BADministration – Acronis

Hey all,

This is another post in the BADministration series where we’ll be exploring Acronis Backup from an offensive standpoint. As always, before going further, one thing I would like to make clear – this is not an Acronis issue or vulnerability. This post instead discusses features and architecture issues, similar to spanning a trusted domain to a less-trusted network. Also once again, a shout-out to CherryDarkness for all the help. Video is at the bottom.

BADministration – https://github.com/ThunderGunExpress/BADministration

1

Gaining access to the backup solution can be critical during an offensive engagement. Any account with access to a backup share (or server) can mount images to read information from the backed up filesystem, and by extension, local system hashes. These shares or servers can provide an attacker with a potential escalation path, or at a minimum, privileged information about the organization’s security and administrative configurations. However, this post is not about leveraging backup shares, it’s about leveraging the backup server itself!

Other related offsec management application posts:

Application Segmentation

Similar to other administration applications like AV and NMS, backup servers and clients share a trusted relationship. As defenders, it’s not enough to protect critical networks or systems as singular objects; instead, we need to defend their associations as well. For example, if we have a critical OT network, we need to understand all external associations, how they could be maliciously leveraged, and defend them appropriately.

Application segmentation isn’t a new topic, but it’s one that often goes unnoticed. As exploitation of modern apps and OSes becomes more difficult, attackers will increasingly look to inject themselves into the administration chain. For OT networks (and IT aspects), it’s my opinion that the old approach of assessing externally accessible dataflows for known technical vulnerabilities is no longer sufficient. We need to extend our network assessment and segmentation approach to domains, applications, and platforms. As application segmentation is a standalone post, I’ll link it here when it gets done.

3

For Acronis specific controls, access to the management server is controlled by three Windows’ local groups created at installation.

4

In my testing, removing the compromised account from the Acronis Centralized Admins group nullified all BADministration modules (all Acronis management access as well). Furthermore, it appears you can create organizational units to segment administration, but if you’re planning on going down that road I strongly recommend looking at the Acronis Admin Guide instead, rather than listening to some rando on the internet. As an exposure takeaway, if one of the following is compromised, all associated clients will be compromised by extension:

  • Acronis Management Server
  • Any account with local administrator access to the Acronis Management Server
  • Any account with membership to the local Acronis Centralized Admins group on the Acronis Management Server

And also, here is an interesting tidbit that probably warrants further research for another day (comes with the Acronis installation).

5

Current Acronis Modules

2

  • enumerate – Enumerates all Acronis clients
  • list_policy – Lists all backup policies. Initially constructed to check if the BADministration policy was successfully deleted after RCE; however, it could be modified to display share path and other interesting backup details.
  • remove_policy – Removes the hardcoded “CPL_Backup” policy.
  • client_command – Will attempt to back up c:\users\default\ntuser.dat to c:\users\public\thisisatemp while executing the specified BADministration command as a pre-backup command and subsequently deleting the thisisatemp directory as a post-backup command. However, a word of warning, the post-backup command doesn’t always execute correctly, sometimes there will be an empty c:\users\public\thisisatemp directory left behind.

Testing was done on Acronis Backup 12.5. Also, we took a run at a new UI via cmd. This is a humble side project for Cherry and I with learning being one of our primary goals, I’m sure there are quite a few bugs so be kind with your roasting.

Video!

Sorry for the constant choppy highlighting!

BADministration – McAfee ePO

Hey all,

I hope all is well and everyone is enjoying their Summer2019! It’s that time of year again, conference season. I’m looking forward to Las Vegas to enjoy some delicious beers, put on about five pounds, and feel woefully inadequate due to all the badass intelligent people I hopefully will meet! I’m pretty out-of-the-loop when it comes to these things, so if there are any must attend meetups or anything like that, please let me know on twitter.

This post is about BADministration and leveraging McAfee ePO from an offensive standpoint. Before going further, one thing I would like to make clear – this is not a McAfee issue or vulnerability. This post instead discusses features and architecture issues, similar to spanning a trusted domain to a less-trusted network. Also once again, a shout-out to CherryDarkness for all the help.

BADministration – https://github.com/ThunderGunExpress/BADministration

2.jpg

Other related offsec management application posts:

Continue reading “BADministration – McAfee ePO”

BADministration – Solarwinds

Hey all,

I hope all is well, it’s been a while! This post is going to discuss application propagation and introduce BADministration, a tool a colleague (@DarknessCherry) and I are currently putting together. More specifically, we’re going to be looking at how one could leverage SolarWinds Orion server from an offensive standpoint. Before going further, one thing I would like to make clear – this is not a Solarwinds issue or vulnerability. This post instead discusses features and architecture issues, similar to spanning a trusted domain to a less-trusted network.

Application propagation, improper application segmentation, or whatever you call it, is the act of reusing management applications across differing trust zones. This is especially relevant to OT environments as we often see IT management applications reused or propagated to the OT systems. The consequences of this type of spanning is if an attacker lands on that IT management server they most likely have privileged access to all its clients, including the OT systems. Breaching the IT/OT boundary or escaping the OT DMZ in this fashion is far too easy.

A perfect example of leveraging an administration application to attack clients is WSUSpendu, a powershell script which can deploy Windows updates to clients via WSUS. This type of attack is exacerbated if the WSUS server serves updates to more trusted networks, video example here – ijwrtpost.

BADministration – https://github.com/ThunderGunExpress/BADministration

2

How to Defend

To put it simply, when dealing with a critical trust boundary like the IT/OT, segment applications similar to how networks or domains are segmented. Attackers are looking to management applications which have server —control—> client relationships throughout the environment to find slip-ups by defenders. If those management applications serve clients which are a higher trust than the server, you have an issue. For example, if your domain controller has the keys to the kingdom and it’s a client of the NMS server, by extension the NMS server probably has access to the keys to the kingdom as well.

I find the IT/OT relationship is an interesting one. IT security budget often exceeds the OT security budget but OT is the more critical environment, which makes this recommendation weird – assign trust level 0 to the IT network. From an OT perspective, be wary of any delegated administration or authentication, not because their security is shit (it’s often real good), but instead because it’s out of your control. Also, the IT environment and most of its servers are often one or two hops away from the internet, a non-requirement for OT environments.

In my travels I often see one critical OT architectural flaw time and time again: the OT DMZ serves as a semi-trusted intermediary / management zone. The intermediary part is good; however, having management applications with critical OT clients is not. Unfortunately, deep diving this issue is out-of-scope for this post but for now, I’m going to toss out the idea of an Admin OT network which has one-way communications into the DMZ and Critical Control environments (old news to some, I’m sure). When configured correctly this type of configuration can be extremely potent, but the devil is in the details … post for another day.

Drawing2

Continue reading “BADministration – Solarwinds”

Network Connection Footprinting with WMI and Neo4j

Hey all,

This post is about remotely enumerating established TCP connections via WMI and importing that data into a Neo4j databaseNeo4j is a graph database application which is great for graphically displaying relationships between data. If the name sounds familiar it might be because you have leveraged it while using BloodHound. Nowhere near the same level, this post will be using the built-in Neo4j desktop to display relationships in a simple way. Below is example output of a Neo4j query to determine clients connecting to a WSUS server over TCP/8530.

ThunderQuery3.jpgEnumerating network communications can provide valuable information regardless if you’re on the offensive or defensive side. Offensively, enumerating dataflows can uncover new networks outside initial visibility or establish critical systems as wedge points into other networks. Defensively, enumerating dataflows is good practice to identify all sorts of malicious traffic; however, I would imagine defenders have much more advanced tools than this.

In the past I’ve seen netstat performed remotely using something like PsExec. In my opinion, this is a bit overkill and generates quite a bit of noise, so I tried to take an alternative route. ThunderQuery, is a C# application that will continuously enumerate established TCP connections via WMI. ThunderQuery will poll the provided list of targets and generate two CSV files (locally, so beware): profiles.csv and networkconnections.csv. Profiles.csv has system information of each polled target while networkconnections.csv has established TCP connections and is continuously appended to. See the github page for further details … I wrote a README this time!

Example run of ThunderQuery from Cobalt Strike using execute-assembly.

ThunderQuery.jpg

Continue reading “Network Connection Footprinting with WMI and Neo4j”

Browser Pivot for Chrome

Hey all,

Today’s post is about Browser Pivoting with Chrome. For anyone unaware of Browser Pivoting, it’s a technique which essentially leverages an exploited system to gain access to the browser’s authenticated sessions. This is not a new technique, in fact, Raphael Mudge wrote about it in 2013. Detailed in the linked post, the Browser Pivot module for Cobalt Strike targets IE only, and as far as I know, cannot be used against Chrome. In this post we’re trying to achieve a similar result while taking a different approach – stealing the target’s Chrome profile in real time. Just a FYI, if you have the option to use Cobalt Strike’s Browser Pivot module instead, do so, it’s much cleaner.

You might be thinking – “why go through the trouble?” If I’ve exploited the system I can mimikatz or keylog to get the target’s credentials and by extension, the resources they have access to. Well, one major application that comes to mind is multi-factor authentication (MFA). Organizations are catching on that a single password alone is not nearly sufficient in protecting valued network resources, which is fantastic news! Personally, I have the opportunity to do offensive engagements on OT targets which often have multiple tiers of authentication and networking; it’s my generalization that MFA-less sites tend to fall much quicker than MFA sites – hours or days vs weeks or not at all, respectively. In my opinion, MFA at a security boundary is one of the most important security controls one can implement.

You also might be thinking – “here you are touting the potency of MFA, yet you are talking about hijacking MFA sessions”. Again, this technique has been around since 2013 and the specific code developed for this PoC is all publicly accessible. Advanced adversaries have access to and are most likely employing this technique. Our offensive engagements need to emulate these threats because that’s how we get better from a defensive standpoint – steel sharpens steel.

How To Defend

First off, if you’ve forced an attacker to go beyond traditional credential theft to gain access to critical network resources, congratulations! This walkthrough has quite a few (loud) indicators that can point to malicious activity. We’re starting and stopping services, modifying system32 files, modifying registry, creating and deleting VSS snapshots, and ending it with a remote desktop session to the target. All this activity can easily be detected.

What Does It Do?

High level, this PoC attempts to do the following:

  1. Modify the system to allow multiple Remote Desktop connections and remove RemoteApp restrictions.
  2. Using VSS, copy the target’s in-use Chrome profile to another file folder.
  3. Using RemoteApp and proxychains, remotely open a Chrome instance pointing to that copied profile path.
    • If you prefer, I think the profile could be copied over to the attacking VM and leveraged using proxychains and chromium. That being said, I would imagine this type of technique is time sensitive.

Continue reading “Browser Pivot for Chrome”

OT Network Attack Demonstration

Hey all,

Recently we put together an attack demonstration targeting our simulated lab OT network using a few of the tools that have been explored on this site. The video is linked at the bottom.

Some of the techniques employed are nasty, especially the Outlook hooking and WSUS angle. Regardless of the nastiness level, all these techniques are publicly available and in some cases, have actively been used against our networks. However there is good news, everything explored in this demonstration can be detected and thwarted with relative ease. Additionally, I’m going to link the ATT&CK identifiers in brackets where applicable.

Scenario

In this demonstration, our adversary is APT123 and is masquerading as Causenoevil.com, a local cybersecurity consulting company. They are targeting M2Generation.com, a power generation company. APT123 wants to take full control of OT systems and perform a DoS attack.

APT123 has a Cobalt Strike (S0154) team server and an attacking Windows 10 system accessible on the internet. During the demonstration we truncate the file transfer process and a few other non-sexy activities. Just a FYI, if you see a Windows 10 machine with a skull and crossbones, that is APT123’s system.

Initial Foothold

APT123 gains a initial foothold on the M2Generation enterprise network using a malicious macro inside an xls document (T1193, T1064, T1203). In the demonstration we take a look at the macro and see that it spawns a “legitimate” iexplore.exe process which automatically browses to causenoevil.com. Additionally, hidden from view the macro also spawns an illegitimate iexplore.exe process while downloading and injecting shellcode via createremotethread. The macro code structure is pretty standard but it has been modified with our custom stager to bypass standard AV and traffic inspection.

Picture1.jpg

Attackers love malicious macros and are actively using them. One or two clicks away from code execution with a widely used application garners attention. However, as defenders we have a plethora of options to protect our networks against this angle, to list a few:

Continue reading “OT Network Attack Demonstration”

Multi-Session RemoteApp

Hey all,

It’s been a while! Lately, I’ve been looking for something similar to browser pivoting but for Chrome. I went down a deep rabbit hole using Headless Chrome, Selenium, Puppeteer, and a few others I cannot remember. I was able to remotely control Chrome on an exploited system but was unable to get it to a point where I felt there was something worthwhile to post. That being said, I do think there is opportunity with Chrome Devtools; a post for another day I suppose.

In this post, I’m going to explore public information that shows how to modify a system to allow multiple remote desktop (RDP) sessions on workstation Operating Systems like Windows 10 and 7. This opens the door to establish RemoteApp connections to a system which already has an active console session. With leveraging RemoteApp, the devil is in the details, so in later posts I’m going to explore potential engagement use cases.

How to Defend

Remote desktop is an action which is virtually always initiated by another user. Windows generates audit logs specifically for RDP sessions which can be used to potentially trigger alerts or investigation. In my opinion, security administrators should be looking for remote desktop sessions as attackers often leverage RDP to gain graphical access to exploited systems.

pic10.jpg

Just a thought, as an end user I also like the idea of creating a task that generates a popup or an email if a remote desktop connection is initiated.

Continue reading “Multi-Session RemoteApp”

Leveraging WSUS – Part One

Hey all,

After an extended hiatus, I’m back. I was waylaid with OSCE training, exam writing, and overall frustration, but I’m going to brag for a second to say I passed :). The material was a bit dated but I was happy with the overall course and still learned quite a bit; I have nothing but good things to say about the guys over at Offensive Security. Anyways, to the blog post.

While at a conference I was speaking with some colleagues about leveraging WSUS from an offensive standpoint. I was aware of WSUSpect but unaware of any type of attack that could leverage existing WSUS server access. While researching I came across WSUSpendu and was surprised that I hadn’t heard of it before. WSUSpendu is a powershell script that can deploy updates to update clients to get remote code execution. Two applications come to mind when employing this type of technique.

  • Escalating to Domain Administrator
  • Attacking Downstream WSUS Servers

How often have you seen a WSUS group policy pushed out to all systems including domain controllers via GPO? I see it quite often. If the domain controller happens to be an update client and you have WSUS server access, you’re domain administrator.

WSUSpendu can deploy updates, create and delete WSUS groups, assign computers to groups, and delete updates. To keep inline with the new hotness, I re-wrote WSUSpendu in C#.

Links

How To Defend

The key to defending this technique is understanding it. Understanding the restrictions, what a malicious update looks like, the exposure of trusting a WSUS server for updates, and understanding security controls that can work in unison with those restrictions.

One restriction for example is, any files deployed from WSUS need to be digitally signed by a trusted authority like Microsoft. WSUSpendu recommended using psexec or bginfo with command-line arguments for remote code execution. This is a significant restriction if an attacker is trying to cross a security boundary. For part two, I’m going to play around with alternative payloads to mix it up a bit.

Continue reading “Leveraging WSUS – Part One”

The ICS Perimeter – A Line in the Sand

Hey all,

This is going to be a non-technical post, so if you’re looking for some sort of tool or walkthrough this post probably isn’t for you. I’m going to make an argument that the perimeter for Industrial Control Systems (ICS) is one of if not the most important security control. I understand that some might see this as antiquated way of thinking and are probably calling me a dinosaur. My response is to read below and that I think of myself more as a crustacean from the Proterozoic era looking for about tree-fiddy.

I have the opportunity to do offensive and defensive work for Critical Infrastructure. Critical Infrastructure (Utilities, Generation, Transmission, O&G, etc.) is an interesting industry from a cybersecurity standpoint. In the Enterprise space, cybersecurity is often viewed as risk mitigation. For example, our organization makes $1B dollars, the consequences of a cyber-incident is ABC, our threats are XYZ; therefore, we’re going to spend $1M dollars. Just like in the Enterprise space, Critical Infrastructure sites vastly vary in size and revenue. I’ve seen sites with one person handling all IT administration and cybersecurity to sites with large fully financed security teams. Regardless of size, staffing, and solutions implemented; Critical Infrastructure usually has one thing in common – the extreme consequence of a security incident can result in loss of life.

What is my point? Resources for cybersecurity at Critical Infrastructure can be limited while the consequences are severe. Why is that important? Well I imagine it could be overwhelming trying to secure Critical Infrastructure. Also, the next thing I’m going to say might ruffle some feathers so I wanted to give a bit of context.

The Industrial Control Systems (ICS) perimeter is one of the most important security controls when it comes to Critical Infrastructure … I can hear your collective moan from here. You say – “Nearly every security professional has adopted the ‘assume breach’ mantra, you’re taking us back years!”, my reply is to finish this paragraph. I understand why one needs to assume breach in the Enterprise space. The internet is a cesspool with exploits flying around, nasty emails, C2 traffic, etc. Enterprise infosec has to deal with thousands of end users reaching out to the internet downloading junk and having junk land in their inboxes each with an itchy trigger finger. Your perimeter will be breached and it will be breached often. However, what if I told you, that in order to breach your perimeter you had to come through one of five endpoints, welcome to Critical Infrastructure networks.

Drawing1.jpg

Continue reading “The ICS Perimeter – A Line in the Sand”

Schtasks without Schtasks.exe via Reflective DLL

Hey all,

I’m back from Vegas and trying to work off all those late nights and delicious beers. Before I get down to business, I want to talk about the training I attended at Black Hat. My colleague and I had the opportunity to attend SpecterOps’ Red Team Ops training and it was absolutely fantastic. I doubt any the SpecterOps crew will read my humble blog, but if for some reason you find yourself here – thank you, it was terrific.

Windows services get a lot of attention. There is a reason why PSExec is a mainstay when laterally moving – it works, it’s stable, and it brings you in on a privileged session; however, it’s noisy. So I put together a reflective DLL which accomplishes the same thing but using scheduled tasks instead, while not calling schtasks.exe. It’s a similar level of noisy, but in my opinion it’s less likely to attract attention and it’s an alternative option.

I think there are quite a few potential applications for this code. Lateral movement is one. Including persistence in your custom foothold payload without calling schtasks.exe might be another. Using it to start a SYSTEM session could also be a use case.

The code includes a reflective DLL and an Aggressor script. The Aggressor script takes care of uploading the binary and calling the DLL. The DLL creates, executes, and deletes the scheduled task. Everything is pretty commented so if you’re adverse to writing a binary you could execute a one-liner instead. **NOTE** The Aggressor script or DLL will not clean up the binary, that is on you.

Drawing1.jpg

You can find the code at https://github.com/ThunderGunExpress/Reflective_Schtasks

Drawing2

Once again, this is skeleton code and has the following limitations:

  • Use an IP address for remote targets and 127.0.0.1 for local targets
  • If running against a local target you’ll need to be in a high integrity context