Edit

Module 4: Windows Server Side Attacks

Credential Abuse

The Security Account Manager (SAM) and Windows Authentication

On Windows, hashed passwords are stored in the Security Account Manager (SAM) database. To deter offline SAM database password attacks, Microsoft introduced the SYSKEY feature, which partially encrypts the SAM file. Though it was successful, it has been discontinued since the encryption key length is considered insecure.

SYSKEY was also being used for ransomware scams. Microsoft has since recommended BitLocker as an alternative to SYSKEY to protect not only the SAM but entire hard drive volumes.

Windows NT-based OS', up to and including Windows 2003 store two different password hashes: LAN Manager (LM), which is based on Data Encrypt Standard (DES), and NT LAN Manager (NTLM), which uses MD4 hashing.

LAN Manager is very weak since passwords longer than seven characters are split into two strings and each piece is hashed separately. They are also converted to all upper-case characters before hashing, and does not include salt, making a hash-lookup attack feasible.

Starting in Vista, LM is disabled by default, using NTLM. Unfortunately, NTLM is still not salted.

Authentication occurs by converting a user's password into a hash via Local Security Authority (LSA) and is then compared to the one stored in the system's SAM.

Suspicious Logins

Potentially Suspicious Logon Event during Off-Hours

Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime="4/30/2021 19:00:00"; EndTime="5/3/2021 07:00:00"; ID=4624 }

Querying the full details of the identified suspicious logon event

[192.168.51.11]: PS C:\Users\Administrator> Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime="5/1/2021 03:21:26"; EndTime="5/1/2021 03:21:27"; ID=4624 } | Format-List

TimeCreated  : 5/1/2021 3:21:26 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4624
Message      : An account was successfully logged on.
               
...
               
               Logon Information:
                Logon Type:             10
...

               New Logon:
                Security ID:            S-1-5-21-1253842116-4206507704-3578910670-500
                Logon ID:               0x323466
                Account Name:           Administrator
                Account Domain:         SERVER01
...
                Workstation Name:       SERVER01
                Source Network Address: 192.168.51.50
...

The Logon ID is unique to each session. This can be used to differentiate between two or more administrators. It can also help correlate other events.

Custom Function Get-SecurityEvent

Finding all logoff events after the suspicious Logon event

Brute Force Logins

Events generated by a brute force logon attempt

Logon Failure Events from brute force attack

Format-List Custom Field with Logon Type for Logon Failure Events

Format-List Custom Fields with User Name, Workstation Name, and IP Address for Logon Failure Events

Format-List Custom Fields with Status and Substatus for Logon Failure Events

One of the status codes for a logon failure is C000006F: User logon outside authorized hours. Account policy supports the ability to restrict when user accounts can log in to a system. It is important to note that this restriction cannot be applied to Administrator accounts. But such a configuration can reduce the likelihood of compromised user accounts authenticating during off-hours.

Custom Output for querying Logon Failure Events using Get-SecurityEvent

NLA is recommended for enterprise networks that support RDP for remote access. It requires later versions of software, reduces the risk of denial-of-service, and in one case thwarts a means of persistence. For more information, look up the Accessibility Features sub-technique of Event Triggered Execution in the MITRE ATT&CK Framework.

Logon Success after brute force authentication

Web Application Attacks

Internet Information Services (IIS)

IIS is Microsoft's built-in web server solution. In addition to web and file transfer protocols, IIS can server .NET scripts and applications.

Logs are saved to C:\inetpub\logs\LogFiles. Each log file begins with u_ex followed by a date formatted as YYMMDD. Example: u_ex210506.log.

Example IIS Log Entry

Common W3C fields and their descriptions

  • s-ip - IP address of the server receiving the web activity

  • cs-method - Requested HTTP method from client (e.g., GET)

  • cs-uri-stem - Target file requested from web server

  • s-port - Server port of the web service (e.g., 80)

  • c-ip - IP address of the client requesting the web page

  • cs(User-Agent) - User-Agent string of the client's web browser

  • cs(Referer) - HTTP Referer of previous page that sent user to the target file, if relevant

  • sc-status - HTTP Status Code from server (e.g., 200 for found, 404 for missing)

Local File Inclusion

Local File Inclusion (LFI) allows an attacker to access arbitrary files on the underlying file system.

Local File Inclusion Proof-of-Concept for Site Import Plugin from Exploit-DB

In Windows, web applications like WordPress are typically installed within the wwwroot folder. The full path would be C:\inetpub\wwwroot\wordpress\wp-config.php.

IIS Log with LFI Attack Entry

Command Injection

Command Injection allows an attacker to insert arbitrary commands that can be executed by the host operating system rather than the application receiving them.

HTTP POST Excerpt from Plainview Activity Monitor command injection

Command Injection Results

IIS Log entry for command injection

The only suspicious data in this log entry is the time milliseconds elapse while executing the query β€” 3731. If a baseline of 200-400 milliseconds is expected then that could lead us to look into this further.

Sysmon ProcessCreate event log entries

Getting Sysmon ProcessCreate events with chain of execution

IUSR is the built-in "user" account for IIS.

File Upload

Coupled with command injection, a user may be able to download a remote file for further actions.

Certutil is just one of several native binaries that can be used to download files to Windows. However, we chose this utility because it is installed on Windows by default, and modern attackers have learned to leverage these tools for interesting purposes in a technique known as Living off the Land (LotL). The security community has compiled a list of these useful Windows binaries in a project titled Living Off The Land Binaries and Scripts (LOLBAS).

Setting up Python 3 Simple HTTP Server on port 8000

Uploading nc.exe using a Plainview Monitor exploit script

Python HTTP server activity

Directory listing for C:\Windows\Temp showing netcat file downloaded successfully

New FileCreate event from Command Injection following ProcessCreate events

FileCreate event from Command Injection with Certutil

Batch file loader 'stage.bat'

PowerShell script loader 'load.ps1'

Running http_netcat.sh to open a netcat listener and set up Simple HTTP Server

Running plainview_up_exec to download and execute stage.bat and load.ps1

Web activity from HTTP Server and command prompt from Windows Server 2019

Confirming that stage.bat was deleted

All Sysmon events for the attack using plainview_up_exec.py

Initial ProcessCreate events from the plainview_up_exec.py script

Initial FileCreate events from the plainview_up_exec.py script

We could also consider FileCreate events in which the TargetFile is in C:\Windows\Temp. Some malware relies on obscurity to remain undetected, but watching this directory may provide clues as to how we can trace an infection back to its origin process.

Secondary FileCreate event from the plainview_up_exec.py script

ProcessCreate events with PowerShell running netcat, and netcat running cmd.exe

NetworkConnect events with PowerShell and netcat

Extra Mile

  1. Identify all the IIS logs generated after running extramile_up_exec.sh.

  2. Identify all of the ProcessCreate and FileCreate events that occur after running extramile_up_exec.sh.

Binary Exploitation

Binary Attacks

Starting SyncBreeze Service so we can exploit it

Executing Sync Breeze buffer overflow with Metasploit Framework via syncbreeze_exp.sh

Confirming hostname and current user context

SyncBreeze is neither a part of IIS nor does it have itw own auditing mechanism for logon attempts. Sysmon however catches events regarding this activity.

Sysmon events created with buffer overflow

Inspecting the ProcessCreate events

Inspecting the NetworkConnect events

Additional processes created after the connection

Shell commands hostname and whoami run inside the reverse shell

Windows Defender Exploit Guard (WDEG)

WDEG provides additional auditing and control mechanisms for local malware. It was developed to address the proliferation of file-less malware.

It is an extension of the Microsoft Windows Enhanced Mitigation Expereince Toolkit (EMET). There are four major components:

  1. Attack Surface Reduction (ASR): This can block executable content or network communications from Adobe Reader, VBScript, and JavaScript.

  2. Controller folder access: With this, Windows can prevent applications from writing or making changes to directories specified by policy. The default is to protect C:\Users\<user account>\.

  3. Network protection: This relies on Microsoft's Intelligent Security Graph as a threat intelligence resource for domain/IP reputation. Anything less-than-reputable can be stopped independently of what process or application started it.

  4. Exploit protection: This replaced EMET β€” it allows enterprises to further configure Windows Defender's behavior for applications and mechanisms not native to Windows. An Administrator must import an XML configuration file to set this up.

Enabling RopCallerCheck for Sync Breeze using Set-ProcessMitigation

Validating the configuration for Sync Breeze

After restarting the service, we can test the exploit again to see if the protection stops it

Failed buffer overflow exploitation

The events for these actions are not stored in Windows Security logs, but rather in the Security-Mitigations logs.

Security Mitigation event for Sync Breeze showing exploit being blocked

Clearing the Process Mitigation configuration for Sync Breeze from Windows Registry

If we did not delete the registry key and attempted to run Set-ProcessMitigation, we would likely encounter a PowerShell exception: "Destination array was not long enough. Check destIndex and length, and the array's lower bounds."

Enabling RopCallerCheck's Audit-Only mode for Sync Breeze

After restarting the service, we can then test our exploit again to confirm it is only auditing, not stopping.

Successful buffer overflow exploit

Process Mitigation Audit-only events for Sync Breeze Exploitation

PreviousModule 3: Windows Endpoint IntroductionNextModule 5: Windows Client-Side Attacks

Last updated