Finally had a moment to test Winlogon password leaking (a.k.a. notifying) on Windows 11. No big surprise.
And the flow is:
- user enters password
- winlogon loads mpnotify.exe
- mpnotify opens RPC channel
- winlogon sends pass via RPC
- mpnotify forwards to DLL
- DLL stores it on disk
Windows 10 offline admin creation? 😈
Why not?!
Everything happens through the built-in offlinelsa and offlinesam DLLs. Official, but not very well documented.
Enjoy the source code and the compiled exe, as usual:
WHAT?! 😂
If you provide /FS:FILESYSTEM parameter to the format[.]com utility, the resulting process will try to load ("U"+FILESYSTEM).DLL using the default search path...
The weirdest custom DLL launcher I have met so far :D
Need an almost invisible, post-exploitation, persistent, fileless, LPE backdoor? There are many, but this one looks really beautiful to me: type "sc.exe sdset scmanager D:(A;;KA;;;WD)" from an elevated command prompt.
Do you detect IIS Application Pool credential dumping by looking for "/text:*"?
Time to update your rules with undocumented /show, /(at)t, and /(at)text.
Haven't described it precisely so far:
If you put an 'mpnotify' value into HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, your exe will be launched by winlogon.exe when a user logs on. After 30s the process will be terminated.
Eliminate huge part of lateral movement scenarios with one command: "reg.exe add HKLM\SYSTEM\CurrentControlSet\Control /v DisableRemoteScmEndpoints /t REG_DWORD /d 1"
It will make Service Control Manager deaf to remote management. Everything else works properly.
Is #SysInternals Sysmon good for discovering the full historical process tree? Of course! Bored with the manual process, I have created a simple (but fully working) PowerShell script, displaying the tree in a nicely walkable form. Enjoy:
"write.exe" is just ShellExecute() to wordpad.exe. And ShellExecute() reads HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths before reading HKLM.
Which means, you can use "write" to launch anything if you create "wordpad.exe" subkey.
And it explains why I love Windows.🙃
Are you an admin with EXE blocked by #AppLocker? You can bypass the protection without any execution traces in the AppLocker Log! Load your DLL, steal the token from spooler and create the child process.
C source code and the compiled binary, as usual:
Looks like the weirdest AV evasion I have ever seen.
1. Not all MsMpEng.exe versions allow being suspended.
2. You may need to wait before your malware finally starts.
As a fan of non-obvious persistence mechanisms I had to try to collect (and categorize!) them all. It has just started: the first 10 entries have appeared, and more are coming each day.
I am happy to share it. Enjoy, contribute, use freely -
Yet another DLL sideloading: ShellChromeAPI.dll does not exist, but built-in DeviceEnroller.exe tries to load it when /PhoneDeepLink parameter is present. If you drop your own DLL, it nicely loads.
Four years after publishing my code stealing passwords from WinLogon, I have just realized that NPLogonNotify() has a twin!
NPPasswordChangeNotify() obtains old and new cleartext passwords changed via CtrlAltDel. Clearly documented by MS and easy to use:
When attackers use BitLocker to encrypt your drives (sic!), digging through the ntds.dit file and looking for recovery keys may be the best option. And it’s exactly why I created such script. ExtractFVEPasswordsFromNTDS.ps1 Enjoy :)
Netsh.exe relies on extensions taken from Registry, which means it may be used as a persistence.
And what if you go one step further, extending netsh with a DLL allowing you to do whatever you want? Kinda #LOLBin 😎
Enjoy the C code and DLL, as usual:
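An audit for the two registry-driven persistence spots mentioned in this and the earlier write.exe post, added here as an example (it is not code from the original posts): it lists the DLLs netsh.exe loads from HKLM\SOFTWARE\Microsoft\NetSh with their signer, and every HKCU App Paths entry, which ShellExecute() consults before HKLM and which therefore shadows the machine-wide one. Registry paths are the ones named in the posts; everything else (property names, output layout) is this example's own choice.

```powershell
# Added example, not from the original posts.
# netsh.exe loads every DLL named under this key at startup. Value name = helper,
# value data = DLL (normally a bare file name resolved through the default search
# path), so a full path, a missing file, or a non-Microsoft signer is the thing to notice.
function Get-NetshHelper {
    $meta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NetSh'
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $meta) { continue }
        $dll  = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        $sig  = Get-AuthenticodeSignature -FilePath $full -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Source = 'netsh helper'
            Name   = $p.Name
            Target = $full
            Exists = Test-Path -LiteralPath $full
            Signer = if ($sig -and $sig.SignerCertificate) { "$($sig.Status): $($sig.SignerCertificate.Subject)" } else { 'unsigned / not found' }
            Note   = if ([IO.Path]::IsPathRooted($dll)) { 'explicit path (default entries are bare names)' } else { '' }
        }
    }
}

# ShellExecute() reads HKCU\...\App Paths before HKLM, so a per-user subkey (the
# post's example: wordpad.exe, reached via write.exe) silently redirects the launch.
function Get-AppPathOverride {
    $hkcu = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    $hklm = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    if (-not (Test-Path $hkcu)) { return }          # nothing registered per user
    foreach ($k in Get-ChildItem -Path $hkcu) {
        $userTarget = (Get-ItemProperty -Path $k.PSPath).'(default)'
        $machineKey = Join-Path $hklm $k.PSChildName
        $machineTarget = if (Test-Path $machineKey) { (Get-ItemProperty -Path $machineKey).'(default)' } else { $null }
        $resolved = if ($userTarget) { [Environment]::ExpandEnvironmentVariables($userTarget.Trim('"')) } else { $null }
        $sig = if ($resolved) { Get-AuthenticodeSignature -FilePath $resolved -ErrorAction SilentlyContinue } else { $null }
        [pscustomobject]@{
            Source = 'HKCU App Paths'
            Name   = $k.PSChildName
            Target = $userTarget
            Exists = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
            Signer = if ($sig -and $sig.SignerCertificate) { "$($sig.Status): $($sig.SignerCertificate.Subject)" } else { 'unsigned / not found' }
            Note   = if ($machineTarget) { "shadows HKLM entry: $machineTarget" } else { 'no HKLM counterpart' }
        }
    }
}

@(Get-NetshHelper) + @(Get-AppPathOverride) | Format-Table -AutoSize -Wrap
```

On a clean machine the netsh list contains only bare names signed by Microsoft and the App Paths function returns nothing; any HKCU entry whose name matches a well-known executable is the case the post describes.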
Yet another #PowerShell #redteam tip: use (WCHAR)0x2013, (WCHAR)0x2014, or (WCHAR)0x2015 instead of "-" and "/" to specify powershell.exe parameters. A huge part of detection rules will not spot them.
And if you are blue💙, you know what to do NOW.
BTW, same applies to the PS code.
Want to see all undocumented parameters of certutil.exe?
1. run "certutil -?" under #WinDbg
2. bp certutil!Usage
3. Find test byte ptr [rbx], 4
4. Replace 4 with 0 (eb 00007ff6`8f417218 00)
5. Let it run
Simple user-level persistence with grpconv.exe:
1. create %userprofile%\setup.ini
2. launch "grpconv.exe -o"
3. profit
Of course, grpconv.exe is provided with Windows 10, because you may need to convert Windows 3.x .grp files some day. 🙃
It is worse than I initially thought! 🤦♂️
If you simply rename your malicious .exe file to msiexec.exe its files will be excluded from realtime scanning. REALLY #WindowsDefender?
Simple C# dropper and the eicar-based PoC instruction:
Use the LanMan-old NPLogonNotify() function to sniff every single password used to logon to Windows.
Cleartext. No reboot required.
NPLogonNotify() -
The C source, and fully working DLL -
Fancy Defender evasion? Yet another method, nearly bare hands:
1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change "Select" values to new one
5. Reboot
6. Enjoy 😎
A side effect of my "Registry internals" session yesterday 😅
Do you know Windows records most important events related to the boot process in a dedicated binary log?
A history of hundreds of boots. I believe it's a cool #DFIR artifact, but I have never seen any tool parsing it. So, I have written one in PowerShell. Enjoy:
How exactly winlogon.exe leaks user password? 🤔
It checks mpnotify value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and then launches exe specified there or mpnotify.exe if empty. Exe registers RPC endpoint and winlogon binds to it and passes the password. 🤯
Kerberos tickets dumping in pure PowerShell 😍
I simply love such approach.
So much more beautiful than loading pre-compiled binary blob. And so much harder to detect...
Any Internet-facing Windows machines?
1. Go to
2. Pick your favorite evil country.
3. Select "IP Range" as format.
4. Copy the result to clipboard.
5. Run the script from
Some time ago, I published a tool allowing you to craft a token containing TrustedInstaller. Today, the Mk2 version appeared: no psexec.exe required, less talkative and with a bit cleaner code.
The C source code and the compiled EXE, as usual:
There is one thing to mention when talking about SystemRoot and cmd.exe: cmd.exe loads %systemroot%\System32\propsys.dll when an executable file is launched. Should I tell you more...? 😈
Simple tool enabling all privileges in the parent process (usually cmd.exe) token. Useful if you have SeBackup or SeRestore and need a cmd.exe ignoring all ACLs.
C code and the compiled .exe as usual.
With a link to the demonstration in the README:
Yet another approach to LSA secrets stealing. I just wanted to try with LsaOpenSecret() / LsaQuerySecret(). And it works (with date/time, and the OldVal as a bonus), so I am sharing the C source code, and the compiled EXE, as usual:
A keylogger/sniffer for the on-screen-keyboard? Sure, ETW is happy to help here with {4F768BE8-9C69-4BBC-87FC-95291D3F9D0C}😁
Enjoy the C source code, and the compiled exe, as usual -
Want to access a #KeePass database from #Powershell? Load keepass.exe as an assembly and call its methods directly.
Very simple (and fully working) script here:
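The approach described in the post, written out as an added example (this is not the author's script): KeePass.exe is loaded with [Reflection.Assembly]::LoadFile and the database is opened and walked through the KeePassLib classes compiled into it (PwDatabase, CompositeKey, KcpPassword, KcpKeyFile, IOConnectionInfo). The install path default and the function name are assumptions; the KeePassLib type and method names are the library's public API.

```powershell
# Added example, not the script from the original post.
# Assumes KeePass 2.x, whose KeePass.exe carries KeePassLib inside it.
function Get-KeePassEntry {
    param(
        [Parameter(Mandatory)][string]$Database,        # path to the .kdbx
        [Parameter(Mandatory)][string]$MasterPassword,
        [string]$KeyFile,                                 # optional second key part
        [string]$KeePassExe = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'  # assumed default install path
    )
    # Load the GUI executable as a plain .NET assembly; no KeePass window is created.
    [void][System.Reflection.Assembly]::LoadFile($KeePassExe)

    # Build the composite key exactly as the UI does: password, plus key file if any.
    $key = New-Object KeePassLib.Keys.CompositeKey
    $key.AddUserKey((New-Object KeePassLib.Keys.KcpPassword($MasterPassword)))
    if ($KeyFile) { $key.AddUserKey((New-Object KeePassLib.Keys.KcpKeyFile($KeyFile))) }

    $db = New-Object KeePassLib.PwDatabase
    $io = [KeePassLib.Serialization.IOConnectionInfo]::FromPath($Database)
    $db.Open($io, $key, $null)          # throws KeePassLib.Keys.InvalidCompositeKeyException on a wrong key
    try {
        # GetEntries($true) walks every subgroup; ReadSafe() returns '' for missing fields
        # instead of throwing, and transparently unprotects in-memory protected strings.
        foreach ($e in $db.RootGroup.GetEntries($true)) {
            [pscustomobject]@{
                Group    = $e.ParentGroup.GetFullPath('/', $false)
                Title    = $e.Strings.ReadSafe('Title')
                UserName = $e.Strings.ReadSafe('UserName')
                Url      = $e.Strings.ReadSafe('URL')
                Password = $e.Strings.ReadSafe('Password')
                Modified = $e.LastModificationTime
            }
        }
    }
    finally {
        $db.Close()                     # zeroes the in-memory key material
    }
}

# Usage (paths are placeholders):
# Get-KeePassEntry -Database 'C:\Users\me\vault.kdbx' -MasterPassword 'correct horse' | Format-Table -AutoSize
```

Because LoadFile binds the assembly for the rest of the process, a second call with a different KeePass.exe path will not reload it; start a fresh PowerShell process if the version matters. The same LoadFile trick is what makes this hard to spot: no KeePass process appears, only powershell.exe with an extra module loaded.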
Do you store your "DNS dynamic update registration credentials" in a DHCP?
Cute, it means I have a new tool for you 😁😈
Enjoy the DHCP Server DNS Password Stealer. The C source code, and the compiled exe, as usual:
If you have SeTcbPrivilege, you can put anything into the token, and Windows will use it as an official SID\domain\username for the process.
Yet again a dirty trick against #DFIR and #BlueTeam 😎
Source code, and the compiled exe as usual:
Yet another built-in Windows downloader? 🤔
1. create LDIF file containing a http-based attrval-spec,
2. import it with ldifde.exe.
As an effect you can:
3. observe the request on the webserver,
4. find the file on your drive.
Enjoy 😈
Want to avoid shutdown script execution on your laptop? Set Critical Battery Level Action to "Shutdown" and unplug the power. Even if it is 99%, the shutdown scripts do not execute. Why does it work this way? See the short thread below: ⤵
Token stealing (aka duplication) with syscalls only? Not sure if it’s a novel approach but had to try anyway. 🤷♂️
NtOpenProcessToken, NtAdjustPrivilegesToken, NtOpenProcess, NtDuplicateToken, and NtSetInformationThread at your service! Enjoy the C code:
Just a friendly reminder for all admins fixing overly privileged service accounts: the previous password is saved on the machine anyway. It means you should:
1. change the service password twice
or
2. change it for an account to make backup secret useless.
🔥🔥I definitely underestimated offlinelsa.dll...🔥🔥
It allows you to manipulate SAM database content offline! What if I give you an app assigning all privileges "Administrators" have to "Users"? 😈
Enjoy the C source code and the compiled exe, as usual:
Have you ever wanted to be TrustedInstaller? Or is it just me...? 🙈
It was the most obvious step, after I have realized I can put anything into the 100% legit security token. 😈
A piece of C, and the compiled EXE, as always:
And what if I tell you sfc.exe loads SSShim.dll (and couple of other DLLs too) from the SCANNED Windows, and not from the scanning one? 😈
Additionally, sfc.exe forces you to run it as local admin.
Will you scan my OS image, please? 🙏
1. Create file containing only "0".
2. Check the digital signature with #PowerShell
3. Observe your file is properly signed by Microsoft.
Are you still thinking that digital signatures are complicated? :D
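The check a practitioner wants after reading the steps above, added here as an example (not part of the original post): Get-AuthenticodeSignature reports where a valid signature came from in its SignatureType property, and a file with no signature block of its own can only be 'Catalog' (its hash was found in a signed catalog file) rather than 'Embedded'. The post reports Status Valid for the one-byte file; the column that tells the two cases apart is SignatureType, so a rule that keys on Status alone is the thing to fix.

```powershell
# Added example, not from the original post.
function Test-SignatureOrigin {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        SignatureType = $sig.SignatureType     # Embedded, Catalog, or None
        IsOSBinary    = $sig.IsOSBinary
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Only an Embedded signature is bound to this file's own content by the signer;
        # Catalog means "some Microsoft-signed catalog lists this hash", nothing more.
        TrustAsIdentity = ($sig.Status -eq 'Valid' -and $sig.SignatureType -eq 'Embedded')
    }
}

# Reproduce the post: a file holding nothing but the character "0" (ASCII, no BOM).
$probe = Join-Path $env:TEMP 'zero.txt'
[IO.File]::WriteAllText($probe, '0', [Text.Encoding]::ASCII)

Test-SignatureOrigin -Path $probe                                   # expect SignatureType Catalog if Valid
Test-SignatureOrigin -Path "$env:SystemRoot\System32\notepad.exe"  # OS binaries are typically Catalog too
Test-SignatureOrigin -Path "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
```

Catalog signing is how Windows itself is signed, so "Catalog" is not a red flag by itself; the point is that a catalog match says the bytes are known, not that the file at that path is the program its name claims. When a policy decision depends on identity, require SignatureType Embedded or check the path against the catalog's intended binary.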
Explorer hides extensions of 16 file types, even if you want to see them all. If such files contain real PE (exe) content, they behave differently when you double click them. Nothing, errors, OpenWith dialog, etc.
And one of them will run actual exe file 😈
Dare to guess?
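Rather than guessing, the list can be read off the machine; this is an added example, not from the original post. Explorer hides an extension when the extension key or its ProgID key in HKEY_CLASSES_ROOT carries a NeverShowExt value, so enumerating those and printing the open command shows which of them ends up running something. The function name and the assumption that only the direct ProgID is consulted (not CurVer indirections) are this example's own.

```powershell
# Added example, not from the original post.
# Walks HKCR, finds every extension whose own key or ProgID key has NeverShowExt,
# and shows the shell\open\command that a double-click would hand the file to.
function Get-HiddenExtension {
    $root = 'Registry::HKEY_CLASSES_ROOT'
    $extKeys = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -like '.*' }
    foreach ($ext in $extKeys) {
        $progId = (Get-ItemProperty -Path $ext.PSPath -ErrorAction SilentlyContinue).'(default)'
        # Check both the extension key and (if present) the ProgID it maps to.
        $keys = @($ext.PSPath)
        if ($progId) { $keys += "$root\$progId" }
        $hidden = $false
        foreach ($k in $keys) {
            # NeverShowExt is usually an empty REG_SZ; Get-ItemProperty returns an object
            # when the value exists and $null (error suppressed) when it does not.
            if (Get-ItemProperty -Path $k -Name NeverShowExt -ErrorAction SilentlyContinue) { $hidden = $true; break }
        }
        if (-not $hidden) { continue }
        $cmd = if ($progId) {
            (Get-ItemProperty -Path "$root\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Extension   = $ext.PSChildName
            ProgId      = $progId
            OpenCommand = $cmd
        }
    }
}

Get-HiddenExtension | Sort-Object Extension | Format-Table -AutoSize -Wrap
```

Entries whose OpenCommand passes "%1" to a loader rather than to a viewer are the ones to look at when deciding which of the hidden-extension types can carry a PE body; the exact count and set vary by Windows build and installed software, so treat the 16 in the post as a starting point, not the answer for every machine.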
Yet another one... 🙄
Built-in DeviceEject.exe auto elevates and then loads hotplug.dll from the current path. It verifies parameters before loading the DLL, but it looks like "0 0 0" is good enough to pass the check.
Falling in love with (built-in!) tttracer.exe.
"-launch" works like a charm for #LOLBIN scenarios, and there are sooo many more parameters to play with.
Wrap your #PowerShell script into a simple C# file and compile it on any Windows machine to avoid alerts and bans focused on powershell.exe. 😎
The code and more detailed instruction:
It waited on my backlog for months, even if I smelled some C2 potential within iFilters.
And now I can confirm it, and I LOVE it!
It's enough to send an email with an attachment to a victim to execute commands as LOCALSYSTEM.
Did you expect this? Especially an undocumented "-encodedarguments" #PowerShell parameter.
It may be shortened to "ea" or "encodeda".
Good luck fixing your detection rules 😂
The tool I hope you will never have to use. But if you do some Incident Response, collecting the volatile data is a must. And the tool does it. Neatly and fast. C source code, and the compiled EXE, as usual -
It collects: 👇
TIL: The process CommandLine is just the process's own memory, indicated by PEB->ProcessParameters->CommandLine->Buffer. Each process can freely change it, and easily fool all tools trying to read such a value. Why does anyone trust it? 🤔
SeManageVolumePrivilege to "Full Admin" escalation:
1. Enable the privilege in the token
2. Create handle to \\.\C: with SYNCHRONIZE | FILE_TRAVERSE
3. Send the FSCTL_SD_GLOBAL_CHANGE to replace S-1-5-32-544 with S-1-5-32-545
4. Overwrite utilman.exe etc.
5. 😎
OH SNAP! 😮
Set the VSS Snapshot type GUID to {F12142B4-9A4B-49af-A851-700C42FDC2BE} to make snapshot disappear, but still work.
The C source code, and the compiled exe, as usual:
Want to know if someone dumped lsass.exe? Maybe your NTFS journal keeps some #DFIR traces about *lsass*.dmp. Simple, but working!
Fully functional PoC C source code (and the compiled exe) as usual:
Yet another comspec-based #LOLBin to be added to your blue- or red-tinted repos.
For a couple dozen predefined commands, "help xxx" will launch "%comspec% /c xxx /?"
The finding itself is nearly year old, and it's high time I converted it into something practical.
I'm super excited to announce the launch of my "Mastering Windows Internals" pilot program. The goal is to share my knowledge and experiences, along with offering practical insights on using the tools I've developed and continue to update.
#redteam tip: use logman.exe with -b, -rf, -s, and -rc to create highly-privileged local, and remote scheduled tasks. They are deeply hidden in the Task Scheduler GUI, especially as the actions are masked under "Custom Handler". And no one looks for attackers in Perfmon/DCS.
Yet another "expert" sharing my tool at BlackHat without attributing it to me🤬
Closed source, never made for sharing publicly.
Great choice of speakers (again) @BlackHatEvents 🙄
And the URL of shame:
A new tool has arrived: offline firewall policy parser. Relies on undocumented fwpolicyiomgr.dll and somewhat documented data structures. Can be useful in some #DFIR investigations. Enjoy the C source code and the compiled EXE, as usual:
Are you afraid of Windows Services hidden via ACLs? Find them easily with simple PowerShell script:
Now it's the Red Team turn: improve service hiding with registry ACLs manipulation ;)
As my sideloading technique gained some popularity today, I have decided to share one of the tiniest pieces of malicious code I have ever written. Volume label is the payload... 😈
BLUE TEAMS: Watch format's child processes please! 🙏
There are hundreds of ways of making your Windows unbootable, but some of them are just more interesting. Like the bcdedit.exe {badmemory} undocumented option, telling Windows the RAM is "bad" 😅
1000 ought to be enough for anyone.
Some time ago I have realized a process can manipulate its own cmdline, which is quite cool. :)
Today I learned a process can play with the path and current directory as well. The conclusion is simple: don't trust these fields!
Don't be like Process Explorer... 😅
Do you trust RunAsPPL? The "prevent code injection that could compromise credentials" narration? Technically it is right, as you cannot load your DLL into LSASS. But what if LSASS.exe passes cleartext passwords to mpnotify.exe, which automatically loads untrusted DLLs? 😱
Undocumented (what a surprise!) EVTX file format flag, making all internal checksums ignored.
Good to have if you plan to manipulate the log content.🕵️
Simple "try this at home" #PowerShell script:
Malicious IFilter? Why not! It’s a DLL waiting patiently (not even loaded) until the file with a particular extension appears. Then it executes as the LOCALSYSTEM. More in a short writeup:
Never. Ever. Trust the "CommandLine" property of the process in your #DFIR or #SOC procedures. Parent process can put anything there. C source code, and the compiled exe as usual:
Caring about whoami? Despite common belief, it doesn't use GetUserNameEx() unless you specify /UPN or /FQDN param!
Whoami calls OpenProcessToken() to get process token, then GetTokenInformation() to get SID, and finally LookupAccountSid() to get username.
You have been warned ;)
#redteam tip: use /r instead of /c as a cmd.exe parameter if your blue partners believe their job is about writing signatures :P
Surprisingly clearly documented ;)
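The detection side of this post and of the earlier ones on the same theme (the 0x2013/0x2014/0x2015 dash look-alikes, the "-encodedarguments"/"-ea"/"-encodeda" parameter, and the appcmd "/show", "/@t" and "/@text" variants of "/text:*"), as an added example that is not part of any of the original posts: command lines are canonicalized before matching, then run through a small rule set over constructed sample lines. The rule names, the function names and the sample lines are this example's own; the parameter spellings are the ones the posts list.

```powershell
# Added example, not from the original posts.
# Step 1: canonicalize. The parser accepts U+2013/U+2014/U+2015 where rules expect
# '-' (per the post), so fold them first; also collapse whitespace.
function ConvertTo-CanonicalCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $s = $CommandLine -replace '[\u2013\u2014\u2015]', '-'
    return ($s -replace '\s+', ' ').Trim()
}

# Step 2: rules written against the canonical form. -match is case-insensitive.
# Switches are matched with [-/] because powershell.exe accepts either prefix.
$script:Rules = @(
    @{ Name = 'powershell encoded command';    Pattern = '\bpowershell(\.exe)?\b.*\s[-/](e|ec|enc|encodedcommand)\b' }
    @{ Name = 'powershell encoded arguments';  Pattern = '\bpowershell(\.exe)?\b.*\s[-/](ea|encodeda|encodedarguments)\b' }
    @{ Name = 'cmd /c or /r';                  Pattern = '\bcmd(\.exe)?\b.*\s/[cr]\s' }
    @{ Name = 'appcmd apppool credential read'; Pattern = '\bappcmd(\.exe)?\b.*\blist\s+apppool\b.*\s/(text|show|@t|@text)\b' }
)

function Test-CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $canon = ConvertTo-CanonicalCommandLine -CommandLine $CommandLine
    $hits  = @(foreach ($r in $script:Rules) { if ($canon -match $r.Pattern) { $r.Name } })
    [pscustomobject]@{
        CommandLine = $CommandLine
        Canonical   = $canon
        Matches     = ($hits -join '; ')
    }
}

# Constructed sample lines (not real telemetry), one per evasion the posts describe.
$samples = @(
    "powershell.exe $([char]0x2013)ec SQBFAFgA"                      # en-dash instead of '-'
    "powershell.exe $([char]0x2015)w hidden -encodeda SQBFAFgA"      # horizontal bar + short form
    'powershell.exe /ea SQBFAFgA'                                    # slash prefix + shortest form
    'cmd.exe /r whoami'                                              # /r where rules expect /c
    'appcmd.exe list apppool /@t:*'                                  # undocumented /text alias
    'appcmd.exe list apppool /show'
    'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\ok.ps1' # benign control line
)
$samples | ForEach-Object { Test-CommandLine -CommandLine $_ } | Format-Table -Wrap -AutoSize
```

The control line matches nothing because "-e" is only accepted as a whole token (the \b after the alternation stops it from firing on -ExecutionPolicy). Whatever engine actually runs the rules in production, the canonicalization step is the part to port: a rule that sees the raw string never gets to compare against "-".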
If you are responsible for Win11 security baseline, please use the new (I mean fixed after 20+ years) configuration option "Enable MPR notifications" under Windows Components\Windows Logon Options.
Defaults allow to read cleartext credentials from Winlogon with a simple DLL.
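A check for the exposure this and the earlier Winlogon/mpnotify/NPLogonNotify posts describe, added here as an example (it is not code from any of the original posts): it reads the mpnotify value under the Winlogon key, the EnableMPR value (assumed here to be the registry setting behind the "Enable MPR notifications" policy named above) and the provider DLL of every network provider registered in NetworkProvider\Order, and flags a non-default launcher, notifications left enabled, or a provider DLL that is not Microsoft-signed. The function name and the output shape are this example's own.

```powershell
# Added example, not from the original posts.
function Get-WinlogonNotifyExposure {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $winlogon -ErrorAction Stop

    # 1. mpnotify: Winlogon launches whatever is named here at logon (default mpnotify.exe
    #    when empty) and hands it the cleartext password over RPC.
    $mpnotify = $props.mpnotify
    [pscustomobject]@{
        Check   = 'Winlogon\mpnotify'
        Value   = if ($mpnotify) { $mpnotify } else { '(empty: built-in mpnotify.exe)' }
        Finding = if ($mpnotify -and $mpnotify -notmatch '^(%SystemRoot%|C:\\Windows)\\System32\\mpnotify\.exe$') { 'SUSPICIOUS: custom notify exe' } else { 'OK' }
    }

    # 2. EnableMPR (assumed: the value behind "Enable MPR notifications for the system").
    #    0 stops the notification entirely; absent means the 20-year-old default, i.e. enabled.
    $enableMpr = $props.EnableMPR
    [pscustomobject]@{
        Check   = 'Winlogon\EnableMPR'
        Value   = if ($null -eq $enableMpr) { '(not set: notifications enabled)' } else { $enableMpr }
        Finding = if ($enableMpr -eq 0) { 'OK (hardened)' } else { 'EXPOSED: providers receive cleartext passwords' }
    }

    # 3. Every registered provider DLL gets NPLogonNotify() / NPPasswordChangeNotify().
    $order = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    foreach ($name in ($order -split ',')) {
        $name = $name.Trim()
        if (-not $name) { continue }
        $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $path  = (Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue).ProviderPath
        if (-not $path) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        $sig = Get-AuthenticodeSignature -FilePath $expanded -ErrorAction SilentlyContinue
        $msSigned = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*'
        [pscustomobject]@{
            Check   = "NetworkProvider\$name"
            Value   = $expanded
            Finding = if ($msSigned) { 'OK (Microsoft-signed)' } else { 'REVIEW: unsigned or non-Microsoft provider DLL' }
        }
    }
}

Get-WinlogonNotifyExposure | Format-Table -AutoSize -Wrap
```

On a default Windows 11 install the provider list is RDPNP, LanmanWorkstation and webclient, all Microsoft-signed; the second row is the one that stays "EXPOSED" until the baseline setting is applied, which is the post's point: a clean provider list today says nothing about the DLL an attacker with admin rights registers tomorrow, only EnableMPR=0 does.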
Persistence tip: if you have admin rights for a moment, just add “WD” or “DC” to the SDDL of any Windows service. It will allow you to elevate your privileges back any moment you need.
Good luck finding this, Blue Team...
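Finding it is exactly what the following does; it is an added example and not the author's script from the earlier "hidden services" post. It parses service and SCM security descriptors with .NET's RawSecurityDescriptor and reports any allow ACE that gives Everyone, Authenticated Users, Users, Interactive or Anonymous a right that hands control back later: DC (change config, or create-service on the SCM), SD, WD, WO, GA, GW, and KA, which includes all of them. It also reports the DisableRemoteScmEndpoints value from the lateral-movement post. Function names, the principal list and the output layout are this example's choices; the access-mask bits are the documented service and standard rights.

```powershell
# Added example, not from the original posts.
function Test-ServiceSddl {
    param(
        [Parameter(Mandatory)][string]$Name,   # service name, or 'scmanager' for the SCM itself
        [Parameter(Mandatory)][string]$Sddl
    )
    # Principals any foothold already holds.
    $broad = @{
        'S-1-1-0'      = 'Everyone (WD)'
        'S-1-5-11'     = 'Authenticated Users (AU)'
        'S-1-5-32-545' = 'Users (BU)'
        'S-1-5-4'      = 'Interactive (IU)'
        'S-1-5-7'      = 'Anonymous (AN)'
    }
    # Rights that let the holder change what runs, or rewrite the ACL itself.
    $dangerous = @{
        0x00000002 = 'SERVICE_CHANGE_CONFIG / SC_MANAGER_CREATE_SERVICE (DC)'
        0x00010000 = 'DELETE (SD)'
        0x00040000 = 'WRITE_DAC (WD)'
        0x00080000 = 'WRITE_OWNER (WO)'
        0x10000000 = 'GENERIC_ALL (GA)'
        0x40000000 = 'GENERIC_WRITE (GW)'
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $broad.ContainsKey($sid)) { continue }
        $hits = @(foreach ($bit in $dangerous.Keys) { if ($ace.AccessMask -band $bit) { $dangerous[$bit] } })
        if ($hits.Count) {
            [pscustomobject]@{
                Object    = $Name
                Principal = $broad[$sid]
                Rights    = ($hits -join ', ')
                Sddl      = $Sddl
            }
        }
    }
}

function Get-WeakServiceAcl {
    # The SCM itself first: this is where "sc.exe sdset scmanager D:(A;;KA;;;WD)" lands.
    Test-ServiceSddl -Name 'scmanager' -Sddl ((sc.exe sdshow scmanager) -join '').Trim()
    # Then every service. Services we cannot query return an error line instead of SDDL.
    foreach ($svc in Get-Service) {
        $out = ((sc.exe sdshow $svc.Name) -join '').Trim()
        if ($out -match '^[DOGS]:') { Test-ServiceSddl -Name $svc.Name -Sddl $out }
    }
    # Remote-management switch: 1 makes the SCM ignore remote callers entirely.
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control').DisableRemoteScmEndpoints
    [pscustomobject]@{
        Object    = 'SCM remote endpoints'
        Principal = 'DisableRemoteScmEndpoints'
        Rights    = if ($v -eq 1) { 'disabled (hardened)' } else { 'enabled (default)' }
        Sddl      = ''
    }
}

# Offline check against the post's backdoor SDDL: Everyone with KA (0xF003F) trips all six bits.
Test-ServiceSddl -Name 'scmanager' -Sddl 'D:(A;;KA;;;WD)'

# Live check of this machine.
Get-WeakServiceAcl | Format-Table -AutoSize -Wrap
```

A service hidden the way the earlier post describes (an explicit deny for the querying principal) shows up here as an "access denied" line from sc.exe and is skipped, so an empty result is only meaningful when the script ran as SYSTEM or another principal the deny does not cover; the registry view under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Security is the cross-check for that case.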
Want to know what fsutil devdrv actually does? Here you have it:
1. devdrv enable -> FsEnableDevDrive=1 in CCS\Control\FileSystem
2. disallowAv -> FltmgrDevDriveAllowAntivirusFilter=0 in CCS\Control\FilterManager
3. clearFiltersAllowed -> FsFlags + FsGuid in