
Defending Your "Gold"


Page 1: Defending Your "Gold"

Protecting Your Gold

Will Schroeder, Specter Ops

Standard Image Analysis With PowerShell

Page 2: Defending Your "Gold"

Agenda

• PowerUp

• Common Privesc Primitives

  • Service (Binary) Permissions

  • %PATH% hijacking

  • Processes, Threads, and User Rights

  • Autoruns

  • Provisioning Leftovers/Grab Bag

  • “Rotten Potato”

• Custom Software Analysis

Page 3: Defending Your "Gold"

Cyber Kill Chain

• Discovery

• Delivery

• Exploitation

• C2 Installation

• Privilege Escalation

• Lateral Movement

• Data Collection

• Data Exfiltration

Page 4: Defending Your "Gold"

Privilege Escalation

• Most attackers (and us) try to find a way to escalate privileges to local administrator/SYSTEM after initial access is gained

• Everyone isn’t a local admin any more!

• The two main approaches tend to be 0day/exploits and the abuse of misconfigurations

• You should examine your gold base system images every time there’s a major change!

• Great place for persistence as well…

Page 5: Defending Your "Gold"

PowerUp

• A self-contained PowerShell tool that automates the audit and exploitation of a number of common privilege escalation misconfigurations

Page 6: Defending Your "Gold"

PowerUp’s Approach

• Now part of PowerSploit (.\Privesc\PowerUp.ps1)

• Strict PowerShell version 2 compatibility

• (Now) doesn’t start any additional processes, nor does it depend on any external binaries

  • i.e., uses ChangeServiceConfig() instead of “set Svc binPath= malicious command”

• Uses PSReflect for Win32 API access

• “Abuse” functions are present for most

Page 7: Defending Your "Gold"

Vulnerable Services

• Services are a defined Windows securable object

  • So we can use QueryServiceObjectSecurity()

• Services themselves sometimes have misconfigured permissions (rare, but it happens)

• More common are misconfigured permissions on the binary associated with the service

  • If an unprivileged user can replace the binary for a service, they can gain code execution when the service/machine restarts

• PowerUp:

  • Get-ModifiableService and Get-

Page 8: Defending Your "Gold"

Sidenote: DLL Load Order

• When a Windows application tries to load a particular .DLL, it searches specific locations in a predefined order

1. The directory from which the application is loaded

2. The 32-bit system directory (C:\Windows\System32)

3. The 16-bit system directory (C:\Windows\System)

4. The Windows directory (C:\Windows)

5. The current working directory

6. Any directories that are listed in the PATH environment variable

Page 9: Defending Your "Gold"

%PATH% Hijacking

• When a process tries to load a DLL, there is a predefined search order for the DLL location

• The last search location is any folder in %PATH%

• One service on Windows 7 (IKEEXT) tries to load a DLL that doesn’t exist (wlbsctrl.dll)

• Translation: if we can write to any folder in %PATH% on a Windows 7 machine (like C:\Python27\) we can escalate privileges whenever the machine reboots!

Page 10: Defending Your "Gold"

Processes, Threads, and User Rights

• Processes and threads are securable objects as well

• Something we’re going to look more heavily into this year

• User Rights include specific privileges

Page 11: Defending Your "Gold"

Hijacking Autoruns and Scheduled Tasks

• Anything that’s set to automatically run in a (potentially) elevated context is a candidate for hijacking

• For the registry:

  • Enumerate all autoruns in HKLM

  • Check if the current user can modify any binary or arguments for any discovered autoruns

  • PowerUp: Get-ModifiableRegistryAutoRun

• For scheduled tasks:

  • Enumerate scheduled tasks where the current user can modify any file in the associated task action string
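An added defensive audit, not PowerUp's own code, that covers the three modifiable-target classes from the service, %PATH% and autorun slides above: it walks service binaries, every directory in %PATH% and the HKLM Run keys and reports any that a low-privileged principal can write to. The SID list treated as "low privilege" and the command-line parsing rules are assumptions; run it from an elevated prompt on the gold image.

```powershell
# Added example, not PowerUp's code: audit a gold image for the three modifiable-target
# classes above (service binaries, %PATH% directories, HKLM Run entries). Run elevated.
# The low-privilege SID list and the command-line parsing rules are assumptions.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')  # Everyone, Authenticated Users, Users, Interactive
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Test-LowPrivWrite {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($LowPrivSids -contains $sid -and (($ace.FileSystemRights -band $WriteMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-BinaryPath {
    # Executable from a command line: the quoted path, or everything before the first
    # "/" or "-" argument when unquoted (unquoted paths with spaces need a separate check).
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables(($CommandLine -split '\s+(?=[-/])')[0].Trim())
}

$findings = @()
$findings += @(foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $bin = Get-BinaryPath $svc.PathName
    if (Test-LowPrivWrite $bin) { [pscustomobject]@{ Type = 'ServiceBinary'; Name = $svc.Name; Path = $bin } }
})
$findings += @(foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
    if (Test-LowPrivWrite $dir) { [pscustomobject]@{ Type = 'PathDir'; Name = $dir; Path = $dir } }
})
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
$findings += @(foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $bin = Get-BinaryPath ([string]$p.Value)
        if (Test-LowPrivWrite $bin) { [pscustomobject]@{ Type = 'Autorun'; Name = "$key\$($p.Name)"; Path = $bin } }
    }
})
$findings | Format-Table -AutoSize
```

Every row in the output is a target that should be re-ACLed before the image ships; a clean image produces no rows.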

Page 12: Defending Your "Gold"

Provisioning Leftovers

• We occasionally find left over Unattended.xml answer files that have passwords set for local account provisioning

  • PowerUp: Get-UnattendedInstallFile

• Some Group Policy Preference files contain a decryptable cpassword attribute (Get-GPPPassword…)

  • These GPOs are sometimes cached on the host

  • PowerUp: Get-CachedGPPPassword
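An added image check for the answer-file leftover described above; this is not PowerUp's Get-UnattendedInstallFile. It scans a set of candidate unattend locations (the paths are an assumption about where setup leaves them), and reports each password element it finds without printing the value itself.

```powershell
# Added example, not PowerUp's Get-UnattendedInstallFile: scan the usual answer-file
# locations on an image and report any password elements left behind, without printing
# the values. The candidate paths are an assumption about where setup leaves them.
$Candidates = @(
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\Sysprep.xml"
)
function Find-AnswerFilePasswords {
    foreach ($file in ($Candidates | Where-Object { Test-Path -LiteralPath $_ })) {
        [xml]$xml = Get-Content -LiteralPath $file -Raw
        # Password and AdministratorPassword both wrap a <Value> and a <PlainText> flag;
        # match on local-name() so the unattend namespace does not matter.
        $nodes = $xml.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')
        foreach ($node in $nodes) {
            $value = $node.SelectSingleNode('*[local-name()="Value"]')
            $plain = $node.SelectSingleNode('*[local-name()="PlainText"]')
            if (-not $value -or -not $value.InnerText) { continue }
            [pscustomobject]@{
                File      = $file
                Context   = "$($node.ParentNode.LocalName)/$($node.LocalName)"   # e.g. AutoLogon/Password
                PlainText = [bool]($plain -and $plain.InnerText -eq 'true')      # false = only base64-encoded
                Length    = $value.InnerText.Length
            }
        }
    }
}
Find-AnswerFilePasswords | Format-Table -AutoSize
```

Any row, plaintext or base64, means the file should be removed from the image and the account's password rotated.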

Page 13: Defending Your "Gold"

Misc. Grab-bag

• If [HKLM|HKCU]\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is set, all .MSI files run elevated…

  • PowerUp: Get-RegistryAlwaysInstallElevated

Page 14: Defending Your "Gold"

Rotten Potato

• In late 2016, researchers from FoxGloveSecurity released an attack called “Rotten Potato”

• This allows you to escalate from a service account (or any account with SeImpersonatePrivilege) to SYSTEM

• It does this by abusing a bug class disclosed by James Forshaw

  • DCOM/RPC is tricked into authenticating with NTLM to the same endpoint, and the resulting token is impersonated from an account with impersonation privileges

• Now how would an attacker get code
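Since the precondition above is SeImpersonatePrivilege, the defender's question for a gold image is which principals hold it. The following added example (not from the talk or PowerUp) exports the local user-rights assignment with secedit and resolves the assigned SIDs, so any non-default service account in the list can be reviewed. It needs an elevated prompt; the scratch file path is an assumption.

```powershell
# Added example, not from the talk: list the principals on this host that hold
# SeImpersonatePrivilege, the right Rotten Potato relies on, so non-default service
# accounts can be reviewed. Needs an elevated prompt; the scratch path is an assumption.
function Get-ImpersonatePrincipals {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    # secedit dumps the local user-rights assignment as an INI-style file
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -LiteralPath $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    if (-not $line) { Write-Warning 'SeImpersonatePrivilege is not assigned on this host'; return }
    # Right-hand side is a comma-separated list of *SID tokens; resolve each to an account
    $tokens = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($token in $tokens) {
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier $token
            $account = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $token   # keep the raw token when it is a name or an unresolvable SID
        }
        [pscustomobject]@{ Sid = $token; Account = $account }
    }
}
Get-ImpersonatePrincipals | Format-Table -AutoSize
```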

Page 15: Defending Your "Gold"

Custom Software Analysis

• Custom internal development is the most common root cause of escalation vectors we find

  • Why? Security is hard! Same with an SDL!

• Part of our standard process is to search for any custom/internally developed software on any machines we gain initial access to

  • Bonus points if it’s C#!

• This is actually very similar to dynamic malware analysis!

Page 16: Defending Your "Gold"

Analysis Demo

Page 17: Defending Your "Gold"

Summary

• Privilege escalation is something that most actors attempt during their attack chain

• You should examine your gold image whenever there’s a major modification!

• Misconfigurations are often unintentionally introduced due to custom development or third-party applications

• PowerUp automates the checks for most of these misconfigurations

• You can analyze any custom-developed software pretty easily using existing malware dynamic analysis techniques!

Page 18: Defending Your "Gold"

Next Steps...

• Now: 15 min break

  • Grab a coffee

  • Stay here to enjoy the next presentation

  • Change track and switch to another room

  • Ask me questions or meet me in a breakout session room afterwards

Page 19: Defending Your "Gold"

Questions?

Page 20: Defending Your "Gold"

About the Author

• Will Schroeder (@harmj0y)

• http://blog.harmj0y.net | will [at] harmj0y.net

• Red teamer and offensive engineer for Specter Ops

• Co-founder:

  • Veil-Framework | Empire/EmPyre | BloodHound

• Developer of:

  • PowerView | PowerUp | current PowerSploit developer

• Microsoft CDM/PowerShell MVP

• Veteran trainer