Windows 10 URI persistence technique
- 1. Backoori Tool Aided Persistence via Windows URI Schemes Abuse
- 2. I’m Giulio Security Engineer Passion for different IT security areas: web, mobile, thick clients, network, OS hardening, code reviews https://twitter.com/giulio_comi https://github.com/giuliocomi/ https://www.secjuice.com/author/giulio_comi/ https://www.linkedin.com/in/giuliocomi/ https://github.com/giuliocomi/backoori whoami
- 3. https://github.com/giuliocomi/backoori 1. URI persistence technique o Abstract of the research behind Backoori o Comparison to other common userland techniques o Raise of URI persistence: Manual Demo of novel Narrator Accessibility Feature Abuse o Behind the scene: Mapping URI scheme to its Universal App handler o Benefits and Constraints 2. Backoori o Go & Powershell, an unexpected duo o Tool Architecture o Tool Output Sample o Demo 1: Hijacking ‘tel:’ URI - User triggered persistence scenario o Example of Analysis Before and After the Agent execution o Demo 2: Hijacking Multiple URIs o Demo 3: Going beyond User triggered persistence via web ‘attack surface’ o Live Demo: Hijacking ‘https’ URI to mess with Powerpoint itself o Few words about Detection 3. Morale Agenda
- 4. Backoori ("Backdoor the URIs") is a Proof of Concept tool aimed to automate the fileless URI persistence technique in Windows 10 targets. “The widespread adoption of custom URI protocols to launch specific Windows Universal App can be diverted to a nefarious purpose. The URI schemes in Windows 10 can be abused in such a way to maintain persistence via the 'Living off the Land' approach. Backdooring a compromised Windows account in userland context is a matter of seconds. The operation is concealed to the unaware victim thanks to the URI intents being transparently proxyed to the legitimate default application. The subtle fileless payloads can be triggered in many contexts, from the Narrator available in the Windows logon screen to the classical ‘web attack surface’.” ‘feedback-hub://’ URI https://github.com/giuliocomi/backoori ‘https://’ URI ‘ms-settings://’ URI Abstract of the research behind Backoori
- 5. Partial list of common userland persistence techniques Have a look at a more complete list curated by Mitre: https://attack.mitre.org/tactics/TA0003/ https://github.com/giuliocomi/backoori Technique Low privileges Fileless Stealthy “Run” Registry keys ✔ ✔ ✖ Scheduled Tasks ✔ ✔ ✖ Startup Folders ✔ ✖ ✖ Image File Execution Options ✖ ✔ ✔ COM Hijacking ✔ ✖ ✔ Create backdoor account ✖ ✖ ✖ WMI Event Subscription ✖ ✔ ✔ Install Service ✖ ✖ ✖ Accessibility Features ✖ ✖ ✖ URI persistence ✔ ✔ ✔ Comparison to other common userland techniques
- 6. Major advantages… • Living of the Land mindset (payload is saved in a Windows Registry string) • Does not require administrator privileges when targeting Standard User victim • Stealthy: icon in the Settings “default apps by protocol” is not modified • Stealthy: the request is transparently forwarded to the legitimate default handler • Antivirus likely will not detect the technique Demo videos playlist ...but along with advantages come constraints • Fileless persistence techniques pops for few milliseconds a visible window • Often requires User Interaction => User triggered persistence technique Note: not easy to know in advance or generalize for non User triggered persistence scenario: it really depends if apps on the victim computer use constantly some URI schemes in background However, for example with a malicious website we overcome this problem, more on this at the end ;-) https://github.com/giuliocomi/backoori Benefits and Constraints
- 7. https://github.com/giuliocomi/backoori Raise of URI persistence: manual demo of novel Narrator Accessibility Feature Abuse
- 8. Procmon to the rescue! …old but gold to tracking down the flows Try out Procmon Why? Also valuable for finding Local Privilege Escalations via ACL misconfigurations Luckily, all of this is implemented in Backoori https://github.com/giuliocomi/backoori Behind the scene: Mapping URI scheme to its Universal App handler
- 9. CLI menu to parse the available payloads and fill them with the user input parameters • Fun to code • Pointers • Building cross-platform in one built-in command: $ env GOOS={OS} GOARCH=amd64 go build -o backoori main.go • Statically typed Agent to run in the post exploitation scenario to add a URI persistence backdoor • ‘Living of the land’ ideal candidate (payload is saved in a Windows Registry value) https://github.com/giuliocomi/backoori Go & Powershell, an unexpected duo
- 10. Payloads templates URIs and payloads parameters URI list agent Fill agent template with gadgets and parameters BACKOORI *Optionally* (“--online”) start a custom webserver to deliver the gadgets that will be downloaded by the agent cli Payloads to drop crafter ingestor https://github.com/giuliocomi/backoori resources Tool Architecture
- 13. https://github.com/giuliocomi/backoori Demo 1: Hijacking ‘tel’ URI - User triggered persistence scenario
- 14. https://github.com/giuliocomi/backoori Default state for ‘feedback-hub’ URI State after a hijack Example of Analysis Before and After the Agent execution
- 15. https://github.com/giuliocomi/backoori Demo 2: Hijacking Multiple URIs
- 16. https://github.com/giuliocomi/backoori Demo 3: Going beyond user triggered persistence via web ‘attack surface’
- 17. https://github.com/giuliocomi/backoori Live Demo: Hijacking ‘https’ URI to mess with Powerpoint itself
- 18. Being URI persistence undocumented, no security solutions as reason to monitor these registry keys Dirty approach: monitor the “Default” string value under each Universal App: https://github.com/giuliocomi/backoori Few words about Detection The idea is that if one of them is not empty or not calling a legitimate binary (false positive), then it will be almost certainly the result of an hijacked Universal App
- 19. The URI persistence has many benefits over other well-known techniques At the same time there are limitations to overcome Golang is powerful to design standalone tools Powershell is an easy-win choice when it comes to scripting in Windows https://github.com/giuliocomi/backoori Morale
- 20. Adding logging and symmetric payload encryption to the web server that deploys the gadgets Support gadget interactions Weaponizing the tool from standalone project to Metasploit persistence module https://github.com/giuliocomi/backoori Potential next steps
- 21. on the URI persistence technique? on Backoori? on using Golang and Powershell in your next tool? Please get in touch https://github.com/giuliocomi/backoori @giulio_comi Feedbacks
- 22. https://github.com/giuliocomi/backoori Special Thanks to... @BlackHatEvents @ToolsWatch team my colleagues @ ING Belgium Volkan, @alexs1us, Flavio for review And last but not least, to You for listening! Enjoy Black Hat !
- 23. Source Code: https://github.com/giuliocomi/backoori Demo playlist: https://www.youtube.com/playlist?list=PL3SG0KtxnwECfDk8RtOF4MFr57bVv4LED https://github.com/giuliocomi/backoori References