Execution and Other Tactics

Execution

Command and Scripting

This is a MITRE ATT&CK technique widely used for obtaining Execution. One of the many examples in which it has been used is PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (CISA alert February 2024).

• Windows cscript man page.
• Windows Scripting Host and Javascript
• What is PowerShell and how to use it: The ultimate tutorial
• Command Line Commands – CLI Tutorial Windows shell tutorial.
• Bash Scripting Tutorial – Linux Shell Script and Command Line for Beginners
• Getting started with VBA in Office Windows VisualBasic for Office (Excel etc)

Reverse shells

This is a "concept" not mapped easily on MITRE ATT&CK Techniques. Essentially, it is a specific form of malware executed on a victim machine in the Execution Tactic.

• Reverse Shell Generator An interactive webapp where one specifies the software tools and platforms available on the target, those available on the listener and it generates the corresponding commands. A myriad of options are supported. Have a look.

• Collections of reverse shell commands for a variety of different platforms:

  • Reverse Shell Cheat Sheet.
  • Reverse Shell Cheat Sheet: PHP, Python, Powershell, Bash, NC (netcat), JSP, Java, Perl.

• How to Use The Netcat (nc) Command: An In-Depth Tutorial Netcat is one of the most versatile networking tools for system administrators – it is called the Swiss army knife of Networking. This tool can be used for creating any connections over TCP or UDP protocol...Netcat can also perform port scanning, file transfer, and sometimes it might be used by the hackers or penetration testers for creating a backdoor into a system.

• netcat man page

Shellcodes and Command injection

Shellcodes are roughly related to the Execution Tactic (how to construct exploit payloads, more or less).

• Wikipedia has a nice description of shellcodes (i.e., first-stage malware).
• msfvenom is a payload generator (part of Metasploit) for writing shellcodes in a specified format, given an input program. Another example of usage below in this page

One of the many examples of command injection vulnerability, which is much easier to exploit as the payload is merely a shell command:

• CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster "...The “REMOTE_USER” and “REMOTE_PASS” parameters, which can be controlled by any unauthenticated user by sending a basic authentication request, are used to construct a command ... and then passed into a “system()” call without any validation or sanitization." with a suitable choice of injected shell commands, one can take full control of the platform.

Persistence

• PERSISTENCE A list of 39 (thirty nine) different techniques for obtaining Persistence in Windows.

Web shells

Sub-technique of Server Software Component).

• Build A Simple Web shell (PHP)
• Breaking Down the China Chopper Web Shell Part I and Part II. This web shell is one of those included in the Joint report on publicly available hacking tools mentioned above.

Some of the many alerts about web shell implants.

• Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells An alert by CISA to notify of the explolitation of a certain unauthenticated remote code execution (RCE) vulnerability to drop a webshell in critical infrastructure organizations.
• Tomcat Under Attack: Exploring Mirai Malware and Beyond Not particularly sophisticated and much less relevant and surprising than claimed in the post...just a few hundreds web shells planted by using default Tomcat credentials. Nice to read and well written, though.

Privilege Escalation

A few Linux-focused documents.

• Part 1 and Part 2.
• CVE-2021-4034 A local privilege escalation vulnerability was found on polkit’s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn’t handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it’ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

DLL Abuse

This is a "concept" related to several MITRE ATT&CK techniques in Persistence, Privilege Escalation, Defense Evasion.

Dynamic-link libraries (DLLs) are code modules that contain sets of functions that other executables can call. Unlike statically linked libraries, which become part of an executable during the compilation process, DLLs can live on their own outside of the application that uses them. There are two ways to perform linking with DLLs:

• In implicit linking, during the compilation phase, the application links with an import library file provided by the developer of the DLL. When the application is loaded, the Windows loader will identify that there is a dynamically linked reference and load the DLL into the application’s address space.
• In explicit linking, the application loads the DLL with the use of the LoadLibrary function, and resolves pointers to functions that it would like to call by calling GetProcAddress.

Resources

• DLL Hijacking – Juggernaut Pentesting Academy We will be focusing on two different types of DLL hijacking, which can both be leveraged to obtain a SYSTEM shell.
• DLL Injection: Background & DLL Proxying. The first of a 5-part and in-depth analysis of DLL injection in Windows. Next parts are: Windows Hooks, Remote Threads, Thread Context Hijacking, Manual Mapping.
• Persistence – DLL Proxy Loading Technique in which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate DLL in an attempt to not disrupt the execution flow so the binary is executed as normal. The technique falls under the category of DLL Hijacking and it is typically utilized as a stealthier method to load an arbitrary DLL without breaking the original operation of a process which might be an indicator of compromise for defenders.

Examples

• Hackers Hijacked Notepad++ Plugin to Execute Malicious Code Hackers have successfully manipulated a plugin within the Notepad++ package, mimeTools.dll. By altering this dll file, they disguised the malicious code as a legitimate part of the Notepad++ package.
• Technical Advisory: Vulnerabilities Identified within ListServ ListServ is a widely used email list management application. In October 2023 a DLL hijacking vulnerability was identified (section "Local Privilege Escalation via DLL Hijacking").
• Writeup of hacking a vulnerable machine called Bruno in VulnLab. One the steps (SampleScanner APP) is based on a form of DLL hijacking. A malicious DLL is written in a folder determined with process monitor and dnspy. Actual writing occurs with a path traversal in unzipping.

Tools

• A listing of the DLLs loaded by an executable can be obtained with Process Monitor from sysinternals.
• Decompilation of a specified DLL (in order to see which files are possibly loaded by that DLL from which directory) can be done with dnspy. This conversation with ChatGPT colink explains how to use DNSpy for DLL analysis.
• List of DLL Hijacking candidates: A mapping between DLLs and vulnerable executables is kept and can be searched via this website. For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts.