Overview:

I was recently performing an Internal Penetration test when I found myself on a Windows Machine with normal domain user privileges. I was not able to escalate my privileges on the host machine and decided to work my way around the network instead. I could run Powershell but Windows Defender was being a pain. There was, however, no application allow-listing/control which allowed me to run some portable applications.

At this point, I didn't know if the Blue team knew where I was and what I've been up to or if they were already on to me. In the meantime, I decided to go with a low profile approach. Generally, I could... totally disconnect from the network and not do anything (what a silly idea), I could heavily obfuscate binary files and Powershell scripts, or I could bring in some somewhat trusted portable apps. It was at this moment that I just wish there was an easier way to know more about the network and move more freely. I then remembered an episode from the NakedSecurity Podcast by Sophos talking about how the Ragnar Locker Ransomware deployed the ransomware in a VirtualBox VM to evade detection. I wondered if I could bring and run a bunch of offensive security tools/OS (ah yes, Kali & friends) on the host in a similar way. I first did a quick search if somebody had already made portable versions of hypervisors such as VMware or VirtualBox. Most did not have a portable version and if they did, it would have required a privileged account (which we don't have here). This is when I found a site that demonstrated how to run a portable version of Qemu (this did not need a privileged user). I tried it and it seemed to have worked.

Below are some steps on how you could get started:


Instructions

Ubuntu - Minimal

  1. Download the Ubuntu-minimal ISO

  2. Download Qemu for Windows and install it (needs a privileged user) on a Windows machine which you have full control of. I used my Windows test VM for this.

    0-Qemu-Installed

  3. Prepare the Ubuntu-Minimal virtual hard disk image

    1. Create the virtual hard disk

      "C:\Program Files\qemu\qemu-img.exe" create -f qcow2 ubuntu-minimal.img 5G
      

      1-Image-Create

    2. Boot and install Ubuntu on the (virtual) disk

      "C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -boot d -smp 3 -net nic -net user -hda ubuntu-minimal.img -cdrom mini.iso -accel tcg
      

      2-Ubuntu-Install

    3. Install every tool(offsec) you need

    4. Transfer the virtual hard disk to the compromised Windows host on the network.

  4. Run the Qemu portable application with the command below to boot the Ubuntu minimal ISO which is loaded with the offensive security tools needed. Depending on the compromised machine's specs, this can feel like forever (it took around ~20mins for me).

    qemu-system-x86_64.exe -m 2048 -smp 3 -net nic -net user -hda ubuntu-minimal.img -accel tcg
    

    3-Installed

Below are the boot times for the Ubuntu Minimal (CLI) Virtual Hard Disk. The time starts when the Qemu boot command is executed up to the CLI user login. The details on the VM and Qemu which the times were recorded with are:

  • Hierarchy:

    • Host Machine
      • Windows 64-bit VM
        • Qemu
  • Specs:

    • Windows 64-bit VM

      • 4 vCPU
      • 8GB RAM
    • Qemu

      • 3 smp/vCPU
      • 2GB RAM
Time (+2/-2 sec) bit Version Accelerator Virtualize Intel VTX
1:05 64 none No
0:59 64 tcg No
1:07 64 none Yes
0:59 64 tcg Yes
3:54 64 hax Yes

Kali Linux Live

  1. Download the Kali Live ISO

  2. Just a side note, the Windows machine on the target network which I was in only had 3GB RAM which made it excruciatingly painful to run and virtualize an OS with a GUI like Kali. For faster boot times and responsiveness, try the Ubuntu-minimal way above instead. The Ubuntu-minimal way, however, needs preparation such as installing the OS, tools, and dependencies. In case you have sufficient vCPU and memory on the host or compromised machine, below is a basic command to get it running:

    qemu-system-x86_64.exe -m 2048 -boot d -smp 3 -net nic -net user -cdrom kali-linux-2020.4-live-amd64.iso -accel tcg
    

    4-Kali-Live

The table below shows Kali Live boot times. The time starts when the Qemu boot command is executed up to the GUI with the wallpaper loaded. The details on the VM and Qemu which the times were recorded with are:

  • Hierarchy:

    • Host
      • Windows 64-bit VM
        • Qemu
  • Specs:

    • Windows 64-bit VM
      • 4 vCPU
      • 8GB RAM
    • Qemu
      • 3 smp/vCPU
      • 2GB RAM
Time (+2/-2 sec) bit Version Accelerator Virtualize Intel VTX
5:01 64 tcg No
5:10 64 tcg Yes
7:09 32 tcg Yes
6:51 32 tcg No
7:40 32 none No
4:53 64 none No
11:00 64 hax Yes
4:48 64 none Yes

Caveats:

Aside from the speed of Qemu's VM which is possibly also affected by nested virtualization, AVs such as Windows Defender will still see the traffic coming out of your VM (tested on NAT mode) and can still kill the process(Qemu) once certain malicious traffic is detected. This happened to me where Qemu suddenly disappears upon running Zerologon towards a Domain Controller. Regular NMAP, CrackMapExec, and most Impacket modules are fine.


Conclusion

There were a lot of options and routes to take given a normal user on a domain-joined machine where you're able to run Powershell scripts with only Windows Defender watching you. When I say only I mean it could've been 2 AVs or 1 AV & 1 EDR. With only a few caveats, the Qemu-sabi method worked as intended and was helpful in the recon and pivoting stages of the engagement. Overall the engagement turned out to be a success and value was brought to the table.


Further research to be done

  • Run Qemu on bridge mode using non-privileged user accounts

  • Research on other methods or virtualization tools

    • smaller footprint
      • size
      • detection
    • speed (faster / accelerators)
  • Research on smaller operating systems that wouldn't cause too much trouble when installing and running offensive security tools

If you have any tips, suggestions, comments, or corrections about this, shout them below in the comments section.