>> Uh, we're gonna be talking about a post-exploitation tool, but uh we just have an extra little add-on of this 0day. So when uh Jenna Magius and I were working on EternalBlue, uh we discovered that uh part of the pool grooming process was allocating uh memory uh in a contiguous way, and by abusing those memory allocations we were able to come up with an attack that we're calling SMBLoris. It's similar to uh the Slowloris attack that is for HTTP servers. So with that, a single machine is able to open, uh, many connections. Hold on. Just want to show the flags here. So the first uh four bytes of a connection are this uh NetBIOS session setup header. And it has a seventeen-bit length field. So what Windows is gonna do is it's gonna see that length field and it's automatically gonna allocate a buffer uh for whatever length you say, and uh preemptively allocate that much memory on the non-paged pool. Which is memory that cannot be uh swapped out. It's physical RAM that has to be reserved. So two to the seventeen gives you a hundred twenty-eight kibibytes, and if you uh send many connections that do that uh from a single IP you can get to eight kibibytes, which is like eight and a half gig- gigabytes. So we're gonna demo the attack now. And all we're doing is opening a lot of connections and sending uh this packet with the full length. And as you're seeing now, the uh non-paged pool is filling up. It's actually down here. Right now we're at five. Five and a half gigs. And eventually this ping is gonna die. Because there is not enough uh RAM, and you'll also notice that the CPU has spiked to a hundred because now the operating system is searching through memory looking for a free spot. And now we actually have free uh- the computer, so like Slowloris, if we stop this attack, uh the computer will restore unless you sustain the attack. Eventually you will get a hard freeze.
Which is worse than a blue screen, because then you need physical access to uh restart that machine. Uh you can't just RDP in. Um, so. [applause] There you go. Thank you. Oh, and I just wanna mention that we did report that to uh Microsoft Security about sixty days ago. Uh they said they aren't gonna fix it right away. So we had to uh go to full disclosure. We already told uh our DDoS partners and stuff like that. So. Ha. And it works on IPv4 and IPv6. Um so here's just some of the artifacts that we have that happened. Um and then you can crash programs, and then right here is Microsoft's response. Uh, this is fine. Haha.

Alright, so onto the main topic of the day. Uh we're gonna talk about the current open-source malware options for red teams. So these are tools uh that you can use on your pen tests to, you know, own a network, and then we're gonna release a new tool uh called Koadic C3. It's an advanced JScript/VBScript RAT. Uh it's based on a lot of work by others. Um subTee, enigma0x3. Uh Tiraniddo. Um they were doing a lot of work on research. A lot of research on JScript uh the past year or two. Uh we're gonna talk about some of the hell we went through with Windows Script Host quirks. And then at the end we're gonna have a demo of the tool. So this is uh a list of the people who helped work on this tool. Um, I'm zero sum. That's Aleph-Naught. We got Jenna Magius in the audience, and The Naterz is watching on the live stream. Um so we're the red team at RiskSense, it's a spin-off of New Mexico Tech. Uh led by Dr. Srinivas Mukkamala. He lets us have time to do some research on side projects, so we've done uh ExtraBacon and EternalBlue. We reported both those exploits to Metasploit, uh we're kinda the first to uh look at those exploits. Uh just a couple quick notes before we get started. So if you use this tool for illegal activities, we're not responsible. Uh we're releasing this for pen testers, there's no like ransomware in it or anything.
Uh like I said, there's a ton of overlapping research uh from subTee, enigma0x3. Uh Tiraniddo. Um but we're trying to consolidate all those research techniques into a single tool. And we've also advanced the state of the art a little bit. Um so this is just a prototype. There are gonna be bugs in it. So submit fixes, not tixes. Ha. And uh just to be very clear, this is a post-exploitation tool, so this won't be like Metasploit where you get access to a box. This assumes you already have access and you want to do something better with that shell. You want to pivot, uh dump passwords and stuff like that.

So the current state of Windows post-exploitation: you have, you know, Meterpreter, Cobalt Strike, PowerShell Empire, or you can roll your own. Those are basically your options right now. Uh and they're all very nice tools, but we're gonna talk about some of the downsides of those tools, and we're just kind of filling a very niche gap. Uh you're not gonna use this tool a lot. But it will fill uh uh a very niche gap. Um so the downside to PE malware. This is stuff like Cobalt Strike and Meterpreter. Um they're both amazing software. Uh but most of the time in the post-exploitation scenario you're gonna be dropping a binary on disk, and that's what AV loves to eat. And you're gonna, you're gonna have to evade that payload with either Veil-Evasion or Shellter or some type of crypter/packer. Um so that's one downside. And one of the main exploits we have eaten a lot is uh PsExec, which is probably the most common one you use on a pen test. Um, so the downsides of PowerShell. Again, Empire is amazing software. Officially it requires PowerShell. Obviously. Which is Server 2008 Service Pack 2; you can install it on earlier versions, but officially that's what Microsoft supports. And PowerShell Empire also uses some features that are in modern .NET.
So I've actually had uh the case where I compromised a box and had PowerShell on it, tried uh doing an Empire stager and it failed. Uh with an error. Another very bad downside of PowerShell is that it is a first-class citizen in the logs on Windows. So that's, that's one thing you need to realize when you're using PowerShell: you are uh filling up the logs. So we made a tool out of JScript and VBScript. Um it works on Windows 2000 Service Pack 0, possibly earlier. Uh the main benefit of that is that the Windows Script Host, unlike PowerShell, is baked directly into the Windows core. Unlike PowerShell, which was like bolted on later. Uh so it's a little bit harder to limit. And we found some creative uses of uh the default EXEs that are in the system folder. And we also found some ways to execute completely in memory, so there's no dropping to disk. And that's the main benefit of PowerShell. Need some water.

So the downsides are that there is no access to the Windows API, uh the only thing you get is COM objects, which I'll talk about in a second. There's also no real threading, so when you have an agent running you might want to run multiple jobs at the same time and have them report back. Uh there's no threading in JScript. It's also missing a lot of uh standard functions like base64; you can use certutil and some other utilities that are installed by default, but they're not on all versions of Windows. And then what's really bad is uh all the strings are UCS-2 wide Unicode. So when you insert uh a struct or shellcode in memory, it's gonna fill it with null bytes or even just totally uh clobber all of your strings, and you're not gonna have the same shellcode that you put in. That you thought you had. So COM was kind of this big idea from Microsoft that you could write uh a class in one ob- uh language. And then instantiate an object in another language. So what they did was uh write a lot of COM objects in C.
And then now you can use them in JScript and other uh scripting languages. Um so it's language neutral. Object oriented. It has a very uh spelled-out binary interface. And it's distributed, so you can actually instantiate objects on another server. And then use them on your local host. Uh uh which actually leads to a lot of pivot opportunities. Uh it's an arguable precursor to .NET. It has slightly different goals than .NET did, and .NET has a lot of tools that help you to interact with COM. And it's also found everywhere in Windows. It's in uh its its own secur- or its own registry hive. It's uh HC- or HK- uh current classes or classes. So this is uh an example of instantiating uh a COM object in JScript. So what we've done here is we've instantiated this object called htmlfile. And like I said, we don't get access to the Windows API, but we get access to all the interfaces that this uh COM object exposes. And from that we're actually able to scrape the clipboard by uh going to the parent window and getting the text.

So we uh- be- originally started this project back in October. Using VBScript. VBScript and JScript are basically the same thing at the end of the day. They just have slightly different syntax. And uh a couple other things. Uh one thing that's really bad is that uh VBScript has an insane error handling thing, where you have to do On Error Resume Next at every function scope. And then for every uh instruction that you run, you have to check if there's an error condition. So there's no like uh try/catch blocks that you get in uh JScript. The other thing that we ran into was the Shlemiel the Painter problem. So this is a problem with string indexing. Normally for string indexing you want O(1) lookup, so you want to look at the hundredth element in the string. That's O(1). Uh with JScript, it counts from the beginning of- er, with VBScript it counts from the beginning of the string.
Uh so you actually get O(n!) to traverse the entire string instead of O(n). Uh so Jenna Magius had a, he solved uh a parse problem in computer science when uh we just grouped the bucket with a, so every thousand iterations, we moved part of the string pointer up. Um while working on this tool we uh researched GNU Readline. Which is an interactive shell for um Linux and Unix systems. So in Metasploit, what happens is, as shells start to rain in, your input is getting overwritten by uh all those shells raining in. So we were able to uh redraw every time a shell came in and not mess up your input, and the picture's just an example of uh kind of the bad input. Uh we committed it in PR 7570 to Metasploit; uh they've actually commented it out. They have to support Windows and some other systems. So, it wasn't, there were a couple bugs there, but we're only supporting Linux.

So I'll talk about some of the uh terminology before I talk about how we architected this. So a Zombie is a hooked target; it's basically like uh a session in Meterpreter or an agent in PowerShell Empire. Uh a Stager is a web server that we use to have the C2, C3 server, and then Implants uh just start one or more jobs on a Zombie. And then a Job, we figured out a way to fork, so you can have simultaneous jobs running. And then report back to the server. So this is done by a plugin class. There's two types of major plugins, uh stagers which spawn web servers and implants which start jobs. Uh they all have a load method which has uh variables, so these are like things that you set, Meterpreter kind of. Uh all we do is a simple string replace for tilde and the variable name. Uh inside of JS files, and then they also have a run method. Uh which, like I said, starts an HTTP server or starts a job. Uh uh the job class is what you instantiate uh from implants. And then have a report handler, so when the job reports back to you, you're able to handle that.
And then we also implemented a stdlib.js file which uh kind of abstracts a lot of that COM stuff for you. It's so you can run commands. Upload, download files. And uh perform those HTTP communications. Uh uh we have all the standard implant categories you would expect. You can pivot to move from machine to machine; persistence so you can uh, if a machine reboots, it will still call home. Manage and Utils are kind of like, they'll they'll let you enable RDP or run commands, download, upload files. Elevate is a whole class of UAC bypasses. Like the run-as-administrator box on Windows. Um Gather will scrape credentials out of uh from the hives, like NTLM hashes. We actually wrote a TCP scanner, which I'll get into in a little bit. We have a Fun category like PowerShell Empire does; uh they play AC/DC Thunderstruck, they blast the volume and do that. We do that, but we do uh the Cranberries' Zombie song. Um and then we also have Inject, which is a whole category where we've figured out how to break free of the COM chains and uh get to the Windows API. And from there we do reflective DLL and mimikatz and stuff. We have a cool demo.

So stager architecture. Uh generally in a post-exploitation setting you're gonna hook by a manual command. That's what you do with PowerShell Empire. Uh you just run a command and then it calls home. Um you can hook from IE, so you can phish somebody. And if they click Yes from this, you know, all these ActiveX objects, it'll work. Uh also Office macros, you can do a stager that way. Um so all we're using is a simple HTTPS threaded server in Python as the uh main C3 server. Uh so you get encryption through TLS or SSL. There is a caveat there, uh a couple caveats. So one is uh older versions won't have TLS enabled, so you'll have to fall back to SSL. And the other one is you need a valid certificate, so you'll have to call home to a domain that you own a certificate for.
And how we do the uh the call home is we do a long poll. So this is kind of the old way of doing AJAX before WebSockets: you call home to the server, and then the server hangs you for like a long time until there's a job to be done. And it tells you that job and you run that job. So there's a couple problems with that. Haha. Uh there's no problem with uh hanging forever, 'cause once you go into the uh COM object and you run that, you're in COM world. It's outside of your script context, but there is uh a limited amount of instructions you can run in JScript. So it's actually default five million, I believe. So if you run five million instructions in JScript, which is actually very easy to do, uh even for just a few milliseconds, it's gonna pop up an error saying stop running this script, and it's gonna hang the script until the user clicks yes or no. So for that reason we fork on a regular basis. So the first time you call home to the server you're not gonna have a session ID. Um it's gonna assign you a session ID. And it's gonna fork to a special job called stage. That stage is gonna do that long-poll process I was talking about uh until it gets a job ID. When it gets that job ID, it's gonna fork uh that special stage job again so we don't use too many instructions, and it's gonna fork the job. And then uh when that job calls home, it's gonna have both the session ID and the job ID. So then it's gonna send the job payload, which is gonna do some work, it's gonna report back to the server about that work, and then it's just gonna strictly exit.

Um so some of the stagers we have. Uh we do have the traditional way of running JScript and VBScript uh through cscript or wscript; uh these require dropping a file on the disk, so um anti-virus can catch that pretty easily. And you can always disable the Windows Script Host. Uh an interesting stager we have is MS- uh, HTA, HTML applications. So these are kind of in a weird IE security zone.
Uh they'll let you get access to the registry, filesystem, the command shell. Um and the payload for that is really tiny, it's the tiniest payload we have. All you do is run HT- er, MSHTA and then the URL. And then it's gonna call home with that session ID and get assigned one and all that. Um so with these HTML applications, they're gonna pop up like a little browser window. So we experimented with many techniques to try to hide this window. Uh the best that I could come up with, and I really did a lot of experimentation, was I moved the uh window two thousand pixels off the screen, resized it to one pixel, and then I blur it so it doesn't steal focus, and then also there's some uh XML that we can do to hide it from the taskbar. Uh I thought this was really bad until I looked at some malware samples that were doing the same thing, so I didn't feel as bad.

Um, so rundll32, uh this kind of abuses the way that rundll32 uh parses. Uh the DLL it's supposed to run. So in this example, it's loading the MSHTML.dll and it's running RunHTMLApplication on it. Uh which is the same thing that MSHTA does, only this is a little bit more hidden. Now when that function gets called, it's gonna parse the entire command line, and it's gonna see it starts with "javascript:", it's gonna start. Uh executing JavaScript. So in our MSHTA stager, as soon as we fork uh we go to this one 'cause it has less window visibility. Um another one that uh, another stager here that uh subTee rediscovered is uh called COM+ scriptlets. Uh they still get written to disk, but it's uh this program called regsvr32.exe, which is supposed to assist you in uh installing uh COM stuff; uh you can actually feed that a URL and it's gonna go fetch that scriptlet and then it's gonna run some JScript. Um so this is actually a stager for this, presently, on Windows 2000; MSHTA is not uh, maybe it is in a service pack, but at the uh beginning it's not. Um so there's a couple of ways to run commands.
Uh the most common way is through WScript.Shell. It has two ways to run commands, either Exec or Run; uh Exec gives you access to standard out and standard error for all of uh that process's output. Uh the only problem is it's gonna flash a little cmd.exe window. So it's not good. Uh we had to resort to .Run, uh which does not give access to standard out. Um but we kind of pipe to a new UID in the temp folder. Temp folder text file, and we pipe uh standard out and standard in to that file, then we read that file. So we were able to get the output. Um another way to uh start a process is is with WMI. Um Win32_Process is part of that, and that's the Windows Management Instrumentation, kind of for managing boxes.

Um so one of the main things you want to do with a post-exploitation tool is upload files and download them. Uh binary data is very hard to work with in JScript. Um so writing, if you want to write a file to disk, writing byte by byte uh you use all of your limited instructions I was talking about. Um so what we do, what what one way you can do that is you can write the response body stream directly to an ADODB.Stream. Uh the only problem is, as you can see, uh you get an error that says safety settings on this computer prohibit access. Accessing a data source on another domain. So this is part of that IE security zone. Sandboxing I was talking about. Um. So what we do is we create a temporary uh ADODB object in memory. We write that string to that object in memory, and then so now it's on our domain or whatever. And then we're able to write that to file. So this is just some boilerplate co- code that just lets you write directly to file without using a lot of instructions. Another problem we encountered was with downloading files. So this is when you want to get a file, um it's on the Zombie, you know, you see x arrays, you see something interesting on the fa- uh target, you want to download it to your machine.
You're gonna do that by having it send an HTTP request sending a non-text string, which is gonna have uh all that binary data. The only problem is that Windows is going to uh double encode that data; uh so through some reverse engineering we found out it was encoding it with Windows-1252 encoding first. And then UTF-8, uh so we saw that the binary data did not match up when we got it back. Uh another thing is if you send a null byte, it just ends the response string right there, uh the request string. Uh so we added another layer of encoding where we then encode backslashes and null bytes. So we have three different decodings we have to do once it gets back to the server. It's really slow; uh Aleph-Naught wrote a hard-coded lookup table. So it's about one second per megabyte now. Down from ten seconds per megabyte.

Um so these are all of our UAC bypasses. These work um because on Windows there's the current user hive, which a user is able to write to, their current user hive, no problem. Um and then Windows has these binaries in the System32 folder that have a manifest that auto-elevates them, gives them UAC bypass privileges, and then there's a couple binaries that are gonna look in that current user hive that you're allowed to write to for a command to run. I don't, I don't know why. But ha. So we're just gonna put the stager command at those registry keys, start that process, and it's gonna call home and we're gonna be elevated. Um Microsoft is trying to fix some of these; they've closed a couple of them in Redstone 2 and 3. Um but there's UACMe by hfiref0x, uh some future work if, you know, these methods get closed down; there's thirty-five plus methods we can use. Uh some are applicable. So uh another main thing you want to do in a post-exploitation tool is dump the NTLM hashes off the server. Uh so there's a reg.exe.
I believe it was added in some service pack in Windows 2000; it's at least present in Windows XP and higher. Uh but from there, if you're elevated you can save the SAM, SYSTEM, SECURITY hives and run uh Core Security's Impacket, which will uh decode, decrypt those hives and give you the hashes out of them. Same thing for domain controllers; uh you can create a volume shadow copy. Uh and then the SYSTEM hive, you can get that. And we get the ntds.dit, we can run the same tool uh with some different arguments and extract uh AD credentials out of them.

So there's several different HTTP COM objects; um most of them are just like, like MSXML2.XMLHTTP, and then there's the ServerXMLHTTP. So this dates back to uh the early days of the internet. Um where you first started with AJAX, and so the ones that are not marked server are going to have a bad uh sandboxing policy; it's gonna have that cross-origin AJAX policy you see in web browsers. Whereas the server versions are gonna be what you would have run on a classic ASP server to, from the server, fetch something. So it's gonna be less sandboxed. Um so same interface, but a little bit different behavior. Um using these objects, uh checking out the error messages they give when we try to do an HTTP connect- connection to uh an IP, uh we're able to tell which ports are open, and so we have two different methods. Um of telling if a port is open or not, uh based on the error codes, so we're able to write a TCP scanner using these methods. Um another interesting COM object is uh WScript.Network; this lets you enumerate the printer connections and the network drives that that computer is connected to. So that's useful information.

And now we're gonna talk about uh the the pivoting modules. So PsExec uh was originally written by Mark Russinovich. Um for Sysinternals before he was hired by Microsoft. Uh now it is a Microsoft-signed binary. And this lets uh admins run commands on different uh boxes remotely.
Um there's no reason for us to have to upload this binary to the server because Microsoft is hosting it on a live share on the internet. So we just use that live share; um we do get a dirty bit when we do that, but the bypass I found was just running it uh, instead of WScript.Run, I ran it through WMI or something, I forget. But we didn't get that dirty bit, which would have popped up a message or an error. Um so that that just lets you run commands on another box, and we do have a working pivot with that. Another way to uh pivot is with WMI. Uh so this lets you spawn that WMI uh Win32_Process I was talking about. On another server. Uh as long as you have uh cache, er, either your credentials or uh you get credentials out of memory. You can perform a pass-the-hash uh with JScript, we found. Um uh a really bad problem with this is when you start that new process, it's gonna run in session zero on the server, which is a GUI-less process, so you won't be able to elevate. Um but it it it does let you get on those other boxes, and maybe there's a workaround. Another thing that's been uh making the the the waves the past couple uh weeks are uh DCOM lateral movement techniques. So MMC20.Application, enigma0x3 uh found back in January, but it has a, you can spawn this object on another server and it has an interface called ExecuteShellCommand that lets you re-stage. Um and then just this week we had Excel.Application and Outlook.Application by Ryan Hanson, 424f424f, and uh staaldraad. But both of these have ways that you can uh load uh commands on another server. Um so that's some future work; we don't actually have plugins for this yet, but if, you know, PsExec and WMI aren't good enough, then we can write a plugin for DCOM.

Um so now we're gonna talk about some of the ways we escaped that um COM context into the Windows API. So uh work, they gave us some Office licenses, and we did find a good use for them.
We gone, we didn't actually write any reports with them, but, um we did create a GUI-less Excel object in memory, and then from that GUI-less Excel object, we also wrote some registry keys that let us uh uh run macros without a prompt, and so we actually, eh, and when you run macros in that, it's Visual Basic, which is different than VBScript. That lets you get access to uh the the entire Windows API. So from there we were able to run shellcode or reflective DLLs. So that's one of the ways we escaped. Uh another technique uh was published a couple months ago by Tiraniddo, this guy from Google Project Zero. Um so when you install .NET on a server, it gives you, or a workstation, either thing. It gives you a bunch of COM objects uh for that .NET installation, and one of the, and a couple of those COM objects, you write to memory and then also deserialize a .NET object, and when you can deserialize a .NET object, you get access to the Windows API, because .NET has access to the Windows API. So uh we can do all that from JScript. Um and then the final way that we found in our research was DynamicWrapperX. This was a DLL written by Yuri Popov and released as freeware in like the late nineties or the late two thousands; uh it does have zero of sixty-one on VirusTotal. Uh people are using this for legitimate reasons. Um but basically this lets you install a COM object on the server, which gives you access to the Windows API. Um normally installing a COM object you're gonna have to write a lot of registry keys and stuff like that. Um, but subTee uh rediscovered a thing called uh registration-free COM, so we don't actually have to write all those registry keys. We just drop a manifest file also on the disk and that DLL, and then we're able to load that COM object. At least for our process. So now that we have access to the Windows API, one of our design goals was to use the powerkatz.dll. So this is the uh PowerShell Empire DLL, uh that lets you get access to Mimikatz.
Uh there was a problem with this, and that was that all the DLL mapping was performed in PowerShell; so normally with a reflective DLL you're gonna write some C code uh that will load itself. And uh they did it in PowerShell. Uh so we have limited instructions, we can't do all of that DLL mapping. So what I did is I wrote a DLL called mimishim, and that's just a normal reflective DLL. So all the uh loading code is in C, it's part of the DLL, and we just say start a thread there and it'll load itself. Uh so what it's gonna do is it's gonna see if we're an x64 pro- or an x86 process on an x64 system. Which, if you've ever uh dealt with Mimikatz, that can be an issue. If that is an issue, we're gonn- uh, we're just gonna fork uh um a sysnative notepad.exe. We're gonna process all of that uh and inject the powerkatz.dll into it. And from there we're gonna do a couple default things. We're gonna do, we're gonna get the debug privilege, which is kind of a God-mode privilege on Windows, and then we're gonna elevate our token to SYSTEM, and then we're gonna run whatever custom Mimikatz command you want to run. Um which will let you extract plain-text passwords out of memory. Uh provided that Credential Guard or some other defense isn't enabled. And with that I'll let Aleph-Naught uh run the demos.

>> Heard you guys like live demos. [applause] Alright, so what we're gonna do is we're gonna show our tool. At least we have a screen, I heard we had a screen problem, so we have it. [inaudible] Ok, uh so the first thing we're gonna do is uh we're just gonna load it up and try to get our stager first, right. Uh I know we were talking about this in the beginning. So. So we lit up, uh we were greeted with a screen like this. Uh we have a lot of options in here. So as you can see it's a very similar kind of structure to like Metasploit or other tools of a similar kind of nature. Uh we run info and we set our LHOST.
This is uh a local host on an internal network for a domain that we have here uh on a couple of VMs right now.

>> Yeah, the only reason why he's setting his LHOST manually is because we have a weird network setup, we're not on the main internet. Uh normally it will try to go to eight dot eight dot eight and uh get your IP automa- your local IP automatically. Spawned a stager there.

>> So and then after that's run, uh the stager is done. You can close the window and you see no windows pop up and nothing seems out of the ordinary. But we got a stager coming back right here, uh and we'll see, uh if you take a good look here, it's not an elevated prompt, uh as you can tell right here. It would come back with a star if it was. Uh and so from here we have our zombie and we can kind of do what we want. Uh so to demonstrate the kind of ridiculousness that we had to go through, uh we can kind of upload a file, get a shasum, download the file, and do a shasum again. So we're gonna use an implant. And we see everything has like a nice little options file. So we can also get into a command shell from here. Um so if we look onto our hooked client right here and we take a look at the directory. Um where we should have uploaded the putty. And we'll see it, uh and it's right here. Nice little putty. Uh we'll open a local window right here and we'll do a shasum of the actual putty file. See, it is the shasum right here. Eight one and ends with five E. And so now we will download the file from the victim client, the one that's hooked. Oops. And so we go to our file right here. And we'll see uh that the integrity has been kept. Right? So we got a nice upload of data. Uh and the client doesn't notice a thing, no windows are coming up. Nothing at all. It's uh nice and in the background. So uh what we're gonna do next is we're gonna try to elevate the prompt, right? A little bit of a UAC bypass and stuff like that, right. So we're gonna use er uh elevation.
So if everything, eh- if everything goes right, we should see uh a shell come back with a little bit of elevating code. Looks like we're coming back, and here we are. And a nice elevated prompt. Hmm. Ok, here we are. Alright, so uh from here uh you could kind of um move around and try to pivot across the network. I know we were trying to explain to everybody the ridiculousness that we had to do for kind of TCP scanning and everything along that line. So what we could do is we could try to find another victim, or we could scan them for like an open port five and then try to migrate and pivot, right? Er, pivot, just pivot. So. So we're gonna use another implant for this. Doesn't really matter what filename you use for this. This font is ridiculous. We had to make it large for everybody. So as we see here, a nice little readout. Um a nice scan from one of the hosts to another host upon a mate. And right now uh we're gonna try to pivot, ok? So so we're going to use. Actually, uh we should probably get the hashes first from the current machine that we got, right? We're gonna use the uh elevated zombie uh with the elevated crypt tools to kind of dump the hashes here. And here we go. Uh we got hashes from the hash machine. Uh and that's uh mimikatz. Uh you can kind of run any command from that, uh from mimikatz. So uh right now we're going to uh kind of pivot from the one machine that's compromised, and we're gonna pivot and we're gonna get a stager on the next machine uh within the domain, right? We uh, as you see, we got the credentials from mimikatz, and so we assume we got a plain-text password or something along those lines. And we're gonna move onto the next machine. So. And here we go. Uh we pivoted uh throughout the network and uh we moved. And we can see a command shell. Um if you take a look at, take a look at whoami. We're here on the machine, pivoting through the network, um nice and small, executing COM objects. So.
[applause]
>> Yeah, so you can see he has two different or three different shells here. The first one was his medium integrity. Next one was one he elevated and then this has a different IP because he pivoted uh to another machine. Just gonna. Um so we're gonna talk about some of the mitigations we're gonna do against this. Um there are some uh ransomware samples that we saw that do all of their uh operations in JScript including their cryptography. Um so people are mainly focused on PowerShell right now. We kind of want to point out that uh JScript is also an attack surface. So there's a thing called the Antimalware Scan Interface. I haven't actually played with it. But it was designed to catch PowerShell scripts before they execute. It's also hooked with anti-virus to get uh JScript and VBScript uh files before they execute. Even if they're uh using the type of in-memory stagers that we talked about. Um another thing is Device Guard, AppLocker, CI, it's all kind of the same umbrella. Uh for a term a common term called app whitelisting. Um in your environments you only want to run the programs that you want to run and this will actually prevent a lot of extra malware that gets on your system from running if you only have a whitelist of what can run. Um it's kind of a pain to set up right now, it requires a lot of uh PowerShell and registry editing uh I've heard that there are good things coming there. So just keep an eye out, probably Redstone 4. Uh next year. Um but if you do get it working, you want to block the Windows Script Host, you want to block HTA and uh COM scriptlets. Um you can also delete uh the mshta.exe and red server uh some components rely on that and Windows Update will probably reinstall them um but that's one thing you can try. Another thing is you can delete COM objects if you're not using them. It's hard to tell what you're actually using. Uh including the script parsers themselves, so like the JScript and VBScript.
Those are all COM objects that are script parsing. I haven't actually tried deleting them, I think you might break your system, but ha. Uh we do have some uh intent to add this to Metasploit at least as a target to PSExec uh so right um it has a, it drops a file or it runs a PowerShell command. We want to do an MSHTA command back and then iterate it through all those methods that we found to fork to uh the Windows API. And try to spawn a Meterpreter binary that way. Uh just iterate yeah, just iterate all over those methods. Um some more future uh work is exploring COM uh seeing what is exposed through the interfaces. Uh it's a large attack surface on Windows that's kind of forgotten about or it's kind of a difficult concept to to grasp. Um Tiraniddo has a cool tool. I forget what it's called. Like OleView or something uh that lets you get the interfaces for a lot of these COM objects and you can see what you can do with them. Uh another thing is that with this tool like I said, there's a lot of bugs. Uh so we do plan to clean up the code and uh do a small plugin revamp. So uh right now the plugins are kind of reusing a lot of the same code and uh we also want to implement a JavaScript obfuscator so right now all the payloads are pretty generic. They're all the same um but if we obfuscate it's gonna kind of uh add some uh bypasses for very obvious lookups of that. Um we've kind of neglected persistence implants, which is why we didn't talk about them. There are a few ways to get persistence. That's when the machine reboots, it will restage. Uh WMI subscriptions is one that we could do. And then another thing is we're using the basic uh Python server uh just very generic. Uh so we actually do have the Slow Loris attack, I believe it works on this similar when we drop that 0day. Uh SMBLoris, the- we have the Slow Loris attack on this. Um so that's one thing we want to close down by throttling the amount of IPs. Some related talks by Tiraniddo. He did COM in Sixty Seconds.
This is the best primer on COM you can watch. Um better than any book I ever read. Um he does it, it's not actually sixty seconds, it's sixty minutes, but he did it at Infiltrate uh this year. Another one is Windows Archaeology which uh subTee and Enigma 0x3 did at BSides Nashville this year. And then last year subTee wrote a very basic uh JScript RAT and presented that at DerbyCon, uh we're trying to expand that concept and get it, uh you know, as close to Empire as we could. And so yeah this code is available on GitHub. Uh zero sum slash koadic. Uh we're also doing a workshop today uh it was registration only though. But we have also released that code as well. Uh just check my GitHub. Um more lower level stuff. C and shellcode. But so cool stuff. So yeah. Yeah that's zerosum and aleph naught.
>> Thank you guys very much.
>> Thank you. [applause]