11.Hyper-v-administrators

Last updated 12 days ago

takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

sc.exe start MozillaMaintenance

Virtualization Access:
- Members of have full control over virtual machines.
- This allows them to clone Domain Controllers and extract NTDS.dit files.
.vhdx File Deletion and Hard Links:
- When a .vhdx file is deleted, vmms.exe attempts to restore permissions as SYSTEM.
- This can be abused to create hard links to protected files.
- This is based on CVE-2018-0952 or CVE-2019-0841, or an application that installs a service that runs as system.
Mozilla Maintenance Service Example:
- The Mozilla Maintenance Service can be targeted for this exploit.
- A PowerShell script can be used to grant full control over the maintenanceservice.exe file.
- The file can then be replaced with a malicious executable.
- Starting the service results in SYSTEM-level command execution.
Mitigation:
- The hard-link exploit has been mitigated by the March 2020 Windows security updates.

Approach, Commands, Tools, and Techniques:

1. Virtualization Access:

Technique:
- Clone virtualized Domain Controllers.
- Mount virtual disks offline.
- Extract NTDS.dit files.
Tools:
- Hyper-V Manager.
- Virtual Disk tools.
Outcome:
- Domain wide credential access.

2. Hard-Link Exploit:

Technique:
- Delete a .vhdx file.
- Create a hard link to a protected file (e.g., maintenanceservice.exe).
- Replace the linked file with a malicious executable.
- Start the associated service.
Tools:
- PowerShell (for hard-link creation).
- takeown (for file ownership).
- sc.exe (for service management).
Commands:
- takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
- sc.exe start MozillaMaintenance
PowerShell:
- PowerShell script to create the hard link and modify file permissions.
Outcome:
- SYSTEM level command execution.

3. Considerations:

Vulnerability:
- The hard-link exploit relies on specific vulnerabilities (CVE-2018-0952, CVE-2019-0841) or vulnerable services.
- The core hard link exploit is patched as of March 2020.
Mitigation:
- Keep systems patched.
- Implement least privilege for Hyper-V administrators.
- Monitor for unauthorized virtual machine operations.
Virtualization Security:
- Treat virtualized Domain Controllers with the same security as physical ones.
- Segregate virtualization administration.

Last updated 12 days ago

takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

sc.exe start MozillaMaintenance

Virtualization Access:
- Members of have full control over virtual machines.
- This allows them to clone Domain Controllers and extract NTDS.dit files.
.vhdx File Deletion and Hard Links:
- When a .vhdx file is deleted, vmms.exe attempts to restore permissions as SYSTEM.
- This can be abused to create hard links to protected files.
- This is based on CVE-2018-0952 or CVE-2019-0841, or an application that installs a service that runs as system.
Mozilla Maintenance Service Example:
- The Mozilla Maintenance Service can be targeted for this exploit.
- A PowerShell script can be used to grant full control over the maintenanceservice.exe file.
- The file can then be replaced with a malicious executable.
- Starting the service results in SYSTEM-level command execution.
Mitigation:
- The hard-link exploit has been mitigated by the March 2020 Windows security updates.

Approach, Commands, Tools, and Techniques:

1. Virtualization Access:

Technique:
- Clone virtualized Domain Controllers.
- Mount virtual disks offline.
- Extract NTDS.dit files.
Tools:
- Hyper-V Manager.
- Virtual Disk tools.
Outcome:
- Domain wide credential access.

2. Hard-Link Exploit:

Technique:
- Delete a .vhdx file.
- Create a hard link to a protected file (e.g., maintenanceservice.exe).
- Replace the linked file with a malicious executable.
- Start the associated service.
Tools:
- PowerShell (for hard-link creation).
- takeown (for file ownership).
- sc.exe (for service management).
Commands:
- takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
- sc.exe start MozillaMaintenance
PowerShell:
- PowerShell script to create the hard link and modify file permissions.
Outcome:
- SYSTEM level command execution.

3. Considerations:

Vulnerability:
- The hard-link exploit relies on specific vulnerabilities (CVE-2018-0952, CVE-2019-0841) or vulnerable services.
- The core hard link exploit is patched as of March 2020.
Mitigation:
- Keep systems patched.
- Implement least privilege for Hyper-V administrators.
- Monitor for unauthorized virtual machine operations.
Virtualization Security:
- Treat virtualized Domain Controllers with the same security as physical ones.
- Segregate virtualization administration.