Blog Preface – “Windows Kits”
While running through some MITRE techniques, I happened upon the ADK tools and SDK tools and found a great collection of programs used for development, debugging, and administration. It just so happens, they’re also great for Red Teaming. Many of them are Digitally Signed by Microsoft, making them a great bypass for Applocker / Application Whitelisting.
In this post, we’ll talk about one of the core principles of Red Teaming.
T1003 – Credential Dumping
For the sake of quality and reference, ADK stands for Windows Assessment and Deployment Kit. The “kit” is nothing more than an intermediate installer for a selection of other tool-kits.
For our discussion, we’ll be using the Debugger Kits. These are found in the SDK or the WDK (Software Development Kits and Windows Debugger Kits, respectively).
When you install the SDK, the wizard will prompt you to select the kits that you want to use. All you need to install in order to follow along is the Debugger Kit. This will give you a collection of dev and debugger tools provided by Microsoft.
Selecting only the debugger kit installs quite a selection of tools. I intend on doing a series of blog posts about each of the interesting tools that I’ve worked with, but for today we’re going to focus on “adplus”.
Once installed, these kits can be found in C:\Program Files (x86)\Windows Kits\
We’ll be working in ..\Windows Kits\10\Debuggers\x64, where you’ll find a large number of tools, including adplus.exe (and the adplus vbs and others).
If you right click “adplus.exe” and go to Properties, you’ll see that we have a Digital Signature by Microsoft.
I feel like I see a lot of blogs referencing tools that are signed by Microsoft. Often, people see Microsoft-related things when they look at the “Details” tab of the Properties section and they call it a Digitally Signed binary, but in reality that’s just metadata, not a signature. If it’s signed with an embedded signature, we’ll have a Digital Signature tab where we can see the certificate.
For example, in C:\Windows\System32\cmstp.exe or notepad.exe you can right click, go to Properties, and see the Details tab showing “Microsoft”. You’ll also see that there is no Digital Signature tab. It took me much longer than I’d like to admit to learn that some binaries are in a catalogue of known hashes, which also qualifies them as signed binaries. So just because you don’t see a Digital Signature tab doesn’t automatically mean it’s not digitally signed.
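The Digital Signature tab only shows embedded Authenticode signatures, so a quick way to see both kinds (embedded and catalog) is to ask Windows itself. The following is an added example, not code from the original post: Get-AuthenticodeSignature checks the embedded signature and the Windows security catalogs, and its SignatureType property reports which one applied. The three paths are the ones named in this post; adjust the Windows Kits path if your install differs.

```powershell
# Added example: classify how a binary is signed (embedded Authenticode vs. catalog).
# Get-AuthenticodeSignature consults both the embedded signature and the OS security
# catalogs, so catalog-signed binaries such as notepad.exe report Valid even though
# Explorer shows no Digital Signature tab for them.
function Get-SignatureKind {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path          = $p
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
            IsOSBinary    = $sig.IsOSBinary
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Paths taken from the post; the Windows Kits location is the default install path.
Get-SignatureKind -Path @(
    "$env:windir\System32\notepad.exe",
    "$env:windir\System32\cmstp.exe",
    "${env:ProgramFiles(x86)}\Windows Kits\10\Debuggers\x64\adplus.exe"
) | Format-Table -AutoSize
```

On a stock Windows 10 box, notepad.exe and cmstp.exe come back as Valid with SignatureType Catalog, while adplus.exe comes back as Valid with SignatureType Authenticode, which is exactly the distinction the Properties dialog hides. This also matters for allow-listing: AppLocker publisher rules match on either kind of signature, so a “no Digital Signature tab” check is not a reliable way to decide what a policy will let through.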
Although we’ll be going over several of these tools in this blog series, I’ll mention an interesting thing about the tools I’ve used so far. They’re all Portable Executables. This means that we don’t need to install these Kits on the victim. If you can download the file, you can execute it.
But what does it do?!
Why am I here?!
I have no idea.
I can only tell you what it does. I wasn’t looking into this tool specifically; I just happened across it and ran the exe with /? to find out what it does. WTF is this thing. I’ve used adplus, but only in Chrome… joke… it’s obviously different.
Pair these screenshots with a little bit of Google searching on the tool…
Does any of this sound familiar to you? I quickly began to realize that this sounds just like a procdump style tool. While I was still not entirely positive what the flags meant, I continued through the help menu and determined that I probably wanted the “hang mode” of the command. I also liked the option to specify by a process ID, instead of a name, more on that later.
I tested with notepad.exe first, and sure enough received the DMP file from the process. With that in the bag, I went straight to lsass.exe:
.\adplus.exe -hang -pn lsass.exe -o C:\temp
Here’s the real reason I cared about this
I do most of my testing against a fully patched Windows 10 machine with Windows Defender in its default state. Despite the grief it gets, it does a decent job against a wide variety of things. This includes protecting lsass, actually. By default, a memory dump of the lsass process is flagged by Defender as an LSASSAttack and the corresponding DMP file is deleted before you can do anything with it.
In addition to that, blue teams like to watch for procdump. While there are other ways and tools to dump the process, procdump is the gold standard and go-to Red Team tool for it. There are plenty of other methods, but I haven’t seen adplus.exe listed anywhere yet. If I haven’t seen it around, it’s unlikely that many blue teams are detecting the command line string for this executable. Further, the command line string doesn’t have to indicate a memory dump of the lsass process. If we use the process ID, we avoid putting the word lsass into that string, requiring a little more IR work to determine what the action was.
Instead of “procdump” (a known tool) doing a memory dump on lsass (the obvious credentials dump process) and specifying the lsass.dmp file… we’re now running adplus (a less known tool) against a process ID (not an immediate red flag, as opposed to lsass.exe), and that’s it: no indication that we’re about to write a DMP file.
There is a caveat to this tool. Adplus more or less automates the dumping process for you through the use of cdb.exe. CDB.exe is also a Digitally Signed Microsoft tool within the Debugger Kit directory. This means the two tools need to be in the same directory when you run them. In my test, I copied adplus.exe and cdb.exe to the C:\temp directory of the victim.
This actually clears up why you don’t see it listed as an lsass tool: the tool we’re actually leveraging is cdb.exe, which is its own MITRE technique, T1127.
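The two things above that make adplus quieter than procdump (a PID instead of the name “lsass”, and the real work happening in a child cdb.exe) are also what a detection can key on, because process-creation logs carry the parent image and the command line, and the same log stream tells you which PID lsass holds. The following is an added example, not from the original post: a PowerShell function that runs that logic over constructed process-creation records shaped like Sysmon Event ID 1 or Security 4688 (the field names Image, ParentImage, CommandLine and ProcessId are assumptions about your log source, and the PID-to-image table would normally be built from the same log). The sample records are constructed for the example; the cdb.exe command line is a placeholder, since adplus generates its own arguments.

```powershell
# Added example: detection logic for the adplus/cdb dump pattern described in the post.
# Input records are assumed to expose Image, ParentImage, CommandLine and ProcessId
# (Sysmon EID 1 / Security 4688 style); $PidMap maps a running PID to its image name.
function Find-DebuggerDumpActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][hashtable]$PidMap
    )
    # Windows Debugger Kit tools that can attach to and dump a process.
    $debuggers = 'adplus.exe', 'cdb.exe', 'ntsd.exe', 'windbg.exe'
    foreach ($e in $Events) {
        $image  = [IO.Path]::GetFileName($e.Image).ToLower()
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
        if ($image -notin $debuggers -and $parent -notin $debuggers) { continue }

        $reasons = @()
        # adplus never runs alone: it spawns cdb.exe, so the parent/child pair is the tell.
        if ($image -eq 'cdb.exe' -and $parent -eq 'adplus.exe') {
            $reasons += 'cdb.exe launched by adplus.exe (automated dump)'
        }
        # -hang is the mode the post uses to snapshot a live process.
        if ($e.CommandLine -match '(?i)\s-hang\b') { $reasons += '-hang mode (dump of a live process)' }
        # Target given by name: the obvious case.
        if ($e.CommandLine -match '(?i)-pn\s+lsass(\.exe)?\b') { $reasons += 'targets lsass by name' }
        # Target given by PID: resolve it against what we know is running.
        if ($e.CommandLine -match '(?i)\s-p\s+(\d+)') {
            $target = [int]$Matches[1]
            if ($PidMap[$target] -eq 'lsass.exe') { $reasons += "targets PID $target, which is lsass.exe" }
        }
        if ($reasons) {
            [pscustomobject]@{
                ProcessId   = $e.ProcessId
                Image       = $image
                Parent      = $parent
                CommandLine = $e.CommandLine
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample data: PID 812 is lsass in this fake host, 4120 is notepad.
$pidMap = @{ 812 = 'lsass.exe'; 4120 = 'notepad.exe' }
$events = @(
    [pscustomobject]@{ ProcessId = 5100; Image = 'C:\temp\adplus.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = '.\adplus.exe -hang -p 812 -o C:\temp' }
    [pscustomobject]@{ ProcessId = 5104; Image = 'C:\temp\cdb.exe';    ParentImage = 'C:\temp\adplus.exe'
                       CommandLine = 'cdb.exe -p 812 [placeholder: arguments generated by adplus]' }
    [pscustomobject]@{ ProcessId = 5108; Image = 'C:\temp\adplus.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = '.\adplus.exe -hang -p 4120 -o C:\temp' }
)
Find-DebuggerDumpActivity -Events $events -PidMap $pidMap | Format-List
```

Run against the sample data, the first two records are flagged (hang mode plus a PID that resolves to lsass, and cdb.exe spawned by adplus.exe), while the third is reported only for -hang mode, since its target resolves to notepad. Two points of design: the PID lookup is what closes the gap the post describes, because the command line alone never says “lsass”, and the parent/child rule catches the dump even when the adplus command line is empty or obfuscated, since cdb.exe still has to show up with adplus.exe as its parent. In a real deployment the PID map is just the set of earlier process-creation events for the same host, and a copy of the debugger binaries in a user-writable path like C:\temp rather than under Windows Kits is worth its own alert.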
I’ll also be going over cdb.exe usage in my next blog post, leveraging that DigSig binary to inject your own shellcode into memory to produce reverse shells.