
We Have C2 at Home - Leveraging Microsoft's C2 Framework

BSides PDX · 2023 · 28:47 · 203 views · Published 2023-11

Category: Technical
Style: Talk
About this talk
Garrett Foster (@garrfoster on Twitter)

For attackers, Microsoft's enterprise device management software SCCM is a high value target, and a large amount of research has been published over the last year that demonstrates how a site can be taken over. However, identifying the various servers and server roles deployed in an environment to achieve this privilege escalation can be a difficult task. SCCMHunter aims to solve this problem. This tool helps identify potential SCCM server roles and SCCM related users and groups to piece the SCCM site takeover puzzle together.

Garrett is an Oregon native and offensive security consultant with over 4 years' experience in information technology. He has conducted successful engagements against organizations that include the finance, healthcare, and energy sectors and enjoys researching Active Directory and developing offensive security tools. His background also includes roles as a Security Operations Center Analyst and Systems Administrator.

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org

Transcript [en]

So thanks everyone for coming. I know it's a really, really nice day on a Saturday lunchtime and you chose to spend it with me, so thank you. But welcome to my talk, "We Have C2 at Home: Leveraging Microsoft's C2 Framework." A little bit about myself: my name is Garrett Foster. I am a senior consultant on the adversarial simulation team over at SpecterOps. Prior to that I was on the attack and pen team at Optiv, and before that I would play kind of alert whack-a-mole at Per Security working as a SOC analyst. My Twitter is @garrfoster, I guess it's X now, whatever. I'm a perennial kind of retweeter, I don't have a lot of content on there, but if you did want to follow me, that's my handle.

So on the agenda today we're going to talk about what Microsoft's C2 framework is, in my opinion, and essentially that it's SCCM. Then we're going to talk about a service that's installed on SCCM that's not very well known, called the administration service, and then I'm going to share some updates to a tool I wrote called SCCMHunter. Before I jump into that, there's a lot of prior work that I'd like to acknowledge first. Chris Thompson, Matt Nelson, Duane Michael, they're all co-workers of mine over at SpecterOps and have done a ton of research on SCCM and related topics. Brandon Colley is over at Trimarc Security, Christopher Panayi is at MWR CyberSec and did a great talk at DEF CON 30, and then Dave Kennedy and Adam over at TrustedSec. There's a ton more, but if you want to do some more research on this topic after this talk, follow any of them, look them up, there's a lot of good stuff.

Okay, so Microsoft's C2 framework. We kind of covered what SCCM is in a way, so we're going to go real high level and then try to move off of that. SCCM is just device and application management for an enterprise at scale, right? So to kind of give you a picture of what that looks like: we're all users, we all have our devices, right? Each one of us probably has a laptop, cell phone, whatever it may be, and for me as the administrator to manage that I'll use something like SCCM. Those devices and users are organized in SCCM by what's called a collection. So you could imagine a collection is, we're in track two, so this is collection track two, and then you have collection track one, which is the other room, and all the other users, other devices and others are separate, right? And then you have some pretty much static components, which are the primary site server and database server, the management point and a distribution point, and I'll get a bit deeper in just a second.

So to kind of understand how it works you have to really understand the architecture. I want you to put your red teamer hat on and kind of think about how you would stand up red team infrastructure, right? I refer to the primary site server as the team server. That's where you're operating from, that's kind of where you want to hide everything and have no connectivity whatsoever, so it's just us operating there, there's no visibility. The distribution point I would refer to as the payload host, so this is where you're going to host all of your software, your malware, whatever it may be. And then you have a management point, and I refer to these as your redirectors, so this is what you're going to put in front of your team server to make sure that the traffic that's coming in is what you want it to be. And then right there at the bottom are the clients, and that's where your victims are. So essentially if you walk your way up you'll see that the clients only communicate to the management point and distribution points, and those from there communicate to the primary site server. That's where all of the commands are trickled down.

So if you were to log in as the administrator, this is what you would be met with. When you actually sign in, over on the left is your ability to navigate SCCM, and that's where you're going to see your collections. Each of the users and the devices are in the default collection when they're joined, and then you have the option to kind of split them out. Kind of an interesting caveat with the collections is you can only have devices in a device collection and users in a user collection. You can't overlap; you can have them members of multiple, but no overlap. And then I highlighted the devices, so these are all of the clients that are enrolled in SCCM. But what's fun is, if you look to the left of it you'll see that the icon is there, so the green check mark indicates that it's enrolled, that it's calling back and that it's actually active on the network. And I was lucky enough to grab one where I had the question mark, where the client is up but is not necessarily calling back in the default poll rate. So SCCM has a poll every 15 minutes where the client checks in and just asks for policies.

So there's a lot of power in this tool. It's basically got system-level access on every single client that is enrolled. From an administrative perspective that's great, I can manage all the software in the enterprise, but then from an attacker perspective that's great, I can handle everything in the enterprise. What's really more fun about it is the entire hierarchy is very, very vulnerable to takeover. So Chris and I have published a few blogs kind of demonstrating the ability to do so, to compromise the entire infrastructure. That was over the last six or seven months, I believe, and recently Chris published another blog that made us learn that it's not just a site takeover, it's actually an entire hierarchy. So if you were to compromise a primary site server and it's a member of a hierarchy, that change gets replicated down, makes sense, but also gets replicated up. So if you become an admin in the middle, you're admin everywhere.

So that's the perspective that we're going to take now. Okay, so what have we done? We're admin, what can we do with it, right? It's already been demonstrated pretty heavily that if you have control over this you can push out malware, you can push out whatever it may be, basically anywhere that you choose to. Dave Kennedy, his talk at DEF CON 20 was basically him popping shells and it just rained shells left and right. So that's awesome, it's a lot of fun, but what else, right? Sometimes we get different perspectives that we want to take and find new, different tactics and ways of doing things. So I focused heavily on what can I do from a red teaming perspective. It's not always about, okay, let's go in, let's grab DA and then we're done. A lot of red teaming is very goal- or action-on-objective focused, right? So it may not necessarily be DA; the client may want you to say, hey, can you get to our backup servers, or can you compromise one of our users to get control over our CI/CD pipeline, right? So user hunting is very, very valuable for us. If we can find out where a user is, what device they're using, where they're logging in, that's awesome, and SCCM makes it very easy to do so. You can query for it and then actually find out where they're logging in from.

And then there's a tool called CMPivot, which is extremely valuable. Essentially the way that tool works is it uses a protocol called fast channel, and the way that works is, for all the clients that are enrolled, when you execute from CMPivot it sends a few packets that say, hey, wake up, ask for policies and then we'll send them out to you, and then it'll run whatever commands you had. And then you also have the ability to create and execute custom PowerShell scripts on endpoints anywhere in the environment. So if it's active and enrolled you can create scripts and run them.

Okay, so hopefully this works out, because the videos on PowerPoint are rough, but I'm going to try to walk through kind of what it looks like here. In the first step I'm going to show you how you can query for the user. You're the administrator, I want to go find out where a certain user is set as the primary user of that device, right? So it's very simple, you just run the query, you add the primary user, search for the PC3 user and then you get the query back: it's PC3. Great. So now we're going to start CMPivot and I'll show you kind of the power of this tool. If you look here I'm going to scroll down and these are all different queries on the host that you can look up: if it's enrolled in BitLocker, you can look at services, you can look at processes, you can look at local administrators, a ton of information, and you know in this industry information is king. So if we can grab that and leverage it, it's awesome. That was just an example of grabbing services, so I could see what was started, what was stopped, and kind of just grab that information.

So here I'm going to show you a script, and I'll stop right here. This is a script that I just put in to kind of show the way it'll work. So let's look at the local administrators group, okay cool, then let's just add any user we want and then check to make sure that it completed, right? Obviously you wouldn't do this, but it's a good demonstration. So we'll go back to PC3 because that's what we're going after, we want to grab the PC3 user. You run the script and then after a short time you'll get the actual results back. It'll come in JSON and then raw, and I know this is difficult to read in the back, but I know there's another TV, but you can kind of see the result of the query. Okay, so Domain Admins, and then now lowpriv is a member of DA, or the local administrators group. So interesting stuff, right? Different perspectives.

Okay, so now I think I need to explain myself a little bit. Yes, PowerShell is IOC'd like crazy, you know, you don't necessarily want to run it in the environment, command line logging, that kind of thing. However, both CMPivot and custom PowerShell scripts are run from the same directory, and it's on every single client, it's this CCM ScriptStore directory, and it's great because Microsoft recommends that you exclude this from all of your antimalware and antivirus solutions, right? So we can basically live there. And I'll show you why they say to do so. This is just an Elasticsearch query for Invoke-Command, and I only have one of my clients in my lab that is actually pushing logs back, so it's Sysmon and Elasticsearch. I searched for Invoke-Command and these are all legitimate CMPivot and SCCM script results, and the reason why they tell you to allow-list it is because it uses a bunch of malicious-looking arguments, so -NonInteractive, -NoProfile, and then the whole thing's Base64 encoded. If you've ever worked in a SOC or done incident response, you see alerts like this cross the line all the time, and Microsoft makes a ton of them. So not only are you potentially going to follow Microsoft's recommendation, but again I need to stress this is one client over two days with me just playing. If you are at an enterprise at scale and you have thousands of devices, imagine how many of these are going to come across. What's the likelihood that you FP that directory and you never see it again? I think it's pretty high. Oh, I missed that one piece: that blob up there is actually from Microsoft's website where they recommend it, because they want you to allow these features to run without any kind of interference. So I'll just add my features too.

Okay, so the administration service. Man, I'm a big fan of this. The most recent blog post that I shared is on this admin service. It's an API that grants access to SCCM over HTTPS. It's awesome. It's vulnerable to NTLM relaying, so if you can relay the correct account you can actually compromise SCCM with it, and then you're off to the races. But its intended purpose was to give administrators the ability to create some custom applications. A lot of SCCM is very compliance focused, right, so you want to have metrics and statistics of how things are going, so you can create custom apps that create reports, right? Everyone likes pie charts and everything else. Then there's a Community Hub. The Community Hub is a way to share some really gnarly CMPivot queries for specific things, so they use the API to kind of transfer that data up. And then Intune tenant attach, which is interesting, and we'll touch on that a little bit later.

It has two routes. Both of them start at AdminService, and then it'll be a wmi and then v1. In Microsoft fashion it is very poorly documented, essentially. If you go to the metadata for the API, it's like they copied and pasted it and put it up in GitHub, and that's your reference. Not only that, it's not very well known. If you search it on Reddit there's a lot of posts, there's a few power users, right, but there was a book called Configuration Manager Unleashed, and this is kind of like the go-to for running SCCM in your environment: 1,700 pages, not a single reference to this API.

Okay, so we'll take a look at how both routes look. They're both in JSON, they're different structures, right, so you kind of get weird with how you query the data, but this is the same device on both endpoints. So I started playing and digging more into it, like okay, what would I want to do in the GUI that I can do on the API? Can I look at devices, can I look at collections, can I look at users? And it was just like I would throw a dart and it would land, and be like okay, I can do that with the API, I can do that with the API, and then ultimately it was, you know, I can do anything I want to with this API. And since it's not very well known, that means they're not paying attention to it, right?

So this is where I lead into the SCCMHunter updates. Originally SCCMHunter was developed to help enumerate the environment to build these compromise and takeover paths, but now it's kind of grown a bit. Knowing and understanding this API, there's a lot of new features added. I created an interactive C2 CLI. All of the objects that I just showed you, devices, users and so on, are identified by a unique identifier, just a string, and that's how everything is called and executed against. So I will let you interact on the CLI with that device or with that collection and then execute whatever commands you want. So this is the CMPivot stuff I was talking about; now I'm going to refer to that as situational awareness. If you're familiar with TrustedSec's situational awareness BOF collection, it's very similar to that, just information gathering: tell me everything that I would be interested in as an attacker about this host. And then the database commands. Previously I was pulling everything out of SCCM and then storing it locally in a SQLite database. Now, if you're looking for a device, it'll check if you've already run that query, otherwise it'll do the API pull and then grab it and then save it locally.

And then there's a lot of post-ex focus, right? I don't want to be planking anymore, I want to know exactly what my game plan is after I compromise this thing. So for post-ex you'll be able to run a custom script. Before, I showed you the net localgroup administrators; you can throw whatever you want in a script and then run it against the interactive endpoint, right? Then you have the ability to add admins. With the relay, you could do the administrator add that way, but there's some cases where SCCM limits you on script execution. By default you have to have a secondary set of credentials to approve it, so I'm giving you the power to just add another arbitrary user, and it can be a machine account, it doesn't have to be a user. So you can add a machine and then use those creds on the command line and it'll do all of your approval for you.

And then a fun thing about CMPivot. Okay, so the way that tool works is every endpoint will have a script installed on it, and it is the same script everywhere. It's not visible from the GUI, so administrators can't see it, they can't go and make changes to it. It's only available from the database or from the API. There is no integrity checking. It is stored in the database with a GUID which is universal. I tweeted out like, hey, does anyone have this GUID in their environment, and everyone was like, yep, that's the same one. And then it'll have it stored as the GUID and it'll have it stored as the file hash, and when it gets dropped to disk it is named GUID_filehash. So if you change the contents of it, the hash will change, that's fine, but it'll write it to the disk on your endpoints and then it'll be like, okay cool, does this script line up with what I have? It does, cool, we're good, we'll run it. So you can backdoor that and get pretty creative with things.

So this is the new help menu for the module. Essentially you'll jump in, this will be the CLI, and I've got a demo of how that works. So again, I didn't do too bad on the last one, but hopefully this video works well. Okay, so right off the bat you can kind of see, pause it, see, I already edited it to myself, I said I did good. So I ran a command and you can see that I'm using the -au and -ap; those are the alternate user, alternate password. So when you need that script approval requirement you just have to throw the creds on there and it'll store them, so that any time you run a script it'll just handle the approval for you, right? So build a database, we've got a log directory, we're going to try to keep as much information as possible, lots of timestamps and logging. If you are a consultant you do reporting, screenshots, right, need to have all that stuff in there.

Okay, so we're going to start with the help command and then we're going to run some of the data collection and database commands. Here I ran a get collection *, so you're going to pull down all of the collections first. It's not a huge pull; I think the most I've seen is like 50 in an environment and it was like a Fortune 10 company, so they're global, so it's an easy one. And then from then on you can get collection, you can run the same command for the collection ID, so we're starting to see those identifiers I was talking about earlier, right? Okay, move that. So now we're going to look for a specific user, this is lowpriv, and this is all coming from the API. I'll pause it after the next command, right here, and then we'll walk through it. Cool, right there. So I'm just checking on the low privilege user, it's a member of SCCM so I can pull information on it, lots of valuable stuff, right? You can see the SID, unique username, email, all that good stuff. So useful stuff.

Then the next command is get last logon administrator. Look at how bad I am with my DA account, I am logged in everywhere. So now you can go hunting for that if you were looking for a way to grab DA, right? Now you know every machine that account is currently signed in to, so you can either try to, you know, steal a ticket, get into a session, whatever it may be. Then we have a get puser, which is the primary user of PC, so query for PC3 user, who's our target for this assessment, right? Where are they, where is their primary daily driver device that they've been issued? PC3. Okay, so now we'll query for his device, or their device, so PC3, and now we know that the device ID is 16777226 and we're going to interact with that. So now any commands that we execute from this CLI are going to be against that device.

Okay, so now we'll run the ps command. This is part of the situational awareness stuff, so just what's the running processes, we'll pull that all back. Okay, so now we know what antivirus, EDR, whatever solution, if they have command line logging, so we can really think about our next steps, right? We're not doing anything malicious yet, we're doing all default living-off-the-land type stuff that is always in their environment. So this is a fun feature: you can actually list the file system. On the command line you'll see that it's got the device ID and then a C:\ or backslash, so you'll just change your directory. You'll have to put the full path, I'm not a great developer, but you can put the full path on that CLI and then run the ls and then cat commands to actually look at files. So if it's a plain text file, txt, csv, ps1, whatever it may be, you can actually view that. There's a size limit of 4 KB, so you can't pull the entire thing, but you get some of it, useful for SSH keys.

Okay, so oh yeah, I did it, I knew I was going to do it, all right. So now it's going to run the script. The script just has a bunch of different commands thrown in there just to show a demonstration of what you could do if you wanted, like I'm going to run a bunch of net commands, whatever, and then run the script. The way I designed the script execution is it will create the script, and then it will approve it with the approval credentials, and then it'll grab the operation ID, and then it's self-deleting. I don't want to leave anything on disk, so in that path, that directory, the script store directory, when the script is done it deletes itself, and when the script is done, from SCCM it deletes itself. I don't want to give free wins, I want you to work, so you can go into the logs and you can find it, you can go into the database and you can find the results, and script results only live in the database for 24 hours because they want to save space. So yes, nighttime testing.

Okay, so now we're going to pivot off that and we're going to focus on collections. So I chose SMS00001, which is everything, so we're going to go after all the systems, and now we're focused on what I was talking about with CMPivot. So there's a backup command, and there's guard rails in place that will not let you backdoor the script until you've backed up the script. I do not want pull requests or @s on Twitter saying, hey, I ran this and I broke the environment. Nope, if you got around the guard rails, that's on you. So we'll run the backup, it already exists, and then now we're going to backdoor the script. It's going to take whatever I did to the script and then actually upload it and change it. So it modified it, it approved it, and now we're going to run just an ipconfig command. The script, if you take a look at it, is really interesting, because there's certain WMI calls that aren't going to work with the DLL it loads, so it has some custom stuff. So you could find one CMPivot command they never run and use that, and that's your backdoor command, so that the tool will still work for their normal day-to-day stuff and never have a callback, but if you have admin still and you need the callback, you know which one to run. So we ran ipconfig, I backdoored ipconfig, and all it was is holding a PowerShell cradle to Cobalt Strike, and now I have a C2 in your C2 and I'm persistent. And so now you'll go back and, like good consultants, we are going to restore the CMPivot script, so there's no more backdoor, and that's that.

Okay, so what's next? This isn't all-inclusive for the post-exploitation that I want to do, this is just a release that I wanted to share with everyone here. I want to add support for packages and applications, which is what we were talking about earlier, where the research has already been done. My buddy Chris, who wrote SharpSCCM, has a lot of support for this already, so if you're running like inline-execute-assembly or something with the C# binary SharpSCCM, all this is available through there. I also had some support for task sequences; if you're familiar, like you're a recovering sysadmin who has had to support this, you know how task sequences are vulnerable to this type of thing and how much power those have. I currently have some logging, so essentially it's going to timestamp it and then just spit out the standard output, so that you know, if you needed to have a screenshot that you missed, which never happens, right, you can pull the logs up and actually see that. And then it is Python. I am well versed in how much everyone hates Python, so I want to dockerize it and kind of take away the issues with dependency hell, right? And then one last thing: we talked about Intune tenant attach. CMPivot, script execution, it's all available from Intune, so yeah, if you get completely kicked out of the environment, if you have access here, you're right back in.

So okay, so that was it. Thank you so much for listening. I have a few minutes if anyone has questions. Yeah, you first, right here, Hawaiian, yes sir.

Q: So you mentioned getting kicked out. I kind of wonder, it sounds like you're shooting fish in a barrel on this one, there's no real hope of anyone having good security here, but have you actually used this and not been successful because it's been a bit tied down?

A: No. So the question was, have I used any of this and not been successful because it was locked down? Unfortunately the answer to that is no. At this point, my boss Matt Nelson's been doing research on SCCM since like 2016 and he's been shouting it already, and if it hasn't been changed from then to now, we've got to keep yelling, I guess, just a little bit louder, a little bit higher. And that's the goal with this, is to facilitate that. So if you can demonstrate to your clients these issues, then the likelihood of them fixing it just goes that much better, especially because I feel like our industry overall is getting more focused on living-off-the-land type stuff. So if you just have 30,000 system-level beacons waiting for me to get them, I'm going to go straight to it. But there are a lot of opportunities for hardening, which is great. So there was another question, sorry, you're next.

Q: So what I was going to ask is, from like a system analysis perspective, if you were trying to analyze it, right, let's say you didn't follow the recommendation, you didn't shut down those draws, how do you even detect someone who was doing malicious behavior in the flow? So I've got so many things that are going to pop at the system administrator level, how do I identify the malicious behavior if I didn't follow Microsoft's recommendations and just like lock it out? Because I cannot follow it now that I know I need to identify it, if I've got all this, all the mess, all the noise.

A: Yeah, see, I mean, that's why detection engineering is a career field, right? From my perspective, when I worked in it, I actually talked to a friend of mine who's here, Blake, somewhere. The hash itself, so that name, that's what I would do, and that's what he suggested too, is monitor that file that'll be dropped on endpoints for a change. So the GUID is universal, that will never change, but the hash will. So if I mess with it, the hash has changed, so there's your detection right there for the backdoor on the CMPivot. If that file name changes to a different hash, that's your alert. I can't help you with the scripts, those are named the same way and they change every time, but if you want to detect the backdoor, that's it. And then I don't know, good luck the rest of the way, I'm sorry. Yeah, and then one more question.

Q: What is the minimum level of privilege that you can actually start using this? I can imagine that the answer is like just basically getting your first toehold on the domain, you might be able to start making use of this, but like what's the minimum level of privilege that you can use this to start the SCCM abuse, or this CLI specifically?

A: The SCCM? Oh, well essentially everything starts from authenticated. So if I have a credential in your environment and you have SCCM, I feel pretty confident I could go get it, because there's a lot of over-privilege, over-privileged defaults, and anyone who's supported this infrastructure knows that it's one of those tools where it works, don't change anything, and so that lives forever.

Q: So this is like a situation where like any level of AD credentials could lead to potentially...

A: Yes. So a lot of what the abuse is, is that site server machine account. I think the most common thing I see is that we'll over-privilege it enough to give it admin over all servers and workstations. There was a Reddit post two days ago that said that they did that explicitly because it was more secure. I can control that machine and send it anywhere, so if you have SMB signing disabled, I win. And then there's the issue with the old school network access accounts, where you're using a service account to push installations places, but those credentials live on disk in perpetuity, so you could say like it's unenrolled from SCCM but it's privileged and I can pull it out of DPAPI, which is a blog post by Duane Michael called "The NAA Must Die," so you should go check that out, it's really interesting. There's a lot of abuse potential. But unfortunately that is my time, I don't want to eat into the next speaker's time, so if you have any other questions I'll be in the hallway, but thank you again so much, you guys, appreciate it.
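The detection the speaker recommends in the Q&A (the CMPivot script's GUID never changes, so alert when the file dropped to the client script store carries that GUID with a different hash in its name), written out as an added example. This is not code from the talk or from SCCMHunter. It assumes the <GUID>_<hash> file naming the talk describes, assumes SHA-256 as the hash algorithm (the talk does not name it), and uses a constructed placeholder GUID and a temporary directory in place of a real client's script store. It also adds a second check the talk does not mention: a file whose bytes no longer hash to the value in its own name.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# The talk describes the dropped file as "<GUID>_<file hash>". The 64-hex-char
# hash below ASSUMES SHA-256; the talk does not name the algorithm.
NAME_RE = re.compile(
    r"^(?P<guid>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})_(?P<hash>[0-9a-f]{64})$",
    re.IGNORECASE,
)

# Constructed placeholder, NOT the real universal CMPivot script GUID.
DEMO_GUID = "11111111-2222-3333-4444-555555555555"
ORIGINAL = b"# constructed stand-in for the CMPivot script body\nGet-Process\n"
MODIFIED = ORIGINAL + b"# one extra line: the script was changed upstream\n"


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def content_hash(path: str) -> str:
    """Upper-case hex SHA-256 (assumed algorithm) of a file's bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def scan_store(directory: str, baseline: dict[str, str]) -> list[Finding]:
    """Check every file in a script store against a GUID -> approved-hash baseline.

    Reports three conditions:
      1. a file whose name is not <GUID>_<hash>
      2. a file whose bytes do not hash to the value carried in its own name
      3. a known GUID whose hash in the name differs from the baseline, i.e. the
         universal script was modified and re-dropped (the case from the talk)
    """
    findings: list[Finding] = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        m = NAME_RE.match(name)
        if m is None:
            findings.append(Finding(path, "filename does not match <GUID>_<hash>"))
            continue
        guid = m.group("guid").upper()
        claimed = m.group("hash").upper()
        if content_hash(path) != claimed:
            findings.append(Finding(path, "file bytes do not hash to the value in the filename"))
        expected = baseline.get(guid)
        if expected is not None and expected != claimed:
            findings.append(Finding(
                path, f"script {guid} changed: baseline hash {expected[:12]}, now {claimed[:12]}"))
    return findings


def drop_script(directory: str, guid: str, body: bytes) -> str:
    """Write a script the way the talk describes the client doing it: name = GUID_hash."""
    digest = hashlib.sha256(body).hexdigest().upper()
    path = os.path.join(directory, f"{guid}_{digest}")
    with open(path, "wb") as f:
        f.write(body)
    return path


def demo() -> dict:
    """Run the scanner over a constructed store and return what it found."""
    baseline = {DEMO_GUID: hashlib.sha256(ORIGINAL).hexdigest().upper()}
    with tempfile.TemporaryDirectory() as store:
        # 1) the approved script, unchanged: must produce no findings
        clean = drop_script(store, DEMO_GUID, ORIGINAL)
        clean_findings = scan_store(store, baseline)
        os.remove(clean)
        # 2) modified script re-dropped by the client: same GUID, new hash in the name
        drop_script(store, DEMO_GUID, MODIFIED)
        # 3) a file whose name still claims the approved hash but whose bytes differ
        with open(os.path.join(store, f"{DEMO_GUID}_{baseline[DEMO_GUID]}"), "wb") as f:
            f.write(b"bytes that do not match the name\n")
        # 4) something that should not be in the store at all
        with open(os.path.join(store, "notes.txt"), "wb") as f:
            f.write(b"stray file\n")
        findings = scan_store(store, baseline)
    return {"clean_findings": len(clean_findings), "findings": findings}


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(f"{finding.reason}: {finding.path}")
```

The baseline is the part an operations team has to maintain: record the GUID-to-hash pair once from a known-good client after each Configuration Manager update (a legitimate update changes the hash too), then run the scan against the real script store path on a schedule or trigger it from a file-creation event in that directory. Condition 3 is the alert the speaker describes; condition 2 only fires if something rewrites the file in place after the client dropped it.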