Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[CB20] Operation I am Tom: How APT actors move laterally in corporate networks by Aragorn Tseng and Charles Li

TeamT5 has helped many cyber-attack victims defending against APT actors for years. We see enormous cases showing that the actors still maintained their access to the victim network after some malware cleaning by unexperienced network managers or immature security teams. The main reason would be lacking knowledge regarding threat actors’ techniques in lateral movement operations. For example, Microsoft Windows Active Directory plays a key role and dominates most corporate network environments for centralized management and authentication. However, there are many scenarios of improper security settings would cause Active Directory attacks to become a convenient way for threat actors to move around.
In this talk, we are going to present lateral movement methods to penetrate corporate network environment and techniques to bypass security monitoring systems. All cases are based on our real experiences fighting with APT actors in recent years. We categorize them into 4 categories and list the items as below:

1.AD Farm's penetration technique: mimilib, MemSSP, skeleton key, ACL abuse
2.Web-shell technique: IIS module abuse, Web source code injection, Deserialization, Rootkit
3.Second Tier backdoor techniques: DLL-hijack, IAT insert, Port reuse
4.Miscellaneous technique: how actors moving laterally in your network without malware or hacking tools.

The target audiences of this talk include security researchers, antivirus vendors, SOC team analyst and incident response teams. The techniques disclosed in this talk would help and facilitate blue team members to detect and understand threat actors’ footprints inside a corporate network and effectively block their activities.

  • Be the first to comment

  • Be the first to like this

[CB20] Operation I am Tom: How APT actors move laterally in corporate networks by Aragorn Tseng and Charles Li

  1. 1. Aragorn Tseng Charles Li
  2. 2. ✚ ADFarm's penetration ✚ Webshell ✚ Miscellaneous technique AGENDA ✚ Introduction
  3. 3. Charles Li 1P 2PCTO Aragorn Tseng Malware Researcher
  4. 4. How APT actors move laterally in corporate networks(Operation: I am Tom) The operation name came from:
  5. 5. How APT actors move laterally in corporate networks(Operation: I am Tom) This talk covers: • Post-exploitation techniques abused by threat actors in corporate networks for the following purposes: • Lateral movement • Bypass detection or thwart analysis • Observed in real incident response cases by TeamT5 • They are leveraged by Chinese threat actors and discussed in some Chinese forums
  6. 6. How APT actors move laterally in corporate networks(Operation: I am Tom) Core-level host Application-level host
  7. 7. Core-level host AD Farm 's penetration How APT actors move laterally in corporate networks(Operation: I am Tom)
  8. 8. LSA NTLMSSP Kerberos CredSSP SSPI Active Directory Authentication NTLM Remote Desktop  SSP: Security Support Provider  SSPI: Security Support Provider Interface  LSA: Local Security Authority MimikatzMemSSP mimilib msv1_0.dll kerberos.dll credssp.dll
  9. 9. Mim ilib - SSP  Mimilib is a tool of Mimikatz Copy mimilib.dll to c:¥windows¥system3 2 Modify registry: HKEY_LOCAL_MACHINE¥Sys tem¥CurrentControlSet¥Co ntrol¥Lsa¥Security Packages¥ After rebooting, kiwissp.log will generate at c:¥windows¥system32
  10. 10. Mim ilib - SSP
  11. 11. Mim ilib - SSP
  12. 12. Mim ilib - Mem SSP  Mimilib also support patch ssp(lsass.exe) in memory Run Mimikatz type misc::memssp inject Lsass.exe’s memory Once someone login or run “Runas”, mimilsa.log will be generated in c:¥windows¥system32
  13. 13. Mim ikatz m em ssp – m em ory status
  14. 14. Mim ikatz m em ssp – password
  15. 15. Mim ikatz m em ssp – patched dll Patched dll
  16. 16. Skeleton Key  Skeleton Key is installed in 64bit domain server  Support Windows Server 2003—Windows Server 2012 R2  Inject shellcode into lsass.exe to change its execution flow  Allow all domain users to log in with the same universal password  All domain users can still log in with the original password  It will fail after restart Run Mimikatz type misc::skeleton inject Lsass.exe’s memory Just use "mimikatz" can log in
  17. 17. Mim ikatz skeleton key
  18. 18. Mim ikatz skeleton key – injected lsass
  19. 19. Mim ikatz skeleton key – injected shell code
  20. 20. Mim ikatz skeleton key – patch dll Patched dll
  21. 21. Wdigest – clear text passwords  For Windows 7, 8, Server 2008 R2 and Server 2012  KB2871997 update  HKEY_LOCAL_MACHINE¥System¥CurrentControlSet¥Control¥SecurityProviders¥W Digest¥UseLogonCredential set to 1 Picture source : -clear- text-passwords-stealing-more-than-a-hash/
  22. 22. Registry ACL
  23. 23. clear text passwords
  24. 24. Mim ikatz bypass AV  VMP  Mimikatz variant
  25. 25. ntds.dit  Windows password is stored after being hashed and stored locally in hklm¥SAM and HKLM¥system in the registry  In the domain, password is stored in C:¥Windows¥ntds¥ntds.dit and HKLM¥SYSTEM of the domain controller Take snapshot of ntds.dit Copy ntds.dit and delete the snapshot Get the key from registry Use NTDSDumpEx to get all user’s password hash us/library/windows/desktop/gg294074.aspx
  26. 26. Precautions  Remove or limit access to Windows shares  Disable the remote registry service  Limit the possibility of DLL injection by removing users and groups from the ‘Debug Programs’ policy setting (SeDebugPrivilege)  Lsass.exe process protection  Protected Users Group  NTLM is not used. Kerberos or third party SSP is required  Kerberos tickets have a shorter life span  Windows Digest is not cached
  27. 27. Application-level host Webshell How APT actors move laterally in corporate networks(Operation: I am Tom)
  28. 28. IIS Module Use APPCMD Install IIS Module Need to obtain the administrator rights of the IIS server first Use IIS Administration Tool to register register IIS Web The process where the dll is located is w3wp.exe -Raid
  29. 29. IIS-Raid  Compiling  Installing
  30. 30. IIS Module Precautions  Check whether IIS is installed with a backdoor by viewing Modules  1. Use APPCMD.EXE command line tool  C:¥Windows¥system32¥inetsrv¥APPCMD.EXE list module  2. Use IIS Administration Tool for interface operations  Run inetmgr.exe and enter the IIS manager  Select Modules  Also note that only when the module is successfully loaded, the module- related dll can be found in w3wp.exe
  31. 31. Exchange privilege Default system permissions!!!
  32. 32. Webshell
  33. 33. Add malicious code in javascripts of Logon.aspx The malicious code will post username and password to errorFE.aspx Add malicious code in errorFE.aspx The malicious code will save the username and password into C:¥Windows¥Debug¥errorFE.tmp Modify the source code
  34. 34. HyperShell  APT34Leaked Tools  For Exchange webshell  Add code to ExpiredPassword.aspx  Request URL: https://<domain>/owa/auth/ExpiredPassword.aspx  The default permission of webshell under this path is System cyber-espionage-tools-leaked-on-telegram/
  35. 35. curl " https://<dom ain>/owa/auth/expiredpassword.aspx" --data "url=..%2F&usernam e=…..&newPwd2=….."
  36. 36. Com pile dll (iis cache)  Csc.exe compile will generate a compile dll cache file  Only after the aspx file is executed  It can be used when checking, to see when the file was generated
  37. 37. Precautions  Modify directory permissions  File check (number of files, file hash)  fciv.exe(Microsoft) and-description-of-the-file-checksum-integrity-verifier-u us/download/details.aspx?id=11533
  38. 38. Exchange Antivirus Whitelist  Mailbox servers  Client Access servers  Web components  %System Root%¥System 32¥Inetsrv  Inetpub¥logs¥logfiles¥w3svc  %System Root%¥Microsoft.NET¥Framework64¥v4.0.30319¥Tem porary ASP.NET Files Ref: virus-software-in-the-operating-system-on-exchange- servers-exchange-2013-help
  39. 39. Exchange Antivirus Whitelist
  40. 40. (De)Serialization overview  ASP.NETViewstate deserialization  CVE-2020-0688 : Remote code Execution on Exchange Server
  41. 41. Microsoft .NET Viewstate  Object passed between client & server  Stores both user-submitted and application information  Protected by HMAC crypto  If server-side HMAC routine checks out, ViewState is processed  If HMAC check fails, ViewState error occurs  Viewstate is serialized by LosFormatter and deserialized by ObjectStateFormatter  supports ObjectStateFormatter
  42. 42. Machinekey Elem ent  Validation Key  used to sign the ViewState HMAC  Decryption Key  used for ViewState symmetric crypto  Load Balanced Environment Considerations  Keys can not be autogenerated (default behavior)  Must hard-code keys on all IIS servers in the pool  These values are stored in the file web.config
  43. 43. When you got a web config
  44. 44. Exploitation Path  Utilize to generate a malicious ObjectStateFormatter payload  Sign the payload with a valid HMAC  Submit this payload as a ViewState  The server will:  Validate the HMAC  Deserialize the malicious payload
  45. 45. Picture source : -with-dotnet-viewstate- exploit-and-create-fileless-webshell/
  46. 46. Precautious  Review your open source projects for default keys  If your web server is ever compromised or has a file read and XXE flaw, regenerate your keys or set to autogenerate  Encrypt the machine key
  47. 47. TEBShell  TEBShell is a backdoor based on HTTP API. After it is executed, it will use Windows HTTP Server API to open an Http server service and register a specific URL for actors to control. It is a backdoor for listen port.
  48. 48. TEBShell (White) Benign EXE (Black) Malicious DLL (Black) Encrypted Payload payload dll hijack Inject process Ex:dllhost.exe webshell query specific urls to access webshell Ex: register
  49. 49. TEBShell 3.0
  50. 50. Miscellaneous technique How APT actors move laterally in corporate networks(Operation: I am Tom)
  51. 51. "StickKeys" Backdoor  C:¥windows¥system32¥sethc.exe  shift * 5  copy /y cmd.exe C:¥windows¥system32¥sethc.exe  HKEY_LOCAL_MACHINE¥SOFTWARE¥Microsoft¥Windows NT¥CurrentVersion ¥Image File Execution Options¥sethc.exe  Debugger set to cm d.exe
  52. 52. Attacker’s trap? 2020-09-01 IISlog attacker access a.aspx 2020-09-01 eventlog Del c:¥inetput¥wwwroot¥a.aspx 2020-09-01 eventlog Del c:¥inetput¥wwwroot¥b.aspx 2020-09-03 IISlog attacker access a.aspx 2020-09-03 eventlog Del c:¥inetput¥wwwroot¥a.aspx 2020-09-04 IISlog attacker access a.aspx 2020-09-04 eventlog eventlog clear 2020-09-05 IISlog attacker access a.aspx 2020-09-05 eventlog eventlog clear
  53. 53. Rootkit to hide directory  In the beginning, the attacker used normal Webshell to operate and pull a lot of data  After incident response, the hacker used Rootkit (Easy File Locker) to hide the file directory. Dropper Rootkit Hide the directory of Webshell
  54. 54. Easy File Locker 1b09d7e0d250236f510420dd8b848fbd
  55. 55. Check source host MAC??
  56. 56. VPN abuse different attack’s source MAC Fail to host check policy Pass host check policy Same attack’s source IP
  57. 57. VPN abuse different attack’s Hostname Find host in TWdomain, bypass security policy
  58. 58. Virtual Directory
  59. 59. Thanks! We hope you gained !!!