Jul 30 2024 | forrest kasler

Deep Sea Phishing Pt. 2


PHISHING SCHOOL

Making Your Malware Look Legit to Bypass EDR

I wanted to write this blog about several good techniques for endpoint detection and response (EDR) evasion; however, as I was writing about how to evade EDRs, I was hit with an epiphany:

💡“EDR evasion is all about looking like legitimate software” — ph3eds, 2024

Boom! That’s it! That’s the complete game changer that only took me 10 years to finally crystallize! You’re welcome.

“EDR evasion is all about looking like legitimate software”? No duh! Why is that even worth writing a blog about?!

Please, let me explain.

What is Legitimate Software?

When I say legitimate software, I mean software that a trustworthy source like Microsoft has authored and signed. So, to bypass EDR, we want all of our malicious actions to come from a binary that a trusted source authored and signed. When we put it that way, there are actually multiple ways to achieve this goal. This blog is about the many ways we can hide our code and our actions so that they look legit.

Note: You can’t just sign a Meterpreter payload and expect it to bypass EDRs. The point here is to blend in the best we can to extend the useful life of our custom payloads as long as possible.

❌ Not Legit — Untrusted, Unsigned

We are starting at the bottom here: an untrusted, unsigned binary similar to what we might write as an initial access payload, based on my previous blog. We may have achieved “unknown bad” status, but that’s about the only thing we have going for us at this point. We do not have a trusted, signed binary, so we don’t look very legit. Let’s fix that!

🤷‍♂️Barely Legit — Steal a Cert and Sign It!

This section is really just a plug for Tijme Gommers’s amazing blog about how they were able to use VirusTotal to find and crack code signing certificates embedded in software samples:

https://tij.me/blog/finding-and-utilising-leaked-code-signing-certificates/

This is a gray area and definitely not advised for the average red team. It’s a jerk move to burn someone else’s certificate, even if they do suck at software design. Not to mention that VirusTotal subscriptions are insanely pricey!

🤔 Kinda Legit — Get a Cert and Sign It!

You can actually get a code signing certificate and sign your own malware with it. To get a trustworthy one, you will need to go through an “extended validation” process. That means you need to be a real company and show some documents to prove it. Per Digicert’s website, this validation process…

“also includes verifying that the organization is not listed in any fraud, phishing, or government restricted entities, or anti-terrorism databases”

The certs tend to range somewhere between $500-$1,000 per year. Of course, if you go this route, make sure to use your certificate sparingly to avoid losing it.

I’ve actually worked with a team that did this and we managed to keep the certificate for a couple of years without issues. We only used it for very targeted, individualized social engineering, but it was helpful for minimizing the warnings displayed to the targets and bypassing some EDR products.

👌Probably Legit — Microsoft Signed (a.k.a. LOLBins/LOLBAS)

Also frequently referred to as “application whitelisting bypasses”, these are binaries that come standard on a range of Windows operating systems. Many of them can execute code or scripts:

https://lolbas-project.github.io/#/execute

Over the years, I’ve gotten some insane mileage out of these utilities and I find that many of them still work to bypass a surprising number of EDR products. VBScript is still alive and well as an initial access vector, so don’t forget about it!

Pretty Legit! — Sideloading

Sideloading is another way we can execute our code from within a trusted, signed binary. The trick here is to abuse DLL search order so that a legitimate binary loads and executes our malicious code. At the time of this writing, this seems to be the primary method of ceded access for the team here at SpecterOps. Nick Powers and Steven Flores published a blog on the subject, spoke at DEF CON, and released tools to help with the discovery and exploitation process. More specifically, they demonstrate how to sideload ClickOnce applications. Keep in mind that you can use a very similar process to sideload other binaries as well. The SpecterOps team has found many ways to sideload some very popular software. I would highly recommend digging around on your own system for sideloading opportunities.
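From the defender’s side, the same search-order behavior is what makes sideloading detectable: a signed executable that loads a DLL from its own directory, where that DLL is unsigned or carries a different publisher than the executable, is the classic pattern. The following is an added example, not code from the original post or from the SpecterOps tooling; the event field names and the sample events are constructed for illustration and do not match any particular EDR schema.

```python
"""Flag likely DLL sideloading in constructed image-load events.

Heuristic: the DLL is loaded from the same directory as the EXE (the first
location in the DLL search order), that directory is not a Windows system
directory, and the DLL's signer is missing or differs from the EXE's signer.
Field names (image, image_signer, dll, dll_signer) are assumptions."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (not real telemetry).
EVENTS = [
    {"image": r"C:\Users\bob\Downloads\Vendor\legit.exe", "image_signer": "Vendor Inc.",
     "dll": r"C:\Users\bob\Downloads\Vendor\version.dll", "dll_signer": None},
    {"image": r"C:\Program Files\Vendor\legit.exe", "image_signer": "Vendor Inc.",
     "dll": r"C:\Windows\System32\version.dll", "dll_signer": "Microsoft Windows"},
    {"image": r"C:\Program Files\Vendor\legit.exe", "image_signer": "Vendor Inc.",
     "dll": r"C:\Program Files\Vendor\helper.dll", "dll_signer": "Vendor Inc."},
    {"image": r"C:\Program Files\Vendor\legit.exe", "image_signer": "Vendor Inc.",
     "dll": r"C:\Program Files\Vendor\helper.dll", "dll_signer": "Other Corp"},
]


def _dir(path):
    """Normalized, lower-cased directory of a Windows path with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def sideload_candidates(events):
    """Return (image, dll, reason) tuples for events matching the sideload pattern."""
    hits = []
    for ev in events:
        image_dir, dll_dir = _dir(ev["image"]), _dir(ev["dll"])
        if dll_dir.startswith(SYSTEM_DIRS):
            continue  # resolved to the system directory: expected search-order result
        if dll_dir != image_dir:
            continue  # the EXE's own directory is the location that gets searched first
        if ev["dll_signer"] is None:
            hits.append((ev["image"], ev["dll"], "unsigned DLL beside signed EXE"))
        elif ev["dll_signer"] != ev["image_signer"]:
            hits.append((ev["image"], ev["dll"], "DLL signer differs from EXE signer"))
    return hits


if __name__ == "__main__":
    for image, dll, reason in sideload_candidates(EVENTS):
        print(f"{reason}: {image} -> {dll}")
```

Vendors do legitimately ship helper DLLs beside their executables, so the signer comparison is what separates the two cases; a Microsoft-signed executable loading a non-Microsoft DLL from a user-writable directory is the strongest form of this signal.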

💯Totally Legit — Screen Sharing/Meeting Apps

Did you know that, by default, you can share your screen on Microsoft Teams to users outside of your organization? I guess this kind of makes sense to help collaboration during meetings with other companies, but did you know you can then “Give Control” to an outsider: as in, hand over your mouse and keyboard inputs to a person outside your organization? And they can drive around your desktop willy-nilly. Sick!

Apparently, this is a totally legitimate feature of Teams and it’s allowed by default even for outsiders. I’ve used this feature to perform entire purple team exercises with Teams alone as the method of ceded access. There are several other popular screen sharing and meeting apps that have similar features. Of course, put me behind a keyboard, and I’ve suddenly got way more options for how to drop and execute a fully featured shell for post exploitation. Imagine convincing an employee to join you (the IT guy) on a call to help them walk through some updates. Maybe letting them know it might take a while and that they are free to go grab some coffee…

🔥Super Legit — Help Desk Software

While remote desktop access may be a feature of Teams and other meeting software, it is the sole purpose of help desk software. There are many popular options to choose from and all of them are authored and signed by trusted sources. Your target organization likely already uses this kind of software. In the case of help desk applications, the only difference between remote access software and a remote access trojan is who’s driving.

Most EDR solutions allow these applications because they don’t want to deal with the complaints from customers and help desk software vendors about why they are being blocked. In other cases, EDR solutions will block this category of software but make it easy for network admins to add exceptions for the ones they actually use. In these cases, we simply need to figure out which ones they are using and sign up for a trial account.

When thinking about the problem of EDR evasion from the stance of trying to blend in with legitimate signed binaries, it finally clicked for me why help desk software is the number one go-to tool for spammers and fraudsters. It’s not that they aren’t smart enough to run some l33t hacker tools like ***insert your favorite C2 here***. It’s that they don’t need to, and time spent on implant development or C2 infrastructure would be time wasted for them when help desk software already has the highest chance of being allowed by EDR anyway. Savage.

Don’t forget this class of initial access software the next time you need to get your foot in the door at a target organization.

🚀 Too Legit (to Quit… This List) — Remote Desktop Software

What if we don’t need to execute remote access software at all? If your target organization is using remote desktop software like Citrix or VMware Horizon, you can just use a multi-factor authentication (MFA) bypass like HumbleChameleon or CuddlePhish to walk in the front door. I’ve used both tools countless times to gain access to internal networks through public facing Citrix portals. Citrix is remote code execution (RCE) as a service and is very popular. With only access to Notepad.exe in Citrix, you can open a new file, type “powershell.exe”, save it as a “.bat” file, and double-click it to obtain a PowerShell window running on the Citrix server. You are then just a local privilege escalation vulnerability away from taking over the server and all the logon sessions for whoever else is using it. It always makes me excited to find remote desktop portals during reconnaissance.

In Summary

While the last blog was all about writing custom payloads to bypass EDR, this blog explains how to help your initial access blend in. In some cases, you may not even need to write a payload to obtain initial access. I think that for most red teams, a custom implant in combination with either a LOLBin or sideloading is the sweet spot that will work for most environments. Of course, it’s always nice to have options, and if you are ever really struggling to bypass EDR, don’t forget about using legitimate software for illegitimate porpoises!

Need you to know: You are special, and have a porpoise


Deep Sea Phishing Pt. 2 was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.