Abusing network shares for efficient lateral movements and privesc (DirSharePivot)

About a year ago my team and I were called to perform a forensic analysis on a customer network. The reason for this was that a computer was first infected by ransomware and, for some (unknown) reason, several other workstations were getting "infected" after only 3 hours.
After 5 hours (the time of my intervention) I discovered that:
- 80% of the workstations were infected
- The network was partially segmented, but the infection occurred on all segments
- A malware process was even running on the file server as... "Domain Administrator" :-/
- No trace of 4624 (Logon Type 3) events or any other trace of lateral movement/authentication
Interesting... hum :)

In this article I will describe my analysis of the threat and also how to take advantage of this method in a "safer" and more "controlled" way to move laterally (or even perform privesc) in red team operations (practical exploitation code will be provided).
This method may be particular…

CVE-2017-0199 Practical exploitation! (PoC)

For several days the security community has been informed, thanks to a FireEye publication, of different malware campaigns (Dridex...) spread using CVE-2017-0199.
Several other publications were related to this vulnerability, but no working exploit was published.
After digging for a while I found a way to exploit this vulnerability easily, which seems to be a bit different from the work already done by other researchers.

I decided to publish this work as Microsoft officially published a patch on 11 Apr 2017.

Technical background

It is possible to include OLEv2 links to existing documents. These objects (once included) will reflect the current content of the source link once loaded in the document. What is amazing is that if you try to include an HTA link as an OLEv2 object, it will be executed once (at creation), but Winword will return an error like:

The problem in this case is that the HTA file will not be persistent (to make it persistent you would ha…