This post is about remotely enumerating established TCP connections via WMI and importing that data into a Neo4j database. Neo4j is a graph database application which is great for graphically displaying relationships between data. If the name sounds familiar it might be because you have leveraged it while using BloodHound. Nowhere near the same level, this post will be using the built-in Neo4j desktop to display relationships in a simple way. Below is example output of a Neo4j query to determine clients connecting to a WSUS server over TCP/8530.
Enumerating network communications can provide valuable information regardless if you’re on the offensive or defensive side. Offensively, enumerating dataflows can uncover new networks outside initial visibility or establish critical systems as wedge points into other networks. Defensively, enumerating dataflows is good practice to identify all sorts of malicious traffic; however, I would imagine defenders have much more advanced tools than this.
In the past I’ve seen netstat performed remotely using something like PsExec. In my opinion, this is a bit overkill and generates quite a bit of noise, so I tried to take an alternative route. ThunderQuery, is a C# application that will continuously enumerate established TCP connections via WMI. ThunderQuery will poll the provided list of targets and generate two CSV files (locally, so beware): profiles.csv and networkconnections.csv. Profiles.csv has system information of each polled target while networkconnections.csv has established TCP connections and is continuously appended to. See the github page for further details … I wrote a README this time!
Example run of ThunderQuery from Cobalt Strike using execute-assembly.
Continue reading “Network Connection Footprinting with WMI and Neo4j”
Today’s post is about Browser Pivoting with Chrome. For anyone unaware of Browser Pivoting, it’s a technique which essentially leverages an exploited system to gain access to the browser’s authenticated sessions. This is not a new technique, in fact, Raphael Mudge wrote about it in 2013. Detailed in the linked post, the Browser Pivot module for Cobalt Strike targets IE only, and as far as I know, cannot be used against Chrome. In this post we’re trying to achieve a similar result while taking a different approach – stealing the target’s Chrome profile in real time. Just a FYI, if you have the option to use Cobalt Strike’s Browser Pivot module instead, do so, it’s much cleaner.
You might be thinking – “why go through the trouble?” If I’ve exploited the system I can mimikatz or keylog to get the target’s credentials and by extension, the resources they have access to. Well, one major application that comes to mind is multi-factor authentication (MFA). Organizations are catching on that a single password alone is not nearly sufficient in protecting valued network resources, which is fantastic news! Personally, I have the opportunity to do offensive engagements on OT targets which often have multiple tiers of authentication and networking; it’s my generalization that MFA-less sites tend to fall much quicker than MFA sites – hours or days vs weeks or not at all, respectively. In my opinion, MFA at a security boundary is one of the most important security controls one can implement.
You also might be thinking – “here you are touting the potency of MFA, yet you are talking about hijacking MFA sessions”. Again, this technique has been around since 2013 and the specific code developed for this PoC is all publicly accessible. Advanced adversaries have access to and are most likely employing this technique. Our offensive engagements need to emulate these threats because that’s how we get better from a defensive standpoint – steel sharpens steel.
How To Defend
First off, if you’ve forced an attacker to go beyond traditional credential theft to gain access to critical network resources, congratulations! This walkthrough has quite a few (loud) indicators that can point to malicious activity. We’re starting and stopping services, modifying system32 files, modifying registry, creating and deleting VSS snapshots, and ending it with a remote desktop session to the target. All this activity can easily be detected.
What Does It Do?
High level, this PoC attempts to do the following:
- Modify the system to allow multiple Remote Desktop connections and remove RemoteApp restrictions.
- Using VSS, copy the target’s in-use Chrome profile to another file folder.
- Using RemoteApp and proxychains, remotely open a Chrome instance pointing to that copied profile path.
- If you prefer, I think the profile could be copied over to the attacking VM and leveraged using proxychains and chromium. That being said, I would imagine this type of technique is time sensitive.
Continue reading “Browser Pivot for Chrome”
Recently we put together an attack demonstration targeting our simulated lab OT network using a few of the tools that have been explored on this site. The video is linked at the bottom.
Some of the techniques employed are nasty, especially the Outlook hooking and WSUS angle. Regardless of the nastiness level, all these techniques are publicly available and in some cases, have actively been used against our networks. However there is good news, everything explored in this demonstration can be detected and thwarted with relative ease. Additionally, I’m going to link the ATT&CK identifiers in brackets where applicable.
In this demonstration, our adversary is APT123 and is masquerading as Causenoevil.com, a local cybersecurity consulting company. They are targeting M2Generation.com, a power generation company. APT123 wants to take full control of OT systems and perform a DoS attack.
APT123 has a Cobalt Strike (S0154) team server and an attacking Windows 10 system accessible on the internet. During the demonstration we truncate the file transfer process and a few other non-sexy activities. Just a FYI, if you see a Windows 10 machine with a skull and crossbones, that is APT123’s system.
APT123 gains a initial foothold on the M2Generation enterprise network using a malicious macro inside an xls document (T1193, T1064, T1203). In the demonstration we take a look at the macro and see that it spawns a “legitimate” iexplore.exe process which automatically browses to causenoevil.com. Additionally, hidden from view the macro also spawns an illegitimate iexplore.exe process while downloading and injecting shellcode via createremotethread. The macro code structure is pretty standard but it has been modified with our custom stager to bypass standard AV and traffic inspection.
Attackers love malicious macros and are actively using them. One or two clicks away from code execution with a widely used application garners attention. However, as defenders we have a plethora of options to protect our networks against this angle, to list a few:
Continue reading “OT Network Attack Demonstration”
It’s been a while! Lately, I’ve been looking for something similar to browser pivoting but for Chrome. I went down a deep rabbit hole using Headless Chrome, Selenium, Puppeteer, and a few others I cannot remember. I was able to remotely control Chrome on an exploited system but was unable to get it to a point where I felt there was something worthwhile to post. That being said, I do think there is opportunity with Chrome Devtools; a post for another day I suppose.
In this post, I’m going to explore public information that shows how to modify a system to allow multiple remote desktop (RDP) sessions on workstation Operating Systems like Windows 10 and 7. This opens the door to establish RemoteApp connections to a system which already has an active console session. With leveraging RemoteApp, the devil is in the details, so in later posts I’m going to explore potential engagement use cases.
How to Defend
Remote desktop is an action which is virtually always initiated by another user. Windows generates audit logs specifically for RDP sessions which can be used to potentially trigger alerts or investigation. In my opinion, security administrators should be looking for remote desktop sessions as attackers often leverage RDP to gain graphical access to exploited systems.
Just a thought, as an end user I also like the idea of creating a task that generates a popup or an email if a remote desktop connection is initiated.
Continue reading “Multi-Session RemoteApp”
After an extended hiatus, I’m back. I was waylaid with OSCE training, exam writing, and overall frustration, but I’m going to brag for a second to say I passed :). The material was a bit dated but I was happy with the overall course and still learned quite a bit; I have nothing but good things to say about the guys over at Offensive Security. Anyways, to the blog post.
While at a conference I was speaking with some colleagues about leveraging WSUS from an offensive standpoint. I was aware of WSUSpect but unaware of any type of attack that could leverage existing WSUS server access. While researching I came across WSUSpendu and was surprised that I hadn’t heard of it before. WSUSpendu is a powershell script that can deploy updates to update clients to get remote code execution. Two applications come to mind when employing this type of technique.
- Escalating to Domain Administrator
- Attacking Downstream WSUS Servers
How often have you seen a WSUS group policy pushed out to all systems including domain controllers via GPO? I see it quite often. If the domain controller happens to be an update client and you have WSUS server access, you’re domain administrator.
WSUSpendu can deploy updates, create and delete WSUS groups, assign computers to groups, and delete updates. To keep inline with the new hotness, I re-wrote WSUSpendu in C#.
How To Defend
The key to defending this technique is understanding it. Understanding the restrictions, what a malicious update looks like, the exposure of trusting a WSUS server for updates, and understanding security controls that can work in unison with those restrictions.
One restriction for example is, any files deployed from WSUS need to be digitally signed by a trusted authority like Microsoft. WSUSpendu recommended using psexec or bginfo with command-line arguments for remote code execution. This is a significant restriction if an attacker is trying to cross a security boundary. For part two, I’m going to play around with alternative payloads to mix it up a bit.
Continue reading “Leveraging WSUS – Part One”
This is going to be a non-technical post, so if you’re looking for some sort of tool or walkthrough this post probably isn’t for you. I’m going to make an argument that the perimeter for Industrial Control Systems (ICS) is one of if not the most important security control. I understand that some might see this as antiquated way of thinking and are probably calling me a dinosaur. My response is to read below and that I think of myself more as a crustacean from the Proterozoic era looking for about tree-fiddy.
I have the opportunity to do offensive and defensive work for Critical Infrastructure. Critical Infrastructure (Utilities, Generation, Transmission, O&G, etc.) is an interesting industry from a cybersecurity standpoint. In the Enterprise space, cybersecurity is often viewed as risk mitigation. For example, our organization makes $1B dollars, the consequences of a cyber-incident is ABC, our threats are XYZ; therefore, we’re going to spend $1M dollars. Just like in the Enterprise space, Critical Infrastructure sites vastly vary in size and revenue. I’ve seen sites with one person handling all IT administration and cybersecurity to sites with large fully financed security teams. Regardless of size, staffing, and solutions implemented; Critical Infrastructure usually has one thing in common – the extreme consequence of a security incident can result in loss of life.
What is my point? Resources for cybersecurity at Critical Infrastructure can be limited while the consequences are severe. Why is that important? Well I imagine it could be overwhelming trying to secure Critical Infrastructure. Also, the next thing I’m going to say might ruffle some feathers so I wanted to give a bit of context.
The Industrial Control Systems (ICS) perimeter is one of the most important security controls when it comes to Critical Infrastructure … I can hear your collective moan from here. You say – “Nearly every security professional has adopted the ‘assume breach’ mantra, you’re taking us back years!”, my reply is to finish this paragraph. I understand why one needs to assume breach in the Enterprise space. The internet is a cesspool with exploits flying around, nasty emails, C2 traffic, etc. Enterprise infosec has to deal with thousands of end users reaching out to the internet downloading junk and having junk land in their inboxes each with an itchy trigger finger. Your perimeter will be breached and it will be breached often. However, what if I told you, that in order to breach your perimeter you had to come through one of five endpoints, welcome to Critical Infrastructure networks.
Continue reading “The ICS Perimeter – A Line in the Sand”
I’m back from Vegas and trying to work off all those late nights and delicious beers. Before I get down to business, I want to talk about the training I attended at Black Hat. My colleague and I had the opportunity to attend SpecterOps’ Red Team Ops training and it was absolutely fantastic. I doubt any the SpecterOps crew will read my humble blog, but if for some reason you find yourself here – thank you, it was terrific.
Windows services get a lot of attention. There is a reason why PSExec is a mainstay when laterally moving – it works, it’s stable, and it brings you in on a privileged session; however, it’s noisy. So I put together a reflective DLL which accomplishes the same thing but using scheduled tasks instead, while not calling schtasks.exe. It’s a similar level of noisy, but in my opinion it’s less likely to attract attention and it’s an alternative option.
I think there are quite a few potential applications for this code. Lateral movement is one. Including persistence in your custom foothold payload without calling schtasks.exe might be another. Using it to start a SYSTEM session could also be a use case.
The code includes a reflective DLL and an Aggressor script. The Aggressor script takes care of uploading the binary and calling the DLL. The DLL creates, executes, and deletes the scheduled task. Everything is pretty commented so if you’re adverse to writing a binary you could execute a one-liner instead. **NOTE** The Aggressor script or DLL will not clean up the binary, that is on you.
You can find the code at https://github.com/ThunderGunExpress/Reflective_Schtasks
Once again, this is skeleton code and has the following limitations:
- Use an IP address for remote targets and 127.0.0.1 for local targets
- If running against a local target you’ll need to be in a high integrity context
The first payload through the front door has a tough job. Consider all the security products specifically made to scrutinize its footprint on both the endpoint and network, life is not easy. Personally, I like to get a bit more visibility into who (or what) is executing payloads. To get that additional visibility, I slapped together a janky C# payload with a PHP delivery program.
Code – https://github.com/ThunderGunExpress/CustomStager
How to Defend
Defense in depth. Standard AV won’t detect this but I would expect the more advanced products might. AWL will definitely block this from executing. NGFW won’t detect the custom stager but might detect the subsequent C2 stager. Manual network traffic analysis and poking of updates.php will uncover it’s purpose pretty quickly. It’s the same old cat and mouse game – people are going to run executable code, as security professionals we have to ensure that we increase the chance of detection.
So at the moment, I’ve only tested this with a staged payload. Why would one want to stage a stager? Well number one, we’re injecting directly into memory with custom written software, so we’ll bypass a good deal of endpoint protection software. Number two, visibility and control.
We’re all security professionals here, so I’m not going to do a deep dive on visibility and control examples but a few come to mind:
- Determine if something like a NGFW is dropping your C2 staging traffic. For Cobalt Strike users, check out the following.
- Control who is delivered exploitation code based on username, email address, or whatever … the possibilities are endless with C#
- Avoid delivery to hostile machines.
So this is skeleton code waiting to be built upon. It could be used in an office macro or maybe a MSI. Here is a quick rundown of the C# program.
- Get the version from updates.php while sending the username to the web server. This is where you would add logic to the payload delivery system.
- Grab and parse the appropriate bitness payload
- Create a thread in the current process with the parsed shellcode
The single spaced shellcode is read from payload_x86.xyz or payload_x64.xyz which is in the same directory as updates.php. Note the “|” which will be at the head and tail of the shellcode, it’s required by the C# payload. The shellcode can be crafted via something like Cobalt Strike, msfvenom, or whatever.
This post is a revisit to a tool that was introduced in 2017 – OutlookToolbox. When the code was published I was happy with the overall functionality but unhappy with the execution. I wanted to write a C# DLL and forced the implementation. The old version used rundll32 to access C# functions which were exported with using Robert Giesecke’s Unmanaged Exports. The final result was a DLL and Aggressor script that wrote the DLL to disk and received status updates via txt files; so janky. Well enter Cobalt Strike’s new feature – in-memory .NET assembly execution. Long story short, we can run OutlookToolbox in-memory with only the odd csv or msg file ever touching the disk.
Code – https://github.com/ThunderGunExpress/OutlookToolbox_v2
What It Is
A C# console application that interfaces with Outlook in the background.
How to Defend
Sophisticated threat-actors are using this tactic. They are harvesting our emails for information that allows them to get closer to their objectives. The good news it that we can control how external background access to Outlook is handled – see Microsoft’s link here. If I recall correctly, if Outlook is set to Always warn me about suspicious activity the tool will stop during the SanityCheck (anti-popup) function. OutlookToolbox will do just fine with the other two configurations, the check AV one is the default.
- SanityCheck – Checks Outlook’s popup configuration (via registry and wmi) and attempts to determine if interfacing with Outlook will cause a popup.
- EnumerateFolders – Lists all the folders within Outlook (inbox, sent items, conversation history, and so on).
- FolderToCSV – Exports all the contents of a folder to CSV which includes – From, To, Type (it can get at Lync messages), . The message’s body is truncated to 1000 characters.
- ExportMessage – Exports target email or collection of emails from a specific sender.
- EnumerateTarget – Check the GAL for target user’s details like manager, colleagues (reports to same manager), title, and alias. Could be used in conjunction with EmailPivot.
- EmailPivot – Sends a crafted email on behalf of the target session. Great for getting in that trust chain (or whatever it’s called) between two people. Also has the ability to send replies from the TO user directly to deleted items with Outlook rules. Don’t do this unless you absolutely know what you are doing. Clean up could be difficult and it’s incredibly nasty.
Check out the old OutlookToolbox post for screenshots. There are some minor changes but the UI is pretty much the same.
I’m back in the pocket after doing the deep dive into hack the box. I really enjoyed the bulk of the challenges and learned some new great tricks and techniques. One box I highly recommend is Reel. It’s a great challenge with domain privilege escalation techniques that you might see in a pentest. Anyways, after reaching Guru status I decided to take a step back for a while, it’s a part-time job working all the newly released boxes.
Before I went dark I was testing Cobalt Strike’s built-in PSExec module against various Endpoint Protection Platform (EPP) products and was getting flagged. It was pretty clear that the EPPs weren’t detecting the binary but was instead flagging via heuristic analysis. It might have been the randomized filename of the binary, the timing, writing to the $ADMIN share, or some sort of combination. I wrote some skeleton code that can be further customized to help bypass heuristic analysis. The current flow of the reflective DLL and Aggressor script can be seen below.
You can find the code at https://github.com/ThunderGunExpress/Reflective_PSExec
The code and script is pretty crude and has the following limitations at the moment:
- Use an IP address as the target, not a hostname
- If running against a remote target ensure the session is in a medium integrity context
- If running against a local target ensure the session is a high integrity context