Adversarial SysAdmin - The Key to Effective Living off the Land
2024-10-27 21:58:44 Author: blog.zsec.uk(查看原文) 阅读量:6 收藏

In my previous role, we frequently employed ‘living off the land’ strategies, rarely using C2 infrastructure and instead relying on insider threat credentials or access to systems via legitimate means. Consequently, I have developed strong skills in manually searching for data and hunting based on keywords. Using built-in tools, manually searching network shares and SharePoint, and finding practical ways to manipulate legitimate data.

The LOLBAS/GTFOBINS projects have been written about tonnes of times and offer lots of methods for using legitimate OS binaries for nefarious purposes. Equally tools such as Snaffler, SauronEye, and SnaffPoint all offer a bit of searching ability inside environments for interesting data.

Neil Lines and I have presented on OffensiveSysAdmin Suite before, which uses PowerShell's ADSISearcher and you just want to gain some quick wins when searching built-in tools to obtain information about shares and Active Directory.

What if you're operating from a Virtual Desktop Environment/Interface(VDI) and you just want to gain some quick wins when searching built-in tools such as Windows Explorer or SharePoint?

When it comes to living off the land, sometimes it really is as simple as using the tools you have instead of bringing additional ones into the environment. SharePoint and Explorer are excellent adversarial tools that, when used correctly, allow you to blend into the environment and hunt out additional credentials and sensitive data.

SharePoint, like on-premise shares, can be a treasure trove of interesting information for an attacker. If not hardened correctly, access control on different files and folders can also be weak.

It has a reasonably decent built-in search that will take search terms like Explorer on Windows, but a little bit of helpful information I learnt recently is that it supports Kusto Query Language (KQL) and thus can take complex queries to hunt out specific file types or files containing certain information.

Before we dive into lots of queries, here are some key pieces of information that are worth knowing when building search queries:

  • Wildcards (*): Use * for partial matches. For example, content:"pass*" finds “password”, “passcode”, etc.
  • Proximity Search: To find terms that appear close to each other, use the tilde (~). For example, content:"password username"~5 finds files where “password” and “username” are within five words of each other.
  • Exclude Terms: To exclude certain words or file types, use NOT. For example, content:"password" NOT FileExtension:txt excludes text files.
  • Case Sensitivity: Searches are case-insensitive, so there’s no need to worry about capitalization.

Here are some queries you can try on your engagements; I've not included every single one but at least a high level of some operators that will help, I've created a repo with more for your usage:

GitHub - ZephrFish/LOLSearches: Living off the land searches for explorer and sharepoint

Living off the land searches for explorer and sharepoint - ZephrFish/LOLSearches

GitHubZephrFish

Find Passwords in Scripts

There are a few queries that can help here, especially when it comes to hunting out passwords, starting off simply with content searches:

content:"password" OR content:"username" OR content:"credential" OR content:"secret" OR content:"key" OR content:"token" OR content:"login"

Or, if you want to hunt out specific extensions:

(FileExtension:ps1 OR FileExtension:bat OR FileExtension:sh OR FileExtension:cmd OR FileExtension:py) AND (content:"password" OR content:"secret" OR content:"key" OR content:"credential" OR content:"token")

Common Script Extensions and Credential Patterns

(
    FileExtension:("ps1" OR "bat" OR "sh" OR "cmd" OR "py" OR "js" OR "ts" OR "rb" OR "pl" OR "php" OR "cs" OR "java" OR "go" OR "r" OR "sql" OR "groovy" OR "scala" OR "kt" OR "vb" OR "vbs" OR "psm1" OR "jsx" OR "tsx")
)
AND
(
    content:("password=" OR "password :" OR "password =>" OR "password :" OR "passwd=" OR "passwd :" OR "passwd =>" OR "pwd=" OR "pwd :" OR "pwd =>" OR "secret=" OR "secret :" OR "secret =>" OR "key=" OR "key :" OR "key =>" OR "api_key" OR "apiKey" OR "token=" OR "token :" OR "token =>" OR "access_token" OR "client_secret" OR "private_key" OR "BEGIN PRIVATE KEY" OR "aws_access_key_id" OR "aws_secret_access_key")
)

To break this query down as it is pretty complex, the following keywords explain the operation in the query:

  • FileExtension: Filters files with common scripting and programming extensions.
  • content: Searches for patterns where credentials are commonly stored or assigned.
  • Operators:
    • AND: Ensures both the file extension and content criteria are met.
    • OR: Includes any of the specified file extensions or content patterns.

Using Proximity Search to find more in code

(
    FileExtension:("ps1" OR "bat" OR "sh" OR "cmd" OR "py" OR "js" OR "ts" OR "rb" OR "pl" OR "php" OR "cs" OR "java" OR "go" OR "r" OR "sql" OR "groovy" OR "scala" OR "kt" OR "vb" OR "vbs" OR "psm1" OR "jsx" OR "tsx")
)
AND
(
    (content:"password*"~5) OR (content:"passwd*"~5) OR (content:"pwd*"~5) OR (content:"secret*"~5) OR (content:"key*"~5) OR (content:"token*"~5) OR (content:"api_key*"~5) OR (content:"apiKey*"~5) OR (content:"access_token*"~5) OR (content:"client_secret*"~5) OR (content:"private_key*"~5) OR (content:"aws_access_key_id*"~5) OR (content:"aws_secret_access_key*"~5)
)

I'm taking a leaf out of Snaffler's book (and I have to Google them each time), but using regular expressions works, too!

(
    FileExtension:("ps1" OR "py" OR "js" OR "java" OR "cs" OR "php" OR "rb" OR "go" OR "kt")
)
AND
(
    content:/.*(\/\/|#|\/\*|\*).*(password|secret|token).*/
)

Diving into scripts and content:

(
    FileExtension:("ps1" OR "bat" OR "sh" OR "cmd" OR "py" OR "js" OR "ts" OR "rb" OR "pl" OR "php" OR "cs" OR "java" OR "go" OR "r" OR "sql" OR "groovy" OR "scala" OR "kt" OR "vb" OR "vbs" OR "psm1" OR "jsx" OR "tsx")
)
AND
(
    content:/.*(password|passwd|pwd|secret|key|token|api_key|apiKey).*(=|:|=>).*/
)

Hunting Sysadmin Scripts

Often, sysadmins and developers like to put credentials in files, so hunting out their scripts can help uncover credentials and deeper understandings of how scripts and systems are put together.

content:"net use" OR content:"ipconfig" OR content:"netstat" OR content:"ping" OR content:"tracert" OR content:"nslookup" OR content:"net user" OR content:"net localgroup"

Hunt out AI and Machine Learning Files

As AI is all the rage these days, sometimes companies want you to hunt for things in your environment related to AI, so here is a quick win query for exactly that.

(FileExtension=pptx OR FileExtension=docx OR FileExtension=xlsx) AND (ContentsContainMetadata:"machine learning" OR ContentsContainMetadata:"deep learning" OR ContentsContainMetadata:"neural network" OR ContentsContainMetadata:"artificial intelligence" OR ContentsContainMetadata:"natural language processing" OR ContentsContainMetadata:"computer vision" OR ContentsContainMetadata:"data mining" OR ContentsContainMetadata:"predictive modeling" OR ContentsContainMetadata:"supervised learning" OR ContentsContainMetadata:"unsupervised learning" OR ContentsContainMetadata:"reinforcement learning" OR ContentsContainMetadata:tensorflow OR ContentsContainMetadata:pytorch OR ContentsContainMetadata:keras OR ContentsContainMetadata:"scikit-learn" OR ContentsContainMetadata:pandas OR ContentsContainMetadata:numpy OR ContentsContainMetadata:matplotlib)

Searching with Explorer

Much like searching with SharePoint, Windows Explorer also supports search operators, allowing for more complex hunting inside environments. I'm sure if you are reading this and you've used explorer to search for things in the past you've probably used things like:

content:password

But you might not know you can combine search operators together to find more juicy information, such as hunting out scripts that contain password:

(ext:.ps1 OR ext:.bat OR ext:.cmd OR ext:.vbs) content:"password"

If you want to find things within a specific date range(it works with UK and US layout but my VMs all have US layout 😦), you can add the following:

datecreated:01/01/2023..12/31/2025 (ext:.ps1 OR ext:.bat OR ext:.cmd OR ext:.py OR ext:.js OR ext:.php OR ext:.rb OR ext:.pl OR ext:.java OR ext:.cs) content:"password"

Find all script files created between January 1, 2023, and December 31, 2025, containing “password”. If you'd rather just have years in the search, you can use something like this too:

datecreated:2023..2025 (ext:.py OR ext:.js OR ext:.rb) content:"password"

If you want more search operators and queries check out the git repo:

GitHub - ZephrFish/LOLSearches: Living off the land searches for explorer and sharepoint

Living off the land searches for explorer and sharepoint - ZephrFish/LOLSearches

GitHubZephrFish


文章来源: https://blog.zsec.uk/lolsysadmin/
如有侵权请联系:admin#unsafe.sh