Full Report
> “This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now guard thee, miscreant, for I am Tirian of Narnia.”
>
> C.S. Lewis

tl;dr: You are part of the red team that has just compromised the entire AD infrastructure. The blue team quickly changes the password, which is always recommended, but is this effective in preventing the red team from still inflicting damage?
Analysis Summary
# Tool/Technique: HTTP Basic Authentication Credential Collector & Password Hooking DLL
## Overview
This summary describes a technique used by a red team to intercept credentials, specifically targeting two methods: capturing credentials via an HTTP Basic Authentication listener (using Metasploit) and intercepting password changes on a Domain Controller using a custom DLL injected via Empire's reflective DLL injection capabilities. The goal is to demonstrate that simply changing a password post-compromise does not negate the initial breach if the attacker has implanted persistence or mechanisms to capture new credentials immediately.
## Technical Details
- Type: Tool & Technique (Metasploit module, Custom DLL, Framework module)
- Platform: Windows x64 (the DLL injection is demonstrated against an x64 system; Domain Controllers are the stated target)
- Capabilities: Capturing HTTP Basic Authentication credentials, Hooking Windows API functions (specifically for password changes) via DLL injection, Reflective DLL loading.
- First Seen: The underlying techniques predate this write-up; the article describing this specific combination is dated November 2016.
## MITRE ATT&CK Mapping
This scenario combines multiple adversary actions:
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping
    - T1003.001 - LSASS Memory (implied by targeting `lsass.exe` for injection/hooking on the DC)
  - T1552 - Unsecured Credentials
    - T1552.001 - Credentials in Files (if the collected credentials are written to disk)
- **TA0005 - Defense Evasion**
  - T1055 - Process Injection
    - T1055.001 - Dynamic-link Library Injection (specifically Reflective DLL Injection)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell (the Empire agent)
## Functionality
### Core Capabilities
1. **HTTP Basic Authentication Credential Collection:** Setting up a listener using Metasploit's `auxiliary/server/capture/http_basic` module to catch credentials sent via HTTP basic authentication.
2. **Password Change Interception (Hooking):** Deploying a custom compiled DLL (`HookPasswordChange.dll`) that hooks password-related functions in the target process (the article does not name them; the Domain Controller's password-change flow is the target) so that the new credential is captured at the moment a password is set or changed.
### Advanced Features
1. **Reflective DLL Injection:** Utilizing Empire's `invoke_reflectivepeinjection` module to load the custom DLL directly into the memory space of a running process (specifically targeting `lsass.exe` PID 508 in the example) without writing the DLL to disk, enhancing stealth.
2. **Persistence/Bypassing Password Reset:** The core premise is that by capturing new passwords via hooking, simply changing the old compromised password does not stop the attacker from immediately gaining the new valid credentials.
## Indicators of Compromise
*Note: Based on the specific configuration used in the scenario:*
- File Hashes: N/A for standard components (Metasploit/Empire), custom DLL hash would be specific to the attacker's build.
- File Names: `HookPasswordChange.dll` (The custom payload).
- Registry Keys: Not explicitly mentioned for this technique set.
- Network Indicators:
  - C2/Listener Host: `172.24.42.46` (Defanged: `172[.]24[.]42[.]46`)
  - Listener Port: `8085`
  - Module Used: `auxiliary/server/capture/http_basic`
- Behavioral Indicators:
  - Execution of `invoke_reflectivepeinjection` via an Empire agent against a high-integrity process (e.g., `lsass.exe` PID 508).
  - Network traffic directed to the configured SRVHOST/SRVPORT listener carrying Basic Authentication credentials.
## Associated Threat Actors
The article credits the general technique concepts to prior work in the security community; the specific execution shown uses **Empire**, a framework commonly seen in Red Team operations and in sophisticated threat groups' fileless tradecraft.
## Detection Methods
- **Signature-based detection:** Signatures for known versions of the Metasploit module or for known Empire PowerShell command patterns (limited effectiveness against the custom DLL and its hooks).
- **Behavioral detection:** Monitoring for suspicious DLL injection into critical processes such as `lsass.exe`, especially reflective loading (process handles opened with write and thread-creation rights, remote threads created from a scripting host). Detecting a listener such as `auxiliary/server/capture/http_basic` appearing inside the network, or clients sending Basic Authentication credentials to it.
- **YARA rules:** YARA rules targeting the compiled `.dll` structure or known strings within the custom DLL, if a sample is available.
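The behavioral detection above, as an added example that is not part of the original write-up: it scans Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records for injection into `lsass.exe`, using the Win32 access-mask bits a reflective injector needs. The event records are constructed sample data, with the PID 508 taken from the scenario.

```python
# Added example (not the article's code): flag Sysmon-like ProcessAccess /
# CreateRemoteThread records consistent with DLL injection into lsass.exe.
# The records in SAMPLE_EVENTS are constructed, not real captures.

# Win32 process access rights a reflective injector must obtain on the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

PROTECTED = {"lsass.exe"}  # protected targets; extend for your environment

SAMPLE_EVENTS = [  # constructed: EventID 10 = ProcessAccess, EventID 8 = CreateRemoteThread
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 508, "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 508, "GrantedAccess": "0x1400"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 508, "StartAddress": "0x00007FF6A1B20000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "TargetProcessId": 1320, "GrantedAccess": "0x1FFFFF"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def injection_findings(events):
    """Return (event_index, reason) for records that look like code injection into a protected process."""
    findings = []
    for i, ev in enumerate(events):
        target = basename(ev["TargetImage"])
        if target not in PROTECTED:
            continue
        src = basename(ev["SourceImage"])
        if ev["EventID"] == 10:
            mask = int(ev["GrantedAccess"], 16)
            # Injection needs write + thread-creation rights; a query-only open (e.g. 0x1400) does not.
            if mask & INJECT_MASK == INJECT_MASK:
                findings.append((i, f"{src} opened {target} (PID {ev['TargetProcessId']}) with write/thread rights {ev['GrantedAccess']}"))
        elif ev["EventID"] == 8:
            # A remote thread created in lsass from any source is worth an alert on its own.
            findings.append((i, f"{src} created a remote thread in {target} at {ev['StartAddress']}"))
    return findings


if __name__ == "__main__":
    for idx, reason in injection_findings(SAMPLE_EVENTS):
        print(f"[{idx}] {reason}")
```

Tuning the source-process allowlist (e.g. your EDR agent legitimately opening `lsass.exe`) is the main work in production; the mask check is what separates benign query opens from injection-capable handles.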
## Mitigation Strategies
- **Prevention measures:** Tightly controlling or blocking the PowerShell tooling Empire relies on, e.g., with application control such as AppLocker/WDAC.
- **Hardening recommendations:** Restricting process injection capabilities where possible. On Domain Controllers, enforce least privilege strictly. Regularly audit memory for signs of injection or hooking activity in sensitive processes. Ensure application environments (e.g., web servers interacting with Basic Auth) are hardened or use Kerberos/Negotiate authentication instead of Basic Auth.
## Related Tools/Techniques
- **Metasploit:** `auxiliary/server/capture/http_basic`
- **Empire:** `code_execution/invoke_reflectivepeinjection`
- **Techniques:** Function Hooking (IAT/inline hooking performed by the DLL), Reflective DLL Injection (PowerSploit's Invoke-ReflectivePEInjection; the DLL is never written to disk).