Attack and Defense insights on weakness due to unquoted Service Path

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Service paths  and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe").  (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program.  

This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.

The words are exactly as per mitre  Hijack Execution Flow: Path Interception by Unquoted Path.The purpose of this blog is to understand how the process looks like on Attack side, specifically to highlight which is the crucial area the defender can use to spot the attacker. 

Lets review the attack side first

Auditing the system to know the options attacker has on the system

The Output will be similar to do this

Now lets see how the attacker uses the unquoted service path weakness in the system

Attack VS Defense : 

Now lets have a top level understanding of where the defense team has opportunity to spot the attacker. on the above mentioned process.

Attacker : Attacker loaded powersploit module after execution policy bypass in powershell

Defender: Defender can monitor powershell commands executed where execution policy bypass may be a low severity indicator , however invoke expression pointing towards github page is definite suspicious behavior.

Attacker : Attacker created services.exe and renamed it to filezilla.exe after placing them in relavent path and restarted the machine to have the persistence

Defender : All the actions performed here are suspicious behavior,if sufficient monitoring is in place on windows telemetry

Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.

Defense Strategy

Auditing

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations

Execution Prevention

Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate

Restrict File and Directory Permissions

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.

Code execution with powersploit using Invoke-DLLInjection

 

Attackers may use malicious DLL to run in the context of another process for various intent like privilege escalation ,defence evasion etc.DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend.

The purpose of the blog is to demonstrate how the process flow looks on an attackers standpoint with the help of open source pentesting tools and from where it is possible for a defender to start analysis on the post exploitation attacker activity.

The images shown below shows details of commands related to msfvenom to create a dll to spawn a shell towards attacker machine on port 5555

The actions mentioned below are performed on the machine belonging to the victim.The Webserver created on the attacker system using python on port 8080 is accessed to download the malicious dll created.Then the Dll is injected into notepad process using powersploit.The command used on this case is Invoke-Dllinjection.On successfull exploitation the victim system contacts the attacker environment with shell access on port 5555 

On a Attacker vs defender standpoint -

Did you note how many known malicious behavior we have seen during this entire chain ?

Attacker : 1  - creating malicious. DLL using MSF venom,attacker creating a webserver and listner

Defender : out of the radar

Attacker :Attacker accessing url with browser to download malicious dll 

Defender : Yes network connection might be captured , A file may be present in the filesystem however these are all usual events and will be sinked in ocean of data defender have to deal with. A chance of signature based detection may point at malicious dll and quarantine at some cases

Attacker :Attacker might have disabled execution policy in powershell ,module of powersploit has been loaded,Invoke DLL has been used to create a session with attacker system

Defender : A definite indicator is found here starting from powersploit module. is being loaded and commands executed in the system memory , injection of dll is done in the genuine windows process ,may be some persistence using task schduler,anomalous tcp session on port 5555,beaconing towards the attacker machine

Now from the known bad behavior the defender can pivot through all the indicators and collect all traces attacker has left during this attack cycle.

Detection

data sources:

• API monitoring
• Windows Registry
• File monitoring
• DLL monitoring
• Process monitoring
• Named Pipes

Process monitoring

Process monitoring is a minimum requirement for reliably detecting Injection. Even though injection can be invisible to some forms of process monitoring, the effects of the injection can become harder to miss once you compare process behaviors against expected functionality.Generally on windows system integrity native windows process is a top candidate to monitor for spawning high or system integrity application or making abnormal filesystem,registry,network & memory activities

API monitoring

monitor API system calls that include CreateRemoteThread. This will indicate a process is using the Windows API to inject code into another process. 

Registry monitoring : Look for persistence due to modification in registry

File monitoring,DLL monitoring,Named Pipes, there are no direct indicator to write at this point however it have to be correlated with other known bad behaviors