
How to use the Build Events feature to perform code reproduction

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how the Build Events feature can be used to execute code, reproducing the technique seen in a real attack. The editor finds it very practical and shares it here; I hope you will gain something from reading it.

Google's TAG security team disclosed a social engineering campaign, conducted through Twitter and other social media, against security researchers working on vulnerability research and development at various companies and organizations. According to the analysis by Green League Science and Technology's Shadow Laboratory, the incident was confirmed to be a targeted attack by the Lazarus group against the network security industry, and it was speculated that there might be deeper attack intentions and follow-on actions behind it. Green League Science and Technology's attack and countermeasure research team, M01N Team, also carried out a comprehensive analysis of the incident and concluded that it is a typical social engineering attack in the spirit of "openly repairing the plank road while secretly marching to Chencang". This article will also reveal a new type of indirect command execution technique used by Lazarus in this incident.

Lazarus is an APT group from the Korean Peninsula. It has been active since 2007 and has carried out long-term attacks against South Korea, China, the United States, India and other countries. According to investigations by foreign security companies, Lazarus is linked to the 2014 hack of Sony Pictures, the 2016 Bangladesh Bank data breach, and the 2017 attacks on US defense contractors, US energy departments and bitcoin exchanges in the UK and South Korea. The WannaCry ransomware outbreak, the most notorious security incident that swept the world in 2017, is also suspected to be the group's work.

The specific approach was to first "age" the social media accounts to build up credibility, and then trick security researchers into downloading a POC containing malicious code that triggers malicious commands and code during compilation.

The Lazarus attackers set up a research blog and multiple Twitter accounts disguised as security researchers, most of them tagged with web development, browser vulnerability mining, Windows kernel security and even CTF; they posted security research updates and retweeted and commented on each other to expand their influence.

In addition, their blog (https://blog.br0vvnn[.]io) published several analyses of publicly disclosed vulnerabilities, complete with comments from unsuspecting security researchers, in an attempt to build a higher level of trust within the community.

After establishing a certain research reputation, the attackers actively sought out target security researchers, expressed their hope for deeper cooperation on vulnerability research, and then shared a Visual Studio project file with them. The project is ostensibly the POC code for some vulnerability, but it contains malicious commands and code waiting for the target researcher to compile and execute.

Green League Science and Technology: https://mp.weixin.qq.com/s/7RwH5_h2rGn3MxGIngal6A

From the Green League Science and Technology article we can learn the background and some details of the incident.

The public report tells us that the Lazarus group's method relies on Build Events, so let's reproduce it.

First, let's look at what the Microsoft documentation says about Build Events.

By specifying a custom build event, you can automatically run commands before a build starts or after it finishes. For example, you can run a .bat file before a build starts or copy new files to a folder after the build is complete. Build events run only if the build successfully reaches those points in the build process.

https://docs.microsoft.com/en-us/visualstudio/ide/specifying-custom-build-events-in-visual-studio?view=vs-2019

In other words, by specifying custom build events we can run commands automatically before the build starts or after it finishes, and the build events only run if the build successfully reaches those points in the build process. For example, you can run a .bat file before the build starts, or copy new files to a folder after the build is complete. This is not hard to understand.

Reading further in the Microsoft documentation, we see that Build Events consist of three events:

1. Pre-build event command line: performs custom tasks before compilation. Specifies all commands to be executed before the build starts. The pre-build event does not run if the project is up to date and no build is triggered.

2. Pre-link event command line: performs custom tasks before linking. Specifies all commands to be executed after compilation and before linking.

3. Post-build event command line: performs custom tasks after compilation is complete. Specifies all commands to be executed after the build ends. The "Run the post-build event" option controls when it runs:

Always: runs the post-build event regardless of whether the build succeeds.

On successful build: runs the post-build event if the build succeeds. Therefore, as long as the build succeeds, the event runs even for an up-to-date project.

When the build updates the project output: runs the post-build event only if the compiler's output file (.exe or .dll) differs from the previous compiler output. Therefore, the post-build event is not run if the project is up to date.

https://docs.microsoft.com/en-us/visualstudio/ide/reference/build-events-page-project-designer-csharp?view=vs-2019

The Microsoft documentation also gives the corresponding XML elements, which interested readers can look up.

The Lazarus group used Visual Studio, so let's reproduce the technique there:

1. Open Visual Studio

2. Create a new project

3. Open the project's properties

On the Build Events page you can see the three kinds of events.

Let's look at the first event.

The pre-build event can execute either a command line or macros:

Since this is only a brief reproduction, the macro case is not discussed here.

Generate the PowerShell script directly in Cobalt Strike.

Put the command into the pre-build event in Visual Studio.

Apply, then compile.

The beacon comes online immediately.

Next is the second kind. My computer is rather sluggish, so I won't bring up Cobalt Strike again; let's use popping up the calculator to show that it works.

Compile.

By the same token, the third kind works too.

We can also add the commands we need to execute directly in the project file.

Open the project directory.

The file ending in .vcxproj is the one we need.

*.vcxproj: project file for VS2010 and later versions of VS

Open it with Notepad++; the file is actually XML.

Now look for the three XML elements PreBuildEvent, PreLinkEvent and PostBuildEvent.

PreBuildEvent is used here.

You can see that PreBuildEvent has parameters, and this is where the command to execute goes.

Save the file, import it into VS and compile.

Here is one more trick. The analysis articles online all say that there are three usable points: PreBuildEvent, PreLinkEvent and PostBuildEvent. In fact, there is one more place we can use.

Look back at the .vcxproj file and search globally for Command: there are four Command parameters.

Besides the three we discussed, there is one in the middle.

Add the command we need to execute.

Save and compile. It does not work at first; checking the Microsoft documentation, we learn that we also need to provide an output parameter.

Then compile, and the calculator pops up.

Graphical usage

In theory, any IDE can be used this way. Let's look at the process in Microsoft Visual C++ (VC).

Open VC, create a new project, find Project in the menu bar, then open Settings.

Fill in the commands we need to execute.

I'll pop the calculator here and compile the project into an exe.

Our command is executed when the project is compiled.

Of course, there are also three kinds here:

1. Custom build

2. Pre-link step

3. Post-build step

The custom build step has two parameters, Command and Output.

As long as the command can output our shellcode, it's fine.

It can also execute our commands.

In the same way, the post-build step can execute commands.

While going through the materials afterwards, I found an interesting article.

I reproduced this APT technique above in Visual Studio. Looking at the Microsoft documentation again, we find that Visual Studio has a build engine: the Microsoft Build Engine.

The Microsoft Build Engine is a platform for building applications. This engine, which is also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software. Visual Studio uses MSBuild, but MSBuild doesn't depend on Visual Studio. By invoking msbuild.exe on your project or solution file, you can orchestrate and build products in environments where Visual Studio isn't installed.

Visual Studio uses MSBuild to load and build managed projects. The project files in Visual Studio (.csproj, .vbproj, .vcxproj, and others) contain MSBuild XML code that executes when you build a project by using the IDE. Visual Studio projects import all the necessary settings and build processes to do typical development work, but you can extend or modify them from within Visual Studio or by using an XML editor.

It is not hard to understand: MSBuild can orchestrate and build products in environments where Visual Studio is not installed (which can simply be understood as executing code), and Visual Studio uses MSBuild to load and build managed projects, such as the Visual Studio project files .csproj, .vbproj, .vcxproj, etc.

.NET Framework 4.0 added support for a new feature, Inline Tasks, which are contained in the UsingTask element and can be used to execute C# code from within the XML file.

Does this look familiar? Haha.

Yes: in our reproduction of the APT group's method the point of use was the .vcxproj file, so the technique also works without VS.

Download msbuild.exe from Microsoft; it can also be found in .NET.

Generating the payload code directly in MSF is not difficult.

We use Microsoft Visual Studio to create C# code saved in MSBuild format with the suffix *.csproj, so that it can be compiled into an executable using the MSBuild platform. With the help of a malicious build process, we can get a reverse shell from the victim's computer. Next we need to generate a file.csproj; to do this, we first generate C#-based shellcode with msfvenom, then put the shellcode into our file.csproj, as shown below.
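As an added defensive example (not code from this article or from any of the projects it cites), the following Python script parses an MSBuild project file and lists every point at which a build can run code: the Command element under PreBuildEvent, PreLinkEvent and PostBuildEvent, the fourth Command discussed above (in the sample it sits in a CustomBuildStep with its Outputs element; those element names come from the MSBuild schema, not from the page), Exec tasks, and the C# body of an inline UsingTask. The sample .vcxproj is constructed for this example; the idea is to run such a check over a shared project before opening it in VS or handing it to msbuild.exe.

```python
"""Audit an MSBuild project (.vcxproj/.csproj) for build-time code execution points."""
import xml.etree.ElementTree as ET

# Constructed sample project (not from any real repository): three build
# events, a fourth Command in a CustomBuildStep, an inline task and an Exec.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <ClCompile><Optimization>Disabled</Optimization></ClCompile>
    <PreBuildEvent><Command>calc.exe</Command></PreBuildEvent>
    <PreLinkEvent><Command></Command></PreLinkEvent>
    <CustomBuildStep>
      <Command>powershell.exe -File stage.ps1</Command>
      <Outputs>dummy.txt</Outputs>
    </CustomBuildStep>
    <PostBuildEvent><Command>copy $(TargetPath) out\\</Command></PostBuildEvent>
  </ItemDefinitionGroup>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs">/* C# runs at build time */</Code></Task>
  </UsingTask>
  <Target Name="AfterBuild"><Exec Command="echo done" /></Target>
</Project>
"""


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit('}', 1)[-1]


def find_exec_points(xml_text):
    """Return (kind, command) for every element that can run code during a build."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name == 'Command' and el.text and el.text.strip():
            # PreBuildEvent, PreLinkEvent, PostBuildEvent and CustomBuildStep
            # all carry their command line in a Command child element.
            findings.append((_local(parent_of[el].tag), el.text.strip()))
        elif name == 'Exec' and el.get('Command'):
            findings.append(('Exec', el.get('Command')))
        elif name == 'Code' and el.text and el.text.strip():
            # Inline task body: arbitrary C# compiled and run by MSBuild itself.
            findings.append(('InlineTask', el.text.strip()))
    return findings


if __name__ == '__main__':
    for kind, command in find_exec_points(SAMPLE_VCXPROJ):
        print(f'{kind:16} {command}')
```

The empty PreLinkEvent in the sample is deliberately skipped, so only populated command lines are reported.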

The specific techniques have been summarized by predecessors:

https://www.cnblogs.com/backlion/p/10490573.html

Here are some additional tricks.

Executing PowerShell commands

Here we refer to the techniques of 3gstudent and Casey, but the POC given by Casey is no longer available, so we can use 3gstudent's POC instead.

https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20PowerShellCommands.xml

The above is how to use the Build Events feature to perform code reproduction. The editor believes there are some knowledge points here that we may encounter or use in daily work. I hope you learn more from this article; for more details, please follow the industry information channel.
