
2. Global Protect Abuse 2/2

#globalprotect #redteaming #VPNabuse

Last updated 1 year ago


Introduction

In part 1 of this blog post we explored how to collect usernames, certificates and credentials, and how to bypass MFA, with the aim of gaining access to the target network.

In this post we will see how to connect to the target network, and then how to harden the VPN configuration so that attackers cannot use this attack vector.

Connecting to the target network

With all the information we have now, all that is left to do is to log in to the portal, download the VPN client and connect to the target network.

In our lab the GlobalProtect Portal can be found on https://192.168.198.250/global-protect/login.esp

Using the credentials captured previously through our Sliver implant, we can log in.

We can then download the VPN client on our attacking machine.

Once the client is installed, all we need is the portal URL and the credentials; if we are prompted for Multi-Factor Authentication we may also need to get the user to authenticate again.

When the client is installed we will see the following on the bottom right of our screen. If not, we can click on the GlobalProtect icon showing up next to the time and date.

We type in the portal IP or DNS name and hit connect. We will then get a prompt to type in our credentials.

And that's it, we are in.

We can now run our favourite tooling without worrying about any sort of endpoint protection. (Obviously that doesn't include any network-level protection.)

Defending against this type of attack

There are a number of ways this attack could be stopped:

  • Use machine certificates for client authentication.

  • Make use of Host Information Profile (HIP)

Machine Certificates

Machine certificates are much harder to extract than user certificates: extracting a machine certificate's private key requires Local or Domain Administrator privileges. Although not impossible to get, it is considerably harder to achieve straight after getting a foothold on the network.
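One check a defender will want after rolling out machine certificates is that the keys backing them were actually provisioned as non-exportable, since an exportable key lowers the bar from "patch the key isolation service" to "run one export command as Administrator". The following is an added example, not code from the original post or from Palo Alto: it walks the LocalMachine personal store and reports, per certificate, whether the private key is flagged exportable. The function name and parameter are hypothetical, and it must run elevated because reading machine-key metadata requires Local Administrator rights.

```powershell
# Added example (not from the original post): audit the LocalMachine personal
# store for certificates whose private key is exportable. Must run elevated,
# since reading machine-key metadata requires Local Administrator rights.
# The function name and parameter are hypothetical.
function Get-MachineCertKeyExportability {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $keyType    = 'Unknown'
        $exportable = $null   # $true/$false, or a string when it cannot be determined

        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy is a flags enum on the underlying CngKey
                $keyType        = 'CNG'
                $policy         = $rsa.Key.ExportPolicy
                $allowExport    = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                $allowPlaintext = [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
                $exportable     = (($policy -band $allowExport) -ne 0) -or (($policy -band $allowPlaintext) -ne 0)
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the key container reports exportability directly
                $keyType    = 'CAPI'
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
            elseif ($null -eq $rsa) {
                $keyType = 'Non-RSA'   # e.g. ECDSA; not inspected by this example
            }
        }
        catch {
            # Typically a permissions error when not running as Administrator
            $exportable = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyType    = $keyType
            Exportable = $exportable
        }
    }
}

# Usage: list only certificates whose key could be exported by an admin-level attacker
Get-MachineCertKeyExportability | Where-Object { $_.Exportable -eq $true } | Format-Table -AutoSize
```

A non-exportable flag is not a guarantee (the post is right that extraction is "not impossible"), but any machine certificate used for VPN client authentication that shows `Exportable = True` here should be re-issued with a non-exportable key.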

Host Information Profile (HIP)

The Host Information Profile (HIP) feature allows you to collect information about the security status of your endpoints, and to decide whether to allow or deny a specific host access based on its adherence to the host policies you define.

HIP allows for granular checks on the endpoint. One example is to check the use of anti-malware solutions. A default Windows installation would pass this check, since Defender comes pre-installed. GlobalProtect gives the administrator the option of specifying the following parameters for the Anti-Malware object.

Firstly we set up the vendor and the product, as shown below.

We can then add additional checks, such as the definitions being up to date or the last scan being no older than 10 days.
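Before tightening the Anti-Malware HIP object, it helps to know what a given endpoint would actually report against those thresholds. The following is an added example, not code from the original post or from Palo Alto: it mirrors the anti-malware checks just described (engine enabled, real-time protection on, signatures current, last scan within 10 days) locally on a Windows host running Microsoft Defender, using the Defender module's `Get-MpComputerStatus`. The function name, parameter names and the one-day signature threshold are hypothetical; the 10-day scan threshold is the one from the post.

```powershell
# Added example (not from the original post): mirror the anti-malware HIP
# checks on a Windows endpoint running Microsoft Defender, so an admin can
# see in advance whether a host would pass. Requires the Defender PowerShell
# module (Get-MpComputerStatus). Function name, parameter names and the
# default signature threshold are hypothetical.
function Test-AntiMalwareHipPosture {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 1,    # "definitions up to date"
        [int]$MaxScanAgeDays      = 10    # "last scan not older than 10 days"
    )

    $status = Get-MpComputerStatus
    $now    = Get-Date

    # Most recent completed scan of either type; $null if no scan has ever run
    $lastScan = @($status.QuickScanEndTime, $status.FullScanEndTime) |
        Where-Object { $null -ne $_ } |
        Sort-Object -Descending |
        Select-Object -First 1

    $checks = [ordered]@{
        'Antivirus engine enabled'                              = [bool]$status.AntivirusEnabled
        'Real-time protection enabled'                          = [bool]$status.RealTimeProtectionEnabled
        "Signatures no older than $MaxSignatureAgeDays day(s)"  = ([int]$status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        "Scan completed within the last $MaxScanAgeDays day(s)" = ($null -ne $lastScan -and ($now - $lastScan).TotalDays -le $MaxScanAgeDays)
    }

    $results = foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }

    # Vendor/Product correspond to the two fields set on the HIP Anti-Malware object
    [pscustomobject]@{
        Vendor           = 'Microsoft'
        Product          = 'Microsoft Defender Antivirus'
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        LastScan         = $lastScan
        Passed           = -not ($results.Passed -contains $false)
        Checks           = $results
    }
}

# Usage
$posture = Test-AntiMalwareHipPosture
$posture.Checks | Format-Table -AutoSize
"Would pass HIP anti-malware object: $($posture.Passed)"
```

Running this across a sample of managed hosts before enforcing the policy shows which thresholds are realistic for the fleet; a freshly built attacker VM, by contrast, will typically fail the scan-age check and, depending on image age, the signature-age check as well.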

Additional Checks regarding the host can be added as shown below:

After setting up the HIP and applying it, we receive the following pop-up message from GlobalProtect.

I have set up a notification to pop up when the HIP checks fail. In a real-world environment a security policy should be set up to isolate the machine from the network.

Ideally the HIP policy should be as strict and granular as possible. That will make life very difficult for an attacker trying to match the target environment.

Conclusion

This technique is a viable way to join an attacker-controlled machine to a target network. In the references section I have listed all the articles and videos I read to prepare my lab environment and test the attack scenario.

References

[1] Palo Alto GlobalProtect VPN Configuration Step by Step [2023]

[2] Palo Alto firewall lab using VMware Workstation

[3] How to Build an Active Directory Hacking Lab

[4] PA-VM Trial

[5] Setting up HIP

[6] PaloAlto with external CA
Screenshots from the original post (not reproduced here): Login using phished creds; Download the client; GlobalProtect client installed; Login as dave.daves; Success; HIPS Anti-Malware; Product and vendor; Anti-Malware HIP; Host information; HIP notification.