Part Two of Two
This article is the second part of a two-part series. It focuses on how CBI took the initial access achieved in Part 1 and used it to move laterally, bypass advanced security controls, and escalate privileges to gain access to critical systems and data.
While working on a red team engagement during the external portion of a penetration test for a client with an extensive global presence, we had a few early wins:
Unfortunately for us, MFA coverage was excellent on the external perimeter; every authentication realm we could find had MFA enabled, and none of our footholds allowed significant enough ingress to breach the internal network.
Just as our attack-path options were dwindling, I received a timely message from Evan Malamis, Senior Application Consultant at CBI and author of Part 1 of this technical brief. Evan was coordinating on the engagement and needed to send a netcat shell from an application that the CBI application security team was actively working. I immediately spun up a handler and provided the IP and port. Seconds later, Evan sent a shell from one of the in-scope applications. After a quick
whoami && ipconfig /all, I realized I was in the DMZ, on an IIS server, running as a user named for the compromised application that was utilizing the vulnerable “Telerik.UI” library.
I began some usual next steps and attempted to upgrade from a telnet shell to a Cobalt Strike beacon for the implant’s additional functionality. Standard go-to’s like PowerShell or regsvr32 one-liners were immediately blocked, terminating my shell in the process, likely indicating the presence of EDR software. The web application team re-exploited the application, and I checked
tasklist /v and was able to identify the EDR software that was running. I invested a few more hours trying various payloads and different public bypass methods, but none of them were valid at this point.
At this point, it was time to think about payload obfuscation. After discussion with the CBI Red Team, we decided to deploy the “Execution Guardrails” technique in MITRE ATT&CK parlance. I keyed a payload to our target environment and downloaded it with a PowerShell command. Since download and execute one-liners had already been detected by EDR software in earlier testing, I executed the payload in a separate step and was rewarded with a new beacon in the Cobalt Strike console!
From here, I spawned backup beacons and immediately started to carefully look through the system to identify what other critical technologies or data were accessible. I eventually identified that the web app user I was running could browse directories for other applications running on this server. Finally, I found that this server was running an application that interacted with internal AD utilizing a privileged account. I captured the credentials from this file and then turned my attention back inwards, realizing that despite the apparent DMZ, this system could reach into the internal network.
I injected SharpHound, a C# information gathering tool utilizing Cobalt Strike’s execute-assembly function. SharpHound provides json output files and can be imported into BloodHound, which draws privilege graphs based on the relationships between objects within the Active Directory and builds attack-paths that are valuable for red, blue, and purple teams alike.
The credentials borrowed earlier from a neighboring IIS application proved to be highly privileged within the environment. I applied them to spawn a privileged shell on the local system and injected it into a SYSTEM process. Using Cobalt Strike’s blockdlls feature to prevent EDR from injecting into my child processes, I went back to execute-assembly and injected a copy of SafetyKatz in-memory. I acquired an lsass.exe memory dump, which I downloaded, and then processed on my attacking system.
Having been able to successfully dump credentials and gain a privileged shell on a webserver with top-tier EDR software deployed, I was ready to try for the pièce de résistance: Doing the same thing again to a domain controller with the same EDR software installed.
I prepared another payload to be executed on the domain controller with appropriate guardrails, uploaded it over SMB utilizing Cobalt Strike’s built-in file browser, and then executed it with the privileged credentials over WMIC. I was now greeted with another privileged beacon, this time from a domain controller!
I looked for a process with SeDebugPrivilege, using Cobalt Strike’s “getprivs” command from inside injected SYSTEM processes. Once one was found, a similar process of using “blockdlls” followed by SharpDump to get a full lsass.exe memory dump, which was then downloaded and processed on my attacking system.
CBI’s Red Team successfully netted NTLM credentials for every user in the domain with the ability to impersonate every employee in the organization. While this is where many penetration tests end, for CBI, it’s where the exciting part starts – but that part of the story is only between the client and us.
It is important to understand that security controls are not perfect. Having appropriate defense-in-depth measures and the ability to detect an attacker’s TTPs early in the attack life cycle is instrumental to reducing the likelihood of a malicious adversary gaining complete control of your organization.
For more information on CBI and Advanced Testing Services, contact us.
Missed Part One? Read it now.