As you know, any attack is carried out in several stages. We successfully conducted reconnaissance, escalated our privileges, moved wherever we wanted and eventually managed to take over the entire network. But here is the problem: we were discovered, cut off from the network and caught. To avoid such an outcome, it is time to look at methods of protection against detection.
All information is provided for informational purposes only. Neither the editors nor the author are liable for any possible harm caused by the materials in this article.
Evading memory scanners
Any action in a system is recorded in one way or another, and you will never manage to hide completely from an experienced observer. But you can disguise yourself as much as possible. Most red teams and pentesters use PowerShell when attacking a domain. It became so popular that whole frameworks appeared around it, for example Empire and PowerSploit. In addition, PowerShell scripts can be obfuscated with tools such as Invoke-Obfuscation. In response to all these tools, the defending side developed methods of detecting them: spotting strange parent-child process relationships, suspicious command-line arguments, and even various ways of de-obfuscating PowerShell.
One of the most advanced means of attacking Windows domains with the ability to hide activity is Cobalt Strike, in particular its execute-assembly module. It makes it possible to run programs written in C# in a manner close to PowerShell scripts. For example, get-users, compiled in C#, duplicates the functionality of the Get-NetUser module from the PowerView package. In this example, the UserSurname property is requested from the domain controller for each account.
Let's see what happens on the target machine at this moment. This can be done using ProcMon. powershell.exe holds the Cobalt Strike payload, and the rundll32.exe process is used to load and execute get-users. It is worth noting that powershell.exe is the parent of rundll32.exe only because the Cobalt Strike payload was launched from PowerShell.
But the Cobalt Strike payload can be run from any process, and it can also migrate between processes. In addition, some Cobalt Strike functions are offloaded into new processes, which keeps the software stable. Among other things, the DLLs loaded into the rundll32 process include those needed by get-users, such as the LDAP libraries and Kerberos authentication.
The main advantage of this module is that the file is never written to disk; the assembly is executed strictly in memory. At the same time, memory analysis pays close attention to the CreateRemoteThread function, with which malicious programs migrate to other processes and load images. The execute-assembly module loads the custom assembly using the built-in LoadImage function, and since this function is mainly used by legitimate processes to load DLLs, it is very difficult to detect the loading of the assembly.
It is worth adding that PowerShell is not the only legitimate process whose use is closely watched by the defending side. Other common programs and services (such as WMIC or schtasks/at) are also under close monitoring. But the functionality of these tools can also be reproduced in custom .NET assemblies, which means they can be used covertly through the same module
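The defender's counterpart to the ProcMon observations above, as an added example that is not part of the original article: a small rule run over constructed Sysmon-style process-create and image-load records that flags a rundll32.exe started without a DLL argument when it was spawned by powershell.exe or later loads the LDAP/Kerberos libraries. The field names, the DLL names wldap32.dll and kerberos.dll, and the parent list are assumptions, not taken from the article.

```python
from collections import defaultdict

# Constructed Sysmon-style telemetry (Event ID 1 = process create, 7 = image load).
# Field names and DLL names (wldap32.dll, kerberos.dll) are assumptions.
EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 7, "pid": 4120, "loaded": r"C:\Windows\System32\wldap32.dll"},
    {"id": 7, "pid": 4120, "loaded": r"C:\Windows\System32\kerberos.dll"},
    # Benign: rundll32 invoked by Explorer with a DLL argument, as it normally is.
    {"id": 1, "pid": 5300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "parent": r"C:\Windows\explorer.exe"},
    {"id": 7, "pid": 5300, "loaded": r"C:\Windows\System32\shell32.dll"},
    # Argument-less rundll32 with an unremarkable parent that still pulls in the LDAP client.
    {"id": 1, "pid": 6011, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 7, "pid": 6011, "loaded": r"C:\Windows\System32\wldap32.dll"},
]

SUSPECT_PARENTS = {"powershell.exe"}          # parent seen in the article's ProcMon trace
DOMAIN_DLLS = {"wldap32.dll", "kerberos.dll"}  # assumed LDAP client / Kerberos libraries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_rundll32(events):
    """Map pid -> reasons for rundll32.exe instances started without a DLL argument
    that were either spawned by a monitored parent or later loaded domain-auth DLLs."""
    creates, loads = {}, defaultdict(set)
    for ev in events:
        if ev["id"] == 1 and basename(ev["image"]) == "rundll32.exe":
            creates[ev["pid"]] = ev
        elif ev["id"] == 7:
            loads[ev["pid"]].add(basename(ev["loaded"]))
    hits = {}
    for pid, ev in creates.items():
        if len(ev["cmdline"].split(None, 1)) > 1:
            continue  # a DLL was named on the command line: normal rundll32 usage
        reasons = []
        if basename(ev["parent"]) in SUSPECT_PARENTS:
            reasons.append("parent " + basename(ev["parent"]))
        if loads[pid] & DOMAIN_DLLS:
            reasons.append("loads " + ", ".join(sorted(loads[pid] & DOMAIN_DLLS)))
        if reasons:
            hits[pid] = reasons
    return hits
```

The DLL-load condition is what catches the case the article describes, where the parent is not PowerShell because the payload was launched from, or migrated into, some other process.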
Endpoint Detection and Response (EDR) is a technology for detecting and responding to threats on endpoints. EDR constantly monitors and analyzes suspicious activity and takes the necessary response measures. Since most organizations focus on network security, they ignore activity on the endpoints themselves. As one of the main sources of information for a SOC, EDR helps close this gap by enforcing various policies, including application launch control, macro and script control, analysis of memory operations and much more.
All the methods described in this article may overlap with the topic of evading EDR, but in this section I would like to look at the covert operation of critical software (such as mimikatz) and the delivery of the initial payload.
Hiding the work of mimikatz
As a rule, almost all EDRs detect the use of mimikatz, one of the main tools of any pentester, red teamer or attacker going after Windows systems. Therefore, using this tool in its pure form against serious organizations makes no sense.
Alternatively, you can dump the LSASS process, which mimikatz works with to obtain the important data. But EDR will also detect the use of ProcDump, because it hooks the corresponding API calls. So if the corresponding APIs are unhooked, the LSASS process can be dumped silently. This is exactly how the tool called Dumpert works. Thanks to direct system calls and API unhooking, this tool lets you take a minidump of the LSASS process while bypassing antivirus tools and EDR.
Now you can use mimikatz to extract information from the dump, after pointing it at the dump file.
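The detection side of the Dumpert paragraph, as an added example that is not part of the original article: direct system calls and unhooking evade user-mode API hooks, but a handle open on lsass.exe is still visible to kernel-side telemetry such as Sysmon ProcessAccess (Event ID 10), which comes from an object callback rather than a hooked API. The rule below flags any such open that carries PROCESS_VM_READ from a source image outside an allowlist; the record layout, paths and allowlist are assumptions.

```python
# Constructed Sysmon-style ProcessAccess records (Event ID 10); field names are assumptions.
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Assumed allowlist of images that legitimately open lsass.exe on a typical host.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

RECORDS = [
    {"source": r"C:\Windows\System32\csrss.exe", "target": r"C:\Windows\System32\lsass.exe",
     "access": 0x1FFFFF},
    # Minidump-style access (QUERY_INFORMATION | VM_READ) from an unusual location.
    {"source": r"C:\Users\Public\tool.exe", "target": r"C:\Windows\System32\lsass.exe",
     "access": 0x1010},
    {"source": r"C:\Users\Public\tool.exe", "target": r"C:\Windows\System32\notepad.exe",
     "access": 0x1010},
    # QUERY_INFORMATION only: cannot read memory, so not a dump attempt.
    {"source": r"C:\Program Files\Monitor\agent.exe", "target": r"C:\Windows\System32\lsass.exe",
     "access": 0x0400},
]


def flag_lsass_access(records):
    """Return (source, access) pairs for handle opens on lsass.exe that include
    PROCESS_VM_READ and originate from a source image outside the allowlist."""
    hits = []
    for r in records:
        if not r["target"].lower().endswith("\\lsass.exe"):
            continue
        if not r["access"] & PROCESS_VM_READ:
            continue  # no memory-read right, so no dump is possible with this handle
        if r["source"].lower() in ALLOWED_SOURCES:
            continue
        hits.append((r["source"], r["access"]))
    return hits
```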