Welcome to our new blog series, in which ReliaQuest teammates recommend interesting stories that you might find useful in your day to day jobs. This month, I’m joined by my colleagues, threat hunters George Paco and Jonny Elrod. Here is what we are reading.

Rick’s Recommendation

“Octosuite: A New Tool to Conduct Open Source Investigations on GitHub”

The bottom line up front: Adversaries are conducting reconnaissance on your company’s GitHub repositories, and Bellingcat’s new tool, Octosuite, will make it easier for you to find and remediate risks before the bad guys exploit them.

You are hopefully familiar with GitHub, but if you aren’t, “GitHub is a code hosting platform for version control and collaboration. It lets you and others work together on projects from anywhere.” If your company has developers, they are likely using GitHub or a competing solution like GitLab.

Many developers believe that their code repositories are private when they are actually public, and sensitive data is leaked out. Misconfigurations have led to bad actors gaining private SSH keys, account credentials, and even AWS keys. Attackers also target developers so that they can gain access to their GitHub accounts. Many high-profile intrusions have started with bad actors gaining access to GitHub.

If you aren’t familiar with Bellingcat, they are a well-respected and world-renowned “independent international collective of researchers, investigators and citizen journalists using open source and social media investigation to probe a variety of subjects.” When an organization with the pedigree of Bellingcat puts out an OSINT tool, it is worth checking out. “Octosuite is an advanced GitHub framework written in Python that uses GitHub’s Public API to make the process of investigating accounts and repositories on the platform more efficient while also creating a set of automated and easily reproducible queries.” If you are concerned about the risks to your GitHub, and you should be, check out Octosuite.

George’s Recommendation

“How legitimate vulnerable drivers are being used to evade EDR detection.”

The bottom line up front: Threat actors utilize legacy drivers to gain kernel access and disable security monitoring. Hardening against these attack vectors could save your company headache and pain.

“Hacking involves a different way of looking at problems that no one’s thought of.” – Walter O’Brien

Hacking is the repurposing of software or devices to produce different outputs than the intended use for the hacker’s benefit. After initial access, most threat actors will attempt to elevate privileges, disable security tools, and establish persistence. Many environments don’t alert on malicious use of trusted, legacy, or signed third-party drivers. Thus, threat actors can exploit these drivers, giving them access to kernel memory. This technique can be called Bring Your Own Vulnerable Driver (BYOVD)—which is basically like bringing your own keys to the bank vault.

ESET has reported APT groups like Lazarus Group utilizing a signed, legitimate Dell driver, “DBUtil_2_3.sys”, and exploiting CVE-2021-21551 to elevate privileges and gain kernel write permissions. Once they gained kernel access, Lazarus Group could disable EDR monitoring.

Sophos reported a similar attack where Blackbyte exploited the drivers “RTCore64.sys” and “RTCore32.sys” within “Micro-Star’s MSI Afterburner 4.6.2.15658” via CVE-2019-16098. The report states that “a whopping list of over 1,000 drivers on which security products rely on to provide protection” can be disabled from this technique. Like Lazarus Group, the end goal was to disable security controls after gaining initial access.

Mitigating these attacks requires security teams to follow Microsoft’s recommended driver block rules. I also recommend using Hypervisor-Protected Code Integrity (HVCI). Windows 11 users can leverage the Windows 11 2022 update, which by default enables “Microsoft Vulnerable Drive Blocklist.”

Jonny’s Recommendation

PowerDP: De-Obfuscating and Profiling Malicious PowerShell Commands

It’s always a cat-and-mouse game with adversaries. To combat the pervasive use of PowerShell obfuscation by threat actors, a group of Taiwanese researchers developed a reliable way of de-obfuscating and classifying the behavior of PowerShell code automatically through deep learning. If you’re unfamiliar with PowerShell obfuscation, it is the process of generating commands so that their intent is hidden. This obfuscation makes incident responders’ jobs much more difficult. PowerShell obfuscation comes in many forms. For some practical examples of decoding obfuscated PowerShell, see MattNotMax’s CyberChef Recipe guide in GitHub.

The authors first had to solve the problem of identification. Before performing de-obfuscation, you need to understand how a particular PowerShell command is obfuscated. PowerShell has many features which can be used for obfuscation, including string manipulation, encoding, and compression. The researchers took the measure of the entropy of character distribution for each obfuscation method for use as a distinguishing metric. With an extensive training data set of obfuscated PowerShell commands, the researcher’s machine learning algorithm was able to use the measurement of character distribution to make accurate predictions on the type of obfuscation in place. From there, the researchers applied the appropriate regex string replacement method to decode the PowerShell command.

With a reliable decoder, the authors set about to statically profile the expected behavior of the PowerShell command. A foolproof method of doing this is to parse the PowerShell command into an Abstract Syntax Tree (AST) which effectively breaks the PowerShell command into its base elements. The PowerShell language introduces a lot of flexibility in that the same function can be accomplished using different methods. PowerShell cmdlets can be invoked using aliases that can be shortened. Parsing a PowerShell command into its corresponding AST removes ambiguity by reducing its complexity. The researchers chose to use only a few behavior classifications: sleep, known malware, code injection, byte usage, and downloader. By feeding the ASTs of the decoded PowerShell commands into their machine-learning algorithm, the authors could reach a high level of accuracy with the profiling of PowerShell behavior.

If you’re interested in PowerShell decoding solutions but need a Ph. D. in data science, don’t despair! Using a more straightforward method of decoding PowerShell commands, Palo Alto Networks researchers demonstrated that PowerShell could be decoded using simple regex matches, with no data science required. In a tool developed using Python, the Palo Alto Networks team laid out a process of recursively matching and replacing obfuscated PowerShell commands. The script then runs a keyword search on the decoded PowerShell script to look for behavioral indicators. While the programmatic approach to decoding PowerShell commands has shortcomings and won’t work in every case, it proves an adequate substitute for machine learning, especially when you don’t have a bench of data scientists.