An ACE in the Hole: Stealthy Host Persistence via Security Descriptors

Presented at DerbyCon 7.0 Legacy (2017), Sept. 22, 2017, 5 p.m. (55 minutes)

"Attackers and information security professionals are increasingly looking at security descriptors and their ACLs, but most previous work has focused on escalation opportunities based on ACL implementation flaws and misconfigurations. However, the nefarious use of security descriptors as a persistence mechanism is rarely mentioned. Just like with Active Directory ACLs, it's often difficult to determine whether a specific security descriptor was set intentionally by an IT administrator, intentionally set by an attacker, or inadvertently set by an IT administrator via a third-party installation program. This uncertainty decreases the likelihood of attackers being discovered, granting attackers a great opportunity to persist on a host and in a network. We’ll dive deep into ACLs/DACLs/SACLs/ACEs/Security Descriptors and more, giving you the background to grasp the capabilities we’re talking about. Then we’ll describe dive into several case studies that demonstrate how attackers can use securable object takeover primitives to maliciously backdoor host-based security descriptors for the purposes of persistence, including, “gold image” backdooring, subverting DCOM application permissions, and more. We’ll conclude with an exhaustive overview of the deployment and detections of host-based security descriptor backdoors. All along the way we’ll be releasing new tooling to enumerate, exploit, and analyze host-based security descriptors. " Lee Christensen (@tifkin_) is a red team operator, threat hunter, and capability engineer for SpecterOps. Lee has performed red team and hunt engagements against Fortune 500 companies for 5 years, and has trained information security professionals about offensive/defensive tactics at events throughout the world, including Black Hat USA/Europe/Asia. Lee is the author of several offensive tools and techniques, including UnmanagedPowerShell (derivatives now incorporated into the Metasploit, Empire, and Cobalt Strike toolsets) and is a co-author of KeeThief. Matt Nelson (@enigma0x3) is a red teamer and security researcher for SpecterOps. Matt has a passion for offensive PowerShell, is an active developer on the PowerShell Empire project, and helps build offensive toolsets to facilitate red team engagements. He has published research on a number of novel UAC bypasses and holds CVEs for his Device Guard bypass research. Will Schroeder (@harmj0y) is an offensive engineer and red teamer for SpecterOps. He is a co-founder of Empire/Empyre, BloodHound, KeeThief, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON, Black Hat, DerbyCon, Troopers, BlueHat Israel, and various Security BSides. Lee - @tifkin_ Matt - @enigma0x3 Will - @harmj0y