Security Bsides Las Vegas 2024

Windows EventLog Persistence? The Windows can help us
2024-08-06 , Florentine E

This research shows some of the phases and techniques used during a red team operation (or even a pentest) in a Windows environment.

Thinking about new ways to abuse Windows environments, we mapped three methods that can help in an assessment, with a focus on bypass and persistence techniques that use Windows itself.

First, we show how to bypass Constrained Language Mode by invoking a PowerShell runspace from C# code.

Second, we use a WiX XML file to build a malicious MSI and elevate privileges to NT AUTHORITY\SYSTEM.

Third, and this is the core of the talk, we show how the Windows EventLog can be abused to maintain persistence without detection: we created a new event log containing hex-encoded shellcode stored in its raw data and used it to establish communication with a C2.

Many attacks are possible with Windows as our ally. Some protection mechanisms were in place in the lab, such as AppLocker blocking PowerShell scripts, against which we demonstrate privilege elevation and persistence using the event log.

By the end of this talk, we hope the offensive team can use these new tricks and the defensive team can work out detections and mitigations for them.


Talk Description.

The idea of this lecture is to show some of the phases and techniques used during a red team operation, or even a pentest, in a Windows environment.

The main focus is to show bypass and persistence techniques using Windows itself as our ally.

All the PoCs were done in a controlled lab environment where some protection mechanisms were in place, such as AppLocker blocking PowerShell scripts, and the PoCs cover privilege elevation and persistence using the event log.

In all the tests, I tried to use techniques different from the existing ones, thus showing a new approach.

  • Bypass CLM (PowerShell Constrained Language Mode)
  • Elevation of privilege using a WiX file to gain access as NT AUTHORITY\SYSTEM
  • Persistence using the Windows EventLog

The idea is to walk through all the phases of a red team test against a host hardened to the highest level of protection: gain privileged access, and then establish persistence using the Windows EventLog itself as our friend.

During testing it was possible to remain completely undetected by Windows Defender.

Recon - Bypass Constrained Language Mode

AppLocker can also be used to block the execution of PowerShell scripts, which puts PowerShell into "CLM - Constrained Language Mode", a protection mechanism meant to prevent malicious users from running PowerShell scripts at the standard user level.

This makes it harder for an attacker or pentester to perform basic recon in search of a possible elevation of privilege, or of credentials that would facilitate lateral movement.

For the CLM bypass we use the Windows PowerShell runspace itself to perform recon and an AMSI bypass in search of an elevation of privilege.

Execution

To execute this phase, a C# program was written to invoke the PowerShell runspace, which made a complete recon with PowerUp possible:

-> C# program that runs the script through a runspace
-> Download of the exploit using the native Windows tools certutil and bitsadmin
-> certutil is used to hide the exploit
-> bitsadmin is used to download the file and build the executable

With this recon phase done, it was possible to move on to the next phases.
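From the defender's side, a PowerShell engine hosted by a program other than powershell.exe is exactly what the C# runspace approach above looks like in the logs. The following script is an added example (not code from the talk) that lists such engine starts from Event ID 400 in the classic "Windows PowerShell" log; the host allow-list is an assumption to tune per environment.

```powershell
# Added example: find PowerShell engine starts whose HostApplication is not a
# standard PowerShell host. Event ID 400 ("Engine state is changed from None
# to Available") records HostApplication=<command line> for every engine start,
# so a C# program that creates its own runspace shows up here under its own
# executable name. Requires read access to the "Windows PowerShell" log.
$knownHosts = @('powershell.exe', 'powershell_ise.exe')   # assumed allow-list

$engineStarts = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
                             -ErrorAction SilentlyContinue

$suspicious = foreach ($evt in $engineStarts) {
    # The event message is key=value text, one pair per line.
    if ($evt.Message -match 'HostApplication=(?<host>[^\r\n]+)') {
        $hostApp = $Matches['host'].Trim()
        # First token of the command line is the host executable (may be quoted).
        $exePath = ($hostApp -split '\s+')[0].Trim('"')
        $exeName = [System.IO.Path]::GetFileName($exePath).ToLower()
        if ($knownHosts -notcontains $exeName) {
            [pscustomobject]@{
                Time            = $evt.TimeCreated
                HostExecutable  = $exeName
                HostApplication = $hostApp
                RecordId        = $evt.RecordId
            }
        }
    }
}

$suspicious | Sort-Object Time -Descending | Format-Table -AutoSize
```

Legitimate management tools also host the engine (SCCM, Server Manager and the like), so add those to the allow-list once baselined rather than treating every hit as malicious.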

Elevation of Privilege

For the elevation of privilege we explore MSI executables, which can install a program with NT AUTHORITY\SYSTEM privileges. We take a new approach to this attack: a WiX "xml" file and native Windows binaries are used to build the malicious MSI.

What is AlwaysInstallElevated?

The AlwaysInstallElevated policy lets a Windows Installer package be installed with elevated (SYSTEM) privileges.
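The practical check for this weakness is an added example, not from the talk: Windows Installer honours the policy only when the value is set to 1 in both the machine and the user hive, so the audit below reads both and warns only when the combination is effective.

```powershell
# Added example: audit whether AlwaysInstallElevated is effectively enabled.
# Both HKLM and HKCU must carry AlwaysInstallElevated = 1 (REG_DWORD) for
# msiexec to run a package as NT AUTHORITY\SYSTEM for a standard user.
$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

$state = foreach ($p in $paths) {
    # Missing key or value simply yields $null, which counts as "not enabled".
    $value = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated `
                               -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [pscustomobject]@{
        Hive    = $p.Split(':')[0]
        Value   = $value
        Enabled = ($value -eq 1)
    }
}

$state | Format-Table -AutoSize

if (($state | Where-Object { -not $_.Enabled }).Count -eq 0) {
    Write-Warning 'AlwaysInstallElevated is set in HKLM and HKCU: any MSI this user installs runs as SYSTEM.'
    # Remediation: disable the policy in Group Policy under
    #   Computer Configuration (and User Configuration) > Administrative Templates >
    #   Windows Components > Windows Installer > Always install with elevated privileges
    # or remove the value directly (machine hive shown; requires admin rights):
    #   Remove-ItemProperty -Path $paths[0] -Name AlwaysInstallElevated
}
else {
    'AlwaysInstallElevated is not effective on this host.'
}
```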

Persistence - Windows EventLog

To maintain persistence and stay undetected by Windows Defender, we again use Windows as our ally: we abuse the Windows event log to execute payloads stored in its raw data, without any detection by Windows Defender.

In 2022, Kaspersky published research showing how new malware was using the Windows Event Log to maintain persistence without being detected by Windows Defender.
Little was heard about the subject after that research, which gave rise to the idea of showing how this technique can be executed in a red team operation or in a controlled test in a Windows environment.

Execution

To execute this phase, a C# program was written using some Win32 APIs so that the shellcode stored in the raw data of the Windows event log could be executed.

-> Creation of a new EventLog (only possible after the elevation of privilege)
-> The new EventLog is created with PowerShell itself.
-> Creation of the shellcode in hex so that it can be stored in the EventLog raw data.
-> After creating the new EventLog, it is used by the C# program we wrote, which performs the following actions:
-> Read our new EventLog
-> Run the raw data content stored in hex
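Both execution variants above depend on two observable artefacts: a classic event log that was not there at build time, and entries whose binary Data field is far larger than normal messages carry. The hunt below is an added example (not from the talk) that surfaces both; the baseline log list and the size threshold are assumptions to adjust per fleet.

```powershell
# Added example: hunt for shellcode parked in classic event log raw data.
# Requires Windows PowerShell 5.1 (Get-EventLog is not in PowerShell 7) and
# admin rights to read every log.
param(
    [int]$MinBytes = 1024,   # assumed threshold; legitimate Data blobs are usually small
    [string[]]$BaselineLogs = @('Application', 'Security', 'System', 'Windows PowerShell')
)

# 1. New-EventLog registers a log under HKLM:\SYSTEM\CurrentControlSet\Services\EventLog,
#    so any classic log outside the baseline was added after the image was built.
$allLogs = Get-EventLog -List | Select-Object -ExpandProperty Log
foreach ($log in ($allLogs | Where-Object { $BaselineLogs -notcontains $_ })) {
    Write-Warning "Non-baseline event log present: $log"
}

# 2. Flag entries carrying large binary Data in every log, with the first bytes
#    shown as hex so an analyst can tell machine code from benign binary quickly.
$hits = foreach ($log in $allLogs) {
    Get-EventLog -LogName $log -ErrorAction SilentlyContinue |
        Where-Object { $_.Data -and $_.Data.Length -ge $MinBytes } |
        ForEach-Object {
            [pscustomobject]@{
                Log       = $log
                Index     = $_.Index
                Source    = $_.Source
                EventId   = $_.EventID
                Time      = $_.TimeGenerated
                DataBytes = $_.Data.Length
                Head      = ($_.Data[0..15] | ForEach-Object { $_.ToString('x2') }) -join ' '
            }
        }
}

$hits | Sort-Object DataBytes -Descending | Format-Table -AutoSize
```

Pair the hits with the Source that wrote them: a log or source that no installed product owns is the strongest signal, and the same registry key can be watched for new subkeys to catch the creation step rather than the stored payload.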

Execution 2

For the PowerShell-only execution, the following tools were needed.

-> Creation of a new EventLog (only possible after the elevation of privilege)
-> The new EventLog is created with PowerShell itself.
-> xencrypt to encrypt our shellcode with AES-256
-> With the command generated by xencrypt it was possible to execute our shellcode stored in the raw data.

Fabricio Gimenes is Offensive Security Director at Redwolves and a Red Team/Pentest specialist. He graduated in Cyber Security Defense and holds offensive security certifications (OSCP/OSWE/OSEP/CRTP).