msxsl.exe Working As Designed.

August 25, 2017, 10:30 am

≫ Next: Banned File Execution via InstallUtil.exe Nov 11, 2014 12:58 AM

≪ Previous: DEFCON 30 CFP: New Directions in Cryptanalysis, an Exploration of Disruptive Disclosure

$

0

0

So, I recently was exploring XSL, and injection and came across several interesting references.

<msxsl:script> Element

XSLT Script Block Sample

The basic gist, and what I think is interesting is that you can host/execute scripts inside trusted signed binaries that ingest XML.

So, here is an example, a tool called msxsl.exe.

You can download it here:

1. start /b msxsl.exe customers.xml report.xsl
2. start /b msxsl.exe http://example.com/customers.xml report.xsl
3. start /b msxsl.exe customers.xml http://example.com/report.xsl

The sample code above just show a very basic example.   If you look at the parameters accepted, either the xml or xsl file can be a url.

So, msxsl.exe while not default, may exist in your fleet, and it packs a powerful punch. It is a trusted binary that can be used to bypass some script controls.

Here again, you have a tool, that is working as designed, yet gives has functionality that can easily circumvent many controls.

By that I mean, execution events are likely not being noticed.... And it allows you to load and execute vbs/js and more...

I recently updated a sample you can use for testing.  So, I using the amazing DotNetToJscript, all you need is to update the base64 shell code here and you can execute in the context of msxsl.exe.  Keep in mind its a 32 bit application.

MSXSL Test Cases

You could easily base64 encode and deliver this script host runner too.  Its small but packs a big punch ;-)

Cheers,

Thats all.  Short and simple.

Cheers.

Casey Smith
@subTee

---

Banned File Execution via InstallUtil.exe Nov 11, 2014 12:58 AM

September 2, 2017, 4:52 am

≫ Next: Demogorgon - A Stranger Things Inspired Tool, Coming Soon.

≪ Previous: msxsl.exe Working As Designed.

$

0

0

I was going through some of my old research today, and thought I might share the genesis of one of my older findings.  I thought maybe it would be helpful to share my thinking and motivation for some of the research I have done in the past.

It was October 31, 2014.  We were running a Red Team exercise against our environment, it was the first engagement we had conducted since deploying our then Bit9 App whitelisting software.  Which was kicking our asses.  We had to learn to completely retool.  Dropping arbitrary unsigned, unapproved binaries was NOT going to work..

So, in an effort to try to circumvent the whitelisting we started enumerating all default .NET binaries on the system we were on.  We had proved earlier that year, this might actually be a useful angle for attack.  Details here: Application Whitelist Bypass Using IEExec .

For each binary, we asked the question.... How could I get this binary to execute my code... We were looking in:

C:\Windows\Microsoft.NET\Framework\v2.0.50727

The default path on Window 7.

After a couple hours trolling MSDN we worked our way alphabetically through the list of Assemblies.  We landed on InstallUtil.exe

InstallUtil.exe on MSDN

Now we needed to find a sample or understand HOW InstallUtil triggers execution... No real luck so we decided to Reverse the Assembly.

We used a .NET tool called ILSpy, you can also use dnSPy.

The first path from the args input passed to a Method call occurs on line 18.

This is important, cause we want to know what we can control or influence to get our assembly to execute.  We needed to know what InstallUtil.exe is looking for.  We can trace the arguments as they pass through ManagedInstallerClass.InstallHelper().

For sake of brevity...  We learned that we can influence InstallUtil.exe by crafting an Assembly that gets ingested by InstallUtil.exe and executed. If you continue to read/work through the Assembly. You will find that you need to decorate a class with the attribute
[System.ComponentModel.RunInstaller(true)].

This lead to some really interesting behavior.  We discovered, we could execute this file in our environment,  EVEN if we explicitly banned that file.  This can be execute by any normal user and does not require any additional privileges to execute.

This was a real gem for sure.  We used the utility InstallUtil.exe to complete our mission and about a week and a half later, I finally had some time to report to the vendor. I posted a question to Bit9 in their User Exchange.

I won't share all the details of my original post, but the Carbon Black [CB] User Exchange is a fantastic way to share configuration data, Threat Intel and its a huge asset for CB customers and still is.

CB engineering immediately reached out to me and began digging into the internals of what caused this behavior, and it was subsequently fixed in later releases of their product.

Carbon Black (Bit9 when I was growing up ;-) . Has formal disclosure mechanism in place and they are really great to work with.  Reporting Security Vulnerabilities

So here we are almost 3 years since the original discovery of the use cases for InstallUtil.exe to bypass whitelisting deployments. At least original for me.  Others may have found but weren't blogging / talking about if they did....

If you want to test this against your environment, here is the original gist:

Shellcode via InstallUtil

Later we would write a full blown PE Loader for Mimikatz in InstallUtil

Mimikatz Inside InstallUtil

Here are some screen shots of my original dialogue / disclosure:

What does this all mean, and why am I posting this?

1. You should be aware of InstallUtil.exe as a mechanism to launch unapproved binaries.
2. When you find something, working with the vendor directly helps everyone be prepared.
3. Never stop being curious and investigating ways to adapt on an engagement.
4. InstallUtil has been seen in the wild example: Operation Cloud Hopper
5. This bypass, affects AppLocker as well as other Whitelisting tools.  Not Device Guard though.
6. .NET visibility is weak for a defender perspective, and its easy for an attacker to hide here.
7. App Whitelisting, even in audit mode allows you to track unsigned binaries as they move around your fleet.  For example, once we knew the hash, we could hunt where else it had landed.

I hope this was some helpful context on InstallUtil.exe and its history.

Feedback Welcome.

Cheers,

Casey
@subTee

Demogorgon - A Stranger Things Inspired Tool, Coming Soon.

September 17, 2017, 11:49 am

≫ Next: dbghost.exe - Ghost And The Darkness

≪ Previous: Banned File Execution via InstallUtil.exe Nov 11, 2014 12:58 AM

$

0

0

******
This tool is inspired by the show "Stranger Things".
There are spoilers, so, if you want to watch the show, read no further.
You were warned.  :-)
******

First some background.  If you haven't seen the show.

In the show, an alternate reality, called the Upside Down is introduced.  Think of this as an overlay to the real world, same infrastructure and objects, but unseen, and inhabited with monsters.

"The Upside Down is an alternate reality or dimension existing in parallel to the human world. It contains the same locations and infrastructure as the human world, but it is much darker, colder, foggier..."

In one of the scenes, they discuss the Vale of Shadows from a D&D book...

"The Vale of Shadows is a dimension that is a dark reflection, or echo, of our world. It is a place of decay and death, a plane out of phase, a [place] with monsters. It is right next to you and you don’t even see it..."

Over the summer, I took some time off to reflect and think about things... While binge watching the show, I was inspired to think about Apex actors.  :-).  The result was a show inspired tool I wrote.

By Apex actors, I mean those actors that are untouchable so to speak.  Think of apex predators in the natural world.  These are the animals at the top of the food-chain...

Ok.  So the question becomes, if we are really into "Adversarial Emulation", how can we mimic the actions of these actors.  What exactly are Apex actors capable of?

Here would be a short list of what I would consider examples of Apex actor capabilities:

• Remote Privilege Escalation
• DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis
• Digging deep for PLATINUM
• Careto

So, while you may think your Red Team operates like an Apex actor, you probably do not. 

If you are honest, you probably operate/emulate something like cyber criminal capabilities.

So, what is the point of this post?

Over my time off this summer, I spent a fair amount of time exploring the idea of releasing a set of tools/capabilities to be able to emulate an Apex actor.

I wanted to build something that would give teams the ability to step up their game.  I want limited distribution to keep the "mystique" and to not to be a commodity tool.  

I wanted to something to allow Red Teams to operate from the "Upside Down" ;-).

The Upside Down being a Stranger Things reference to being able to operate from an "undetectable dimension", and interact with the actual infrastructure of an organization.  

Geeky? Yes. Possible? Absolutely.

I developed a tool, I'm calling Demogorgon:

"What’s a Demogorgon? Why were they so afraid to face it in battle? Demogorgon is none other than the Prince of Demons, and has been an iconic D&D creature since 1975, along with Orcus, his chief rival and enemy. You can find a short description of Demogorgon in the 5th edition Monster Manual under the Demon Lords section (pgs. 51-52), and a brief mention in the 5th edition Dungeon Master’s Guide in The Abyss section (pg. 62)." [1]

I will first share some of my architectural decisions and capabilities that I built into the tool.  The idea was to be a "rootkit-like thing".  Rootkits are interesting, in that they want to run, they want to hide. Some traditional rootkit capabilities just aren't always necessary, and will likely get you caught by modern Operating System defenses. 

Some things I've added include:

• Novel execution, migration and repair capabilities. (The Flea)
• Detailed logging and reporting from Red Team use.  
• Modules delivered as keyed byte arrays.  Minimize PE structures, RWX regions etc... (Inspired by Ebowla )

Do we really need a new tool?  Maybe, if you don't think so, don't use it... Its not going to be for everyone anyway.  I wanted to learn some advanced tactics.  I wanted to push past modern detections and advance defender detection capabilities. 

I intend limited distribution to friends and family.  Once I've got the bugs worked out, I'll distribute to a wider audience, maybe.  I intend to limit distribution.  Maybe it will only be available west of the Mississippi :-) .

This tool is not meant to compete with tools like Empire, Cobalt Strike, or Metasploit.  From host based to network based, many organizations are prepared for and have strong detection capabilities for these tools.

These are all still highly effective tools, but they often have strong signatures and detections built around them.

If all goes well, the final development will be ready for October 31st release.  

Thats it, just a sneak peak of stranger things to come.

The idea behind Demogorgon, is to give Blue Teams a chance to face their nightmare, something they have never seen before, and something that they can't see.

Feel free to DM if you want to be added to the list of technical reviewers.

Cheers,

Casey 

@subTee

dbghost.exe - Ghost And The Darkness

September 22, 2017, 12:04 am

≫ Next: CLRGuard - Let's Kick the Door Down. Part One

≪ Previous: Demogorgon - A Stranger Things Inspired Tool, Coming Soon.

$

0

0

I found another Device Guard bypass recently.  It was great to get to work with MSRC to get confirmation of the bypass, and to have them update the Device Guard configurations here:

Device Guard Configuration

This is another example of a misplaced trust bypass.  A trusted signed binary that can allow unapproved execution.

I'll keep this post short and sweet.

This tool is well documented on MSDN:

How to Use the Debug Diagnostic Tool v1.1 (DebugDiag) to Debug User Mode Processes

Read that carefully ;-)

So... dbghost will execute vbs scripts.  The next question is, what form? Anything special to do?

This is what caught my eye:

'Load the .NET debugger extension sos.dll (2.0 version)
CmdOutput = g_Debugger.Execute("!load C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\SOS.dll")
'Get the size of the GC
CmdOutput = g_Debugger.Execute("!eeheap -gc")

Couple of things there. If you are familiar with windbg, you will recognize that this allows you to not only execute .vbs... But you can execute windbg commands too.

Check out Matt Graeber's  example of some things you could do with windbg scripts:

Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner

Thats it, I'll leave it for you to explore your own implementation here.

Special thanks to Matt Graeber and Matt Nelson for the ideas, inspiration, and confirmation of the bypass.

This tool is not default, but it may be in your fleet.

Thats all for now. Reading MSDN pays off again ;-)

Cheers,


Casey
@subTee

CLRGuard - Let's Kick the Door Down. Part One

September 27, 2017, 5:09 pm

≪ Previous: dbghost.exe - Ghost And The Darkness

$

0

0

I really like this tool!  Let me start with that. ;-)

I really appreciate Joe Desimone ( @dez_ ) and EndGame making this available open source.

First, check this DerbyCon 2017 Talk out, it will help you have the necessary background.

The code can be found here:

I've had some time to experiment with this code the last few days.

Lets look at the tool.  Its pretty straight forward to deploy for your testing. 

I wanted to show you how this tool can disrupt the MSBuild attacks I have been working on. 

The feature that I have abused in the past execute .NET assemblies in memory, is called Inline Tasks

Lets see what happens when we try to run Mimikatz Inside MSBuild:

BOOM!

I will do another post in the future to go over the internals and some bypasses (I may have found a one or two  :-)  ).

This is a great training tool.  When you find bypasses to this type of defense, it will lead you to better capabilities as an attacker.  I encourage you to dig in and learn from this prototype.  Really good stuff.

This is one of the first tools, I've seen to directly challenge the tactics I am using in .NET to block the capability.

Here is an analogy.

This tool, is NOT an Over-The-Horizon Tool.

Sometimes, we choose to engage attackers Off-Horizon with data collection and analytics.

Sometimes, you have to get in their face a bit, kick in some doors. Write mitigations that directly disrupt the attacks.  Kick in some doors, if you will.

Both tactics have their place.

This tool is designed for the tactical hunt. To get inline with attackers.

Thats all for today.  Great Work Joe, keep it up.

Cheers,

Casey
@subTee