The goal of this project is to highlight why environments should be configured with least privilege to help prevent would-be attackers from compromising your infrastructure. Further, we thought the best way to teach and learn best practices for defending against attackers and implementing proper security settings was to attempt to break down our own defenses, where we get to see both sides of the scenario: the attacker's, and more importantly for us, the defender's.
A user receives an email with a malicious macro-enabled document that impersonates a legitimate invoice from an expected sender. When opened, it connects to a web server and drops a malicious downloader. The downloader then grabs the main payload, named Java.exe, from the web server, adds multiple persistence methods, protects against tampering, and ultimately allows the attacker to compromise the target machine.
In a real-world instance of this compromise, an attacker would do extensive reconnaissance for users that are more likely to open emails, or those that have higher privileges, such as IT administrators. Further, a smart attacker will research the standard formatting and images used in the target organization's emails, as well as locate organizational charts to try to determine who reports to whom. Then, they will draft an email and make it appear as though it comes from an individual the target normally receives email from.
In our experience, many organizations struggle with susceptible users opening emails that lead to compromises of infrastructure and exfiltration of valuable personally identifiable information and company assets. Examples of susceptible users include accounts payable staff receiving and opening invoices, or human resources staff receiving resume documents.
Malicious Document – Kill Chain: Delivery
Mitigation: Securing Microsoft Office
The fake invoice, Totally Not a Virus, attempts to convince the target they need to click “Enable Content” if the invoice is missing information.
Once the hidden macro content is enabled, the document downloads a portable executable, a dropper – Vestiged.exe, from the malicious web server, saves it to the \Downloads file path, and then launches it.
In our experience, the paths commonly used by malicious attacks are folders that contain numerous user files (particularly .exe files), folders that are hidden by default, or folders utilized by the operating system.
Kill Chain: Installation
Mitigation: Least Privileges
Vestiged.exe calls two functions to execute PowerShell commands which communicate with the stage 1 command and control (C2) web server to retrieve the main payload, Java.exe, and the UAC bypass script UAC-TokenMagic.ps1. In addition, the dropper has functions for determining whether installation of all required files was successful.
Upon successful download, the dropper creates a hidden folder, JavaUpdater, in C:\ProgramData. Then, it copies the files from the user's \Downloads to the newly created folder and deletes the original downloaded files.
Multiple while loops are used to confirm each step in the installation process has succeeded, and once all functions return as true, the fake Java.exe launches.
Mitigation: Least Privileges
The payload first checks the operating system of the machine it was installed on to confirm that it meets the criteria for running and full deployment, in this case Windows 10. Then, it deletes the dropper and removes the residual files from \Downloads.
The program then utilizes FuzzySecurity's UAC-TokenMagic.ps1 (in an actual attack, this would be renamed and modified to help avoid AV and AMSI detection). This is initiated by a hidden Command Prompt that creates a PowerShell process with commands to bypass the ExecutionPolicy restrictions that prevent scripts from running, import the module, and apply the UAC bypass to the payload, which is disguised as legitimate software.
Because this user was configured in an environment where least privileges were not implemented, the UAC bypass allows Vestige to run its processes with full administrative privileges on the machine, which in turn enables elevation to SYSTEM for its persistence mechanism.
Kill Chain: Persistence
Mitigation: Detecting Compromises
Once the UAC bypass is established for the malicious payload, all functions and processes it initiates launch with full administrative privileges.
The payload then creates a new user, OwnedUser, and adds it to the local Administrators group using CMD and net processes. It then grants itself full trust in the firewall to allow for future updates.
A scheduled task is created with the highest run level that will launch the payload if the computer has been idle for 2 hours (this command has been encoded in Base64 as an example of obfuscation techniques; more on this later).
Scheduled task without obfuscation:
$action = New-ScheduledTaskAction -Execute 'Java.exe'
$settings = New-ScheduledTaskSettingsSet -RunOnlyIfIdle -IdleDuration 00:02:00 -IdleWaitTimeout 02:30:00 -Hidden
$prin = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Administrators' -RunLevel Highest
Register-ScheduledTask -Action $action -Settings $settings -Principal $prin -TaskName 'Java' -Force
The program then adds itself to multiple Autostart Extensibility Points (ASEPs) in the Registry under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, under \Windows\CurrentVersion\Run, depending on the privileges of the logged-on user.
The payload then copies itself to multiple directories, one for each additional ASEP. The files are created with hidden attributes in existing hidden folder locations.
A while loop is utilized to confirm that the copied files remain present on the machine and recreates them with the "dupe()" function in the event a user or AV removes them. If any of the files or persistence mechanisms are removed, Vestige launches the "encryptLockout()" function, which encrypts multiple directories on the machine, deletes the original versions of the encrypted files, and then deletes itself to prevent analysis.
For persistent control, a reverse TCP shell is added to a registry key in HKCU that launches any time the compromised user logs on.
Kill Chain: Command and Control
A reverse TCP shell in the form of an encoded PowerShell command is launched. This shell attempts to connect to the IP address of the attacker's Kali Linux machine, "public" IP 18.104.22.168, on port 80. Port 80 is used because perimeter firewalls in enterprise configurations allow traffic on it; it has the added benefit that the shell is less likely to be detected among all of the regular HTTP traffic going in and out of a network.
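The Base64-encoded PowerShell commands in this chain (the scheduled-task registration shown earlier, and the reverse shell stored in the HKCU Run key) are what a defender actually sees in process-creation logs and Run-key values. As an added example, not code from the Vestige project, the Python below decodes PowerShell's -EncodedCommand form (UTF-16LE text, Base64) and flags the persistence indicators described in this write-up; the sample command lines and the indicator list are constructed for the example.

```python
import base64
import re

# Persistence indicators taken from this write-up: task at highest run level, hidden
# task settings, Run keys, and adding a user to the local Administrators group.
INDICATORS = {
    "scheduled_task": r"Register-ScheduledTask",
    "highest_runlevel": r"-RunLevel\s+Highest",
    "hidden_task": r"New-ScheduledTaskSettingsSet[^;]*-Hidden",
    "run_key": r"CurrentVersion\\Run",
    "local_admin": r"net\s+localgroup\s+administrators",
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None.
    PowerShell expects Base64 of UTF-16LE text; undecodable input is also None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdline):
    """Decode if needed, then list which persistence indicators the command contains."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, script, re.I)]
    return {"encoded": ENC_FLAG.search(cmdline) is not None, "decoded": decoded, "hits": hits}


def encode_for_powershell(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: the scheduled-task registration from this write-up, encoded as it
# would appear in a process-creation log or a Run-key value.
TASK_SCRIPT = (
    "$action = New-ScheduledTaskAction -Execute 'Java.exe'; "
    "$settings = New-ScheduledTaskSettingsSet -RunOnlyIfIdle -IdleDuration 00:02:00 -IdleWaitTimeout 02:30:00 -Hidden; "
    "$prin = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\\Administrators' -RunLevel Highest; "
    "Register-ScheduledTask -Action $action -Settings $settings -Principal $prin -TaskName 'Java' -Force"
)
SAMPLE_MALICIOUS = "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_for_powershell(TASK_SCRIPT)
# Constructed benign sample: encoding alone is not an indicator, so this yields no hits.
SAMPLE_BENIGN = "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date")
```

An encoded argument that fails to decode still comes back with "encoded" set and "decoded" empty, so it can be escalated rather than silently dropped.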
On the Kali attacker machine, Netcat is configured as a verbose listener on port 80 and constantly waits for a connection from the target machine.
A successful connection provides a reverse shell to the compromised machine, and control of the target is established.
Caveats for the payload:
- To allow easier understanding of the attack, none of the strings or source code were obfuscated, nor were any of the EXE files packed. In our experience with real attacks, heavy obfuscation (such as Invoke-Obfuscation), fileless processes, and packers would be utilized to prevent detection and analysis, amongst many other techniques.
- The encryption method uses a hard-coded IV, which would allow easy deciphering of the encrypted files. The intent of this project is a POC, not to create advanced encryption methods that prevent decryption.
- Additional functions, including detection of whether the processes are running on a virtual machine, support for staged updates and modification of C2s, and polymorphic file attributes, are currently underway.
- Cloud detections for Windows Defender were enabled on this machine; however, there was no Internet connection to the outside world in the lab environment. It is possible that Windows Defender would have detected and stopped some of these processes based on behavioral analysis if there had been an active Internet connection, necessitating additional steps to prevent detection.