I'll See Your Missle and Raise You A MIRV: An Overview of the Genesis scripting engine

Video thumbnail (Frame 0) Video thumbnail (Frame 2071) Video thumbnail (Frame 3583) Video thumbnail (Frame 4767) Video thumbnail (Frame 6209) Video thumbnail (Frame 8588) Video thumbnail (Frame 12902) Video thumbnail (Frame 15082) Video thumbnail (Frame 16575) Video thumbnail (Frame 20760) Video thumbnail (Frame 21954) Video thumbnail (Frame 25099) Video thumbnail (Frame 26296) Video thumbnail (Frame 30071) Video thumbnail (Frame 31347) Video thumbnail (Frame 32746) Video thumbnail (Frame 33657) Video thumbnail (Frame 37267) Video thumbnail (Frame 38371) Video thumbnail (Frame 42366) Video thumbnail (Frame 43742) Video thumbnail (Frame 46248) Video thumbnail (Frame 47183) Video thumbnail (Frame 48802) Video thumbnail (Frame 50036) Video thumbnail (Frame 51007) Video thumbnail (Frame 54267) Video thumbnail (Frame 55452) Video thumbnail (Frame 56424) Video thumbnail (Frame 58787) Video thumbnail (Frame 66334)
Video in TIB AV-Portal: I'll See Your Missle and Raise You A MIRV: An Overview of the Genesis scripting engine

Formal Metadata

Title
I'll See Your Missle and Raise You A MIRV: An Overview of the Genesis scripting engine
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Typically, the activities of a malware attack occur on an execution timeline that generally consists of 3 segments—the vector, the stage, and the persistence. First, a vector, or method of exploitation is identified. This could be anything from logging in over a credentialed method like RDP or SSH and running a malicious payload directly, to exploiting a memory corruption vulnerability remotely. Second, that access is leveraged into running malicious code that prepares the victim for the deployment of persistence (commonly "implant"). While segments one and three have been extensively automated, a effective automated utility for deploying persistence in a dynamic and unified context has yet to present itself. Enter the Genesis Scripting Engine. The Genesis Scripting Engine, or Gscript for short, is a framework for building multi-tenant executors for several implants in a stager. The engine works by embedding runtime logic (powered by the V8 Javascript Virtual Machine) for each persistence technique. This logic gets run at deploy time on the victim machine, in parallel for every implant contained with the stager. The Gscript engine leverages the multi-platform support of Golang to produce final stage one binaries for Windows, Mac, and Linux. This talk will consist of an overview of the origins of the project, a technical deep dive into the inner workings including the modified Javascript VM, a walk through of the CLI utility, and examples of how we've leveraged Gscript in the real world. Multiple demos involving practical application scenarios will be presented, as well as an opportunity for audience members to submit their own implants and have them built into a hydra on stage in a matter of minutes.
Cybersex Scripting language Demo (music) Operator (mathematics) Software developer Core dump Right angle Cartesian coordinate system Information security
Malware Server (computing) Vector space Semiconductor memory Chain Exploit (computer security) Cuboid Bit Procedural programming Cartesian coordinate system Plot (narrative)
Scripting language Source code Bit Drop (liquid) Malware Operator (mathematics) Gastropod shell Right angle Fiber bundle Computer forensics Computer worm Physical system Software development kit Form (programming)
Scripting language Computer virus Dialect Computer-generated imagery Binary code Source code Shared memory Mereology Number Prototype Single-precision floating-point format Chain MiniDisc Right angle Information security Computer architecture
Standard deviation Implementation Functional (mathematics) Scripting language Thread (computing) Run time (program lifecycle phase) Code Debugger Tape drive Virtual machine Water vapor Number Graphical user interface Semiconductor memory Operating system Gastropod shell Representation (politics) Computer worm Software framework Computing platform Scripting language Key (cryptography) Debugger Binary code Core dump Bit Compiler Embedded system Process (computing) Logic Interpreter (computing) Right angle Fiber bundle Quicksort Computer worm Library (computing)
Point (geometry) Standard deviation Functional (mathematics) Computer file Virtual machine Compiler Declarative programming Variance Hooking String (computer science) Computer worm Normal (geometry) Macro (computer science) Library (computing) Form (programming) Scripting language Multiplication Line (geometry) Compiler Embedded system Sic Function (mathematics) Statement (computer science) MiniDisc Computer worm
Scripting language Greatest element Computer file Computer file Content (media) Function (mathematics) Directory service Drop (liquid) Compiler 2 (number) Writing Function (mathematics) Compilation album Cuboid Computer worm Extension (kinesiology)
Point (geometry) Scripting language Code Number Power (physics) Web 2.0 Programmer (hardware) Malware Operator (mathematics) Gastropod shell Software testing Selectivity (electronic) Macro (computer science) Quipu Scripting language Cross-platform Software developer Binary code Compiler Process (computing) Logic Personal digital assistant Order (biology) Right angle Quicksort Computer worm Reverse engineering
Point (geometry) Functional (mathematics) Context awareness Virtual machine Compiler Student's t-test Disk read-and-write head Focus (optics) Operator (mathematics) Operating system Diagram Macro (computer science) Social class Graphics processing unit Scripting language Dataflow Namespace Binary code Bit Process (computing) Software Order (biology) Computer science Window Library (computing)
Functional (mathematics) Mobile app Code Multiplication sign Compiler Parameter (computer programming) Computer programming Malware Computer configuration Flag Macro (computer science) Information security Scripting language Covering space Key (cryptography) Mapping Wrapper (data mining) Information systems Interface (computing) Cartesian coordinate system Entire function Abstract syntax tree Compiler Type theory Linker (computing) Logic Right angle Quicksort Library (computing) Computer worm
Functional (mathematics) Scripting language Multiplication sign Interactive television Boom (sailing) Client (computing) Mereology Computer programming Formal language Revision control Different (Kate Ryan album) Term (mathematics) Linker (computing) Bridging (networking) Macro (computer science) Scripting language Multiplication Namespace Debugger Interactive television Client (computing) Line (geometry) Connected space Compiler Type theory Process (computing) Function (mathematics) Right angle Object (grammar) Spectrum (functional analysis) Library (computing)
Scripting language Functional (mathematics) Context awareness Namespace Code Debugger Debugger Binary code Bit Client (computing) Density of states Graphical user interface Type theory Macro (computer science) Pointer (computer programming) Gastropod shell Right angle Video game console Object (grammar) Macro (computer science) Library (computing)
Computer icon Functional (mathematics) Standard deviation User interface Debugger Interactive television Electronic mailing list Symbol table Compiler Type theory Type theory Function (mathematics) Library (computing)
Scripting language Standard deviation Complex (psychology) Concurrency (computer science) Binary code Electronic mailing list Virtual machine Primitive (album) Limit (category theory) Regulärer Ausdruck <Textverarbeitung> Mereology Evolutionarily stable strategy Compiler Formal language Revision control Programmer (hardware) Latent heat Mathematics Case modding Energy level Library (computing) Library (computing) Row (database) Computer worm
Covering space Scripting language Presentation of a group Functional (mathematics) Computer file Codierung <Programmierung> Computer file Client (computing) Control flow Content (media) Mereology Usability Software bug Type theory Cryptography Process (computing) Type theory Military operation Function (mathematics) String (computer science)
NP-hard Gateway (telecommunications) Point (geometry) Scripting language Vapor barrier Code Multiplication sign Perspective (visual) Number Different (Kate Ryan album) Operating system Software framework Error message Library (computing) Computing platform Compilation album Computer architecture Physical system Scripting language Collaborationism Cross-platform Binary code Debugger Code Library catalog Exploit (computer security) Finite difference MiniDisc Right angle Writing Library (computing) Computer worm
Windows Registry Randomization Functional (mathematics) Computer file Code Online help Latent heat Operator (mathematics) String (computer science) Ring (mathematics) Core dump Computing platform Scripting language Injektivität Multiplication Block (periodic table) Binary code Drop (liquid) Directory service Binary file Process (computing) Personal digital assistant Function (mathematics) Einbettung <Mathematik> Self-organization Hill differential equation Game theory Library (computing)
Point (geometry) Service (economics) Semiconductor memory MiniDisc Right angle Line (geometry) Binary file Mereology Bookmark (World Wide Web) Number Computer worm
Metropolitan area network Multiplication Touchscreen Virtual machine Directory service Open set Malware Different (Kate Ryan album) Internetworking Synchronization Cuboid Window Wireless LAN Computer worm
Service (economics) Computer file Multiplication sign Firewall (computing) Virtual machine .NET Framework Function (mathematics) Binary file 2 (number) Uniform resource locator Videoconferencing Cuboid Software testing Information Booting Physical system Installation art Scripting language Standard deviation Demo (music) Key (cryptography) Cross-platform Process capability index Bit Radical (chemistry) Right angle Window Library (computing) Computer worm
Default (computer science) Server (computing) Demo (music) Source code Directory service Different (Kate Ryan album) Internetworking Computer configuration Computer music Information Data compression Local ring God Computer worm
Mixed reality Password Operating system Boom (sailing)
Injektivität Scripting language Remote administration Demo (music) Computer file Code Virtual machine Evolute Electronic signature Revision control Type theory Data management String (computer science) Chain Gastropod shell Remote procedure call Information security Resultant Metropolitan area network Spacetime Physical system
Greatest element Randomization Context awareness Run time (program lifecycle phase) Multiplication sign Encryption Office suite Information security Scripting language Mapping Binary code Electronic mailing list Shared memory Determinism Bit Regulärer Ausdruck <Textverarbeitung> Flow separation Process (computing) Hash function Software repository Normal (geometry) output Right angle Figurate number Quicksort Writing Ocean current Point (geometry) Functional (mathematics) Link (knot theory) Control flow Online help Metadata String (computer science) Touch typing Authorization Data structure Address space Computing platform Default (computer science) Projective plane Expert system Cartesian coordinate system Cryptography Compiler Uniform resource locator Revision control Einbettung <Mathematik> Window Library (computing)
hey this is Alex this is Dan and I got something really cool talk about hey you guys doing last talk of the day then you guys are gonna go to bed right after this I imagine thanks for coming out guys it's pretty exciting for us my name is Alex Levinson got Dan here today we're gonna go through a tool that we wrote the agenda today you're gonna talk about droppers and stagers as some of you might call them not really gonna get the damn ticket out the terminology there and how we kind of got here today after that we're gonna go into this technology that we built and how it works and we'll talk about some of the real-world applications and then we'll give you a demo which will inevitably fail but you know we'll see if we'll see how that goes so first off just an introduction for us so my name is Alex Levinson I'm a thank you I'm a senior security engineer at uber I've been there for a couple of years my specialty is really in tool development in red teaming I am a core red team member at the National CCDC and also the Western Regional CCDC as well thank you hey guys I'm damn gorgeous I'm a senior Red Team operator in dev I also partake in national CCDC on the red team and Alex I play a lot of cyber competitions together so we're just here to show you some of our cool tools so we
got to go back a little bit we got to cover some basics first we're gonna talk about what is a dropper what is this classification a thing we're talking
about in our little hyperlocal kill chain right here we have an exploit this is your initial vector this is how you're getting on the server this is usually like a memory corruption attack something like that next attackers usually moved to some kind of stager this is moving from memory to their next tool often this can reach out and download more shellcode do something like that and then this is really where we're going to focus on this is kind of your stage one some some people call it the stage one the stage two this is the dropper you're moving from your exploit to bringing over your tools this this is what's gonna bring over your malware it's gonna put your persistence on the Box your elite your deep slow stuff and then finally you have your own malware these are your custom applications maybe your specific TTP's that you want to put on a box and again using a dropper here is important because you can protect your TTP's your tools and tactics and procedures by using the dropper so where a dropper is
used we're trying to emulate what we see in the wild what we see is a lot of third party crime where people will use these exploit kits and then between the exploit kit and their own private malware they'll usually lever some kind of dropper they can do this as a form of packing to either bundle it with other executables or just as a way to to get their malware onto the system we can also use a dropper to be contextually aware and have contextual iya where implants this is kind of like Stuxnet so do you want to land on this system do I want to deploy my payload because sometimes you don't want to infect this host and that's a good thing for a dropper to say and then kind of back off and not put the malware down and then we use it a lot in our Red Team operations for CCDC we like to go fast and hard so this is the perfect tool for us to really like lay on the pain fast so a
little bit of history about how we arrived here back in the day on the CCDC Red Team all these people will be bringing these super cool kits we'd have really advanced techniques and they'd be going against a single team and they'd be using this technique on this this team and what we wanted to do is we wanted to apply this pain to everybody equally so we started wrapping it in shell scripts in PowerShell bash and all of these great techniques to really just kind of drop six seven implants up to ten on a single team so now each team's not getting just one implant made especially for them they're getting all 10 implants we made for everybody so we can really share and then around 2015-2016 we moved to these like I said these scripts but they started to have drawbacks right they had like forensic drawbacks right people can find the scripts on the systems PowerShell script lock logging and they could tell exactly what we were doing they could get our source code which was pretty dangerous for us as operators so in late 2016 early 2017 we
moved a lot of our tool chain to golang we did this for a number of reasons mostly because you get natively compiled executables so you can get a binary that runs specifically on an architecture this means you have to disassemble it it's hard to do which means you can't get that source code back it's it's difficult to reverse and while we were doing this we also started looking at what is a dropper like right this had all all of our tactics built into it and we really wanted to say let's abstract our specific techniques out and make a pure dropper that we can put any technique into and at 2017 at a national CCDC we had a few friends virus Lucas and they put together this thing called Genesis where we had an SMB share and you could just drop binaries in it and we bundled them all into one executable and we just ran it on the disk it run everything that you put into this SMB share just a native executable this was really cool this was really good but it had a few drawbacks we basically instead of just running everything together we wanted to specifically instrument them in a certain way so I think it was late 2017 into the 2018 CCDC season Alex started working on this prototype of G script the genesis scripting engine which we'll get to and we used it we used it all through this last CCDC season and it was really successful we dropped it on every single team at Nationals everybody felt the pain and then between then which was April 2018 and now we've added a ton of cool new features like really sweet stuff and that's what we're gonna get into today whoo thank you Dan
yeah as Dan said today we are going to show the world you guys the awesome information security community that we're a part of basically what we've done cumin Allah over the last several years but also some really awesome features that even if you were at CCDC you really didn't get a chance to play with but from now on I'd like to introduce the genesis scripting engine or as we call it G script what is G
script Dan covered sort of this thing it's it's this dropper it lets us take malware bundle it together and tape it up in a big ball and throw it at somebody great that's a good explanation but how do you use it what does it look like to you as the red teamer it's really easy you have your payloads you write a script for your payload you use the G script compiler just on the command line you get out a native binary it couldn't be more simple than that I use this all over our documentation G script is a frame work that allows you to rapidly implement custom droppers for all three major operating systems so let's talk about what makes this what mate what makes up G script right so first off there's the engine the engine is the thing that is inside of that native binary that you made that actually runs and executes the logic that you've specified in your script there's the compiler the compiler takes your script and turns it into that native binary there's an OP you skater that's hooked into the compiler that we wrote try and make it a little bit harder for you Blue team folks out there we really do like you but you know we just we want to make you mad sometimes we've got a standard library these are functions that you can use inside of your Genesis scripts we've got a command-line tool that's how you interact with the compiler and other things and we also have an interactive debugger to help you develop these scripts in a more more reliable way let you test them out ahead of time so you're not doing stuff live a high-level walkthrough here's what happens when you use the compiler and that three-step process we just showed what ends up happening very first is the compiler goes and creates essentially representations of engines within memory for each of the scripts that you that you pass into it the next thing it's going to do is every one of the payloads that you gave into it this is a live interpreter payload will have some shell code will have some you know SSH keys that we're gonna drop somewhere it encrypts it embeds them directly into that virtual machine that it's got in memory after that it's gonna take all in number of virtual machines remember it has a virtual machine isolated for each script it's gonna take all in number of those and it's gonna sew it all together it's like with needle and thread into an actual executable for whatever platform you're targeting and then when that executables run that main that it's sewed it together is gonna launch every one of those runtimes in parallel so
let's do just a quick quick walk through my water thank you so a quick walk through of this just to kind of hopefully illuminate you guys on how easy this is to use so I've got a little
example here the example isn't isn't crazy it's really simple so we're gonna write it script it's eight lines there's some important things to note on this though it looks like JavaScript for all intents and purposes it is JavaScript we've sprinkled some syntactic sugar in the form of comment macros so compiler macros that you see in the very first line there that import statement is telling the G Script compiler I want you to import this file off my disk when we go to bundle this together the next line line three is just a normal variable declaration like you would call in JavaScript and then lines five through eight there is a function called deploy now when I talked before about when you run main it launches all those virtual machines the the JavaScript VMs essentially need an entry point to launch when that happens that's what it launches it launches the deploy hook so every one of your G scripts no matter what you're doing in it will always have a function deploy with something defined in it what's defined in ours here we get the payload text the the data that was in that file we get it as a string called payload data and then we write that to the destination file which we defined in line three so very quick very easy G script that anybody can write but hey
this is this is not just for one script this gonna be for multiple things right so let's write another one what's this one doing it's simply writing a file second underscore file.txt with the string rect so what do we do
now step 3 just use the compiler 1 command G script compile with an output file star dot GS GS is our file file extension for G script that's it and
what did we get at fer at the top we got drop it up in what is drop it up in it's a 64-bit ma Co executable I'm doing this on OS X what else is in I've run it on the the bottom of the first box there and then what happens all of a sudden you see desk text and second file dot text in that directory what's in those exactly the contents that we had placed in them initially all of you guys seemed pretty quiet was that too easy thank you all right so let's just talk
about that that seemed you know why couldn't you do that with PowerShell or a shell script or something like that
well first off you're getting a native binary you're getting a native binary that I could have written the first script dan could have written the next one and if Dan messed is up or I miss mine up it's not going to take down the entire binary it's gonna keep executing right that's the whole point of this is to be robust and resilient in the case of failure when you do these large-scale red team ops and you have many people contributing code you don't necessarily have have the luxury of constantly testing to make sure that somebody's payload isn't gonna isn't gonna mess up something in your process right so we really wanted to give the people writing the payloads the ability to come up with their logic on how they wanted this to be bundled in to to the actual final binary so you've got your native binary you've got your isolated G Script engines you've got the user-defined logic in those scripts that is actually encrypted and embedded just like the assets are into the binary and then you've got the embedded assets in their payloads those all get bundled together into one container inside of your native binary so let's talk about some of the features here right so first off the number one feature we saw was that you get to do this in JavaScript now I'm not a JavaScript developer but I think that we need to be making tools that are is easy for the broadest selection of us to use right so I know a lot of people in here probably C programmers a lot of people in here do a lot of low-level stuff I wanted to make something common that people were familiar with a lot of there's a lot of people to do web in testing JavaScript seems pretty familiar right now to a lot of people so let's just go ahead and go with that so it's easy to write it's easy to learn there's good documentation on how to write JavaScript well next thing is it's resilient to failure as we talked about if script 2 failed script 1 would have kept on going third it's highly customizable so things like order of operations of your script timeouts all of this stuff you can customize with those compiler macros that we showed you right we showed you one but there's many more you can go with so how is this cross-platform it's written in go essentially this whole thing is sort of leveraging the power of the compiler to make cross-platform malware for anybody to be using here number five it's secure we ran into this at CCDC where we had our droppers essentially be reverse engineered very easily by just looking at the powershell logs i'm excited to release this today because i'm excited to see how hard it is for somebody to actually reverse engineer one of these binaries that is a challenge to let me know if you do I'd love to see it and the number one thing that is new to anybody who has seen Genesis in the past is now you can actually call native go from within your JavaScript we'll get into that I know that sounds kind of wacky so we talked
about this initially but this diagram kind of gives you a little bit more context as to what happens you've got your main of your final binary and when that gets run you have all of these engines that are in their own isolated namespace essentially get created they initialize the JavaScript virtual machine within them they inject the scripts all the assets and any libraries native go libraries that you've called into it and then it calls that deployed function that entry point if you will on each of those and that happens pending any custom order of operations with your macros that happens all concurrently so what does GCM really let you do it lets you focus on what you're stager is doing not how am I gonna implement this for OS X even though I don't really know OS X or Windows or Linux so this has been a
process for us right I'm not a computer science you know master's student who's studied the deep internals of how software is made I would like to say I was but I definitely wasn't I started to take an operating systems class in college and I was way over my head so this has been a learning experience for
me and this is sort of some of the technology that I've figured out and implemented here within G scripts so when you go to do a compile what happens straightforward the first thing that happens is it looks through all your scripts and gets a essentially a mapping of all the macros that you've defined the next thing it's gonna do is it's gonna walk the app tracks in the abstract syntax tree of your JavaScript notating things like oh you imported a go library with this macro and then you called it down here in registers you know things like how many arguments are you calling with it what what might the type beat what can i infer the type might be of that argument it then goes through all the go packages that you've included in that as well and does the same thing walks all the ast they're looking for places where functions are defined that you've called from your JavaScript next it's going to start marrying those together it's going to essentially create foreign function interface wrappers in go on the fly for all of the functions that you've called in JavaScript that are instrumented in native go so that you're and then inject those into the VM that we're bundling itself together that's a probably another three talks worth of material to get into but if you'd like to it's definitely on github you can go check it out after that we embed all the assets we encrypt them each VM has its own encryption key that all the assets get embedded with and the embed the assets themselves don't actually get decrypted until you call them within your script so until you retrieve the asset the the asset isn't sitting in memory unencrypted and then the final step optional but we do enjoy it is the option step so we do the application both before and after native compilation and we've got some interesting stuff we'll kind of cover as to how that works
there so creating these standalone executables right how do we go about doing that well I said we leverage the go compiler to do that now what's interesting about this is if you can kind of see up here on this on the picture we take your scripts and payload and we actually write out an entire go program that contains the logic and everything needed that we just covered it into this go program now there's flags and our compiler you can go look at that code and see what that looks like it's incredibly unreadable we needed to make it that way for security right but it's been a really interesting thing to consider that you know we're in a place in time where it's no longer enough to just write malware you have to write code that writes code that writes here the right your malware right so we
talked about this before too and now I want to dive into this linking JavaScript go I I was called crazy a couple times in the process of this this was definitely one of those and I still think it might be crazy it's probably not as the safest thing you can be doing in the world but it's it it's crazy thank you it it's an interesting thing right there you've got two languages on completely opposite ends of the spectrum in terms of how they work and figuring out a way for a user to almost not know the difference between them is a fascinating endeavor for me and Dan for us to kind of implement this and somebody in the back who shall remain nameless so here I've got a little example right so we use the go import macro the compiler macro we talked about we're gonna import Redis we're gonna import Redis because as far as I know other than nodejs there's really just not an easy Redis library for for JavaScript there certainly isn't one for G Script you can import nodejs modules into this so how are we gonna we're going to interact with Redis and G Script well we're an import to go the go package for Redis so we import that and from there you import it as you see there as Redis that as blank blank is equal to the name space within the JavaScript program that you're defining here in your G script so on the next one I called the functions directly so ready to stock parts URL is actually a exported function within that within that go package and I can call it just like I would and go it now one thing to note there's no multiple assignment in JavaScript this were in es5 not es6 so in this version there's no there's no multiple assignment so if you look on line five you'll see R 0 R 0 is because in our linker that we we do when we see that you're calling a go function that's returning multiple assignment we actually make a dynamic array of that and give you back the return of that inside a single a single object that is an array of various types so R 0 and that is going to actually be the Redis client the Redis connection URL so line 5 we create a Redis client and line 6 we simply interact with it as we would any go program right and then down there you look at the script we compiled it normally and ran it and boom got the was able to interact with Redis right from G script using this native bridge so you I
wouldn't give you something incredibly incredibly unsafe without some way to at least play around with it and see how it worked and test your stuff right so we we spent a lot of time on an interactive debugger it's pretty nice and easy to
use so at any time after you've installed G script you can simply do G script shell and it will drop you into a repple right there the repple has the entire standard library which we'll get into bundled into it and you can do kind of some various things so for example we talked about macros how do you get a macro into the shell when it's something that compiler knows well in G script shell you can just pass the dash into it with macros you can pass multiple as many as you'd like into it and then when it drops into that shell it's as if you've dropped into the deploy function with that that VM instrumented other
things you can do is you can step through your code so in this you can see that I'm essentially doing the exact same thing that we were in the previous demonstration of the native linking except now I've got some functions that as I'm stepping through helped me understand a little bit more about what's going on so the function type of which you can see is the the third function I'm calling there it's actually showing me that under the hood in JavaScript this is actually a pointer to a Redis client object in gos namespace and that's a that's a pretty nice thing to have to be able to use here as well also anytime you're in a script if you want to compile your binary for yourself but then be able to drop into a debugger we have a compiler flag enabled debugging and you can just use the function debug console just like you would be buggar and Chrome or anything like that and when you run your binary it will drop you into this same console right where you're at in the context of your script
outside of that as I mentioned before type of we have a bunch of specialty functions that are only available from within the debugger that's been something we've expanded on the last last several weeks to try and make the native native linking a lot more easy for people to do another one is symbol table so you can call the symbol table function in the interactive debugger and that's actually gonna go through and show you all the functions within goes namespace that you've imported in there our standard library is actually instrumented ingo you don't have to import it as a go module the compiler is smart enough to know oh you're calling a standard library function I need to link against that so
we talked about how cool it is there are some limitations and we'll just get these out of the way real quick first
thing no FreeBSD support I know that some of you neckbeards in the crowd I'm looking front row here are gonna be real upset about that but I don't think it's impossible it's just something where it was on a medium priority list for us to go and get done I think as go becomes more FreeBSD compliant in things like its OS and user Lib will be able to extend support to this as well one of the other two limitations that kind of people I've seen have have issues with is these are large binaries if you've ever worked with go before you know that go binaries are never known to be the smallest tiniest payloads in the world another limitation is the regular expressions if you're gonna do any regular expressions in JavaScript they need to be essentially compliant with the re2 library that's that go uses so things like look Ahead's and stuff like that you're not gonna have compatibility in that so you got to be careful you can't use crazy complex regular expressions in it one of the another thing that's been kind of difficult for us has been versioning goes versioning story has not been the the greatest part of the language as it's evolved over the years and that made it hard for us to do things like lock you into a specific version of it so as dan and I have done this day and it'll go write a bunch of G scripts and then I'll come around and I'll make a compiler change that'll break all his scripts and he'll be like oh why can't I still will stick with the old version well a lot of that has been tied to this this go versioning problem in the future go is releasing in 1.11 their new go mod support I think in the next next major version of G script will actually release with an ability to lock your your engines to a specific version of G script and be able to have backwards compatibility as we said before five is the only thing we support right now working on es6 support there's complicated reasons why that's difficult for us but something we'd like to do as we talk to people to write a lot of JavaScript they seem to think that would have been a really nice feature for us so we're working on that also something that we don't have is a lot of the JavaScript concurrency primitives that you guys might be used to just like in es6 you have async we don't have that stuff right now because our virtual machine is actually instrumented in native go we have to do all of this concurrency actually outside of that virtual machines namespace but as I
mentioned before we have the standard library you don't need to be a go programmer to to know how to use this on a basic level we've got libraries that
cover almost every type of basic OS functionality you'll need they're entirely cross-platform they're supported by us if there's ever a bug in one of these that you find please file it against us we will fix it immediately it is exactly the type of stuff where as we sat down and use G script in yeah you know in our jobs and at C CDC we were able to say oh there's some parts of go that are just complicated and maybe not straightforward for for the normal person so let's just go kind of wrap that basic functionality and in our standard library and present that to users for ease so with that I'm gonna
hand it back to Dan Dan's gonna talk about some of the ways that we've used this in the real world and why it just has really been powerful for us so like
Alex was saying one of the number one reasons we use it is because we encounter a wide array of systems Windows Linux and Mac and we didn't want to keep rewriting our techniques for these different operating systems it was really kind of a pain so we really like the cross-platform features of it you can actually write G scripts completely system like you can write them completely cross-platform with a binary itself will determine which operating system it's on using go and then execute according to that obviously you have to compile it to a specific architecture so at the compilation time there's always that and when you're embedding assets you still need to embed assets that can run out in that specific architecture but the platform itself is cross-platform so I love that it's also really easy to use originally we were considering like having people write the golang for that original genesis dropper and then use that to embed their stuff and it was a really hard kind of ask for people to learn golang so instead we decided to roll this out because now all they have to do is learn JavaScript and JavaScript is really forgiving unlike golang where it's really opinionated and you have to like handle all your errors so we think the barrier to entry with javascript is a lot lower than going another neat feature of that is when we added the golang native linking now it's also a good like gateway to learn go lang right you can start with JavaScript you can play around in the debugger and eventually you can just start writing your own golang native libs and then call them from g script which is pretty cool just like I was saying where you can call any golang native library like all hub which is really freaking sweet you can also wrap your existing tools so you don't really have to change any of your existing tactics or any of your existing methodology you can just instrument them now with G script which leads me to my next point which is this is now like persistence and techniques as code it's very auditable we can give somebody this script that says this is exactly what it's going to do when it hits disk which is really nice because as you'll see we've been building a community around documenting all of these different G scripts or I'm sorry documenting leiter attack techniques in G script so now if you're familiar with my air attack where you have these small little atomic techniques we've been writing G scripts such that you can compile native unsigned binaries with these techniques it's kind of neat because this way you can see can I detect an unsigned binary doing this from a blue team perspective as opposed to like a script doing this which might be easier or harder depending on your termination so like I was saying we've
been writing a ton of G scripts and we've been writing them to the miter attack framework I tried to make them as atomic as possible so I try to keep the techniques as as small as I can because you can compile n number of G scripts into a single binary so the idea is you have a bunch of little techniques that all play well together and again we really want people to contribute stuff we want to continue to catalog that might our attack framework such that we can compile it these native binaries so again this tool was really built with a community in mind this tool was built with multiple red teamers contributing payloads to build a single binary it's really collaborative like collaborative post exploitation is the idea we want everybody to contribute a G script and an implant and we're gonna run them all on the victim because we're a team
so here's a quick little example just showing some stuff up here we have a go import of a native package which is OS we're going to use this to create a temp directory later but we also import a special library we call we made called the X library we had a lot of help with a unnamed person in the back and this is an amazing library because these are the functions that yes they're platform-specific but we would be remissed to leave them out right this is Windows registry editing this is process injection this is kind of that fancy stuff that is platform specific and again we move that into the X library because the core of G script is supposed to be cross-platform and then below that we're embedding this Crisanta XE this is any arbitrary executable in our case it pops or croissant because croissant rock we croissant okay so first thing we're doing is in this first block this is just prepping the asset this is just saying we have an embedded asset from compile time and we're just going to create this random temp directory string and that's where we're going to write this asset access at execution here we're actually using the standard library just to write that file to a path we're dropping a file so this is like a great detection exercise and then here is in run one ski and we're just adding this to show this persistence method so the idea here is we're creating persistence as code and we're abstracting the implant from it right so now you have this arbitrary now you have this arbitrary persistence technique and you can just persist any old implant and it's great for detection ops because do we detect persistence technique it's also really cool for
hunting ops one thing that I really like is this idea of compiling a G script with multi techniques in it like a technique a and a technique B and we can run this and then later a blue team can find this they can dissect this and they can understand the techniques in it then they can hunt on those techniques let's say they had a an alert for technique a they reverse it and they learn about technique B then they can hunt their data for technique B then we can play these games where we also compiled a binary wood technique B and technique C and do they find that right something they may not have the alert for so it's kind of cool for these like advanced hunt operations if you can get there in your organization so kind of just like
why do we really love this like if I could give you like one line and number of techniques we keep the techniques really small and auditable we wrap our existing tools so nothing really changes we still use our C twos we still use all of our favorite tools on disk or in memory but we can codify the techniques of how we're instrumenting them and then run them with a single click so like what's not to love so this always works
right one really cool part about CCDC Dave Cohen is like the Grand Master and he has this great strategic vision and at the end of day two at some point he really liked young leashes the hounds he kind of like lets us go right and we have to burn things down so like taking down services is pretty straightforward right like service whatever stop pretty basic and boring so you want to get creative with it you want to have some fun so one thing we we like to do is make these troll payloads or troll where if you will so here we've bundled a ton of
different troll ware and we're just executing on a Windows machine the idea here is you just see how much stuff can happen at once and what you can really
do with it it's a little overwhelming when it will execute and then it blue screens the box
but it's cool so I'm just stepping into
the directory where it is I'm making the screen bigger so you can kind of see stuff as it happens but once we execute this the whole machine just goes to you know goes to hell so this is kind of run multiple payloads this runs the MEMS which was made by leoric popularized by dan cute we had a good friend reversed like a bunch of malware on the internet and we we
instrumented that so that's just some of the troll where we like to throw around all right one demo down one more to go yeah the next one is actually live that was just a video but we're gonna do this one live too we had another demo as well planned our IP in the back there but we'll we'll save that for for next year right so I'm gonna boot up a virtual machine here called DEFCON 26 demo this is just a standard OSX virtual machine
I'll make it fullscreen in a minute here but first thing I want to do is is I'm gonna let's go through and make one of these together right so I've got my terminal up here you guys can read that I'll make a little bit a little bit bigger for you guys cool so I've got my terminal I'm gonna do an LS I've got in here we'll just go ahead and remove my test one so we can actually do it live in it I've got a a folder with a bunch of G scripts right this is all just Mac persistence technique doing things like to say blowing the firewall and enabling guests and doing some SSH key persistence right and all of these I'll show you one like a service installer it goes through and uses a library that we wrote called X service so this is an experimental library but it actually is a cross-platform service installer so it doesn't matter if there's an it D or excuse me if there's like sis V and net or system B or it's a Windows box you can very easily in one unified library install a system service which is always fun and we'd love to do that when we're red teaming so I've got all these scripts I'm gonna just go through and make one now live here with you so I'm going to do G script compile - - output file users demo OS X live dot bin and then I'm going to say G scripts star dot GS and we're gonna run this it's going to take a minute but relatively fast for considering what it's doing most of the time it's spending right now on this it's spending actually embedding and encrypting all of the payloads that we're putting into this into the binary itself so I think this takes about 20-30 seconds right now but as you see here it does tell you all the scripts that it's it's essentially bundling into this executable it lets you see some information that we're doing this for a Darwin here's the output file and some of those compiler flags which I talked about before so being able to keep the
build directory which will show you the source code that was used to make this enabling upx compression disabled by default a lot of different options will give you and don't scroll down it's done I'm going to look in there it is a 26 megabyte binary what payloads are you putting in here lord thank god that's local and we have internet cool i am going to while i'm
here ssh into our merlin server team ox there we go we've got some old dummy agents but that's fine then not connected yet let's go into our vm now and take the
executable that we just built OS x live copy it over there we go I don't have logging enabled I didn't
able any of that so it's gonna be silent so we're gonna say sudo dot slash desktop OS X live inter and a bunch of stuff is happening and then enter my password that's not fishing at all
boom so something happened I don't really know what if I look back at my
Merlin I've now received a new agent check in live demo thank you and we'll just come
in here and look and see some things so File Sharing remote login remote management all this stuff was turned on so all of the attack techniques that we
just bundled into this were actually run on this machine right so if you're if you're a red teamer I think you can extrapolate why this is so valuable tool to use in your tool chain if you're a blue team err if you work at a company that has a bunch of detection systems man how many of you guys have always wanted to know whether your vendor was actually telling the truth that they detect this thing or not you can write the G script and I promise you they're not going to detect the binary if they detect the actual activity then you can validate that and that's really the fundamental problem right now in the blue team space is how do I trust that when a vendor sells me something that says it does X that I actually know it can actually do that what we're trying to do here is provide blue and red teams alike the ability to codify these techniques in a way where basic signature detection on a file is not going to just cheat the the actual result of saying yeah I detect when something does shell code injection will do you do you actually detect that or you just detect that a file has a string in it that matches a certain thing right this is the type of evolution in security that we're trying to present to the world so I will come back to our talk here and that's it version 1 is
live right now on github I've written some documentation Zout I've got some shout outs for some awesome people who helped us with this on the side as well as somebody totally unnamed who didn't help at all with this project and he's not here he didn't help us his name is not at the bottom of that list of authors there so with that I'd like to open it up to you guys for questions comments anything thank you anybody questions you just raise your hand yes right there say it say that one more time you probably could I've not so the big problem with it has been the regular expression compatibility so the question was could you run a normal JavaScript application within within G scripts yes as long as it didn't break the regular expression or the asynchronous incompatibilities right now it should be fine so something like underscore for example does work within it you can you can load an underscore library into that and it would work just fine the the es6 compatibility is something where i think if we can get that actually implemented it'll give us a lot more flexibility in being able to being able to allow more current JavaScript tools to be able to be brought inside of it yes right here good yes no no everything is so the question was does the the dropper fetch things from the github URL it doesn't when you run G script compile it contains everything you need right than in there into the binary so everything happens at compile time all the embedding does it was one thing we were kind of on the fence about of saying okay do-- are should our droppers reach out and get stuff or should we just really try and pack them tightly and safely internally one of the ideas there is when you're in a high security context solution you may only have one or two ways out so you want to do things locally and then use that existing C to channel to shuttle stuff over right so we have a request library and you can like pull stuff down but personally I like to kind of do stuff and then go out of existing C two channels and just operate through those channels I think we had a question over here yes yeah so the the encryption of the assets is just a es 256 I'm not gonna claim to be a crypto expert but I try and just follow best practices on that it is isolated per VM and its unique every time you compile so it's not it's not generated in any sort of deterministic way now the obvious Gatien I'm glad you asked the obfuscation I would say is implemented in a way that assures zero reproducibility of builds so if you're trying to reproduce a an md5 hash of two exact same inputs and outputs of a G script binary I doubt that would actually ever happen the Optus cater is meant to try and remove the ability to find static strings within it it's meant to randomize things like function names and address space within the binary itself and then we also have a post office cater that is not turned on by default but you can play with it it works really well on Windows and OS X Windows excuse me it works really well on Linux and OS X Windows it kind of has some has some problems with sometimes it basically after go compiles your native binary it just goes through and starts patching stuff out of like the native executable it's really dirty but it does actually work it does a great job sometimes yeah sometimes that's why we test right anybody else have a question we've got about five minutes left I move you over here I haven't no come on everybody just wants to go to sleep right yeah we got a question in the back there what if you want to write your own compiler that's a great question so we've implemented G script basically as in everything you've seen here that was from the obfuscator to the compiler to the engine itself it's all implemented itself as a library so if you wanted to implement your own compiler you could actually take the engine library figure out how to translate whatever it is you wanted as your input into an engine itself bundle that together and whatever way you want and then boom you've got you've implemented your own essentially G script compiler we've got some stuff on the works if you're going to be at our workshop to if you're gonna be at our workshop
tomorrow we'll touch on on that a little bit of how we're we're actually looking at implementing AC 2 in G script so that the C 2 itself can supply the binary with G scripts at execution time and so there's not actually something bundled into it or it can say hey switch up the C to channel talk to me now on this other channel interesting stuff like that is I think what you'd probably see from us next year and another follow up talk yes right here yeah so we don't have a slack we probably should have a slack that's probably a good idea we at this point it's just been on github we if you send me a pull request I would love it we put a lot of effort into this it's particular taken a lot of engineering hours and we're excited to kind of share it with the community a lot of stuff we do at CCBC we don't necessarily always release so this has been something where we're excited to say look here it can it can be good for the greater community at large we have a few contributor guidelines too and then there's a lot of ways to get involved you can write G scripts you can help write different native libraries you can help add to the compiler itself and you can even just help with the documentation right like anybody that wants to get involved we're really receptive to people helping I think we're one more where me yes yes so inside the documentation if you go to this github there will be a link to Dan's repo where he is actually doing all of that mitre mapping in a separate repo I'm open to a suggestion so when you check it out if you think there's a better folder structure right now I was just doing it based on platforms and then I have each of the techniques linked in like the meta information in the top but if there's a better way to organize it I'm all ears cool I think two minutes left anything else anybody raise your hand you think you might use this at some point you little sweet awesome maybe we'll have a little G Script con sometime thanks guys [Applause]
Feedback