This document discusses tactics for red team operations on Windows networks. It begins by covering techniques for gaining initial access and situational awareness, such as using PowerShell commands to enumerate users, computers, and network information. It then discusses abusing domain trust relationships and using PowerView to operate across trusts. Escalation techniques like PowerUp for privilege escalation and Mimikatz for token manipulation are also covered. The document discusses persistence methods like Golden Tickets and WMI. It finally covers techniques for locating and accessing file shares to retrieve sensitive information, using PowerView commands. The overall message is that while tactics remain the same, tools and implementations are continually evolving to facilitate red team operations.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
IoT Device Management using open standards end-to-endPilgrim Beart
A talk given by Pilgrim Beart to the Thames Valley IoT Meetup on 26th May 2016. This covers Pilgrim's experiences of scaling-up connected services such as AlertMe (Hive) and how a set of open IP-compatible standards now makes it possible to deploy and manage IoT systems in an open and interoperable fashion, creating an ecosystem which benefits customers and vendors alike.
This is the slide deck that I used when presenting at FSU's Cyber Security Club. This presentation was supposed to give a description of what Red Teaming, Pen Testing, and other roles do.
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamersjasonjfrank
This presentation, given at BSidesPittsburgh 2015, discusses free tools and techniques penetration testers use that can be translated to network defenders for immediate impact and value.
This talk describes the current state of the Veil-Framework and the different tools included in it such as Veil-Evasion, Veil-Catapult, Veil-Powerview, Veil-Pillage, Veil-Ordnance
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
In this talk we’ll see how Authentication and Secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and will go through the topics like Container Auth Role, Static & Dynamic secrets, Env vars/volumes for secret delivery, Vault & K8S secrets. After this talk you’ll get an understanding how to securely deploy your containerized workloads.
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - PanoraysDemi Ben-Ari
To defend against attacks, think like a hacker. But does that mean you need to be a DevOps expert? Security researchers today need to discover new attack techniques. However, much of their focus is diverged to backend coding. We share how to build an infrastructure for researchers that allows them concentrate on business logic and writing hacker “tasks”. Using Docker and Kubernetes on Google Cloud, these tasks can then be performed in parallel and without a lot of DevOps hassle. Our technique removes two common barriers: first, long and risky deployment processes and second, low transparency within the production system.
Promise to share the stupid things too.
A Primer for Your Next Data Science Proof of Concept on the CloudAlton Alexander
Learn how to quickly create a highly scalable solution using AWS. We introduce the benefits and challenges you may face. We discuss scope and establish realistic expectations, budgets, and constraints for these type of projects. Finally we end with a demo for website event tracking and analysis.
Learn how Decisiv provides secure access to developers and deals with compliance hurdles. Senior Engineer Hunter Madison will talk about how Decisiv needed to quickly solve the pain of scaling the engineering team, migrating to AWS, maintaining ISO 27002 compliance, and a few of his key learnings from his two-year journey using Teleport.
Is the door to your active directory wide open and unsecureDavid Rowe
You wouldn’t leave the front or back door of your house unlocked and wide open, would you? Then why aren’t you as diligent with your work environment? Idle permissions and forgotten accounts – which often aren’t cleaned up – are two key areas ripe for compromise in your identity system.
Learn how:
- An attacker can use back doors into your Active Directory environment to gain access to your systems, applications, and confidential information.
- Having your administrators make a few minor changes, can increase your security footprint and lower your attack surface.
Session Outcomes:
- Learn 5 free methods to secure your Active Directory.
- Deploy validated and tested policies that enhance your security footprint.
- Identify and define privileged groups in your organization.
Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays
apidays LIVE New York - API for Legacy Industries: Banking, Insurance, Healthcare and Retail
Navigating the Sea of Javascript Tools to Discover Scalable Tools for Continuous Delivery
Menelaos Kotsollaris, Senior Software Engineer
Viki Green, Senior Software Developer at Trulioo
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Derbycon - Passing the Torch
1. Passing the Torch:
Old School Red
Teaming, New
School Tactics?
Dave McGuire, Will Schroeder
Veris Group’s Adaptive Threat Division
2. @davidpmcguire
● Director of Veris Groups’ Adaptive Threat
Division
o Penetration Testing
o Red Teaming
o Threat Replication
● Former technical lead of NSA Red Team
● Developer of Adaptive Penetration Testing
and Adaptive Red Team Tactics BlackHat
training classes
3. @harmj0y
● Chief security researcher and red teamer for
Veris Group’s Adaptive Threat Division
● Co-founder of the Veil-Framework #avlol
o www.veil-framework.com
o Shmoocon ‘14: AV Evasion with the Veil Framework
o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0
o co-wrote Veil-Evasion, wrote Veil-Catapult, Veil-
Pillage, PowerView, and PowerUp
● Active Cortana and PowerShell hacker
4. tl;dr
● Pentesting vs. Red Teaming
● Red Teaming vs Red Team Operations
● Tactic 1: Situational Awareness
● Tactic 2: Domain Trusts
● Tactic 3: Escalation and Pivoting
● Tactic 4: Persistence
● Tactic 5: Files Files Files
● Demo: FIGHT!
5. Pentesting
● Definition ranges anywhere from a single
person running a (slightly)-glorified vuln
scan, to a full on multi-person assault for
several weeks
● Reasonable Balance: breadth vs. depth,
find as many holes as you can and see how
far you can get in a limited timeframe
6. Red Teaming vs.
Red Team Operations
● Red teaming means different things to
different people
● Some focus on physical ops, some focus on
in-depth social engineering, some focus on
custom exploit dev, some focus on pure
network based operations, etc.
● Common thread of increased time frame and
more permissive scope
7. Red Teaming Operations
● An operation organized to emulate a
potential adversary’s exploitation or attack
effectiveness against a targeted mission or
capability
● Military concept of adversarial thinking that
evolved into adversary emulation
● General idea: simulate an “advanced”
attacker
8. Our Take
● We focus on operational risk posed by
advanced attackers
● From our perspective, red team operations
primarily involve analysis and actions
that happen after the initial access
● A vast majority of corporate deployments in
the US consist of Windows environments, so
that’s where we focus
9. Cyber Kill-Chain :)
Identify points that affect business impact
Datamine for Sensitive Information
Establish Persistence
Acquire Domain/Network Administrative Privileges
Identify Further Exploit Points
Escalate Privileges
Gain Situational Awareness
Gain Access
10. Bridging the Gap
● Red Teaming is historically defined by:
o The use of specialized toolsets
o Expanded timeframe
o Large team size
o Lots of $$$
● Our interpretation is really more about
emulation of techniques, independent of
toolsets
o Newer tools provide many previously specialized
capabilities
11. Nothing New?
● These techniques are public but lesser
known
● Admins need to admin, users wanna use
o Always going to be a way to abuse ‘normal’
functionality for unintended purposes
● Everything here is possible through multiple
means
o VBscript, PowerShell, C/WinAPI or native/CLI
o Good to have alternative ways to accomplish the
same goal
14. Landing on the Beachhead
● Orient yourself after the initial compromise
● Gain situational awareness to plan your next
attack steps
● Nothing revolutionary here:
o the more information you can gather, the better you
can map out your next phase
o and active directory is a gold mine of information
15. Old School: Users/Network Info
● Groups/users in the domain:
o net users /domain
o net group /domain
o net group “Domain Admins” /domain
● Computers in the domain:
o net view /domain:<domain name>
● Information about a host
o net view <hostname>
o srvinfo <hostname>
o sc <hostname>
o nbtstat -A <hostname>
16. Old School: User Hunting
● Find where high value users are logged in
● Find user fileservers:
1. net use
a. look for mapped drives
2. net user <username> /domain
a. extract “Home Directory” server
3. ...repeat for all users :(
● Check the sessions, match against target
users:
o NetSess.exe SERVER
17. New School
● Rob Fuller (@mubix’s) netview.exe project,
presented at Derbycon 2012, is a tool to
“enumerate systems using WinAPI calls”
● Finds all machines on the network,
enumerates shares, sessions, and logged in
users for each host
o And now can check share access, highlight high
value users, and use a delay/jitter :)
18. New(est) School: PowerShell
● PowerShell has some great AD hooks and
access to the Windows API as well
● PowerView implements a ton of this
functionality without having to remember all
the syntax
● Full replacement for “net *” commands, as
well as a full netview.exe implementation,
Invoke-Netview
19. New(est) School: PowerShell
● Invoke-UserHunter
o queries AD for all machines
o queries for a target user group (“Domain Admins”)
o uses the same API calls as netview.exe to
enumerate sessions and logged in users, matching
against the target user list
● Invoke-StealthUserHunter
o queries AD for all users, extracts all home
directories
o queries for a target user group
o runs the equivalent to “net session” against each file
server, matching against target user list
22. Windows Domain Trusts 101
● Trusts allow separate domains/directories to
form inter-domain relationships
● A trust simply allows for the possibility of
access between domains
o Administrators must go the extra mile and actually
enable access
● Trusts can be a method for an attacker to
jump from one network to another
23. Domain Trusts 101
● Trusts come in 3 varieties
o One way - Only one domain trusts the other
o Two way - Both domains trust each other
o Transitive - Domain A trusts Domain B and Domain
B trusts Domain C, so Domain A trusts Domain C
● Each domain in a forest has a two-way
transitive trust with both its parent and each
of its children
● More information:
o http://www.harmj0y.net/blog/redteaming/trusts-you-
might-have-missed/
24. So What?
● Why does this matter?
● Red teams often compromise
accounts/machines in a domain trusted by
their actual target
o Allows operators to exploit these existing trust
relationships to achieve their end goal
● And Enterprise Admin = pwnership over
everything below
25. Old School: nltest
● Some Microsoft administrative tools can give
you lots of interesting information concerning
domain trusts:
o nltest /domain_trusts - identify all current domain
trusts
o nltest /dcname:<domain name> - identify primary
domain controller for a target domain
● Other tools grant some of this functionality
as well:
o netdom to verify two-way trusts
o dsquery/dsget to enumerate additional information
26. Old School: dsquery/dsget
● Retrieve users from a specific domain:
o dsquery user
“cn=users,dc=dev,dc=test,dc=local”
● Grab “Domain Admins” for a specific domain:
o dsget group "cn=Domain
Admins,cn=users,dc=dev,dc=test,dc=local" -
members
● See what groups a user is a member of:
o dsget user
"cn=john,cn=users,dc=dev,dc=test,dc=local" -
memberof
27. New School: Trusts and PowerShell
● Of course you can do this (and with greater
ease) using PowerShell:
o ([System.DirectoryServices.ActiveDirecto
ry.Forest]::GetCurrentForest()).Domains
o ([System.DirectoryServices.ActiveDirecto
ry.Domain]::GetCurrentDomain()).GetAllTr
ustRelationships()
● PowerShell AD functionality can easily
operate on domains to which there's an
existing trust
o finding domain controllers, querying users,
enumerating domain groups, etc.
28. New(est) School: PowerView
● Domain/forest trust relationships can be
enumerated through several PowerView
functions:
o Get-NetForest: information about the current
domain forest
o Get-NetForestTrusts: grab all forest trusts
o Get-NetForestDomains: enumerate all domains in
the current forest
o Get-NetDomainTrusts: find all current domain
trusts, á la nltest
29. New(est) School: PowerView
● If a trust exists, most functions in
PowerView can accept a
“-Domain <name>” flag to operate across a
trust:
o Get-NetDomainControllers
o Get-NetUser/Get-NetUsers
o Get-NetComputers/Get-NetFileServers
o Get-NetGroup/Get-NetGroups
o Invoke-UserFieldSearch
o Invoke-Netview
o Invoke-UserHunter, etc.
32. Moving Beyond the Beachhead
● Now that you’ve mapped out the network,
active directory structure and trust
relationships, time to see what mischief you
can cause
● First step often involves escalating to
SYSTEM on your target
● Then grab tokens/passwords/etc. and start
your lateral movement
33. Old School: Escalation
● One of the most effective escalation vectors
was (and still is) vulnerable Windows
services
● Specifically, many organizations overlook
the permissions for service binaries :)
● After gaining SYSTEM on a box, makes it a
lot easier to snarf up all active user tokens
o File servers are great places to look
34. Old School: Tokens
● Impersonation tokens
o for “non-interactive” logons, i.e. drive mapping
o allows a process/thread to carry out actions as the
identified user on the current system
● Delegation tokens
o for “interactive” logons (we want these!!)
o allows a process/thread to carry out actions as the
identified user on remote systems
● Impersonate/steal tokens with your agent of
choice
o Can also just migrate to a user-owned process!
35. New School: Escalation
● PowerUp: a PowerShell tool to automate the
discovery and abuse of Windows privilege
escalation vectors. Checks for:
o vulnerable services
o service binaries
o unquoted paths
o AlwaysInstallElevated, and more
● Invoke-AllChecks will run all current
checks, and will tell you what function will
abuse whatever vulns are found
36. New School: Token Manipulation
● PowerSploit / Exfiltration / Invoke-
TokenManipulation.ps1
● Equivalent to Incognito’s functionality, but
purely in PowerShell
● Allows you to enumerate tokens,
steal/impersonate what you find, create
processes, etc.
37. New School: Mimikatz FTW
● If you don’t know what Mimikatz
is, shame on you!
● Even better, the PowerSploit
guys integrated everything
into PowerShell
● Invoke-Mimikatz.ps1 lets you dump
credentials, play with kerberos tickets, and
more
40. Keeping the Door Open
● You don’t want to have to regain access for
each new engagement
o Attackers don’t leave, why should you
o Long term assessments require stable access
● Two main approaches:
o local machine level persistence
o domain level persistence
● Credentials are always a great persistence
method
41. Old School
● Keep a low and slow C2 agent running on
the machine
o In case of reboot, drop an obfuscated binary to disk
● Try to stay off of main servers
o Find privileged users with access to those servers,
then target their workstations
● Dump domain hashes
o Pay attention to privileged accounts with an
infrequent password change policy
42. ● For low-and-slow agent persistence, a few
specialized tools are available:
o Cobalt Strike’s Beacon
o Immunity’s Innuendo
o Silentbreak’s Throwback
● For on-disk local persistence, some
(newer?) techniques:
o schtasks + PowerShell through a one-liner
o permanent WMI + PowerShell through PowerSploit
o obfuscated binary + SC
New School: Local Persistence
44. The Golden Ticket
● If you can knock over a domain controller
and grab the krbtgt hash, you can forge your
own kerberos tickets
o For any user. And put them in any group. For as
long as that hash isn't changed. Which isn't often.
o Think years.
● Long story short: if you can pwn a domain
once, you can pwn it for a LONG time
● Go see Chris’ “Et tu – Kerberos?” at 6pm!
48. Files on Files
● The end goal isn’t domain admin, the end
goal is data
● Even when you don’t own everything, every
organization has file shares with improper
access controls
● Goal:
o Locate and triage every single file we can access
over the network (hunt for sensitive data)
o Gain sensitive information (potentially for
escalation), choose possible files to trojanize
49. Old School: Finding Shares
● Finding shares manually:
o net view /domain:<domain name>
o net view <hostname>
● Make new people triage every network share
and file found
o Great morale booster :)
● Once readable shares are located, triage the
possible thousands to millions of files on
remote servers
o New people like doing this :)
50. Old School: Finding Files
● Nothing more old school that straight
recursive directory listings with dir /s
o dir /s <hostname>SHARE > listing.txt
o dir /s /Q /O:-D /T:A <hostname>SHARE >
listing.txt
● Then grep file listings for sensitive names,
as well as office docs/.exe’s that have been
recently accessed :)
51. New School: Finding Shares
● Search for open shares and sensitive files
with PowerShell and PowerView
● Invoke-ShareFinder -CheckAccess will:
o Find all machines on the network
o Enumerate all shares on each machine
o Check if the current user has read access to any
found shares
● Spits out a “HOSTSHARE - comment” list
of all shares on the network you can read
52. New School: Finding Files
● Once you have shares, PowerShell helps
you triage for files, nicely sortable:
o PS> get-childitem MACHINEPATH -rec -
ErrorAction SilentlyContinue | where
{!$_.PSIsContainer} | select-object
FullName,@{Name='Owner';Expression={(Ge
t-Acl $_.FullName).Owner}},
LastAccessTime, LastWriteTime, Length |
export-csv -notypeinformation -path
files.csv
● The -include @(‘*term*’) argument lets you
find files by wildcard terms
53. New School: Targeted Trojanation
● Invoke-SearchFiles and Invoke-FileFinder
both accept the “-FreshEXEs” flag
o this will find .exe’s accessed within the last week
● We can then use Joshua Pitts’ The
Backdoor Factory to easily trojanate these
binaries
● Then can use PowerView’s Invoke-
CopyFile to copy the trojanated file in,
matching MAC attributes
55. Recap
● Newer tools and techniques can greatly
facilitate red team engagements
● Always have a backup plan- if one
implementation fails, you always need to
have options
● Moral of the story: the underlying tactics
rarely change, but the specific
implementations often do
56. Questions?
● Offensive PowerShell blogs:
o http://obscuresecurity.blogspot.com/
o http://www.exploit-monday.com/
o http://www.darkoperator.com/blog/
o http://blog.harmj0y.net
● Offensive PowerShell Toolsets:
o PowerSploit:
https://github.com/mattifestation/PowerSploit/
o PowerView:
https://github.com/veil-framework/Veil-PowerView
o PowerUp:
https://github.com/HarmJ0y/PowerUp