Don’t you just enjoy it when someone has an awesome idea?! I certainly do. On the blog of Utku Sen you can find an article which describes how it is possible to evade anomaly-based network intrusion detection systems (NIDS).
We have summarized the important pieces of the blog right here for you.
The approach is not a single tool. It is a combination of methods which together allow you to evade anomaly detection.
The name of the first tool is firstorder. This tool analyses the network traffic and tries to identify and capture a normal traffic profile.
The second tool is called MarkovObfuscate.
The third tool is called Empire.
The tools mentioned above are discussed below.
With a normal traffic profile, the listener-agent communication has a better chance of evading an anomaly-based NIDS: the NIDS simply does not see ‘weird’ traffic taking place.
In this project, the author used the Empire post-exploitation framework. This framework is based on PowerShell and Python.
Empire supports HTTP and HTTPS (also Dropbox etc.) listeners for C2-agent communication. Even though an HTTPS connection encrypts all communication, we will assume there is a solution on the network which intercepts and decrypts SSL/TLS traffic.
As you can read above, the author takes into consideration that SSL/TLS interception (splitting) will be in place in such environments, so in this project the choice was made to use HTTP-based communication:
The HTTP listener has the following key options:
The HTTP listener provides symmetrically encrypted communication even without an SSL/TLS connection.
In this project, the author mentions that at least the following values are used by a NIDS to detect anomalies:
The author divides the communication traits into two groups; the first group holds the following values:
The second group holds:
It is also pointed out in the article that, in this type of attack, the POST body often holds encrypted, gibberish-looking data. This is quickly detected by anomaly detection systems, and that is why the author uses MarkovObfuscate, an obfuscation project of the Cylance Spear Team.
The main attack method
The main attack steps are:
To normalize the first group of traits, we extract the most common URI, user-agent, server header and port values from the traffic capture data. With this data, we set the appropriate listener options.
The second group
For the second group of traits, default HTML content can be chosen by identifying the most visited websites in the traffic capture data. However, normalizing the POST request body of the communication is not achievable using traffic capture data: as explained in the previous sections, POST requests are encrypted and contain gibberish characters.
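As an added illustration (not code from the original article, nor from Empire, firstorder or MarkovObfuscate), here is a defender-side check of the kind the anomaly-detection argument above relies on: it scores a POST body by byte entropy and printable ratio, so that encrypted, gibberish-looking bodies stand out from ordinary text. The thresholds and the sample bodies are constructed assumptions, not values from the article.

```python
import base64
import hashlib
import math
from collections import Counter

# Thresholds are assumptions for this illustration, not values from the article.
ENTROPY_THRESHOLD = 5.5     # bits per byte; English text sits around 4-4.5
PRINTABLE_THRESHOLD = 0.95  # share of bytes that are printable ASCII or whitespace

def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x20-0x7e) or tab/newline/CR."""
    if not data:
        return 1.0
    return sum(1 for b in data if 0x20 <= b < 0x7f or b in b"\t\n\r") / len(data)

def classify_post_body(body: bytes) -> dict:
    """Flag a POST body whose byte statistics look like ciphertext rather than text."""
    ent, pr = shannon_entropy(body), printable_ratio(body)
    return {"entropy": round(ent, 2), "printable_ratio": round(pr, 2),
            "gibberish": ent > ENTROPY_THRESHOLD or pr < PRINTABLE_THRESHOLD}

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 digests (constructed data)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample bodies, not captured traffic.
TEXT_BODY = (b"The quarterly report is attached. Please review the figures on page "
             b"three and let me know if the travel budget still looks reasonable. "
             b"We should also schedule the vendor call for next week before the "
             b"holiday, since several people will be out of the office after that.")
CIPHER_BODY = pseudo_random_bytes(1024)                # raw ciphertext-like body
B64_BODY = base64.b64encode(pseudo_random_bytes(768))  # base64-wrapped ciphertext

if __name__ == "__main__":
    for name, body in [("text", TEXT_BODY), ("cipher", CIPHER_BODY), ("base64", B64_BODY)]:
        print(name, classify_post_body(body))
```

A body reshaped to carry natural-language statistics, which is what the Markov approach discussed next aims for, passes this check unflagged, so the first group of traits (URI, user-agent, server header, port) still has to be baselined alongside it.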
The solution for the POST requests
Instead of directly encrypting the data, we can use the Markov Obfuscation tool created by the Cylance Spear Team.
Once used correctly, it can change a simple /etc/passwd file from:
The steps which need to be taken:
Download the package: