BREAKING NETWORK SEGREGATION USING ESOTERIC COMMAND & CONTROL CHANNELS
James Coote & Alfie Champion
C:\> whoami /all
Alfie Champion – Senior Consultant, @ajpc500
James Coote – Senior Consultant, @jkcoote
AGENDA
• Why?
• The Lab & C3
• Using and Detecting C2 over:
  • VMware
  • Printers
  • RDP Mapped Drives
  • LDAP Attributes
WHY CARE?
Blue team:
• Challenge assumed network boundaries
• Increasing in popularity
Red team:
• Bypass network segregation
• Target commonly-observed attack surface
• Evade detection
LAB
Lab diagram: DC1.MWR.COM; DC2.UK.MWR.COM; WRK1.UK.MWR.COM and WRK2.UK.MWR.COM; ESXi.UK.MWR.COM, managed by VCENTER.UK.MWR.COM; TEAMSERVER and C3 SERVER reachable over the INTERNET. Telemetry collected with Sysmon and SilkETW into HELK.
https://gist.github.com/ajpc500/3a86ba1741d4868b69be5ce3a142d527
https://github.com/fireeye/SilkETW
https://github.com/SwiftOnSecurity/sysmon-config
https://github.com/Cyb3rWard0g/HELK
C3
https://github.com/FSecureLABS/C3
Diagram: a BEACON on the TARGET, its traffic carried as PACKETs over the C2 Medium.
TL;DR
READ, WRITE, DELETE? C2.
VMWARE
SCENARIO
Diagram: WRK1 and WRK2, DENY ALL between them in both directions; both are managed by VCENTER.UK.MWR.COM.
OPERATIONAL LIMITATIONS
• Must have valid credentials and relevant “Guest Operations” privileges in vCenter
• Must have valid credentials for the target VM
  • Local or domain, no need to be an admin
• Target VM must have VMware Tools installed
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html
DATAFLOW
Diagram: WRK1 and WRK2 both POLLING \\SHARE\DIR (the C3 UncShareFile channel).
https://github.com/FSecureLABS/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/UncShareFile.cpp
DATAFLOW
Diagram: a C3 relay on each of WRK1 and WRK2, each POLLING its local C:\USERS\PUBLIC; SHARPSPHERE uses VCENTER to move PACKETs between the two directories.
https://github.com/JamesCooteUK/SharpSphere/releases/tag/1.1.0.0
1. Writes packet
2. Download packet
3. Writes packet
4. Upload packet
WORKFLOW
FIND VCENTER -> CREATE CHANNEL -> DOWNLOAD RELAY -> UPLOAD TO TARGET -> EXECUTE RELAY -> EXECUTE C2
FIND VCENTER
https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA/ldapsearch
ldapsearch (operatingSystemServicePack=*unknown.unknown.unknown*)
ldapsearch (name=*vcenter*)
CREATE CHANNEL
LIST VMS
UPLOAD TO TARGET HOST
EXECUTE RELAY
ESTABLISH C2
PREVENTION
• Restrict network access to vCenter to known administrative hosts (PAWs?)
• Principle of Least Privilege
• Disable “Guest Operations” API methods
• Remove non-essential VMware Tools features from guest VMs
https://github.com/lamw/vmware-scripts/blob/master/powershell/enable-disable-vsphere-api-method.ps1
https://docs.vmware.com/en/VMware-Tools/10.1.0/com.vmware.vsphere.vmwaretools.doc/GUID-E45C572D-6448-410F-BFA2-F729F2CDA8AC.html
DETECTION OPPORTUNITIES
Diagram: C3 relays on WRK1 and WRK2 (C:\USERS\PUBLIC), SHARPSPHERE and VCENTER, annotated with the telemetry available at each point:
• File Writes (on both workstations)
• Network Connections
• .NET Tooling
• API Usage Logs
• WEL Logon Events
• C3 Usage
DETECTION OPPORTUNITIES - .NET TOOLING
Yara Rule - https://gist.github.com/ajpc500/7b3f44e6cae093ace68396adb3f27bfa
https://blog.f-secure.com/detecting-malicious-use-of-net-part-1/
https://medium.com/threat-hunters-forge/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0
DETECTION OPPORTUNITIES - C3 USAGE
Yara rule - https://gist.github.com/ajpc500/9ae6eb427375438f906b0bf394813bc5
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
DETECTION OPPORTUNITIES - NETWORK CONNECTIONS
Diagram: Rundll32.exe SPAWNS Relay_x64_6fc1_slack.exe; network connection to VCENTER.
DETECTION OPPORTUNITIES - PROCESS CREATIONS - EXECUTE
https://github.com/JamesCooteUK/SharpSphere/blob/master/SharpSphere/Program.cs#L174
Vmtoolsd.exe SPAWNS cmd.exe /c whoami > C:\Users\Public\ohq4ccey.hib 2>&1
Vmtoolsd.exe SPAWNS cmd.exe /c whoami
No --output == no file writes, but we still have anomalous child processes of vmtoolsd.exe
DETECTION OPPORTUNITIES - API USAGE LOGS - EXECUTE
https://github.com/JamesCooteUK/SharpSphere/blob/master/SharpSphere/Program.cs#L174
SharpSphere's execute command, as a sequence of Guest Operations API calls:
1. Start Program
2. List Process IDs, until process has terminated…
3. Download Output File
4. Delete Output File
Each step is logged on vCenter in /var/log/vmware/vpxd/vpxd.log:
https://williamlam.com/2017/11/how-to-audit-vsphere-api-usage.html
• Initial Authentication
• Find Virtual Machine by IP
• Authenticate to Guest and Start Program
• List processes and check if program has terminated
• Download program output and delete the file
Also: /var/log/vmware/vpxd/vpxd-profiler.log
DETECTION OPPORTUNITIES - API USAGE LOGS - C2
/var/log/vmware/vpxd/vpxd.log
https://williamlam.com/2017/11/how-to-audit-vsphere-api-usage.html
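A defender-side check for the vpxd.log chains above, written as an added example (it is not the talk's, SharpSphere's or C3's code): it parses constructed LRO-style log lines, flags the start-program / list-processes / download / delete chain (with and without --output) and flags bursts of guest file transfers that look like channel polling. The line layout, the session identifiers and the lowercase method spelling in the log are assumptions about vpxd.log's format; the method names themselves are the vSphere Guest Operations API methods.

```python
"""Detect SharpSphere-style Guest Operations chains in vCenter's vpxd.log.

Added example, not part of the talk, SharpSphere or C3.  The log lines are
CONSTRUCTED to resemble vpxd.log long-running-operation (LRO) entries; the
regex assumes "-- BEGIN <lro> -- <target> -- <vim method> -- <session>" and
must be adapted to a real vpxd.log.  Method names are vSphere API methods.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one execute-with-output chain (sess-A), one execute
# without --output (sess-B), and a burst of file transfers that looks like
# C2 polling (sess-C).
SAMPLE_LOG = """\
2021-06-01T10:00:00.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-1 -- SessionManager -- vim.SessionManager.login -- sess-A
2021-06-01T10:00:00.500Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-2 -- SearchIndex -- vim.SearchIndex.findByIp -- sess-A
2021-06-01T10:00:01.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-3 -- vm-42 -- vim.vm.guest.ProcessManager.startProgramInGuest -- sess-A
2021-06-01T10:00:02.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-4 -- vm-42 -- vim.vm.guest.ProcessManager.listProcessesInGuest -- sess-A
2021-06-01T10:00:04.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-5 -- vm-42 -- vim.vm.guest.FileManager.initiateFileTransferFromGuest -- sess-A
2021-06-01T10:00:04.500Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-6 -- vm-42 -- vim.vm.guest.FileManager.deleteFileInGuest -- sess-A
2021-06-01T10:05:00.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-7 -- vm-42 -- vim.vm.guest.ProcessManager.startProgramInGuest -- sess-B
2021-06-01T10:05:01.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-8 -- vm-42 -- vim.vm.guest.ProcessManager.listProcessesInGuest -- sess-B
2021-06-01T11:00:00.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-9 -- vm-42 -- vim.vm.guest.FileManager.initiateFileTransferFromGuest -- sess-C
2021-06-01T11:00:05.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-10 -- vm-42 -- vim.vm.guest.FileManager.initiateFileTransferToGuest -- sess-C
2021-06-01T11:00:10.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-11 -- vm-42 -- vim.vm.guest.FileManager.initiateFileTransferFromGuest -- sess-C
2021-06-01T11:00:15.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-12 -- vm-42 -- vim.vm.guest.FileManager.deleteFileInGuest -- sess-C
2021-06-01T11:00:20.000Z info vpxd[7F1A] [VpxLRO] -- BEGIN lro-13 -- vm-42 -- vim.vm.guest.FileManager.initiateFileTransferFromGuest -- sess-C
"""

LRO_RE = re.compile(
    r"^(?P<ts>\S+) .*?\[VpxLRO\] -- BEGIN (?P<lro>\S+) -- (?P<target>\S+) -- "
    r"(?P<method>vim\.\S+) -- (?P<session>\S+)$"
)
START = "vim.vm.guest.ProcessManager.startProgramInGuest"
LIST = "vim.vm.guest.ProcessManager.listProcessesInGuest"
FROM_GUEST = "vim.vm.guest.FileManager.initiateFileTransferFromGuest"
TO_GUEST = "vim.vm.guest.FileManager.initiateFileTransferToGuest"
DELETE = "vim.vm.guest.FileManager.deleteFileInGuest"
TRANSFERS = {FROM_GUEST, TO_GUEST, DELETE}


def parse_lro(text):
    """Yield (timestamp, session, target, method) for each LRO BEGIN line."""
    for line in text.splitlines():
        m = LRO_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["session"], m["target"], m["method"]


def find_execute_chains(text):
    """One finding per startProgramInGuest call, keyed by (session, vm).

    'execute+output': start -> listProcesses -> transferFromGuest -> deleteFile
    (SharpSphere with --output).  'execute-only': start -> listProcesses and
    no download, the --output-less case that leaves no file writes behind."""
    by_key = defaultdict(list)
    for ts, session, target, method in parse_lro(text):
        if target.startswith("vm-"):            # only guest-level operations
            by_key[(session, target)].append((ts, method))
    findings = []
    for (session, vm), events in by_key.items():
        methods = [m for _, m in events]
        for i, m in enumerate(methods):
            if m != START:
                continue
            tail = methods[i + 1:]
            downloaded = FROM_GUEST in tail and DELETE in tail
            kind = "execute+output" if downloaded else "execute-only" if LIST in tail else None
            if kind:
                findings.append({"session": session, "vm": vm, "kind": kind,
                                 "when": events[i][0].isoformat()})
    return findings


def find_polling_transfers(text, min_ops=4, window_s=60):
    """Flag (session, vm) pairs with >= min_ops guest file transfers inside
    window_s seconds: a C3 channel directory on the guest is serviced by
    repeated download/upload/delete of packet files, not by one-off admin."""
    by_key = defaultdict(list)
    for ts, session, target, method in parse_lro(text):
        if method in TRANSFERS:
            by_key[(session, target)].append(ts)
    flagged = []
    for (session, vm), times in by_key.items():
        times.sort()
        for i in range(len(times) - min_ops + 1):
            if (times[i + min_ops - 1] - times[i]).total_seconds() <= window_s:
                flagged.append({"session": session, "vm": vm, "ops": len(times)})
                break
    return flagged
```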
DETECTION OPPORTUNITIES - FILE WRITES - C2
https://labs.f-secure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-3/
https://github.com/FSecureLABS/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/UncShareFile.cpp#L68
DETECTION OPPORTUNITIES - WINDOWS EVENT LOGS
EID 4624 and 4648s for the logon required for guest interaction, produced on the target workstation
PRINTERS
SCENARIO
Diagram: WRK1 and WRK2, DENY ALL between them in both directions; both can reach the shared printer MX470 ON DC2.
OPERATIONAL LIMITATIONS
• Both sides must have network (SMB) access to the same print server
• Execute under the context of the same account on both sides, or an admin
• Unlimited print jobs less stable
• Transfer size of ~1MB per packet
DATAFLOW
Diagram: C3 relays on WRK1 and WRK2, each POLLING the MX470 print queue.
FIND PRINTERS
https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA/ldapsearch
ldapsearch (objectCategory=printQueue) uNCName
powershell Get-Printer -ComputerName DC2.UK.MWR.COM
wmic printer get name
CREATE CHANNEL
EXECUTE RELAY
DETECTION OPPORTUNITIES
Diagram: WRK1 and WRK2 (DENY ALL between them) and the print server, annotated with the telemetry available at each point:
• Endpoint UI
• Module Loads
• RPC
• Print Server Event Logs
• Network Connections
DETECTION OPPORTUNITIES - ENDPOINT UI
https://labs.f-secure.com/blog/print-c2/
HKCU\Printers\Settings\EnableBalloonNotificationsRemote
HKCU\Printers\Settings\EnableBalloonNotificationsLocal
Low ink… low paper… printer offline… Any issue could be presented to the compromised user!
DETECTION OPPORTUNITIES - PRINT SERVER EVENT LOGS
Computer Configuration > Policies > Administrative Templates > Printers > Allow job name in event logs
wevtutil.exe sl 'Microsoft-Windows-PrintService/Operational' /enabled:true
DETECTION OPPORTUNITIES - MODULE LOADS
https://docs.microsoft.com/en-us/windows/win32/printdocs/addjob
DETECTION OPPORTUNITIES - NETWORK CONNECTIONS
Beaconing Behaviour
DETECTION OPPORTUNITIES - RPC
logman start Print-Job-RPC -p Microsoft-Windows-RPC 0xffffffffffffffff win:Informational -ets
logman stop Print-Job-RPC -ets
tracerpt Print-Job-RPC.etl -o Print-Job-RPC.evtx -of EVTX
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e8f9dad8-d114-41cc-9a52-fc927e908cf4
Method       | Description                                                                        | OpNum
RpcEnumJobs  | Retrieves information about a specified set of print jobs for a specified printer. | Opnum 4
RpcAddJob    | Defines a new print job.                                                           | Opnum 24
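The RPC trace and the two opnums above can be turned into a detection; this added example (not from the talk) consumes constructed events carrying the fields a tracerpt-converted Microsoft-Windows-RPC trace exposes and flags metronome-like RpcEnumJobs polling, plus RpcAddJob calls from processes that are not expected to print. The MS-RPRN interface UUID and the baseline list of printing applications are assumptions made here.

```python
"""Flag print-queue polling (RpcEnumJobs) and job creation (RpcAddJob) that
look like a C2 channel, from Microsoft-Windows-RPC client-call events.

Added example, not part of the talk or C3.  The events are CONSTRUCTED to
mirror fields a tracerpt-converted RPC trace exposes (interface UUID, opnum,
PID, image).  Opnums (RpcEnumJobs 4, RpcAddJob 24) are from MS-RPRN; the
interface UUID below is assumed to be MS-RPRN's.
"""
import statistics
from collections import defaultdict

MS_RPRN = "12345678-1234-abcd-ef00-0123456789ab"
RPC_ENUM_JOBS = 4
RPC_ADD_JOB = 24

# Constructed trace: rundll32.exe polls the queue every ~5 s and submits two
# jobs; winword.exe prints once.  Fields: (seconds, pid, image, uuid, opnum).
SAMPLE_EVENTS = [(t, 4242, "rundll32.exe", MS_RPRN, RPC_ENUM_JOBS)
                 for t in (0, 5, 10, 15, 21, 25, 30)]
SAMPLE_EVENTS += [(12, 4242, "rundll32.exe", MS_RPRN, RPC_ADD_JOB),
                  (27, 4242, "rundll32.exe", MS_RPRN, RPC_ADD_JOB),
                  (3, 1337, "winword.exe", MS_RPRN, RPC_ADD_JOB),
                  (8, 1337, "winword.exe", MS_RPRN, RPC_ENUM_JOBS),
                  (9, 900, "svchost.exe", "e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3)]


def find_print_beacons(events, min_calls=5, max_cv=0.25):
    """Return processes whose RpcEnumJobs calls recur at a near-constant interval.

    cv = stdev / mean of the inter-call gaps.  A user or a print driver does not
    enumerate the queue on a timer; a polling C3 channel does."""
    polls = defaultdict(list)
    for t, pid, image, uuid, opnum in events:
        if uuid == MS_RPRN and opnum == RPC_ENUM_JOBS:
            polls[(pid, image)].append(t)
    hits = []
    for (pid, image), times in polls.items():
        if len(times) < min_calls:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"pid": pid, "image": image, "calls": len(times),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def find_unexpected_add_job(events, expected_images=("winword.exe", "excel.exe", "acrord32.exe")):
    """Return RpcAddJob callers outside the baseline of images known to print."""
    callers = defaultdict(int)
    for _t, pid, image, uuid, opnum in events:
        if uuid == MS_RPRN and opnum == RPC_ADD_JOB and image.lower() not in expected_images:
            callers[(pid, image)] += 1
    return [{"pid": p, "image": i, "jobs": n} for (p, i), n in callers.items()]
```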
RDP
SCENARIO
Diagram: WRK1 and WRK2, ONLY 3389 permitted between them, DENY ALL otherwise.
OPERATIONAL LIMITATIONS
• For C2, RDP Mapped Drives must be permitted (is by default)
• For RDP execution:
  • Target’s keyboard must be set to US English
  • No special characters in the relay name, for example underscores
DATAFLOW
Diagram: WRK1 and WRK2; the C3 relay POLLING C:\USERS\PUBLIC over the RDP mapped drive.
https://github.com/0xthirteen/SharpRDP/pull/11
CREATE CHANNEL
DOWNLOAD RELAY
EXECUTE RELAY
DETECTION OPPORTUNITIES
Diagram: WRK1.UK.MWR.COM and WRK2.UK.MWR.COM. RUNDLL32.EXE hosts Relay_x64_e03e_UNC, whose channel directory C:\Users\Public is reached as \\tsclient\C\Users\Public; SharpRDP running. Telemetry available:
• File Writes
• .NET Tooling / Module Loads
• Network Connections
DETECTION OPPORTUNITIES - .NET TOOLING
RUNDLL32.EXE hosting Relay_x64_e03e_UNC, running SharpRDP
DETECTION OPPORTUNITIES - MODULE LOADS
https://docs.microsoft.com/en-us/windows/win32/termserv/imsrdpclientadvancedsettings-interface
https://github.com/0xthirteen/SharpRDP/blob/master/SharpRDP/SharpRDP/Client.cs#L119
RDP ActiveX Client DLL Loaded
DETECTION OPPORTUNITIES - NETWORK CONNECTIONS
RUNDLL32.EXE connecting to 3389
Beacon staging
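An added correlation, not from the talk or SharpRDP, joining the two signals above over constructed Sysmon-style events: the RDP ActiveX client DLL (assumed here to be mstscax.dll) loaded into a process other than mstsc.exe that also connects to 3389, and, on the RDP server side, file writes into the redirected \\tsclient\ drive.

```python
"""Correlate Sysmon events into an 'RDP client hosted by an unexpected
process' finding: RDP ActiveX client load (EID 7) plus an outbound 3389
connection (EID 3) from the same process, and, on the far side, file writes
into the redirected client drive (EID 11, \\tsclient\...).

Added example, not from the talk or SharpRDP.  Events are CONSTRUCTED dicts
using Sysmon field names; mstscax.dll is assumed to be the RDP ActiveX client
DLL the slides refer to.
"""
from collections import defaultdict

RDP_CLIENT_DLL = "mstscax.dll"
EXPECTED_RDP_HOSTS = {"mstsc.exe"}   # images that legitimately host the control

SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "A", "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\mstscax.dll"},
    {"EventID": 3, "ProcessGuid": "A", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "10.0.0.22", "DestinationPort": 3389},
    {"EventID": 7, "ProcessGuid": "B", "Image": r"C:\Windows\System32\mstsc.exe",
     "ImageLoaded": r"C:\Windows\System32\mstscax.dll"},
    {"EventID": 3, "ProcessGuid": "B", "Image": r"C:\Windows\System32\mstsc.exe",
     "DestinationIp": "10.0.0.22", "DestinationPort": 3389},
    {"EventID": 3, "ProcessGuid": "C", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "D", "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"\\tsclient\C\Users\Public\2f1a9c.tmp"},
    {"EventID": 11, "ProcessGuid": "E", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_rogue_rdp_clients(events):
    """Processes that load the RDP ActiveX control AND connect to 3389, minus mstsc.exe."""
    loaded, connected, image_of = set(), defaultdict(set), {}
    for e in events:
        image_of[e["ProcessGuid"]] = basename(e["Image"])
        if e["EventID"] == 7 and basename(e["ImageLoaded"]) == RDP_CLIENT_DLL:
            loaded.add(e["ProcessGuid"])
        elif e["EventID"] == 3 and e["DestinationPort"] == 3389:
            connected[e["ProcessGuid"]].add(e["DestinationIp"])
    return [{"guid": g, "image": image_of[g], "targets": sorted(connected[g])}
            for g in sorted(loaded & set(connected))
            if image_of[g] not in EXPECTED_RDP_HOSTS]


def find_tsclient_writes(events):
    """File writes into the RDP-redirected client drive, as seen on the RDP server."""
    return [{"guid": e["ProcessGuid"], "image": basename(e["Image"]), "path": e["TargetFilename"]}
            for e in events
            if e["EventID"] == 11 and e["TargetFilename"].lower().startswith("\\\\tsclient\\")]
```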
LDAP
SCENARIO
Diagram: WRK1 and WRK2, DENY ALL between them in both directions; both can reach ANY DOMAIN CONTROLLER.
OPERATIONAL LIMITATIONS
• Both sides should communicate with the same DC
• Both sides must modify the same user’s attributes
• Limited by the size and data type of the target attribute
http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/
https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
DATAFLOW
Diagram: WRK1 and WRK2 exchange packets through a Target User AD Object.
1. Writes to LOCK attribute with destination ID
2. Writes message to DATA attribute
3. Check LOCK attribute for correct ID
4. Read and clear both attributes
CREATE CHANNEL
CHANNEL CREATION
DATA LDAP ATTRIBUTE – Used to send & receive packets. The default is mSMQSignCertificates, as it doesn’t require special privileges to modify, is large (1MB), and is rarely ever set. Manually check that it is empty before using.
MAX PACKET SIZE – The maximum size of the packets that C3 should attempt to write to the given Data LDAP Attribute. This will be different if you change the Data LDAP Attribute above.
USERNAME – The UPN of an account with permissions to modify the target user’s attributes (often the target user itself). Must be specified in UPN format, for example [email protected]. Defaults to the user executing the relay if left blank.
USER DISTINGUISHED NAME – The user whose attributes should be changed. This is often the same user as above, however it doesn’t need to be. Can’t be left blank, and must be in DN format, for example CN=james,CN=Users,DC=UK,DC=MWR,DC=com
EXECUTE RELAY
DETECTION OPPORTUNITIES
Diagram: WRK1 and WRK2 (DENY ALL between them) and ANY DOMAIN CONTROLLER, annotated with the telemetry available at each point:
• Network Connections
• Logon Events
• Directory Service Access/Changes
• LDAP Queries
DETECTION OPPORTUNITIES - NETWORK CONNECTIONS
WRK1.UK.MWR.COM connecting to DC2.UK.MWR.COM
DETECTION OPPORTUNITIES - LDAP QUERIES
https://github.com/FSecureLABS/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/LDAP.cpp
Check Lock Attribute -> No further action
Check Lock Attribute -> Write to Data Attribute
Source: Microsoft-Windows-LDAP-Client
DETECTION OPPORTUNITIES - DIRECTORY SERVICE CHANGES
Event ID 5136
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
https://oidref.com/2.5.5
Dsobject_attribute_type 2.5.5.12 = Unicode string
Dsobject_attribute_type 2.5.5.10 = String(Octet); a string of bytes
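An added detection over constructed Event ID 5136 records (not from the talk or C3) for the lock/data dataflow described earlier: the data attribute on one user object is set and cleared round after round, and a second attribute moves in lock-step with it. The field names follow 5136's schema; the rendered operation strings and the 'info' attribute standing in for the channel's lock attribute are assumptions.

```python
"""Spot an LDAP-attribute C2 channel in Directory Service Changes events
(Event ID 5136): the same attribute on one user object is set and cleared
over and over, and a second (lock) attribute moves in lock-step with it.

Added example, not part of the talk or of C3.  Events are CONSTRUCTED tuples
carrying the 5136 fields used here (time, SubjectUserName, ObjectDN,
AttributeLDAPDisplayName, AttributeSyntaxOID, OperationType).  'info' stands
in for whatever lock attribute a channel is configured with.
"""
from collections import defaultdict

DATA_ATTR = "mSMQSignCertificates"          # C3 default data attribute
OCTET_STRING, UNICODE_STRING = "2.5.5.10", "2.5.5.12"
ADDED, DELETED = "Value Added", "Value Deleted"
JAMES = "CN=james,CN=Users,DC=UK,DC=MWR,DC=com"


def _cycle(t0, subject, dn):
    """One send/receive round: lock and data written, then both cleared."""
    return [(t0, subject, dn, "info", UNICODE_STRING, ADDED),
            (t0 + 1, subject, dn, DATA_ATTR, OCTET_STRING, ADDED),
            (t0 + 4, subject, dn, "info", UNICODE_STRING, DELETED),
            (t0 + 4, subject, dn, DATA_ATTR, OCTET_STRING, DELETED)]


# Constructed sample: three channel rounds on james, plus one benign change.
SAMPLE_EVENTS = (_cycle(0, "james", JAMES) + _cycle(10, "james", JAMES) + _cycle(20, "james", JAMES)
                 + [(5, "Administrator", "CN=bob,CN=Users,DC=UK,DC=MWR,DC=com",
                     "telephoneNumber", UNICODE_STRING, ADDED)])


def find_attribute_churn(events, min_cycles=3, window_s=300):
    """Return (dn, attribute) pairs completing >= min_cycles add->delete rounds within window_s."""
    per_attr = defaultdict(list)
    for t, subject, dn, attr, _syntax, op in sorted(events):
        per_attr[(dn, attr)].append((t, op, subject))
    hits = []
    for (dn, attr), ops in per_attr.items():
        cycles, subjects, open_add = [], set(), None
        for t, op, subject in ops:
            subjects.add(subject)
            if op == ADDED:
                open_add = t
            elif op == DELETED and open_add is not None:
                cycles.append((open_add, t))     # one complete write-then-clear round
                open_add = None
        for i in range(len(cycles) - min_cycles + 1):
            if cycles[i + min_cycles - 1][1] - cycles[i][0] <= window_s:
                hits.append({"dn": dn, "attribute": attr, "cycles": len(cycles),
                             "subjects": sorted(subjects)})
                break
    return hits


def find_lockstep_attributes(events, max_skew_s=2):
    """Return attribute pairs on one object whose additions repeatedly land within max_skew_s."""
    adds = defaultdict(lambda: defaultdict(list))
    for t, _subject, dn, attr, _syntax, op in events:
        if op == ADDED:
            adds[dn][attr].append(t)
    pairs = []
    for dn, by_attr in adds.items():
        attrs = sorted(by_attr)
        for i, a in enumerate(attrs):
            for b in attrs[i + 1:]:
                paired = sum(1 for ta in by_attr[a]
                             if any(abs(ta - tb) <= max_skew_s for tb in by_attr[b]))
                if paired >= 2:
                    pairs.append({"dn": dn, "attributes": (a, b), "paired_writes": paired})
    return pairs
```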
DETECTION OPPORTUNITIES - DIRECTORY SERVICE ACCESS
Event ID 4662
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/6772e5ca-806c-483a-b673-cd8089ba6a3e
https://docs.microsoft.com/en-us/windows/win32/adschema/a-msmqsigncertificates
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
CONCLUSIONS
• Review the trust boundaries between critical networks. …Are they as air-gapped as you think?
• Is there a data flow that could be exploited? …Can these be mitigated? Prevented? Detected?
• Are there internal or external services that could be leveraged for C2? …Can this attack surface be reduced?
https://github.com/FSecureLABS/C3
#C3 on BloodHound Slack