SeeSeeYouExec: Windows Session Hijacking via CcmExec

Over the last several years, the security community has witnessed an uptick in System Center Configuration Manager (SCCM)-related attacks. From extracting network access account (NAA) credentials to deploying malicious applications to targeted devices, SCCM attacks have aided in accomplishing complex objectives and evading existing detections. Mandiant’s Red Team has utilized SCCM technology to perform novel attacks against mature clients where conventional methodology was not possible. One such SCCM attack is introduced in this blog post.

There was a time when red teamers with elevated privileges on a Windows system could effortlessly inject shellcode into an unsuspecting user’s processes. This allowed red teamers to carry out post-exploitation activities within that new process, such as keylogging or accessing LDAP as the affected user. However, as endpoint detection and response (EDR) systems have improved, remote process injection has turned into a risky operation, pushing red teamers to seek alternative methods to hijack a user’s session.

Enter CcmExec, a service native to SCCM Windows clients that has an interesting design that is useful for red teamers. In this blog post, we delve into how the CcmExec service can be utilized for session hijacking and introduce CcmPwn, a tool designed to facilitate this technique. Finally, we will discuss detection strategies for security teams.

AppDomainManager Injection

Before diving into CcmExec, it is important to understand the intricacies of AppDomainManager injection, a loader hijacking technique used by attackers to execute arbitrary code within a .NET application. In essence, the .NET framework provides a way to manage application domains, which are isolated environments where .NET applications can run code. The AppDomainManager class is a key part of this infrastructure, responsible for creating and managing these application domains. However, if an attacker were to override the AppDomainManager class constructor, they could force the hosting application to run attacker-defined behavior when creating an application domain.

The most common method to perform AppDomainManager injection is through a .config file. This approach involves modifying the application’s configuration file to specify a custom dynamic-link library file (DLL) and AppDomainManager to be executed by the .NET application. Here’s how it’s done:

  1. Create a custom AppDomainManager: Develop a class that derives from AppDomainManager and includes malicious code. Compile this class into a DLL.

  2. Create a configuration file: Modify or create the application’s .config file (e.g., “application.exe.config”) and add the following XML elements under the runtime section to specify the custom DLL and AppDomainManager:

        <configuration>
          <runtime>
            <appDomainManagerAssembly value="YourDLL, Version=, Culture=neutral, PublicKeyToken=null" />
            <appDomainManagerType value="YourAppDomainManager" />
          </runtime>
        </configuration>


  3. Execute the application: When the .NET application is executed, the .NET runtime reads the .config file located in the same folder and loads the specified custom AppDomainManager. The code within the AppDomainManager is then executed within the context of the application.

Hijacking CcmExec

When analyzing the CcmExec service’s process, CcmExec.exe, with a process analysis tool such as Process Explorer, a couple of things immediately stand out. The first thing that catches the eye is that the process spawns the C:\Windows\CCM\SCNotification.exe process for every interactive session on the Windows system, as shown in Figure 1. SCNotification.exe is a component of the SCCM client responsible for displaying notifications to the user, such as software installation prompts or restart notifications.


Figure 1: CcmExec.exe child processes

Upon further inspection, it turns out that the SCNotification.exe file is a .NET application, which comes with its application configuration file at C:\Windows\CCM\SCNotification.exe.config. Do you see where this is going?

By having administrator privileges on a Windows system configured as an SCCM client, we could modify the configuration file to instruct the .NET application to load a malicious DLL and obtain code execution on behalf of every logged-in user! The attack is simple:

  1. Upload a malicious DLL to the target system: This DLL contains the AppDomainManager code to be executed in the user’s session.

  2. Modify the SCNotification.exe.config configuration file: Point to the malicious DLL within this file.

  3. Restart the CcmExec service: This action causes the CcmExec.exe process to restart and run SCNotification.exe for every logged-in user.

This technique provides a stealthy way to execute code across multiple user sessions without having to rely on remote shellcode injection.

Weaponizing Session Hijacking with CcmPwn

Weaponizing this technique is straightforward. Using the Impacket library, we developed CcmPwn to execute the aforementioned attack and hijack user sessions. CcmPwn is equipped with various modules. The exec module uploads a custom configuration and DLL file to the target system, remotely restarts the CcmExec service, and then reuploads the original configuration file. An example is illustrated in Figure 2 and Figure 3, where using CcmPwn provided us with Cobalt Strike beacons for the hijacked sessions.


Figure 2: CcmPwn exec module


Figure 3: Cobalt Strike beacon for every logged-in user

Additionally, CcmPwn features a coerce module, which coerces an SMB or HTTP authentication request for every logged-in user. Red teamers can leverage these coerced authentications to attempt password cracking or conduct relay attacks. This module does not require a DLL, as it simply uploads a malicious configuration file to the target. This file instructs SCNotification.exe to load a file from an attacker-controlled file share, as shown in Figure 4 and Figure 5.


Figure 4: CcmExec coerce module


Figure 5: Obtaining coerced password hashes

Defensive Considerations

Depending on the security information and event management (SIEM) or EDR solution in use, this attack can be detected in a variety of ways. The following defensive measures are recommended:

  • Monitor for 1026 Events for SCNotification.exe: Event ID 1026 is associated with .NET runtime errors. When using CcmPwn’s coerce module, SCNotification.exe attempts to load a non-existent DLL from an attacker-controlled file share. Since the DLL cannot be found, the application produces a System.IO.FileLoadException error. An example of this behavior is shown in Figure 6.

Figure 6: .NET Runtime error for SCNotification.exe

  • Monitor for 7036 Events and Remote Logon Type 3: The 7036 event corresponds to the starting and stopping of services. By monitoring this event, security teams can detect suspicious restarts of the CcmExec service, which may indicate an attempt to hijack user sessions. When using CcmPwn, a logon type 3 (network logon) event will occur at the same time as the service stop, followed by a 20-second delay before the service is started again. Monitoring for this pattern can help triage these service events and provide context around potentially malicious activity.
  • Monitor File Modification and Configuration Strings: Since attackers need to modify the SCNotification.exe.config file to execute this attack, monitoring for changes to this file can provide an early warning. Additionally, the presence of the “AppDomainManagerType” string in the configuration file should be scrutinized, as it is used in AppDomainManager injection attacks. Security teams should investigate any unexpected occurrences of this string in SCNotification.exe.config.
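The three indicators above as detection logic, written here as an added example (not code from the original post or from CcmPwn). Event records are constructed dicts standing in for Windows event-log entries; event 4624 is assumed as the Security-log event that carries the logon type the post refers to, and the config strings are constructed samples.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta


def config_names_appdomainmanager(xml_text):
    """True if a .config sets appDomainManagerType/appDomainManagerAssembly,
    the <runtime> elements AppDomainManager injection relies on."""
    wanted = {"appdomainmanagertype", "appdomainmanagerassembly"}
    return any(el.tag.lower() in wanted for el in ET.fromstring(xml_text).iter())


def dotnet_load_failures(events):
    """Event 1026 (.NET Runtime) for SCNotification.exe reporting FileLoadException,
    the symptom of the coerce module pointing the config at a share with no DLL."""
    return [e for e in events if e["id"] == 1026
            and "scnotification.exe" in e["message"].lower()
            and "System.IO.FileLoadException" in e["message"]]


def suspicious_ccmexec_restarts(events, window=timedelta(seconds=30)):
    """7036 'stopped' for CcmExec coinciding with a type-3 (network) logon and
    followed by 7036 'running' within `window` (the post reports ~20 s)."""
    svc = [e for e in events if e["id"] == 7036 and e.get("service") == "CcmExec"]
    logons = [e["time"] for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    hits = []
    for stop in (e for e in svc if e["state"] == "stopped"):
        t0 = stop["time"]
        if not any(abs(t - t0) <= timedelta(seconds=5) for t in logons):
            continue  # e.g. a local reboot: no remote logon alongside the stop
        for start in svc:
            if start["state"] == "running" and t0 < start["time"] <= t0 + window:
                hits.append((t0, start["time"]))
                break
    return hits


# Constructed sample data: one hijack-like sequence, then a benign restart.
T = datetime(2024, 3, 30, 15, 21, 0)
SAMPLE_EVENTS = [
    {"id": 4624, "time": T, "logon_type": 3},
    {"id": 7036, "time": T, "service": "CcmExec", "state": "stopped"},
    {"id": 7036, "time": T + timedelta(seconds=20), "service": "CcmExec", "state": "running"},
    {"id": 1026, "time": T + timedelta(seconds=25),
     "message": "Application: SCNotification.exe Exception Info: System.IO.FileLoadException"},
    {"id": 7036, "time": T + timedelta(hours=2), "service": "CcmExec", "state": "stopped"},
    {"id": 7036, "time": T + timedelta(hours=2, seconds=3), "service": "CcmExec", "state": "running"},
]
SAMPLE_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="SomeAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="SomeType" />
</runtime></configuration>"""
CLEAN_CONFIG = "<configuration><runtime/></configuration>"
```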

By implementing these defensive measures and adapting them to the specific capabilities of their SIEM or EDR solutions, organizations can enhance their ability to detect and respond to session hijacking attacks via the CcmExec service.

Originally published by Andrew Oliveau: SeeSeeYouExec: Windows Session Hijacking via CcmExec

Copyright notice: posted by admin on March 30, 2024 at 3:21 PM.