Understanding & Detecting C2 Frameworks — HARS (HTTP/S Asynchronous Reverse Shell)

Introduction

Hello and welcome to the third blog post in this series about understanding and detecting C2 frameworks.

HTTP/S Asynchronous Reverse Shell

https://raw.githubusercontent.com/onSec-fr/Http-Asynchronous-Reverse-Shell/master/Images/Concept.png

HARS_Server.py

The server portion of the code is located in “HARS_Server.py”. As always, let’s dive straight into main and go from there.

“__main__”

InitFile

“InitFile” Function
Example N°1
Example N°2

start_server

“start_server” Function
Server: BaseHTTP/0.3 Python/2.7.18
Server: Microsoft-IIS/8.5
“server.pem”
Self-Signed (RED) Vs. Signed (Green)

MyHandler

“MyHandler” Class
  • do_GET
  • log_message
“_set_headers” Function
Response from server
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: close
Log file example
“do_GET” Function
“HELLO” Response from the server
“stop_server” Function
Printing results
Web Server “Handler” Logic
Rest of “__main__”

HARS.exe

The client side of HARS is written in .NET (C#) and must be compiled if you want to use it. We’ll take a look at the executable later, but first let’s dive into the code.

  • Ask for instructions from the C2
  • Send results back to the C2
  • Exit / Terminate communications

Main.cs

  • Hide itself by setting the “Opacity” to 0, setting the window state to “Minimized” and removing itself from the taskbar by setting the “ShowInTaskbar” to “False”.
  • Create a PowerShell process that will handle all the commands sent by the C2.

InitializeComponent

Main_Load

Default “Error” message
ErrorMsgTitle = "This application could not be started.";
ErrorMsgDesc = "Unhandled exception has occured in your application. \r\r Object {0} is not valid.";

Init

“Init” Function
GET /search?q=search+something&qs=n&form=QBRE&cvid=QVMNZNTKDGWBPWARAMXZGWFJTQNUJXYK HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Cookie: SEVMTE8=
Host: 127.0.0.1
Connection: close
search?q=search+something&qs=n&form=QBRE&cvid=

FetchCmd

GET /search?q=search+something&qs=n&form=QBRE&cvid=IOSAHOBIBKFHYEQUMTGVKSAWXVLXGXUZ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Cookie: QVNL
Host: 127.0.0.1
Connection: close

ReplyCmd

“ReplyCmd” Function
GET /search?q=search+something&qs=n&form=QBRE&cvid=ZHSKOMDXYBOCTPZPJHTXFUOPJJBAVIAH HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Cookie: d2luLTYyY3B2NXQ2N2FhNjkxXGMy
Host: 127.0.0.1
Connection: close

“Config.cs”, Assembly Information And Strings

The “Config.cs” file that we glossed over quickly contains some useful information for detection. We’ve already looked at some of it, like the default error messages and the URI path. It also contains the default callback interval, which in this case is between 2 and 5 seconds. This is useful for correlating requests from the same host: a stream of identical “search” GETs spaced a few seconds apart is the agent’s beacon.

Assembly Information

Conclusion

That’s it for this blog post. Hopefully it was helpful and you got something out of it. If you want to get another perspective from a defensive point of view read the following blog by Lee Kirkpatrick

Indicators

Network Artifacts (Agent Side)

  • URI : /search?q=search+something&qs=n&form=QBRE&cvid=[Random_Base64]
  • HTTP Header (HELLO) : “Cookie : SEVMTE8=”
  • HTTP Header (ASK) : “Cookie : QVNL”
  • HTTP Header (EXIT OK) : “Cookie : RVhJVCBPSw==”
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: close
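The agent-side indicators above (fixed URI prefix, spoofed User-Agent, base64 control words in the Cookie header) and the 2–5 second callback interval from “Config.cs” can be combined into a single hunt over proxy logs. The following is an added example, not code from the HARS project; it assumes a simple constructed log line format (timestamp, client IP, method, path, user-agent, cookie) and the sample lines are constructed for the demo.

```python
import base64
import re
from datetime import datetime

# Fixed URI shape, spoofed User-Agent and control words taken from the post's indicators.
URI = "/search?q=search+something&qs=n&form=QBRE&cvid="
HARS_URI = re.compile(re.escape(URI) + r"[A-Za-z0-9+/=]+$")
HARS_UA = "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
CONTROL_WORDS = {"HELLO", "ASK", "EXIT OK"}
# Assumed proxy log shape: <iso-timestamp> <client-ip> <method> <path> ua="<ua>" cookie=<value>
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)" cookie=(\S*)$')

# Constructed sample log: one HARS check-in sequence from 10.0.0.5 plus an unrelated request.
SAMPLE_LOG = [
    f'2021-01-01T10:00:00 10.0.0.5 GET {URI}QVMNZNTKDGWBPWARAMXZGWFJTQNUJXYK ua="{HARS_UA}" cookie=SEVMTE8=',
    '2021-01-01T10:00:01 10.0.0.5 GET /index.html ua="Mozilla/5.0" cookie=',
    f'2021-01-01T10:00:03 10.0.0.5 GET {URI}IOSAHOBIBKFHYEQUMTGVKSAWXVLXGXUZ ua="{HARS_UA}" cookie=QVNL',
    f'2021-01-01T10:00:07 10.0.0.5 GET {URI}ZHSKOMDXYBOCTPZPJHTXFUOPJJBAVIAH ua="{HARS_UA}" cookie=d2luLTYyY3B2NXQ2N2FhNjkxXGMy',
    f'2021-01-01T10:00:40 10.0.0.5 GET {URI}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ua="{HARS_UA}" cookie=RVhJVCBPSw==',
]

def decode_cookie(value):
    """HARS base64-encodes its control word (HELLO / ASK / EXIT OK) into the Cookie header."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(line):
    """Return a hit dict for a HARS-shaped GET request, else None."""
    m = LOG_RE.match(line)
    if not m or m.group(3) != "GET" or not HARS_URI.match(m.group(4)):
        return None
    ts, ip, _, _, ua, cookie = m.groups()
    word = decode_cookie(cookie)  # anything other than a control word is a result payload
    return {"ts": datetime.fromisoformat(ts), "src": ip, "ua_match": ua == HARS_UA,
            "kind": word if word in CONTROL_WORDS else "DATA"}

def hunt(lines, min_gap=2.0, max_gap=5.0):
    """Collect hits and flag gaps that fall inside the default 2-5 s callback window from Config.cs."""
    hits, last_seen = [], {}
    for h in filter(None, map(classify, lines)):
        prev = last_seen.get(h["src"])
        h["gap"] = (h["ts"] - prev).total_seconds() if prev else None
        h["in_window"] = h["gap"] is not None and min_gap <= h["gap"] <= max_gap
        last_seen[h["src"]] = h["ts"]
        hits.append(h)
    return hits
```

Run `hunt(SAMPLE_LOG)` to see the HELLO → ASK → result → EXIT OK sequence with the 3 s and 4 s gaps flagged as inside the beacon window; the URI prefix alone is already a high-confidence match, the cookie decode and timing just add context.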

Network Artifacts (C2 Side)

  • Response from C2 contains the following headers
Server: Microsoft-IIS/8.5
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: close
Self-Signed (RED) Vs. Signed (Green)

Assembly Information (HARS Agent)

  • Title: $Title
  • Description : $Description
  • Company : $Company
  • Product : $Product
  • Copyright : $Copyright
  • Assembly Version : 1.0.0.0
  • File Version : 1.0.0.0
  • GUID : aca853dc-9e74-4175-8170-e85372d5f2a9

Endpoint Telemetry

  • Look for “Powershell.exe” as a child process of “HARS.exe”
  • Look for processes making HTTP(S) outbound connection

Other

Default error messages when launching the agent

  • “Unhandled exception has occured in your application. \r\r Object {0} is not valid.”

MITRE ATT&CK
