Protecting Your Gold
Will Schroeder, Specter Ops
Standard Image Analysis With PowerShell
Agenda
• PowerUp
• Common Privesc Primitives
• Service (Binary) Permissions
• %PATH% hijacking
• Processes, Threads, and User Rights
• Autoruns
• Provisioning Leftovers/Grab Bag
• “Rotten Potato“
• Custom Software Analysis
Cyber Kill Chain
• Discovery
• Delivery
• Exploitation
• C2 Installation
• Privilege Escalation
• Lateral Movement
• Data Collection
• Data Exfiltration
[Kill chain diagram: Discovery, Delivery, Exploitation, C2 Installation, Privilege Escalation, Lateral Movement, Data Collection, Data Exfiltration]
Privilege Escalation
• Most attackers (and us) try to find a way to escalate privileges to local administrator/SYSTEM after initial access is gained
• Everyone isn’t a local admin any more!
• The two main approaches tend to be 0day/exploits and the abuse of misconfigurations
• You should examine your gold base system images every time there’s a major change!
• Great place for persistence as well…
PowerUp
• A self-contained PowerShell tool that automates the audit and exploitation of a number of common privilege escalation misconfigurations
PowerUp’s Approach
• Now part of PowerSploit (.\Privesc\PowerUp.ps1)
• Strict Version 2 compatibility
• (Now) doesn’t start any additional processes, nor does it depend on any external binaries
• i.e., uses ChangeServiceConfig() instead of “set Svc binPath= malicious command”
• Uses PSReflect for Win32 API access
• “Abuse” functions are present for most checks
Vulnerable Services
• Services are a defined Windows securable object
• So we can use QueryServiceObjectSecurity()
• Services themselves sometimes have misconfigured permissions (rare, but it happens)
• More common are misconfigured permissions on the binary associated with the service
• If an unprivileged user can replace the binary for a service, they can gain code execution when the service/machine restarts
• PowerUp: Get-ModifiableService and Get-
Sidenote: DLL Load Order
• When a Windows application tries to load a particular .DLL, it searches specific locations in a predefined order:
1. The directory from which the application is loaded
2. The 32-bit system directory (C:\Windows\System32)
3. The 16-bit system directory (C:\Windows\System)
4. The Windows directory (C:\Windows)
5. The current working directory
6. Any directories that are listed in the PATH environment variable
%PATH% Hijacking
• When a process tries to load a DLL, there is a predefined search order for the DLL location
• The last search location is any folder in %PATH%
• One service on Windows 7 (IKEEXT) tries to load a DLL that doesn’t exist (wlbsctrl.dll)
• Translation: if we can write to any folder in %PATH% on a Windows 7 machine (like C:\Python27\) we can escalate privileges whenever the machine reboots!
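The two checks the Vulnerable Services and %PATH% Hijacking slides describe, written out as an added audit example (this is not code from the talk or from PowerUp): every service binary, the directory it lives in, and every directory on the machine-level %PATH% are tested for write-class rights granted to Everyone, Users, Authenticated Users or INTERACTIVE. Identity names, the rights mask and the parsing of service PathName values are this example's own choices; it assumes Windows, PowerShell 3.0 or later, and an elevated prompt so that every service's path and ACL can be read.

```powershell
# Added example (not part of the talk or of PowerUp): audit service binaries and
# the machine-level %PATH% for write access granted to low-privileged principals.
# Assumes Windows, PowerShell 3.0+ and an elevated prompt so every service's
# PathName and ACL can be read.

# Principals that mean "effectively any user of the machine" for this audit.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace a file or drop a file into a directory.
# On a directory, WriteData/AppendData mean "create files/subdirectories".
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, FullControl'
$FileWriteMask = $FileWriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-LowPrivWriteAccess {
    # Returns "identity:rights" strings for each Allow ACE on $Path that grants
    # a write-class right to one of the low-privileged identities.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivIdentities -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $FileWriteMask) -ne 0
    } | ForEach-Object { '{0}:{1}' -f $_.IdentityReference.Value, $_.FileSystemRights }
}

function Get-ServiceExecutable {
    # Extracts the executable from a service PathName such as
    #   "C:\Program Files\Vendor\svc.exe" -arg   or   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.TrimStart('"')
    }
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Find-WritableServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ServiceExecutable -PathName $_.PathName
        if (-not $exe) { return }   # 'return' inside ForEach-Object moves on to the next service
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $binaryAccess    = @(Get-LowPrivWriteAccess -Path $exe)
        # Write access to the containing directory is enough to replace the binary
        $directoryAccess = @(Get-LowPrivWriteAccess -Path (Split-Path -Path $exe -Parent))
        if ($binaryAccess.Count -gt 0 -or $directoryAccess.Count -gt 0) {
            [pscustomobject]@{
                Service         = $_.Name
                RunsAs          = $_.StartName
                Binary          = $exe
                BinaryAccess    = ($binaryAccess -join '; ')
                DirectoryAccess = ($directoryAccess -join '; ')
            }
        }
    }
}

function Find-WritablePathDirectory {
    # The machine-level PATH is what services (LocalSystem included) search last for a DLL
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($entry in ($machinePath -split ';')) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $access = @(Get-LowPrivWriteAccess -Path $dir)
        if ($access.Count -gt 0) {
            [pscustomobject]@{ Directory = $dir; Access = ($access -join '; ') }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
Find-WritablePathDirectory | Format-Table -AutoSize
```

A clean gold image should produce no rows from either function. Any row is a finding to fix in the image itself (tighten the ACL, move the directory out of the machine PATH, or reinstall the third-party package that created it), which is cheaper than chasing the same misconfiguration on every deployed host.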
Processes, Threads, and User Rights
• Processes and threads are securable objects as well
• Something we’re going to look more heavily into this year
• User Rights include specific privileges
Hijacking Autoruns and Scheduled Tasks
• Anything that’s set to automatically run in a (potentially) elevated context is a candidate for hijacking
• For the registry:
• Enumerate all autoruns in HKLM
• Check if the current user can modify any binary or arguments for any discovered autoruns
• PowerUp: Get-ModifiableRegistryAutoRun
• For scheduled tasks:
• Enumerate scheduled tasks where the current user can modify any file in the associated task action string
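The registry half of the autorun check above, as an added example (not the talk's or PowerUp's code): it inventories every value under the HKLM Run and RunOnce keys, including the Wow6432Node copies, and flags keys whose ACL lets low-privileged principals rewrite the command itself. Checking the ACL of the binary each command points at is the complementary file-system step and is not repeated here. The key list, identity names and rights mask are this example's own assumptions; it assumes Windows and PowerShell 3.0 or later.

```powershell
# Added example (not from the talk or PowerUp): list HKLM autorun entries and
# flag Run/RunOnce keys whose ACL lets low-privileged principals rewrite the
# command that executes at logon. Assumes Windows, PowerShell 3.0+.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

$LowPrivIdentities = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Registry rights that allow changing or adding an autorun value
$RegWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, FullControl'
$RegWriteMask = $RegWriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-LowPrivRegistryWrite {
    # Returns "identity:rights" strings for Allow ACEs on the key that grant write-class rights
    param([string]$KeyPath)
    try { $acl = Get-Acl -LiteralPath $KeyPath -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivIdentities -contains $_.IdentityReference.Value -and
        (([int]$_.RegistryRights) -band $RegWriteMask) -ne 0
    } | ForEach-Object { '{0}:{1}' -f $_.IdentityReference.Value, $_.RegistryRights }
}

function Get-AutorunEntry {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $keyAccess = @(Get-LowPrivRegistryWrite -KeyPath $key)
        $item = Get-Item -LiteralPath $key          # Microsoft.Win32.RegistryKey
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key                  = $key
                Name                 = $name
                Command              = $item.GetValue($name)
                KeyWritableByLowPriv = ($keyAccess.Count -gt 0)
                KeyAccess            = ($keyAccess -join '; ')
            }
        }
    }
}

# Full inventory first, then only entries under a key that low-privileged users could rewrite
Get-AutorunEntry | Format-Table Key, Name, Command -AutoSize
Get-AutorunEntry | Where-Object KeyWritableByLowPriv | Format-Table Key, Name, KeyAccess -AutoSize
```

The inventory on its own is worth diffing between image revisions: a new Run value that nobody can explain is exactly the kind of change a gold-image review should catch before it ships.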
Provisioning Leftovers
• We occasionally find leftover Unattended.xml answer files that have passwords set for local account provisioning
• PowerUp: Get-UnattendedInstallFile
• Some Group Policy Preference files contain a decryptable cpassword attribute (Get-GPPPassword…)
• These GPOs are sometimes cached on the host
• PowerUp: Get-CachedGPPPassword
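An added example of the answer-file check (not code from the talk or from PowerUp): it looks for unattend files in the commonly cited locations under the Windows directory, parses each as XML, and reports every Password or AdministratorPassword element whose Value is still populated (sysprep normally replaces it with *SENSITIVE*DATA*DELETED*). The candidate path list is an assumption and may not be exhaustive; the embedded answer file is a constructed sample so the parser can be exercised offline.

```powershell
# Added example (not from the talk or PowerUp): find leftover answer files and
# report credential-bearing elements that survived provisioning.
# Path list and element names are this example's assumptions.

$UnattendCandidates = @(
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattended.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattended.xml",
    "$env:SystemRoot\System32\Sysprep\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\Panther\Unattend.xml"
)

function Get-UnattendCredential {
    # Walks an unattend document and emits one record per password element that
    # still carries a value. local-name() sidesteps the default XML namespace.
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = '<inline>')
    $query = "//*[local-name()='Password' or local-name()='AdministratorPassword']"
    foreach ($pw in $Xml.SelectNodes($query)) {
        $valueNode = $pw.SelectSingleNode("*[local-name()='Value']")
        $value = if ($valueNode) { $valueNode.InnerText } else { $pw.InnerText }
        $plainNode = $pw.SelectSingleNode("*[local-name()='PlainText']")
        $plain = if ($plainNode) { $plainNode.InnerText -eq 'true' } else { $true }
        # Sanitized by sysprep or never set: nothing to report
        if ([string]::IsNullOrWhiteSpace($value) -or $value -like '*SENSITIVE*DATA*DELETED*') { continue }
        [pscustomobject]@{
            Source    = $Source
            Element   = $pw.ParentNode.LocalName + '/' + $pw.LocalName
            PlainText = $plain      # false means base64-encoded, which is still recoverable
        }
    }
}

function Find-UnattendCredential {
    foreach ($path in $UnattendCandidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        try { $doc = [xml](Get-Content -LiteralPath $path -Raw -ErrorAction Stop) } catch { continue }
        Get-UnattendCredential -Xml $doc -Source $path
    }
}

# Constructed sample: an AutoLogon password left in place, an admin password that sysprep sanitized
$SampleUnattend = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>UABhAHMAcwB3ADAAcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>false</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

# Demo on the sample: reports AutoLogon/Password only
Get-UnattendCredential -Xml $SampleUnattend -Source 'constructed-sample' | Format-Table -AutoSize
# Audit of the current host
Find-UnattendCredential | Format-Table -AutoSize
```

Any record from the live audit means the answer file should be deleted from the image and the account password rotated, since the base64 form offers no protection.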
Misc. Grab-bag
• If [HKLM|HKCU]\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is set, all .MSI files run elevated…
• PowerUp: Get-RegistryAlwaysInstallElevated
Rotten Potato
• In late 2016, researchers from FoxGloveSecurity released an attack called “Rotten Potato”
• This allows you to escalate from a service account (or any account with SeImpersonatePrivilege) to SYSTEM
• It does this by abusing a bug class disclosed by James Forshaw
• DCOM/RPC is tricked into authenticating with NTLM to the same endpoint, and the resulting token is impersonated from an account with impersonation privileges
• Now how would an attacker get code
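The User Rights point from the Processes, Threads, and User Rights slide and the SeImpersonatePrivilege precondition of Rotten Potato both come down to which privileges a token holds. This added example (not code from the talk or from PowerUp) parses the output of `whoami /priv` and flags the privileges that allow impersonation or takeover of other security contexts, so a gold-image review can see which service or application accounts carry them. The privilege list and the sample output are this example's own constructions, modelled on the real command's layout.

```powershell
# Added example (not from the talk or PowerUp): parse `whoami /priv` and flag
# privileges that let a token impersonate or take over other contexts.
# The privilege set and the sample output are constructed for this example.

$HighImpactPrivileges = @{
    'SeImpersonatePrivilege'        = 'impersonate clients (Rotten Potato-class escalation to SYSTEM)'
    'SeAssignPrimaryTokenPrivilege' = 'assign a primary token to a new process'
    'SeDebugPrivilege'              = 'open any process, including SYSTEM ones'
    'SeBackupPrivilege'             = 'read any file regardless of its ACL'
    'SeRestorePrivilege'            = 'write any file regardless of its ACL'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any securable object'
    'SeLoadDriverPrivilege'         = 'load kernel drivers'
}

function ConvertFrom-WhoamiPriv {
    # Turns the table printed by `whoami /priv` into objects. A Disabled
    # privilege still counts: the holder can enable it at any time.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$')
        if (-not $m.Success) { continue }
        $name = $m.Groups[1].Value
        [pscustomobject]@{
            Privilege   = $name
            Description = $m.Groups[2].Value
            Enabled     = ($m.Groups[3].Value -eq 'Enabled')
            HighImpact  = $HighImpactPrivileges.ContainsKey($name)
            Risk        = $HighImpactPrivileges[$name]
        }
    }
}

function Get-HighImpactPrivilege {
    # Defaults to the current token; pass -Lines to analyse saved output from another context
    param([string[]]$Lines = (& whoami.exe /priv))
    ConvertFrom-WhoamiPriv -Lines $Lines | Where-Object HighImpact
}

# Constructed sample in the layout of `whoami /priv` for a typical service account
$SampleWhoami = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

# Demo on the sample: reports SeImpersonatePrivilege
Get-HighImpactPrivilege -Lines $SampleWhoami | Format-Table Privilege, Enabled, Risk -AutoSize
# Live check of the current token
Get-HighImpactPrivilege | Format-Table Privilege, Enabled, Risk -AutoSize
```

Run this in the context of each service or application-pool account on the image (or feed it saved `whoami /priv` output from those contexts). Accounts that do not need to impersonate clients should not hold SeImpersonatePrivilege, and every account that does hold it should be treated as SYSTEM-equivalent when deciding what code may run under it.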
Custom Software Analysis
• Custom internal development is the most common root cause of escalation vectors we find
• Why? Security is hard! Same with an SDL!
• Part of our standard process is to search for any custom/internally developed software on any machines we gain initial access to
• Bonus points if it’s C#!
• This is actually very similar to dynamic malware analysis!
Analysis Demo
Summary
• Privilege escalation is something that most actors attempt during their attack chain
• You should examine your gold image whenever there’s a major modification!
• Misconfigurations are often unintentionally introduced due to custom development or third-party applications
• PowerUp automates the checks for most of these misconfigurations
• You can analyze any custom-developed software pretty easily using existing malware dynamic analysis techniques!
Next Steps...
• Now: 15 min break
• Grab a coffee
• Stay here to enjoy the next presentation
• Change track and switch to another room
• Ask me questions or meet me in a breakout session room afterwards
Questions?
About the Author
• Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at] harmj0y.net
• Red teamer and offensive engineer for Specter Ops
• Co-founder:
• Veil-Framework | Empire/EmPyre | BloodHound
• Developer of:
• PowerView | PowerUp | current PowerSploit developer
• Microsoft CDM/PowerShell MVP
• Veteran trainer