Hey all,

This post will explore code execution with aspnet_compiler.exe. I’m going to outline how to use the Microsoft signed executable to load & execute a local DLL builder and quickly discuss defensive opportunities. However, before going further, I would like to thank Lee Kagan and Antonlovesdnb for looking at BringYourOwnBuilder from a defensive standpoint.

BringYourOwnBuilder

A couple of weeks ago I was poking around the Microsoft.NET directory and came across aspnet_compiler.exe. Naturally, *_compiler.exe is eyebrow raising, so I decided to take a look at the command-line options; quite a bit to drink in.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u

Inspecting the command above with procmon gives the following results.

Continue reading “The Curious Case of Aspnet_Compiler.exe” →

Hey all,

This post is about leveraging COM hijacking for lateral movement. I’m going to stay away from deep-diving COM internals as hijacking is not a new topic and has been explored by people far smarter than I, check out the references for awesome COM material. Instead, I’ll be taking a look at how tinkering with the registry and calling a COM object remotely (DCOM) can provide lateral movement options.

As a humble net-pen guy, I have to admit I haven’t encountered a target which monitors HKLM\..\CLSID, so I wanted to develop a tool which could explain the importance of doing so. Also, from an offsec standpoint, I like this approach as it provides the ability to live inside a legitimate process without dropping an executable to disk or using one of the “usual suspects” executables to kick off my session. However, there are two risks with using this type of approach: the modifications to the remote registry are clearly malicious and can leave a system in an non-operational state.

Furthermore, there are a ton of interesting use cases when tinkering with the AppID registry key as well. For example, setting RunAs to a different value might kick off our C2 session to a context of our choosing (Interactive User or SYSTEM). I’m hoping to explore this in future posts.

References

• James Forshaw
  • https://www.tiraniddo.dev/
  • OleViewDotNet
  • COM in Sixty Seconds
• COMProxy by Leoloobeek
• SwiftOnSecurity’s Sysmon Configuration
• Abusing DCOM For Yet Another Lateral Movement Technique by bohops
• COM Hijacking Techniques by David Tulis (NCC Group)
• Lateral Movement Using MMC20.Application COM Object by Enigma0x3

Continue reading “COM Hijacking for Lateral Movement” →

Hey all,

Uninspired title, I know. Anyways, this is a simple post exploring the use of Impacket and SOCKS with Kerberos tickets, finishing with Rubeus sprinkled in for a cheesy UAC bypass. Throughout this post we’ll be looking at the following tools:

• Impacket
• Rubeus
• Proxychains
• Dnsmasq
• Ticket_Converter

Impacket, Proxychains, and Kerberos

This has always been a bit clunky for me due to name resolution. In order for Kerberos authentication to work properly we need to be able to resolve the FQDN of target hosts and the KDC. Proxychains uses a predefined DNS server to resolve targets if the proxy_dns configuration is enabled. To get name resolution working, I attempted to take both the /etc/hosts and /usr/lib/proxychains3 route, neither of which worked. The issues looked pretty simple to troubleshoot, but instead I opted to use dnsmasq with a custom configuration as a localhost resolver. It keeps everything nice and organized and bypasses the need to send name requests over proxychains. The screenshot below describes the configurations I used.

This video quickly demonstrates putting everything together to generate a TGT for Jack and using wmiexec to establish a session over proxychains.

TGTDeleg with Rubeus

UAC is not a security boundary, it’s not even a road bump if we have credentials. In the video above we use Jack’s cleartext credentials to generate a TGT to demonstrate the use of Impacket with Kerberos tickets. However, if we don’t have credentials things can get a bit more tricky and we might have to stop by UACMe. This post will take a different route and explore tgtdeleg with Rubeus which was inspired by Kekeo. Harmjoy does a real nice write up, I strongly recommend checking it out.

In the video below we start out in a medium integrity context and use tgtdeleg to grab the domain user’s TGT, convert it to a ccache format using Ticket_Converter, and finish the PoC by establishing a high integrity psexec.py session. Pretty simple. And before you all condemn me to shadow realm for writing executables everywhere, know that my next post will look at COM hijacking with something like this to shrink the footprint.

Hey all,

This post will explore establishing command and control sessions over remote desktop (RDP) virtual channels. As per Microsoft, virtual channels are software extensions that can be used to add functional enhancements to RDP. Audio, shared clipboard, forwarded drives, and printer redirection are all examples of virtual channels in action; doesn’t it make life easier? Well it comes at a risk. Before getting into it, I have to mention that this is not a new area of research, listed below are tools and information I leveraged to put this post together.

• NCCGroup’s Virtual Channel Research
• OutFlank’s External C2 Example
• XPN’s Exploring External C2 Post
• Earthquake’s Universal Dynamic Virtual Channel
• AwakeCoding’s TsTeleport
• Rdp2tcp

While speaking at OT Cybersecurity conferences I’ve always preached the importance of egress filtering. Reason is, whenever we hijack a MFA’d session at the IT/OT perimeter, the first thing we (and attackers) do is attempt to setup an out-of-band command and control session to establish a more permanent foothold in the environment.

Since egress dataflows from the OT to the IT are often few or not required, correctly configured egress filtering can make this difficult bordering on impossible. However, command and control sessions over RDP virtual channels entirely circumvent egress filtering. So having been such an advocate of egress filtering (it’s still important), I felt it was necessary to explore this topic further.

Continue reading “C2 Over RDP Virtual Channels” →

Hey all,

This is another post in the BADministration series where we’ll be exploring Acronis Backup from an offensive standpoint. As always, before going further, one thing I would like to make clear – this is not an Acronis issue or vulnerability. This post instead discusses features and architecture issues, similar to spanning a trusted domain to a less-trusted network. Also once again, a shout-out to CherryDarkness for all the help. Video is at the bottom.

BADministration – https://github.com/ThunderGunExpress/BADministration

Gaining access to the backup solution can be critical during an offensive engagement. Any account with access to a backup share (or server) can mount images to read information from the backed up filesystem, and by extension, local system hashes. These shares or servers can provide an attacker with a potential escalation path, or at a minimum, privileged information about the organization’s security and administrative configurations. However, this post is not about leveraging backup shares, it’s about leveraging the backup server itself!

Other related offsec management application posts:

• BADministration – Solarwinds
• BADministration – McAfee ePO

Continue reading “BADministration – Acronis” →

Hey all,

I hope all is well and everyone is enjoying their Summer2019! It’s that time of year again, conference season. I’m looking forward to Las Vegas to enjoy some delicious beers, put on about five pounds, and feel woefully inadequate due to all the badass intelligent people I hopefully will meet! I’m pretty out-of-the-loop when it comes to these things, so if there are any must attend meetups or anything like that, please let me know on twitter.

This post is about BADministration and leveraging McAfee ePO from an offensive standpoint. Before going further, one thing I would like to make clear – this is not a McAfee issue or vulnerability. This post instead discusses features and architecture issues, similar to spanning a trusted domain to a less-trusted network. Also once again, a shout-out to CherryDarkness for all the help.

BADministration – https://github.com/ThunderGunExpress/BADministration

Other related offsec management application posts:

• BADministration – Solarwinds

Continue reading “BADministration – McAfee ePO” →

Hey all,

I hope all is well, it’s been a while! This post is going to discuss application propagation and introduce BADministration, a tool a colleague (@DarknessCherry) and I are currently putting together. More specifically, we’re going to be looking at how one could leverage SolarWinds Orion server from an offensive standpoint. Before going further, one thing I would like to make clear – this is not a Solarwinds issue or vulnerability. This post instead discusses features and architecture issues, similar to spanning a trusted domain to a less-trusted network.

Application propagation, improper application segmentation, or whatever you call it, is the act of reusing management applications across differing trust zones. This is especially relevant to OT environments as we often see IT management applications reused or propagated to the OT systems. The consequences of this type of spanning is if an attacker lands on that IT management server they most likely have privileged access to all its clients, including the OT systems. Breaching the IT/OT boundary or escaping the OT DMZ in this fashion is far too easy.

A perfect example of leveraging an administration application to attack clients is WSUSpendu, a powershell script which can deploy Windows updates to clients via WSUS. This type of attack is exacerbated if the WSUS server serves updates to more trusted networks, video example here – ijwrtpost.

BADministration – https://github.com/ThunderGunExpress/BADministration

How to Defend

To put it simply, when dealing with a critical trust boundary like the IT/OT, segment applications similar to how networks or domains are segmented. Attackers are looking to management applications which have server —control—> client relationships throughout the environment to find slip-ups by defenders. If those management applications serve clients which are a higher trust than the server, you have an issue. For example, if your domain controller has the keys to the kingdom and it’s a client of the NMS server, by extension the NMS server probably has access to the keys to the kingdom as well.

I find the IT/OT relationship is an interesting one. IT security budget often exceeds the OT security budget but OT is the more critical environment, which makes this recommendation weird – assign trust level 0 to the IT network. From an OT perspective, be wary of any delegated administration or authentication, not because their security is shit (it’s often real good), but instead because it’s out of your control. Also, the IT environment and most of its servers are often one or two hops away from the internet, a non-requirement for OT environments.

In my travels I often see one critical OT architectural flaw time and time again: the OT DMZ serves as a semi-trusted intermediary / management zone. The intermediary part is good; however, having management applications with critical OT clients is not. Unfortunately, deep diving this issue is out-of-scope for this post but for now, I’m going to toss out the idea of an Admin OT network which has one-way communications into the DMZ and Critical Control environments (old news to some, I’m sure). When configured correctly this type of configuration can be extremely potent, but the devil is in the details … post for another day.

Continue reading “BADministration – Solarwinds” →

Hey all,

This post is about remotely enumerating established TCP connections via WMI and importing that data into a Neo4j database. Neo4j is a graph database application which is great for graphically displaying relationships between data. If the name sounds familiar it might be because you have leveraged it while using BloodHound. Nowhere near the same level, this post will be using the built-in Neo4j desktop to display relationships in a simple way. Below is example output of a Neo4j query to determine clients connecting to a WSUS server over TCP/8530.

Enumerating network communications can provide valuable information regardless if you’re on the offensive or defensive side. Offensively, enumerating dataflows can uncover new networks outside initial visibility or establish critical systems as wedge points into other networks. Defensively, enumerating dataflows is good practice to identify all sorts of malicious traffic; however, I would imagine defenders have much more advanced tools than this.

In the past I’ve seen netstat performed remotely using something like PsExec. In my opinion, this is a bit overkill and generates quite a bit of noise, so I tried to take an alternative route. ThunderQuery, is a C# application that will continuously enumerate established TCP connections via WMI. ThunderQuery will poll the provided list of targets and generate two CSV files (locally, so beware): profiles.csv and networkconnections.csv. Profiles.csv has system information of each polled target while networkconnections.csv has established TCP connections and is continuously appended to. See the github page for further details … I wrote a README this time!

Example run of ThunderQuery from Cobalt Strike using execute-assembly.

Continue reading “Network Connection Footprinting with WMI and Neo4j” →

Hey all,

Today’s post is about Browser Pivoting with Chrome. For anyone unaware of Browser Pivoting, it’s a technique which essentially leverages an exploited system to gain access to the browser’s authenticated sessions. This is not a new technique, in fact, Raphael Mudge wrote about it in 2013. Detailed in the linked post, the Browser Pivot module for Cobalt Strike targets IE only, and as far as I know, cannot be used against Chrome. In this post we’re trying to achieve a similar result while taking a different approach – stealing the target’s Chrome profile in real time. Just a FYI, if you have the option to use Cobalt Strike’s Browser Pivot module instead, do so, it’s much cleaner.

You might be thinking – “why go through the trouble?” If I’ve exploited the system I can mimikatz or keylog to get the target’s credentials and by extension, the resources they have access to. Well, one major application that comes to mind is multi-factor authentication (MFA). Organizations are catching on that a single password alone is not nearly sufficient in protecting valued network resources, which is fantastic news! Personally, I have the opportunity to do offensive engagements on OT targets which often have multiple tiers of authentication and networking; it’s my generalization that MFA-less sites tend to fall much quicker than MFA sites – hours or days vs weeks or not at all, respectively. In my opinion, MFA at a security boundary is one of the most important security controls one can implement.

You also might be thinking – “here you are touting the potency of MFA, yet you are talking about hijacking MFA sessions”. Again, this technique has been around since 2013 and the specific code developed for this PoC is all publicly accessible. Advanced adversaries have access to and are most likely employing this technique. Our offensive engagements need to emulate these threats because that’s how we get better from a defensive standpoint – steel sharpens steel.

How To Defend

First off, if you’ve forced an attacker to go beyond traditional credential theft to gain access to critical network resources, congratulations! This walkthrough has quite a few (loud) indicators that can point to malicious activity. We’re starting and stopping services, modifying system32 files, modifying registry, creating and deleting VSS snapshots, and ending it with a remote desktop session to the target. All this activity can easily be detected.

What Does It Do?

High level, this PoC attempts to do the following:

1. Modify the system to allow multiple Remote Desktop connections and remove RemoteApp restrictions.
2. Using VSS, copy the target’s in-use Chrome profile to another file folder.
3. Using RemoteApp and proxychains, remotely open a Chrome instance pointing to that copied profile path.
   • If you prefer, I think the profile could be copied over to the attacking VM and leveraged using proxychains and chromium. That being said, I would imagine this type of technique is time sensitive.

Continue reading “Browser Pivot for Chrome” →

Hey all,

Recently we put together an attack demonstration targeting our simulated lab OT network using a few of the tools that have been explored on this site. The video is linked at the bottom.

Some of the techniques employed are nasty, especially the Outlook hooking and WSUS angle. Regardless of the nastiness level, all these techniques are publicly available and in some cases, have actively been used against our networks. However there is good news, everything explored in this demonstration can be detected and thwarted with relative ease. Additionally, I’m going to link the ATT&CK identifiers in brackets where applicable.

Scenario

In this demonstration, our adversary is APT123 and is masquerading as Causenoevil.com, a local cybersecurity consulting company. They are targeting M2Generation.com, a power generation company. APT123 wants to take full control of OT systems and perform a DoS attack.

APT123 has a Cobalt Strike (S0154) team server and an attacking Windows 10 system accessible on the internet. During the demonstration we truncate the file transfer process and a few other non-sexy activities. Just a FYI, if you see a Windows 10 machine with a skull and crossbones, that is APT123’s system.

Initial Foothold

APT123 gains a initial foothold on the M2Generation enterprise network using a malicious macro inside an xls document (T1193, T1064, T1203). In the demonstration we take a look at the macro and see that it spawns a “legitimate” iexplore.exe process which automatically browses to causenoevil.com. Additionally, hidden from view the macro also spawns an illegitimate iexplore.exe process while downloading and injecting shellcode via createremotethread. The macro code structure is pretty standard but it has been modified with our custom stager to bypass standard AV and traffic inspection.

Attackers love malicious macros and are actively using them. One or two clicks away from code execution with a widely used application garners attention. However, as defenders we have a plethora of options to protect our networks against this angle, to list a few:

• Windows Defender ASR Rules
• Block Office Macros from the Internet
• Endpoint Security Solutions
• Security Awareness Training

Continue reading “OT Network Attack Demonstration” →