The accessibility features provide additional options (on-screen keyboard, magnifier, screen reader etc.) that help people with disabilities use Windows operating systems more easily. However, this functionality can be abused to achieve persistence on a host where RDP is enabled and administrator-level privileges have been obtained. The technique either touches the disk (a binary is replaced) or requires a registry modification in order to execute a remotely stored payload.

The easiest implementation of persistence via accessibility features is by replacing the binary of sticky keys (sethc.exe) with a legitimate cmd.exe or any other payload.

[Figure: Persistence – Sticky Keys Binary Replacement]

Pressing the Shift key 5 times will enable sticky keys, and instead of the legitimate sethc.exe the rogue sethc.exe will be executed, which will provide either an elevated session or an elevated (SYSTEM) command prompt.

[Figure: Persistence – Sticky Keys CMD]

Narrator

In Windows 10 Narrator is a screen reader that assists people with visual impairments. Giulio Comi discovered that it is possible to modify the registry in order to create file-less persistence that triggers when Narrator is executed. Before implementing this technique Giulio suggests a series of modifications on the host in order to start Narrator automatically and to make it less noisy. The following settings are recommended:

This technique was first demonstrated on his blog and has two components:

  1. Deletion of the “DelegateExecute” registry value
  2. Modification of the “(Default)” registry value so that it executes a command.

Both of these values are stored under the following registry location:

Computer\HKEY_CURRENT_USER\Software\Classes\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command

[Figure: Narrator – Registry Key]

The Metasploit Web Delivery module can be used to capture the session once the Narrator “Provide Feedback” command is executed.

[Figure: Meterpreter – Narrator]

Metasploit

Metasploit Framework provides a post-exploitation module which can be used to automate the sticky keys persistence technique. The module will replace the chosen accessibility feature binary (sethc, osk, disp, utilman) with a copy of CMD.

use post/windows/manage/sticky_keys
[Figure: Metasploit – Sticky Keys Module]

When the screen on the target host is locked, launching the Utilman utility will open a command prompt with SYSTEM-level privileges.

[Figure: Command Prompt – Sticky Keys Utilman]

This technique requires an elevated Meterpreter session and Remote Desktop Protocol to be enabled on the system. In the majority of organisations this protocol is enabled by default so that administrators can provide support to users and perform tasks on hosts remotely. If not, RDP can be enabled via the following Metasploit module:

use post/windows/manage/enable_rdp
[Figure: Metasploit – Enable RDP Module]

Replacing one of the accessibility feature binaries with a malicious payload instead of CMD will return a Meterpreter session with SYSTEM-level privileges rather than a command prompt.

[Figure: Metasploit – Meterpreter Payload]

Empire

Similar to Metasploit Framework, PowerShell Empire has a module which implements the sticky keys persistence technique. Compared to Metasploit it supports more binaries (Narrator, Magnify) and, instead of replacing the binaries with a CMD, it modifies the Image File Execution Options “Debugger” registry value in order to store the PowerShell command that will execute the stager.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger

The following binaries can be backdoored through this Empire module:

  • sethc.exe
  • Utilman.exe
  • osk.exe
  • Narrator.exe
  • Magnify.exe

usemodule persistence/misc/debugger/*

[Figure: Empire – Sticky Keys Module]

Misc

The sticky keys persistence technique is widely known and some threat actors use it during their attacks. There are scripts that can be used to automate this method outside of Metasploit and Empire. Preston Thornburg wrote the following PowerShell script, which achieves persistence through the registry modification and also doubles as a clean-up script, since it removes the key if it already exists.

$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
$keyName = "sethc.exe"
$stringName = "Debugger"
$binaryValue = "C:\Windows\System32\cmd.exe"

IF (Test-Path ($registryPath + $keyName))
{
    # The sethc.exe IFEO key already exists: remove it (clean-up).
    write-host "Registry key found. Let's remove it."
    #New-Item -Path $registryPath -Name $keyName | Out-Null
    Remove-Item -Path ($registryPath + $keyName) | Out-Null
    write-host "Sticky Keys debugger key has been removed."
}
ELSE {
    # The key does not exist: create it and point the Debugger value at cmd.exe.
    write-host "Registry key not found. Attempting to add Sticky Keys debugger key to registry."
    New-Item -Path $registryPath -Name $keyName | Out-Null
    New-ItemProperty -Path ($registryPath + $keyName) -Name $stringName -Value $binaryValue | Out-Null
    write-host "Sticky Keys debugger key added."
}
[Figure: Sticky Keys PowerShell Script]

Other scripts which implement the technique include the batch files and executables from the logon_backdoor GitHub project.

[Figure: Persistence Sticky Keys – logon_backdoor batch version]

Option 1 will modify the “Debugger” value to include the path of the command prompt.

[Figure: Persistence Sticky Keys – Logon Backdoor]

Pressing the Shift key 5 times will enable sticky keys and will execute a CMD from an elevated context.

[Figure: Persistence – Logon Backdoor CMD]

Both versions include a clean-up option which removes the “Debugger” registry value.

[Figure: Persistence – Backdoor Logon Executable Version]

The Sticky-Keys GitHub project provides an additional option, which is to give a SYSTEM console to the user. However, the implementation of this technique is very similar to that of the logon_backdoor project.

[Figure: Persistence – Sticky Keys Project SYSTEM Console]
