Environmental Keyring

Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keyring uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keyring is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.
Values can be derived from target specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keyring can make sandbox detection, anti-virus detection, crowdsourcing of information, reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques and procedures (TTPs).
Similar to Obfuscated Files or information, adversaries may use environmental keyring to help protect their TTPs evade detection. Environmental keyring may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. By utilizing target-specific values to decrypt the payload that adversary con avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like Execution Guardrails, environmental keyring can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While used of Virtualization/Sandbox Evasion may involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
Example:
This is the most simple and basic example I managed to write since my programming or cryptographic skills barely leave the floor.
First I will create a payload and edit my configuration to use an environmental variable (DESKTOP-ALPHA) which would be the computer name of my target and it's Domain name DC(DominionCyber) to encrypt a payload using these 2 as keys. Once these 2 are found in the system the payload will decrypt and execute.
Will compile the payload and configuration using the Ebowla Tool.
Now I will follow the instructions to compile my payload as this tool contains 3 methods PowerShell, Python and GO.
Now for execution and see what it does for the payload to work. We can see in the output that the payload has a KEY and will find this key strings on our target environment if found it will use these to decrypt and execute with our reverse shell.
Found successfully on our attacking machine a successful shell connected back to us. This was successful since the variables in the target machine match our keys.
And you can see here that the hashes match for a successful decryption as well in here:
Shell
Here is a great resource and understanding on how it would work properly.
GitHub - ohoph/3bowla: Python3 Ebowla... 3Bowla
GitHub

T1480: Execution Guardrails

T1197: BITS Jobs

Last modified 1yr ago

Copy link