Full Report
Stephan Borosh // The year of 2021 has presented some interesting challenges to securing Windows and Active Directory environments with new flaws that Microsoft has been slow to address. In June, @Harmj0y and @tifkin_ […] The post Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: PetitPotam
## Overview
PetitPotam is a tool designed to exploit vulnerabilities related to RPC protocols (specifically MS-EFSRPC) to entice a remote host (server or workstation) to send its machine account hash back to the adversary. This allows an attacker to capture hashes without prior authentication.
## Technical Details
- Type: Tool
- Platform: Windows
- Capabilities: Triggers remote hosts to send machine account hashes via MS-EFSRPC, enables relaying authentication to AD CS servers.
- First Seen: July 2021 (based on context of related vulnerability disclosure)
## MITRE ATT&CK Mapping
- T1558 - Steal or Forge Kerberos Tickets
- T1558.003 - Kerberoasting
- *(Note: The primary function described here is hash theft/relay for subsequent authentication, directly supporting credential access and lateral movement)*
- T1078 - Valid Accounts
- T1078.003 - Local Accounts
- T1558.004 - NTLM Relay
- *(Indirectly, as the captured hash can be immediately relayed or used)*
## Functionality
### Core Capabilities
- Invokes the MS-EFSRPC protocol on a target system.
- Entices the target remote host to send its machine account hash (authenticated or not) back to the attacker.
### Advanced Features
- Allows any user on the network to obtain a machine account hash from a target simply by invoking the MS-EFSRPC protocol against it, regardless of the caller's current authentication state.
## Indicators of Compromise
- File Hashes: N/A (Tool execution)
- File Names: Petitpotam.py (if using Python script distribution)
- Registry Keys: N/A
- Network Indicators: Communication using the MS-EFSRPC protocol (the RPC endpoint mapper on 135/TCP, or dynamically assigned MSRPC ports).
- Behavioral Indicators: Outbound MSRPC connections attempting to bind to the MS-EFSRPC interface on target systems.
## Associated Threat Actors
- Not explicitly named as being used by a specific APT, but leveraged in conjunction with other Red Team/Adversary Emulation tools (Cobalt Strike, Rubeus, Impacket).
## Detection Methods
- Signature-based detection: Detection of the PetitPotam executable or script file.
- Behavioral detection: Monitoring for unusual invocation of the MS-EFSRPC interface, or for outgoing traffic from the local host to remote systems that indicates authentication-coercion (hash capture) attempts.
## Mitigation Strategies
- Patching systems against related credential leakage vulnerabilities (though PetitPotam abuses intended protocol behaviour, namely the MS-EFSRPC interaction, rather than a single bug).
- Disabling anonymous access or known attack vectors related to MS-EFSRPC if possible.
- Implementing strong network segmentation to limit which hosts an attacker can target with PetitPotam.
## Related Tools/Techniques
- SpoolSample (Uses MS-RPRN to entice authentication via Print Spooler)
- Impacket/ntlmrelayx.py (Used to relay captured hashes or perform AD CS relay attacks)
- CVE-2021-36934 (Used in the example methodology to gain initial access/privilege escalation)
***
# Tool/Technique: SpoolSample
## Overview
SpoolSample is a tool used to invoke the MS-RPRN RPC service via the Print Spooler on a target machine. Its purpose is to trick systems (often internal servers) into authenticating back to an adversary-controlled host.
## Technical Details
- Type: Tool
- Platform: Windows
- Capabilities: Invokes MS-RPRN RPC service to force target systems to authenticate to an adversary-controlled host.
- First Seen: Unknown (predates the June/July 2021 research discussed here)
## MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1078.003 - Local Accounts
- T1558.004 - NTLM Relay
- *(Used specifically to capture credentials that can then be relayed)*
## Functionality
### Core Capabilities
- Triggers remote authentication back to the attacker using the Print Spooler service's MS-RPRN functionality.
### Advanced Features
- Requires the adversary to possess Active Directory user credentials to operate effectively in some environments (contrast with PetitPotam, which can capture machine hashes without existing credentials).
## Indicators of Compromise
- File Hashes: N/A
- File Names: SpoolSample
- Registry Keys: N/A
- Network Indicators: Outbound connections utilizing the Print Spooler service (Port 135/TCP or dynamic ports for RPC).
- Behavioral Indicators: Unusual network connections initiated by system processes targeting exposed SPN/RPC services on an adversary-controlled endpoint.
## Associated Threat Actors
- Not specified, associated with researchers who published AD CS exploitation research.
## Detection Methods
- Behavioral detection: Monitoring for invocation of MS-RPRN RPC service endpoint.
- Network Monitoring: Detecting outbound MSRPC connections triggered by local user interaction or automated processes.
## Mitigation Strategies
- Disabling the Print Spooler service on potentially exposed systems if not strictly required.
- Hardening permissions related to Print Spooler configuration.
## Related Tools/Techniques
- PetitPotam (Similar goal of capturing hashes via protocol manipulation)
- Impacket/ntlmrelayx.py (Used for relaying captured credentials)
***
# Tool/Technique: CVE-2021-36934 (HiveNightmare/SeriousSAM)
## Overview
This entry covers the vulnerability (and the tools that exploit it, as well as the patch that addresses it) that allows any local user to read the SAM and SYSTEM registry hives from a Volume Shadow Copy, if one is present, leading to local privilege escalation.
## Technical Details
- Type: Vulnerability/Technique (Exploit context)
- Platform: Windows
- Capabilities: Local non-administrative users can read SAM and SYSTEM hives from shadow copies, allowing extraction of credential hashes (e.g., Administrator hash).
- First Seen: July 2021 (Contextual date for public disclosure/exploitation)
## MITRE ATT&CK Mapping
- T1003 - OS Credential Dumping
- T1003.002 - Security Account Manager
- T1003.005 - Cloud Instance Metadata Service API
- *(Note: Mapping focuses on SAM/SYSTEM dump aspect)*
- T1068 - Exploitation for Privilege Escalation
## Functionality
### Core Capabilities
- Bypassing standard file permissions to access critical SAM/SYSTEM hives via Volume Shadow Copy Service (VSS).
### Advanced Features
- When combined with tools like Mimikatz, this allows retrieval of local administrator password hashes, enabling subsequent Pass-the-Hash attacks.
## Indicators of Compromise
- File Hashes: N/A (Implied use of an exploit/launcher DLL)
- File Names: The associated .NET tool executed in memory via `execute-assembly`.
- Registry Keys: Access/creation related to Volume Shadow Copies.
- Network Indicators: N/A (Local privilege escalation activity).
- Behavioral Indicators: File access attempts on VSS components or registry hives that should be protected from the executing user context.
## Associated Threat Actors
- Not specified, demonstrated in research methodology.
## Detection Methods
- Behavioral detection: Monitoring for non-standard access patterns to registry hives (SAM/SYSTEM) by low-privilege processes, especially involving VSS components.
## Mitigation Strategies
- Applying Microsoft security updates addressing CVE-2021-36934.
## Related Tools/Techniques
- Mimikatz (Used post-exploitation to parse the dumped hives)
- Sharp-SMBExec (Used subsequently to leverage stolen hashes for lateral movement/privilege escalation)
***
# Tool/Technique: Sharp-SMBExec
## Overview
Sharp-SMBExec is a tool used to execute commands on a remote system via SMB, authenticating with Pass-the-Hash (PtH). In the context described, it is run against the local host to execute a payload as SYSTEM after obtaining a password hash via CVE-2021-36934 exploitation.
## Technical Details
- Type: Tool
- Platform: Windows (likely .NET based)
- Capabilities: Executes commands on a target host using a provided username and NTLM hash (PtH).
- First Seen: Unknown (Part of community tools ecosystem)
## MITRE ATT&CK Mapping
- T1021 - Remote Services
- T1021.002 - SMB/Windows Admin Shares
- T1550 - Use Alternate Authentication Material
- T1550.002 - Pass the Hash (PtH)
## Functionality
### Core Capabilities
- Executes remote commands via the SMB protocol using hashed credentials.
### Advanced Features
- Capable of executing payloads (like implanting a Cobalt Strike beacon) with high privileges (e.g., SYSTEM).
## Indicators of Compromise
- File Hashes: N/A (Executed via `execute-assembly`)
- File Names: Sharp-SMBExec.exe
- Registry Keys: N/A
- Network Indicators: SMB traffic (Port 445/TCP) directed towards the target host (`localhost` in the example).
- Behavioral Indicators: Injection of processes or execution of shell commands via SMB service channels.
## Associated Threat Actors
- Not specified, used in the overall attack methodology chain.
## Detection Methods
- Behavioral monitoring of remote process execution over SMB.
- Signature matching on the tool assembly.
## Mitigation Strategies
- Network restrictions on lateral movement via SMB (Firewalls/ACLs).
- Applying LAPS for local administrator passwords to prevent hash reuse.
## Related Tools/Techniques
- Cobalt Strike (Used for initial access and staging/execution)
- Impacket (Similar SMB execution capabilities)
***
# Tool/Technique: PortBender / WinDivert
## Overview
PortBender (utilizing the WinDivert driver) is used to establish advanced traffic manipulation within the compromised host's network stack. It allows the adversary to proxy traffic originating from the compromised host (BENDERPC) back to the Cobalt Strike Team Server, bypassing NAT or firewall issues related to C2 communications.
## Technical Details
- Type: Tool/Utility (Driver-based approach)
- Platform: Windows
- Capabilities: Diverts and forwards network traffic through a SOCKS proxy channel established by the Cobalt Strike beacon, effectively bridging local network access to the external command infrastructure.
- First Seen: Unknown
## MITRE ATT&CK Mapping
- T1090 - Proxy
- T1090.003 - Multi-hop Proxy
## Functionality
### Core Capabilities
- **Traffic Diversion:** Reroutes inbound/outbound traffic on specific ports (e.g., redirecting port 445 traffic to beacon's reverse port forwarder).
- **Proxy Chaining:** Enables traffic flow through the Cobalt Strike agent (`rportfwd`) via a SOCKS proxy.
### Advanced Features
- Allows the adversary to maintain persistent command and control and launch internal attacks (like the AD CS relay) from the compromised internal host, even if that host does not have direct internet access for the attacker's controller.
## Indicators of Compromise
- File Hashes: N/A (Uses WinDivert driver)
- File Names: PortBender utility files.
- Registry Keys: N/A
- Network Indicators: Unusual traffic patterns on internal hosts involving ports commonly used for internal reconnaissance/lateral movement (e.g., 445, 135) being routed unexpectedly.
- Behavioral Indicators: Installation/use of network filter drivers (WinDivert).
## Associated Threat Actors
- Not specified, standard pivoting/C2 evasion technique.
## Detection Methods
- EDR detection of driver installations/modifications related to network filtering (WinDivert).
- Network traffic analysis showing protocol tunneling or unexpected port usage.
## Mitigation Strategies
- Strict control over the installation of network filtering drivers or custom packet manipulation software.
## Related Tools/Techniques
- Cobalt Strike SOCKS Proxy function.
- NTLMRelay traffic used for AD CS attack.
***
# Tool/Technique: NTLMRelayx.py (Modified for AD CS Attack)
## Overview
NTLMRelayx.py is a component of the Impacket suite, modified specifically to exploit weaknesses in Active Directory Certificate Services (AD CS). The tool relays captured NTLM authentication to the AD CS server to obtain a certificate issued for the relayed user/machine account.
## Technical Details
- Type: Tool/Framework Component (Modified)
- Platform: Linux/Cross-Platform (Requires Python environment)
- Capabilities: Relays NTLM authentication from an unauthenticated source to an AD CS server to obtain a certificate for the target account. Used here across a SOCKS proxy configured via PortBender.
- First Seen: Modified version released in the context of the June 2021 AD CS research (post-June 2021).
## MITRE ATT&CK Mapping
- T1558.004 - NTLM Relay
- T1136 - Create Account
- T1136.002 - Domain or Cloud Account
- *(Achieved via certificate abuse leading to domain takeover)*
- T1113 - Credential Dumping
- *(Leads to certificate forgery which facilitates further attacks)*
## Functionality
### Core Capabilities
- Listens for NTLM authentication attempts (relayed via PetitPotam or other means).
- Relays this negotiation to the specified AD CS endpoint (`certfnsh.asp`).
- Requests enrollment for a certificate template (e.g., "domaincontroller").
### Advanced Features
- Support for SMBv2.
- Ability to operate through a proxy chain (using `proxychains`) to communicate with internal C2 infrastructure post-pivot.
## Indicators of Compromise
- File Hashes: N/A (Script execution)
- File Names: ntlmrelayx.py
- Registry Keys: N/A
- Network Indicators: Connection attempts to the AD CS endpoint over HTTP/HTTPS, carrying NTLM negotiation data relayed over SMB or HTTP.
- Behavioral Indicators: Execution of Python scripts involving high volume MSRPC/SMB traffic targeting certificate services endpoints.
## Associated Threat Actors
- Not specified, researchers/red team operations exploiting AD CS configurations.
## Detection Methods
- Monitoring AD CS logs for unusual certificate requests associated with relayed NTLM hashes.
- IDS/IPS rules detecting NTLM authentication directed at the AD CS front-end, where user and machine accounts would not normally authenticate (their standard authentication goes to the domain controllers).
## Mitigation Strategies
- Restricting AD CS configuration to only allow enrollment from trusted, authorized sources.
- Implementing security updates regarding certificate vulnerabilities (e.g., "Certified Pre-Owned").
## Related Tools/Techniques
- PetitPotam (The preceding tool that generates the required authentication challenge).
- Rubeus (Used immediately after to utilize the acquired certificate).
***
# Tool/Technique: Rubeus
## Overview
Rubeus is a C# tool designed to interact with the Kerberos protocol on Windows. In this context, it is used to take the newly acquired AD CS certificate (which granted control over a machine account, such as DC01$) and inject the corresponding ticket into the current session's memory, impersonating the high-privileged account.
## Technical Details
- Type: Tool
- Platform: Windows (.NET executable)
- Capabilities: Imports Kerberos tickets via the /ptt (Pass-the-Ticket) flag; capable of manipulating Kerberos objects and performing attacks like DCSync.
- First Seen: Part of GhostPack suite (Known prior to 2021).
## MITRE ATT&CK Mapping
- T1558.003 - Kerberoasting
- T1558.001 - Kerberos Ticket Request/Acquisition
- T1003.001 - LSASS Memory (Related to credential access post-ticket use)
## Functionality
### Core Capabilities
- Accepts a certificate (base64 encoded) and imports the associated Kerberos ticket into the current session.
- Enables the attacker session to authenticate as the machine account associated with the certificate.
### Advanced Features
- Allows subsequent high-impact attacks like DCSync against the Domain Controller, effectively granting domain administrator equivalent privileges.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Rubeus.exe
- Registry Keys: N/A
- Network Indicators: Kerberos authentication initiated from the compromised host using the injected ticket and, if a follow-on attack such as DCSync is performed, directory replication requests originating from a host that is not a domain controller.
- Behavioral Indicators: Memory injection into privileged processes with commands related to Kerberos ticket manipulation, often executed via `execute-assembly` from Cobalt Strike.
## Associated Threat Actors
- Widely used by various threat actors and red teams due to its comprehensive Kerberos manipulation capabilities.
## Detection Methods
- EDR monitoring for `execute-assembly` invocation of Rubeus.exe.
- Monitoring LSASS process API calls for unauthorized credential access or ticket manipulation.
## Mitigation Strategies
- Enforcing Credential Guard and LSA Protection on critical systems (like DCs).
- Hardening monitoring around ticket injection by unmanaged processes.
## Related Tools/Techniques
- DCSync (The attack performed using the injected ticket).
- Cobalt Strike (Used as the delivery mechanism for `execute-assembly`).