
Pentest Red Team Techniques - Defense Evasion

Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These tokens can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. Administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the Administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.
 

Parent PID Spoofing

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual or potentially malicious parent-child process relationships, for example by spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of a Spearphishing Attachment. This spoofing could be executed via Visual Basic within a malicious Office document or by any code that can call the Native API.

Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. Administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.
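From the blue-team side, the usual way to catch the spoofing described above is to compare two fields of a kernel process-start event: the PID in the event header (the process that actually made the CreateProcess call) against the parent PID recorded in the payload (the one a caller can choose via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS). The example below is added here and is not code from the page or from the tools it mentions; the ProcessStart record, its field names and the sample events are constructed, and the broker allowlist (svchost.exe/consent.exe, the UAC case the text describes) is an assumed baseline.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessStart:
    """One process-start event, simplified (assumed field names, not a real provider schema).

    creator_pid: PID carried in the event header, i.e. the process that called CreateProcess.
    parent_pid:  parent recorded in the payload; this is the value a caller can spoof.
    """
    pid: int
    image: str
    parent_pid: int
    creator_pid: int


# Creators that legitimately start a process on behalf of another one (UAC elevation
# via the AppInfo service in svchost.exe / consent.exe). Assumed baseline.
LEGIT_PPID_BROKERS = {"svchost.exe", "consent.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "rundll32.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed telemetry, not a real capture.
SAMPLE_EVENTS = [
    ProcessStart(pid=800, image="svchost.exe", parent_pid=600, creator_pid=600),
    ProcessStart(pid=1000, image="explorer.exe", parent_pid=700, creator_pid=700),
    ProcessStart(pid=2696, image="firefox.exe", parent_pid=1000, creator_pid=1000),
    ProcessStart(pid=4120, image="winword.exe", parent_pid=1000, creator_pid=1000),
    # claims firefox.exe as parent, but the CreateProcess call came from winword.exe
    ProcessStart(pid=5212, image="powershell.exe", parent_pid=2696, creator_pid=4120),
    # UAC elevation: svchost.exe creates the process and sets the PPID to the requester
    ProcessStart(pid=6000, image="mmc.exe", parent_pid=1000, creator_pid=800),
]


def analyze(events: List[ProcessStart]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process whose ancestry looks spoofed."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}

    def name(pid: int) -> str:
        return by_pid[pid].image if pid in by_pid else f"pid {pid}"

    for e in events:
        reasons = []
        if e.creator_pid != e.parent_pid and name(e.creator_pid) not in LEGIT_PPID_BROKERS:
            reasons.append(
                f"ppid-mismatch: created by {name(e.creator_pid)} ({e.creator_pid}) "
                f"but recorded parent is {name(e.parent_pid)} ({e.parent_pid})"
            )
        # Judge the Office-to-script-host rule on the real creator, not the recorded
        # parent, so a spoofed PPID cannot hide the relationship.
        if name(e.creator_pid) in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            reasons.append(f"office-child: {name(e.creator_pid)} started {e.image}")
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Only the PowerShell process is reported, with both reasons; the mmc.exe elevation is left alone because its creator is on the broker allowlist, which is exactly the legitimate mismatch UAC produces.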

Example:

This technique was introduced by Didier Stevens. A proof of concept written in C++ was released to the public (SelectMyParent) that allows the user to select the parent process by specifying its PID (process identifier). The CreateProcess function was used in conjunction with STARTUPINFOEX and LPPROC_THREAD_ATTRIBUTE_LIST.

Here is a sample of the demo working:

image

As you can see, the payload is now a child process of Firefox with the PID 2696.

We also have another tool from Julian Horoszkiewicz which is based on the work of Didier, and we can verify the same goal is reached when spoofing our parent process. This is achieved through the CreateProcess API.

image
 

Make and Impersonate Token

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.



Create Process with Token

Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with DuplicateToken(Ex) and use it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.

Example:

In simple terms, this is when the access token of an already existing process on the victim host is retrieved, duplicated and then used to create a new process.


Step                                                             Win32 API
1. Open a process with the access token you want to steal        OpenProcess
2. Get a handle to the access token of that process              OpenProcessToken
3. Make a duplicate of the access token present in that process  DuplicateTokenEx
4. Create a new process with the newly acquired access token     CreateProcessWithTokenW

I will weaponize this technique using the following code:

Code:

    #include "stdafx.h"
    #include <Windows.h>
    #include <iostream>

    int main(int argc, char* argv[]) {
        char a;
        HANDLE processHandle;
        HANDLE tokenHandle = NULL;
        HANDLE duplicateTokenHandle = NULL;
        STARTUPINFO startupInfo;
        PROCESS_INFORMATION processInformation;
        DWORD PID_TO_IMPERSONATE = 3060;        // PID of the process whose token is taken (notepad in this demo)
        wchar_t cmdline[] = L"C:\\shell.cmd";   // command launched under the duplicated token

        ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
        ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
        startupInfo.cb = sizeof(STARTUPINFO);

        // Step 1: open the target process
        processHandle = OpenProcess(PROCESS_ALL_ACCESS, true, PID_TO_IMPERSONATE);
        // Step 2: get a handle to its access token
        OpenProcessToken(processHandle, TOKEN_ALL_ACCESS, &tokenHandle);
        // Step 3: duplicate that token as a primary token
        DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
        // Step 4: create a new process under the duplicated token
        CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, NULL, cmdline, 0, NULL, NULL, &startupInfo, &processInformation);

        std::cin >> a;   // keep the console open until a key is entered
        return 0;
    }
My target here is notepad, as it is running with Administrator privileges, for the sake of demonstration. Compiling the previous code will use the proper API calls to grab the token, duplicate it and open a command prompt with Administrator privileges.

As you can see, when running the compiled binary with PowerShell as the parent process, ConsoleApplication runs as the user but the cmd process runs as Administrator.

image

Create a Process with Token

image
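What the demo above leaves in telemetry is a child process whose token user differs from its parent's (cmd.exe as Administrator under a ConsoleApplication running as the normal user), and, for the Make and Impersonate Token section, a logon session requested by a process that is not part of the normal logon chain (LogonUser surfaces as a Security 4624 whose requesting process is the caller). The code below is an added example, not part of the original post or of any tool it shows; the Sysmon Event ID 1 and Security 4624 records are constructed, and the two allowlists are assumed baselines that a real deployment would tune.

```python
import ntpath
from typing import Dict, List

# Parents that legitimately start children under another account (service control
# manager, logon chain, UAC AppInfo host). Assumed baseline for this example.
CROSS_USER_PARENTS = {"services.exe", "wininit.exe", "winlogon.exe", "userinit.exe", "svchost.exe"}
# Processes that normally ask LSA for new logon sessions. Assumed baseline.
LOGON_REQUESTERS = {"winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


# Constructed Sysmon Event ID 1 records; User/ParentUser are fields of recent Sysmon builds.
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"LAB\admin",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": r"LAB\admin"},
    {"Image": r"C:\Users\bob\ConsoleApplication.exe", "User": r"LAB\bob",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentUser": r"LAB\bob"},
    # what the demo produces: cmd.exe runs as admin although its parent runs as bob
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"LAB\admin",
     "ParentImage": r"C:\Users\bob\ConsoleApplication.exe", "ParentUser": r"LAB\bob"},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
]

# Constructed Security 4624 records. LogonType 9 (NewCredentials) is what LogonUser with
# LOGON32_LOGON_NEW_CREDENTIALS and `runas /netonly` produce; type 2 is interactive,
# type 5 is a service logon.
SAMPLE_LOGON_EVENTS: List[Dict[str, object]] = [
    {"LogonType": 2, "TargetUserName": "bob", "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    {"LogonType": 9, "TargetUserName": "admin", "ProcessName": r"C:\Users\bob\tool.exe"},
    {"LogonType": 5, "TargetUserName": "SYSTEM", "ProcessName": r"C:\Windows\System32\services.exe"},
]


def find_token_anomalies(events: List[Dict[str, str]]) -> List[str]:
    """Children running under a different account than their parent, unless the
    parent is a known broker: the footprint of DuplicateTokenEx + CreateProcessWithTokenW."""
    out = []
    for e in events:
        if e["User"].lower() != e["ParentUser"].lower() and base(e["ParentImage"]) not in CROSS_USER_PARENTS:
            out.append(f"{base(e['Image'])} runs as {e['User']} but parent "
                       f"{base(e['ParentImage'])} runs as {e['ParentUser']}")
    return out


def find_logon_anomalies(events: List[Dict[str, object]]) -> List[str]:
    """Logon sessions requested by processes outside the normal logon chain (LogonUser)."""
    out = []
    for e in events:
        if base(str(e["ProcessName"])) not in LOGON_REQUESTERS:
            kind = "new-credentials" if e["LogonType"] == 9 else f"type {e['LogonType']}"
            out.append(f"{kind} logon for {e['TargetUserName']} requested by {e['ProcessName']}")
    return out


if __name__ == "__main__":
    for line in find_token_anomalies(SAMPLE_PROCESS_EVENTS) + find_logon_anomalies(SAMPLE_LOGON_EVENTS):
        print(line)
```

The parent/child user comparison is the more robust of the two checks, since the token user of the new process is exactly what CreateProcessWithTokenW changes; the 4624 rule needs the allowlist tuned per environment because backup agents and other software legitimately call LogonUser.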

Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.

Example:

PrintSpoofer.exe

Impersonate privileges with a named pipe: for this to work, the tool tricks the NT AUTHORITY\SYSTEM account into connecting and authenticating to an RPC server the attacker controls by leveraging some peculiarities of the IStorage COM interface. This approach is well known from the RottenPotato and RogueWinRm exploits.

During the authentication process, all the messages are relayed between the client (the SYSTEM account here) and a local NTLM negotiator. This negotiator is just a combination of several Windows API calls such as AcquireCredentialsHandle() and AcceptSecurityContext(), which interact with the lsass process through ALPC. In the end, if all goes well, you get SYSTEM.

Here I am as the current user with the privileges needed.

image

Then I move to using the PrintSpoofer exploit, which abuses the Print System Remote Protocol (the same protocol used by a tool called SpoolSample); the exploit is based on a single RPC call to a function exposed by the Print Spooler service.

image

According to the documentation, this function creates a remote change notification object that monitors changes to printer objects and sends change notifications to a print client using either RpcRouterReplyPrinter or RpcRouterReplyPrinterEx.

But how are these notifications sent? "via RPC… over a named pipe". The thing here is that it communicates with a named pipe called \pipe\spoolss. itm4n implements a trick in his PrintSpoofer tool to control the path used by the server. With some slight adjustments we can create a server path and redirect the RPC communication from the SYSTEM-controlled pipe onto one we control, and receive SYSTEM access.

Path Manipulation

image

As a prerequisite, the only required privilege is SeImpersonatePrivilege.

image
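The path trick described above leaves a distinctive artifact: a named pipe whose name ends in \pipe\spoolss but sits under an extra path component, created by something other than the spooler service. Sysmon Event ID 17 (PipeCreated) records the pipe name without the \\.\pipe prefix, so the check is a suffix comparison plus an image check. This is an added example, not code from the post or from PrintSpoofer; the events below are constructed.

```python
import ntpath
from typing import Dict, List

LEGIT_SPOOLER_PIPE = r"\spoolss"   # the real Print Spooler endpoint
SPOOLER_HOST = "spoolsv.exe"       # the only image expected to create it

# Constructed Sysmon Event ID 17 (PipeCreated) records.
SAMPLE_PIPE_EVENTS: List[Dict[str, str]] = [
    {"PipeName": r"\spoolss", "Image": r"C:\Windows\System32\spoolsv.exe"},
    {"PipeName": r"\PSHost.1234.5678.DefaultAppDomain.powershell",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # the shape produced by the server-path trick: an extra component before \pipe\spoolss,
    # created by a user-level binary (constructed name and path)
    {"PipeName": r"\dummy\pipe\spoolss", "Image": r"C:\Users\bob\Desktop\tool.exe"},
]


def suspicious_spooler_pipes(events: List[Dict[str, str]]) -> List[str]:
    """Flag spooler pipes not created by spoolsv.exe and spooler look-alike pipe names."""
    out = []
    for e in events:
        name = e["PipeName"].lower()
        image = ntpath.basename(e["Image"]).lower()
        if name == LEGIT_SPOOLER_PIPE and image != SPOOLER_HOST:
            out.append(f"{image} created the spooler pipe {e['PipeName']}")
        elif name.endswith(r"\pipe\spoolss"):
            out.append(f"{image} created a spooler look-alike pipe {e['PipeName']}")
    return out


if __name__ == "__main__":
    for line in suspicious_spooler_pipes(SAMPLE_PIPE_EVENTS):
        print(line)
```

Pair this with an inventory of which service accounts hold SeImpersonatePrivilege, since that privilege is the only prerequisite the text names.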


Abuse Elevation Control Mechanism

Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileges a user can exercise on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
 

Bypass User Account Control

Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement, to allowing the user to perform the action if they are in the local administrators group and click through the prompt, to allowing them to enter an administrator password to complete the action.

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. An example of this is the use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting the user.

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional methods are regularly discovered and some used in the wild, such as:

· Eventvwr.exe can auto-elevate and execute a specified binary or script.

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.

Examples:

In the first example, why not disable UAC in its entirety? We can do this by changing the EnableLUA key, and we will no longer receive prompts for anything that is executed with high privileges.

Warning: this needs Administrator permissions, and Windows will warn the user that a restart is required for UAC to be turned off.

Once we apply the key we can simply restart the target machine and have it disabled.

image

And that's it: any time we execute a payload or anything that would trigger a prompt, it won't go through UAC; it will simply execute. But this is a very noticeable change; it is demonstrated here only because it is so simple to use.

Let's try another attack.

Fodhelper: the great thing about this one is that we can work with user privileges and have it execute our payload. In this example I will have it execute cmd with Administrator privileges.

Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened.

image
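Both UAC examples above change registry state that an administrator can audit: the first flips the EnableLUA policy value (and is very noisy, as noted), while the fodhelper.exe route relies on a per-user ms-settings protocol handler that a clean system does not have under HKCU. The audit below is an added example, not the post's own commands or a tool's output; the two registry snapshots are constructed in a flattened "key\value -> data" shape (assumed to come from an endpoint agent or a parsed `reg export`), and the expected values correspond to the "Always notify" level the text calls the highest UAC level.

```python
from typing import Dict, List, Tuple, Union

Value = Union[int, str]

POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Expected values for the highest UAC level. ConsentPromptBehaviorAdmin: 0 = elevate
# without prompting, 2 = prompt for consent on the secure desktop.
EXPECTED: Dict[str, Tuple[int, str]] = {
    POLICY + r"\EnableLUA": (1, "UAC is switched off entirely, nothing is ever prompted"),
    POLICY + r"\ConsentPromptBehaviorAdmin": (2, "administrators elevate without a consent prompt"),
    POLICY + r"\PromptOnSecureDesktop": (1, "prompt is drawn on the normal desktop instead of the secure desktop"),
}

# Per-user protocol handler that fodhelper.exe resolves before it auto-elevates.
# A clean system has no such key under HKCU; its presence is the artifact to look for.
HIJACK_KEY = r"HKCU\Software\Classes\ms-settings\Shell\Open\command"

# Constructed snapshots (not captured from a real host).
SNAPSHOT_WEAK: Dict[str, Value] = {
    POLICY + r"\EnableLUA": 0,
    POLICY + r"\ConsentPromptBehaviorAdmin": 0,
    POLICY + r"\PromptOnSecureDesktop": 0,
    HIJACK_KEY + r"\(Default)": r"C:\Windows\System32\cmd.exe",
    HIJACK_KEY + r"\DelegateExecute": "",
}
SNAPSHOT_HARDENED: Dict[str, Value] = {
    POLICY + r"\EnableLUA": 1,
    POLICY + r"\ConsentPromptBehaviorAdmin": 2,
    POLICY + r"\PromptOnSecureDesktop": 1,
}


def audit_uac(snapshot: Dict[str, Value]) -> List[str]:
    """Return one finding per weak UAC policy value and one if the HKCU handler exists."""
    findings = []
    for path, (expected, why) in EXPECTED.items():
        actual = snapshot.get(path, "unset")
        if actual != expected:
            value_name = path.rsplit("\\", 1)[1]
            findings.append(f"{value_name}={actual} (expected {expected}): {why}")
    hijack_values = sorted(v for v in snapshot if v.startswith(HIJACK_KEY + "\\"))
    if hijack_values:
        command = snapshot.get(HIJACK_KEY + "\\(Default)")
        findings.append(f"ms-settings handler present under HKCU ({len(hijack_values)} values), command={command}")
    return findings


if __name__ == "__main__":
    for label, snap in (("weak", SNAPSHOT_WEAK), ("hardened", SNAPSHOT_HARDENED)):
        print(label, audit_uac(snap) or ["no findings"])
```

The hardened snapshot produces no findings; the weak one reports all three policy values plus the HKCU handler, which is the same state the "operation completed successfully" messages in the fodhelper example leave behind.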
 

De-obfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.

Example:

Here is a simple obfuscation trick from PowerShell that executes base64 encoded commands.

image

What is that base64-encoded string? Get-Process.

For some reason, when I encoded using the web or Linux, the string was always incorrect, so I used PowerShell's method for encoding strings to base64.

Update: Thanks to user init5, it was pointed out that we need to make sure we are using UTF-16LE when encoding on Linux for it to work on Windows.

image

And this decodes correctly on Linux.

image
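The UTF-16LE point is exactly what an analyst runs into from the other direction when decoding `-EncodedCommand` blobs out of process-creation logs: a blob made with a plain `base64` of UTF-8 text has an odd byte count or decodes to nonsense as UTF-16LE. The code below is an added example, not from the post; it encodes the way PowerShell expects, decodes blobs pulled from a command line, and tells the two encodings apart. The command lines are constructed, and the argument regex is an assumption that covers the common abbreviations of -EncodedCommand.

```python
import base64
import re
from typing import List, Optional

# Constructed command lines, as they would appear in a Sysmon Event ID 1 / Security 4688 record.
SAMPLE_COMMAND_LINES: List[str] = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==",
    # produced with `echo -n Get-Process | base64` on Linux, i.e. UTF-8 bytes
    "powershell.exe -enc R2V0LVByb2Nlc3M=",
    "powershell.exe -Command Get-Process",
]

# -e, -ec, -enc and -EncodedCommand all select the same parameter (assumed coverage).
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand blob; None if it is not valid base64 of UTF-16LE text
    (the usual symptom of a blob built from UTF-8, e.g. an odd byte count)."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_blob(blob: str) -> str:
    """Heuristic: which text encoding was the base64 payload built from?"""
    raw = base64.b64decode(blob)
    try:
        text = raw.decode("utf-16-le")
        if all(ord(c) < 0x80 for c in text):   # readable ASCII script, not CJK noise
            return "utf-16-le"
    except UnicodeDecodeError:
        pass
    try:
        raw.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "unknown"


def triage_command_line(cmdline: str) -> Optional[str]:
    """Extract and decode the encoded command from a process command line, if any."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    return decode_encoded_command(match.group(1))


if __name__ == "__main__":
    print(encode_command("Get-Process"))
    for line in SAMPLE_COMMAND_LINES:
        print(repr(triage_command_line(line)), "<-", line)
```

The second sample decodes to nothing, which is what PowerShell itself would choke on; `classify_blob` reports it as UTF-8, the same mismatch the update above describes.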
 