What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE BY KIERAN JACOBSEN.

1 What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE BY KIERAN JACOBSEN

2 The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional. Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from your using or manipulating the source code. Everyone involved in this presentation is a trained IT professional, so please, don't try this at home! Malware IS DANGEROUS.

3 The Bad Guy
• Name: Boris
• Previous title: System Administrator @ Queensland Department of Widget Management
• Technical skills:
  • PowerShell
  • Group Policy
  • Windows Azure
  • Some hacking knowledge

4 The Malware
• Written in PowerShell
• IT IS VERY OBVIOUS!
• Signed with a certificate issued by a third-party root authority
• A machine is considered infected when:
  • C:\Infected contains the required files
  • The drive-infection scheduled task is running
  • The C&C scheduled task is running
• Command and Control is cloud based, using a Windows Azure VM Role
  • Windows Server 2012 with IIS and WebDAV
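The three indicators above are concrete enough to check from the defender's side. The script below is an added example, not code from the talk or from the GitHub project it links: it looks for the drop folder and for scheduled tasks that fit the description. The folder name C:\Infected comes from the slide; the task-name patterns and the regex on the task command line are assumptions, since the slide never names the two tasks. It uses only what ships on Windows 7 and Server 2012 (schtasks.exe rather than the later ScheduledTasks module).

```powershell
# Added example (not from the talk): check a host for the three infection indicators
# the slide lists. Task-name patterns and the command-line regex are assumptions.
function Test-InfectionIndicators {
    param(
        [string]$DropFolder = 'C:\Infected',
        [string[]]$TaskNamePatterns = @('*Infect*', '*CandC*', '*C&C*')
    )
    $findings = @()

    # Indicator 1: the drop folder and its contents. Record each file's Authenticode
    # status too: the malware is signed, so "Valid" here is evidence, not reassurance.
    if (Test-Path -LiteralPath $DropFolder) {
        $files = @(Get-ChildItem -LiteralPath $DropFolder -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        $findings += "Drop folder present: $DropFolder ($($files.Count) files)"
        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            $findings += "  $($f.Name): signature=$($sig.Status) signer=$signer"
        }
    }

    # Indicators 2 and 3: the drive-infection and C&C scheduled tasks. With /V and /FO CSV,
    # schtasks repeats its header row once per task folder, so those rows are dropped.
    $tasks = @(schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
               Where-Object { $_.TaskName -ne 'TaskName' })
    foreach ($t in $tasks) {
        $nameHit = $false
        foreach ($pat in $TaskNamePatterns) { if ($t.TaskName -like $pat) { $nameHit = $true } }
        # Heuristic: a task that launches PowerShell with the policy bypassed, or with
        # Invoke-Expression/IEX on its command line, deserves a look whatever it is called.
        $cmdHit = $t.'Task To Run' -match 'powershell.*(-e\w*\s+bypass|invoke-expression|\biex\b)'
        if ($nameHit -or $cmdHit) {
            $findings += "Scheduled task: $($t.TaskName) -> $($t.'Task To Run') [$($t.Status)]"
        }
    }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Suspicious   = ($findings.Count -gt 0)
        Findings     = $findings
    }
}

Test-InfectionIndicators | Format-List
```

Any single finding is worth a look, but the slide's own definition of "infected" is all three indicators together; the command-line heuristic will also surface legitimate admin tasks that pipe into Invoke-Expression, so review rather than auto-remediate.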

5 The Malware: Infect-WebPC.ps1
• Infects a client
• Clients download and execute the script
• Downloads the other files needed for infection, and creates scheduled tasks to communicate with Command and Control

6 The Malware: Invoke-CandC.ps1
• Runs as a scheduled task
• Uploads a "registration" file to the Command and Control server; the file contains running processes and services
• Gets "Commands" from the Command and Control server, filtering out tasks previously run or not destined for this host
• Runs each command using Invoke-Expression
• Commands can be an executable or any PowerShell command

7 A Quick Note: Code Signing
• Authenticode/code signing only assures us of the authenticity and integrity of the signed file/script/executable
• It does not prove good intentions
• Because of its cryptographic basis, it is more trusted by technically minded users
• Many sources of abuse:
  • Forgery
  • Deception
  • Theft
• See also:
  • http://www.f-secure.com/weblog/archives/00002437.html
  • http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/
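The practical consequence of "authenticity and integrity, not good intentions" is that a check of `Status -eq 'Valid'` is not a trust decision: a certificate the malware author bought, or a key stolen from a real publisher (the Adobe case linked above), both come back Valid. The following added example, which is not the speaker's code, makes the decision explicit by comparing the signer's thumbprint against an allow-list; the thumbprint and the folder path in it are placeholders.

```powershell
# Added example (not from the talk): Authenticode answers "is the file intact, and who signed
# it?", never "is it safe?". Decide on the signer, not on Status alone.
function Test-AllowedSigner {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Placeholder thumbprint (assumption); put your own publishers' values here.
        [string[]]$AllowedThumbprints = @('0000000000000000000000000000000000000000')
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $subject    = $null; $thumbprint = $null; $notAfter = $null; $tsa = $null
    if ($cert) { $subject = $cert.Subject; $thumbprint = $cert.Thumbprint; $notAfter = $cert.NotAfter }
    if ($sig.TimeStamperCertificate) { $tsa = $sig.TimeStamperCertificate.Subject }

    $allowed = ($sig.Status -eq 'Valid') -and $cert -and ($AllowedThumbprints -contains $thumbprint)

    $verdict = switch ($sig.Status) {
        'NotSigned'    { 'unsigned' }
        'HashMismatch' { 'modified after signing' }
        'Valid'        { if ($allowed) { 'signed by an allowed publisher' }
                         else { 'validly signed, but by a publisher we do not trust' } }
        default        { "signature problem: $($sig.Status)" }
    }

    New-Object PSObject -Property @{
        Path       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $subject
        Thumbprint = $thumbprint
        NotAfter   = $notAfter
        Timestamp  = $tsa             # counter-signature; absent means the signature dies with the cert
        Allowed    = $allowed
        Verdict    = $verdict
    }
}

# Review everything in a folder (assumed path); anything not Allowed is read before it runs.
Get-ChildItem -Path 'C:\Scripts' -Filter '*.ps1' |
    ForEach-Object { Test-AllowedSigner -Path $_.FullName } |
    Format-Table Allowed, Status, Signer, Path -AutoSize
```

An allow-list closes the "any valid signature will do" hole but not the stolen-key case for a publisher you do allow; that one depends on the publisher revoking the certificate and on your hosts actually checking revocation, which is why the Adobe story on the slide ends with a revocation.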

8 The Network
• Simple, flat network
• Limited outbound protocols allowed: HTTP, HTTPS, DNS
• Single Windows Server 2012, running DC and File and Print
• Windows 7 SOE
• All users are local administrators
• UAC was disabled due to an application compatibility issue
• VNC runs on all machines under a service account, which is a domain admin

9 What Boris Knows
• Usernames, computer names, IP addressing…
• Security and firewall policies
• That passwords have all been changed
• Group Policy restrictions, including PowerShell execution policies
• Personal details of those remaining:
  • Email addresses
  • Pets and favourite animals
  • Hobbies and interests

10 The Plan of Attack
1. Infect previous co-workers
   1. Alice: his former boss
   2. Bob: the co-worker he didn't like
   3. Eve: the paranoid security administrator
   4. Jane: the C-level exec
2. Get a Domain Admin account username and password
3. ?
4. Profit!

11 A Quick Note: PowerShell Execution Policies
There are 6 states for the execution policy:
• Unrestricted: all scripts can run (scripts downloaded from the Internet still produce a warning)
• RemoteSigned: scripts downloaded from the Internet must be signed; local scripts can run unsigned
• AllSigned: no unsigned scripts can run
• Restricted: no scripts are allowed to run, only interactive commands
• Undefined (default): no policy is set in this scope, so the effective policy falls back to Restricted
• Bypass: the policy processor is bypassed; nothing is blocked and no warnings or prompts are shown

12 Demo: Boris infects Alice’s PC

13 Demo: Boris infects Bob’s PC

14 Demo: Boris infects Eve’s PC

15 Code: Bypassing Restricted Execution Policy
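The slide's code is not in this transcript. What follows is an added example, not the speaker's own bypass code, showing the mechanism that every such bypass rests on: the execution policy is checked only when PowerShell loads a script file, so handing it the same text any other way is never policed. The scratch path is an assumption; run it in a session where Get-ExecutionPolicy returns Restricted.

```powershell
# Added example (not the code from the talk): Restricted blocks .ps1 files, not commands.
$script = Join-Path $env:TEMP 'ep-demo.ps1'   # assumed scratch path
Set-Content -Path $script -Value '"ran as $env:USERNAME with policy $(Get-ExecutionPolicy)"'

# 1. The policed path: invoking the .ps1 file is blocked under Restricted (and under AllSigned).
try   { & $script }
catch { Write-Host "Blocked as expected: $($_.Exception.Message)" }

# 2. Read the text and evaluate it. Invoke-Expression runs commands, not files, so the
#    policy is never consulted; the script even reports that the policy is still Restricted.
Invoke-Expression (Get-Content -Path $script | Out-String)

# 3. Same idea via standard input: '-' tells powershell.exe to read its commands from stdin.
Get-Content -Path $script | powershell.exe -NoProfile -Command -

# 4. Base64 the text and pass it on the command line; the child never touches a file.
$bytes   = [System.Text.Encoding]::Unicode.GetBytes((Get-Content -Path $script | Out-String))
$encoded = [Convert]::ToBase64String($bytes)
powershell.exe -NoProfile -EncodedCommand $encoded

# 5. Ask for a different policy for this process only. This works when the policy was set
#    locally (CurrentUser/LocalMachine). One pushed by Group Policy lives in the MachinePolicy
#    scope, which outranks Process, so this line is refused there while 2 to 4 still work.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

Remove-Item -Path $script
```

This is why "Group Policy restrictions" in Boris's list of what he knows is not the obstacle it looks like, and why slide 22 pairs execution policies with application white listing: the execution policy is a guard against running a script by accident, not a security boundary against someone who wants the script to run.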

16 Demo: Boris gets a domain admin username and password

17 Demo: Boris infects the server

18 Demo: Boris cracks open AD

19 Cloud Cracker Results

20 Malicious HID Devices
• HID: Human Interface Device; examples generally include mice, keyboards, fingerprint readers, joysticks, webcams, gamepads
• Device shown today: Hak5 USB Rubber Ducky
• Retails for: USD 60
• Contains a micro SD storage card and a 60 MHz CPU
• When placed in a plastic case, it looks like any other USB device
• Appears as a HID keyboard, bypassing USB storage controls
• Simple programming language; can do anything you could do with a keyboard
• Cross-platform

21 Demo: Boris goes for complete domination, infects Jane’s PC

22 So what do we do?
• Boris never made a connection to the network; it always connected to his PC
• Boris could easily have done this with a significant level of anonymity
• PowerShell execution policies
• URL white listing
• Application white listing
• Email filtering
• USB device control
• Solution: User education
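Most of the controls on this slide, and the weaknesses on the network slide (UAC off, everyone a local administrator, VNC running as a domain admin), can be read off a host in one pass. The report below is an added example rather than anything from the talk; it uses only built-ins present on Windows 7 and Server 2012, and the AppLocker cmdlet is wrapped in try/catch because it is missing on editions without AppLocker.

```powershell
# Added example (not from the talk): audit one host for the weak spots on slide 8 and the
# controls on slide 22. Registry locations are the standard policy keys; nothing is assumed
# beyond that.
function Get-HostHardeningReport {
    $r = New-Object PSObject

    # UAC: EnableLUA = 0 is the "disabled for application compatibility" state.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $r | Add-Member NoteProperty UacEnabled ($sys.EnableLUA -eq 1)

    # Local Administrators: "all users local administrators" shows up as a long list here.
    # net.exe prints six header lines before the members and a trailer line after them.
    $admins = @(net localgroup Administrators 2>$null | Select-Object -Skip 6 |
                Where-Object { $_ -and $_ -notmatch '^The command completed' })
    $r | Add-Member NoteProperty LocalAdmins $admins

    # Services running under a named account (the VNC-as-domain-admin problem). If one of
    # these is a domain admin, its password is recoverable from LSA secrets on that host.
    $namedSvcs = @(Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
        ForEach-Object { "$($_.Name) runs as $($_.StartName)" })
    $r | Add-Member NoteProperty ServicesWithNamedAccounts $namedSvcs

    # Execution policy per scope: a value only in LocalMachine/CurrentUser can be changed by
    # the user; one in MachinePolicy came from Group Policy. Neither stops Invoke-Expression.
    $ep = Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }
    $r | Add-Member NoteProperty ExecutionPolicy ($ep -join '; ')

    # Application white listing: is any AppLocker rule actually in effect?
    $applocker = 'not available'
    try {
        $pol   = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $rules = ($pol.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
        $applocker = if ($rules -gt 0) { "$rules rules in effect" } else { 'no rules' }
    } catch { }
    $r | Add-Member NoteProperty AppLocker $applocker

    # USB device control: the "All Removable Storage classes: Deny all access" policy.
    # Note that a HID device like the Rubber Ducky is not a storage class and is untouched by it.
    $rs = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue
    $r | Add-Member NoteProperty RemovableStorageDenied ([bool]($rs -and $rs.Deny_All -eq 1))

    $r
}

Get-HostHardeningReport | Format-List
```

Read the result against the story: UacEnabled false plus a long LocalAdmins list is the network Boris walked into, and a domain account under ServicesWithNamedAccounts is the step from "one infected PC" to "domain admin" that slide 16 demonstrates.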

23 Questions? More Info…
• Website: http://aperturescience.su
• Twitter: @kjacobsen
• Email: Kieran@thekgb.su
• GitHub project: http://bit.ly/pscandc
• Tools:
  • PwdumpX: http://bit.ly/pwdumpx
  • Quarks PW Dump: http://bit.ly/quarkspwdump
  • Cloudcracker.com: http://bit.ly/cloudcracker
  • USB Rubber Ducky: http://bit.ly/TFe7EG
  • Hak5: http://hak5.org

