ITSEC Newsletter 2024-05-30

In this three-part blog series, we will explore different approaches to achieving passive persistence in an Active Directory (AD) environment. Specifically, we'll examine whether it is possible to survive a remediation process that contains steps such as rotating passwords, resetting AD service accounts, revoking logon sessions and removing backdoors on AD components such as domain controllers. In this blog - the first in the series - we tackle the scenario of password rotation for compromised accounts, exploring how attackers can intercept and adapt to these changes.

It doesn’t matter where symbols come from, as long as you can get them to help clean up your analysis. Ghidra offers the ability to automatically download symbols on your behalf. It takes some configuration, but it is really useful once you get going.

While reading this article from James Forshaw on leveraging COM to inject code into a process, I discovered a syscall that I didn’t known about: NtSystemDebugControl. Being unfamiliar with this syscall, I decided to look for more information. I found this PowerShell snippet, which worked well to dump kernel-mode memory. Looking for more, I found that the Flags argument was an enum that contained a IncludeUserSpaceMemoryPages. As the name suggests, if this flag is specified, the memory dump will include user-mode pages that are not swapped out. From what I could gather, this flag used to be available to userland, but was later restricted to drivers only in an earlier Windows version, up until Windows 11. I decided to give it a try anyways, and, to my surprise, it actually worked!