Good afternoon. Do you know how to fix a Windows computer? Reboot it. And do you know how to hack a Microsoft computer? Use Microsoft tools to do that. So my talk is "Hack Microsoft using Microsoft signed binaries". I'm Pierre-Alexandre. I'm Belgian and I work in Canada for Deloitte as a senior consultant. I'm doing incident response and red teaming. I have 14 years of experience and I talk at several conferences internationally. And I'm a StarCraft 2 player, and I was very happy to see Blizzard here. So I asked the guy, when will they do StarCraft 3? I did not get any response.

So why did I make PowerMemory? My first goal was to understand the Windows authentication system, really inside the memory, in the kernel. I wanted to learn PowerShell and learn memory concepts. What is PowerMemory? PowerMemory is a Minesweeper solver. That's all. Thank you very much. That's not true.

So currently all eyes of security guys are on PowerShell. You have a lot of tools that can detect PowerShell activities now, like Carbon Black, Tanium, but also some endpoint antivirus like Symantec, as they did a very good white paper about the increased use of PowerShell in attacks and some patterns they can detect. We got PowerWare, which was last year the first ransomware running in memory. I did a little script that you can find on my GitHub, called Invoke-Tartarus, that does the same thing: running in memory and encrypting files. But I think there are more possibilities than just PowerShell with PowerShell.exe, etc. A lot of guys are working on that, like Casey Smith, who is an awesome guy about whitelisting, a lot of things. You have harmj0y from the Empire project. Ben Ten, who launched NPS, which is Not PowerShell. And I did some interesting thing too with MSBuild.exe; you can find it on my GitHub too. So basically you execute a reverse shell with an XML file that you host on a WebDAV server.
And through MSBuild.exe you will launch PowerShell in memory, in the MSBuild process. So with PowerShell, which is a Microsoft tool, you don't have to use PowerShell.exe but the DLLs if you want. And with a Microsoft signed debugger, PowerMemory can achieve whatever you want: in user land, in kernel land and also in Wonderland.

So the basic concept of PowerMemory is just to send and receive text. PowerMemory sends text to the debugger and it receives text from the debugger, that's it. With this concept you can do everything you want in the Windows kernel and in user land. When I say text, it's bytes. So how does it work? You have PowerMemory on one side and WinDbg or CDB, which is the command line version of WinDbg, the Windows debugger from Microsoft, which is signed. PowerMemory will call the debugger and send a command to execute. Then it will retrieve the bytes, parse them and send a new command, a byte write or read, to execute. So you have a server somewhere, and PowerMemory, and basically to retrieve some memory information PowerMemory will say, OK, by WMI call, dump the memory for this process, for example. The server will answer OK, and you have for example an lsass.exe dump, which contains some interesting information like passwords, and you can do that for a lot of servers if you want.
But yes, I said that I dropped a binary file on the file system, and you will say, OK, you touch the disk, maybe it's not very good. That's true, but I do it, and I can do it also like that: you have the server, your PowerMemory, you say dump it, and it will dump it. To do that I will use userdump.exe, which is a Microsoft tool too and which is signed by Microsoft. If you are interested in this kind of tools, Microsoft wrote in 2008 a very good article with a lot of tools they created, signed, that can lead to dumping process memory. So I don't dump every day, but when I dump, I do it with Microsoft tools.

So PowerMemory is also a userland attacker: you can get Windows passwords from memory, but you can also inject and execute a shellcode in a remote process, and you can modify the memory of a process. I will show you this with a little demo with Minesweeper, for example. PowerMemory is also a kernel land attacker, so with direct kernel object manipulation stuff you can do pretty much everything that you can imagine, like hide and unhide a process. I made some PoC to inject all privileges in a process with the SYSTEM identity, because I found, with an empirical approach on a lot of different operating systems or versions of Windows, that the SYSTEM hash is always the same whatever the system you are on, so you can inject this identity pretty easily. You can do a pass-the-token attack, protect a process, with this concept.

Also, because I like Active Directory a lot, you can SPN scan, which is pretty useful when you want to find, for example, all the SQL servers in a domain, all the file servers in the domain, I don't know which role you want to find. It's very useful because you just have to ask the domain controller one time, OK, show me all your SQL servers; you don't have to do an Nmap, which is very noisy, but just ask the domain controller. You get GPP passwords of all connected forests, not just the forest where you landed but all connected forests. You can also access server shares of all connected
forests, which is very interesting because in a lot of huge companies you have some misconfiguration of your server shares, which are often configured with Authenticated Users rights, and they can write on these shares, so you will see that. And you can draw the AD topology. You have also some elevation of rights inside the framework. You can retrieve SiteList.xml file passwords from McAfee; I did that the same day, I think it was, I don't remember, but there were two of us doing that the same day. You can crash operating systems vulnerable to some vulnerability, you can bypass UAC, etc. And yes, there is a lol thing, because in several companies in Quebec City you have some very old software firewalls which are installed on all computers, which can lead to asking the user, OK, give me your password, I'm your firewall, you can trust me, and you will receive the information.

So that's the main menu, it's the interactive menu of PowerMemory, but I also did some things that bind to Empire, and you can use it non-interactively. So the thing with PowerMemory is to debug, but not really debug, but to use the debugger. And I don't know if you know Jeffrey Snover; Jeffrey Snover is the creator of PowerShell: OK, automate everything. So I decided to automate the debugger to hack Microsoft. And why use the Microsoft debugger? Because it's a Microsoft signed application, so to me it's very interesting, because in a company where there are a lot of defensive mechanisms, often a signed application will be trusted by a security analyst and every people inside the company.

So first step: when you use WinDbg you can do some db, which is display bytes with little-endian transformation, and you will have some very interesting information like that. You can also do dw, display words, to have two bytes, dd, display double words, you understand the concept. And if you do something like du you will display Unicode, so in a place in memory where you have clear text you will have something like my email address directly in memory. If you do that on
something encrypted, you will get encrypted bytes. But getting the password inside the memory is not just doing du and expecting to get the password. It was true before, but not now. The first thing you have to do is to load the symbols. What are the symbols? The symbols are PDB files: when you compile something in the Microsoft world you will generate some PDB files, and in these PDB files you have a lot of very interesting information. And CDB or WinDbg, which is the Microsoft debugger tool, has a way of managing the symbols automatically, so if you say, OK, show me these symbols, and you have the PDB files, you will get automatically the right address in memory even if it's dynamic. If you ask the debugger to display symbols without having loaded the PDB, you will have some quotation marks like that. So you load the symbols and bam, you have the correct bytes. Symbols are free; Microsoft publishes them for all versions of its tools but also for its operating systems, from very old operating systems to the newest.

The symbol we will look for, for getting the password, will be a list entry. The list entry is a doubly linked list entry, so each element is linked together in a circular way, and it will contain all the domains, users and passwords of people who are logged on the computer you will access. So the symbol for this doubly linked list entry is LogonSessionList; the key for NT5 operating systems, so like 2003 for example or XP, is g_pDESXKey, and g_Feedback, which you will need too. For NT6 and NT10 it's the same thing, and you need the initialization vector. For NT6 and NT10 it was very easy, because as soon as you get this key and initialization vector it's very simple to implement an algorithm and get the password. For NT5 it was harder, because DESX is a DES implementation of Microsoft which is not documented, so it was harder to get the password for NT5 than for NT6 and NT10. But we need to go deeper, let's get
technical. So you want passwords in userland memory. Microsoft documented the Digest Security Support Provider, which is one of the authentication providers of Microsoft. You have different providers, but this one is very interesting because it manages SSO authentication and web authentication, and in a company network, web authentication is not easy to remove because it will manage SSO authentication to SharePoint, for example; you cannot just remove that. So it's used everywhere and you will always get this password. Yes, there is no reason to store the password in memory after the utilization, because the concept is to just use the hash of the password on the network, so normally Microsoft could just remove it from memory, but it didn't, I don't know why.

So the concept is to steal the bytes. You want to dump the lsass process. You can do it by different mechanisms. One, dumping the lsass process locally or remotely, because you can do it remotely too by calling WMI and asking the system to dump this process. You can convert hiberfil.sys to a dump file. You can make the computer crash and get the dump file, and then give it to PowerMemory and it will give you the password. You can leverage your hypervisor; this point is pretty much the most interesting, because I will show you after, but basically if you are just an operator on Hyper-V or on VMware, you have more rights than a domain administrator in this network. And also, if you have kernel mode access, you can directly access the lsass process; you have no need to dump the memory, but just access the information you need.

So I say for the hypervisor: you say you are an operator in a hypervisor environment and you have less rights than a domain admin? Seriously? So this thing is on Hyper-V, but it works also on VMware. You will just use a Hyper-V tool from Microsoft, which is a tool written by Mark Russinovich, LiveKD, which will allow you to dump the memory of the virtual machine running in the Hyper-V system.
So once you have this dump you give it to PowerMemory and it will give you the password, even if you have absolutely no rights inside the domain or inside the virtual machine. And it works for containers too, the containers of Microsoft: when you launch a container in the Microsoft world, it will launch a new lsass process, so basically you have access to all the passwords of the containers once you have access to the host.

Can you see the password? It's over there. No, it's like trying to find Waldo. But if I show you the information like that, it's the famous doubly linked list entry. So it's just one element of the list. This green information is the next item in the list, so the address of the next item in the list. This information is the previous entry. Then you have the address; this current address is a LUID, which in Windows is a unique identifier that is 64 bits and which is guaranteed to be unique until the next reboot; it's totally non-interesting for getting the password. Then the username address: if you type du on this address you will have the username in clear text. The NetBIOS domain name address. The encrypted password: if you do du on that you will have nothing, just encrypted bytes. The domain name address and the username address. It's a 2008 R2 dump, so it's not exactly the same thing; 32 bits, 64 bits, it's not the same thing; it's not the same thing on a Windows 10, etc. So with this approach you have a lot of things to implement. Always the same information at the same places? Yes, so max length, min length, that helps to automate the process.

So now you have the password, encrypted, and you need the key and then the initialization vector. To get the key you just type the symbols that I gave you just before, and it will give you something like that. So you type the next entry and you will get some interesting information. In red it says size; it's an empirical approach, so I estimated it, it seems to be the size. The yellow information is a tag which is
always the same, KSSM. So at the next entry you will find another tag, which is MSSK, and in pink it's the key you look for. So if you just type db it will make the little-endian transformation and you will be able to inject that in your decryption algorithm. And finally, it's really the hard other part, you will see: you have to type the symbol, db, and you get the initialization vector. So it was really the hardest part in all the process.

So I have some demo. Sorry. So it's PowerMemory, you have the menu. You want to reveal passwords? Yes. You can ask PowerMemory: you will find passwords eventually, maybe you will find passwords, do you want that I try what kind of account it is, is it a backup operator, is it an administrator, is it an enterprise administrator? If you say yes it will ask the domain controller. So if you want to just stay in this system and not do any request outside, you will just say no. So locally in this case. Do you want to exfiltrate the information on Pastebin? No. Do you want to clear the event log on this local computer? So it's not just a right click and clear event log, it really takes the event log in place, takes my specific event log that I crafted and replaces your event log with my event log, with a lot of crappy event logs. So you say OK, and here it will get the dump, then parse all the bytes, get the password information in memory, and you will have an administrator with Spring 2017, and user one with password 3 bang, which is a very good password because it's not "one password one". So you can do the same thing remotely. So I ping dc1, OK, dc1, dc1, sorry, is another computer, OK it's dc1. So now I want that remote, dc1, no, no. So through SMB it will drop the binary that will dump the lsass process, retrieve it, then I will parse it the same way as locally, and normally, yes. MSDSE is just something I crafted; it's not at all a true process, it's just because it's very close to a real process in Microsoft. So you get the password Spring 2017. So that was that. So in
userland, you can also, with this technique, inject a shellcode in a remote process and execute it without calling an API. Normally when you do that you will say, OK, I will VirtualAlloc something and then I will call an API in Windows to execute the process. But my goal was to do all the things just by sending bytes, writing bytes and reading bytes through the debugger. So you have to find a memory executable zone, a null padding zone in the memory of the remote process, to inject your shellcode in this memory. You need the address of the null padding zone to inject your shellcode. Then you will need to parse the PE executable dynamically, since the PE is running in memory, so you need to parse it dynamically. You will find the address of the module loaded to inject, and basically and sequentially you will find all the information that you need until the padding zone, and after that you will be able to. So you write your bytes at the good places and then you just change your RIP, which is the instruction pointer register, and by doing that you will talk to the operating system and you will get your address zone and you will get a nice calculator.

So I have a demo for that. So in PowerMemory you have Process with different things. I will create a new notepad, for example: process name, process name, notepad.exe. So, and you have it. If I look in Process Explorer you will find notepad is injected with a calculator. And I have some interesting other findings if you want.

Now, OK, I will just go back to that, because we have kernel stuff too, and yes, I need to present that to you. With the same technique, if you are able to get in the kernel, by reusing a known technique to hide a process, I will do the same thing but just by reading and writing the bytes. So the goal is to hide a process in the process list in the kernel. So you want to do that: break this link, and then it's the bytes that you will write to do that, and you need to just create new links from the previous and next process. And then if
you just do that, you will have a nice BSOD, because the operating system now will figure it out: it's not normal, I have a process structure, an EPROCESS structure, but that is not linked to anything; it's not normal, I have to crash because I'm corrupted. So you have to redo just the link of the process you hide. And remember, I just injected a calculator in notepad, so I want to hide this process. So I will say hide notepad.exe. So notepad is over there. Does not work? Notepad, yes, I hid notepad, not calc, sorry. So I will hide calc also. OK, it's not any calc, but if you look, calc is over there, notepad is over there, so I want to hide, so I need a process address that I know, and calc is there, and if I... OK, notepad is there too. Cool.

So you did some userland things and kernel land things too. I made some weaponization to be able to do that in the real world, and I did a pull request into Empire, but since a lot of things happened to the Empire project, with people leaving for a company, it was not integrated currently yet, but it will be, normally, in the 2.0 version. Yes, I didn't correct it, but the new pull request is 503, not 298. So if you want to do the same things with an agent that you have in memory first, or find another technique for the target to load the Empire agent, or another agent if you have another one, through your agent you will load PowerMemory in the target machine memory, drop the signed debugger, and you will never make calls to the Windows API. So if some advanced endpoint detection tool tries to find you because you call some Windows API, it won't be able to find your stuff. And then you make fun and profit, and then you go to jail, normally. So the demo, I don't have this demo, I just have... I can show you, but if you know Empire you will recognize things. I think I have this, so yes, you use credentials, WMCRS, and just say run, and here you will have something like that, so the same thing as in interactive mode but in a non-interactive process.

OK, mitigation.
So the first thing is: you cannot trust trusted tools. You have to look really at the behavior of tools: why are these tools sending some bytes to other tools? So you have to understand what they do. You have to look for dumping activities, and a very good way to do that is to look for suspended processes: if a process is very quickly put in suspended mode, it's weird, and if it's lsass, it's absolutely abnormal, because normally it will never be put in suspended mode. Look also for suspicious bcdedit.exe, which is another Microsoft tool allowing you to do some very interesting things to your kernel, so asking, for example, Windows to run in kernel debugging. Don't trust the endpoint defense mechanism implicitly, and look for suspicious user tools behavior.

So you have no very simple way to mitigate this kind of attack, and because I work for Deloitte we have some framework to be able to mitigate this kind of thing when we do compromise assessment or incident response. So basically what we will say to our client is: look first at your crown jewels and be able to detect quickly, not to avoid every attack, but to contain the damage that the attacker will be able to do to your company, because it's not something that you will avoid. You will be attacked and it will be successful, but the thing is not to say it won't be successful at all; OK, it will be successful, but I will be able to detect it quickly and to contain the damages.

So the main takeaways: the basic SIEM use cases can detect API calls already; it's easy, you just have to say, OK, I saw that this process made VirtualAlloc calls to this process, so it's not normal, and the security analyst will be able to view that. Sorry. Using a signed debugger, OK, you drop something on the disk, but it will force the blue team to look for the behavior of your attacks, not just say "because this tool was signed, it's OK, I can just avoid looking for that". You can use public symbols to get memory addresses of every Microsoft tool but also for every
tool which was compiled in the Microsoft world. With this technique you can play in New Zealand. And look at the Empire 503 pull request, because there is also a certificate bug which I corrected.

I want to show you something before the end. So I said you can manipulate memory, and you want to play, do some interesting stuff with PowerShell and a debugger. So we have Minesweeper. I never played this game before trying to manipulate the memory, but it's pretty cool. So you can say, OK, when you look into the memory you will figure out that 24 and, sorry, 30 width, it's the maximum allowed by the computer, because it's the maximum allowed in memory just for that. If I try to do some different thing here, it won't work. So for example I will put this, so I have a new grid, and you have several choices. I don't like to lose, so I want to win. The easy way to win is to remove the bombs from the game. So I want to remove them, so it detects 24x17; if I refresh the screen, oh, the bombs are not there, I win. Yeah, oh yeah, because I didn't... OK, I will reset the score, and yes, I win. But you can also trick the program, because you can say, OK, I want to explode the bombs and I want to win, so the bombs will be exploded. I see them, they are exploded; if I click, nothing will happen, and I can just play normally and win. So that's cool, because that shows that you can basically do everything with this debugger and the PowerShell executable. And that's funny, but if you do that in other software it won't be so funny for several companies.

But Microsoft likes this tool, because they call it a hack tool officially: they made a signature for this tool just after I told them, I saw that, is that normal? They said yes, it's not a security problem. So just after saying that, they just made it a hack tool with a signature, and on every one of my computers, even on my wife's computer, there were a lot of alerts of my own tools. Thank you, that's the end of the talk.
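The mitigation section of the talk names three things a blue team should look for: lsass.exe sitting in a suspended state, a signed debugger or dump tool being pointed at lsass, and bcdedit.exe turning on kernel debugging. The following is an added Python example of those three detection rules run over sample data; it is not code from the talk or from the PowerMemory project. The tab-separated key=value record layout, the tool list, the sample process snapshot and the sample process-creation events are all constructed assumptions for this example, not a real product's export format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Signed Microsoft tools the talk shows reading or dumping process memory (assumed list).
MEMORY_TOOLS = {"cdb.exe", "windbg.exe", "userdump.exe", "livekd.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one tab-separated key=value process-creation record.
    The record layout is constructed for this example, not a real product format."""
    fields = {}
    for kv in line.rstrip("\r\n").split("\t"):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_bcdedit(ev: dict) -> Optional[Alert]:
    """bcdedit.exe enabling kernel debugging, which the talk names as suspicious."""
    if basename(ev.get("Image", "")) != "bcdedit.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if re.search(r"/(debug|bootdebug)\s+on\b|/dbgsettings", cmd, re.IGNORECASE):
        return Alert("kernel-debug-enabled", int(ev["ProcessId"]), cmd)
    return None


def check_lsass_target(ev: dict, lsass_pids: set) -> Optional[Alert]:
    """A signed debugger or dump tool pointed at lsass, either by name or by PID."""
    if basename(ev.get("Image", "")) not in MEMORY_TOOLS:
        return None
    cmd = ev.get("CommandLine", "")
    by_name = "lsass" in cmd.lower()
    by_pid = any(tok.isdigit() and int(tok) in lsass_pids for tok in cmd.split())
    if by_name or by_pid:
        return Alert("lsass-memory-access", int(ev["ProcessId"]), cmd)
    return None


def check_suspended_lsass(snapshot: Iterable[dict]) -> List[Alert]:
    """lsass.exe should never sit in a suspended state; a dump in progress looks like this."""
    return [
        Alert("lsass-suspended", p["Pid"], f"{p['Name']} state={p['State']}")
        for p in snapshot
        if p["Name"].lower() == "lsass.exe" and p["State"].lower() == "suspended"
    ]


def run_detection(event_lines: Iterable[str], snapshot: List[dict]) -> List[Alert]:
    """Apply the three rules: events first, then the process-state snapshot."""
    lsass_pids = {p["Pid"] for p in snapshot if p["Name"].lower() == "lsass.exe"}
    alerts: List[Alert] = []
    for line in event_lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for alert in (check_bcdedit(ev), check_lsass_target(ev, lsass_pids)):
            if alert:
                alerts.append(alert)
    alerts.extend(check_suspended_lsass(snapshot))
    return alerts


# Constructed sample data: a process snapshot and five process-creation records.
SAMPLE_SNAPSHOT = [
    {"Name": "lsass.exe", "Pid": 652, "State": "Suspended"},
    {"Name": "svchost.exe", "Pid": 900, "State": "Running"},
    {"Name": "notepad.exe", "Pid": 4210, "State": "Running"},
]

SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\bcdedit.exe\tCommandLine=bcdedit /debug on\tProcessId=4120",
    "Image=C:\\Debuggers\\cdb.exe\tCommandLine=cdb.exe -p 652\tProcessId=4188",
    "Image=C:\\Windows\\System32\\notepad.exe\tCommandLine=notepad.exe notes.txt\tProcessId=4210",
    "Image=C:\\Tools\\userdump.exe\tCommandLine=userdump.exe lsass.exe C:\\Temp\\out.dmp\tProcessId=4300",
    "Image=C:\\Debuggers\\cdb.exe\tCommandLine=cdb.exe -p 4210\tProcessId=4350",
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS, SAMPLE_SNAPSHOT):
        print(f"[{a.rule}] pid={a.pid}: {a.detail}")
```

On the sample data this raises four alerts: the bcdedit.exe run, the cdb.exe attach to lsass by PID, the userdump.exe run naming lsass.exe, and the suspended lsass.exe itself; the debugger attached to notepad.exe is left alone, which is the point of resolving the target rather than alerting on every run of a signed debugger. In a real deployment the event source would be the SIEM's process-creation feed and the snapshot a periodic process-state poll, with the lsass PID resolved from the same feed.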