. Hash the key data
“C:Program FilesMicrosoft Officeoffice15winproj.exeJDoe”
2. Use first 32 characters as encryption key
3. Encrypt payload with key
Keying Review

22. Create Keyed Payload -
1. Create functions to retrieve key data
- Get environment variable for “USERNAME”
- Get all paths under “C:Program Files”
2. Loop through all key data and hash each possible key
3. Attempt to decrypt with each key hash
Keying Review

23. HashOf(“C:Program FilesApplication Verifier” + “JDoe”)
HashOf(“C:Program FilesApplication Verifiervrfauto.dll” + “JDoe”)
…
HashOf(“C:Program FilesMicrosoft Office” + “JDoe”)
HashOf(“C:Program FilesMicrosoft Officeoffice15” + “JDoe”)
HashOf(“C:Program FilesMicrosoft Officeoffice15excel.exe” + “JDoe”)
HashOf(“C:Program FilesMicrosoft Officeoffice15msproj.exe” + “JDoe”)
Keying Review

24. • The following data carries over to the payload:
• Method(s) to retrieve key values
• The following data does not carry over to the
payload:
• The actual values (“JDoe”, MS Project file path)
• Original payload
Information Disclosed In Final Payload

25. • This is payload is now target specific and should have
difficulty running on sandboxes, VirusTotal, and
incident responder’s analysis systems
• Difficult to determine the target if sent to all VPs at
E-Corp
Keying Review - Takeaways

26. • Ebowla outputs to a compiled binary generated from
Python or Go
• This is ideal: would require serious analysis and reversing
to determine that the payload is using keying techniques
• Keying use in text-based payloads are subject to
quicker analysis with direct access to source code
Compiled vs Scripting

27. • What does a responder do when they see the
following being used as a key:
[Environment]::GetEnvironmentVariable("USERNAME")
[Environment]::GetEnvironmentVariable(“COMPUTERNAME")
[Environment]::GetEnvironmentVariable(“USERDNSDOMAIN")
• Sent through phishing? Find all recipients of the
email, compile the list, and try each one until it
executes.
• Found as persistence? Well, we know where to get
the environment variables…
Scripting Downsides

28. • Get all possible combinations of those three
environment variables
• Upside of combinations: possible blank values!
• If USERNAME=leo, COMPUTERNAME=pc, and
USERDNSDOMAIN=ecorp
Combinations
leopcecorp
leopc
leoecorp
leo
pcecorp
pc
ecorp

29. • What if E-Corp saw this..?
combos = new array()
combos += GetEnvionVar(“COMPUTERNAME”)
combos += GetEnvironVar(“USERNAME”)
combos += GetTime()
combos += GetSIDOfUser()
combos += GetIPAddressOf(“intranet.tesla.com”)
combos = GenerateCombinations(combos)
Combinations

30. • What if E-Corp saw this..?
combos = new array()
combos += GetEnvionVar(“COMPUTERNAME”)
combos += GetEnvironVar(“USERNAME”)
combos += GetTime()
combos += GetSIDOfUser()
combos += GetIPAddressOf(“intranet.tesla.com”)
combos = GenerateCombinations(combos)
Combinations

31. • Builds on the Combinations idea
• Custom key derivation functions
• Allows attackers to come up with new and creative ways
to specifically target remote access code to endpoints
• Allows attackers to still use keying if they haven’t found
data that fits Ebowla
• Currently supports C#, JScript and PowerShell
• JScript does not use DotNetToJScript
Introducing KeyRing

32. • Combos (string)
• Keying functions that would return one string value
• Ex) environment variables, current time (HH:MM)
• Chains ([]string)
• Keying functions returning one or more strings
• Ex) directory listings, running processes, computer
names in active directory
• Currently supports one chain and unlimited combos
KeyRing Vocabulary

33. KeyRing Decryption Process
combos = new array()
chains = new array ()
combos += GetEnvionVar(“COMPUTERNAME”)
combos += GetEnvironVar(“USERNAME”)
combos += GetTime()
chains = GetRunningProcesses()
combos = GenerateCombinations(combos)
for chain in chains {
for combo in combos {
tryDecryption(path, user, payload, payloadHash)
}
}

34. • More combinations, larger chains…
Keying Considerations
Longer execution
CPU may spike
Fan noise
Hard to determine
final key

35. KeyRing Demo

36. We still don’t have much control...
Could This Be Better?

37. Keying Using Remote
Resources

38. • If the payload also went to retrieve remote
resources, we could control those resources
(ex: HTTP)
• If we can control the data on those remote
endpoints, we can effectively “turn on” and “turn
off” those resources
• This returns control to the attacker: YOU choose
when your payload executes and when it doesn’t
Adding Remote Resources to Your Keys

39. • Back in 2015, Alex Rymdeko-Harvey (@Killswitch_GUI)
and Chris Truncer (@christruncer) put together an HTTP
Key module for Veil
https://www.veil-framework.com/framework/veil-
evasion/
• This is no longer a part of the Veil project
• Alex’s original blog post is no longer up
https://web.archive.org/web/20161001104512/http://cybersyndicates.com
:80/2015/06/veil-evasion-aes-encrypted-httpkey-request-module/
This also is not new

40. HTTP Key
Key Server C2 Server
www.site1.com www.site2.com
GET /content/dashboard.html

41. HTTP Key
Key Server C2 Server
www.site1.com www.site2.com
Expected HTML returned…

42. HTTP Key
Key Server C2 Server
www.site1.com www.site2.com
C2 Session Established

43. HTTP Key
Key Server C2 Server
www.site1.com www.site2.com
Benign HTML returned…

44. HTTP Key
Key Server C2 Server
www.site1.com www.site2.com
Nothing Happens

45. DNS Key with TXT Record

46. • Use benign response, send phish, wait an hour,
replace benign response
• Replace expected page with benign page
immediately after execution
• May never be decrypted again
• Monitor logs for access attempts to the URL/DNS
record to detect incident response
Use Cases

47. • KeyServer is DNS and HTTP keying made easy
• Easily turn the keys “on” or “off”
• Greppable logs
• Alerts for Slack and Email
• Built to be behind Apache mod_rewrite
Introducing KeyServer

48. • Use Constraints to automate switching the key status
Turn key on between 09:59am and 10:01am
or
Turn key off after it has been accessed once
or
Turn key on once access has been attempted 20 times
or…
KeyServer Constraints

49. • KeyRing includes code to generate HTTP keying for
C#, PowerShell, and JScript
• KeyRing includes code to generate DNS keying for C#
• Uses Pinvoke for DNS queries
• Thanks to @Arno0x0x for
https://github.com/Arno0x/DNSExfiltrator
• DNS and HTTP keying are “Combos” in KeyRing
terms
KeyRing+KeyServer

50. KeyServer Demo

51. Phishin’ With HTTP Key
Payload + Key Server C2 Server (empire)
www.fakederbycon.com webmail.stealthyc2.com
GET /freetix
GET /dave/kennedy.html
1
2

52. IR Detection with DNS Key
Key Server C2 Server (empire)
keyserver.site webmail.stealthyc2.com
In-Memory w/High Delay
Persistence on
user workstation
AB

53. Using KeyServer in the “Wild”

54. Using KeyServer in the “Wild”

55. • I still lost my KeyServer domain
• How could it be better?
Original Payload
Encrypt with HTTP/DNS key
Encrypt with other keying
Could’ve Done Better…

58. If Blue Team blocks KeyServer IP/domain/URL, payload
won’t execute and you will lose access if you don’t
have other methods of persistence
Important Note

59. My Motivations and How I’ve
Used Keying

60. • Several detection techniques that continue to scare me…
• Improvements to in-memory detection capabilities
(CreateRemoteThread, etc.)
• Abnormal binaries initiating network connections – Sysmon
EID 3
• PowerShell and command line logging
And why are these finally getting the attention they
deserve?
Odds Are In Defenders Favor

61. All Tradecraft About In-Memory

62. • If I don’t feel 100% comfortable attempting to get
my payload directly into memory…
Let’s drop things to disk! With keying techniques, I feel
comfortable doing this again
Droppin’ Files To Disk

63. Obfuscate Original Payload
Encrypt with Keying Techniques
Obfuscate Encrypted Payload
Obfuscation Still Needed

64. • Prepare a C# dropper
• Implant will use InternetExplorer.Application COM object
for web requests to C2 server
• Get an HTA file onto disk
• Use DotNetToJScript to get C# over to JScript
• Use keying to encrypt DotNetToJScript output
• Embed inside HTA file
• Find a way to execute “mshta.exe
C:fullpathtofile.hta”
Here’s A Reliable Go-To…

65. • No network connections initiated from anywhere but
Internet Explorer or Edge
• Mshta.exe is a signed binary
• All interesting behaviors still occur in memory
• Everyone’s looking for “mshta.exe https://...”
• https://attack.mitre.org/wiki/Technique/T1170
• Bonus: Not a console application, fits nicely with scheduled
tasks
• Downside: Mshta.exe execution itself may set of alarms
The Advantages

66. Closing Thoughts

67. • Understand the whole file’s behaviors
• Look for encryption/decryption functions
• Be careful interacting with attacker infrastructure
• Be careful running a file to analyze
• Avoid VirusTotal uploads if possible
Defense

68. • Highly recommend implementing forms of Keying
throughout your offensive operations
• Please Key Responsibly…
Hide your remote access code and behaviors as much
as possible during the exercise, but share your
behaviors and IoCs after the exercise.
Conclusion

69. • KeyRing
https://github.com/leoloobeek/KeyRing
• KeyServer
https://github.com/leoloobeek/KeyServer
• Let me know if you have questions or problems on
GitHub or @leoloobeek
Tools

70. Questions?