Action:
Learning Domains/Level of Learning:
Army General Learning Outcomes:
Safety Requirements:
Privilege escalation and maintaining persistence are among the many post-exploitation skills and tasks that attackers must grasp. Attackers and defenders need to understand how privilege escalation can occur and how persistence can be maintained on a system. This understanding allows attackers to move freely through a network, and allows defenders to prevent privilege escalation, detect attacker movement, and detect/prevent attacker persistence mechanisms.
Identify and perform privilege escalation and integrity-level elevation
Familiarization with OS auditing and logging
Perform log cleaning and blending in
Identify artifacts
Kernel Mode vs User Mode
Privileged vs Unprivileged
Access Tokens
Security Identifier (SID) associations and Token associations
Security Descriptors
DACL
SACL
ACEs
Executables check the following locations (in successive order):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
The directory the Application was run from
The directory returned by the Win32 API function GetSystemDirectory()
The directory returned by the Win32 API function GetWindowsDirectory()
The current directory
Integrity Levels:
Untrusted: Anonymous SID access tokens
Low: Everyone SID access token (World)
Medium: Authenticated Users
High: Administrators
System: System services (LocalSystem, LocalService, NetworkService)
Always Notify
Notify me only when programs try to make changes to my computer
Notify me only when programs try to make changes to my computer (do not dim my desktop)
Never notify
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Requested Execution Levels:
asInvoker
highestAvailable
Actions that allow an adversary to obtain a higher level of permissions on a system or network
Items to evaluate include:
Write Permissions
Non-Standard Locations
Unquoted Executable Paths
Vulnerabilities in Executables
Permissions to Run As SYSTEM
schtasks /query /fo LIST /v
Identify Vulnerability
Take advantage of the default search order for DLLs
NAME_NOT_FOUND present in executable’s system calls
Validate permissions
Create and transfer Malicious DLL
wmic service list full
sc query
Identify Vulnerability
Validate permissions
Validate Executable Paths
Replace with Malicious File
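An audit check for the "Unquoted Executable Paths" and "Validate Executable Paths" items above, added here as an example and not part of the lesson. It parses saved `wmic service list full` output (the sample is constructed and trimmed to the relevant properties) and, for each unquoted service path containing spaces, reports the account the service runs as, the locations the service control manager would try before the real binary (the directories whose write permissions must be validated), and the quoted PathName that fixes the service.

```python
"""Audit service binary paths for the unquoted-path weakness, from saved
`wmic service list full` output (sample constructed, trimmed to relevant fields)."""
import re

SAMPLE = """\
Name=Spooler
PathName=C:\\Windows\\System32\\spoolsv.exe
StartName=LocalSystem

Name=AcmeUpdater
PathName=C:\\Program Files\\Acme Corp\\Update Service\\updater.exe -svc
StartName=LocalSystem

Name=GoodApp
PathName="C:\\Program Files\\Good App\\goodsvc.exe" --service
StartName=NT AUTHORITY\\LocalService
"""

def parse_wmic_list_full(text):
    """Split 'list full' output (key=value lines, blank line per instance) into dicts."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        svc = dict(line.partition("=")[::2] for line in block.splitlines())
        services.append({k.strip(): v.strip() for k, v in svc.items()})
    return services

def unquoted_path_candidates(pathname):
    """Paths the service control manager would try first for an unquoted PathName
    with spaces (each prefix up to a space, plus .exe); [] when the path is safe."""
    if not pathname or pathname.startswith('"'):
        return []
    exe = re.split(r"\.exe", pathname, maxsplit=1, flags=re.I)[0]  # drop arguments
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoted_fix(pathname):
    m = re.match(r"(.*?\.exe)(.*)", pathname, flags=re.I)  # quote only the executable
    return f'"{m.group(1)}"{m.group(2)}' if m else f'"{pathname}"'

def audit(text):
    """One finding per vulnerable service: who it runs as, what gets tried, the fix."""
    findings = []
    for svc in parse_wmic_list_full(text):
        tried = unquoted_path_candidates(svc.get("PathName", ""))
        if tried:
            findings.append({"name": svc["Name"], "account": svc.get("StartName", "?"),
                             "tried_first": tried, "fix": quoted_fix(svc["PathName"])})
    return findings
```

Run `audit(SAMPLE)` to see that only AcmeUpdater is flagged: Spooler has no spaces in its path and GoodApp is already quoted.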
Unpatched Kernel Vulnerabilities
Unpatched Systems
Unpatched Applications
The objective is to obtain unrestricted access to a system and to identify methods of executing malicious activity from a basic command line prompt.
Sysinternals
Schedule Task
UAC Bypass
System changes or binary uploads that provide the adversary continued access to a system
Survives:
Reboots
Credential changes
DHCP IP reassignment
Etc.
Considerations include:
File naming
File location
Timestomping
Port selection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run
RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run
RunOnce
What are the differences?
Do you need to blend in?
Permission Levels Considerations:
What is your objective?
Do you need to blend in?
At Startup
Perform Multiple Functions
Typically require Administrative Access
When does planning start?
Prior to Initial Access? After Initial Access? Before Exit?
What will happen if I do X?
Logs
Checks
Where are things?
Hide
File locations, names, times
Know the system!
Artifacts
Determine which events will create a log
Event Logs
Applications, Security, Setup, System
Blending In
TimeStomping
Where should you run commands from?
Locally?
Remote?
Are system resources important, and how can we check them?
wmic
net
netstat
auditpol /get /category:*
auditpol /get /category:* | findstr /i "success failure"
4624/4625: Successful/failed login
4720: Account created
4672: Administrative user logged on
7045: Service created
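As an added example (not from the lesson), the following parses saved `auditpol /get /category:*` output and reports what the `findstr /i "success failure"` filter above hides, namely the subcategories set to No Auditing, and then checks the subcategories behind the Security event IDs listed above (Logon for 4624/4625, Special Logon for 4672, User Account Management for 4720). 7045 is written to the System log by the Service Control Manager and is not governed by auditpol. The sample output is constructed.

```python
"""Find audit-policy gaps in saved `auditpol /get /category:*` output.
The sample is constructed; real output has the same two-column layout."""
import re

SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
System
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   Success
  Logoff                                  No Auditing
  Special Logon                           Success
Account Management
  User Account Management                 No Auditing
"""

# Subcategory that must be enabled for each Security event ID in the lesson's list
# (7045 lives in the System log and is not controlled by audit policy).
REQUIRED = {
    "Logon": ({"Success", "Failure"}, "4624/4625"),
    "Special Logon": ({"Success"}, "4672"),
    "User Account Management": ({"Success", "Failure"}, "4720"),
}

def parse_auditpol(text):
    """Map subcategory -> setting string; only subcategory lines are indented."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^\s{2,}(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            policy[m.group(1)] = m.group(2).strip()
    return policy

def setting_to_set(setting):
    """'Success and Failure' -> {'Success', 'Failure'}; 'No Auditing' -> set()."""
    return set() if setting == "No Auditing" else set(setting.replace(" and ", " ").split())

def no_auditing(policy):
    """What `findstr /i "success failure"` hides: subcategories logging nothing."""
    return [name for name, setting in policy.items() if setting == "No Auditing"]

def audit_gaps(policy):
    """Subcategories whose setting does not cover the events the lesson relies on."""
    gaps = []
    for name, (needed, events) in REQUIRED.items():
        missing = needed - setting_to_set(policy.get(name, "No Auditing"))
        if missing:
            gaps.append({"subcategory": name, "events": events, "missing": missing})
    return gaps
```

`audit_gaps(parse_auditpol(SAMPLE))` shows that failed logons (4625) and account creation (4720) would never be recorded under this policy.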
Storage: c:\windows\system32\config\
File-Type: .evtx/.evt
wevtutil el
wmic ntevent where "logfile='<LOGNAME>'" list full
Get-Eventlog -List
Windows CLI CMD history is per instance (doskey /history)
Powershell can be set to log sessions
2.0: little evidence; nothing about what was executed
3.0: Module logging (EventID 4103)
4.0: Module logging
5.0: Can set module logging, script block logging (EventID 4104) and transcription
reg query hklm\software\microsoft\powershell\3\powershellengine\
powershell -command "$psversiontable"
reg query [hklm or hkcu]\software\policies\microsoft\windows\powershell
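One parser serving two checks from this lesson, added here as an example and not part of the original: the UAC notification setting behind the `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` check (mapping EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to the four slider options listed earlier) and the PowerShell logging policy behind the `reg query` of the Policies\...\PowerShell key just above. It works on saved `reg query` text; the samples are constructed, and the PowerShell sample assumes the query was run with `/s` so the ScriptBlockLogging and ModuleLogging subkeys are included.

```python
"""Audit UAC and PowerShell logging policy from saved `reg query` output (samples constructed)."""
import re

UAC_SAMPLE = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x0
"""
PS_SAMPLE = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging
    EnableScriptBlockLogging    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging
    EnableModuleLogging    REG_DWORD    0x0
"""

def parse_reg_query(text):
    """Map each key path to {value name: data}; REG_DWORD data becomes int."""
    keys, current = {}, None
    for line in filter(str.strip, text.splitlines()):   # skip blank separator lines
        if not line.startswith(" "):                    # key paths are unindented
            current = line.strip()
            keys[current] = {}
        else:                                           # name, type, data: 2+ spaces apart
            name, rtype, *rest = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            data = rest[0] if rest else ""
            keys[current][name] = int(data, 16) if rtype == "REG_DWORD" else data
    return keys

def uac_level(values):
    """Translate the policy values into the UAC slider wording (defaults = Windows defaults)."""
    if values.get("EnableLUA", 1) == 0:
        return "UAC disabled (EnableLUA=0)"
    cpba, posd = values.get("ConsentPromptBehaviorAdmin", 5), values.get("PromptOnSecureDesktop", 1)
    slider = {(2, 1): "Always notify", (0, 0): "Never notify",
              (5, 1): "Notify me only when programs try to make changes to my computer",
              (5, 0): "Notify me only when programs try to make changes (do not dim my desktop)"}
    return slider.get((cpba, posd), f"non-slider policy ({cpba}, {posd})")

def powershell_logging(keys):
    """Which PowerShell logging channels policy has switched on (absent key = off)."""
    wanted = {"ScriptBlockLogging": "EnableScriptBlockLogging",   # EventID 4104
              "ModuleLogging": "EnableModuleLogging",             # EventID 4103
              "Transcription": "EnableTranscripting"}             # text transcripts
    status = {}
    for sub, value in wanted.items():
        entry = next((v for k, v in keys.items() if k.endswith("\\" + sub)), {})
        status[sub] = entry.get(value, 0) == 1
    return status
```

With the constructed samples, the UAC values decode to the "do not dim my desktop" level, and only script block logging (4104) is on, so module logging (4103) and transcripts would be missing from the host's evidence.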
reg query hklm\software\microsoft\wbem\cimom | findstr /i logging
# 0 = no | 1 = errors | 2 = verbose
%systemroot%\system32\wbem\Logs\
forfiles /P c:\windows\system32 /S /D +05/14/2019
wmic datafile where name='c:\\windows\\system32\\notepad.exe' get CreationDate, LastAccessed, LastModified
copy /b filename.ext +,,
(Get-Item file.ext).LastAccessTime = Get-Date
(Get-Item test.txt).LastAccessTime = Get-Date "07/07/2004"
Clear Event Logs (produces logging!):
wevtutil clear-log Application
Clear-Eventlog -Log Application, System
Let’s add a backdoor, hidden in plain-sight!