1 00:00:00,630 --> 00:00:02,810 Malware exploitation. 2 00:00:02,810 --> 00:00:03,730 In this lesson, 3 00:00:03,730 --> 00:00:06,830 we're going to talk about malware exploitation techniques. 4 00:00:06,830 --> 00:00:10,510 And so, we have to first define what is an exploit technique. 5 00:00:10,510 --> 00:00:13,380 Well, an exploit technique describes the specific method 6 00:00:13,380 --> 00:00:16,700 by which malware code infects a targeted host. 7 00:00:16,700 --> 00:00:19,680 Now, there is lots of different ways that this can be done. 8 00:00:19,680 --> 00:00:21,720 In the old days, we used to have malware 9 00:00:21,720 --> 00:00:24,170 that would go and rewrite or modify the code 10 00:00:24,170 --> 00:00:27,880 within an executable or a macro file on a target disk. 11 00:00:27,880 --> 00:00:31,000 That way, whenever that file was run, the virus was loaded, 12 00:00:31,000 --> 00:00:34,680 it could execute its payload and go out and do bad things. 13 00:00:34,680 --> 00:00:35,940 Now, if we had worm malware, 14 00:00:35,940 --> 00:00:38,700 it would actually go out and try to infect only the memory, 15 00:00:38,700 --> 00:00:40,230 and then go through a process 16 00:00:40,230 --> 00:00:42,590 of going through remote procedure calls over the network 17 00:00:42,590 --> 00:00:45,340 trying to infect as many other hosts as it could. 18 00:00:45,340 --> 00:00:47,180 Now, modern malware on the other hand though, 19 00:00:47,180 --> 00:00:48,860 uses fileless techniques 20 00:00:48,860 --> 00:00:51,440 to avoid detection by signature-based security systems 21 00:00:51,440 --> 00:00:55,180 like any virus and host-based intrusion detection systems. 22 00:00:55,180 --> 00:00:58,680 By being fileless, this means that the malware is executed 23 00:00:58,680 --> 00:01:01,890 directly as a script or a small piece of shellcode 24 00:01:01,890 --> 00:01:04,130 that creates a process in the system memory 25 00:01:04,130 --> 00:01:06,600 without having to use the local file system. 26 00:01:06,600 --> 00:01:08,540 Now, some of these things will actually get installed 27 00:01:08,540 --> 00:01:10,880 to a temporary directory first and then be run, 28 00:01:10,880 --> 00:01:12,390 and then they'll delete themselves. 29 00:01:12,390 --> 00:01:14,890 But we'll still consider those relatively fileless, 30 00:01:14,890 --> 00:01:17,040 because there's not a lot of evidence on the drive 31 00:01:17,040 --> 00:01:18,550 for people to find you. 32 00:01:18,550 --> 00:01:21,200 Now, this is one of the things that a lot of APTs will use. 33 00:01:21,200 --> 00:01:22,820 And so we have to ask the question, 34 00:01:22,820 --> 00:01:26,690 "How does an APT use this modern malware to operate?" 35 00:01:26,690 --> 00:01:29,820 Well, first, it's going to use a dropper or a downloader. 36 00:01:29,820 --> 00:01:32,750 The first step is the malware has to get on your computer, 37 00:01:32,750 --> 00:01:34,890 and it's going to do that in a fileless manner. 38 00:01:34,890 --> 00:01:35,880 And the way they're going to do this 39 00:01:35,880 --> 00:01:38,950 is by running lightweight shellcode on your system. 40 00:01:38,950 --> 00:01:39,783 By doing this, 41 00:01:39,783 --> 00:01:42,660 this becomes what we call a dropper or a stage one dropper. 42 00:01:42,660 --> 00:01:44,060 And it's then going go out 43 00:01:44,060 --> 00:01:46,150 and download the rest of the code. 44 00:01:46,150 --> 00:01:48,320 And so that dropper is just a very small file 45 00:01:48,320 --> 00:01:50,590 and can run very easily from memory. 46 00:01:50,590 --> 00:01:52,850 Now, the whole point here is to try to trick the user 47 00:01:52,850 --> 00:01:55,020 into clicking on something or running the code, 48 00:01:55,020 --> 00:01:58,210 and that way, they are infecting their own machine. 49 00:01:58,210 --> 00:02:01,480 At that point, the APT then tries to maintain access. 50 00:02:01,480 --> 00:02:03,160 The malware is now on the system, 51 00:02:03,160 --> 00:02:05,830 and it's going to install that second stage downloader. 52 00:02:05,830 --> 00:02:07,040 That downloader can download 53 00:02:07,040 --> 00:02:09,080 something like a remote access Trojan. 54 00:02:09,080 --> 00:02:10,870 And this will give the adversary C2 55 00:02:10,870 --> 00:02:12,710 over that victim machine. 56 00:02:12,710 --> 00:02:15,130 After that, they're going to start strengthening their access. 57 00:02:15,130 --> 00:02:15,963 And to do that, 58 00:02:15,963 --> 00:02:18,100 they're going to use that remote access tool they have 59 00:02:18,100 --> 00:02:19,810 from the maintaining access phase, 60 00:02:19,810 --> 00:02:21,160 and they're going to start looking around 61 00:02:21,160 --> 00:02:23,760 and identifying and infecting other systems. 62 00:02:23,760 --> 00:02:24,610 As they're doing this, 63 00:02:24,610 --> 00:02:26,330 they're trying to find systems of higher values, 64 00:02:26,330 --> 00:02:28,500 like servers or domain controllers. 65 00:02:28,500 --> 00:02:29,470 But even if not, 66 00:02:29,470 --> 00:02:31,460 they want to compromise other workstations too 67 00:02:31,460 --> 00:02:32,860 and do this lateral movement 68 00:02:32,860 --> 00:02:34,700 so they can gain additional privileges 69 00:02:34,700 --> 00:02:35,890 and an additional footprint. 70 00:02:35,890 --> 00:02:37,420 So, if you find them on one machine, 71 00:02:37,420 --> 00:02:39,030 hopefully you can find them on the other machine 72 00:02:39,030 --> 00:02:40,830 and they get to stay there. 73 00:02:40,830 --> 00:02:42,500 After this, they move into step four, 74 00:02:42,500 --> 00:02:44,490 which is actions on objectives. 75 00:02:44,490 --> 00:02:45,900 Now, with actions on objectives, 76 00:02:45,900 --> 00:02:47,850 the attacker now has enough permissions 77 00:02:47,850 --> 00:02:49,960 and they've identified enough things that are of interest 78 00:02:49,960 --> 00:02:51,960 that they can start doing what they want to do, 79 00:02:51,960 --> 00:02:54,410 which is usually going to be copying or stealing files, 80 00:02:54,410 --> 00:02:56,420 encrypting files or doing something else, 81 00:02:56,420 --> 00:02:57,980 whatever their motive was. 82 00:02:57,980 --> 00:02:59,770 And then finally we have our fifth step 83 00:02:59,770 --> 00:03:01,090 which is concealment. 84 00:03:01,090 --> 00:03:02,350 The attacker, at this point, 85 00:03:02,350 --> 00:03:04,580 is going to maintain their tool access, 86 00:03:04,580 --> 00:03:07,670 but they might just go ahead and start hiding themselves. 87 00:03:07,670 --> 00:03:09,300 And they're going to start covering their tracks 88 00:03:09,300 --> 00:03:11,740 by deleting log files and things like that. 89 00:03:11,740 --> 00:03:13,110 They want to make sure they're eradicating 90 00:03:13,110 --> 00:03:14,630 any sign that they were there 91 00:03:14,630 --> 00:03:16,180 and that they infected your system. 92 00:03:16,180 --> 00:03:17,013 Because this way, 93 00:03:17,013 --> 00:03:18,840 they can stay there longer if they need to, 94 00:03:18,840 --> 00:03:21,000 and they can always go back in later on 95 00:03:21,000 --> 00:03:23,160 if they need to get something else from the machine. 96 00:03:23,160 --> 00:03:26,370 All right, so that is the basic five steps of an attack. 97 00:03:26,370 --> 00:03:27,880 And I mentioned a couple of terms 98 00:03:27,880 --> 00:03:28,910 that I think we need to go back 99 00:03:28,910 --> 00:03:30,440 and define a little bit deeper. 100 00:03:30,440 --> 00:03:31,273 I talked about things like 101 00:03:31,273 --> 00:03:33,450 droppers and downloaders and shellcodes 102 00:03:33,450 --> 00:03:34,560 and lots of other things. 103 00:03:34,560 --> 00:03:36,320 So, let's take a look at those. 104 00:03:36,320 --> 00:03:37,930 First, we have a dropper. 105 00:03:37,930 --> 00:03:40,160 Now, a dropper is a specialized type of malware 106 00:03:40,160 --> 00:03:43,070 that's designed to install or run other types of malware 107 00:03:43,070 --> 00:03:45,710 embedded in a payload on an infected host. 108 00:03:45,710 --> 00:03:47,410 Usually, this will be a stage one dropper, 109 00:03:47,410 --> 00:03:48,980 it's that code you first got. 110 00:03:48,980 --> 00:03:50,750 And once you get that code and run it, 111 00:03:50,750 --> 00:03:53,290 it's then going to go out and get some other code, 112 00:03:53,290 --> 00:03:55,540 and it uses a downloader do that. 113 00:03:55,540 --> 00:03:57,090 Now, a downloader is a piece of code 114 00:03:57,090 --> 00:03:58,190 that connects to the Internet 115 00:03:58,190 --> 00:03:59,680 to retrieve additional tools 116 00:03:59,680 --> 00:04:02,130 after the initial infection happens by a dropper. 117 00:04:02,130 --> 00:04:03,790 Now, in my explanation of that process, 118 00:04:03,790 --> 00:04:05,690 I also mentioned the word shellcode. 119 00:04:05,690 --> 00:04:07,760 Now, shellcode is any lightweight code 120 00:04:07,760 --> 00:04:10,050 that's designed to run an exploit on a target. 121 00:04:10,050 --> 00:04:11,970 This can include any type of code format, 122 00:04:11,970 --> 00:04:13,390 it can be scripting languages, 123 00:04:13,390 --> 00:04:15,700 all the way down to a compiled binary. 124 00:04:15,700 --> 00:04:18,210 Now, for the exam, I want you to remember, 125 00:04:18,210 --> 00:04:20,450 especially if you have some experience in the field, 126 00:04:20,450 --> 00:04:23,030 shellcode originally referred to malware code 127 00:04:23,030 --> 00:04:25,300 that would give the attacker a shell or a command prompt 128 00:04:25,300 --> 00:04:26,770 on the target system. 129 00:04:26,770 --> 00:04:28,180 If you take the PenTest+ exam, 130 00:04:28,180 --> 00:04:29,570 that's how they're going to use that term. 131 00:04:29,570 --> 00:04:32,300 For this exam, they want you to use the definition 132 00:04:32,300 --> 00:04:34,800 of the more generic shellcode that I just provided, 133 00:04:34,800 --> 00:04:36,230 which is any lightweight code 134 00:04:36,230 --> 00:04:38,230 designed to run an exploit on a target. 135 00:04:38,230 --> 00:04:39,890 It doesn't have to give you a command prompt, 136 00:04:39,890 --> 00:04:41,980 it just has to be something that's going to give you 137 00:04:41,980 --> 00:04:44,440 some kind of an exploit that's going to be run. 138 00:04:44,440 --> 00:04:46,030 Now, once the shellcode is created 139 00:04:46,030 --> 00:04:48,480 as a process on the target system, 140 00:04:48,480 --> 00:04:49,330 all this bad stuff 141 00:04:49,330 --> 00:04:50,980 has to start happening to your system, right? 142 00:04:50,980 --> 00:04:52,270 How does that happen? 143 00:04:52,270 --> 00:04:54,750 Well, one way is through code injection. 144 00:04:54,750 --> 00:04:56,770 Code injection is an exploit technique 145 00:04:56,770 --> 00:04:58,070 that runs malicious code 146 00:04:58,070 --> 00:05:01,260 with the identification number of a legit process. 147 00:05:01,260 --> 00:05:03,750 So, when I go to install this code, 148 00:05:03,750 --> 00:05:05,280 you're going to notice that every process 149 00:05:05,280 --> 00:05:07,260 has a unique ID number with it. 150 00:05:07,260 --> 00:05:09,250 And so, if I have something that is allowed to run 151 00:05:09,250 --> 00:05:11,110 like the Explorer for Windows, 152 00:05:11,110 --> 00:05:12,640 and I decide to run malware 153 00:05:12,640 --> 00:05:14,230 and make you think I'm running it 154 00:05:14,230 --> 00:05:16,030 as the Explorer for Windows, 155 00:05:16,030 --> 00:05:19,450 I can hide that malware by injecting the code into that. 156 00:05:19,450 --> 00:05:21,600 That's the idea of code injection. 157 00:05:21,600 --> 00:05:23,850 Now, there's a lot of other techniques we can do 158 00:05:23,850 --> 00:05:26,040 as far as different types of code injection. 159 00:05:26,040 --> 00:05:27,900 This includes things like masquerading, 160 00:05:27,900 --> 00:05:29,290 where your dropper is going to replace 161 00:05:29,290 --> 00:05:31,840 a genuine executable with a malicious one. 162 00:05:31,840 --> 00:05:33,550 You can use DLL injection, 163 00:05:33,550 --> 00:05:35,770 where the dropper starts forcing a process to load 164 00:05:35,770 --> 00:05:37,250 as part of the DLL. 165 00:05:37,250 --> 00:05:41,120 So, it's going to load the DLL in the executable malicious code. 166 00:05:41,120 --> 00:05:43,160 You also can do DLL sideloading. 167 00:05:43,160 --> 00:05:45,550 This is where the dropper is going to exploit a vulnerability 168 00:05:45,550 --> 00:05:47,400 in a legitimate program's manifest 169 00:05:47,400 --> 00:05:49,810 to load a malicious DLL at runtime, 170 00:05:49,810 --> 00:05:51,330 and essentially you sideload 171 00:05:51,330 --> 00:05:53,550 by making it load this malicious thing. 172 00:05:53,550 --> 00:05:55,660 Or we can do process hollowing, 173 00:05:55,660 --> 00:05:56,530 this is when a dropper 174 00:05:56,530 --> 00:05:58,750 starts a process in a suspended state, 175 00:05:58,750 --> 00:06:00,430 and then rewrites the memory locations 176 00:06:00,430 --> 00:06:03,430 containing the process code with the malware code. 177 00:06:03,430 --> 00:06:06,160 So, essentially, we're taking over someplace in memory 178 00:06:06,160 --> 00:06:08,440 and putting our malicious code in there. 179 00:06:08,440 --> 00:06:10,230 Now, droppers are likely to implement 180 00:06:10,230 --> 00:06:12,020 a lot of these different techniques. 181 00:06:12,020 --> 00:06:12,853 In addition to that, 182 00:06:12,853 --> 00:06:15,310 they also use some anti-forensic techniques 183 00:06:15,310 --> 00:06:17,660 to help prevent detection and analysis. 184 00:06:17,660 --> 00:06:19,760 When we talk about anti-forensic techniques, 185 00:06:19,760 --> 00:06:22,070 this is things like encrypting their payloads, 186 00:06:22,070 --> 00:06:23,520 or compressing their payloads, 187 00:06:23,520 --> 00:06:25,560 or obfuscating their payloads. 188 00:06:25,560 --> 00:06:26,660 Now, when they do this, 189 00:06:26,660 --> 00:06:30,010 it makes our job as reverse engineers a lot harder, 190 00:06:30,010 --> 00:06:32,710 but we still find ways to find these people. 191 00:06:32,710 --> 00:06:35,360 And so, one of the things that a lot of pentesters 192 00:06:35,360 --> 00:06:37,570 and a lot of attackers are starting to do now 193 00:06:37,570 --> 00:06:40,000 is a concept called living off the land. 194 00:06:40,000 --> 00:06:41,790 Because when they live off the land, 195 00:06:41,790 --> 00:06:43,810 it's really hard for us to find them. 196 00:06:43,810 --> 00:06:45,240 When I talk about living off the land, 197 00:06:45,240 --> 00:06:46,610 this is an exploit technique 198 00:06:46,610 --> 00:06:49,090 that uses standard system tools and packages 199 00:06:49,090 --> 00:06:50,550 to perform their intrusions. 200 00:06:50,550 --> 00:06:52,520 For instance, they might use something like this, 201 00:06:52,520 --> 00:06:53,930 which is PowerShell. 202 00:06:53,930 --> 00:06:55,120 PowerShell can be used to do 203 00:06:55,120 --> 00:06:57,130 all sorts of malicious activities. 204 00:06:57,130 --> 00:06:58,420 And so, what we can do is, 205 00:06:58,420 --> 00:06:59,670 when we break into a system 206 00:06:59,670 --> 00:07:01,620 as a pentester or as an attacker, 207 00:07:01,620 --> 00:07:04,240 we can actually use your own PowerShell against you. 208 00:07:04,240 --> 00:07:06,520 If I'm on a Linux system, I can't use PowerShell, 209 00:07:06,520 --> 00:07:07,960 but I can use Bash scripting. 210 00:07:07,960 --> 00:07:08,793 And so, again, 211 00:07:08,793 --> 00:07:11,660 if I use the tools that are native to your operating system, 212 00:07:11,660 --> 00:07:12,710 I am now using tools 213 00:07:12,710 --> 00:07:14,630 that were already installed for your administrators. 214 00:07:14,630 --> 00:07:16,450 And I'm using them in a malicious way. 215 00:07:16,450 --> 00:07:18,420 But it's going to be really hard for you to detect that 216 00:07:18,420 --> 00:07:20,210 because I'm living off the land. 217 00:07:20,210 --> 00:07:21,920 So, if you fall victim to an attacker 218 00:07:21,920 --> 00:07:23,420 who is used to living off the land, 219 00:07:23,420 --> 00:07:24,750 the detection of that adversary 220 00:07:24,750 --> 00:07:26,470 is going to be much more difficult 221 00:07:26,470 --> 00:07:28,010 because they're executing malware code 222 00:07:28,010 --> 00:07:30,350 within those standard tools and processes. 223 00:07:30,350 --> 00:07:32,500 And that makes it really hard to detect, 224 00:07:32,500 --> 00:07:33,440 and it's going to allow them 225 00:07:33,440 --> 00:07:35,253 to stay on your system a lot longer.