© Black Hills Information Security | @BHInfoSecurity
Mike Felch & Beau Bullock
A few novel techniques for exploiting Microsoft “features”
Who We Are
• Mike Felch - @ustayready
• Pentest / Red team at BHIS
• Involved w/ OWASP Orlando & BSides Orlando
• Host of Tradecraft Security Weekly
• Host of CoinSec Podcast
• Beau Bullock - @dafthack
• Pentest / Red team at BHIS
• Host of Tradecraft Security Weekly
• Host of CoinSec Podcast
• Avid OWA enthusiast
What We’re Covering
1. Mystery #1: Attribution
2. Mystery #2: Reconnaissance
3. Mystery #3: Persistence
4. Mystery #4: Weaponization
5. Questions / Comments
Mystery 1: The curious case of event logs with no attribution
Failed Login Alerting
• Customers have vastly different alerting setups
• Some log pretty much everything they can…
• … others log nothing
• Password attack detections have been hit or miss…
• Password spraying
• 1 attempt per user within observation window
• Doesn’t lock out accounts & usually results in a low number of failed logins per account
Access Denied: You’ve failed to meet the minimum meme threshold
Blue Team Game on Par
• DomainPasswordSpray - PowerShell script to perform password spraying within a domain
• https://github.com/dafthack/DomainPasswordSpray
• This generates failed login events at the DC
• Had a customer who alerted
• Started thinking of new ways to evade
• What are some other protocols you can authenticate to that are tied to AD?
Classic domain spraying...
Evading Failed Login Detection
• One possibility is OWA
• Failed logins are in the IIS logs, not in the Windows Security log
• But… are you watching the IIS logs?
• Many of our customers have seen us use or talk about MailSniper and have adjusted their logs accordingly.
• Where else could we try authenticating?
OWA spraying...
Evading Failed Login Detection
• What about RDP?
• Tested out xFreeRDP from Linux against a Windows Server
• To our surprise the failed login event did not contain the source IP address…
• Hostname was in the log… but xFreeRDP has an option to set the client hostname (wat?)
• Set out to write a spraying tool for RDP
RDP spraying?
NLA FTW
• Why was there no IP in the log?
• It turns out RDP w/ NLA (Network Layer Authentication) doesn’t log source IP in the security log
• NLA pre-authenticates prior to RDP access
• Causes Logon type 3 (Network) instead of 10 (RemoteInteractive)
• Allegedly there is supposed to be a log with the IP located here: Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreTS > Operational (Event ID 140)
What log?
• This is what a failed RDP using NLA should look like:
• …But authenticating via NLA doesn’t <ALWAYS> generate this log…
Because this alert is very, VERY misleading.
• It turns out this alert only fires when the USER is invalid.
• Valid user + invalid password = No eventID 140 log
Remember this is an “Applications and Services Log”... not “Security”
DEMO: RDPSpray PoC
What’s next?
• Here are some items on my “todo” list with this:
• Build a standalone tool to do this from Windows
• Add functionality to quickly find servers with NLA enabled for RDP
How do I detect/stop this?
• Windows Server 2016 logs the IP
• For other versions:
• Correlate the Applications and Services logs with the Security logs
• See: http://purerds.org/remote-desktop-security/auditing-remote-desktop-services-logon-failures-1/
• It might be worth looking at firewall logs for alerting on access to port 3389 multiple times from the same system
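Detection logic for the two defensive points above (many distinct accounts failing from one source, and recovering the source address from firewall logs when the NLA 4625 has none), as an added example in Python that is not part of the talk or RDPSpray. All events, hostnames and addresses below are constructed sample data.

```python
"""Spot a low-and-slow spray against RDP/NLA in Security log events and
attribute it via firewall hits on 3389 (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 events: (timestamp, target account, logon type,
# workstation name, ip address). With NLA the IpAddress field is '-' and
# WorkstationName is whatever the client chose to send.
SECURITY_4625 = [
    ("2018-10-01T09:00:01", "alice", 3, "WIN-DESKTOP1", "-"),
    ("2018-10-01T09:00:09", "bob",   3, "WIN-DESKTOP1", "-"),
    ("2018-10-01T09:00:17", "carol", 3, "WIN-DESKTOP1", "-"),
    ("2018-10-01T09:00:25", "dave",  3, "WIN-DESKTOP1", "-"),
    ("2018-10-01T09:00:33", "erin",  3, "WIN-DESKTOP1", "-"),
    ("2018-10-01T11:30:00", "alice", 10, "ALICE-PC", "10.0.5.17"),  # a real typo
]
# Constructed perimeter firewall log: (timestamp, source ip, destination port)
FIREWALL = [
    ("2018-10-01T08:59:58", "203.0.113.44", 3389),
    ("2018-10-01T09:00:07", "203.0.113.44", 3389),
    ("2018-10-01T09:00:15", "203.0.113.44", 3389),
    ("2018-10-01T09:00:23", "203.0.113.44", 3389),
    ("2018-10-01T09:00:31", "203.0.113.44", 3389),
    ("2018-10-01T11:29:59", "10.0.5.17", 3389),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Group failures by (workstation, ip) and slide a window over them.
    A spray is many *distinct* accounts failing once each from one source,
    which per-account lockout thresholds never reach."""
    by_source = defaultdict(list)
    for t, user, ltype, ws, ip in events:
        by_source[(ws, ip)].append((ts(t), user, ltype))
    hits = []
    for src, rows in by_source.items():
        rows.sort()
        for t0, _, _ in rows:
            in_win = [r for r in rows if t0 <= r[0] <= t0 + window]
            accounts = {u for _, u, _ in in_win}
            if len(accounts) >= min_accounts:
                hits.append({"source": src, "start": t0,
                             "end": max(r[0] for r in in_win),
                             "accounts": sorted(accounts),
                             "nla_only": all(lt == 3 for _, _, lt in in_win)})
                break  # one alert per source is enough
    return hits

def attribute_via_firewall(hit, fw_log, slack=timedelta(seconds=5)):
    """The 4625 carries no IP under NLA, so take candidate source IPs from
    firewall hits on 3389 inside the same window (plus a little slack)."""
    lo, hi = hit["start"] - slack, hit["end"] + slack
    ips = defaultdict(int)
    for t, ip, port in fw_log:
        if port == 3389 and lo <= ts(t) <= hi:
            ips[ip] += 1
    return dict(ips)

if __name__ == "__main__":
    for h in find_spray(SECURITY_4625):
        print(h, attribute_via_firewall(h, FIREWALL))
```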
Mystery 2: The mysterious Azure Active Directory sync
External Active Directory
• You can query Active Directory
• Know everyone in an org
• Know AD group memberships
• Know user device & versions
• Create “guest” AD users & MFA devices
• … with only a low-privileged set of creds
• *Externally*
What if I told you, in most circumstances...
First, A Quick Glimpse
DirSync
Azure AD Sync
+ Forefront Identity Manager
Azure AD Connect
On-Prem: Azure AD Connect sync engine
Azure: Azure AD Connect sync service
http://www.windowstricks.in/2015/06/difference-between-dirsync-azure-ad-sync-and-azure-ad-connect.html
Azure Password Hashing
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
Password Sync
1. MD4 hash isn't sent, SHA256 hash of hash is
2. DC sends salt
3. Avoids PTH primitive for on-prem
4. Envelope decrypted and hash stored
Authentication
1. Requires 2nd auth if not using Seamless SSO
2. MD4+usersalt+PBKDF2+HMAC-SHA256
3. Compares cloud hash with on-prem hash
4. Session created
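A worked version of the sync and authentication steps above, added here and not the talk's or Microsoft's code: it follows the hash expansion, 10-byte per-user salt and 1000 rounds of PBKDF2-HMAC-SHA256 described in the Microsoft document linked on the slide. The 16-byte NT (MD4) hash is taken as input bytes, and upper-case hex in the expansion step is an assumption the document does not settle.

```python
"""Azure AD password hash sync: what leaves the DC, and how the cloud side
checks a login against it (added example following the linked MS doc)."""
import hashlib
import hmac
import os

ITERATIONS = 1000   # rounds of PBKDF2-HMAC-SHA256, per the linked document
SALT_LEN = 10       # per-user salt length in bytes, per the linked document

def expand_nt_hash(nt_hash: bytes) -> bytes:
    """The agent turns the 16-byte MD4 hash into its 32-character hex string
    and re-encodes that string as UTF-16LE, giving 64 bytes of PBKDF2 input.
    Hex case is not stated in the document; upper-case is assumed here."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().upper().encode("utf-16-le")

def derive_synced_hash(nt_hash: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The value that is actually transmitted: PBKDF2(expanded hash, salt)."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, iterations, 32)

def sync_record(nt_hash: bytes) -> dict:
    """Agent side: fresh per-user salt, derived hash and iteration count are
    what get sent to the cloud (over TLS in the real flow)."""
    salt = os.urandom(SALT_LEN)
    return {"hash": derive_synced_hash(nt_hash, salt), "salt": salt,
            "iterations": ITERATIONS}

def cloud_verify(record: dict, candidate_nt_hash: bytes) -> bool:
    """Cloud side: re-derive from the NT hash of the *submitted password* with
    the stored salt and compare. The stored value itself is never a valid
    input, which is why it gives no pass-the-hash primitive on-prem."""
    calc = derive_synced_hash(candidate_nt_hash, record["salt"], record["iterations"])
    return hmac.compare_digest(calc, record["hash"])
```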
So, what does this mean?
• Users: Identify Users & Read Properties
• Groups: Identify Security Groups
• Applications: Identify Attack Surfaces
• Devices: Identify Device Info for users
• Directory: Identify Domains & Partners
• Roles & Scopes: Identify All Memberships
• + more!
*Add a limited access guest account*
With a single set of phished/sprayed credentials...
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
Let’s Do It!
• az login
• az ad user list
• az ad group list
• az ad group member list --group='<group name>'
• az vm list
Azure CLI
Azure Portal
• Connect-AzureRmAccount
• Get-AzureRmADUser
• Get-AzureRmADGroup
• Get-AzureRmADGroupMember -GroupObjectId <group id>
• Get-AzureRmVM
AzureRM
AzureRM: https://docs.microsoft.com/en-us/powershell/azure/overview
AZ CLI: https://docs.microsoft.com/en-us/cli/azure/
DEMO: Azure CLI PoC
Lock Things Down
Azure Portal Configuration
Azure AD Conditional Access
??? umm.. okay, now what?
Azure CLI Work-around
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
Phew! (Thanks Derrick Rauch)
Mystery 3: The force-fed Microsoft Outlook hook
O365 Creds, so what?
• Maybe you password sprayed
• Perhaps you phished some creds
• But is it useful to pivot internally or persist?
• You can obviously harvest data via email/SharePoint/Azure
• You may have heard of using Outlook “rules”
• This has been patched by Microsoft though…
• Let’s talk about some new hotness
Gained access to creds, now what?
Microsoft Add-Ins
• Microsoft allows for add-ins to various products
• There are two types of Outlook Add-ins
• Legacy COM or VSTO add-ins
• Code physically installed on desktop client
• Web Add-ins
• No code installed on client
• Manifest file points to JavaScript/HTML that loads in the browser
Let’s have a chat about Add-ins
Outlook Web Add-Ins
• WEB ADD-INS SYNC ACROSS WEB CLIENT BROWSERS & DESKTOP CLIENTS
• I’ll give you a sec to contemplate life…
• … ready?
• So here is the attack path:
• Attacker gets creds
• Adds malicious Add-in to Outlook web client
• Malicious add-in syncs across the victim’s browser sessions and desktop client
Here’s the kicker…
Some Hurdles to Jump
• No.
• When you install an add-in it shows up as an icon
• Typically the user would have to click to run
• Pinnable Taskpanes make it so the user doesn’t even have to click anything
• Attacker opens add-in
• Clicks the pin icon
• The pinned add-in syncs to the victim’s browser
• Next email the victim opens, the pinned taskpane runs the add-in
So does the user have to click something?
Outlook Add-in Potential
• Well… you can literally point the browser at any code you want.
• Every time the add-in launches it uses the Manifest file provided to point the client at a web server
• We can host whatever html/js we want
• Note: Outlook desktop client uses Edge browser
• Let’s walk through a few examples
Ok so what can these add-ins do?
How to Install Add-In
Settings > Manage add-ins > My add-ins > Add a custom add-in > Add from file and point it to your manifest.xml file
How to Install Add-In
• Use Visual Studio to create a new “Outlook Web Add-In”
• Host the html/js files on your own web server, point to it in the manifest.xml file
• Outlook requires the site be HTTPS
• Here’s a basic tutorial for creating an Add-in that reads some attributes of email items
• https://docs.microsoft.com/en-us/outlook/add-ins/quick-start?tabs=visual-studio
Server-side setup
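The manifest is the one artifact an admin can review, so here is an added manifest review helper (Python, not the talk's PoC) for the defender side of the last few slides: it parses a constructed, trimmed manifest.xml, lists every location the client will be pointed at, and flags non-HTTPS URLs, hosts outside an allow-list, the ReadWriteMailbox permission and a pinnable taskpane. The domains, addresses and element subset in the sample are invented.

```python
"""Review an Outlook web add-in manifest for the properties the slides
describe (constructed sample manifest, added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed, trimmed manifest: only the elements this review inspects are
# kept, so it is not schema-complete. Hosts and addresses are invented.
SAMPLE_MANIFEST = """
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Helpful Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Mail Helper"/>
  <Description DefaultValue="Helps with mail"/>
  <IconUrl DefaultValue="https://addins.example.net/icon.png"/>
  <AppDomains><AppDomain>https://addins.example.net</AppDomain></AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addins.example.net/read.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteMailbox</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
                    xsi:type="VersionOverridesV1_0">
    <Resources>
      <bt:Urls><bt:Url id="Taskpane.Url" DefaultValue="http://203.0.113.9/pane.html"/></bt:Urls>
    </Resources>
    <Action xsi:type="ShowTaskpane">
      <SourceLocation resid="Taskpane.Url"/>
      <SupportsPinning>true</SupportsPinning>
    </Action>
  </VersionOverrides>
</OfficeApp>
"""

def local(tag):
    """Strip the XML namespace: '{ns}Permissions' -> 'Permissions'."""
    return tag.rsplit("}", 1)[-1]

def review_manifest(xml_text, allowed_domains):
    """Collect every URL the manifest can send the client to, the requested
    permission level and whether the taskpane can be pinned; return findings."""
    root = ET.fromstring(xml_text.strip())
    urls, permission, pinned = [], None, False
    for el in root.iter():
        name = local(el.tag)
        for attr, val in el.attrib.items():
            if attr == "DefaultValue" and val.lower().startswith(("http://", "https://")):
                urls.append((name, val))
        if name == "AppDomain" and el.text:
            urls.append((name, el.text.strip()))
        elif name == "Permissions":
            permission = (el.text or "").strip()
        elif name == "SupportsPinning" and (el.text or "").strip().lower() == "true":
            pinned = True
    findings = []
    for name, url in urls:
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append("non-HTTPS %s: %s" % (name, url))
        if parts.hostname and parts.hostname not in allowed_domains:
            findings.append("%s points outside the allow-list: %s" % (name, parts.hostname))
    if permission == "ReadWriteMailbox":
        findings.append("requests ReadWriteMailbox (read, send and delete mail via EWS)")
    if pinned:
        findings.append("pinnable taskpane: runs on every opened item without a click")
    return {"urls": urls, "permission": permission, "pinned": pinned, "findings": findings}
```

Running the review over `Get-App` output or a directory of exported manifests is the natural next step for the "find rogue add-ins" request later in the deck.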
Outlook Add-in Backdoor
• Create an add-in that reads the content of email
• Forward content of email to attacker
• Delete sent email so no trace of being sent
• Allows for having access to 2fa codes, password resets etc…
• We have PoC code for doing this on desktop client and will share web client code soon
Steal emails and other stuff...
Outlook Add-In Browser Hook
• Browser Exploitation Framework (BeEF)
• Inject hook.js into add-in
• Can now utilize BeEF plugins
• Enumerate system/browser/LAN
• Makes it easy to inject additional iframes
• Can pop credential box, deploy hta, etc...
• More research is needed on the potential for internal pivoting via browser hook
We can hook the users browser with BeEF!
Outlook Add-In Crypto-Miner
• Can totally inject the Coinhive miner
• JavaScript based cryptocurrency miner
• Uses CPU to mine Monero (and others)
• Listed as #1 malware throughout this year
• This works and will demo shortly
XMR when moon sir?
Add-In Mass Deployment?
• O365 admin can config add-ins too
• Can deploy to all users
• Make it mandatory that it’s installed
• They can enforce so that no user can uninstall
• Use your imagination for how bad this could…
What if we are an O365 admin?
DEMO: Outlook Add-In PoC
Outlook Add-In Defense
• Ok let’s go blue team:
• All of this requires an attacker has a cred
• 2FA and strong password policy are your friends
but not perfect (See Credsniper)
• …?
• Any ideas?
Thx for the nightmares… what now?
Mystery 4: The silently weaponized Windows Kernel
Windows Kernel: WNF
• Publish/Subscribe Windows Subsystem
• Uses State names to track
• User-mode/Kernel Notifications
• Persistent/Volatile Data Storage
• Cross-platform Mobile/App/Xbox
• Undocumented/Potentially Undetectable
• Sub before pub!
Windows Notification Facility
*Major props to Alex Ionescu & Gabrielle Viala*
WNF State Details
• State names: 64-bit GUID structure
• Lifetime
• Well-known: Reserved by Windows
• Permanent: Bound beyond reboot
• Volatile: Bound until reboot
• Temporary: Bound until process exit
• Scope
• User/Process/Session/Global
• Security Descriptors / DACL
WNF State Names/Lifetime/Scope
WNF Kernel Fun
• Lots of low-level/high-level calls
• Ntdll subscribes to low-level on process behalf
• Zw* vs Rtl* / Ex* / Nt*
• Code-execution in subscriber on event
• Rtl* in host event logs :(
• Create a secret IPC layer between processes
• Across process/user/kernel boundaries
• Hide data/binary in state names
• Inject data/code into processes
WNF Kernel API Calls
Low-level API
Consume:
ZwQueryWnfStateData
Publish:
ZwUpdateWnfStateData
Create:
ZwCreateWnfStateName
Delete:
ZwDeleteWnfStateName
High-level API
Subscribe:
RtlSubscribeWnfStateChangeNotification
Research: Guidance
• State Names are found in registry
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Notifications
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications
• Windows Internal Names & Descriptions
• Symbols in perf_nt_c.dll via Microsoft ADK
• NT Kernel Hooks: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/callouts/hookid.htm
• NativeAPI Signatures
• *WNF*
• https://processhacker.sourceforge.io/doc/ntzwapi_8h_source.html
Get Started Researching
Research: CasperWNF
WNF Hidden Data
1. Code execution runs Stage 1 payload
2. Stage 1 checks if Stage 2 payload in State name
a. Yes: run Stage 2
b. No: Fetch Stage 2 from C2
i. Publish in State name then run
3. Stage 2 subscribe to shutdown/user-presence
a. Shutdown callback
i. Write Stage 1 to disk for start-up
b. User-presence callback
i. Change jitter? Commands? Nuke the box?
WNF Side-channel Data Persistence
WNF Subscriptions
Stage 1: Dropper
Stage 2: Malware
Shutdown State
WNF_SYS_SHUTDOWN_IN_PROGRESS
0x4195173EA3BC0875
User-presence State
WNF_SEB_USER_PRESENT
0x41840B3EA3BC6875
‘Nuke the box’ State
WNF_HOLO_FORCE_ROOM_BOUNDARY
0xE8A0125A3BC2835c
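A decoder for the state-name values on this slide and for the lifetime/scope fields of the WNF State Details slide, added here and not part of CasperWNF: the packed bit layout and the XOR constant come from the Ionescu/Viala research credited earlier, and the registry key per lifetime follows the Research: Guidance slide. Reading the bytes above the low dword as an ASCII subsystem tag is an observation from the two values that decode cleanly ("SYS", "SEB"), not a documented field, so the code treats it as a hint.

```python
"""Decode a 64-bit WNF state name into its lifetime, scope and unique id,
and map it to where a defender would look for it (added example)."""
WNF_STATE_KEY = 0x41C64E6DA3BC0074   # constant XOR'd over every state name

LIFETIME = {0: "WellKnown", 1: "Permanent", 2: "Volatile", 3: "Temporary"}
SCOPE = {0: "System", 1: "Session", 2: "User", 3: "Process",
         4: "Machine", 5: "PhysicalMachine"}
# Registry home of each lifetime (the three keys from the Research slide).
# Temporary names live only in kernel memory until the owning process exits.
REGISTRY = {
    "WellKnown": r"HKLM\SYSTEM\CurrentControlSet\Control\Notifications",
    "Permanent": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications",
    "Volatile": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications",
    "Temporary": None,
}

def decode_state_name(state_name: int) -> dict:
    """Undo the XOR, then unpack the packed fields:
    Version:4 | NameLifetime:2 | DataScope:4 | PermanentData:1 | Unique:53."""
    internal = state_name ^ WNF_STATE_KEY
    info = {
        "version": internal & 0xF,
        "lifetime": LIFETIME[(internal >> 4) & 0x3],
        "scope": SCOPE.get((internal >> 6) & 0xF, "Unknown"),
        "permanent_data": bool((internal >> 10) & 1),
        "unique": internal >> 11,
    }
    # Heuristic: well-known names seen on the slide carry their subsystem tag
    # ("SYS", "SEB") as ASCII in the high dword. Only report clean A-Z text.
    raw = (internal >> 32).to_bytes(4, "little").rstrip(b"\x00")
    info["tag"] = raw.decode("ascii") if raw and all(0x41 <= b <= 0x5A for b in raw) else None
    info["registry_key"] = REGISTRY[info["lifetime"]]
    return info

def encode_state_name(version, lifetime, scope, permanent_data, unique) -> int:
    """Inverse of decode_state_name: pack the fields and re-apply the XOR."""
    internal = ((version & 0xF) | ((lifetime & 0x3) << 4) | ((scope & 0xF) << 6)
                | (int(permanent_data) << 10) | (unique << 11))
    return internal ^ WNF_STATE_KEY

if __name__ == "__main__":
    for name in (0x4195173EA3BC0875, 0x41840B3EA3BC6875):
        print(hex(name), decode_state_name(name))
```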
DEMO: Weaponized WNF PoC
WNF Attack Mitigations
• Event Tracing for Windows
• Only works for Rtl* function calls not Zw*
• Hooks NT Kernel Logger Events
• Hooking Ntdll system calls
• Great idea if you're crazy or writing malware
• Monitor read/writes to registry keys
• System service which is loud
• Filter on specific entries? *shrug*
TLDR; we’re screwed...
Finishing Up: Dear Microsoft...
Dear Microsoft...
A few requests...
• WNF Documentation & Native API logging
• Azure Portal locked-down by default
• Azure AD Conditional access w/o upgrade costs
• Fix the phantom host info w/ RDP NLA
• Make it easy for O365 admins to find rogue add-ins
Questions?
• Twitter
• Mike - @ustayready
• Beau - @dafthack
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• Code from demos
• https://github.com/ustayready/CasperStager
• https://github.com/ustayready/CasperWNF
• https://github.com/dafthack/RDPSpray

Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “features”
