hunting (l)users using WinAPI calls only
2016-12-03 20:57:26 by rui
During Red Team engagements it is common to track/hunt specific users. Assuming we already have access to a desktop as a normal user (no matter how, always "assume compromise") in a Windows Domain and we want to spread laterally. We want to know where the user is logged on, if he is a local administrator in any box, to which groups he belongs, if he has access to file shares, and so on. Enumerating hosts, users, and groups will also help to get a better understanding of the Domain layout.
You might be thinking, "use Powerview". Lately, one of the most common problems I encounter during Red Team exercises is the fact that PowerShell is heavily monitored. If you use it, you'll get caught, sooner or later. By now everyone is well aware how powerful PowerShell is, including Blue Teams and Security Vendors.
There are multiple ways to work around this. To avoid using multiple old school tools (psloggedon.exe, netsess.exe, nltest, netview, among others) and to reduce the amount of tools uploaded to compromised systems I created a simple tool that doesn't require Administrative privileges to run and collect the information listed below, and relies only on the Windows API.
You might end up dealing with white list bypass (however, based on my experience, its easier to find an environment with PowerShell properly locked down and heavily monitored than an environment with proper whitelisting implemented) and process evasion (there are some security tools that collect information about processes running, however, this leads us to a different discussion), but I'll leave that for another day because this discussion will end in long sequence of if's and ... let's keep this post short.
If you are asking yourself, "wouldn't these queries also trigger security events"? Yes, they will. However, at the moment they will most likely slip under the radar when compared with PowerShell, since PowerShell is getting a lot of attention these days.
In the meantime, is not new that Microsoft is taking security seriously and it is funny that they just released the following PowerShell script. Here's the description:
"SAMRi10" tool is a short PowerShell (PS) script which alters remote SAM access default permissions on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim's network.
Basically, a script that changes some 'registry' values. Nothing special though.
Blue Teams with Advanced Threat Analytics (ATA) can also see Red Teams enumerating sessions via 'net session', PowerShell, or (l)user hunter. However, ATA architecture is a bit complex and in some setups you may need to install the 'ATA Lightweight Gateway' directly on the domain controllers (which removes the requirement for port mirroring). Additionally, ATA can leverage Windows events (forwarded directly from the domain controllers or from a SIEM and analyze the data). Again, I haven't found that many organizations using ATA yet. I've seen a lot of organizations using SIEMs, but either they aren't collecting the right logs or they are completely overwhelmed with logs that inexperienced security analysts (most of the time juniors) can't make sense of. Also common is companies running default SIEM setups and without a clue on how to set it up properly.
Anyway, these are all valid reasons why I would like to eventually rewrite the 'min' and 'max' values delay between queries. In the meantime though we can still keep enumerating users, sessions, etc. low and slow.
- Retrieves current configuration information for the specified server (via list of hosts or domain enumeration). - OS Version - Server Type (DC, Backup DC, Workstation or Server, Terminal Server, MSSQL Server)
- Lists information about all users currently logged on to the workstation. - interactive, service and batch logons.
- Lists information about sessions established on a server.
- Retrieves information about each shared resource on a server. - checks if current user as read access.
- Returns results for the NS_DNS namespace, IPv4 protocol.
- Checks if current user is an Administrator on a server.
- Retrieves information about all user accounts on a server or DC.
- Retrieves a list of global groups to which a specified user belongs on a server or DC.
- Retrieves information about each global group in the security database, SAM database or Active Directory.
- Retrieves a list of the members in a particular global group in the security database, SAM database or Active Directory.
- Retrieves information about a particular user account on a server or DC.
- Enumerate the domain controllers in the local domain.
Additionally, for hosts enumeration there's a minimum and maximum delay value in seconds you can add to avoid detection/noise.
Expect further developments, specially on the 'error handling' side and 'look and feel'. I have a few more ideas that I would like to incorporate.
For usage examples refer to the GitHub repository, where I added some screenshots.