An ACE in the Hole - Stealthy Host Persistence via Security Descriptors


Transcript of An ACE in the Hole - Stealthy Host Persistence via Security Descriptors

Page 1: An ACE in the Hole - Stealthy Host Persistence via Security Descriptors


Page 2

Who We Are
- @tifkin_ / @enigma0x3 / @harmj0y
- Red teamers/researchers at SpecterOps
- Code on code on code
- Cons on cons on cons

Page 3

What This Is
- Offensive applications
- Intro to securable objects
- Our research process
- Securable object takeover primitives
- Case studies/demos
- Defense

Page 4

1. Offensive Applications
WHY this is useful

Page 5

“As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isn’t the kind of person who speaks at security cons”

Matt “f’ing” Graeber, BlackHat 2015

Page 6

Page 7

Page 8

Why Care (really)?
- It’s often difficult to determine whether a specific security descriptor misconfiguration was set maliciously or configured by accident
- These changes also have a minimal (and different) forensic footprint, and they grant:
  - Bug longevity! Privesc! Persistence!
- They might already be on your system ;)
- Living off the land++ (existed since NT was born!)

Page 9

Big Point(s)
- Most defenders are not aware of this general persistence approach, much less how to find and remediate it!
- You don’t need to leave malicious code/logic on a system to regain access!
- What if this change was made to an organization’s “gold image”?

Page 10

Responsibly Evil ;)
- Also, you don’t need to set the principal/trustee (who has the rights) to S-1-1-0 (Everyone)!
- Security descriptor backdoors can be set for specific trustees in a targeted manner so exposure in the environment is minimized

Page 11

¯\_(ツ)_/¯
- “if an attacker has code execution on your system, you’re screwed already, so who cares”
- “You need admin rights to do this, this is stupid!”
- To this we say: domain joined boxes != isolated home systems
- we guess the defensive industry should just pack up and leave…

Page 12

2. Intro to Securable Objects
Security Descriptors 101

Page 13

What is a “Securable Object”?
A Windows object that can have a security descriptor

Page 14

SECURITY_DESCRIPTOR
https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx

Page 15

DACL ACEs

Page 16

Where are these descriptors?
- Found in the registry, the file system, in the kernel, ntds.dit...
- Really depends on the type of object
- Finding what objects are securable, much less exactly where their descriptors are located, isn’t as easy as you’d think...

Page 17

From DACLs to SACLs
- Access Control List (ACL) is basically shorthand for the DACL/SACL superset
- An object’s Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs)
- DACL - What principals/trustees have what rights over the object
- SACL - Specifies how to audit access to the object

Page 18

Standard vs. Object-Specific
http://searchwindowsserver.techtarget.com/feature/The-structure-of-an-ACE

Page 19

More on DACLs
- Null DACL != no DACL
- Inheritance… can be a >_<
- General interpretation (canonical ACE order, evaluated top to bottom):
  - Explicit Deny
  - Explicit Allow
  - Inherited Deny
  - Inherited Allow

Page 20

Our Securable Object Research Methodology

Page 21

Our Research Approach
Objects accessible from user-mode, with a focus on ones usable for persistence/lateral movement

1. Discover securable objects
2. Offline and online security descriptor enumeration
3. Analyze access mask
   a. What object-specific rights are there (if any)?
   b. What rights permit persistence/lateral movement?
4. Operational weaponization and detection

Page 22

1. Discovering Securable Objects
- Windows documentation lists about 20-30 securable objects*
- We’ve identified 70+! (There’s *many* more)
- Microsoft Protocol Specifications
  - Very useful for RPC servers
- Find-RegistrySecurityDescriptors.ps1

*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx

Page 23

Find-RegistrySecurityDescriptors

Page 24

2. Online vs Offline Security Descriptors
- Where do objects get their security descriptor?
  - Offline - Security descriptor derived from registry, file, ntds.dit, etc.
  - Online - Security descriptor is in memory

Our approach to enumeration:
- Locally as an unprivileged user
- Locally as a privileged user
- Remotely as an unprivileged user
- Remotely as a privileged user

Page 25

Existing Tooling
- Use existing tools
  - Accesschk.exe
  - WindowsDACLEnumProject
  - Google’s sandbox analysis tools
  - NtObjectManager woot woot!
  - BloodHound
- Most do not distinguish between online/offline security descriptors
  - Implication: How do you know if an object has been modified after creation?
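The "offline" descriptors that pages 22 to 25 contrast with in-memory ones are, for many objects, REG_BINARY registry values holding a self-relative SECURITY_DESCRIPTOR. The scan below is an added example written for this transcript; it is not the authors' Find-RegistrySecurityDescriptors.ps1 (whose contents the slides do not show). It walks a registry subtree, pre-filters binary values on the descriptor header, parses the survivors with the .NET RawSecurityDescriptor class and emits SDDL. The root keys passed at the end are assumptions taken from objects named later in the deck (the DCOM limits and the print server/printer descriptors).

```powershell
# Added example (not the authors' script): find REG_BINARY values that are self-relative
# security descriptors and render them as SDDL, giving an "offline" view of the objects.
function Find-RegistryBinarySecurityDescriptor {
    param([Parameter(Mandatory)][string[]]$Root)

    foreach ($r in $Root) {
        # Include the root key itself; keys the caller cannot open are skipped silently.
        $keys = @(Get-Item -Path $r -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
                [byte[]]$bytes = $key.GetValue($name)
                # Cheap pre-filter: Revision == 1, SE_SELF_RELATIVE (0x8000) set in the Control
                # word at offset 2 (little-endian, so bit 0x80 of byte 3), and the 20-byte header present.
                if ($bytes.Length -lt 20 -or $bytes[0] -ne 1 -or -not ($bytes[3] -band 0x80)) { continue }
                try {
                    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
                    $sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
                } catch {
                    continue   # a binary value that merely looked like a descriptor
                }
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $(if ($name) { $name } else { '(Default)' })
                    Owner = $sd.Owner
                    Sddl  = $sddl
                }
            }
        }
    }
}

# Assumed roots: DCOM machine-wide limits, the print server descriptor, and per-printer descriptors.
Find-RegistryBinarySecurityDescriptor -Root 'HKLM:\SOFTWARE\Microsoft\Ole',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers' | Format-List
```

Run this once against a freshly built image and keep the SDDL strings; rerunning it later and diffing the output answers the question on page 25, whether an object's descriptor was modified after creation, for every object whose offline descriptor lives in the registry. It says nothing about objects whose descriptor exists only in memory, which still need an online query.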

Page 26

Enumeration Caveats
- “Online” vs offline security descriptors
- Necessary token privileges
- Some objects are “invisible” to user-mode enumeration
  - Kernel private namespaces
  - Does an object with no name have a security descriptor?
  - https://googleprojectzero.blogspot.co.uk/2014/10/did-man-with-no-name-feel-insecure.html

Page 27

3. Access Mask Analysis
Taking back what’s yours ;)

Page 28

Deriving Access Mask Meaning
- MSDN Documentation
- Technical Specifications
- Reversing
- Trial and error ¯\_(ツ)_/¯

Page 29

Generic Object Takeover Primitives
- Attacker is owner (implies WRITE_DAC)
- Attacker has WRITE_DAC/WRITE_OWNER
- Attacker has STANDARD_RIGHTS_ALL
- Attacker has GENERIC_ALL*
- Object has NULL security descriptor (implies Everyone has GENERIC_ALL)

*Depends on how the object maps the generic right to standard/object-specific rights. Usually this includes WRITE_DAC/WRITE_OWNER, but doesn’t have to
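The primitives on this slide can be checked mechanically against any descriptor that can be rendered as SDDL, which covers most of the objects discussed later. The PowerShell below is an added example written for this transcript, not code from the talk or from SpecterOps: it parses an SDDL string with the .NET RawSecurityDescriptor class, reports allow-ACEs carrying WRITE_DAC, WRITE_OWNER, STANDARD_RIGHTS_ALL or GENERIC_ALL for trustees outside an expected set, and also flags an absent DACL and a non-canonical ACE order (the evaluation order from page 19). The sample SDDL, the S-1-5-21-... SID in it and the expected-trustee list are constructed test values.

```powershell
# Added example (not from the talk): flag generic takeover primitives in a security descriptor.
# The access-mask constants are the documented values from winnt.h.
$WRITE_DAC           = 0x00040000
$WRITE_OWNER         = 0x00080000
$STANDARD_RIGHTS_ALL = 0x001F0000
$GENERIC_ALL         = 0x10000000

function Find-TakeoverPrimitive {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        # Trustees expected to control the object (assumption: SYSTEM and Administrators)
        [string[]]$ExpectedTrustee = @('S-1-5-18', 'S-1-5-32-544')
    )
    $sd       = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $findings = [System.Collections.Generic.List[object]]::new()

    # No DACL at all (as opposed to an empty one) means Everyone gets full access.
    if ($null -eq $sd.DiscretionaryAcl) {
        $findings.Add([pscustomobject]@{ Trustee = 'S-1-1-0'; Primitive = 'NULL DACL (Everyone has GENERIC_ALL)'; Mask = $null; Inherited = $false })
        return $findings
    }

    # Ownership implies WRITE_DAC whatever the DACL says.
    if ($sd.Owner -and $sd.Owner.Value -notin $ExpectedTrustee) {
        $findings.Add([pscustomobject]@{ Trustee = $sd.Owner.Value; Primitive = 'Owner (implies WRITE_DAC)'; Mask = $null; Inherited = $false })
    }

    # Deny-before-allow is only guaranteed when the DACL is in canonical order.
    $common = [System.Security.AccessControl.CommonSecurityDescriptor]::new($false, $false, $sd)
    if (-not $common.IsDiscretionaryAclCanonical) {
        $findings.Add([pscustomobject]@{ Trustee = '*'; Primitive = 'Non-canonical DACL (deny ACEs may not win)'; Mask = $null; Inherited = $false })
    }

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow-ACEs grant anything; deny ACEs and object-specific ACEs are skipped here.
        if ($ace -isnot [System.Security.AccessControl.CommonAce] -or $ace.AceType -ne 'AccessAllowed') { continue }
        # AccessMask is a signed Int32; widen it so the high generic bits test cleanly.
        $mask = [int64]$ace.AccessMask -band 0xFFFFFFFF
        $hits = @()
        if ($mask -band $WRITE_DAC)   { $hits += 'WRITE_DAC' }
        if ($mask -band $WRITE_OWNER) { $hits += 'WRITE_OWNER' }
        if (($mask -band $STANDARD_RIGHTS_ALL) -eq $STANDARD_RIGHTS_ALL) { $hits += 'STANDARD_RIGHTS_ALL' }
        if ($mask -band $GENERIC_ALL) { $hits += 'GENERIC_ALL' }
        if ($hits.Count -gt 0 -and $ace.SecurityIdentifier.Value -notin $ExpectedTrustee) {
            $findings.Add([pscustomobject]@{
                Trustee   = $ace.SecurityIdentifier.Value
                Primitive = $hits -join ','
                Mask      = '0x{0:X8}' -f $mask
                Inherited = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited)
            })
        }
    }
    return $findings
}

# Constructed test descriptor: SYSTEM and Administrators have full control, Users have
# read/execute, and a placeholder domain principal holds WRITE_DAC|WRITE_OWNER ("WDWO").
$sample = 'O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)(A;;WDWO;;;S-1-5-21-1111-2222-3333-1105)'
Find-TakeoverPrimitive -Sddl $sample | Format-Table -AutoSize
```

For the sample descriptor only the placeholder domain SID is reported: SYSTEM and Administrators hold STANDARD_RIGHTS_ALL through FA but are in the expected set, and the Users entry carries no control rights. The GENERIC_ALL test is deliberately reported on its own, because, as the footnote says, what it maps to depends on the object type.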

Page 30

Object-specific Takeover Primitives
- Each securable object can define its own rights
- Example: Process Rights
  - PROCESS_CREATE_PROCESS
  - PROCESS_CREATE_THREAD
  - PROCESS_SUSPEND_RESUME
  - PROCESS_QUERY_INFORMATION
  - PROCESS_TERMINATE
- The specific object and its rights determine its offensive usefulness (priv esc, lateral movement, persistence, etc.)

Page 31

4. Operational Weaponization and Detection
Case studies of certain securable objects

Page 32

Service Control Manager RPC Server
- “RPC server that enables service configuration and control of service programs.” - MS-SCMR
- Applicable Securable Objects
  - Service Control Manager Server
  - Windows Services

Page 33

SCM Server Applicable Rights

SC_MANAGER_CONNECT             Permits connecting to the service control manager
SC_MANAGER_CREATE_SERVICE      Ability to add a new service
SC_MANAGER_ENUMERATE_SERVICE   List out services

By default, unauthenticated users can enumerate the security descriptor of the SCM Server!

Page 34

SCM Demo
https://youtu.be/tETNO22zVKM

Page 35

WinRM/WinRS
- Windows Remote Management/Windows Remote Shell
- Provides the ability to remotely interface with a host
  - Think PowerShell Remoting
- Create backdoored ACE and apply it to either the WinRM or WinRS DACL
  - Or both!!
- Defined user (via SID) will be able to remotely interact with the host without admin privs

Page 36

WinRM/WinRS
- Security Descriptor can be accessed by pulling the SecurityDescriptorSDDL property of Get-PSSessionConfiguration
- Build the new DACL via DiscretionaryAcl.AddAccess() of Security.AccessControl.CommonSecurityDescriptor
- PowerShell Remoting:
  - Set the new DACL via -SecurityDescriptorSddl of Set-PSSessionConfiguration
- WinRS:
  - Set WSMan:\localhost\Service\RootSDDL to the new DACL via Set-Item

Page 37

WinRM/WinRS
- Already weaponized here: https://github.com/ssOleg/Useful_code/blob/master/Set-RemoteShellAccess.ps1
  - In 2014….
- Takes a domain SID and adds an ACE for that SID to both PowerShell Remoting and WinRS DACLs
- Allows that specific user/group to remotely interface with WinRM/WinRS without having any additional privilege

Page 38

DCOM
- Distributed Component Object Model
- Been around since 1996… >_<
- Secured via Launch and Activation Permissions
  - Local/Remote, perms reside in the registry
- Can you use interesting DCOM applications to get code-execution?
  - Applications with “ExecuteShellCommand()”
- Backdoor your favorite DCOM application for a specific user/group’s SID :-)

Page 39

DCOM
- Access is determined via machine-wide permissions first and then application specific permissions
- Add target user/group to allow machine-wide Remote Activation/Launch Permissions
  - Instead of editing the Default, just edit the Limit
  - HKLM:\Software\microsoft\ole\MachineLaunchRestriction
  - A;;CCRPLC;;;$SID
- Backdoor a specific DCOM Application for a domain user/group
  - HKLM:\Software\Classes\AppID\{GUID}\LaunchPermission
  - HKLM:\Software\Classes\AppID\{GUID}\AccessPermission
  - Requires: SeTakeOwnershipPrivilege, SeRestorePrivilege, SeSecurityPrivilege if installing locally
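The SCM (page 33), WinRM/WinRS (page 36) and DCOM (page 39) objects are all reachable remotely and all expose their DACL as SDDL or as a binary descriptor, so one pass can review them together. The PowerShell below is an added example written for this transcript, not code from the talk or from SpecterOps: it collects each descriptor with the same interfaces the slides name (sc.exe sdshow, Get-PSSessionConfiguration, the WSMan drive, the Ole registry values), expands the allow-ACEs, and lists any trustee outside a baseline. The baseline SID list is an assumption for illustration and should be checked against a known-good host; the script must run elevated for the WinRM parts.

```powershell
# Added example (not from the talk): dump the DACLs of the remotely reachable objects from the
# SCM, WinRM/WinRS and DCOM slides and flag allow-ACEs for trustees outside a baseline.
# Run elevated. The baseline SIDs are an assumption; compare the output with a known-good host.
$Baseline = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-580',  # BUILTIN\Remote Management Users (WinRM default)
    'S-1-5-11',      # Authenticated Users (SCM connect/enumerate by default)
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-6',       # SERVICE
    'S-1-15-2-1'     # ALL APPLICATION PACKAGES
)

function Get-DaclEntry {
    # Expands an SDDL string or a binary self-relative descriptor into one object per allow-ACE.
    param([Parameter(Mandatory)]$Descriptor, [string]$ObjectName)
    $sd = if ($Descriptor -is [byte[]]) {
        [System.Security.AccessControl.RawSecurityDescriptor]::new($Descriptor, 0)
    } else {
        [System.Security.AccessControl.RawSecurityDescriptor]::new([string]$Descriptor)
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid  = $ace.SecurityIdentifier
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
        [pscustomobject]@{
            Object   = $ObjectName
            Sid      = $sid.Value
            Account  = $name
            Mask     = '0x{0:X8}' -f ([int64]$ace.AccessMask -band 0xFFFFFFFF)
            Baseline = $sid.Value -in $Baseline
        }
    }
}

$entries = @()

# 1. Service Control Manager. sc.exe prints the SDDL; as page 33 notes, reading it needs no
#    privilege. SC_MANAGER_CREATE_SERVICE is bit 0x0002 of the mask.
$scmSddl  = (sc.exe sdshow scmanager | Where-Object { $_.Trim() }) -join ''
$entries += Get-DaclEntry -Descriptor $scmSddl -ObjectName 'SCManager'

# 2. WinRS root listener descriptor and every PowerShell session configuration.
$entries += Get-DaclEntry -Descriptor (Get-Item WSMan:\localhost\Service\RootSDDL).Value -ObjectName 'WinRS RootSDDL'
foreach ($cfg in Get-PSSessionConfiguration) {
    if ($cfg.SecurityDescriptorSddl) {
        $entries += Get-DaclEntry -Descriptor $cfg.SecurityDescriptorSddl -ObjectName "PSSession:$($cfg.Name)"
    }
}

# 3. DCOM machine-wide limits, stored as REG_BINARY self-relative descriptors. The ACE string on
#    page 39, A;;CCRPLC;;;<SID>, is mask 0x15 = COM_RIGHTS_EXECUTE | EXECUTE_REMOTE | ACTIVATE_REMOTE.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($v in 'MachineLaunchRestriction', 'MachineAccessRestriction') {
    if ($null -ne $ole.$v) { $entries += Get-DaclEntry -Descriptor ([byte[]]$ole.$v) -ObjectName "DCOM:$v" }
}

# A lone domain user or group SID on any of these objects is the footprint the slides describe.
$entries | Where-Object { -not $_.Baseline } | Format-Table -AutoSize
```

The per-application LaunchPermission and AccessPermission values under HKLM:\Software\Classes\AppID\{GUID} are the same binary format, so they can be fed to Get-DaclEntry in exactly the same way as the machine-wide limits; the Ole values may be absent on a host where the limits were never changed, in which case Windows uses built-in defaults and there is nothing to parse.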

Page 40

DCOM
https://msdn.microsoft.com/en-us/library/windows/desktop/ms679714(v=vs.85).aspx

Page 41

DCOM Demo
https://youtu.be/e-tYtfmcoWk

Page 42

WMI NameSpaces
- Contains a collection of WMI classes that host various methods/properties
- Each namespace has associated DACLs
- Windows checks the DCOM machine-wide launch permissions for the first stage of access
  - If successful, the DACLs on the WMI namespace are then checked
- Backdoor a NameSpace that contains a class with a useful method
  - Create() method of Win32_Process, for example

Page 43

WMI NameSpaces
- Call GetSecurityDescriptor() on the target WMI namespace (local requires SeSecurityPrivilege)
- Use Win32_Ace to set our Access Mask and flags
- Use Win32_Trustee to assign the user
  - Set the “Trustee” property of Win32_Ace to our Win32_Trustee object
- Add our new ACE to the target namespace DACL: $NameSpaceACL.DACL += $Ace.PSObject.ImmediateBaseObject
- Call SetSecurityDescriptor() with the newly updated NameSpace object to set it
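The same __SystemSecurity.GetSecurityDescriptor() call that pages 42 and 43 use as the first step of the modification serves, on its own, as the check. The PowerShell below is an added example written for this transcript, not code from the talk or from SpecterOps: it reads a namespace DACL through Invoke-CimMethod, decodes each Win32_ACE access mask with the documented WBEM_* namespace rights, and shows who can both execute methods and reach the namespace remotely. The namespace name and the filter at the end are assumptions; run it elevated locally, since reading the descriptor needs SeSecurityPrivilege as the slide notes.

```powershell
# Added example (not from the talk): list who can execute methods in, or remotely reach, a
# WMI namespace. Read-only; uses the same GetSecurityDescriptor() call page 43 describes.
# The WBEM_* values are the documented WMI namespace access rights.
$WbemRights = [ordered]@{
    WBEM_ENABLE            = 0x00001
    WBEM_METHOD_EXECUTE    = 0x00002
    WBEM_FULL_WRITE_REP    = 0x00004
    WBEM_PARTIAL_WRITE_REP = 0x00008
    WBEM_WRITE_PROVIDER    = 0x00010
    WBEM_REMOTE_ACCESS     = 0x00020
    READ_CONTROL           = 0x20000
    WRITE_DAC              = 0x40000
}

function Get-WmiNamespaceAccess {
    param([string]$Namespace = 'root/cimv2', [string]$ComputerName = '.')
    $params = @{ Namespace = $Namespace; ClassName = '__SystemSecurity'; MethodName = 'GetSecurityDescriptor' }
    if ($ComputerName -ne '.') { $params.ComputerName = $ComputerName }
    $result = Invoke-CimMethod @params
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($result.ReturnValue)" }

    foreach ($ace in $result.Descriptor.DACL) {
        $mask   = [int64]$ace.AccessMask -band 0xFFFFFFFF
        $rights = $WbemRights.Keys | Where-Object { $mask -band $WbemRights[$_] }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = $ace.Trustee.SIDString
            Account   = $(if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name })
            Type      = $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' })   # 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED
            Inherited = [bool]($ace.AceFlags -band 0x10)                          # INHERITED_ACE
            Rights    = $rights -join ','
        }
    }
}

# root/cimv2 holds Win32_Process.Create(), the method page 42 singles out. Method execution
# combined with remote access, for a trustee that is not an administrators group, is what to review.
Get-WmiNamespaceAccess -Namespace 'root/cimv2' |
    Where-Object { $_.Type -eq 'Allow' -and $_.Rights -match 'METHOD_EXECUTE' -and $_.Rights -match 'REMOTE_ACCESS' } |
    Format-Table -AutoSize
```

Because page 42 explains that the DCOM machine-wide launch permissions are checked before the namespace DACL, a finding here only matters for a trustee that also passes the DCOM check; reviewing the two together gives the real picture. Pass -ComputerName to run the same query against a remote host, where the caller's own remote access to root/cimv2 is what gates the read.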

Page 44

WMI NameSpaces
https://msdn.microsoft.com/en-us/library/aa394679(v=vs.85).aspx

Page 45

WMI Namespace Demo
https://youtu.be/C1OpX_n7HlY

Page 46

Printers
- Securable Objects
  a. Printer Servers
     HKLM\SYSTEM\CurrentControlSet\Control\Print\ServerSecurityDescriptor
  b. Printer Objects
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Security
  c. Print Jobs - Not very interesting offensively
- Specifications: MS-RPRN, MS-PAR, MS-PAN, MS-PRSOD

Page 47

Print Server Control - Spooler

Page 48

Print Server Control - Drivers

Page 49

Get-NetPrinter

Page 50

Get-NetShare Additions

Page 51

Remote Registry
- Allows permitted users/groups to access the registry remotely via .NET/Win32 API
  - [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey()
- The RemoteRegistry service has to be enabled and the calling user has to have access
  - By default in Windows 7/10, this service is disabled
- Remote access to the registry == ability to dump hashes (among other things) 😈

Page 52

Remote Registry
- Imagine this scenario: Remotely dumping an endpoint’s machine account hash as an unprivileged user
- Remotely backdoor the winreg key for a specified user/group
  - Located at HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  - The DACL on this key decides who is allowed to connect via remote registry

Page 53

Remote Registry
- Can be accomplished via WMI’s StdRegProv provider
  - Call SetSecurityDescriptor() with an ACE that defines the user/permissions for the backdoor
- Why not just use StdRegProv?
  - Dumping the machine account hash requires obtaining various Registry Key classes.
  - Can only be obtained via RegQueryInfoKey()
- Use Set-Service to remotely set the service StartupType to “Manual”
  - Set-Service -Name "RemoteRegistry" -ComputerName $Computer -StartupType "Manual"

Page 54

Remote Registry
- Remotely take ownership of the SECURITY registry hive and add an ACE to the DACL for the backdoor user
- As that user, remotely call RegConnectRegistry()
- Open the required keys and pull the Key’s Class
  - SYSTEM\CurrentControlSet\Control\Lsa\<JD,Skew1,GBG,DATA>
  - RegOpenKeyEx(), RegQueryInfoKey()
- Combine these Class values and compute the BootKey
- Use the BootKey to decrypt the LSA key
- Use the LSA key to decrypt the machine account hash

Page 55

Remote Registry

Page 56

Remote Registry Demo
https://youtu.be/pOHO3hdTKyw

Page 57

6. Defense
All is not lost!

Page 58

SACLs: the other ACL
- A system access control list
- “Enables administrators to log attempts to access a secured object”
- Not used as extensively as they should be!
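This slide's point applies directly to the winreg key from page 52 and the Ole limits key from page 39: a DACL that quietly grants one domain SID is easy to overlook, but a SACL turns the act of changing it into a log event. The PowerShell below is an added example written for this transcript, not code from the talk or from SpecterOps: it lists the allow-ACEs on the winreg key against an assumed expected set, then adds audit entries for ChangePermissions and TakeOwnership (and SetValue on the Ole key, where the DCOM descriptors are stored as values) and enables the Registry audit subcategory. The expected-identity list and the key list are assumptions; run it elevated, since reading or writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example (not from the talk): review the DACL on the remote-registry gate key, then add
# SACLs so that DACL/ownership changes on the keys the DCOM and remote-registry slides target
# are logged. Run elevated. The expected-identity list and the key choices are assumptions.
$WinregKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$ExpectedOnWinreg = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                      'BUILTIN\Backup Operators', 'NT AUTHORITY\LOCAL SERVICE')

function Get-WinregAccess {
    # Lists allow-ACEs on the winreg key; anything outside the expected set is a candidate backdoor.
    param([string]$Path = $WinregKey)
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        [pscustomobject]@{
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
            Expected  = $rule.IdentityReference.Value -in $ExpectedOnWinreg
        }
    }
}

function Add-RegistryChangeAudit {
    # Audits Everyone (S-1-1-0) for the rights that change who controls the key, plus any extra
    # rights the caller names (e.g. SetValue where the descriptor itself lives in a value).
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.RegistryRights]$Rights = 'ChangePermissions, TakeOwnership'
    )
    $acl  = Get-Acl -Path $Path -Audit
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        [System.Security.Principal.SecurityIdentifier]'S-1-1-0',
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting SACL so the change can be confirmed.
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, RegistryRights, AuditFlags, IsInherited
}

# Step 1: who can currently connect through the winreg gate?
Get-WinregAccess | Where-Object { -not $_.Expected } | Format-Table -AutoSize

# Step 2: make the next DACL/owner change on these keys an audit event.
Add-RegistryChangeAudit -Path $WinregKey
# The DCOM limits are REG_BINARY values under this key, so value writes must be audited too.
Add-RegistryChangeAudit -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Rights 'ChangePermissions, TakeOwnership, SetValue'

# A SACL only produces events once the Object Access > Registry subcategory is enabled.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable
```

With the SACL and the subcategory in place, a DACL change on either key appears in the Security log as event 4670 ("Permissions on an object were changed"), preceded by the 4656/4663 handle events for the WRITE_DAC or WRITE_OWNER open that made it possible; the same two audit rules can be applied to the per-application AppID keys from page 39 and the print descriptors from page 46.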

Page 59

Defensive Enumeration
- More research is needed - you can’t defend against what you aren’t aware of!
- Defensive PowerUp++? Operational test framework for the detection of backdoor scenarios?
- Integration into BloodHound?

Page 60

Takeaways
- The host-control graph is *MUCH* bigger than “is member of local admin group”
- What is the real attack surface of a Windows host?
  - Many “forgotten” or unexplored RPC/DCOM servers
  - Many other securable objects we haven’t looked at

Page 61

Page 62

Takeaways & Future Work
- Implications of other securable objects
- Real-time analysis
- Enumeration of objects visible only to the kernel
- Chaining host + AD security descriptor abuse

Page 63

Thanks! Any questions?
@tifkin_ / @enigma0x3 / @harmj0y
https://specterops.io/