11.Hyper-v-administrators

takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

sc.exe start MozillaMaintenance

Key Points:

  • Virtualization Access:

    • Members of Hyper-V Administrators have full control over virtual machines.

    • This allows them to clone Domain Controllers and extract NTDS.dit files.

  • .vhdx File Deletion and Hard Links:

    • When a .vhdx file is deleted, vmms.exe attempts to restore permissions as SYSTEM.

    • This can be abused to create hard links to protected files.

    • This is based on CVE-2018-0952 or CVE-2019-0841, or an application that installs a service that runs as system.

  • Mozilla Maintenance Service Example:

    • The Mozilla Maintenance Service can be targeted for this exploit.

    • A PowerShell script can be used to grant full control over the maintenanceservice.exe file.

    • The file can then be replaced with a malicious executable.

    • Starting the service results in SYSTEM-level command execution.

  • Mitigation:

    • The hard-link exploit has been mitigated by the March 2020 Windows security updates.

Approach, Commands, Tools, and Techniques:

1. Virtualization Access:

  • Technique:

    • Clone virtualized Domain Controllers.

    • Mount virtual disks offline.

    • Extract NTDS.dit files.

  • Tools:

    • Hyper-V Manager.

    • Virtual Disk tools.

  • Outcome:

    • Domain wide credential access.

2. Hard-Link Exploit:

  • Technique:

    • Delete a .vhdx file.

    • Create a hard link to a protected file (e.g., maintenanceservice.exe).

    • Replace the linked file with a malicious executable.

    • Start the associated service.

  • Tools:

    • PowerShell (for hard-link creation).

    • takeown (for file ownership).

    • sc.exe (for service management).

  • Commands:

    • takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

    • sc.exe start MozillaMaintenance

  • PowerShell:

    • PowerShell script to create the hard link and modify file permissions.

  • Outcome:

    • SYSTEM level command execution.

3. Considerations:

  • Vulnerability:

    • The hard-link exploit relies on specific vulnerabilities (CVE-2018-0952, CVE-2019-0841) or vulnerable services.

    • The core hard link exploit is patched as of March 2020.

  • Mitigation:

    • Keep systems patched.

    • Implement least privilege for Hyper-V administrators.

    • Monitor for unauthorized virtual machine operations.

  • Virtualization Security:

    • Treat virtualized Domain Controllers with the same security as physical ones.

    • Segregate virtualization administration.

Previous10.DNSadminsNextKey Concepts:

Last updated