Winning Your "Arguments" with EDRs



A recent client engagement had me thinking about ways to evade security tools that rely heavily on command line arguments. During a red team task, I wanted to dump the SAM database of the victim’s system, but I knew that commands such as “reg save HKLM\SAM SAM” would easily be caught by the installed EDR. This technique is well-known and documented under Credential Dumping in the MITRE ATTACK framework, so most EDRs should pick it up.

What about somehow modifying the commandline arguments with a fake one, one that’s definitely not on the EDR’s alert configuration. I later found out this has been implemented in Cobalt Strike 3.13, but I don’t have CobaltStrike yet. I encountered some online research work that has done very well in introducing and explaining this concept:
·         Red Teaming in the EDR age - https://www.youtube.com/watch?v=l8nkXCOYQC4 – Will Burgess
·         https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/ - Raphael Mudge
·         https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/ - Adam Chester

As I have grown fond of C# over the past few months, I looked for some existing C# code and noteworthy is FuzzySecurity’s “SwampThing”. It creates a process in a suspended state, rewrite the PEB, resume and finally revert the PEB. The PEB is like metadata for the process and contains the commandline arguments. In the suspended state, the PEB is identified and the benign arguments are switched to the malicious ones. When process is then resumed, Windows records the benign arguments, but it is the malicious ones that are executed.

For example: SwampThing.exe -l C:\\Windows\\System32\\notepad.exe -f C:\\fake.txt -r C:\\real.txt




Examination of the sysmon logs show that the fake arguments were logged, but there is the problem of the ParentCommandLine as shown below, it gives away the arguments, and a good threat hunter should catch this easily.


A simple way to avoid this detection (to an extent) is to modify the SwampThing source code and hard-code the arguments within the source code, recompile and run. An example is shown below: trying to dump SAM, SECURITY, SYSTEM in order to extract the local credentials.


Before execution, rename SwampThing.exe to something more generic (DiagReg.exe) in a good location on disk (C:\Windows\System32\). Recompile the source code and execute on the victim system. This should dump the SAM file to C:\Windows\System32\SAM. Repeat this for SYSTEM and SECURITY.




A look at the logs shows the fake arguments and it sort of looks legitimate 😉


Once this is done for SAM, SECURITY and SYSTEM, one can use impacket’s secretdump.py to dump extract the hashes.


This process was replicated on a system with well known EDRs and AVs without detection. Blue teams should ensure their threat hunt game is up and running. Also note that this method just tries to bypass the command line detection rule sets, its not a silver bullet for it. Success depends on the rule sets in place.

Comments

  1. simfront24 February 2021 at 22:09

    This post is much helpful for us. This is really very massive value to all the readers and it will be the only reason for the post to get popular with great authority.
    VCCI

    ReplyDelete

Post a Comment

Popular posts from this blog

Pentesting Android applications

Image
Hi all, I would like to talk about the coolness of android applications. So if you want to perform a security review an android app, how will you go about it? There are so many ways to go about this, i will highlight some of the ways I use. 1) Most android applications work just like Web applications, they send out HTTP requests using POST and GET methods. So a cool thing to do is to intercept and capture these requests, make modifications and monitor responses (which can also be intercepted and modified). So how can this be done? A sweet way to achieve this is by proxying all traffic from the application on your phone through a proxy tool such as Burp Suite (coolest tool for me). Now how can you direct that phone traffic to your Burp Suite which is probably running on a laptop or system? Well, you can use a great android tool called "Proxy Droid" to direct the traffic to the IP address and port on which the burp suite is listening. You can connect them to the same wire...
Read more

Global Cyberlympics Finals 2015 Write-up - Tracker.7z

Image
Hi all , It has been a while since I updated this blog. Just want to share one of the challenges my team solved at the Cyberlympics finals held in Washington DC, USA. Tools used : wireshark, chaosreader, vncviewer, tightVNC, online QR code scanner. We were given a zipped pcap file - tracker.7z and asked to analyse it as it contains some information about a meeting location for a suspect in the whole storyline. We were to get the location of the meeting. Well, we loaded the pcap into wireshark to have a first look at it. Screenshot below: From the screenshot above, one can notice the VNC protocol being used during the capture, probably the suspect communicated with a remote person via VNC. So we need to reassemble the VNC session and see if that gives us any valuable information. A tool of choice, or probably the only tool I know that can do this is Chaosreader  by Brendan G. Gregg.   An index.html file is generated after run with chaosreader. Th...
Read more

Red Teaming with Covenant and Donut

Image
Red Teaming has rapidly transitioned from Living off the Land (LotL) to Bringing Your Own Land (BYOL). It is now possible to execute .NET assemblies entirely within memory. By developing custom C#-based assemblies, attackers no longer need to rely on the tools present on the target system; they can instead write and deliver their own tools, a technique called Bring Your Own Land (BYOL).  This has led to transitions from PowerShell tools (e.g. PowerShell Empire) to frameworks targeted for .NET assemblies. {shamelessly copied from  https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html } About Covenant Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based ...
Read more