This document discusses techniques used by threat actors to move laterally within corporate networks. It begins with an introduction and covers post-exploitation techniques including Mimikatz SSPs for credential theft, Skeleton Key as a domain-wide backdoor password, WDigest for clear-text password capture, ntds.dit extraction, webshell and backdoor-module deployment on IIS and Exchange servers, ViewState deserialization, and other miscellaneous techniques such as abusing VPNs, HTTP.sys-based backdoors and rootkits. Precautions are provided for each technique discussed.
4. How APT actors move laterally in corporate networks (Operation: I am Tom)
The operation name came from:
5. This talk covers:
• Post-exploitation techniques abused by threat actors in corporate networks for the following purposes:
  • Lateral movement
  • Bypassing detection or thwarting analysis
• Observed in real incident response cases by TeamT5
• Leveraged by Chinese threat actors and discussed in some Chinese forums
6. Two kinds of target hosts: core-level hosts and application-level hosts
7. Core-level host: AD farm penetration
9. Mimilib - SSP
Mimilib is the SSP/AP DLL shipped with Mimikatz. Registered as a Security Support Provider, it receives every plaintext logon password from LSA:
1. Copy mimilib.dll to C:\Windows\System32
2. Add "mimilib" to the REG_MULTI_SZ value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages
3. After a reboot (LSA loads SSPs at start), the credentials of every subsequent logon are written to C:\Windows\System32\kiwissp.log
12. Mimilib - MemSSP
Mimikatz can also patch the SSP logic inside lsass.exe in memory, with no DLL on disk and no reboot:
1. Run Mimikatz (needs SeDebugPrivilege or SYSTEM)
2. Type misc::memssp, which injects the hook into lsass.exe's memory
3. Once someone logs on or runs "runas", the credentials are appended to C:\Windows\System32\mimilsa.log
The in-memory patch is lost at the next reboot.
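The check a defender wants for both the registry SSP and the in-memory variant above: enumerate the packages LSA is configured to load, verify each resolves to a signed DLL, and look for the two log files. This is an added example, not code from the talk or from Mimikatz; the registry paths and value names are the real ones, while the "known package" list is an assumption for a default Windows install and should be adjusted to your environment.

```powershell
# Added example: audit LSA Security Packages and look for mimilib/memssp log files.
$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$osConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
# Assumption: packages present on a default install; extend for your estate.
$knownPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

function Get-SecurityPackageEntries {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # REG_MULTI_SZ comes back as a string array; empty entries are normal.
    @($item.'Security Packages') | Where-Object { $_ -and $_.Trim() -ne '' }
}

function Test-SecurityPackage {
    param([string]$Name, [string]$SourceKey)
    $known = $knownPackages -contains $Name.ToLower()
    # LSA resolves a bare name to <name>.dll in System32, or uses a full path if one is given.
    $dll = if ([IO.Path]::IsPathRooted($Name)) { $Name } else { Join-Path $env:SystemRoot "System32\$Name.dll" }
    $sigStatus = 'FileMissing'; $signer = $null
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Source     = $SourceKey
        Package    = $Name
        Known      = $known
        DllPath    = $dll
        Signature  = $sigStatus
        Signer     = $signer
        Suspicious = (-not $known) -or ($sigStatus -ne 'Valid')
    }
}

$results = foreach ($key in @($lsaKey, $osConfigKey)) {
    foreach ($pkg in Get-SecurityPackageEntries -Key $key) {
        Test-SecurityPackage -Name $pkg -SourceKey $key
    }
}
$results | Format-Table -AutoSize

# Log files produced by the two mimilib techniques; their presence means passwords are being captured.
foreach ($log in @('kiwissp.log', 'mimilsa.log')) {
    $p = Join-Path $env:SystemRoot "System32\$log"
    if (Test-Path $p) {
        Write-Warning "Found $p ($((Get-Item $p).Length) bytes): credentials are being logged"
    }
}
```

Run it elevated; the OSConfig key is where Windows 8/2012 and later keep the default package list, so both keys must be read. Enabling LSA protection (RunAsPPL) makes the first technique fail outright, because LSASS then refuses to load an SSP that is not Microsoft-signed.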
16. Skeleton Key
Skeleton Key is installed on a 64-bit domain controller
Supports Windows Server 2003 to Windows Server 2012 R2
Injects code into lsass.exe to change the authentication flow
Allows every domain user to log on with the same universal password
All domain users can still log on with their original passwords, so nothing visibly breaks
The patch is lost after a restart
Run Mimikatz on the domain controller and type misc::skeleton, which patches lsass.exe's memory
Afterwards the password "mimikatz" logs on as any domain user
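Two checks for a patched domain controller, added here as an example and not taken from the talk: an LDAP bind with a canary account and the documented default master password (a patched DC accepts it, a clean DC rejects it), and a query for TGT requests issued with RC4 although the domain supports AES, the encryption downgrade Skeleton Key causes. The server name, canary account and the 24-hour window are placeholders; the master password is Mimikatz's default and an attacker can choose another.

```powershell
# Added example: detect a Skeleton Key patch on a domain controller.
param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder
    [string]$CanaryUser       = 'CORP\svc-canary',     # placeholder, a low-privilege account
    [string]$MasterPassword   = 'mimikatz'             # mimikatz default; operators may change it
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SkeletonKeyBind {
    # Returns $true when the DC accepts the master password for an account whose
    # real password is something else, i.e. when the skeleton key is active.
    param([string]$Server, [string]$User, [string]$Password)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # Kerberos/NTLM, like a real logon
    $conn.Credential = [System.Net.NetworkCredential]::new($User, $Password)
    try     { $conn.Bind(); return $true }
    catch [System.DirectoryServices.Protocols.LdapException] { return $false }
    catch   { return $false }
    finally { $conn.Dispose() }
}

function Get-Rc4TgtRequests {
    # 4768 = Kerberos TGT requested; TicketEncryptionType 0x17 = RC4-HMAC.
    param([string]$Server, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TicketEncryptionType -eq '0x17') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $d.TargetUserName
                Client  = $d.IpAddress
                EncType = $d.TicketEncryptionType
            }
        }
      }
}

if (Test-SkeletonKeyBind -Server $DomainController -User $CanaryUser -Password $MasterPassword) {
    Write-Warning "$DomainController accepted the Skeleton Key master password for $CanaryUser"
} else {
    Write-Host "$DomainController rejected the master password for $CanaryUser"
}
Get-Rc4TgtRequests -Server $DomainController | Format-Table -AutoSize
```

The bind test costs one failed logon per run, so keep the canary's lockout threshold in mind and run it against every DC, since the patch lives in one lsass.exe. The RC4 list will also contain legacy clients that never negotiate AES; a domain that is otherwise AES-only and suddenly shows RC4 TGTs for AES-capable accounts is the signal.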
21. WDigest - clear-text passwords
On Windows 7, 8, Server 2008 R2 and Server 2012, update KB2871997 adds the value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
Set to 1, it makes LSASS keep the clear-text password of every subsequent logon; 0 disables the caching. An attacker with admin rights sets it to 1 and waits for the next logon.
Picture source: https://blog.stealthbits.com/wdigest-clear-text-passwords-stealing-more-than-a-hash/
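The audit and fix for the value above, as an added example that is not part of the talk. The OS-version logic encodes the documented behaviour: on 8.1/2012 R2 and later an absent value already means "do not cache", while on the older systems listed above the value only appears with KB2871997 and must be set to 0 explicitly. A 1 on any host, old or new, is a finding.

```powershell
# Added example: report and harden WDigest clear-text credential caching.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$name = 'UseLogonCredential'

function Get-WDigestState {
    $os  = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $new = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 3)   # 6.3 = Windows 8.1 / Server 2012 R2
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $kb    = [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)
    # Absent value: new OS does not cache, old OS caches regardless of the hotfix.
    $caching = if ($null -eq $value) { -not $new } else { $value -ne 0 }
    [pscustomobject]@{
        OSVersion          = $os.ToString()
        UseLogonCredential = if ($null -eq $value) { '<absent>' } else { $value }
        KB2871997          = $kb
        ClearTextCaching   = $caching
    }
}

function Disable-WDigestCaching {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    # Passwords already held by LSASS stay until those sessions end; a reboot clears them.
}

$state = Get-WDigestState
$state | Format-List
if ($state.ClearTextCaching) {
    Write-Warning 'WDigest is caching clear-text credentials; setting UseLogonCredential = 0'
    Disable-WDigestCaching
}
```

Because an attacker needs only a registry write to re-enable caching, the value is worth monitoring (registry auditing or a periodic run of the report half) rather than setting once.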
25. ntds.dit
Local account passwords are stored as hashes in the SAM hive (HKLM\SAM), encrypted with the boot key kept in HKLM\SYSTEM
Domain account hashes are stored in C:\Windows\NTDS\ntds.dit on the domain controller, encrypted with the key held in the DC's HKLM\SYSTEM
Extraction steps:
1. Take a volume shadow copy snapshot containing ntds.dit (the live file is locked by LSASS)
2. Copy ntds.dit out of the snapshot, then delete the snapshot
3. Get the key from the registry (save the SYSTEM hive)
4. Use NTDSDumpEx to decrypt the database and dump every user's password hash
https://msdn.microsoft.com/en-us/library/windows/desktop/gg294074.aspx
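The procedure leaves process-creation events on the domain controller. The following added example (not from the talk) hunts the Security log for the tooling each step relies on; it needs 4688 auditing with command-line logging enabled, and the pattern list is an assumption about the usual tools, to be extended as needed.

```powershell
# Added example: find ntds.dit extraction activity in 4688 process-creation events.
$patterns = @(
    'vssadmin(\.exe)?\s+create\s+shadow',   # step 1: VSS snapshot
    'diskshadow',                            # step 1: scripted VSS
    'ntdsutil.*(ifm|snapshot)',              # alternative: IFM media / ntdsutil snapshot
    'esentutl.*ntds\.dit',                   # copying the locked database
    'ntds\.dit',                             # step 2: any copy/xcopy/robocopy of the file
    'reg(\.exe)?\s+save\s+hklm\\system'      # step 3: boot key for decryption
)

function Get-NtdsTheftEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # CommandLine is empty unless "Include command line in process creation events" is on.
        $cmd = "$($d.NewProcessName) $($d.CommandLine)"
        foreach ($p in $patterns) {
            if ($cmd -match $p) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Parent  = $d.ParentProcessName   # present on Windows 10 / Server 2016 and later
                    Command = $cmd
                    Rule    = $p
                }
                break
            }
        }
      }
}

Get-NtdsTheftEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Backup agents legitimately create shadow copies on DCs, so the value is in the combination: a snapshot followed within minutes by a copy of ntds.dit and a reg save of SYSTEM, from an interactive or remote shell rather than the backup service account.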
26. Precautions
Remove or limit access to Windows shares
Disable the Remote Registry service
Limit the possibility of DLL injection by removing users and groups from the 'Debug Programs' policy setting (SeDebugPrivilege)
Enable LSA protection for lsass.exe (RunAsPPL), which also refuses unsigned SSPs such as mimilib
Put privileged accounts in the Protected Users group, which means:
  NTLM is not used; Kerberos or a third-party SSP is required
  Kerberos tickets have a shorter life span
  WDigest credentials are not cached
28. IIS Module
A native IIS module can be installed as a backdoor in two ways; both need administrator rights on the IIS server first:
1. Use APPCMD to install the module (appcmd install module)
2. Use the IIS Administration Tool (IIS Manager) to register it
The module's DLL is loaded into the IIS worker process, w3wp.exe
Example: https://github.com/0x09AL/IIS-Raid
32. IIS Module Precautions
Check whether IIS has a backdoor module by viewing the installed modules:
1. Use the APPCMD.EXE command-line tool: C:\Windows\system32\inetsrv\APPCMD.EXE list module
2. Use the IIS Administration Tool: run inetmgr.exe, open IIS Manager and select Modules
Also note that the module's DLL is only found inside w3wp.exe once the module has been loaded successfully, i.e. after a request has started the worker process
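`appcmd list module` shows names but not who signed the binaries. The following added example (not the talk's code) reads the same configuration appcmd does, applicationHost.config, resolves every native module to its DLL and checks the Authenticode signature, and lists managed (.NET) modules as well since a backdoor can be an IHttpModule. Paths are the IIS defaults; the "expected signer" heuristic is an assumption and will flag legitimate third-party modules.

```powershell
# Added example: audit IIS native and managed modules from applicationHost.config.
function Get-IisModuleAudit {
    param([string]$ConfigPath = "$env:SystemRoot\System32\inetsrv\config\applicationHost.config")
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $inetsrv = "$env:SystemRoot\System32\inetsrv\*"

    # Native modules: <system.webServer><globalModules><add name=".." image=".." />
    foreach ($m in $cfg.SelectNodes('//system.webServer/globalModules/add')) {
        $image  = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
        $sig    = if (Test-Path $image) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        $status = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            Kind       = 'Native'
            Name       = $m.GetAttribute('name')
            Image      = $image
            Signature  = $status
            Signer     = $signer
            # Heuristic: anything not Microsoft-signed or living outside inetsrv deserves a look.
            Suspicious = ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft') -or ($image -notlike $inetsrv)
        }
    }

    # Managed modules: <modules><add name=".." type="Namespace.Class, Assembly" /> (inside <location path="">).
    foreach ($m in $cfg.SelectNodes('//system.webServer/modules/add[@type]')) {
        $type = $m.GetAttribute('type')
        [pscustomobject]@{
            Kind       = 'Managed'
            Name       = $m.GetAttribute('name')
            Image      = $type
            Signature  = 'n/a'
            Signer     = $null
            Suspicious = ($type -notmatch '^(System\.Web\.|Microsoft\.)')
        }
    }
}

Get-IisModuleAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Modules can also be added per site in a site's own web.config, so run the same XPath against those files when a single application is in question. On older hosts some catalog-signed Microsoft DLLs report NotSigned; compare against a clean reference server rather than treating every non-Valid entry as malicious.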
35. Modify the source code of the OWA logon pages
1. Add malicious JavaScript to Logon.aspx that posts the submitted username and password to errorFE.aspx
2. Add malicious code to errorFE.aspx that saves the username and password into C:\Windows\Debug\errorFE.tmp
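A modified Logon.aspx or a new errorFE.aspx is invisible to users but trivial to catch with a hash baseline of the authentication directory. The script below is an added example, not part of the talk; the directory is the default Exchange 2013+ front-end path, and the baseline location is a placeholder that should be somewhere the web server's identity cannot write.

```powershell
# Added example: hash baseline and diff of the OWA auth pages.
param(
    [string]$OwaAuthPath  = 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth',
    [string]$BaselineFile = 'C:\baseline\owa-auth.json',   # placeholder; keep it off the web server
    [switch]$Update                                         # write a new baseline instead of comparing
)

function Get-AuthFileHashes {
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -Include *.aspx, *.js, *.ashx, *.asmx, *.config |
      ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $table[$rel] = @{
            Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Modified = $_.LastWriteTimeUtc.ToString('o')
        }
      }
    $table
}

function Compare-AuthBaseline {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            [pscustomobject]@{ File = $k; State = 'Added';   Modified = $Current[$k].Modified }; continue
        }
        if ($Baseline[$k].Hash -ne $Current[$k].Hash) {
            [pscustomobject]@{ File = $k; State = 'Changed'; Modified = $Current[$k].Modified }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            [pscustomobject]@{ File = $k; State = 'Removed'; Modified = $null }
        }
    }
}

$current = Get-AuthFileHashes -Root $OwaAuthPath
if ($Update -or -not (Test-Path $BaselineFile)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselineFile
    Write-Host "Baseline written: $($current.Count) files"
} else {
    $raw = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $raw.PSObject.Properties) { $baseline[$p.Name] = @{ Hash = $p.Value.Hash; Modified = $p.Value.Modified } }
    $diff = Compare-AuthBaseline -Baseline $baseline -Current $current
    if ($diff) { $diff | Format-Table -AutoSize } else { Write-Host 'No changes against baseline' }
}
```

Re-baseline with -Update right after each Exchange cumulative update, which legitimately rewrites these files; anything that changes between updates is a modification worth opening.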
38. HyperShell
From the leaked APT34 tools
An Exchange webshell: the code is added to ExpiredPassword.aspx
Request URL: https://<domain>/owa/auth/ExpiredPassword.aspx
A webshell under this path runs as SYSTEM by default, because the OWA application pool runs as LocalSystem
https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
40. Compiled DLL (ASP.NET cache)
When an .aspx page is requested for the first time, ASP.NET compiles it with csc.exe into a cached assembly under Temporary ASP.NET Files
The cache entry only exists after the .aspx file has actually been executed
This is useful during an investigation: the creation time of the cached files shows when the page was first run
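ASP.NET writes a `<name>.compiled` XML record beside each `App_Web_*.dll`, and its `virtualPath` attribute names the source page, so the cache can be mapped back to the .aspx files and their first-execution time. The script is an added example, not from the talk; the framework paths are the .NET 4.x defaults and the OWA/ECP filter at the end is an assumption for an Exchange host.

```powershell
# Added example: map the ASP.NET compilation cache back to the pages that were executed.
function Get-AspNetCompileRecords {
    param([string[]]$Roots = @(
        "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
        "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files"))
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Filter *.compiled -ErrorAction SilentlyContinue |
          ForEach-Object {
            try { [xml]$x = Get-Content -Path $_.FullName -Raw } catch { return }
            $p = $x.preserve                       # root element: <preserve virtualPath=".." assembly=".." ...>
            if (-not $p.virtualPath) { return }
            $dll = Join-Path $_.DirectoryName "$($p.assembly).dll"
            [pscustomobject]@{
                VirtualPath = $p.virtualPath
                Assembly    = $p.assembly
                CompiledAt  = $_.CreationTime     # first request that triggered compilation
                AssemblyAt  = if (Test-Path $dll) { (Get-Item $dll).CreationTime } else { $null }
                CacheFile   = $_.FullName
            }
          }
    }
}

# Pages under the OWA/ECP paths, newest first: compare these times with the
# Exchange install and patch dates; a lone recent entry for an auth page stands out.
Get-AspNetCompileRecords |
  Where-Object { $_.VirtualPath -match '/(owa|ecp)/' } |
  Sort-Object CompiledAt -Descending |
  Select-Object -First 20 |
  Format-Table VirtualPath, CompiledAt, Assembly -AutoSize
```

Because the record is created on first execution rather than on file write, it also survives an attacker touching the .aspx timestamp, and it shows a webshell that was dropped but never called as absent.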
45. Microsoft .NET ViewState
An object passed between client and server on every postback
Stores both user-submitted and application state
Protected by an HMAC (and optionally encrypted)
If the server-side HMAC check passes, the ViewState is processed
If the HMAC check fails, a ViewState error is raised
ViewState is serialized with LosFormatter and deserialized with ObjectStateFormatter
ysoserial.net supports the ObjectStateFormatter format (and has a ViewState plugin)
https://github.com/pwntester/ysoserial.net
46. machineKey element
validationKey: used to compute the ViewState HMAC
decryptionKey: used for ViewState symmetric encryption
Load-balanced environment considerations:
  The keys cannot be auto-generated (the default behaviour), because every server would generate a different one
  The same keys must be hard-coded on all IIS servers in the pool
  These values are stored in web.config
48. Exploitation path
Use ysoserial.net to generate a malicious ObjectStateFormatter payload
Sign the payload with a valid HMAC, using the validationKey taken from web.config
Submit this payload as the ViewState
The server will:
  Validate the HMAC, which passes
  Deserialize the malicious payload and run the gadget chain inside w3wp.exe
50. Precautions
Review your open-source projects for default or committed keys
If your web server is ever compromised, or has a file-read or XXE flaw, regenerate your keys or set them back to AutoGenerate
Encrypt the machineKey section of web.config (aspnet_regiis -pe)
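The three precautions, and the exploitation path they defeat, hinge on whether the keys in web.config are unique, secret and not already known. The following added example (not code from the talk) inventories the machineKey elements under a web root, marks hard-coded and unencrypted ones, compares them against a list of keys you consider burned, and generates a fresh element for rotation. The known-bad list holds one made-up placeholder; the inventory path is an assumption.

```powershell
# Added example: inventory and rotate ASP.NET machineKey values.
# Placeholder only; fill from your own list of leaked/committed/default keys.
$knownBadValidationKeys = @('0000000000000000000000000000000000000000')

function New-MachineKeyElement {
    # HMACSHA256 validation wants a 64-byte key; AES decryption a 32-byte key (AES-256).
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $v = New-Object byte[] 64
    $d = New-Object byte[] 32
    $rng.GetBytes($v); $rng.GetBytes($d)
    $vHex = -join ($v | ForEach-Object { '{0:X2}' -f $_ })
    $dHex = -join ($d | ForEach-Object { '{0:X2}' -f $_ })
    "<machineKey validationKey=`"$vHex`" decryptionKey=`"$dHex`" validation=`"HMACSHA256`" decryption=`"AES`" />"
}

function Find-MachineKeys {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Filter web.config -ErrorAction SilentlyContinue |
      ForEach-Object {
        try { [xml]$cfg = Get-Content -Path $_.FullName -Raw } catch { return }
        # Also catches elements nested under <location>; XPath // walks the whole file.
        $mk = $cfg.SelectSingleNode('//system.web/machineKey')
        if (-not $mk) { return }
        $vk = $mk.GetAttribute('validationKey')
        $dk = $mk.GetAttribute('decryptionKey')
        [pscustomobject]@{
            File       = $_.FullName
            Validation = $mk.GetAttribute('validation')
            Decryption = $mk.GetAttribute('decryption')
            HardCoded  = ($vk -and $vk -notmatch 'AutoGenerate') -or ($dk -and $dk -notmatch 'AutoGenerate')
            KnownBad   = $knownBadValidationKeys -contains $vk
            # aspnet_regiis -pe replaces the children with <EncryptedData> and sets this attribute.
            Encrypted  = [bool]$mk.GetAttribute('configProtectionProvider')
        }
      }
}

Find-MachineKeys -Root 'C:\inetpub' | Format-Table -AutoSize   # assumed web root
New-MachineKeyElement   # paste the same element into every web.config of the farm, then encrypt it
```

Rotation invalidates every outstanding ViewState and forms-auth ticket, so schedule it, and encrypt the element afterwards with `aspnet_regiis -pe "system.web/machineKey"` for the application. Remember that a hard-coded key is only as secret as every copy of web.config, including the ones in source repositories and backups.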
51. TEBShell
TEBShell is a backdoor built on the Windows HTTP Server API. After it is executed, it opens an HTTP server through HTTP.sys and registers a specific URL through which the actors control it. It is a listening-port backdoor, but because HTTP.sys multiplexes the port it can share 80/443 with IIS instead of opening a socket of its own.
52. TEBShell
Execution chain:
1. The (White) benign EXE loads the (Black) malicious DLL through DLL hijacking
2. The DLL decrypts the (Black) encrypted payload
3. The payload is injected into a host process, e.g. dllhost.exe
4. The payload registers its URL with the HTTP Server API
5. The actor queries the specific URL to access the webshell, e.g. https://www.cnn.com/request.html
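Because the backdoor never opens a socket of its own, `netstat` shows only HTTP.sys on port 80/443. HTTP.sys does, however, keep a table of registered URLs and the processes owning their request queues, which is where such a backdoor surfaces. The script below is an added example, not from the talk; parsing the text of `netsh http show servicestate` assumes the English output format, and the list of expected owner processes is an assumption to tune per host.

```powershell
# Added example: list URLs registered with HTTP.sys and the processes that own them.
function Get-HttpSysRegistrations {
    $lines   = netsh http show servicestate view=requestq 2>$null
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Request queue name:\s*(.+)$') {
            if ($current) { $current }
            $current = [pscustomobject]@{ Queue = $matches[1].Trim(); Pids = @(); Urls = @() }
        } elseif ($current -and $line -match '^\s*(\d+)\s*$') {
            $current.Pids += [int]$matches[1]          # lines under "Process IDs:"
        } elseif ($current -and $line -match '^\s*(https?://\S+)') {
            $current.Urls += $matches[1]               # lines under "Registered URLs:"
        }
    }
    if ($current) { $current }
}

function Show-HttpSysOwners {
    # Assumption: these are the usual legitimate owners of HTTP.sys URLs on a web server.
    $expected = @('w3wp', 'svchost', 'System', 'wininit', 'services', 'lsass', 'spoolsv')
    foreach ($q in Get-HttpSysRegistrations) {
        foreach ($procId in $q.Pids) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            foreach ($u in $q.Urls) {
                [pscustomobject]@{
                    Url        = $u
                    Pid        = $procId
                    Process    = if ($proc) { $proc.ProcessName } else { '<exited>' }
                    Path       = if ($proc) { $proc.Path } else { $null }
                    # dllhost.exe or anything under a user profile owning a URL is not expected.
                    Suspicious = ($proc -and ($proc.ProcessName -notin $expected))
                }
            }
        }
    }
}

Show-HttpSysOwners | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A URL registered by dllhost.exe, as in the injection step above, or any URL whose owner is not an IIS worker process or a known Windows service, is the finding; `netsh http show urlacl` lists only pre-reserved URLs and will not show a backdoor that registers at run time as SYSTEM.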
57. Rootkit to hide a directory
At the beginning the attacker used a normal webshell to operate and pulled a lot of data
After the incident response, the attacker used a rootkit (Easy File Locker) to hide the webshell's directory
Chain: dropper -> rootkit -> hides the directory containing the webshell
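Hiding a directory from every process on the box means a kernel component, and for tools of the Easy File Locker type that is a file-system filter driver. The filter itself cannot hide from the filter manager, so enumerating loaded minifilters and checking who signed each driver is a quick check after an incident like the one above. This is an added example, not from the talk; parsing the `fltmc filters` table assumes its English output format.

```powershell
# Added example: enumerate loaded minifilters and check each driver's signature.
function Get-MinifilterAudit {
    $rows = fltmc filters 2>$null |
            Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-)' }   # drop header lines
    foreach ($row in $rows) {
        $name = ($row -split '\s+')[0]                  # first column: filter name (= service name)
        $drv  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $path = if ($drv -and $drv.PathName) { $drv.PathName -replace '^\\\?\?\\', '' } else { $null }
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Filter    = $name
            Started   = if ($drv) { $drv.Started } else { $null }
            Path      = $path
            Signature = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-MinifilterAudit | Sort-Object Signer | Format-Table -AutoSize
```

Antivirus, backup and encryption products also load minifilters, so the list is never empty; the entries to pull are those whose driver is unsigned, signed by an unfamiliar publisher, or has no matching service at all. A hidden directory can then be confirmed by listing the web root from a WinPE boot or from a disk image, where the filter is not loaded.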