Adversary Village

Diego Capriotti

Lead Offensive Cyber Security Team at Axians Italy

Diego served 15 years as an Engineer Officer and tackled many problems that had real-life operational impact. He has 5+ years of experience in information security positions for both Public and Private sector focusing on both offensive and defensive security.

During this time, he focused mostly on pen testing, adversarial emulation, and reverse engineering. In the past he has been in charge of "hacking the RF Spectrum" for the Italian Army. He is now leading an Offensive Cyber Security Team for a Multinational Company in Italy.

Talk: Python vs Modern Defenses
Adversary Tradecraft

In recent years the offensive infosec community has shifted from Powershell tooling to C#. Other less popular lanuages like Nim, Rust, F#, Boolang have also been leveraged to create custom tooling. Modern endpoint defenses are deploying kernel callbacks, userland hooking and ML models to help identify threats. Security-by-default configuration is also becoming the new mantra that will hopefully challenge attackers and narrow down their avenues for action. Furthermore, very popular offensive commercial tools are under increased scrutiny by security vendors, so there's the need to have alternative capabilities and tools at hand. For these reasons, it is crucial for pentesters to know the full potential of a language as a foundational stone for tooling and evasion capabilities that can be brought to the game. In this context of improving security, Python language has something more to say. During the talk will be presented several techniques that can be leveraged using a Python implant to bypass modern defenses by:
1. Importing python modules dynamically and in memory to bring the vast amount of offensive tooling straight into the interpreter or the implant. Impacket tools and bloodhound-python will be imported and ran entirely from memory.
2. Executing Cobalt Strikes’s Beacon Object Files (BOF) through the Python implant and use them to stealthily dump lsass process memory. BOFs are first converted into shellcode before execution (ref. ).
3. Decoupling C2 communications to reduce implant network fingerprint.
4. Using Python bundle that comes with a signed interpreter that can be dropped to a machine with low probability of alerting because of Python's wide adoption. The tool used to leverage the afore-mentioned capabilities is named Pyramid and will be published during the talk. Common post exploitation activities have been performed using Pyramid on endpoints equipped with top-tier EDRs, leveraging BOFs and in-memory loaded modules. Results showed that Python is still a viable language for evasion and post-exploitation tasks. Running scripts in memory through a signed interpreter binary can increase the probability of getting a non-malicious verdict by Machine Learning models. Furthermore, modern defenses lack extensive visibility and native prevention capabilities because currently there is no AMSI for Python where security vendors can tap into. Python provides “audit hooks” (ref. ) that can make Python runtime actions visible to auditing tools. However, audit hooks are not enabled by default in Python official bundle since they will downgrade performance. All things considered, Python might currently represent a blindspot for modern defenses and this could be true for the foreseeable future unless a new surge in popularity as an offensive tooling language will make security vendors put more efforts into malicious Python detection, just like it happened for Powershell or C#.