
SolarWinds Post-Exploitation for Red Teams (and Fun)

BSides Charlotte · 2026 · 20:38 · Published 2026-04
About this talk
James Donlon presents post-exploitation techniques against SolarWinds Observability discovered during red team assessments. The talk demonstrates passback and relay attacks leveraging stored credentials to achieve authentication coercion against MSSQL and LDAP, enabling potential domain compromise, plus a stored XSS vulnerability leading to admin account compromise.
Original YouTube description
James Donlon presented his talk "SolarWinds Post-Exploitation for Red Teams (and Fun) - James Donlon" live at BSides Charlotte on March 28, 2026. https://bsidesclt.org/ In this talk James presents several methods of coercing authentication from SolarWinds Observability to achieve MSSQL, LDAP, and SMB relays that can result in full domain compromise. He discusses a stored XSS that led to admin account compromise (confirmed by SolarWinds, CVE pending).
Transcript (en)

This talk is called SolarWinds Post-Exploitation for Red Teams (and Fun). My name is James Donlon. I am a red team operator at Armanin. Armanin is a new company. We were founded by Kevin Mandia, and really we are developing the ultimate attacker that uses AI agents to execute complex attack chains across multiple modalities at machine speed. So this will be just kind of a short presentation about some things that we have found during several red team assessments when we had access to SolarWinds via a compromised user. So no new vulnerabilities or disclosures here, just some interesting methodology and things that we thought other red teams might benefit from, just to show off some methodology and stuff there.

So moving into the agenda. Like I said, this will be a very short presentation. We will just give some existing research that we have found, that we saw in the past five or so years, and then from there we'll move into what we have found. So essentially some passback attacks from SolarWinds that can result in hashed credential disclosure as well as plain text credential disclosure, as well as some relay attacks, including a passback to LDAP as well as MSSQL.

So just a quick overview for anyone who's unfamiliar: what is SolarWinds? Previously it was called SolarWinds Orion. Now they have a full platform; I believe it's called Observability. Basically there's different ways you can use it, but the one that I was testing is a self-hosted platform. Essentially, what it's used for is network, application and configuration monitoring and alerting. So, for example, if you have a bunch of machines with SolarWinds running on them, you can monitor if one of them goes down, if CPU usage spikes, etc. There's a lot more to it, but that's basically it.

So existing research. There is quite a bit of research into SolarWinds from a red team perspective. So just a quick overview of some things that we found that have been really useful for red teams. Starting with this one over here. Back in like 2020 or 2021, I had found this blog post and had basically found a way to use SolarWinds to deploy C2 beacons. So this blog post here is very interesting, very useful. We'll recap this research here in a second. In addition, Rob Fuller did some really good research way back, 2020 and I think even before, basically looking at how to dump passwords from SolarWinds Orion. So once you compromise SolarWinds, if you have access to the database itself, how encryption works and everything there. And he actually had a tool that was very useful for a while called SolarFlare. Since then, their encryption has changed a little bit. And talking about that, treaties partners had a decent blog post looking specifically at the cryptography used within SolarWinds. So as far as the actual database and encryption, we're not going to really talk about that here. It's going to be a little bit higher level and a little bit different, just getting to that access before you start dumping passwords, etc.

So talking about some previous research, I mentioned we could use SolarWinds Orion to deploy C2 beacons, for example. So I'm just going to go through that flow and show what that looks like. As I mentioned, within SolarWinds you have the ability to configure alerts. There's all kinds of different things you can alert on within a network, or host-based. So you have Alert Manager, and within there you can create a trigger action. So when an alert happens or is sent, you can have a trigger action to do something. And the cool thing for red team is there's a lot of different actions you can configure within a trigger action. One of those, which is very interesting, is you can execute an external program or a VB script. So this one in particular is very useful because you can configure a trigger that will execute an arbitrary executable, for example, that you can configure to happen whenever you want. So the classic example: back in like 2021 I did actually use this on a large financial client. What we did is we set up Cobalt Strike. This is not how you do it in a real environment, but purely for example, pointing to beacon x64.exe. You can configure it to point to that and then basically just show the UNC path. So it'll reach out to an arbitrary machine. In this case, this is an attacker machine. And then you can also configure authentication, which in this case is not really needed. So whenever you add the action and you go ahead, you can actually simulate the action. So you don't need to actually wait for it to happen; you can immediately use this now. So you can select, for example, a domain controller, hit execute, and it will reach out, pull down your beacon and execute it.

So this was very useful on a red team that I was on way back in 2021. We had some very limited access and we ended up finding a user that had access to SolarWinds. And within SolarWinds they had the ability to add alerts and manage them. And then from there we went with this flow and it ended up with full domain compromise. So the good thing is that SolarWinds has changed this since then, so that if you try to create this type of alert, for both executables or programs as well as the VB script, it requires approval by an administrator. So you can no longer just take a compromised user and immediately compromise the domain. You do need to have this approved. And the interesting thing here is that this change is actually when a coworker and I found two different vulnerabilities that were related to this specific functionality. We can't really talk about that here just because they haven't been fixed yet, but we should have a blog post coming out pretty soon talking about this once SolarWinds actually fixes that and has a CVE. So this is the disclosure here. Starting February 10th, and as recent as yesterday, they should have a CVE soon for one of those issues. Like I said, we'll have a blog post for those soon.

So, next section. Moving on from the previous research, some of the stuff that I found more recently that I don't believe has been disclosed. So like I said, these are not going to be new vulnerabilities. These are purely going to be some methodology to take advantage of how SolarWinds works. So starting with stored credential passbacks. A passback attack, if anyone has ever seen or is familiar with it: the classic example I believe would probably be from a printer. So if you have a printer in an environment that is configured with LDAP, there's a lot of cases where you can cause a passback, where you can change the IP address and try to trigger an authentication flow to LDAP, but instead of the LDAP server you're actually sending it to yourself. So you can capture credentials that way.

So running through this flow within SolarWinds, you have the ability to deploy an agent on the network. So deploying the SolarWinds agent to a system so that SolarWinds can monitor that system. Just running through this, you can add an IP address or host name, and then you can assign credentials. So this is purely functionality within SolarWinds. This is not a vulnerability, but since you can choose an arbitrary IP address, what you can do is just point it to your attacker box. And the nice thing for red team is that if there's credentials stored within SolarWinds, you can go ahead and select whatever you want, assign that credential and go ahead and validate it. So in this case, this is purely a lab example, but we have a domain administrator saved here in SolarWinds. The nice thing is you can go ahead and test that credential. So in the previous step we selected our attacker IP. We selected our domain admin. We're going to test that. And what happens is, if you have a listener like Responder, for example, it sends an NTLMv2 authentication attempt with that stored credential. So that by itself is useful. You could take this offline and try to recover it with something like hashcat. If there's a system that does not require SMB signing, you could potentially relay that over SMB. That is still a thing, but less of a thing in more mature environments.

So taking that further, if you find the MSSQL instance for SolarWinds, you can go ahead and set up a relay to that database if it is exposed externally, which is the recommended configuration. So instead of sending this to yourself and just capturing it, you can relay to the MSSQL database. So same thing: test, and this is my NTLM relay targeting the MSSQL instance, and from here you can see we're able to authenticate against the MSSQL database and start an interactive shell. So from here, this is where the typical credential dumping, decryption, or maybe even adding a new user or adding permissions to a compromised user happens. That way you can have full admin over SolarWinds. There's a lot of additional post exploitation that can be done here. We're not going to delve into that here. We're just purely showing this relay attack.

So just going to show that full flow here. First thing we're going to do, we're going to set up our listener and our relay to the MSSQL database. Now we are choosing the credential. We're just going to hit test. You can see very quickly it already worked. So we captured that authentication attempt, relayed it against MSSQL, and now we have an interactive session within the SQL database. So now just showing utilizing that session. We're going to enumerate the DB. So this is just the typical SolarWinds database configuration. Then you have Orion, the logs, flow storage. We're going to use SolarWinds Orion, so connecting to that specific database. And from here, this is how we're going to pull down account IDs, password hashes, salts, etc. Whether the account is enabled, if they're an admin, etc. So, here's the admin. This is when I was testing adding a backdoor account, etc. There's a lot you can do here. Here's the domain admin. Oops. The domain admin is right down here. That's the stored password for that. So, that's the full flow there. That is very useful for red teams: if you are able to get into this functionality within SolarWinds, that is a very useful flow for potentially relaying to the database and doing all kinds of stuff there. So moving on.

So the next thing we're going to talk about, and this is even more useful in my experience, is HTTP authentication to LDAP relay. In the previous step we saw SMB authentication, and in this step we're going to see HTTP authentication, which can be relayed to LDAP. So within SolarWinds, you have another trigger action where you can send a GET or POST request to a web server. And unlike the previous attack, where we were able to execute an executable or a program, this one does not require administrative approval. So this one is very simple. You just configure a URL, so in this case my attacker box, and then you can choose the authentication type that you want. In this case, we have NTLM. And just like the other one, we can choose a stored credential. In this case, we're just going to choose the domain admin. If we set up a relay against an LDAP server, we can go ahead and simulate the action. We don't actually need to save it and wait for it to happen. Click execute. You can see our relay. We have caught HTTP authentication and we have relayed that against the LDAP server. From here, there's a lot of things you could do. You could have an interactive session. You could do some sort of Kerberos delegation. There's a lot of different things here. In this case, we're a domain admin, so we are privileged.

So, just showing this flow. Within Alert Manager, we're going to go ahead and create the alert. We're going to configure it. So you can see here, just as I showed before, we're just targeting our attacker box. We're going to select NTLM authentication. We're going to choose our domain admin that is stored within SolarWinds. Setting up our relay over here, and then we're going to go ahead and test the action. So, this here doesn't matter; you can select whatever you want. Once you hit execute, you can see it works. In my lab, I was too lazy to set up LDAPS, so part of it fails to actually do anything against LDAP. But in a real world scenario, they would probably have LDAPS. But you can see the relay has worked. It's trying to create a user, adding to Enterprise Admins, etc. That is probably not something you want to do in a real world scenario. You probably want to be a little bit more surgical. But our relay has succeeded.

And then a little extra here. Let's see. So we're going to go back to edit the action. We're going to set up a Responder listener instead of a relay. And in here, if you notice before with authentication, if you choose basic authentication and select our domain admin, instead of a relay we are going to collect the plain text password for the user. So what it does is it pulls it down and just sends a basic authentication request with the clear text or plain text domain admin password. So that's a good way, if you don't want a relay, to just selectively pull out any credentials you want that are stored within SolarWinds. Okay, so this is just showing the flow there. And then this is the plain text password. So, when I saw this, I was kind of surprised. I didn't really expect that to happen, but here we are.

Conclusion. So yeah, short and sweet. The conclusion is that there's a lot more. There's several other products that SolarWinds has. There's more trigger actions. There's a lot more attack surface that I have not finished exploring and doing research on. There is active exploitation of SolarWinds Help Desk, for example, as of like a month ago. That is a completely different product, and for example with Web Help Desk there was some research that discovered additional deserialization issues. A lot of attack surface there, a lot of stuff that you can look at. So really the main conclusion here is: if you are a red team operator or even just an internal pentester, look at applications and services. This is something that I've seen on so many networks and just glossed over, because generally we're getting DA via other compromised paths that are specific to Active Directory. However, there are always going to be a lot of other services and applications on networks that have a lot of attack surface, and if you get access to one of those services like SolarWinds, there is quite a bit of impact that you can have on an internal network.

So just talking about research. If you find something interesting like SolarWinds, look to see if there's a trial that you can download. SolarWinds makes it really easy to download trials for Observability, for Web Help Desk. Lab it up. So that's what I did. So Ludus, if anyone's unfamiliar, check out Ludus. It is awesome for standing up quick and easy lab scenarios. You can have a full Active Directory environment with all kinds of different misconfigurations for testing out vulnerabilities or attack paths. Lab it up. "Download trials" is on there twice. Do research. So once you have it labbed up, just do research. Look at different potential attack paths. Write up methodology. You can have quite a bit of internal methodology for specific services that is completely outside of the normal Active Directory attack chains. So that's pretty much it. Like I said, there is probably some additional research that we'll be doing. We should have a blog post here soon for those two vulnerabilities that we found in SolarWinds.

And the last thing I want to say is that, like I mentioned before, none of this is a vulnerability in and of itself. SolarWinds does a pretty good job of having permissions properly enforced. So for all of the previous stuff, which I probably should have mentioned before, you do need a good amount of access to SolarWinds to actually perform those attacks. So the ability to create an alert: you need the ability to manage alerts. A low-level user cannot do that. So this is purely for a red team performing post exploitation. So if you're on a red team and you do compromise a user with access to SolarWinds, definitely look at it. There's a lot you can do there. So that's it for me. Thank you.
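The common thread in the talk, seen from the defending side, is that every path described (agent credential validation, the external-program action, the HTTP GET/POST action with NTLM or Basic authentication) lets someone with alert-management rights send a stored credential to a host of their choosing: NTLM to an unapproved host is the relay exposure, and Basic authentication hands over the plain text password. One control a blue team can run is a periodic audit of configured actions against an allowlist of expected targets and a list of credentials that should never be attached to an action. The block below is an added example and is not SolarWinds' code or API: the `TriggerAction` record is a constructed, hypothetical representation of an exported action (the real product's storage format is not on the page), and the allowlist, internal ranges, credential names and sample actions are all assumed values.

```python
"""Audit alert actions that carry stored credentials toward unapproved hosts.

Added example, not SolarWinds code. The record layout, field names and all
sample values below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed policy: hosts an action is allowed to contact (in practice,
# fed from the asset inventory), the org's internal ranges, and credential
# display names that must never be attached to an action.
ALLOWED_HOSTS = {"monitoring.corp.example", "fileshare.corp.example"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
PRIVILEGED_CREDENTIALS = {"CORP\\Administrator", "CORP\\svc-domainadmin"}


@dataclass(frozen=True)
class TriggerAction:
    action_id: int
    kind: str        # hypothetical: "http_request", "run_program", "run_script", "agent_deploy"
    target: str      # URL, UNC path, or bare host/IP depending on kind
    auth: str        # "none", "ntlm" or "basic"
    credential: str  # display name of the stored credential, "" if none


def target_host(target: str) -> str:
    """Host part of a URL, a UNC path (\\\\host\\share\\...), or a bare host."""
    if target.startswith("\\\\"):
        return target[2:].split("\\", 1)[0].lower()
    if "://" in target:
        return (urlparse(target).hostname or "").lower()
    return target.split("/")[0].split(":")[0].lower()


def is_internal(host: str) -> bool:
    """True for allowlisted names or IPs inside INTERNAL_NETS; unknown names are not internal."""
    if host in ALLOWED_HOSTS:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def audit_action(action: TriggerAction) -> list[str]:
    """Return finding tags for one action; an empty list means it passed policy."""
    findings: list[str] = []
    host = target_host(action.target)
    scheme = urlparse(action.target).scheme.lower()
    approved = host in ALLOWED_HOSTS

    if not approved:
        findings.append("target-not-allowlisted")
    if not is_internal(host):
        findings.append("target-outside-internal-ranges")
    if action.credential:
        if action.credential in PRIVILEGED_CREDENTIALS:
            findings.append("privileged-stored-credential")
        if not approved:
            # NTLM or SMB auth to an arbitrary host is the capture/relay case.
            findings.append("stored-credential-sent-to-unapproved-host")
        if action.auth == "basic":
            # Basic auth discloses the stored password to whoever answers.
            findings.append("basic-auth-discloses-password")
            if scheme != "https":
                findings.append("basic-auth-without-tls")
    if action.kind in ("run_program", "run_script") and not approved:
        findings.append("program-from-unapproved-host")
    return findings


def audit_all(actions: list[TriggerAction]) -> dict[int, list[str]]:
    """Map action_id -> findings, keeping only actions that produced findings."""
    report = {}
    for action in actions:
        findings = audit_action(action)
        if findings:
            report[action.action_id] = findings
    return report


# Constructed sample actions (not real configuration data).
SAMPLE_ACTIONS = [
    TriggerAction(1, "http_request", "https://monitoring.corp.example/hook", "none", ""),
    TriggerAction(2, "http_request", "http://203.0.113.5/", "basic", "CORP\\svc-domainadmin"),
    TriggerAction(3, "http_request", "http://10.20.30.40/", "ntlm", "CORP\\svc-domainadmin"),
    TriggerAction(4, "run_program", "\\\\fileshare.corp.example\\tools\\collect.exe", "none", ""),
    TriggerAction(5, "run_program", "\\\\198.51.100.7\\share\\update.exe", "none", ""),
    TriggerAction(6, "agent_deploy", "192.168.5.9", "ntlm", "CORP\\svc-monitoring"),
]

if __name__ == "__main__":
    for action_id, findings in audit_all(SAMPLE_ACTIONS).items():
        print(f"action {action_id}: {', '.join(findings)}")
```

The finding tags line up with the paths in the talk: `basic-auth-discloses-password` is the plain text disclosure, `stored-credential-sent-to-unapproved-host` is the NTLM capture or relay case for both the HTTP action and agent credential validation, and `program-from-unapproved-host` is the external-program path that the talk notes is now gated behind administrator approval. An action whose target is an internal but unallowlisted IP (action 3) is still flagged, since an internal address is exactly what a compromised foothold looks like.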