Lead Offensive Cyber Security Team at Axians Italy
Diego served 15 years as an Engineer Officer and tackled many problems that had real-life operational impact. He has 5+ years of experience in information security positions for both Public and Private sector focusing on both offensive and defensive security.
During this time, he focused mostly on pen testing, adversarial emulation, and reverse engineering. In the past he has been in charge of "hacking the RF Spectrum" for the Italian Army. He is now leading an Offensive Cyber Security Team for a Multinational Company in Italy.
In recent years the offensive infosec community has shifted from PowerShell tooling to C#. Other, less popular languages such as Nim, Rust, F# and Boolang have also been leveraged to create custom tooling. Modern endpoint defenses are deploying kernel callbacks, userland hooking and ML models to help identify threats. Security-by-default configuration is also becoming the new mantra and will hopefully challenge attackers and narrow down their avenues for action.
Furthermore, very popular commercial offensive tools are under increased scrutiny by security vendors, so there is a need to have alternative capabilities and tools at hand. For these reasons, it is crucial for pentesters to know the full potential of a language as a foundational stone for the tooling and evasion capabilities that can be brought to the game.
In this context of improving security, the Python language still has something to say. The talk will present several techniques that a Python implant can leverage to bypass modern defenses by:

1. Importing Python modules dynamically and in memory to bring the vast amount of offensive tooling straight into the interpreter or the implant. Impacket tools and bloodhound-python will be imported and run entirely from memory.
2. Executing Cobalt Strike's Beacon Object Files (BOF) through the Python implant and using them to stealthily dump lsass process memory. BOFs are first converted into shellcode before execution (ref. https://www.naksyn.com/injection/2022/02/16/running-cobalt-strike-bofs-from-python.html ).
3. Decoupling C2 communications to reduce the implant's network fingerprint.
4. Using a Python bundle that ships with a signed interpreter, which can be dropped onto a machine with a low probability of alerting because of Python's wide adoption.

The tool used to leverage the aforementioned capabilities is named Pyramid and will be published during the talk.
Common post-exploitation activities have been performed using Pyramid on endpoints equipped with top-tier EDRs, leveraging BOFs and in-memory loaded modules. Results showed that Python is still a viable language for evasion and post-exploitation tasks. Running scripts in memory through a signed interpreter binary can increase the probability of getting a non-malicious verdict from machine learning models.
Furthermore, modern defenses lack extensive visibility and native prevention capabilities because there is currently no AMSI for Python into which security vendors can tap. Python provides "audit hooks" (ref. https://peps.python.org/pep-0578/ ) that can make Python runtime actions visible to auditing tools. However, audit hooks are not enabled by default in the official Python bundle, since they degrade performance.
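As an added illustration of the visibility point above (example code written for this page, not part of the talk or of Pyramid), the following Python registers a PEP 578 audit hook via `sys.addaudithook` (present since Python 3.8; no hook is registered unless someone adds one) and shows that compiling and executing module source entirely in memory still raises `compile` and `exec` events that a defender can log, even though nothing touches disk. The sample module source, the `<memory:...>` filename convention and the watched-event set are assumptions made for the demo.

```python
import sys
import types

# PEP 578 audit events relevant to in-memory module loading and execution.
WATCHED = {"import", "compile", "exec", "marshal.loads", "ctypes.dlopen",
           "os.system", "subprocess.Popen"}
_events: list = []   # (event, detail) pairs captured while recording
_recording = False   # a registered hook cannot be removed, so gate it with a flag

def _audit_hook(event: str, args: tuple) -> None:
    # Keep the hook cheap and non-raising; record a short, safe detail per event.
    if not _recording or event not in WATCHED:
        return
    if event == "compile":
        detail = args[1]                               # filename passed to compile()
    elif event == "exec":
        detail = getattr(args[0], "co_filename", "?")  # code object being executed
    else:
        detail = repr(args[0])[:80] if args else None
    _events.append((event, detail))
sys.addaudithook(_audit_hook)

# Constructed sample: module source a stager would fetch and run straight from
# memory instead of writing a .py file to disk (assumption for the demo).
SAMPLE_MODULE_SRC = "def greet():\n    return 'loaded from memory'\n"

def load_module_from_memory(name: str, source: str) -> types.ModuleType:
    # Minimal in-memory import: compile a source string, exec it into a new module.
    mod = types.ModuleType(name)
    mod.__file__ = f"<memory:{name}>"                  # no backing file on disk
    code = compile(source, mod.__file__, "exec")       # raises the 'compile' event
    exec(code, mod.__dict__)                           # raises the 'exec' event
    sys.modules[name] = mod
    return mod

def observe_memory_import() -> list:
    # Run the in-memory import with recording on; return the captured events.
    global _recording
    _events.clear()
    _recording = True
    try:
        load_module_from_memory("demo_inmem", SAMPLE_MODULE_SRC)
    finally:
        _recording = False
    return list(_events)

def flag_fileless_code(events: list) -> list:
    # Detection rule: compile/exec whose code is not backed by a real file path.
    return [(e, d) for e, d in events
            if e in ("compile", "exec") and isinstance(d, str) and d.startswith("<")]
```

In a real deployment the hook would forward the records to a log sink rather than a list, and it would run from a startup file or `sitecustomize` so that it is in place before any implant code executes.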
All things considered, Python might currently represent a blind spot for modern defenses, and this could remain true for the foreseeable future unless a new surge in its popularity as an offensive tooling language makes security vendors put more effort into malicious Python detection, just as happened for PowerShell and C#.