Part Two of Two
This article is the second part of a two-part series. It focuses on how CBI took the initial access achieved in Part 1 and used it to move laterally, bypass advanced security controls, and escalate privileges to gain access to critical systems and data.
While working on a red team engagement during the external portion of a penetration test for a client with an extensive global presence, we had a few early wins:
Unfortunately for us, MFA coverage was excellent on the external perimeter; every authentication realm we could find had MFA enabled, and none of our footholds allowed significant enough ingress to breach the internal network.
Just as our attack-path options were dwindling, I received a timely message from Evan Malamis, Senior Application Consultant at CBI and author of Part 1 of this technical brief. Evan was coordinating on the engagement and needed to send a netcat shell from an application that the CBI application security team was actively working. I immediately spun up a handler and provided the IP and port. Seconds later, Evan sent a shell from one of the in-scope applications. After a quick whoami && ipconfig /all, I realized I was in the DMZ, on an IIS server, running as a user named for the compromised application that was utilizing the vulnerable “Telerik.UI” library.
I began some usual next steps and attempted to upgrade from the netcat shell to a Cobalt Strike beacon for the implant’s additional functionality. Standard go-tos like PowerShell or regsvr32 one-liners were immediately blocked, terminating my shell in the process, which likely indicated the presence of EDR software. The web application team re-exploited the application, and I checked tasklist /v and was able to identify the EDR software that was running. I invested a few more hours trying various payloads and different public bypass methods, but none of them worked at this point.
At this point, it was time to think about payload obfuscation. After discussion with the CBI Red Team, we decided to deploy the “Execution Guardrails” technique in MITRE ATT&CK parlance. I keyed a payload to our target environment and downloaded it with a PowerShell command. Since download and execute one-liners had already been detected by EDR software in earlier testing, I executed the payload in a separate step and was rewarded with a new beacon in the Cobalt Strike console!
From here, I spawned backup beacons and immediately started to look carefully through the system to identify what other critical technologies or data were accessible. I eventually identified that the web app user I was running as could browse the directories of other applications running on this server. Finally, I found that this server was running an application that interacted with internal AD using a privileged account. I captured the credentials from that application’s configuration file and then turned my attention back inwards, realizing that despite the apparent DMZ, this system could reach into the internal network.
I ran SharpHound, a C# information-gathering tool, in memory using Cobalt Strike’s execute-assembly function. SharpHound produces JSON output files that can be imported into BloodHound, which draws privilege graphs based on the relationships between objects within Active Directory and builds attack paths that are valuable for red, blue, and purple teams alike.
The credentials borrowed earlier from a neighboring IIS application proved to be highly privileged within the environment. I used them to spawn a privileged shell on the local system and injected it into a SYSTEM process. Using Cobalt Strike’s blockdlls feature to prevent the EDR from injecting into my child processes, I went back to execute-assembly and loaded a copy of SafetyKatz in memory. I acquired an lsass.exe memory dump, downloaded it, and then processed it on my attacking system.
Having successfully dumped credentials and gained a privileged shell on a web server with top-tier EDR software deployed, I was ready to try for the pièce de résistance: doing the same thing again on a domain controller with the same EDR software installed.
I prepared another payload to be executed on the domain controller with appropriate guardrails, uploaded it over SMB using Cobalt Strike’s built-in file browser, and then executed it with the privileged credentials over WMIC. I was now greeted with another privileged beacon, this time from a domain controller!
I looked for a process with SeDebugPrivilege, using Cobalt Strike’s “getprivs” command from inside injected SYSTEM processes. Once one was found, I followed a similar process: “blockdlls” followed by SharpDump to take a full lsass.exe memory dump, which I then downloaded and processed on my attacking system.
CBI’s Red Team successfully netted NTLM credentials for every user in the domain, giving us the ability to impersonate every employee in the organization. While this is where many penetration tests end, for CBI it is where the exciting part starts, but that part of the story stays between the client and us.
Recommendations
It is important to understand that security controls are not perfect. Having appropriate defense-in-depth measures and the ability to detect an attacker’s TTPs early in the attack life cycle is instrumental in reducing the likelihood of a malicious adversary gaining complete control of your organization.
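As an added example that is not part of the original article, the Python below flags two of the TTPs described above in Sysmon-style event logs: a process outside an allowlist opening lsass.exe with memory-read access (the lsass dumps), and a process spawned under WmiPrvSE.exe, the parent of commands launched through remote WMI (the WMIC execution). The log lines, the allowlist entries and the file paths are constructed for this demo and are not from the engagement.

```python
"""Detect two TTPs from the write-up in Sysmon-style event logs (added example).

Rule 1: ProcessAccess (Event ID 10) on lsass.exe by a source image outside an
        allowlist, with an access mask that includes PROCESS_VM_READ (0x0010).
Rule 2: ProcessCreate (Event ID 1) whose parent is WmiPrvSE.exe, the process
        under which commands launched via remote WMI (e.g. wmic) appear.
The log lines and the allowlist below are constructed for this demo.
"""
import json

# Assumption: images that legitimately open lsass.exe; tune per environment.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
PROCESS_VM_READ = 0x0010

# Constructed sample: one JSON event per line, using Sysmon field names.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c C:\\Windows\\Temp\\update.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, image, detail) tuples for events matching either rule."""
    alerts = []
    for e in events:
        if e["EventID"] == 10 and e["TargetImage"].lower().endswith(r"\lsass.exe"):
            src = e["SourceImage"].lower()
            mask = int(e["GrantedAccess"], 16)
            # 0x1000 (QUERY_LIMITED_INFORMATION) alone cannot read memory; skip it.
            if src not in LSASS_ALLOWLIST and mask & PROCESS_VM_READ:
                alerts.append(("lsass_access", src, e["GrantedAccess"]))
        elif e["EventID"] == 1 and e["ParentImage"].lower().endswith(r"\wmiprvse.exe"):
            alerts.append(("wmi_spawned_process", e["Image"].lower(), e["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(*alert)
```

On the constructed sample, the allowlisted csrss.exe access and the 0x1000 query are ignored, while the 0x1010 read of lsass.exe and the cmd.exe spawned under WmiPrvSE.exe are reported.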