BADministration – Solarwinds

Hey all,

I hope all is well, it’s been a while! This post is going to discuss application propagation and introduce BADministration, a tool a colleague (@DarknessCherry) and I are currently putting together. More specifically, we’re going to be looking at how one could leverage SolarWinds Orion server from an offensive standpoint. Before going further, one thing I would like to make clear – this is not a Solarwinds issue or vulnerability. This post instead discusses features and architecture issues, similar to spanning a trusted domain to a less-trusted network.

Application propagation, improper application segmentation, or whatever you call it, is the act of reusing management applications across differing trust zones. This is especially relevant to OT environments, as we often see IT management applications reused or propagated to the OT systems. The consequence of this type of spanning is that if an attacker lands on that IT management server, they most likely have privileged access to all of its clients, including the OT systems. Breaching the IT/OT boundary or escaping the OT DMZ in this fashion is far too easy.

A perfect example of leveraging an administration application to attack clients is WSUSpendu, a PowerShell script which can deploy Windows updates to clients via WSUS. This type of attack is exacerbated if the WSUS server serves updates to more trusted networks; see the video example in the WSUS post.

BADministration – https://github.com/ThunderGunExpress/BADministration

How to Defend

To put it simply, when dealing with a critical trust boundary like IT/OT, segment applications the same way networks or domains are segmented. Attackers look at management applications which have server —control—> client relationships throughout the environment to find slip-ups by defenders. If those management applications serve clients which are of higher trust than the server, you have an issue. For example, if your domain controller has the keys to the kingdom and it’s a client of the NMS server, by extension the NMS server probably has access to the keys to the kingdom as well.

I find the IT/OT relationship is an interesting one. IT security budget often exceeds the OT security budget but OT is the more critical environment, which makes this recommendation weird – assign trust level 0 to the IT network. From an OT perspective, be wary of any delegated administration or authentication, not because their security is shit (it’s often real good), but instead because it’s out of your control. Also, the IT environment and most of its servers are often one or two hops away from the internet, a non-requirement for OT environments.

In my travels I often see one critical OT architectural flaw time and time again: the OT DMZ serves as a semi-trusted intermediary / management zone. The intermediary part is good; however, having management applications with critical OT clients is not. Unfortunately, deep diving this issue is out-of-scope for this post but for now, I’m going to toss out the idea of an Admin OT network which has one-way communications into the DMZ and Critical Control environments (old news to some, I’m sure). When configured correctly this type of configuration can be extremely potent, but the devil is in the details … post for another day.

Current Solarwinds Modules

The modules below leverage the Solarwinds API

  • solarwinds-enum – Enumerates all Solarwinds clients
  • solarwinds-listalerts – Lists Solarwinds alerts
  • solarwinds-alertremove – Removes the malicious alert used in the syscmd module
  • solarwinds-syscmd – Executes system commands on the NMS server
  • BADministration_SWDump.exe – Standalone memory scraper which (hopefully) retrieves Solarwinds WMI credentials

Video!

In this video we’re going to steal Ingrid-DMZ’s credentials, who also happens to be an NMS Administrator. With those credentials, we’ll interface with Solarwinds via the API and proceed to enumerate clients, WMI accounts, and alerts. We’ll gain a SYSTEM session on the Solarwinds server by delivering a malicious alert, then we practice GOOD TRADECRAFT by cleaning up that alert after execution. With SYSTEM access to the NMS server we complete the attack chain by scraping memory and getting access to domain administrator credentials used for WMI polling.

Bonus Video!

I don’t want to be that 1337-hax0r guy showing you how I pwned all ur systems with a single thought … but I really think this is a cool video which emphasizes the risks of application propagation. Note, this module isn’t included in BADministration and you should probably never do this in an engagement, it’s unnecessary.

Network Connection Footprinting with WMI and Neo4j

Hey all,

This post is about remotely enumerating established TCP connections via WMI and importing that data into a Neo4j database. Neo4j is a graph database application which is great for graphically displaying relationships between data. If the name sounds familiar, it might be because you have leveraged it while using BloodHound. Nowhere near the same level, this post will be using the built-in Neo4j desktop to display relationships in a simple way. Below is example output of a Neo4j query to determine clients connecting to a WSUS server over TCP/8530.

Enumerating network communications can provide valuable information regardless of whether you’re on the offensive or defensive side. Offensively, enumerating dataflows can uncover new networks outside initial visibility or establish critical systems as wedge points into other networks. Defensively, enumerating dataflows is good practice to identify all sorts of malicious traffic; however, I would imagine defenders have much more advanced tools than this.

In the past I’ve seen netstat performed remotely using something like PsExec. In my opinion, this is a bit overkill and generates quite a bit of noise, so I tried to take an alternative route. ThunderQuery is a C# application that will continuously enumerate established TCP connections via WMI. ThunderQuery will poll the provided list of targets and generate two CSV files (locally, so beware): profiles.csv and networkconnections.csv. Profiles.csv has system information for each polled target, while networkconnections.csv has established TCP connections and is continuously appended to. See the GitHub page for further details … I wrote a README this time!
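As an added example (not ThunderQuery’s own code), here is the import side in Python: it parses a constructed networkconnections.csv with assumed column names, emits idempotent Cypher MERGE statements for Neo4j, answers the “who talks to WSUS on TCP/8530” question offline, and flags flows where a client sits in a more trusted zone than the server it depends on (the application-propagation problem from the BADministration post). The trust zones, host names and addresses are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of ThunderQuery's networkconnections.csv.
# The header names are an assumption made for this example, not the tool's
# actual column names; adjust them to match the README.
SAMPLE_CSV = """\
timestamp,host,local_addr,local_port,remote_addr,remote_port,state,process
2019-01-01T10:00:00,WS01,10.1.1.10,49152,10.1.1.5,8530,ESTABLISHED,svchost.exe
2019-01-01T10:00:05,WS02,10.1.1.11,49201,10.1.1.5,8530,ESTABLISHED,svchost.exe
2019-01-01T10:00:09,WS02,10.1.1.11,49210,10.1.1.5,8530,ESTABLISHED,svchost.exe
2019-01-01T10:00:30,DC01,10.1.1.2,50331,10.1.1.5,8530,ESTABLISHED,svchost.exe
2019-01-01T10:01:00,HMI01,10.2.2.20,51000,10.1.1.5,8530,ESTABLISHED,svchost.exe
2019-01-01T10:01:10,WS01,10.1.1.10,49300,10.1.1.2,445,ESTABLISHED,System
"""

# Assumed trust zones: higher number = more trusted (OT control above IT),
# following the "assign trust level 0 to the IT network" recommendation.
ZONES = {"10.1.1.0/24": ("IT", 0), "10.2.2.0/24": ("OT-Control", 2)}

# The Neo4j query from the post, parameterised: who talks to the WSUS server?
WSUS_CLIENTS_CYPHER = (
    "MATCH (c:Host)-[:CONNECTS_TO {port: 8530}]->(s:Host {ip: $server}) "
    "RETURN DISTINCT c.name ORDER BY c.name"
)


def load_connections(text):
    """Parse the CSV and collapse repeated polls of the same (host, server, port)."""
    seen = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"], row["remote_addr"], int(row["remote_port"]))
        seen.setdefault(key, row)  # keep the first sighting of each flow
    return list(seen.values())


def to_cypher(rows):
    """One MERGE statement per flow so re-importing a later CSV is idempotent."""
    return [
        "MERGE (c:Host {name: '%s'}) MERGE (s:Host {ip: '%s'}) "
        "MERGE (c)-[:CONNECTS_TO {port: %d, process: '%s'}]->(s)"
        % (r["host"], r["remote_addr"], int(r["remote_port"]), r["process"])
        for r in rows
    ]


def clients_of(rows, server_ip, port):
    """Offline equivalent of WSUS_CLIENTS_CYPHER over the parsed rows."""
    return sorted({r["host"] for r in rows
                   if r["remote_addr"] == server_ip and int(r["remote_port"]) == port})


def zone_of(ip, zones):
    addr = ipaddress.ip_address(ip)
    for cidr, zone in zones.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return ("unknown", 0)


def trust_zone_crossings(rows, zones):
    """Flows where a client is more trusted than the server it depends on:
    the management-application propagation problem from the BADministration post."""
    hits = []
    for r in rows:
        _, client_level = zone_of(r["local_addr"], zones)
        _, server_level = zone_of(r["remote_addr"], zones)
        if client_level > server_level:
            hits.append((r["host"], r["remote_addr"], int(r["remote_port"])))
    return hits
```

Feeding the MERGE statements to Neo4j and running WSUS_CLIENTS_CYPHER with `server` set to the WSUS address gives the same client list the post’s screenshot shows, and the HMI connecting to the IT WSUS server is the crossing to chase down.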

Example run of ThunderQuery from Cobalt Strike using execute-assembly.

Continue reading “Network Connection Footprinting with WMI and Neo4j”

Browser Pivot for Chrome

Hey all,

Today’s post is about Browser Pivoting with Chrome. For anyone unaware of Browser Pivoting, it’s a technique which essentially leverages an exploited system to gain access to the browser’s authenticated sessions. This is not a new technique; in fact, Raphael Mudge wrote about it in 2013. As detailed in the linked post, the Browser Pivot module for Cobalt Strike targets IE only and, as far as I know, cannot be used against Chrome. In this post we’re trying to achieve a similar result while taking a different approach – stealing the target’s Chrome profile in real time. Just an FYI, if you have the option to use Cobalt Strike’s Browser Pivot module instead, do so, it’s much cleaner.

You might be thinking – “why go through the trouble?” If I’ve exploited the system I can mimikatz or keylog to get the target’s credentials and by extension, the resources they have access to. Well, one major application that comes to mind is multi-factor authentication (MFA). Organizations are catching on that a single password alone is not nearly sufficient in protecting valued network resources, which is fantastic news! Personally, I have the opportunity to do offensive engagements on OT targets which often have multiple tiers of authentication and networking; it’s my generalization that MFA-less sites tend to fall much quicker than MFA sites – hours or days vs weeks or not at all, respectively. In my opinion, MFA at a security boundary is one of the most important security controls one can implement.

You also might be thinking – “here you are touting the potency of MFA, yet you are talking about hijacking MFA sessions”. Again, this technique has been around since 2013 and the specific code developed for this PoC is all publicly accessible. Advanced adversaries have access to and are most likely employing this technique. Our offensive engagements need to emulate these threats because that’s how we get better from a defensive standpoint – steel sharpens steel.

How To Defend

First off, if you’ve forced an attacker to go beyond traditional credential theft to gain access to critical network resources, congratulations! This walkthrough has quite a few (loud) indicators that can point to malicious activity. We’re starting and stopping services, modifying system32 files, modifying registry, creating and deleting VSS snapshots, and ending it with a remote desktop session to the target. All this activity can easily be detected.

What Does It Do?

High level, this PoC attempts to do the following:

  1. Modify the system to allow multiple Remote Desktop connections and remove RemoteApp restrictions.
  2. Using VSS, copy the target’s in-use Chrome profile to another file folder.
  3. Using RemoteApp and proxychains, remotely open a Chrome instance pointing to that copied profile path.
    • If you prefer, I think the profile could be copied over to the attacking VM and leveraged using proxychains and chromium. That being said, I would imagine this type of technique is time sensitive.

Continue reading “Browser Pivot for Chrome”

OT Network Attack Demonstration

Hey all,

Recently we put together an attack demonstration targeting our simulated lab OT network using a few of the tools that have been explored on this site. The video is linked at the bottom.

Some of the techniques employed are nasty, especially the Outlook hooking and WSUS angle. Regardless of the nastiness level, all these techniques are publicly available and in some cases have actively been used against our networks. However, there is good news: everything explored in this demonstration can be detected and thwarted with relative ease. Additionally, I’m going to link the ATT&CK identifiers in brackets where applicable.

Scenario

In this demonstration, our adversary is APT123 and is masquerading as Causenoevil.com, a local cybersecurity consulting company. They are targeting M2Generation.com, a power generation company. APT123 wants to take full control of OT systems and perform a DoS attack.

APT123 has a Cobalt Strike (S0154) team server and an attacking Windows 10 system accessible on the internet. During the demonstration we truncate the file transfer process and a few other non-sexy activities. Just an FYI, if you see a Windows 10 machine with a skull and crossbones, that is APT123’s system.

Initial Foothold

APT123 gains an initial foothold on the M2Generation enterprise network using a malicious macro inside an xls document (T1193, T1064, T1203). In the demonstration we take a look at the macro and see that it spawns a “legitimate” iexplore.exe process which automatically browses to causenoevil.com. Additionally, hidden from view, the macro also spawns an illegitimate iexplore.exe process while downloading and injecting shellcode via CreateRemoteThread. The macro code structure is pretty standard but it has been modified with our custom stager to bypass standard AV and traffic inspection.

Attackers love malicious macros and are actively using them. One or two clicks away from code execution with a widely used application garners attention. However, as defenders we have a plethora of options to protect our networks against this angle, to list a few:

Continue reading “OT Network Attack Demonstration”

Multi-Session RemoteApp

Hey all,

It’s been a while! Lately, I’ve been looking for something similar to browser pivoting but for Chrome. I went down a deep rabbit hole using Headless Chrome, Selenium, Puppeteer, and a few others I cannot remember. I was able to remotely control Chrome on an exploited system but was unable to get it to a point where I felt there was something worthwhile to post. That being said, I do think there is opportunity with Chrome Devtools; a post for another day I suppose.

In this post, I’m going to explore public information that shows how to modify a system to allow multiple remote desktop (RDP) sessions on workstation operating systems like Windows 10 and 7. This opens the door to establishing RemoteApp connections to a system which already has an active console session. When leveraging RemoteApp, the devil is in the details, so in later posts I’m going to explore potential engagement use cases.

How to Defend

Remote desktop is an action which is virtually always initiated by another user. Windows generates audit logs specifically for RDP sessions which can be used to potentially trigger alerts or investigation. In my opinion, security administrators should be looking for remote desktop sessions as attackers often leverage RDP to gain graphical access to exploited systems.

Just a thought, as an end user I also like the idea of creating a task that generates a popup or an email if a remote desktop connection is initiated.
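An added example, not from the post: Python detection logic over constructed TerminalServices-LocalSessionManager events that lists RDP logons and flags a workstation holding two active sessions at once, which is exactly what the multi-session modification produces and is also the loud remote desktop indicator that ends the Browser Pivot walkthrough above. Hosts, users, addresses and the workstation list are assumptions.

```python
import json

# Constructed events in the shape of the
# Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log:
# 21 = session logon, 23 = logoff, 24 = session disconnected, 25 = reconnection.
# Hosts, users and addresses are made up for this example.
SAMPLE_EVENTS = """\
{"EventID": 21, "Computer": "WS01", "User": "ingrid", "SessionID": 1, "Address": "LOCAL", "Time": "09:00:00"}
{"EventID": 21, "Computer": "WS02", "User": "bob", "SessionID": 1, "Address": "LOCAL", "Time": "09:05:00"}
{"EventID": 24, "Computer": "WS02", "User": "bob", "SessionID": 1, "Address": "LOCAL", "Time": "11:30:00"}
{"EventID": 21, "Computer": "WS02", "User": "bob", "SessionID": 2, "Address": "10.1.1.60", "Time": "11:30:01"}
{"EventID": 21, "Computer": "WS01", "User": "ingrid", "SessionID": 2, "Address": "10.1.1.77", "Time": "12:14:03"}
{"EventID": 21, "Computer": "SRV01", "User": "admin", "SessionID": 3, "Address": "10.1.1.50", "Time": "12:20:00"}
{"EventID": 24, "Computer": "WS01", "User": "ingrid", "SessionID": 2, "Address": "10.1.1.77", "Time": "12:40:00"}
"""

# Assumed asset list: workstation OSes allow only one interactive session.
WORKSTATIONS = {"WS01", "WS02"}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rdp_logons(events):
    """Every RDP logon or reconnect: the audit trail the post says to watch."""
    return [(e["Computer"], e["User"], e["Address"], e["Time"])
            for e in events if e["EventID"] in (21, 25) and e["Address"] != "LOCAL"]


def multi_session_alerts(events, workstations):
    """Replay session state per host. On an unmodified workstation an incoming
    RDP logon disconnects the console session first (event 24, as on WS02),
    so two sessions active at once (WS01) means the single-session limit was
    removed, which is the modification this post describes."""
    active = {}
    alerts = []
    for e in events:
        if e["Computer"] not in workstations:
            continue
        sessions = active.setdefault(e["Computer"], set())
        if e["EventID"] in (21, 25):
            sessions.add(e["SessionID"])
            if len(sessions) > 1:
                alerts.append((e["Computer"], e["Time"], sorted(sessions)))
        elif e["EventID"] in (23, 24):
            sessions.discard(e["SessionID"])
    return alerts


def report(text, workstations=WORKSTATIONS):
    events = parse_events(text)
    return {"rdp_logons": rdp_logons(events),
            "multi_session": multi_session_alerts(events, workstations)}
```

Either list is a reasonable trigger for the popup or e-mail task suggested above; the multi-session alert is the one that separates the patched workstation from ordinary RDP use.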

Continue reading “Multi-Session RemoteApp”

Leveraging WSUS – Part One

Hey all,

After an extended hiatus, I’m back. I was waylaid with OSCE training, exam writing, and overall frustration, but I’m going to brag for a second to say I passed :). The material was a bit dated but I was happy with the overall course and still learned quite a bit; I have nothing but good things to say about the guys over at Offensive Security. Anyways, to the blog post.

While at a conference I was speaking with some colleagues about leveraging WSUS from an offensive standpoint. I was aware of WSUSpect but unaware of any type of attack that could leverage existing WSUS server access. While researching I came across WSUSpendu and was surprised that I hadn’t heard of it before. WSUSpendu is a powershell script that can deploy updates to update clients to get remote code execution. Two applications come to mind when employing this type of technique.

  • Escalating to Domain Administrator
  • Attacking Downstream WSUS Servers

How often have you seen a WSUS group policy pushed out to all systems, including domain controllers, via GPO? I see it quite often. If the domain controller happens to be an update client and you have WSUS server access, you’re a domain administrator.

WSUSpendu can deploy updates, create and delete WSUS groups, assign computers to groups, and delete updates. To keep in line with the new hotness, I re-wrote WSUSpendu in C#.

How To Defend

The key to defending against this technique is understanding it: the restrictions, what a malicious update looks like, the exposure that comes from trusting a WSUS server for updates, and the security controls that can work in unison with those restrictions.

One restriction, for example, is that any files deployed from WSUS need to be digitally signed by a trusted authority like Microsoft. WSUSpendu recommended using PsExec or BGInfo with command-line arguments for remote code execution. This is a significant restriction if an attacker is trying to cross a security boundary. For part two, I’m going to play around with alternative payloads to mix it up a bit.

Continue reading “Leveraging WSUS – Part One”

The ICS Perimeter – A Line in the Sand

Hey all,

This is going to be a non-technical post, so if you’re looking for some sort of tool or walkthrough this post probably isn’t for you. I’m going to make an argument that the perimeter for Industrial Control Systems (ICS) is one of, if not the, most important security control. I understand that some might see this as an antiquated way of thinking and are probably calling me a dinosaur. My response is to read below, and that I think of myself more as a crustacean from the Proterozoic era looking for about tree-fiddy.

I have the opportunity to do offensive and defensive work for Critical Infrastructure. Critical Infrastructure (Utilities, Generation, Transmission, O&G, etc.) is an interesting industry from a cybersecurity standpoint. In the Enterprise space, cybersecurity is often viewed as risk mitigation. For example, our organization makes $1B dollars, the consequences of a cyber-incident are ABC, our threats are XYZ; therefore, we’re going to spend $1M dollars. Just like in the Enterprise space, Critical Infrastructure sites vary vastly in size and revenue. I’ve seen sites with one person handling all IT administration and cybersecurity to sites with large, fully financed security teams. Regardless of size, staffing, and solutions implemented, Critical Infrastructure usually has one thing in common – the extreme consequence of a security incident can be loss of life.

What is my point? Resources for cybersecurity at Critical Infrastructure can be limited while the consequences are severe. Why is that important? Well I imagine it could be overwhelming trying to secure Critical Infrastructure. Also, the next thing I’m going to say might ruffle some feathers so I wanted to give a bit of context.

The Industrial Control Systems (ICS) perimeter is one of the most important security controls when it comes to Critical Infrastructure … I can hear your collective moan from here. You say – “Nearly every security professional has adopted the ‘assume breach’ mantra, you’re taking us back years!”; my reply is to finish this paragraph. I understand why one needs to assume breach in the Enterprise space. The internet is a cesspool with exploits flying around, nasty emails, C2 traffic, etc. Enterprise infosec has to deal with thousands of end users reaching out to the internet, downloading junk and having junk land in their inboxes, each with an itchy trigger finger. Your perimeter will be breached, and it will be breached often. However, what if I told you that in order to breach your perimeter you had to come through one of five endpoints? Welcome to Critical Infrastructure networks.

Continue reading “The ICS Perimeter – A Line in the Sand”

Schtasks without Schtasks.exe via Reflective DLL

Hey all,

I’m back from Vegas and trying to work off all those late nights and delicious beers. Before I get down to business, I want to talk about the training I attended at Black Hat. My colleague and I had the opportunity to attend SpecterOps’ Red Team Ops training and it was absolutely fantastic. I doubt any of the SpecterOps crew will read my humble blog, but if for some reason you find yourself here – thank you, it was terrific.

Windows services get a lot of attention. There is a reason why PSExec is a mainstay when laterally moving – it works, it’s stable, and it brings you in on a privileged session; however, it’s noisy. So I put together a reflective DLL which accomplishes the same thing but using scheduled tasks instead, while not calling schtasks.exe. It’s a similar level of noisy, but in my opinion it’s less likely to attract attention and it’s an alternative option.

I think there are quite a few potential applications for this code. Lateral movement is one. Including persistence in your custom foothold payload without calling schtasks.exe might be another. Using it to start a SYSTEM session could also be a use case.

The code includes a reflective DLL and an Aggressor script. The Aggressor script takes care of uploading the binary and calling the DLL. The DLL creates, executes, and deletes the scheduled task. Everything is pretty well commented, so if you’re averse to writing a binary you could execute a one-liner instead. **NOTE** The Aggressor script or DLL will not clean up the binary; that is on you.

You can find the code at https://github.com/ThunderGunExpress/Reflective_Schtasks

Once again, this is skeleton code and has the following limitations:

  • Use an IP address for remote targets and 127.0.0.1 for local targets
  • If running against a local target you’ll need to be in a high integrity context
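As an added defensive example (not the Reflective_Schtasks code), this Python snippet pairs Security log 4698 (task created) and 4699 (task deleted) events for the same task name and reports tasks that lived only seconds, recovering the command from the task XML. Neither event records which process created the task, so the pairing catches the create-execute-delete pattern whether or not schtasks.exe was involved. Event values, task names and paths are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Task Scheduler XML namespace used in the TaskContent field of event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions; the paths and names are made up.
DROPPED_TASK = (
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<Actions><Exec><Command>C:\\Windows\\Temp\\svc.exe</Command>'
    '<Arguments>-k netsvcs</Arguments></Exec></Actions></Task>'
)
DEFRAG_TASK = (
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>'
    '<Arguments>-c -h</Arguments></Exec></Actions></Task>'
)

# Constructed Security log events: 4698 = task created, 4699 = task deleted.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "WS01", "SubjectUserName": "ingrid",
     "TaskName": "\\Updater", "Time": "2019-01-01 12:00:00",
     "TaskContent": DROPPED_TASK},
    {"EventID": 4698, "Computer": "WS01", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Time": "2019-01-01 12:00:05", "TaskContent": DEFRAG_TASK},
    {"EventID": 4699, "Computer": "WS01", "SubjectUserName": "ingrid",
     "TaskName": "\\Updater", "Time": "2019-01-01 12:00:09"},
]


def task_command(task_xml):
    """Pull the Exec action (command and arguments) out of the task XML."""
    root = ET.fromstring(task_xml)
    cmd = root.find("t:Actions/t:Exec/t:Command", NS)
    args = root.find("t:Actions/t:Exec/t:Arguments", NS)
    return (cmd.text if cmd is not None else "",
            args.text if args is not None else "")


def short_lived_tasks(events, max_seconds=60):
    """Pair each 4699 with the earlier 4698 for the same host and task name.
    A task that exists for only seconds is the create-run-delete pattern,
    whichever API created it."""
    pending = {}
    hits = []
    for e in events:
        key = (e["Computer"], e["TaskName"])
        when = datetime.strptime(e["Time"], "%Y-%m-%d %H:%M:%S")
        if e["EventID"] == 4698:
            pending[key] = (when, e)
        elif e["EventID"] == 4699 and key in pending:
            created_at, created = pending.pop(key)
            lifetime = (when - created_at).total_seconds()
            if lifetime <= max_seconds:
                cmd, args = task_command(created["TaskContent"])
                hits.append({"computer": e["Computer"], "task": e["TaskName"],
                             "creator": created["SubjectUserName"],
                             "lifetime_s": lifetime, "command": cmd,
                             "arguments": args})
    return hits
```

Both events require the "Audit Other Object Access Events" subcategory to be enabled; without it the pairing has nothing to read.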

Custom Stager – C# & PHP Payload

Hey all,

The first payload through the front door has a tough job. Consider all the security products specifically made to scrutinize its footprint on both the endpoint and network, life is not easy. Personally, I like to get a bit more visibility into who (or what) is executing payloads. To get that additional visibility, I slapped together a janky C# payload with a PHP delivery program.

Code – https://github.com/ThunderGunExpress/CustomStager

How to Defend

Defense in depth. Standard AV won’t detect this, but I would expect the more advanced products might. AWL will definitely block this from executing. NGFW won’t detect the custom stager but might detect the subsequent C2 stager. Manual network traffic analysis and poking at updates.php will uncover its purpose pretty quickly. It’s the same old cat and mouse game – people are going to run executable code; as security professionals we have to ensure that we increase the chance of detection.

So at the moment, I’ve only tested this with a staged payload. Why would one want to stage a stager? Well number one, we’re injecting directly into memory with custom written software, so we’ll bypass a good deal of endpoint protection software. Number two, visibility and control.

We’re all security professionals here, so I’m not going to do a deep dive on visibility and control examples but a few come to mind:

  • Determine if something like a NGFW is dropping your C2 staging traffic. For Cobalt Strike users, check out the following.
  • Control who is delivered exploitation code based on username, email address, or whatever … the possibilities are endless with C#
  • Avoid delivery to hostile machines.

So this is skeleton code waiting to be built upon. It could be used in an Office macro or maybe an MSI. Here is a quick rundown of the C# program.

  1. Get the version from updates.php while sending the username to the web server. This is where you would add logic to the payload delivery system.
  2. Grab and parse the appropriate bitness payload
  3. Create a thread in the current process with the parsed shellcode

The single-spaced shellcode is read from payload_x86.xyz or payload_x64.xyz, which is in the same directory as updates.php. Note the “|” which will be at the head and tail of the shellcode; it’s required by the C# payload. The shellcode can be crafted via something like Cobalt Strike, msfvenom, or whatever.

OutlookToolbox v2 – Now With Less Meh

Hey all,

This post is a revisit to a tool that was introduced in 2017 – OutlookToolbox. When the code was published I was happy with the overall functionality but unhappy with the execution. I wanted to write a C# DLL and forced the implementation. The old version used rundll32 to access C# functions which were exported using Robert Giesecke’s Unmanaged Exports. The final result was a DLL and Aggressor script that wrote the DLL to disk and received status updates via txt files; so janky. Well, enter Cobalt Strike’s new feature – in-memory .NET assembly execution. Long story short, we can run OutlookToolbox in-memory with only the odd csv or msg file ever touching the disk.

Code – https://github.com/ThunderGunExpress/OutlookToolbox_v2

What It Is

A C# console application that interfaces with Outlook in the background.

How to Defend

Sophisticated threat actors are using this tactic. They are harvesting our emails for information that allows them to get closer to their objectives. The good news is that we can control how external background access to Outlook is handled – see Microsoft’s link here. If I recall correctly, if Outlook is set to Always warn me about suspicious activity, the tool will stop during the SanityCheck (anti-popup) function. OutlookToolbox will do just fine with the other two configurations; the check-AV one is the default.

Features

  • SanityCheck – Checks Outlook’s popup configuration (via registry and wmi) and attempts to determine if interfacing with Outlook will cause a popup.
  • EnumerateFolders – Lists all the folders within Outlook (inbox, sent items, conversation history, and so on).
  • FolderToCSV – Exports all the contents of a folder to CSV, including fields such as From, To, and Type (it can get at Lync messages). The message’s body is truncated to 1000 characters.
  • ExportMessage – Exports target email or collection of emails from a specific sender.
  • EnumerateTarget – Check the GAL for target user’s details like manager, colleagues (reports to same manager), title, and alias. Could be used in conjunction with EmailPivot.
  • EmailPivot – Sends a crafted email on behalf of the target session. Great for getting in that trust chain (or whatever it’s called) between two people. Also has the ability to send replies from the TO user directly to deleted items with Outlook rules. Don’t do this unless you absolutely know what you are doing. Clean up could be difficult and it’s incredibly nasty.

Check out the old OutlookToolbox post for screenshots. There are some minor changes but the UI is pretty much the same.