Stealth Shell: A Fully Virtualized Attack Toolchain
by Ryan Petrich
Phrack Magazine issue 71 article 14. 2024
https://phrack.org/issues/71/14.html
| Notes |
|---|
| remote shells are a foundational element of the attack development lifecycle. |
| post-exploitation toolchains are either noisy and flexible or stealthy and cumbersome |
| target puppetry |
| interactive shell |
| DOS |
| remote shell |
| implant |
| stealth |
| attack development lifecycle |
| post exploitation |
| usability of hack tools |
| syscall |
| interactive shell |
| C:\> prompt |
| shells - prompts, aliases, scripts |
| SSH |
| SSH is the canonical tool for legitimate remote interactive shells. |
| connectback shell = reverse shell |
| socket reuse shell |
| socket |
| shell interpreter |
| standard in, standard out |
| nginx |
| connectback shell |
| “shelling out” |
| system administrator |
| payload |
| sysadmin vs attacker; shell usage |
| middle-aged exploit authors who sold out to enrich venture capitalists |
| attackers spawn shells during exploitation to be more nimble; allows them to poke around and make changes instead of re-exploiting with another payload |
| classic reverse shells only give access to tools already on the host |
| custom implants tend to be brittle |
| custom implants often re-implement basic functionality (cat, ls, …) |
| many people, especially devs, do not like the default settings of shells |
| PowerShell |
| Linux |
| macOS |
| Immunity Canvas |
| Core Inpact |
| proprietary tools may have extensibility, but you are walled into their ecosystem |
| stealth shell allows you to interact with the target as if you were using your own shell |
| grep for logs, passwords, keys, … |
| cp files |
| interact with their database with mysql cli |
| add ssh key with echo |
| run whatever editor you like locally as if you were editing it on your machine |
| use curl to download files to their system |
| wipe their disk with dd |
| rsync to exfil big directories |
| stealth shell allows you to use any software installed on the attacker’s system as if it were on the victim’s machine |
| system call remoted (originally commercialized by CORE) |
| stealth shell functionality: |
| perform a syscall and report the result |
| call a function and report the result |
| peek memory and report the bytes back |
| poke memory, writing bytes to it |
| multiplatform malware |
| enterprises tend to use older, LTS Linux distributions |
| challenges of writing multiplatform malware |
| “Exploits get most of the hype, but toolchains and workflows are what make or break real attack operations. Plus, we deserve civilized workflows that don’t require us to cosplay as Windows sysadmin.” |
| ADI |
| grep, cp, psql, .authorized_keys |
| curl |
| dd |
| rsync |
| xmrig |
| SHA256 |
| scripting language |
| shellcode |
| system call remoting |
| stat command |
| newfstatat() |
| cat command |
| openat(), open() |
| bash |
| path |
| relative path |
| file descriptor |
| CreateFileEx |
| serialized, unserialized |
| subprocess |
| cryptomining |
| Bitcoin |
| GPU |
| security stack |
| sandbox |
| SRE |
| defenders |
| aton, texec |
| VirtualAllocEx |
| runtime |
| ELF interpreter |
| JIT (just in time) |
| x86_64 |
| Detours |
| trampolines |
| mmap() |
| CreateThread |
| SysV auxiliary vector |
| clone() |
| ResumeThread |
| Task Manager |
| pico process |
| distributed system |
| multi-platform |
| HANDLE |
| Cygwin |
| pwnage |
| DNS |
| HTTP |
| multiprotocol malware/multiprotocol command and control |
| exploit hype |
| toolchain |
| workflow |
| stealth-shell.tar.gz |