11. Scenario 1
• Developer with Local Admin Rights
• Recently requested IT Support (the support account's logon session is still cached in LSASS)
• Sometimes, reading the memory of the lsass.exe process
doesn't show cleartext passwords
but…
12. Pass The Hash
Step by step
1 – Read the protected memory of lsass.exe (Local Admin Rights are needed for this)
2 – Copy the NT hash of the support account (the RC4-HMAC key); NTLM authentication
only needs the hash, never the password itself
3 – Execute the Pass The Hash attack and start a
command prompt running with that account's credentials
4 – Now, with Domain Admin Rights, do:
Whatever you want!
15. Scenario 2
• Access for 1 minute to a computer with Local Admin Rights
• IT Support was requested recently
• Our attacking machine is not in the domain
• But has access to the network!
16. Pass The Ticket
Step by step
1 – Read the protected memory of lsass.exe
2 – Because a Domain Admin logged on to the machine recently, exporting the
Kerberos tickets cached in LSASS gives us a ticket of the pt.adm user
3 – On a machine the domain does not control, we do the Pass The Ticket
and are able to access everything pt.adm can in that Domain, for as long as the
ticket is valid (a TGT lasts 10 hours by default)
Note: on a machine that has no protection for LSASS (such as LSA protection or
Credential Guard), the sky is the limit
19. Scenario 3
• Access for 1 minute to a computer with Local Admin Rights
• The user does not have Domain Admin Rights, but is a member of the
built-in Administrators group of the domain (which holds replication rights on the DC)
• Our attacking machine is outside the domain
• But has access to the network!
20. DC Sync
Step by step
1 – We want to pull the secrets of a DC onto an attacker's machine
2 – Even though the user is not in the Domain Admins group, the misconfiguration
that put him in the Administrators group grants him the replication rights
(DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). He can therefore
ask a DC to replicate the krbtgt account's hash to him as if he were another DC
(DC Sync), and with that hash forge a Kerberos TGT (Golden Ticket)
3 – After that, the only thing left to do is, on a machine the domain does not
control, Pass The Ticket and access everything in that Domain
24. Scenario 4
• Access for 1 minute to a computer without Local Admin Rights
• Without IT Support
• Our attacking machine is not in the domain
• But has access to the network!
25. Kerberos Delegation
Step by step
1 – Request the delegation ticket (no Local Admin Rights are needed for this)
2 – On a machine outside the Domain, use that ticket
3 – Now, with user-level access from a machine we control, do:
Whatever you want! – Escalation?
Note: this time the machine has no protection at all!
29. Scenario 5
• Access for 1 minute to a computer with Local Admin Rights
• IT Support was requested
• The AD is monitored with a SIEM* in the SOC**
* Security Information and Event Management
** Security Operations Center
30. DC Sync (push variant, known as DCShadow)
Step by step
1 – We want to manage a DC from an attacker's machine
2 – Because communications between DCs are very noisy, a SOC cannot alert on every
replication event, so let's hide in that traffic: we register our machine as a DC
and issue a command as if we were a DC
3 – After preparing the change(s), we issue a "push" and for a second our machine
is a Rogue DC that replicates the change into the real DCs.
Long enough to add a new user to Domain Admins
without "noise": the change arrives through replication, so the usual
account-management events are not logged on the DC
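The SOC-side counterpart to Scenario 5, as an added example that is not part of the original slides: detection logic in Python run over constructed Windows Security events, covering Pass The Hash (slide 12), DC Sync (slide 20) and the Rogue DC push (slide 30). Field names follow the Windows Security log EventData names (SubjectUserName, LogonType, Properties, ServicePrincipalNames); the event records, account names, host names and the KNOWN_DCS list are assumptions made up for the example.

```python
# Added example (not from the original slides): SIEM-style detection logic
# for three of the attack paths in this deck, run over constructed Windows
# Security events. Field names follow the Windows Security log EventData
# names; the records, accounts and DC names below are made up.

# GUIDs of the two extended rights a DC Sync caller must hold; a 4662 event
# lists the right that was checked in its Properties field.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# GUID of the DRS RPC interface; a machine registering itself as a DC adds an
# SPN with this GUID and a "GC/" SPN to its own computer object (event 4742).
DRS_RPC_INTERFACE_GUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"

# Assumed inventory of the domain's real domain controllers (no trailing "$").
KNOWN_DCS = {"DC01", "DC02"}


def _is_dc(account_name):
    """True if a computer account such as 'DC01$' belongs to a known DC."""
    return account_name.rstrip("$").upper() in KNOWN_DCS


def check_pass_the_hash(ev):
    # A Pass The Hash tool injecting a hash into a new logon session produces
    # a 4624 with Logon Type 9 (NewCredentials), Logon Process "seclogo" and
    # authentication package Negotiate. runas /netonly is also type 9, but
    # its Logon Process is "Advapi", so the logon process is the discriminator.
    return (ev["EventID"] == 4624
            and ev.get("LogonType") == 9
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName", "") == "Negotiate")


def check_dcsync(ev):
    # Replication rights exercised (4662) by anything other than a real DC
    # computer account. Legitimate non-DC callers (e.g. a directory sync
    # service account) would have to be allow-listed here.
    if ev["EventID"] != 4662:
        return False
    props = ev.get("Properties", "").lower()
    replicating = (DS_REPLICATION_GET_CHANGES in props
                   or DS_REPLICATION_GET_CHANGES_ALL in props)
    return replicating and not _is_dc(ev["SubjectUserName"])


def check_dcshadow(ev):
    # A computer account (4742) that is not a known DC receives DC-only SPNs.
    if ev["EventID"] != 4742:
        return False
    spns = ev.get("ServicePrincipalNames", "").lower()
    looks_like_dc = "gc/" in spns or DRS_RPC_INTERFACE_GUID in spns
    return looks_like_dc and not _is_dc(ev["TargetUserName"])


def detect(events):
    """Return (technique, account) alerts in event order."""
    alerts = []
    for ev in events:
        if check_pass_the_hash(ev):
            alerts.append(("pass_the_hash", ev["SubjectUserName"]))
        elif check_dcsync(ev):
            alerts.append(("dcsync", ev["SubjectUserName"]))
        elif check_dcshadow(ev):
            alerts.append(("dcshadow", ev["TargetUserName"]))
    return alerts


# Constructed sample events: three benign, three matching the techniques.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "dev.user", "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4624, "SubjectUserName": "dev.user", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "pt.adm",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": "GC/dc01.corp.example/corp.example"},
    {"EventID": 4742, "TargetUserName": "WS-ATTACK$",
     "ServicePrincipalNames": "GC/ws-attack.corp.example/corp.example "
                              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
                              "1a2b3c4d-0000-0000-0000-000000000000/corp.example"},
]

if __name__ == "__main__":
    for technique, account in detect(SAMPLE_EVENTS):
        print(f"ALERT {technique}: {account}")
```

The DC inventory is what keeps the DC Sync and Rogue DC rules quiet during normal replication: both techniques look exactly like DC-to-DC traffic, which is the "noise" slide 30 hides in, so the rules alert only when the replicating or DC-looking account is not one of the real DCs.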