
BlueHat v18 || KillSuit: the Equation Group's Swiss Army knife for persistence, evasion, and data exfil

Francisco J Donoso, Randori

Most research into the Shadow Brokers' leaks of Equation Group tools has focused on the Equation Group's brilliant exploits, but very few researchers have concentrated on the extremely effective post-exploitation capabilities.

This talk expands on my research into the Equation Group's post-exploitation tools. My previous research provided a general overview of DanderSpritz, a full-featured post-exploitation toolkit included in the Shadow Brokers' "Lost in Translation" leak. This talk provides a deep dive into KillSuit, the Equation Group's Swiss Army knife for persistence, information gathering, defense evasion, and data exfiltration in unique and interesting ways.

During the talk, we will dissect the capabilities and functionality of the KillSuit framework, a little-known (and somewhat overlooked) component of the much larger DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full-featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to quietly establish persistence on machines via bootkits and other persistence methods, and then lets operators install persistent modules such as keyloggers, packet capture tools, tools that perform WiFi MITM, and other information-gathering tools. KillSuit also supports many plugins that provide interesting ways to silently exfiltrate data, some specifically designed to make data exfiltration across air-gapped networks possible, including custom-written IPsec-like protocols and misuse of "disabled" WiFi cards and nearby open networks.


  1. KILLSUIT
  2. ABOUT ME
     • DEVOPS / SECURITY AT RANDORI
     • ARCHITECT
     • SECURITY ENGINEER
     • CONSULTANT
     • SECURITY ANALYST
  3. WHY THIS RESEARCH
     • RESEARCHERS FOCUSED ON EXPLOITS
     • WANTED TO KNOW MORE ABOUT "APT" POST-EXPLOITATION
     • ENCOURAGE OTHERS TO RESEARCH & REVERSE
     • THIS HAS WORKED (A LITTLE)!
     • WANTED A TECHNICAL SIDE PROJECT
  4. AGENDA
     • BRIEF OVERVIEW OF DANDERSPRITZ
     • QUICK HISTORY OF THE FRAMEWORK(S)
     • GETTING TO POST-EXPLOITATION
     • KILLSUIT
     • PERSISTENCE
     • EVASION
     • DATA EXFIL
     • QUANTUM SHOOTER – MAN ON THE SIDE
     • DANDERSPRITZ LAB
  5. DANDERSPRITZ
     • FREAKING COOL
     • A FULLY FUNCTIONAL POST-EXPLOITATION FRAMEWORK
     • WRITTEN IN JAVA
     • EXTREMELY MODULAR
     • "PLUGINS" (FEATURES) WRITTEN IN PYTHON / CUSTOM SCRIPTING ☺
     • DESIGNED FOR STEALTH
     • DESIGNED TO PREVENT DUMB OPERATORS FROM MESSING IT UP
  6. TIMELINE: Expanding Pully → DanderSpritz → DanderSpritz script rewrite (2001, 2005, 2011)
  7. TIMELINE (CONTINUED): KillSuit added in 2008
  8. TERMINOLOGY
     • TARGET = ATTACKED COMPUTER(S)
     • LP = LISTENING POST (C&C SERVER)
     • COMMAND = SOMETHING RUNNING ON TARGET
     • PSP = PERSONAL SECURITY PRODUCT (AV)
     • SAFETY HANDLER = DON'T MESS IT UP
     • IMPLANT = MALICIOUS CODE DEPLOYED ON TARGET
  9. GETTING TO POST-EXPLOITATION: Fuzzbunch → Exploit → DoublePulsar → PeddleCheap → DanderSpritz
  10. WHAT IS KILLSUIT?
  11. KILLSUIT
     • EXTREMELY MODULAR PERSISTENCE FRAMEWORK
     • MULTIPLE SUPPORTED PERSISTENCE METHODS
     • CAN LOAD SEVERAL DIFFERENT "PLUGINS"
     • ENCRYPTION FOR EVERYTHING
  12. KILLSUIT TERMINOLOGY
     • INSTANCE = A SPECIFIC INSTANCE OF KILLSUIT (MULTIPLE CAN BE INSTALLED)
     • TYPE = A SPECIFIC KISU INSTANCE INTENDED TO SUPPORT PERSISTENCE FOR A COMPLEX IMPLANT
     • LAUNCHER = THE DRIVER EXPLOITED TO RUN KERNEL-MODE CODE
     • MODULE = SPECIFIC IMPLANT / CODE THAT IS INTENDED TO BE PERSISTENT
     • MODULE STORE = ENCRYPTED VIRTUAL FILE SYSTEM
  13. PERSISTENCE (BOOTKIT)
     • MODIFIES THE VBR TO LOAD A KERNEL DRIVER
     • USES ENCRYPTED TRUETYPE FONT FILES AS "CONTAINERS" FOR THE KERNEL DRIVER
     • PATCHES WINLOAD.EXE & THE FIRST DRIVER LOADED DURING BOOT TIME
  14. PERSISTENCE (RUNTIME)
     • LAUNCHES A "KERNEL-MODE ORCHESTRATOR" BY EXPLOITING A "LAUNCHER" DRIVER
     • PROVIDES THE ABILITY TO RUN *UNSIGNED* KERNEL-MODE AND USER-MODE CODE
     • BEGINS LAUNCHING IMPLANTS
     • INJECTS MALICIOUS USER-MODE CODE INTO PROCESSES
  15. DEFENSE EVASION
  16. DEFENSE EVASION
     • EVERYTHING ENCRYPTED WITH A UNIQUE KEY PER TARGET
     • VIRTUAL FILE SYSTEM STORED IN THE REGISTRY
     • PROCESS INJECTION FOR USER-MODE CODE
     • CREATES FILES ONLY TEMPORARILY
     • TIME STOMPING
  17. COVERT NETWORKING
     • PROVIDES COVERT (NON-WINSOCK) NETWORK ACCESS FOR TOOLS
     • FLEWAVENUE = IPV4 DRIVER
     • DOORMANGAUZE = IPV6 DRIVER
  18. DATA GATHERING
  19. KEYLOGGERS
     • STEALTHY KEYLOGGERS
     • PERSISTED VIA A KILLSUIT INSTANCE OF THE "STLA" TYPE
     • STORES ENCRYPTED DATA IN VBNARM.DLL (CONFIGURABLE)
  20. PACKET CAPTURE
     • FULLY FEATURED PACKET CAPTURE TOOL
     • USES THE BERKELEY PACKET FILTER (BPF) FILTER FORMAT
     • INSTALLED ONTO AN EXISTING KILLSUIT INSTANCE
     • CAPTURED DATA STORED IN AN ENCRYPTED CONTAINER
  21. DATABASES
     • DANDERSPRITZ INCLUDES DRIVERS TO INTERACT WITH SEVERAL DATABASES
     • CAN BE INSTALLED PERSISTENTLY WITH KISU
     • MSSQL, MYSQL, SQLITE, ORACLE
  22. WIFI MITM
     • WIFI MAN IN THE MIDDLE (MITM)
     • USES A SEPARATE KILLSUIT INSTANCE WITH ITS OWN TYPE (MABE)
     • INSTALLS A DRIVER WITH PACKET INJECTION CAPABILITIES
  23. STEALTHY EXFIL
  24. STRAITBIZARRE / FRIEZERAMP
  25. STRAITBIZARRE / FRIEZERAMP
     • STRAITBIZARRE = IMPLANT DESIGNED FOR STEALTHY DATA EXFIL
     • FRIEZERAMP = CUSTOM NETWORK PROTOCOL
     • PROVIDES COVERT & ENCRYPTED NETWORKING CAPABILITIES
     • USES "ADAPTERS" TO INSERT PACKETS INTO THE RELEVANT TRANSPORT LAYER
     • SIMILAR TO IPSEC
  26. WIFI EXFIL
     • DATA EXFIL VIA UNUSED / DISABLED WIFI CARDS
     • USED WHEN THE TARGET IS AIR-GAPPED
     • CAN USE STOLEN CREDENTIALS OR SEND VIA OPEN NETWORKS
     • USES A SEPARATE KILLSUIT INSTANCE WITH ITS OWN TYPE (SOKN)
  27. QUANTUM SHOOTER
  28. QUANTUM SHOOTER
     • STRAITBIZARRE SHOOTER REDIRECTS TO THE FOXACID EXPLOIT SERVER
     • EXPLOIT SERVER DEPLOYS "VALIDATOR"
     • VALIDATOR CONFIRMS WHETHER THE TARGET IS INTERESTING
     • UPGRADE TO UNITED RAKE
  29. STORY TIME
  30. 0x7a43e1fa in hex
  32. DANDERSPRITZ LAB
  33. DANDERSPRITZ LAB
     • FULLY FUNCTIONAL DANDERSPRITZ LAB IN 2 COMMANDS
     • packer build danderspritz_lab.json
     • vagrant up
  34. RECAP
     • BRIEF OVERVIEW OF DANDERSPRITZ
     • FRAMEWORK HISTORY & OVERVIEW
     • GETTING TO POST-EXPLOITATION
     • SOLARTIME
     • KILLSUIT MODULES
     • QUANTUM SHOOTER – MAN ON THE SIDE
     • DANDERSPRITZ LAB
  35. DANDERSPRITZ.COM • @FRANCISCKRS • DANDERSPRITZ_DOCS • DANDERSPRITZ_LAB
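Slide 16 lists time stomping among KillSuit's evasion techniques, alongside creating files only temporarily. The triage below is an added example, not code from the talk, from DanderSpritz or from KillSuit, and it shows the check a forensic analyst would run against that technique: NTFS keeps two timestamp sets per MFT record, $STANDARD_INFORMATION ($SI), which user-mode SetFileTime-style calls rewrite, and $FILE_NAME ($FN), which the kernel updates on create/rename/move and which those calls do not touch. A dropped file whose $SI times were reset to blend in with old OS components therefore still carries a truthful $FN. The records, the file names and the two-second tolerance are all constructed assumptions; a real run would feed the function from a parsed $MFT, which is outside this example.

```python
"""Triage for $SI/$FN timestamp inconsistencies that time stomping leaves behind.

Added example, not code from the talk, from DanderSpritz or from KillSuit.
The records below are constructed; a real run feeds check_record() from a
parsed $MFT (the parsing itself is out of scope here).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

UTC = timezone.utc

# $SI and $FN can legitimately differ by a little (clock granularity, flush
# order); the tolerance is an assumption, tune it to the file system you see.
TOLERANCE = timedelta(seconds=2)


@dataclass(frozen=True)
class MftTimes:
    """Creation and modification times from $SI and $FN of one MFT record (UTC)."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def check_record(rec: MftTimes) -> List[str]:
    """Return the reasons a record looks stomped; an empty list means consistent."""
    reasons: List[str] = []
    # A file cannot have been created before the name entry that created it.
    if rec.si_created < rec.fn_created - TOLERANCE:
        reasons.append("$SI created predates $FN created")
    # A file cannot have been modified before it existed (but see the caveat
    # on copied files in the note below).
    if rec.si_modified < rec.fn_created - TOLERANCE:
        reasons.append("$SI modified predates $FN created")
    # SetFileTime callers usually pass whole seconds, while kernel-set $FN
    # times keep their sub-second fraction (microseconds here). Whole-second
    # $SI next to fractional $FN is a tell.
    si_whole = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_fractional = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_whole and fn_fractional:
        reasons.append("$SI times have zero sub-second part while $FN times do not")
    return reasons


def hunt(records: List[MftTimes]) -> Dict[str, List[str]]:
    """Map each suspicious path to its reasons; clean records are omitted."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        reasons = check_record(rec)
        if reasons:
            findings[rec.path] = reasons
    return findings


# Constructed sample records (not real forensic data).
SAMPLE_RECORDS = [
    # A normally written document: $FN was copied from $SI at creation and
    # later edits only moved $SI modified forward.
    MftTimes(
        path=r"C:\Users\analyst\report.docx",
        si_created=datetime(2018, 10, 30, 14, 21, 7, 123456, UTC),
        si_modified=datetime(2018, 10, 30, 15, 0, 2, 654321, UTC),
        fn_created=datetime(2018, 10, 30, 14, 21, 7, 123456, UTC),
        fn_modified=datetime(2018, 10, 30, 14, 21, 7, 123456, UTC),
    ),
    # A dropped DLL (hypothetical name) whose $SI times were reset to match
    # the surrounding OS files; $FN still records when it really appeared.
    MftTimes(
        path=r"C:\Windows\System32\hypothetical_store.dll",
        si_created=datetime(2009, 7, 14, 1, 14, 47, 0, UTC),
        si_modified=datetime(2009, 7, 14, 1, 14, 47, 0, UTC),
        fn_created=datetime(2018, 10, 30, 16, 5, 33, 998877, UTC),
        fn_modified=datetime(2018, 10, 30, 16, 5, 33, 998877, UTC),
    ),
]

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Two caveats matter when reading the output. A file copied or extracted from an archive inherits the source's $SI modified time while getting a fresh $FN created time, so the second rule fires on perfectly legitimate copies and should be read as a triage signal, not a verdict. And since KillSuit runs unsigned kernel-mode code (slide 14), an implant with that level of access can rewrite $FN as well, so a clean result does not clear a file; it only means the cheap user-mode stomp was not used.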
