Sunday, October 22, 2023

Using command line redirection and DLL ordinals to potentially bypass detections

I came across this during a pentest. The techniques mentioned here are not new and there are already some detections in place but I don't see these techniques being used regularly...

Command redirection

The concept of redirection for command line is well known and is commonly used. (This should provide more info:

For example, you can do `COMMAND > output.txt` to save output from a command.

There is also `<` where you can pass input from a file to an interactive binary or executable.

Additionally, you can also do | to pass input to a binary. 

Here are examples:

The redirection technique using < is what I observed during an alert from a pentest.

Essentially, the attacker added their commands for ntds dump to a text file then passed the text file to ntdsutil.exe using <. so `ntdsutil < filewithcommands.txt`

Usually, this is what you may see: ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q 

If your detections are looking specifically for command w/ "ac i ntds" and "create full" and the attacker uses the redirection technique, you may miss a detection.

There are sigma rules here that would and wouldn't miss this:

I just thought it was interesting for the attacker to write commands to text file and dump ntds.dit this way since I've never seen it being done like that.

Rundll32 w/ ordinals

This once again is not new. If you've done malware analysis, you've probably seen dll functions being called by the ordinal #. 

Essentially, you can call a function by ordinal instead of the function name.

These articles should explain the concept better:

Here's an example:

instead of using LaunchApplication, I can use #1 as that's the ordinal.

The way this technique was abused during pentest was for lsass dump. The attacker used rundll32 w/ C:\windows\System32\comsvcs.dll to dump lsass.

Typical command you'll see for this is ".\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"

If we go look at comsvcs.dll and for MiniDump, we'll see MiniDumpW at 18 (hex -> decimal would be 24)

Instead of writing MiniDump with comsvcs.dll in rundll32, the attacker replaced it with #24. If you're looking specifically for comsvcs and minidump, the rule would miss this. Again, this was the first time I've seen someone do lsass dump this specific way.

There are some rules here that would and wouldn't detection this technique:

Just wrote this to share and to keep this in mind when looking at alerts, hunting, or writing detections. 

This assumes you only have 4688/command line logs. I'm aware that there are other ways to detect this activity but 🧂 sometimes you're lucky to even have 4688. 🧂 (yeah I work for a managed security provider)

Saturday, October 7, 2023

Installing Whonix Gateway on Proxmox for threat & malware research


Whonix is a tool for routing traffic through Tor.  Whonix VM's come as Desktop/with UI or CLI. They provide two types of VM's, one is gateway and one is workstation. Whonix gateway can be used to route traffic through tor when you attach other VM's to it. 

In this post, I'm just setting up Whonix Gateway CLI so I can route my VMs through tor while I'm reaching malware or threats. 

This set up may not always be ideal for research as some C2's, phishing kits, and OSINT research sites may block tor exit nodes.

Warning: This method isn't officially supported by Whonix and I can't guarantee this is 100% safe and won't leak anything or won't allow an attacker to escape the whonix network or fingerprint you. Do your threat modeling and risk assessment for what you're planning to research or allow to execute in VM's. Follow official Whonix guidelines if you don't know what you're doing or don't feel comfortable doing this.

Proxmox Network Preparation

We need to create a new Linux Bridge/virtual network for Whonix so VM's can communicate with Whonix Gateway.

In proxmox host network settings, add a new Linux Bridge

Click "Apply Configuration" at the top to finish creating the bridge.

fyi: you may see vmbr1 if you don't have another bridge set up already.

Creating a VM

We need to create a VM to run to run Whonix Gateway in. We'll create the VM first then import the Whonix Gateway VMDK into it.

Pick a name

Click Do not use any media
Delete the disk, we'll import a disk later

CPU & Memory can be left at default values, however, I'm lowering my memory to 1024.
Network can be left as default vmbr0. We'll add 2nd interface later.

Once the VM is created, go to VM Hardware and add Network Device.

Pick and add Whonix bridge

That's all.

Loading the Whonix Gateway disk

Download Whonix CLI OVA file from here:

SCP the file to Proxmox.

Use tar to extract the OVA file, which will give you VMDK files.

Use qm import command to import the disk to your VM

The whonix-gateway-cli VM I created earlier has the id of 100. My storage is local-lvm (it's default proxmox storage). 

Once the Importing is done and you get the message of successful import, run qm rescan.

Feel free to remove the extracted files and ova file.

Modifying the Whonix Gateway VM again

Now we need to enable the disk and change our boot settings.

Go to Whonix-gateway-cli VM and Hardware tab and double click on "Unused disk 0" then click Add

Go to Options, double-click Boot Order and modify it to boot from scisi0/the disk we just loaded.

Configuring networking inside whonix-gateway-cli VM

Make sure to remember the MAC addresses for net0 and net1 listed in hardware tab.

Essentially, we want to make sure that net1/vmbr2/whonix network has IP.

net0/vmbr0/normal network needs to be configured w/ static IP.

Start the VM and go to the console.

Login with user/changeme then go through all the set up steps.

When the machine is trying to connect to tor, press control+c to cancel the script and get a shell.

Edit the network configuration

Change the default eth0 configuration to configuration that matches your network. Since Proxmox VM isn't behind NAT, it should be matching the network your proxmox machine is on.

This is default:

This is what I changed the configuration to:

Reboot the VM.

Login and run "ip a" command to ensure that Whonix network has IP and eth0 has an actual IP for your normal network. Check the MAC address to make sure it matches the hardware you have attached.

Run "sudo systemcheck" to make sure you're connected to tor.

Check your IP and make sure it's not your IP.

Reboot the VM.

Attaching a VM or Container

I'm attaching a container to the whonix network but you pretty much do the same with VM but static IP assignment needs to be done inside the VM rather than proxmox webui. Check whonix docs and links below.

I have created an Ubuntu container with the following network settings

Check IP


Have fun researching threats & malware!