Jekyll2022-06-23T14:11:09+00:00https://adamsvoboda.net/feed.xmlAdam SvobodaRamblings on Cybersecurity, Red-Teaming & Breaking Stuff.Extracting Whitelisted Paths from Windows Defender ASR Rules2022-06-22T06:00:00+00:002022-06-22T06:00:00+00:00https://adamsvoboda.net/extracting-asr-rules<table>
<tbody>
<tr>
<td>This blog post was made possible by the fantastic work and research done by <a href="https://twitter.com/commial">@commail</a> which you can <a href="https://github.com/commial/experiments/tree/master/windows-defender/ASR">read here</a>.</td>
</tr>
</tbody>
</table>
<h1 id="background">Background</h1>
<p>Recently I was presented with a scenario where I wanted to dump lsass.exe on a machine protected by Microsoft Defender for Endpoint (MDE/ATP) with the ASR rule to prevent lsass.exe dumps enabled.</p>
<p>For many red teams, lsass dumps may have fallen out of popularity with the plethora of other options we have to acquire credentials and perform lateral movement. When I need to make it happen, my first choice for lsass dumps these days is usually <a href="https://github.com/codewhitesec/HandleKatz">HandleKatz</a>, because it’s still pretty undetected by many EDR products (MDE/BitDefender/Cylance/etc).</p>
<p>So, how do you go about dumping lsass.exe on a box protected with MDE and ASR? Well, fortunately you can leverage a variety of whitelisted paths within the Defender ASR rules that help you achieve this. After finding a whitelisted exclusion path for the ASR rule you want to bypass, simply run your executable from that path!</p>
<h1 id="extracting-whitelisted-exclusions-from-defender-signature-updates">Extracting Whitelisted Exclusions from Defender Signature Updates</h1>
<p>Windows Defender signatures/rules are stored in VDM containers. Many of them are just Lua script files. It’s possible to use a tool such as WDExtract to decrypt and extract all the PE images from these containers. By analyzing the extracted VDM you can pull whitelisted exclusion paths for ASR rules.</p>
<p>I will now demonstrate a very quick, hacky way to quickly get an updated list of potential exclusion paths for particular ASR rules.</p>
<p>Let’s pick on the ASR rule for “Block credential stealing from the Windows local security authority subsystem”.</p>
<p>Here is <a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem=">a link to the particular ruleset on MSDN</a>. Here you can see that the ASR rule is tied to a particular GUID, in this case <code class="language-plaintext highlighter-rouge">9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2</code>.</p>
<p>This rule can be enabled on your machine with the following PowerShell script:
<code class="language-plaintext highlighter-rouge">Set-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled</code></p>
<h1 id="the-hacky-way">The Hacky Way</h1>
<p>First, we need to locate the Defender signature files. You can usually find these in the following location:
<code class="language-plaintext highlighter-rouge">C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup</code></p>
<p>In our case, we are primarily interested in the <code class="language-plaintext highlighter-rouge">mpasbase.vdm</code> file.</p>
<p>Let’s extract the file using <a href="https://github.com/hfiref0x/WDExtract">WDExtract</a>:
<code class="language-plaintext highlighter-rouge">wdextract64.exe mpasbase.vdm</code></p>
<p><img src="/assets/images/wdextract.png" alt="" /></p>
<p>Open the extracted file <code class="language-plaintext highlighter-rouge">mpasbase.vdm.extracted</code> in a Hex Editor, such as HxD.</p>
<p>Search for the GUID of the ASR rule you want to investigate:
<img src="/assets/images/search-guid.png" alt="" /></p>
<p>Scroll down slightly to see the list of exclusions and extract the data:
<img src="/assets/images/whitelist-data.png" alt="" /></p>
<p><em>It’s important to keep in mind that the list of paths you may see here in the hex dump are not always exclusions. They can be part of other paths listed for ASR rules such as Monitored Locations.</em></p>
<p>You’ll need to do some testing/investigating to confirm if you are just naivley using content from the hex dump. Scroll down to see a link to a GitHub repository that includes this already extracted data for you to browse.</p>
<p>Ultimately, this gives us a list of excluded paths that are allowed to perform lsass.exe dumps even with the ASR rule enabled:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>%windir%\system32\WerFaultSecure.exe
%windir%\system32\mrt.exe
%windir%\system32\svchost.exe
%windir%\system32\wbem\WmiPrvSE.exe
%windir%\SysWOW64\wbem\WmiPrvSE.exe
%programfiles(x86)%\Microsoft Intune Management Extension\ClientHealthEval.exe
%programfiles(x86)%\Microsoft Intune Management Extension\SensorLogonTask.exe
%programfiles(x86)%\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe
%programdata%\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\*\OpenHandleCollector.exe
%programfiles%\WindowsApps\Microsoft.GamingServices_*\gamingservices.exe
%programfiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
%programfiles(x86)%\Zoom\bin\CptHost.exe
%programfiles(x86)%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
%programfiles(x86)%\Google\Update\GoogleUpdate.exe
%programfiles(x86)%\Splunk\bin\splunkd.exe
%programfiles%\Avecto\Privilege Guard Client\DefendpointService.exe
%programfiles%\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe
%programfiles%\Microsoft Monitoring Agent\Agent\HealthService.exe
%programfiles%\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe
%programfiles%\Nexthink\Collector\Collector\nxtsvc.exe
%programfiles%\Splunk\bin\splunkd.exe
%programfiles%\Azure Advanced Threat Protection Sensor\*\Microsoft.Tri.Sensor.Updater.exe
%windir%\CCM\CcmExec.exe
%windir%\CCM\SensorLogonTask.exe
%windir%\Temp\Ctx-*\Extract\TrolleyExpress.exe
%programdata%\Citrix\Citrix Receiver*\TrolleyExpress.exe
%programdata%\Citrix\Citrix Workspace *\TrolleyExpress.exe
%programfiles(x86)%\Citrix\Citrix Workspace *\TrolleyExpress.exe
%temp%\Ctx-*\Extract\TrolleyExpress.exe
%programfiles%\Quest\ChangeAuditor\Agent\NPSrvHost.exe
%programfiles%\Quest\ChangeAuditor\Service\ChangeAuditor.Service.exe
%windir%\system32\DriverStore\FileRepository\hpqkbsoftwarecompnent.inf_amd64_*\HotKeyServiceUWP.exe
%windir%\system32\CompatTelRunner.exe
%programfiles(x86)%\Printer Properties Pro\Printer Installer Client\PrinterInstallerClient.exe
%programfiles%\Printer Properties Pro\Printer Installer Client\PrinterInstallerClient.exe
%programfiles(x86)%\Zscaler\ZSATunnel\ZSATunnel.exe
%programfiles%\Zscaler\ZSATunnel\ZSATunnel.exe
%programfiles(x86)%\ManageSoft\Security Agent\mgssecsvc.exe
%programfiles%\ManageSoft\Security Agent\mgssecsvc.exe
%programfiles(x86)%\Snow Software\Inventory\Agent\snowagent.exe
%programfiles%\Snow Software\Inventory\Agent\snowagent.exe
c:\windows\system32\WerFaultSecure.exe
c:\windows\system32\wbem\WmiPrvSE.exe
c:\windows\SysWOW64\wbem\WmiPrvSE.exe
</code></pre></div></div>
<h1 id="decompiling-the-lua-scripts">Decompiling the Lua Scripts</h1>
<p>To take it a step further, you can actually read the lua scripts by decompiling them after extraction with a tool such as <a href="https://github.com/commial/experiments/tree/master/windows-defender/lua">MpLua converter</a>. This will allow you to more clearly see how the rule logic works, better decipher path exclusions vs other listed paths, etc.</p>
<p>Justin Elze (<a href="https://twitter.com/HackingLZ">@HackingLZ</a>) created a GitHub repository to group this extracted data for research. You can find the repository here: <a href="https://github.com/HackingLZ/ExtractedDefender">https://github.com/HackingLZ/ExtractedDefender</a>.</p>
<p>To take a look at the decompiled rule for the Block LSASS ASR, check it out here:
<a href="https://github.com/HackingLZ/ExtractedDefender/blob/main/asr/9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2">https://github.com/HackingLZ/ExtractedDefender/blob/main/asr/9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2</a></p>
<p>I strongly recommend exploring the <a href="https://github.com/commial/experiments/tree/master/windows-defender/ASR">great research by commail here</a> for more details!</p>
<h1 id="credits">Credits</h1>
<ul>
<li><a href="https://twitter.com/_xpn_/status/1491557187168178176">Originally inspired by a tweet from <em>xpn</em> on ASR</a></li>
<li><a href="https://github.com/hfiref0x/WDExtract">WDExtract by hfiref0x</a></li>
<li><a href="https://github.com/commial/experiments/tree/master/windows-defender/ASR">Extensive Research on ASR by commial</a></li>
</ul>This blog post was made possible by the fantastic work and research done by @commail which you can read here.Some New Security Defaults Coming to Windows 112022-04-05T07:30:00+00:002022-04-05T07:30:00+00:00https://adamsvoboda.net/new-security-defaults-in-windows-11<p>I was perusing my twitter feed this morning and came across <a href="https://twitter.com/dwizzzleMSFT/status/1511368944380100608">this tweet</a> from David Weston at Microsoft:</p>
<p><img src="/assets/images/windows11-security-announcements-tweet.png" alt="" /></p>
<p>Microsoft has been making several positive moves in promoting better defaults for Windows security features and I thought it would be good to break a few of these down and understand their impact on organizational security posture as it relates to adversary activity and red-teaming. You can also get a good general overview of some of these changes <a href="https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/">here</a>.</p>
<p><em>Please note that many of these features require Windows 11 Enterprise.</em></p>
<h1 id="hvci-and-vbs">HVCI and VBS</h1>
<p>Hypervisor-protected code integrity (HVCI) is a part of virtualization based security (VBS) and will be moving towards an enabled-by-default configuration on all <em>supported</em> CPUs.</p>
<p>You can think of HVCI as a form of Memory Integrity. It leverages VBS to enforce code integrity policies, using kernel mode code integrity checks on all drivers and binaries before they are ran. It is able to prevent unsigned drivers or system files from being loaded into system memory.</p>
<p>Restrictions are enforced by the Windows Hyper-V hypervisor, running the code integrity service inside a secure enfironment. Memory pages are only made executable after code integrity checks inside the secure environment have passed. Executable pages are not writable, so if a driver had a vulnerability such as a buffer overflow, modified memory could not be made executable.</p>
<p>Taking it a step further, devices with HVCI enabled can enable the <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules">vulnerable driver blocklist feature</a> of Windows Defender Application Control.</p>
<h2 id="impact">Impact</h2>
<p>Adversaries using known vulnerable kernel drivers will presumably not be allowed to load or use the driver any longer if the hash or signature is blacklisted by Microsoft</p>
<p>You often see this used with malware leveraging leaked code-signing certificates (such as the recent NVIDIA certificates leaked by LAPSUS$, which are blocked when using this feature!)</p>
<p>Adversaries may load kernel drivers using these techniques to silence EDR callbacks or further disguise their presence on the machine.</p>
<p>Take some time to familiarize yourself with the <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules">blacklist</a> and you’ll notice that drivers for Process Hacker and Cheat Engine are also there, as they are could be leveraged for nefarious purposes. Process Explorer (signed by Microsoft) is still allowed however, which could be used nefariously to <a href="https://github.com/Yaxser/Backstab">terminate PPL processes</a> among other things, so as with anything you need to familiarize yourself with the edge-cases.</p>
<h1 id="credential-guard">Credential Guard</h1>
<p>Credguard is only avaiable in the Enterprise edition of Windows 10 and 11, and will be enabled by default going forward (for Windows 11 only).</p>
<p>The goal of credential guard is to stop adversaries from obtaining system secrets even with local administrator rights. It does this by isolating the LSA process from the rest of the operating system using VBS. <code class="language-plaintext highlighter-rouge">lsass.exe</code> then communicates to the isolated LSA process using remote procedure calls.</p>
<p>There are many caveats around authentication support to be aware of when using Credguard and you should check the <a href="https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works">official documentation here</a>.</p>
<h2 id="impact-1">Impact</h2>
<p>Adversaries have a harder time dumping secrets from the <code class="language-plaintext highlighter-rouge">lsass.exe</code> process using traditional tooling such as Mimikatz.</p>
<p>Adversaries may attempt to read these secrets by enabling WDigest using memory patching in an attempt to get Windows to store future credentials insecurely where they can be easily obtained in plaintext.</p>
<p>Adam Chester (@<em>xpn</em>) demonstrates how to harvest these secrets from a Credential Guard enabled machine by memory-patching wdigest.dll to enable <code class="language-plaintext highlighter-rouge">UseLogonCredentials</code> in this <a href="https://blog.xpnsec.com/exploring-mimikatz-part-1/">great post</a>.</p>
<p>Be aware of adversaries leveraging WDigest to circumvent the secure isolation of these secrets within your organization.</p>
<h1 id="attack-surface-reduction-enabled-for-lsa">Attack Surface Reduction Enabled for LSA</h1>
<p>Attack Surface Reduction (ASR) is a “feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.” One example of this would be an adversary attempting to dump the process memory of <code class="language-plaintext highlighter-rouge">lsass.exe</code> to obtain credentials or other secrets.</p>
<table>
<tbody>
<tr>
<td>The default state for the ASR rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” will change from Not Configured to Configured and the default mode set to Block.</td>
</tr>
</tbody>
</table>
<p>Check out the full list of <a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide">pre-defined ASR rules here</a>.</p>
<p>This also includes things such as:</p>
<ul>
<li>Blocking untrusted/unsigned processes that run from USB</li>
<li>Blocking JS/VBS from launching downloaded executable content</li>
<li>Blocking office applications from creating executable content</li>
<li>Blocking process creations originating from PsExec/WMI commands</li>
<li>Blocking Win32 API calls from office macros</li>
</ul>
<p><em>I’m not sure which of these are actually switching to enabled by default…, other than the LSA block rule mentioned above.</em></p>
<h2 id="impact-2">Impact</h2>
<p>ASR is a great step in the right direction towards hardening windows from a series of commonly abused attack vectors, but it’s often not enough by itself.</p>
<p>There are a few ASR bypasses out there in the wild already, so <a href="https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf">be aware</a> of <a href="https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3">them</a>!</p>
<p>Windows Defender maintains a whitelist of certain executables that it may allow to dump <code class="language-plaintext highlighter-rouge">lsass.exe</code> even with these ASR Protection rules enabled. One such example of this is demonstrated in this <a href="https://www.youtube.com/watch?v=Ie831jF0bb0">video</a>. See <a href="https://twitter.com/_xpn_/status/1491557187168178176">this tweet</a> by Adam Chester (@<em>xpn</em>) for more information.</p>
<p>For another great resource to learn more about ASR and potential ways around it, see this <a href="https://github.com/commial/experiments/tree/master/windows-defender/ASR">write-up by commial</a>.</p>
<h1 id="signedreputable-exes">Signed/Reputable EXEs</h1>
<p>Windows Defender Application Control (WDAC) lets you have control over the apps and drivers allowed to run on your endpoints.</p>
<p>WDAC isn’t to be confused with AppLocker (introduced with Windows 7) as there is some overlap, but it’s an entirely different beast itself.</p>
<p>With WDAC, you could enforce a policy that prevents all unsigned executables from running. You can also take a look at the reputation of that executable and determine if it should be allowed to run.</p>
<p>Take a look at a few of the <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy">Template Base Policies</a>, namely the “Signed and Reputable mode”</p>
<p><img src="/assets/images/wdac-sr-policy.png" alt="" /></p>
<p>And compare that with the “Default Windows Mode”</p>
<p><img src="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-template-selection.png" alt="" /></p>
<h2 id="impact-3">Impact</h2>
<p>Organizations can easily prevent the execution of unsigned or unreputable binaries using WDAC, restricting the flexibility of the adversary playbook for delivering malicious payloads to endpoints.</p>
<p>WDAC/AppLocker is still not a silver-bullet as it may be possible for adversaries to use LOLBINs and AppLocker bypass techniques to work around these limitations. Many of these LOLBINs are already included on the Microsoft recommended block rules <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules">list here</a>.</p>I was perusing my twitter feed this morning and came across this tweet from David Weston at Microsoft:Password Cracking in the Cloud with Hashcat and Vast.ai2022-03-09T05:00:00+00:002022-03-09T05:00:00+00:00https://adamsvoboda.net/password-cracking-hashcat-vastai<p>Cracking hashes with the power of cloud compute is nothing new and there have been several methods to accomplish this over the years. Recently I’ve been toying around with <a href="https://vast.ai/">Vast.ai</a> as a cost-effective way to perform password cracking with Hashcat in the cloud. I was very impressed with how simple it was to get up and running compared to some other solutions.</p>
<p><em>At the time of this writing</em>, you can rent 4x 3090s for about $1.5/hr and run through a large wordlist in less than an hour on average (depending on the complexity and hash types you want to crack of course). The prices seem to change depending on availability, geolocation, bandwidth speed, etc. Naturally, it would take around 600 hours of renting these GPUS at $2/hr to reach the MSRP of a single RTX 3090, so I’m very interested in this solution as a cost-effective way to quickly crack a series of hashes.</p>
<p>Vast.ai lets you rent compute by spinning up a docker container image of your choice and giving you SSH access. Some instances have certain limitations or prices on bandwidth, so keep that in mind if you are going to be downloading hundreds of GBs of data to/from the instance. Other instances may have limitations on the time they can run. For the most part, I’ve found they are pretty flexible and quite cheap.</p>
<blockquote>
<p>You should always use extreme caution when utilizing compute owned by unknown parties. At the very least, consider redacting all sensitive information from your hash types (usernames, domains, etc).</p>
</blockquote>
<h2 id="gimmie-the-loot">Gimmie the Loot!</h2>
<p>If you want to give it a spin, here’s a quick example to get you up and running.</p>
<p><strong>1. Create an account at <a href="https://vast.ai">https://vast.ai</a></strong></p>
<p><strong>2. Load up your account with <a href="https://vast.ai/console/billing/">some credits</a>. At this time, only credit cards are supported.</strong></p>
<p><strong>3. Navigate to <a href="https://vast.ai/console/instances/">Create Instances</a> and adjust the filters to your liking.</strong></p>
<p>You should change the Docker image from the default to <code class="language-plaintext highlighter-rouge">dizcza/docker-hashcat:cuda</code> or another docker image that includes both hashcat and CUDA support for nVIDIA GPUs. Click on the “EDIT IMAGE & CONFIG” button to accomplish this.</p>
<p><img src="/assets/images/vastai_1.png" alt="Vast.ai" /></p>
<p>Personally, I set the disk space to just over 100GB as the wordlists I’ll be downloading to the instance sometimes come near that amount. This affects the hourly pricing of course, so chose what you think you’ll need.</p>
<p><strong>4. Rent an instance that looks juicy.</strong></p>
<p><img src="/assets/images/vastai_2.png" alt="Yum!" /></p>
<p><strong>5. Navigate to the <a href="https://vast.ai/console/instances/">Instances</a> page and wait for your instance to become available.</strong></p>
<p><strong>6. Once the instance is initialized, click on CONNECT and copy/paste the SSH command into the terminal application of your choice.</strong></p>
<p><strong>NOTE</strong>
You must configure an SSH key in the Vast.ai Account page, and may need append <code class="language-plaintext highlighter-rouge">-i ~/.ssh/<your-key></code> to the ssh command to use key auth.</p>
<p><img src="/assets/images/vastai_3.png" alt="Connection String" /></p>
<p>After connecting over SSH you will be dropped into a tmux session of your instance, running the docker container you chose in the config options.</p>
<p>I’m going to install one of the wordlists from WeakPass for this demonstration.</p>
<p>Remember that hashcat can <a href="https://twitter.com/adamsvoboda/status/1428715349059506184">support wordlists in the zip or gzip format</a>, so if you download a wordlist already in that format you do not have to extract it before using it!</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>apt <span class="nb">install </span>p7zip
<span class="nv">$ </span>wget https://download.weakpass.com/wordlists/1947/weakpass_3.7z
<span class="nv">$ </span>7zr e weakpass_3.7z
</code></pre></div></div>
<p><strong>7. Crack some hashes!</strong></p>
<p>I placed my example hashes into a file named <code class="language-plaintext highlighter-rouge">ntlm-hashes.txt</code> and started hashcat (in NTLM mode 1000) targetting the weakpass_3 wordlist.</p>
<p><code class="language-plaintext highlighter-rouge">hashcat -m 1000 -O -w4 ntlm-hashes.txt weakpass_3 -o cracked.txt</code></p>
<p><img src="/assets/images/vastai_4.png" alt="Warming up the engines..." /></p>
<p><img src="/assets/images/vastai_5.png" alt="Not too shabby!" /></p>
<p><strong>8. Don’t forget to destroy your running instances when finished!</strong></p>
<p>Most of this process could be automated for engagements, customized as you see fit.</p>
<p>Vast offers a <a href="https://vast.ai/console/cli/">CLI package</a> that lets you do most of this from the command-line. Play around with it and let me know what you think!</p>
<p>Know of any other cloud offerings that are competitive? Feel free to reach out on twitter and let me know <a href="https://twitter.com/adamsvoboda">@adamsvoboda</a>.</p>Cracking hashes with the power of cloud compute is nothing new and there have been several methods to accomplish this over the years. Recently I’ve been toying around with Vast.ai as a cost-effective way to perform password cracking with Hashcat in the cloud. I was very impressed with how simple it was to get up and running compared to some other solutions.Sleeping with a Mask On (Cobalt Strike)2021-08-06T07:30:00+00:002021-08-06T07:30:00+00:00https://adamsvoboda.net/sleepmask-kit-cobaltstrike<p>In Cobalt Strike 4.4, Sleep Mask Kit was released to help operators customize the encryption algorithm used to obfuscate the data and strings within beacon’s memory. By default it uses a 13-byte XOR key, however this key size easily changed by modifying a single variable and rebuilding the Sleep Mask Kit. If you want to get even more creative, you can change the algorithm entirely.</p>
<p>I haven’t seen much information on this topic yet so I wanted to put together a very simple post that will show you how to hunt for beacons in-memory and change the default sleep_mask encryption behavior! Huge shoutout to the research done by Elastic at this post, whose tactics I borrow heavily from: <a href="https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures">Detecting Cobalt Strike with Memory Signatures</a>.</p>
<h1 id="mask-off">Mask Off</h1>
<p>Out-of-the-box, Cobalt Strike (as of 4.4) does not use <code class="language-plaintext highlighter-rouge">sleep_mask</code> to encrypt the beacon payload in-memory. We can prove that with the following exercise:</p>
<p>First, let’s spin up a teamserver using the default profile (no custom profile specified), generate a stageless x64 binary and execute it on our Windows 10 machine.</p>
<p>I’m going to inject this beacon into a <code class="language-plaintext highlighter-rouge">notepad.exe</code> process as an easy example:</p>
<p><img src="/assets/images/sleepmask_1.png" alt="Image" /></p>
<p>Let’s find our beacon in-memory. Taking a hint from the <a href="https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures">great article by Elastic Security</a> we can track this down by looking for calls to SleepEx from running threads within the process our beacon was injected into.</p>
<p><img src="/assets/images/sleepmask_2.png" alt="Image" /></p>
<p>We can copy the offset directly under that at <code class="language-plaintext highlighter-rouge">0x1a0ffcecd9f</code> and look for it in the Memory tab of Process Hacker:</p>
<p><img src="/assets/images/sleepmask_3.png" alt="Image" /></p>
<p>Scrolling through this memory region we can see our entire beacon unencrypted in memory. Not good OPSEC!</p>
<p><img src="/assets/images/sleepmask_4.png" alt="Image" /></p>
<h1 id="-it-mask-on"><a href="https://www.youtube.com/watch?v=xvZqHgFz51I"><em>**</em> it, Mask On</a></h1>
<p>Let’s repeat the process using a C2 profile that specifics the <code class="language-plaintext highlighter-rouge">sleep_mask</code> command, among a few others…</p>
<p>We’ll be using the <a href="https://github.com/Cobalt-Strike/Malleable-C2-Profiles/blob/master/normal/reference.profile">reference profile located here</a>, but making a few changes…</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># Obfuscate Beacon, in-memory, prior to sleeping
</span><span class="nb">set</span> <span class="n">sleep_mask</span> <span class="s">"true"</span><span class="p">;</span>
<span class="c1"># The size of memory beacon will allocate in our target process (500KB)
</span><span class="nb">set</span> <span class="n">image_size_x64</span> <span class="s">"500000"</span><span class="p">;</span>
<span class="c1"># Mark the memory region as RWX
</span><span class="nb">set</span> <span class="n">userwx</span> <span class="s">"true"</span><span class="p">;</span>
</code></pre></div></div>
<p>We are enabling the <code class="language-plaintext highlighter-rouge">sleep_mask</code> function using Cobalt Strike’s default sleep masking algorithm, and also setting the memory region size to 500KB and marking that region as RWX, the latter two just make it easier to find in Process Hacker for research.</p>
<p>Repeating the steps above to deploy our beacon and inject it into a process, we can now track down the memory region of our beacon by using Process Hacker to look for a memory region size of roughly 500KB that’s marked as RWX.</p>
<p><img src="/assets/images/sleepmask_5.png" alt="Image" /></p>
<p><em>Injecting our <code class="language-plaintext highlighter-rouge">sleep_mask</code> payload into an instance of notepad.exe</em></p>
<p><img src="/assets/images/sleepmask_6.png" alt="Image" /></p>
<p><em>Check the running threads to see any calls to <code class="language-plaintext highlighter-rouge">SleepEx</code></em></p>
<p>Let’s check out the memory tab of <code class="language-plaintext highlighter-rouge">notepad.exe</code> and look for a ~500KB map with RWX protection at <code class="language-plaintext highlighter-rouge">0x1b6a834bd51</code></p>
<p><img src="/assets/images/sleepmask_7.png" alt="Image" /></p>
<p><em>Bingo. Our beacon in memory.</em></p>
<p><img src="/assets/images/sleepmask_8.png" alt="Image" /></p>
<p><em>It’s all XOR’d up!</em></p>
<p>Reading the memory in Process Hacker, we can now see that it’s strings and data are obfuscated. By default (as of CS 4.2+), the obfuscation is using XOR with a 13 byte key.</p>
<p>If we set the beacon to interactive mode using <code class="language-plaintext highlighter-rouge">sleep 0</code> and then Re-read the memory in Process Hacker we will see the fully unencrypted beacon:</p>
<p><img src="/assets/images/sleepmask_9.png" alt="Image" /></p>
<p>You may have to click on Re-read several times until you see the decrypted beacon, because after every C2 check-in it will re-encrypt the data and strings.</p>
<p><img src="/assets/images/sleepmask_10.png" alt="Image" /></p>
<p><em>Ta-da!</em></p>
<h1 id="customizing-sleep-mask-kit">Customizing Sleep Mask Kit</h1>
<p>Let’s have a look at Elastic’s CS 4.2 beacon yara rule for the xor deobfuscation algorithm:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>rule cobaltstrike_beacon_4_2_decrypt
{
meta:
author = "Elastic"
description = "Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2."
strings:
$a_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
$a_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
condition:
any of them
}
</code></pre></div></div>
<p><img src="/assets/images/sleepmask_11.png" alt="Image" />
<em>The default deobfuscation routine the yara rule checks for, present in a memory-dump of our masked beacon.</em></p>
<p>Running this yara rule quickly reveals that we have a CS beacon running in our <code class="language-plaintext highlighter-rouge">notepad.exe</code> process at PID <code class="language-plaintext highlighter-rouge">5724</code>!</p>
<p><img src="/assets/images/sleepmask_12.png" alt="Image" />
<em>We also got a detection for PID 10264, which is our instance of Process Hacker with the beacon’s memory browser open.</em></p>
<blockquote>
<p>Now that Sleep Mask Kit lets us compile the sleep mask algorithm as a BOF, simply compiling the defaults with the 13-byte xor key will evade this yara rule since the static byte signature has changed.</p>
</blockquote>
<p>To customize and build your own Sleep Mask Kit, open Cobalt Strike, navigate to Help -> Arsenal and download the Sleep Mask Kit.</p>
<p>You’ll see files that allow you to change the sleep mask behavior for HTTP beacons, TCP beacons and SMB beacons. We’ll focus on <code class="language-plaintext highlighter-rouge">sleepmask.c</code> for now. Since this code is only for licensed customers of Cobalt Strike, I won’t be revealing too much of it in this post, but you will see the XOR encryption algorithm in the <code class="language-plaintext highlighter-rouge">sleep_mask</code> function, and the default size is defined at the top of the file:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define MASK_SIZE 13
</span></code></pre></div></div>
<p><img src="/assets/images/sleepmask_13.png" alt="Image" /></p>
<p><em>Check the mask size and rebuild!</em></p>
<p>In my example, I changed the <code class="language-plaintext highlighter-rouge">MASK_SIZE</code> to <code class="language-plaintext highlighter-rouge">8</code>. We can now tell Cobalt Strike to use our new sleep mask BOFs by importing the <code class="language-plaintext highlighter-rouge">sleepmask.cna</code> file generated by <code class="language-plaintext highlighter-rouge">build.sh</code> (Cobalt Strike -> Script Manager -> Load).</p>
<p>Deploy a new beacon, inject it into another process, and run the yara rule signature scan just for fun:</p>
<p><img src="/assets/images/sleepmask_14.png" alt="Image" /></p>
<p><img src="/assets/images/sleepmask_15.png" alt="Image" /></p>
<p><em>👻</em></p>
<p>This was just a basic example to show you the tactics necessary to find your beacon in-memory, and make a super simple change to Sleep Mask Kit that might aid in any static evasion techniques.</p>
<p>Detecting the changes we made are very trivial, but they were also trivial changes to make as an operator. In the future, I look forward to discussing sleep mask in more detail, as well as seeing what the community comes up with.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures">Detecting Cobalt Strike with Memory Signatures</a></li>
<li><a href="https://www.youtube.com/watch?v=AV4XjxYe4GM">Obfuscate and Sleep</a></li>
<li><a href="https://www.cobaltstrike.com/help-sleep-mask-kit">Sleep Mask Kit</a></li>
</ul>In Cobalt Strike 4.4, Sleep Mask Kit was released to help operators customize the encryption algorithm used to obfuscate the data and strings within beacon’s memory. By default it uses a 13-byte XOR key, however this key size easily changed by modifying a single variable and rebuilding the Sleep Mask Kit. If you want to get even more creative, you can change the algorithm entirely.Evading EDR in 15 Minutes with ScareCrow2021-07-30T07:30:00+00:002021-07-30T07:30:00+00:00https://adamsvoboda.net/evading-edr-scarecrow<blockquote>
<p>During red team engagements, we frequently encounter EDR solutions. We deploy a lot of Cobalt Strike, and I wanted to write up a short blog post on how you can quickly deploy a beacon (or your own choice of raw shellcode) on an endpoint protected by one of these solutions.</p>
</blockquote>
<h1 id="understanding-the-edr-behavior-monitoring-strategy">Understanding the EDR Behavior Monitoring Strategy</h1>
<p>In an effort to keep this post short and sweet, this will be a brief explanation of a much more complex topic, but it’s good to understand how EDR is detecting your payloads and behaviors, to help you understand the steps we take to avoid it’s prying eyes. Check out the Read More section at the bottom of this post for more in-depth posts regarding EDR functionality.</p>
<p>Back in the “old times”, before Microsoft enforced <a href="https://en.wikipedia.org/wiki/Kernel_Patch_Protection">Kernel Patch Protection (KPP)</a>, anti-virus software would typically load a kernel-mode driver to monitor behavior outside of user-mode, where all of your normal applications run and reside. These kernel-mode drivers that attempted to patch the Windows Kernel to intercept or monitor activity would frequently cause <a href="https://www.zdnet.com/article/symantec-antivirus-products-vulnerable-to-horrid-overflow-bug/">stability issues</a> by doing unspeakable things. In an effort to increase the stability of the Windows Kernel, KPP was invented, which restricts what internal structures kernel drivers are allowed to modify, restricting these tools to user-mode monitoring techniques, which makes life a little easier for those of us trying to evade them!</p>
<p>Most EDR products these days now resort to user-mode API hooking to monitor your behaviors. When a process starts on Windows, one of the DLLs loaded is <code class="language-plaintext highlighter-rouge">NTDLL.DLL</code>, which contains a myriad of Windows API calls that applications use to interface with the operating system and it’s components (Processes / Files / etc).</p>
<p>When you spawn a new process on a Windows machine, the EDR will load it’s own DLL into your process space, and place funciton hooks on these <code class="language-plaintext highlighter-rouge">NTDLL.DLL</code> functions, allowing it to monitor relevant process behaviors by essentially being a man-in-the-middle of every request that process makes to the Windows API. If you create a new child process, open a file, inject code – they can see it in real-time and even stop it before it’s allowed to happen. It used to be possible to thwart this EDR DLL injection by simply applying a process creation mitigation policy that would only allow DLLs signed by Microsoft to be loaded into your process space, however, most defense products have this Microsoft signing and we can no longer leverage this clever trick.</p>
<p>Fortunately, there are still several ways around this.. (unhooking the hooked functions, loading a clean copy of NTDLL from the disk that’s unhooked, using syscalls to evade detection, etc). Read on, comrade!</p>
<h1 id="hey-you-meet-scarecrow">Hey You, Meet ScareCrow</h1>
<p><img src="/assets/images/scarecrow_1.png" alt="ScareCrow" /></p>
<p><a href="https://github.com/optiv/ScareCrow">ScareCrow</a> is described as a “payload creation framework”. You can read all about how it works on its <a href="https://github.com/optiv/ScareCrow/blob/main/README.md">README page here</a>.</p>
<p>In short, we can generate some raw shellcode from the software of our choice (Cobalt Strike, Metasploit, PoshC2, etc) and pass it to the homie to get a loader back that will implement some common EDR evasion techniques.</p>
<p>ScareCrow takes your raw shellcode and encrypts it using AES, which is beneficial to avoid static detection on-disk when a defense product scans the loader you generated. Windows Defender is pretty good about detecting the shellcode from Cobalt Strike’s beacon, so this step is crucial.</p>
<p>After executing the generated loader, it will bypass the EDR’s hooks on <code class="language-plaintext highlighter-rouge">NTDLL.DLL</code> by loading a clean copy of <code class="language-plaintext highlighter-rouge">NTDLL.DLL</code> (as well as <code class="language-plaintext highlighter-rouge">kernel32.dll</code> and <code class="language-plaintext highlighter-rouge">kernelbase.dll</code>) from disk and replacing it with the hooked one in your process space, thus removing the EDR’s hooks entirely. From there, it leverages syscalls to load, decrypt and run your shellcode in-memory. Using syscalls is a great way to evade hooks and behavioral monitoring, and even though it already removed the EDR hooks, there are other solutions that may still detect these API call events such as Event Tracing for Windows, which ScareCrow will also bypass. I won’t go into more detail here, you can read more about how this works on GitHub repository, which I highly recommend. As a red team operator, it’s important to understand as much as you can about your tools and techniques.</p>
<p>To make things even more interesting, ScareCrow uses a <a href="https://github.com/Tylous/Limelighter">golang port of the tool LimeLighter</a> to spoof code signing certificates on the binary/dll files it generates. It also supports applying custom File Attributes to help mask a binary as legitimate:</p>
<p><img src="/assets/images/scarecrow_2.png" alt="Image" /></p>
<p><em>File Attributes on the generated loader are copied from CMD.EXE</em></p>
<p><img src="/assets/images/scarecrow_3.png" alt="Image" /></p>
<p><em>A fake code signing signature applied by ScareCrow via LimeLighter integration.</em></p>
<h1 id="okay-but-how">Okay, But How?</h1>
<p>I thought you’d never ask.</p>
<p>Here’s the steps taken to generate some raw shellcode from Cobalt Strike (if you are using Metasploit, you can use msfvenom. Check out the <a href="https://www.grahamhelton.com/blog/scarecrow/">blog post</a> by <a href="https://twitter.com/GrahamHelton3">@GrahamHelton3</a> here for more information on that)</p>
<blockquote>
<p>If you are using Cobalt Strike, it’s always recommended to use a custom Malleable C2 profile, avoid using staged payloads, and apply customizations with the Artifact Kit to help avoid detection!</p>
</blockquote>
<blockquote>
<p>If you are using HTTP, always use HTTPS with a free, legitimate certificate from Let’s Encrypt or a paid provider of your choice.</p>
</blockquote>
<blockquote>
<p>You can actually disable staging in your Malleable C2 profile (<code class="language-plaintext highlighter-rouge">set host_stage "false";</code>) which helps out with your C2 OPSEC, since CS will always send stager data when a request is made… potentially blowing your cover or getting your C2 on a blacklist somewhere.</p>
</blockquote>
<h2 id="acquiring-shellcode">Acquiring Shellcode</h2>
<h3 id="stageless-beacon">Stageless Beacon</h3>
<p>Open up CS. Navigate to Attacks -> Packages -> Windows Executable (S)</p>
<p><img src="/assets/images/scarecrow_4.png" alt="Image" /></p>
<p>Pick your listener, output as <code class="language-plaintext highlighter-rouge">Raw</code>, and make sure to tick <code class="language-plaintext highlighter-rouge">Use x64 Payload</code>, ScareCrow only supports x64 shellcode at this time! You should get a <code class="language-plaintext highlighter-rouge">payload.bin</code> file.</p>
<p>Clone the ScareCrow repository and follow the install instructions in the <a href="https://github.com/optiv/ScareCrow/blob/main/README.md">README</a>. There’s a few dependencies, such as golang, mingw-w64, etc. I’d recommend installing it on Linux if you can to streamline the process. Kali or another debian-based distro like Ubuntu keeps it simple.</p>
<p>Feel free to modify the <code class="language-plaintext highlighter-rouge">main.json</code> file if you want to apply any custom File Attributes. This is optional. If you do this, make sure to pass it to the calls below using the <code class="language-plaintext highlighter-rouge">-configfile main.json</code> argument.</p>
<p>You should read the full help documentation using <code class="language-plaintext highlighter-rouge">./ScareCrow -h</code>, but if you just want to get rocking and rolling right away, here’s how to generate a binary loader from the raw shellcode:</p>
<p><code class="language-plaintext highlighter-rouge">./ScareCrow -I /path/to/your/payload.bin -etw -domain www.microsoft.com</code></p>
<p>I’m using the <code class="language-plaintext highlighter-rouge">-etw</code> argument to enable ETW patching to prevent ETW events from being generated. Try it out, its free :)</p>
<p>Feel free to use whatever domain you’d like for the fake code signing certificate. I picked <code class="language-plaintext highlighter-rouge">www.microsoft.com</code>.</p>
<p>ScareCrow will take your shellcode, encrypt it, and generate a .exe binary from it’s built-in list of predefined binaries and file attributes. Feel free to customize them to your liking.</p>
<p>In my case, the RNG Gods blessed me with <code class="language-plaintext highlighter-rouge">cmd.exe</code>.</p>
<p><img src="/assets/images/scarecrow_5.png" alt="Image" /></p>
<p>Behold, a new beacon:</p>
<p><img src="/assets/images/scarecrow_6.png" alt="Image" /></p>
<h1 id="windows-defender-evasion">Windows Defender Evasion</h1>
<p>UPDATE (08/01/2021):</p>
<p>You may have seen a <a href="https://twitter.com/adamsvoboda/status/1421519490781786115">previous tweet</a> I made about Windows Defender evasion. This content has been removed from the blog post because while it may work for some, it’s not exactly what Defender is flagging and it also breaks the integrity of the binary by modifying the hash post-compilation.</p>
<p>Turns out, the code emitted in the final binary loader that’s causing the flag is related to how <a href="https://github.com/optiv/ScareCrow/blob/main/Struct/Struct.go#L506">ScareCrow hides the Console Window</a> after execution:</p>
<p><code class="language-plaintext highlighter-rouge">/Struct/Struct.go</code></p>
<div class="language-go highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">func</span> <span class="p">(</span><span class="n">show</span> <span class="kt">bool</span><span class="p">)</span> <span class="p">{</span>
<span class="o">:=</span> <span class="n">syscall</span><span class="o">.</span><span class="n">NewLazyDLL</span><span class="p">(</span><span class="s">"kernel32.dll"</span><span class="p">)</span><span class="o">.</span><span class="n">NewProc</span><span class="p">(</span><span class="s">"GetConsoleWindow"</span><span class="p">)</span>
<span class="o">:=</span> <span class="n">syscall</span><span class="o">.</span><span class="n">NewLazyDLL</span><span class="p">(</span><span class="s">"user32.dll"</span><span class="p">)</span><span class="o">.</span><span class="n">NewProc</span><span class="p">(</span><span class="s">"ShowWindow"</span><span class="p">)</span>
<span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="o">.</span><span class="n">Call</span><span class="p">()</span>
<span class="k">if</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span>
<span class="k">return</span>
<span class="p">}</span>
<span class="k">if</span> <span class="n">show</span> <span class="p">{</span>
<span class="k">var</span> <span class="kt">uintptr</span> <span class="o">=</span> <span class="m">9</span>
<span class="o">.</span><span class="n">Call</span><span class="p">(,</span> <span class="p">)</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="k">var</span> <span class="kt">uintptr</span> <span class="o">=</span> <span class="m">0</span>
<span class="o">.</span><span class="n">Call</span><span class="p">(,</span> <span class="p">)</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<p><em>Defender doesn’t much care for this.</em></p>
<p><a href="https://twitter.com/Tyl0us">@Tyl0us</a> was kind enough to lend his time to this issue, and after some testing I can present to you FOUR additional methods you can use to bypass the latest Windows Defender detection right now. A patch is planned for ScareCrow that will change this window hide code in an attempt to thwart the latest Windows Defender signature, but in the meantime read on:</p>
<h2 id="defender-bypass-1---sandbox-evasion-mode">Defender Bypass #1 - Sandbox Evasion Mode</h2>
<p>Try building your payloads using the <code class="language-plaintext highlighter-rouge">-sandbox</code> option. This seems to evade the Defender detection for now. Either by happenstance (lucky heuristic evasion), or by actually preventing some sort of cloud/execution sandbox analysis that Defender has used on these payloads to build heuristic detection for their behavior.</p>
<p>Caveats:</p>
<p>Requires that the machines you execute on be joined to a domain, via a call to <a href="https://docs.microsoft.com/en-us/windows/win32/api/lmjoin/nf-lmjoin-netgetjoininformation">NetGetJoinInformation</a>, or it <a href="https://github.com/optiv/ScareCrow/blob/main/Struct/Struct.go#L5">won’t run</a>.</p>
<h2 id="defender-bypass-2---process-injection-mode">Defender Bypass #2 - Process Injection Mode</h2>
<p>Process Injection works great against the EDR product I’ve been testing on, as well as Windows Defender. It contains none of the Console Window code above and still gives you full EDR evasion by unhooking it’s own loader process and then flushing the EDR hooks from the relevant DLLs in the remote process.</p>
<p><code class="language-plaintext highlighter-rouge">./ScareCrow -I stageless.bin -domain www.microsoft.com -injection C:\\Windows\\System32\\notepad.exe</code></p>
<p>Tack on the <code class="language-plaintext highlighter-rouge">-console</code> flag while testing to see interesting output on how this works, or to debug unexpected results.</p>
<p><strong>Caveats:</strong></p>
<p>You cannot use <code class="language-plaintext highlighter-rouge">-etw</code> to patch Event Tracing for Windows using the <code class="language-plaintext highlighter-rouge">-injection</code> loader.</p>
<h2 id="defender-bypass-3---console-mode">Defender Bypass #3 - Console Mode</h2>
<p>Building using the <code class="language-plaintext highlighter-rouge">-console</code> flag removes the code to hide the Console Window, evading detection.</p>
<p><strong>Caveats:</strong></p>
<p>There is a visible Console window shown during execution that contains debug information.</p>
<h2 id="defender-bypass-4---binary-mode-gui-application">Defender Bypass #4 - Binary Mode (GUI Application)</h2>
<p>Instead of having ScareCrow build our binary payloads as Console Applications (which are causing the Defender flagging discussed above), we can tell <code class="language-plaintext highlighter-rouge">go build</code> to make a <code class="language-plaintext highlighter-rouge">windowsgui</code> application instead, which has no visibile window to hide.</p>
<p>ScareCrow doesn’t do this by default for a good reason:</p>
<p><img src="/assets/images/scarecrow_7.png" alt="Image" /></p>
<p><em>ScareCrow builds as a Console Application on purpose to evade specific EDR products</em></p>
<p>But alas, Windows Defender currently doesn’t mind this type of behavior.</p>
<p>To do this yourself, make an edit to <code class="language-plaintext highlighter-rouge">ScareCrow.go</code> like this:</p>
<p><a href="https://github.com/adamsvoboda/ScareCrow/blob/windows-gui-test/ScareCrow.go#L81">https://github.com/adamsvoboda/ScareCrow/blob/windows-gui-test/ScareCrow.go#L81</a></p>
<p>Replace the existing string:</p>
<div class="language-go highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">cmd</span> <span class="o">=</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="n">bin</span><span class="p">,</span> <span class="s">"GOROOT_FINAL=/dev/null"</span><span class="p">,</span> <span class="s">"GOOS=windows"</span><span class="p">,</span> <span class="s">"GOARCH=amd64"</span><span class="p">,</span> <span class="s">"go"</span><span class="p">,</span> <span class="s">"build"</span><span class="p">,</span> <span class="s">"-a"</span><span class="p">,</span> <span class="s">"-trimpath"</span><span class="p">,</span> <span class="s">"-ldflags"</span><span class="p">,</span> <span class="s">"-s -w"</span><span class="p">,</span> <span class="s">"-o"</span><span class="p">,</span> <span class="s">""</span><span class="o">+</span><span class="n">name</span><span class="o">+</span><span class="s">".exe"</span><span class="p">)</span>
</code></pre></div></div>
<p>With this one:</p>
<div class="language-go highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">cmd</span> <span class="o">=</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="n">bin</span><span class="p">,</span> <span class="s">"GOROOT_FINAL=/dev/null"</span><span class="p">,</span> <span class="s">"GOOS=windows"</span><span class="p">,</span> <span class="s">"GOARCH=amd64"</span><span class="p">,</span> <span class="s">"go"</span><span class="p">,</span> <span class="s">"build"</span><span class="p">,</span> <span class="s">"-a"</span><span class="p">,</span> <span class="s">"-trimpath"</span><span class="p">,</span> <span class="s">"-ldflags"</span><span class="p">,</span> <span class="s">"-H=windowsgui -s -w"</span><span class="p">,</span> <span class="s">"-o"</span><span class="p">,</span> <span class="s">""</span><span class="o">+</span><span class="n">name</span><span class="o">+</span><span class="s">".exe"</span><span class="p">)</span>
</code></pre></div></div>
<p>Then you’ll need to go edit <code class="language-plaintext highlighter-rouge">Struct/Struct.go</code> and comment out the sections where the Console Window Hide code could be emitted in the final binary:</p>
<p><a href="https://github.com/adamsvoboda/ScareCrow/commit/a7b62c85d89d4734a29147a1f7d0c7d4c10dcf3e#diff-5e95797a7202b61fa219b1e55526f360534b909ec74ae46a29058c7914735516">https://github.com/adamsvoboda/ScareCrow/commit/a7b62c85d89d4734a29147a1f7d0c7d4c10dcf3e#diff-5e95797a7202b61fa219b1e55526f360534b909ec74ae46a29058c7914735516</a></p>
<p>From there, you can run <code class="language-plaintext highlighter-rouge">go build ScareCrow.go</code> and build a new binary payload that should fly under Defender’s radar for now. To take it a step further, you could add a check for the <code class="language-plaintext highlighter-rouge">-console</code> argument and only emit the console-window related code in <code class="language-plaintext highlighter-rouge">Struct.go</code> if it’s enabled.</p>
<blockquote>
<p>I do not recommend using my fork linked in the examples above (although it works for now), it’s a few patches behind master. and I don’t plan to update it. Create your own fork and just use it as inspiration.</p>
</blockquote>
<p><strong>Caveats:</strong></p>
<p>May not evade detection on specific EDR products, but still good for Windows Defender engagements (for now).</p>
<p><strong>Windows Defender Version Last Tested:</strong></p>
<p><img src="/assets/images/scarecrow_8.png" alt="Image" /></p>
<h1 id="read-more">Read More:</h1>
<ul>
<li><a href="https://www.optiv.com/insights/source-zero/blog/endpoint-detection-and-response-how-hackers-have-evolved">Endpoint Detection and Response: How Hackers Have Evolved</a></li>
<li><a href="https://www.optiv.com/insights/source-zero/blog/edr-and-blending-how-attackers-avoid-getting-caught">EDR and Blending In: How Attackers Avoid Getting Caught</a></li>
<li><a href="https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/">A Tale of EDR Bypass Methods</a></li>
<li><a href="https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/">Let’s Create An EDR… And Bypass It!</a></li>
<li><a href="https://hackplanet.io/aiovg_videos/scarecrow-and-office-365-app-phishing/page/2">HackThePlanet Video about ScareCrow</a></li>
</ul>
<p>Huge props to @Tyl0us and the team at Optiv for this incredible piece of kit. Go follow him!</p>During red team engagements, we frequently encounter EDR solutions. We deploy a lot of Cobalt Strike, and I wanted to write up a short blog post on how you can quickly deploy a beacon (or your own choice of raw shellcode) on an endpoint protected by one of these solutions.