This document discusses techniques used by threat actors to move laterally within corporate networks. It begins with an introduction and covers post-exploitation techniques including Mimikatz for credential theft, Skeleton Key and Wdigest for password dumping, webshell deployment on IIS and Exchange servers, and other miscellaneous techniques such as abusing VPNs and using rootkits. Precautions are provided for each technique discussed.

1. Aragorn Tseng
Charles Li

2. ✚ ADFarm's penetration
✚ Webshell
✚ Miscellaneous technique
AGENDA
✚ Introduction

3. Charles Li
1P 2PCTO
Aragorn Tseng
Malware Researcher

4. How APT actors move laterally in corporate networks(Operation: I am Tom)
The operation name came from:

5. How APT actors move laterally in corporate networks(Operation: I am Tom)
This talk covers:
• Post-exploitation techniques abused by threat actors in corporate
networks for the following purposes:
• Lateral movement
• Bypass detection or thwart analysis
• Observed in real incident response cases by TeamT5
• They are leveraged by Chinese threat actors and discussed in some
Chinese forums

6. How APT actors move laterally in corporate networks(Operation: I am Tom)
Core-level host
Application-level host

7. Core-level host
AD Farm 's penetration
How APT actors move laterally in corporate networks(Operation: I am Tom)

8. LSA
NTLMSSP
Kerberos
CredSSP
SSPI
Active Directory
Authentication
NTLM
Remote Desktop
 SSP： Security Support Provider
 SSPI： Security Support Provider Interface
 LSA： Local Security Authority
MimikatzMemSSP
mimilib
msv1_0.dll
kerberos.dll
credssp.dll

9. Mim ilib - SSP
 Mimilib is a tool of Mimikatz
Copy mimilib.dll to
c:¥windows¥system3
2
Modify registry:
HKEY_LOCAL_MACHINE¥Sys
tem¥CurrentControlSet¥Co
ntrol¥Lsa¥Security
Packages¥
After rebooting,
kiwissp.log will generate
at
c:¥windows¥system32

10. Mim ilib - SSP

11. Mim ilib - SSP

12. Mim ilib - Mem SSP
 Mimilib also support patch ssp(lsass.exe) in memory
Run Mimikatz
type misc::memssp
inject Lsass.exe’s
memory
Once someone login or
run “Runas”， mimilsa.log
will be generated in
c:¥windows¥system32

13. Mim ikatz m em ssp – m em ory status

14. Mim ikatz m em ssp – password

15. Mim ikatz m em ssp – patched dll
Patched dll

16. Skeleton Key
 Skeleton Key is installed in 64bit domain server
 Support Windows Server 2003—Windows Server 2012 R2
 Inject shellcode into lsass.exe to change its execution flow
 Allow all domain users to log in with the same universal password
 All domain users can still log in with the original password
 It will fail after restart
Run Mimikatz
type misc::skeleton
inject Lsass.exe’s
memory
Just use "mimikatz" can
log in

17. Mim ikatz skeleton key

18. Mim ikatz skeleton key – injected lsass

19. Mim ikatz skeleton key – injected shell code

20. Mim ikatz skeleton key – patch dll
Patched dll

21. Wdigest – clear text passwords
 For Windows 7, 8, Server 2008 R2 and Server 2012
 KB2871997 update
 HKEY_LOCAL_MACHINE¥System¥CurrentControlSet¥Control¥SecurityProviders¥W
Digest¥UseLogonCredential set to 1
Picture source : https://blog.stealthbits.com/wdigest -clear-
text-passwords-stealing-more-than-a-hash/

22. Registry ACL

23. clear text passwords

24. Mim ikatz bypass AV
 VMP
 Mimikatz variant
https://www.freebuf.com/articles/system/234365.html

25. ntds.dit
 Windows password is stored after being hashed and stored locally in
hklm¥SAM and HKLM¥system in the registry
 In the domain, password is stored in C:¥Windows¥ntds¥ntds.dit and
HKLM¥SYSTEM of the domain controller
Take snapshot
of ntds.dit
Copy ntds.dit
and delete the
snapshot
Get the key
from registry
Use
NTDSDumpEx to
get all user’s
password hash
https://msdn.Microsoft.com/en-
us/library/windows/desktop/gg294074.aspx

26. Precautions
 Remove or limit access to Windows shares
 Disable the remote registry service
 Limit the possibility of DLL injection by removing users and groups from the
‘Debug Programs’ policy setting (SeDebugPrivilege)
 Lsass.exe process protection
 Protected Users Group
 NTLM is not used. Kerberos or third party SSP is required
 Kerberos tickets have a shorter life span
 Windows Digest is not cached

27. Application-level host
Webshell
How APT actors move laterally in corporate networks(Operation: I am Tom)

28. IIS Module
Use APPCMD
Install IIS
Module
Need to obtain the administrator rights of the IIS server
first
Use IIS
Administration
Tool to register
register
IIS Web
The process where the dll
is located is w3wp.exe
https://github.com/0x09AL/IIS -Raid

29. IIS-Raid
 Compiling
 Installing

32. IIS Module Precautions
 Check whether IIS is installed with a backdoor by viewing Modules
 1. Use APPCMD.EXE command line tool
 C:¥Windows¥system32¥inetsrv¥APPCMD.EXE list module
 2. Use IIS Administration Tool for interface operations
 Run inetmgr.exe and enter the IIS manager
 Select Modules
 Also note that only when the module is successfully loaded, the module-
related dll can be found in w3wp.exe

33. Exchange privilege
Default system permissions!!!

34. Webshell

35. Add malicious
code in javascripts
of Logon.aspx
The malicious code will
post username and
password to errorFE.aspx
Add malicious
code in
errorFE.aspx
The malicious code will save the
username and password into
C:¥Windows¥Debug¥errorFE.tmp
Modify the source code

38. HyperShell
 APT34Leaked Tools
 For Exchange webshell
 Add code to ExpiredPassword.aspx
 Request URL： https://<domain>/owa/auth/ExpiredPassword.aspx
 The default permission of webshell under this path is System
https://www.zdnet.com/article/source-code-of-iranian-
cyber-espionage-tools-leaked-on-telegram/

39. curl " https://<dom ain>/owa/auth/expiredpassword.aspx" --data "url=..%2F&usernam e=…..&newPwd2=….."

40. Com pile dll (iis cache)
 Csc.exe compile will generate a compile dll cache file
 Only after the aspx file is executed
 It can be used when checking,
to see when the file was generated

41. Precautions
 Modify directory permissions
 File check (number of files, file hash)
 fciv.exe(Microsoft)
https://support.microsoft.com/zh-tw/help/841290/availability-
and-description-of-the-file-checksum-integrity-verifier-u
https://www.microsoft.com/en-
us/download/details.aspx?id=11533

42. Exchange Antivirus Whitelist
 Mailbox servers
 Client Access servers
 Web components
 %System Root%¥System 32¥Inetsrv
 Inetpub¥logs¥logfiles¥w3svc
 %System Root%¥Microsoft.NET¥Framework64¥v4.0.30319¥Tem porary ASP.NET Files
Ref: https://docs.microsoft.com/zh-tw/exchange/anti-
virus-software-in-the-operating-system-on-exchange-
servers-exchange-2013-help

43. Exchange Antivirus Whitelist

44. (De)Serialization overview
 ASP.NETViewstate deserialization
 CVE-2020-0688 : Remote code Execution on Exchange Server

45. Microsoft .NET Viewstate
 Object passed between client & server
 Stores both user-submitted and application information
 Protected by HMAC crypto
 If server-side HMAC routine checks out, ViewState is processed
 If HMAC check fails, ViewState error occurs
 Viewstate is serialized by LosFormatter and deserialized by
ObjectStateFormatter
 ysoserial.net supports ObjectStateFormatter
https://github.com/pwntester/ysoserial.net

46. Machinekey Elem ent
 Validation Key
 used to sign the ViewState HMAC
 Decryption Key
 used for ViewState symmetric crypto
 Load Balanced Environment Considerations
 Keys can not be autogenerated (default behavior)
 Must hard-code keys on all IIS servers in the pool
 These values are stored in the file web.config

47. When you got a web config

48. Exploitation Path
 Utilize ysoserial.net to generate a malicious ObjectStateFormatter payload
 Sign the payload with a valid HMAC
 Submit this payload as a ViewState
 The server will:
 Validate the HMAC
 Deserialize the malicious payload

49. Picture source : https://cyku.tw/play -with-dotnet-viewstate-
exploit-and-create-fileless-webshell/

50. Precautious
 Review your open source projects for default keys
 If your web server is ever compromised or has a file read and XXE flaw,
regenerate your keys or set to autogenerate
 Encrypt the machine key

51. TEBShell
 TEBShell is a backdoor based on HTTP API. After it is executed, it will use
Windows HTTP Server API to open an Http server service and register a
specific URL for actors to control. It is a backdoor for listen port.

52. TEBShell
(White) Benign EXE (Black) Malicious DLL
(Black) Encrypted Payload
payload
dll hijack
Inject process
Ex:dllhost.exe
webshell
query specific
urls to access
webshell
Ex: https://www.cnn.com/request.html
register

53. TEBShell 3.0

54. Miscellaneous technique
How APT actors move laterally in corporate networks(Operation: I am Tom)

55. "StickKeys" Backdoor
 C:¥windows¥system32¥sethc.exe
 shift * 5
 copy /y cmd.exe C:¥windows¥system32¥sethc.exe
 HKEY_LOCAL_MACHINE¥SOFTWARE¥Microsoft¥Windows
NT¥CurrentVersion ¥Image File Execution Options¥sethc.exe
 Debugger set to cm d.exe

56. Attacker’s trap?
2020-09-01 IISlog attacker access a.aspx
2020-09-01 eventlog Del c:¥inetput¥wwwroot¥a.aspx
2020-09-01 eventlog Del c:¥inetput¥wwwroot¥b.aspx
2020-09-03 IISlog attacker access a.aspx
2020-09-03 eventlog Del c:¥inetput¥wwwroot¥a.aspx
2020-09-04 IISlog attacker access a.aspx
2020-09-04 eventlog eventlog clear
2020-09-05 IISlog attacker access a.aspx
2020-09-05 eventlog eventlog clear

57. Rootkit to hide directory
 In the beginning, the attacker used normal Webshell to operate and pull a lot
of data
 After incident response, the hacker used Rootkit (Easy File Locker) to hide the
file directory.
Dropper
Rootkit
Hide the
directory of
Webshell

58. Easy File Locker
1b09d7e0d250236f510420dd8b848fbd

59. Check source host MAC??

60. VPN abuse
different attack’s source MAC
Fail to host check policy
Pass host check policy
Same attack’s source IP

61. VPN abuse
different attack’s Hostname
Find host in TWdomain， bypass security policy

62. Virtual Directory

63. Thanks!
aragorn@teamt5.org
charles@teamt5.org
We hope you gained !!!