Posts

Covenant Task 101 - PPID Spoof Example

Covenant is a great C2 tool for red teaming. I use it on most engagements as it's in C# and easily extensible. This post was inspired by Rasta Mouse's Covenant 101, where he nicely described how to modify Covenant source to add a task. The purpose of this post is to leverage Rasta's post to further simplify the process, especially for those new to Covenant. Ryan Cobb, the main author of Covenant, has already done a great job by adding a "Tasks" menu where an admin user can list all tasks and modify their configurations. I will be showing how I leveraged this in a recent engagement to bypass certain EDRs and AV behavioural signatures.

Story Time

Once upon a time, I was contracted to do a red teaming engagement for one of the world's leading pharmaceutical firms. Fast forward to when I crafted and had sent a neat phishing mail (embedded with a link to a malicious Word doc). Within 10 mins, about 9 users had clicked, and I had 9 grunts; however, the grunts we...

Getting Covenant Payloads past Windows Defender [outdated]

Introduction

I wrote an article about a month ago about Covenant and Donut, and mentioned that to get your Covenant payloads past AVs, all you have to do is rename keywords like "Grunt", "Stager" and "Covenant". However, this technique is no longer effective against Defender, as a recent binary payload I altered the same way was immediately detected and quarantined. This shows how fast things change within the offensive and defensive cyber space. In this post, I will show a little trick to modify a grunt payload (C#) and get it past Defender (thus, 98% of other AVs). By default, an unmodified payload is detected as VirTool:MSIL/Covent.A. Part of the alert name, "Covent", indicates Defender knows that this payload is from the Covenant C2. A snippet of the alert is shown below: Looking through the C# code, I modified a lot more keywords that seem to be uniquely associated with Covenant, but this didn't do much as the same alert wa...

Winning Your "Arguments" with EDRs

A recent client engagement had me thinking about ways to evade security tools that rely heavily on command-line arguments. During a red team task, I wanted to dump the SAM database of the victim's system, but I knew that commands such as "reg save HKLM\SAM SAM" would easily be caught by the installed EDR. This technique is well known and documented under Credential Dumping in the MITRE ATT&CK framework, so most EDRs should pick it up. What about somehow modifying the command-line arguments with a fake one, one that's definitely not in the EDR's alert configuration? I later found out this has been implemented in Cobalt Strike 3.13, but I don't have Cobalt Strike ☹ yet. I encountered some online research work that has done very well in introducing and explaining this concept:

- Red Teaming in the EDR age - https://www.youtube.com/watch?v=l8nkXCOYQC4 - Will Burgess
- https://blog.c...

Red Teaming with Covenant and Donut

Red Teaming has rapidly transitioned from Living off the Land (LotL) to Bringing Your Own Land (BYOL). It is now possible to execute .NET assemblies entirely within memory. By developing custom C#-based assemblies, attackers no longer need to rely on the tools present on the target system; they can instead write and deliver their own tools, a technique called Bring Your Own Land (BYOL). This has led to transitions from PowerShell tools (e.g. PowerShell Empire) to frameworks targeted at .NET assemblies. {shamelessly copied from https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html}

About Covenant

Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based ...

The Lie of the "Retis" ransomware - How to decrypt

It's two days to Christmas and there is no petrol to move around, and I have been grounded by my wife for staying out late (10pm), so I stayed at home and played with my daughter (Nicole). At the exact point she slept off, I got a threat intelligence report about a new ransomware dubbed "Retis Ransomware". Bored at home, I decided to have a look at this new toy. I got a sample of it from hybrid-analysis and just threw it into "dnSpy", my favourite .NET decompiler. To my surprise, the code was not obfuscated, as most malware is usually obfuscated to prevent reverse engineering. I also noticed it was very selective about the type of files to encrypt and focused on documents and pictures. I ran it within my test system and it encrypted some files and added a ".crypted" extension. Unlike most disastrous ransomware (WannaCry, NotPetya, BadRabbit), this was a bit lax on the range of files to encrypt, and also it did not seem to delete shadow files, which could b...

Global Cyberlympics Finals 2015 Write-up - Tracker.7z

Hi all, it has been a while since I updated this blog. I just want to share one of the challenges my team solved at the Cyberlympics finals held in Washington DC, USA. Tools used: Wireshark, chaosreader, vncviewer, TightVNC, online QR code scanner. We were given a zipped pcap file, tracker.7z, and asked to analyse it, as it contains some information about a meeting location for a suspect in the whole storyline. We were to get the location of the meeting. Well, we loaded the pcap into Wireshark to have a first look at it. Screenshot below: From the screenshot above, one can notice the VNC protocol being used during the capture; probably the suspect communicated with a remote person via VNC. So we need to reassemble the VNC session and see if that gives us any valuable information. A tool of choice, or probably the only tool I know that can do this, is Chaosreader by Brendan G. Gregg. An index.html file is generated after running chaosreader. Th...