
Empire runas module throws Access Denied error

Open 123dshark opened this issue 6 years ago • 9 comments

Empire Version

Latest version of Empire

OS Information (Linux flavor, Python version)

Ubuntu 18.04

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

Error in runas: Exception calling "Start" with "1" argument(s): "Access is denied"

[Screenshots: "screen shot 2018-07-07 at 3:32:14 pm" and "screen shot 2018-07-07 at 3:33:16 pm"]

Screenshot of error, embedded text output, or Pastebin link to the error

Any additional information

The runas module fails with an "Access is denied" error message.

The username, domain and password are correct, and I unset the CredID. I also manually verified by RDPing into the host and running `runas /user:domain\username notepad.exe` locally. This works, but the module does not.

123dshark avatar Jul 07 '18 05:07 123dshark

Tried using CredID only as well, by unsetting username, password & domain. However, that doesn't work either.

123dshark avatar Jul 07 '18 05:07 123dshark

Having the same issue as here too: https://github.com/EmpireProject/Empire/issues/885

Can't get PTH to adopt the new rights either. The new process is created using the original user. The account that I'm using is DA. Trying to impersonate a lower priv domain user account.

123dshark avatar Jul 07 '18 06:07 123dshark

Tried runas, PTH, etc. on another compromised server (Windows Server 2008 R2) and the commands are working as expected.

But on the Domain Controller (Windows Server 2008 R2) runas, spawnas, PTH, steal_token don't work as expected for some reason:

  • Runas - throws access denied
  • Spawnas - throws access denied
  • PTH - does not create process with provided hash and username and does not adopt new rights. Continues to use old privs.

Tried this on Windows 7 Professional too, original session of DA. None of the above worked and could not impersonate another domain user.

Very inconsistent results for some reason with the above modules. Any assistance or pointers would be awesome. Thanks.

123dshark avatar Jul 07 '18 07:07 123dshark

On system where it worked:

RDP -> Opened CMD.exe -> ran launcher script -> then from there used runas, PTH as usual -> WORKED

On systems where it didn't work:

RDP -> Opened CMD.exe -> ran launcher script -> Used invoke-wmi to connect to another host -> ran runas, PTH, etc. -> FAILED

123dshark avatar Jul 07 '18 09:07 123dshark

Also noticed that when running pth, impersonation is set to No:

impers. : no

Also tried switching to processes with debug + impersonate privileges. This makes the runas command work (no errors shown); however, when I run runas, the process is never created and I can't see it using tasklist, so I can't use steal_token to migrate to it.

Not really sure what the issue could be. Any help would be appreciated. Thanks.

123dshark avatar Jul 07 '18 13:07 123dshark

Hello, I had the same behavior during my last assessment. On an infected W10, it was impossible to use management/spawn, but management/spawnas with the same account was OK. Moreover, management/spawnas with a DA account (builtin Administrator) threw an "Access is denied".

Need time to perform some debug on my lab 🌻

Any update on this? Thanks.

123dshark avatar Jul 25 '18 06:07 123dshark

Hey, I quickly performed some tests but was unable to reproduce this behavior in my lab (W10 Pro).

🌻

Thanks. Unsure what to do at this point.

123dshark avatar Aug 03 '18 23:08 123dshark