DOCSLIB.ORG

Finding Privesc with Procmon

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Finding Privesc with Procmon FINDING PRIVESC WITH PROCMON Vetle Økland ::1 • Pentester @ Nagarro • Live here in Oslo • Too young to understand why Windows does anything • Twitter: @bordplate • Blog: https://bordplate.no/blog/en What is Procmon? Process Monitor Boot logging • Consider disabling anti-virus scanning for smaller log files What are we looking for? Image from: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation- cve-2019-0841/ DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed Paths and Files • PATH NOT FOUND • NAME NOT FOUND Both of these in a user-writable folder indicate you can influence the program. Will wary based on file type and the program handling the files. Image from a vulnerability found by Florian Bogner at bogner.sh: https://bogner.sh/2018/02/local-privilege-escalation-in-crashplans-windows-client/ SetSecurityFile / Permission Overwrite CVE-2019-8452 – Permission Overwrite Hard links to any file • Courtesy of James Forshaw from Google’s Project Zero • Normal mklink tool does not allow hard links to files you don’t have write-access to • ZwSetInformationFile does not enforce that check • CreateHardLinkW does however • Native-HardLink.ps1 from https://github.com/ FuzzySecurity/PowerShell-Suite/blob/master/Native- HardLink.ps1 by @fuzzysec (Ruben Boonen) Unquoted service paths DLL search order hijacking Configuration • Need to have local admin Useful filters • SYSTEM • NAME NOT FOUND / PATH NOT FOUND • SetSecurityFilter (by its own) Exporting for other tools • Exports to CSV and XML • Exporting for XML with stack traces can create *really* big files Exploring in Procmon Hunting in registry • Not seen any potential for abuse • Include SYSTEM user • Exclude starting with HKLM and HKCU AccessEnum .
Load more

Recommended publications
  • Crypto Ransomware Analysis and Detection Using
    CRYPTO RANSOMWARE ANALYSIS AND DETECTION USING PROCESS MONITOR by ASHWINI BALKRUSHNA KARDILE Presented to the Faculty of the Graduate School of The University of Texas at Arlington in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE IN COMPUTER SCIENCE THE UNIVERSITY OF TEXAS AT ARLINGTON December 2017 Copyright © by Ashwini Balkrushna Kardile 2017 All Rights Reserved ii Acknowledgements I would like to thank Dr. Ming for his timely guidance and motivation. His insights for this research were valuable. I would also like to thank my committee members Dr. David Levine and Dr. David Kung for taking out time from their schedule and attending my dissertation. I am grateful to John Podolanko; it would not have been possible without his help and support. Thank you, John, for helping me and foster my confidence. I would like to thank my colleagues for supporting me directly or indirectly. Last but not the least; I would like to thank my parents, my family and my friends for encouraging me and supporting me throughout my research. November 16, 2017 iii Abstract CRYPTO RANSOMWARE ANALYSIS AND DETECTION USING PROCESS MONITOR Ashwini Balkrushna Kardile, MS The University of Texas at Arlington, 2017 Supervising Professor: Jiang Ming Ransomware is a faster growing threat that encrypts user’s files and locks the computer and holds the key required to decrypt the files for ransom. Over the past few years, the impact of ransomware has increased exponentially. There have been several reported high profile ransomware attacks, such as CryptoLocker, CryptoWall, WannaCry, Petya and Bad Rabbit which have collectively cost individuals and companies well over a billion dollars according to FBI.
    [Show full text]
  • Development Environment
    BLUESPAWN BLUESPAWN Dev Team Apr 28, 2021 CONTENTS 1 Our Mission 3 2 What is BLUESPAWN 5 3 Get Involved & Contribute to the project7 4 Why we made BLUESPAWN9 4.1 Contact Us................................................9 4.2 Sponsoring................................................9 4.3 Licensing.................................................9 4.4 Project Authors.............................................. 10 4.5 Publications............................................... 11 4.6 Hunts................................................... 11 4.7 Scan Mode................................................ 11 4.8 Mitigations................................................ 11 4.9 Reactions................................................. 11 4.10 Logging and Output........................................... 11 4.11 Agent7 Integration............................................ 11 4.12 Getting Started.............................................. 11 4.13 Examples of BLUESPWAN in Action.................................. 13 4.14 Using Mitigations............................................ 14 4.15 Getting Involved............................................. 18 4.16 Setting up your Development Environment............................... 18 4.17 Software Architecture Info........................................ 19 4.18 Project Roadmap............................................. 21 i ii BLUESPAWN CONTENTS 1 BLUESPAWN 2 CONTENTS CHAPTER ONE OUR MISSION BLUESPAWN helps blue teams monitor systems in real-time against active attackers by detecting
    [Show full text]
  • Multiband Plasma-Process Monitor C10346-01
    Multiband plasma-process monitor C10346-01 C10346-01 is a multiband plasma process monitor designed for real-time, monitoring of wide spectrum. Monitoring Plasma (Emission Spectrum) in Real-Time C10346-01 is a monitoring system to detect wide spectrum plasma emission during the process of etching, spattering and CVD in semiconductor manufacturing . With the various analysis functions, it can be used for setting up end-point detection conditions and automatic detection of etching and cleaning, estimation of plasma species and monitoring (plasma) contamination and abnormal discharges. Features Simultaneous measurements of wide (plasma) spectrum Easy measurement using optical fibers Captures wide spectrum (emission) from (plasma) radicals or ions. The equipped optical fiber can be easily attached to plasma C10346-01 : 200 nm to 950 nm chambers through a SMA connector widely used. Real-time plasma (emission) measurement Operation with multiple chambers Continuously measures up to 15 000 spectra at an interval of 20 ms A single analysis unit can control up to four C10346-01 (50 ms with concurrent running of detection software) Multiband plasma-process monitor via a USB 2.0 interface. Highly accurate and reliable measurements Data acquisition software A high resolution spectrometer and a ultra-high sensitive photo The data acquisition software stores the spectrum data into detector are firmly locked in position to assure the acquisition of the database during plasma process. This stored data can accurate spectrum and precise spectrum responsivity data then be used for spectrum data calculations. through sharply focused plasma emission spectrum images. Optional software High-sensitivity detection in UV spectrum region High sensitive endpoint detection and real-time monitoring of Detects the UV spectrum region from 200 nm with high process abnormality are achieved by creating ''detection model''.
    [Show full text]
  • Process Monitor
    Моим коллегам — специалистам по устранению неполадок Windows. Никогда не отступайте и не сдавайтесь! – Марк Руссинович Элизе, благодаря ей сбываются самые прекрасные мечты! (И она гораздо круче меня!) – Аарон Маргозис SIN_Titul.indd I 29.12.2011 13:41:15 Mark Russinovich Aaron Margosis Windows® Sysinternals Administrator's Reference SIN_Titul.indd II 29.12.2011 13:41:15 Марк Руссинович Аарон Маргозис Предисловие Дэвида Соломона Утилиты Sysinternals Справочник администратора 2012 SIN_Titul.indd III 29.12.2011 13:41:15 УДК 004.738.5 ББК 32.973.202 P89 Руссинович Марк, Маргозис Аарон P89 Утилиты Sysinternals. Справочник администратора. / Пер. с англ. — М. : Издательство «Русская редакция» ; СПб. : БХВ-Петербург, 2012. — 480 стр. : ил. ISBN 978-5-7502-0411-3 («Русская редакция») ISBN 978-5-9775-0826-1 («БХВ-Петербург») Эта книга — исчерпывающее руководство по использованию утилит Sysin- ternals. Авторы книги — создатель утилит Sysinternals Марк Руссинович и при- знанный эксперт по Windows Аарон Маргозис — подробно разбирают многочис- ленные функции утилит для диагностики и управления файлами, дисками, си- стемой безопасности и встроенным инструментарием Windows. Рекомендации авторов проиллюстрированы многочисленными примерами из реальной жизни. Изучив их, вы сможете справиться с неполадками в ИТ-системах так, как это делают настоящие профессионалы. Книга состоит из 18 глав и предметного указателя. Она предназначена для ИТ-специалистов и опытных пользователей Windows, которые хотят применять утилиты Sysinternals с максимальной эффективностью. УДК 004.738.5 ББК 32.973.202 © 2011-2012, Translation Russian Edition Publishers. Authorized Russian translation of the English edition of Windows® Sysinternals Administrator’s Reference, ISBN 978- 0-7356-5672-7 © Aaron Margosis and Mark Russinovich. This translation is published and sold by permission of O’Reilly Media, Inc., which owns or controls all rights to publish and sell the same.
    [Show full text]
  • JTB Process Monitor
    JTB Process Monitor About JTB Process Monitor makes it possible to monitor usage of more applications than the core JTB FlexReport handles. There is a service part and a client part of Process Monitor. You need to first install the service and configure it and then install the client and configure it. The data is saved into the JTB FlexReport core database and reports on the usage can be done in the normal way. This means that JTB FlexReport Core and JTB FlexReport Chart Service/Client also need to be installed. The client computer to monitor does not need to be connected to the network all the time. It still can monitor the usage and when connected again it will send back the data to the server. The client-server solution is based on WCF (Windows Communication Foundation) and XML Web services. System requirements .NET Framework 4.0 or newer is needed for the service and client. Other than that most Windows operating systems are supported like Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016. Both 32-bit and 64-bit systems are supported. One limitation is that processes that run in Windows compatibility mode cannot be monitored. Installation of Service The service needs to be installed on one location and it is recommended to be on the same computer where JTB FlexReport’s other services are installed as it needs to save the usage to the JTB FlexReport database. For a trial it can be installed on a workstation if that is easier for the evaluation.
    [Show full text]
  • Windows Rootkit Analysis Report
    Windows Rootkit Analysis Report HBGary Contract No: NBCHC08004 SBIR Data Rights November 2008 Page 1 Table of Contents Introduction ................................................................................................................................... 4 Clean Monitoring Tool Logs......................................................................................................... 5 Clean System PSList ................................................................................................................. 5 Clean System Process Explorer ................................................................................................ 6 Vanquish......................................................................................................................................... 7 PSList Vanquish ........................................................................................................................ 7 Vanquish Process Monitor (Process Start – Exit) .................................................................. 8 Process Explorer Thread Stack Vanquish .............................................................................. 8 Process Monitor Events Vanquish ........................................................................................... 9 Vanquish Log File (Created by rootkit, placed in root directory “C:”) ............................. 21 Process Explorer Memory Strings Vanquish ........................................................................ 23 NTIllusion....................................................................................................................................
    [Show full text]
  • Application Help for SAP Business Planning and Consolidation, Version for SAP Netweaver Company
    PUBLIC SAP Business Planning and Consolidation for SAP NetWeaver 10.1 Document Version: 1.0 – 2021-06-09 Application Help for SAP Business Planning and Consolidation, version for SAP NetWeaver company. All rights reserved. All rights company. affiliate THE BEST RUN 2021 SAP SE or an SAP SE or an SAP SAP 2021 © Content 1 SAP Business Planning and Consolidation, version for SAP NetWeaver...................4 1.1 Getting Started..............................................................10 Preferences..............................................................10 Grid....................................................................11 1.2 Home Page and Navigation......................................................11 1.3 Business Process Flows........................................................12 My Activities.............................................................13 1.4 Process Monitor.............................................................15 1.5 Library....................................................................16 1.6 Documents (Standard only).....................................................17 1.7 Run Consolidation (Standard only)................................................18 Consolidation Monitor (Standard only)...........................................19 Controls Monitor (Standard only)..............................................24 Journals (Standard only)....................................................30 Ownership Manager (Standard only)............................................41 1.8 Run
    [Show full text]
  • Prmon: Process Monitor
    prmon: Process Monitor Serhan Mete (Argonne) and Graeme A Stewart (CERN) Grid Deployment Board Meeting September 9, 2020 What is Process Monitor (prmon)? ● “... a small stand alone program that can monitor the resource consumption of a process and its children.” ○ An open source HSF project, completely application agnostic and self-contained ■ The only external library dependency is nlohmann/json (and only for the build) ○ Tracks (process-level) CPU/GPU, memory, disk I/O, and (device-level) network I/O usage ■ Metrics are primarily collected from ProcFS (except for GPU which comes from nvidia-smi) ● Adding support for additional hardware is in the future plans ○ It produces two main outputs: ■ Time-series text file that contains the measurements at each capture ■ JSON file that contains averages and maxima along with some hardware information ○ It includes python-based software to visualize the time-series data https://github.com/HSF/prmon 2 Building/Distributing/Using prmon... ● prmon has been used in ATLAS distributed computing for many years ○ Predecessor was named MemoryMonitor, which was the starting point for prmon ● There are two main build/deployment options: ○ Integrating prmon as an external software and building it from scratch ■ Primarily requires C++11, Cmake 3.3+, and nlohmann/json ■ For GPU support, needs nvidia-smi installed ○ Using statically built prmon (published for each release, approx. 1 MB) ○ In either case, the binaries can be (are) distributed via CVMFS ○ More information can be found at https://github.com/HSF/prmon#build-and-deployment ● There are two main ways to execute: ○ Attach to an existing process w/ PID : prmon --pid PID ○ Start the program with prmon : prmon [prmon options] -- program [program options] ○ More information can be found at https://github.com/HSF/prmon#running Latest Release: v2.1.0 on Sep 8 3 Available options, monitors, and output formats..
    [Show full text]
  • Legoos: a Disseminated, Distributed OS for Hardware Resource
    LegoOS: A Disseminated, Distributed OS for Hardware Resource Disaggregation Yizhou Shan, Yutong Huang, Yilun Chen, and Yiying Zhang, Purdue University https://www.usenix.org/conference/osdi18/presentation/shan This paper is included in the Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’18). October 8–10, 2018 • Carlsbad, CA, USA ISBN 978-1-939133-08-3 Open access to the Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation is sponsored by USENIX. LegoOS: A Disseminated, Distributed OS for Hardware Resource Disaggregation Yizhou Shan, Yutong Huang, Yilun Chen, Yiying Zhang Purdue University Abstract that can fit into monolithic servers and deploying them in datacenters is a painful and cost-ineffective process that The monolithic server model where a server is the unit often limits the speed of new hardware adoption. of deployment, operation, and failure is meeting its lim- We believe that datacenters should break mono- its in the face of several recent hardware and application lithic servers and organize hardware devices like CPU, trends. To improve resource utilization, elasticity, het- DRAM, and disks as independent, failure-isolated, erogeneity, and failure handling in datacenters, we be- network-attached components, each having its own con- lieve that datacenters should break monolithic servers troller to manage its hardware. This hardware re- into disaggregated, network-attached hardware compo- source disaggregation architecture is enabled by recent nents. Despite the promising benefits of hardware re- advances in network technologies [24, 42, 52, 66, 81, 88] source disaggregation, no existing OSes or software sys- and the trend towards increasing processing power in tems can properly manage it.
    [Show full text]
  • Brno University of Technology Vysoké Učení Technické V Brně
    BRNO UNIVERSITY OF TECHNOLOGY VYSOKÉ UČENÍ TECHNICKÉ V BRNĚ FACULTY OF INFORMATION TECHNOLOGY FAKULTA INFORMAČNÍCH TECHNOLOGIÍ DEPARTMENT OF INTELLIGENT SYSTEMS ÚSTAV INTELIGENTNÍCH SYSTÉMŮ AUTOMATED SECURITY COMPLIANCE SCANNING OF MS WINDOWS OPERATING SYSTEM USING OPENSCAP PROJECT AUTOMATIZOVANÉ OVĚŘOVÁNÍ KONFIGURACE OPERAČNÍHO SYSTÉMU MS WINDOWS POMOCÍ PROJEKTU OPENSCAP MASTER’S THESIS DIPLOMOVÁ PRÁCE AUTHOR Bc. JAN ČERNÝ AUTOR PRÁCE SUPERVISOR Ing. ALEŠ SMRČKA, Ph.D. VEDOUCÍ PRÁCE BRNO 2018 Abstract This work deals with security compliance of computer systems, namely operating systems, applications and system services. Concept of security policies, their evaluation and their enforcement is described. Security compliance automation and the SCAP standard are presented. OpenSCAP project, which is used as an SCAP scanner, is described together with its tools and its usage. An idea to add support of Microsoft Windows within Open- SCAP, which was previously unsupported, is presented. The core part of the thesis is to identify necessary changes of OpenSCAP and to design an extension of this project. All these modifications are implemented. The solution is demonstrated on security policies for Windows. The solution is evaluated and further improvements are discussed. Abstrakt Tato práce se zabývá problematikou bezpečné konfigurace výpočetních systémů, jako jsou operační systémy, aplikace a služby. Seznamuje čtenáře s konceptem bezpečnostních poli- tik a jejich ověřováním. Soustředí se na problematiku automatizace bezpečné konfigurace s důrazem na standard SCAP. Popisuje projekt OpenSCAP, který se používá jako SCAP scanner, jeho aplikace a jejich použití. Navrhuje rozšířit OpenSCAP i na operační sys- tém Microsoft Windows, který doposud nebyl podporován. Těžištěm práce je identifikace nutných změn projektu OpenSCAP a návrh jeho rozšíření.
    [Show full text]
  • Sysinternals Learning Resources
    THE PERSONAL COMPUTER SPECIALIST Sysinternals Learning Resources Help and Support Sysinternals Learning Resources Help Desk Books Windows Internals Book Homepage The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon. Windows Sysinternals Administrator's Reference The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use. Articles Inside the Windows Vista Kernel: Part 1 Inside the Windows Vista Kernel: Part 2 Inside the Windows Vista Kernel: Part 3 Inside Windows Vista User Account Control Inside Windows Server 2008 Kernel Changes Mark's Blog Articles Hunting Down and Killing Ransomware Scareware, a type of malware that mimics antimalware software, has been around for a decade and shows no sign of going away. The goal of scareware is to fool a user into thinking that their computer is heavily infected with malware and the most convenient...(read more) Monday, Jan 7 The Case of the Unexplained FTP Connections A key part of any cybersecurity plan is “continuous monitoring”, or enabling auditing and monitoring throughout a network environment and configuring automated analysis of the resulting logs to identify anomalous behaviors that merit investigation. This...(read more) Tuesday, Oct 30 Windows Azure Host Updates: Why, When, and How Windows Azure’s compute platform, which includes Web Roles, Worker Roles, and Virtual Machines, is based on machine virtualization. It’s the deep access to the underlying operating system that makes Windows Azure’s Platform-as-a-Service (PaaS) uniquely...(read more) Wednesday, Aug 22 The Case of the Veeerrry Slow Logons This case is my favorite kind of case, one where I use my own tools to solve a This case is my favorite kind of case, one where I use my own tools to solve a problem affecting me personally.
    [Show full text]
  • Instrument .NET Applications
    Instrument .NET Applications AppDynamics Pro Documentation Version 4.0.x Page 1 Instrument .NET Applications . 3 .NET Supported Environments . 5 Install the .NET Agent . 9 Configure the .NET Agent . 11 Enable SSL for .NET . 15 Instrument Windows Services and Standalone Applications . 20 Name .NET Tiers . 24 Automatically Name .NET Nodes . 26 Unattended Installation for .NET . 27 Upgrade the .NET Agent . 33 Resolve .NET Agent Installation and Configuration Issues . 37 Uninstall the .NET Agent . 48 Install AppDynamics for Windows Azure with NuGet . 49 Register for AppDynamics for Windows Azure . 56 Administer the .NET Agent . 61 .NET Agent Directory Structure . 62 .NET Agent Configuration Properties . 64 Configure Multiple Business Application Support for .NET . 80 Disable Instrumentation for an IIS Application Pool . 87 Configure Application Domain Monitoring . 87 Instrument the DefaultDomain for Standalone Applications . 92 Configure the .NET Machine Agent . 94 Enable Monitoring for Windows Performance Counters . 96 Enable Correlation for .NET Remoting . 97 Enable Thread Correlation for .NET . 100 Enable Instrumentation for WCF Data Services . 101 Configure Machine Snapshots for .NET . 102 Page 2 Instrument .NET Applications On this page: Before You Begin Instrument Your CLR with the .NET Agent Related pages: AppDynamics Essentials Install the .NET Agent AppDynamics for Windows Azure with NuGet Watch the video: Quick Install: .NET Agent Rate this page: For AppDynamics to gather performance data about your .NET applications, you must install the .NET Agent (agent) on the servers where the applications run. You only need to install the agent once per server even if you want to monitor multiple applications on one server. The agent instruments your application and sends performance data back to the AppDynamics Controller.
    [Show full text]