SlideShare a Scribd company logo

Trusted Third Parties are NOT Trust Worthy!

N
nettitude_labs

The document summarizes a simulated attack on an organization via compromise of a trusted third party supplier. It demonstrates how threat actors used phishing to deliver malware, abused active directory trusts to move laterally between the supplier and target networks, and extracted credentials and customer data from the target organization's systems after gaining initial access through the third party. It stresses that such trusted third party attacks are a real risk and organizations need to carefully restrict access and monitor for signs of compromise when connecting suppliers to their internal networks and assets.

Technology
1 of 36
Trusted Third Parties are NOT Trust Worthy! April 2019 GISEC
Contents Introductions + Whoami / Nettitude Overview + Summary of the hack + Why you should care as an organisation Demonstrate a Trusted Third Party Compromise + Weaponisation & delivery (Phishing) + Abusing Active Directory trusts (Bi-Directional) + In Combination with Trusted Network Routing + Elevation of privileges in enterprise organisations + Extraction of Customer data and privileged access
@benpturner + Managing Principal Security Consultant @ Nettitude + Lead the Global Red Team Operation @ Nettitude + 8 years as a Crest Team Leader (CHECK Team Leader - Infrastructure) + 5 years as a Crest Simulated Attack Specialist (CCSAS - STAR/CBEST) Training / Talks + Advanced Threat Actor Simulation - Red Team Training Course (Steelcon 2017/2018) + Workshops - Red Teaming with PoshC2 (BSides London/Manchester) + 21st Century War Stories (Steelcon/BSides 2016) - https://www.youtube.com/watch?v=O8Ul6QSPuo4 + PowerShell Fu with Metasploit (Steelcon/BSides 2015) - https://www.youtube.com/watch?v=ottfZFRSsj4 Development Projects + Lead developer of PoshC2 - Nettitude’s Open Source Command & Control (C2) Framework + https://github.com/nettitude/PoshC2_Python/ + General day to day PowerShell & C# projects
@BaffledJimmy + Security Consultant @ Nettitude + Work mainly on large Active Directory / infrastructure engagements and Red Teams + CHECK Team Leader + 8 years as a British Army Officer – mainly centered around cyber leadership roles + Enjoys both the offensive and defensive sides of red teaming, and abusing companies internal tooling against them.
Team Spicy Weasel 1st Place - 2018 + labs.nettitude.com/blog/derbycon-2018-ctf-write-up 1st Place - 2017 + labs.nettitude.com/blog/derbycon-2017-ctf-write-up 3rd Place - 2016 + labs.nettitude.com/blog/derbycon-2016-ctf-write-up
“ ” Skilled and motivated attackers are compromising third party suppliers with a view to pivoting into their ultimate target organization. FireEye, 2018
Disclaimer 1. All screenshots and organization names have been fictitiously made up or cloned for this presentation 2. The attack techniques and methodologies are a true representation of real connections with trusted third parties 3. This is not a contrived attack scenario, the risk is very real 4. We are enacting this scenario for many of our clients and you would be scared at the amount of success, and the over reliance or trust that is put in third party organizations
Cyber Kill Chain
News Reports 1. Screenshot of The Register with 3rd party breaches etc
Threat Intelligence / Open Source Intelligence Gathering • OSINT • Social Media / Networking Sites • Active / Passive Reconnaissance • HUMINT
Digital Solutions Summary of the Target
Prowl – Hunting the Employees
Identifying the Target
Deploying C2 Infrastructure
Photon
VIDEO Weaponising the Document
Deliver the Weapon to the Target
VIDEO Symantec Secure File Share
Attacker C2 Channel Established
Visual Representation
Situational Awareness
Enumerating and Abusing Active Directory Trusts  Active Directory trusts with suppliers or outsourcing partners are common  Combined with overly permissive firewall rules between each company  Frequently misconfigured to allow two way authentication between organisations  Frequently allow all accounts to authenticate, not just the required accounts
Trust Enumeration & Kerberoast Attack
Visual Representation
Custom Distributed Cloud Cracking
Distributed Cloud Cracking 22hrs 56mins £3220
Cloud Cracking has given access into Blorebank  Blorebank are using Jump Boxes / Bastion Hosts – a good security practice  AWS Cloud Cracking reveals MS SQL Service Account password  The attacker can now authenticate from the DS machine using those creds, to execute an implant on the database server
Post Exploitation
Getting into Blorebank
Visual Representation
Video of RDP into workstation, find an RDCMan file on Desktop (one of many) Use Photon to extract PW (complex) – RDCMan for Blore BastionHost
Stealing Privileged Credentials & Data Exfiltration
VIDEO MSSQL Account is localadmin. Mimikatz: logonpasswords.
Key Takeaways  Trusted Third Party Attacks are REAL  Separate your Active Directory environments to minimize your attack surface  Ensure strict firewalling between suppliers and your assets, e.g. RDP  Heavily monitor and audit your authentication events  Restrict access to critical assets to authorized and dedicated accounts only  Deploy password managers, 2FA & utilize Microsoft Group Managed Service Accounts & LAPS
THANK YOU Ben Turner @benpturner Tom MacDonald @baffledjimmy https://www.slideshare.net/nettitude_labs/trusted-third-parties-are-not-trust-worthy

Recommended

powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaserNotSoSecure Global Services
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...CODE BLUE
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101Mario-Leander Reimer
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 

Recommended

powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaserNotSoSecure Global Services
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...CODE BLUE
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101Mario-Leander Reimer
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...CODE BLUE
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Fortify dev ops (002)
Fortify dev ops (002)Fortify dev ops (002)
Fortify dev ops (002)Madhavan Marimuthu
 
Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1KlaraOrban
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open SourceMichael Ducy
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanPuma Security, LLC
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021Denis Zakharov
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsAll Things Open
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSSOWASP
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Automating Security Response with Serverless
Automating Security Response with ServerlessAutomating Security Response with Serverless
Automating Security Response with ServerlessMichael Ducy
 
Monitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMonitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMichael Ducy
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosJenniferMete1
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Amazon Web Services
 

More Related Content

What's hot

[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...CODE BLUE
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1KlaraOrban
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open SourceMichael Ducy
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanPuma Security, LLC
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsAll Things Open
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSSOWASP
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Automating Security Response with Serverless
Automating Security Response with ServerlessAutomating Security Response with Serverless
Automating Security Response with ServerlessMichael Ducy
 
Monitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMonitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMichael Ducy
 

What's hot (20)

[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Fortify dev ops (002)
Fortify dev ops (002)Fortify dev ops (002)
Fortify dev ops (002)
 
Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open Source
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source Applications
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
 
Automating Security Response with Serverless
Automating Security Response with ServerlessAutomating Security Response with Serverless
Automating Security Response with Serverless
 
Monitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMonitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in Kubernetes
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 

Similar to Trusted Third Parties are NOT Trust Worthy!

Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosJenniferMete1
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Amazon Web Services
 
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Amazon Web Services
 
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...AWS Summits
 
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Amazon Web Services
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
Elastic user group London nov 2019
Elastic user group London nov 2019Elastic user group London nov 2019
Elastic user group London nov 2019Andrey Bezverkhiy
 
Security in the Hybrid Cloud at Liberty Mutual
Security in the Hybrid Cloud at Liberty MutualSecurity in the Hybrid Cloud at Liberty Mutual
Security in the Hybrid Cloud at Liberty MutualVMware Tanzu
 
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy GoalsIRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy GoalsIRJET Journal
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE - ATT&CKcon
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012Imperva
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themTudor Damian
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainErik Van Buggenhout
 

Similar to Trusted Third Parties are NOT Trust Worthy! (20)

Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von Baggenstos
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
 
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
 
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
 
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Elastic user group London nov 2019
Elastic user group London nov 2019Elastic user group London nov 2019
Elastic user group London nov 2019
 
Security in the Hybrid Cloud at Liberty Mutual
Security in the Hybrid Cloud at Liberty MutualSecurity in the Hybrid Cloud at Liberty Mutual
Security in the Hybrid Cloud at Liberty Mutual
 
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy GoalsIRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012
 
Check Point Consolidation
Check Point ConsolidationCheck Point Consolidation
Check Point Consolidation
 
Implementing Governance as Code
Implementing Governance as CodeImplementing Governance as Code
Implementing Governance as Code
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with them
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
 

Recently uploaded

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Recently uploaded (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

Trusted Third Parties are NOT Trust Worthy!

  • 1. Trusted Third Parties are NOT Trust Worthy! April 2019 GISEC
  • 2. Contents Introductions + Whoami / Nettitude Overview + Summary of the hack + Why you should care as an organisation Demonstrate a Trusted Third Party Compromise + Weaponisation & delivery (Phishing) + Abusing Active Directory trusts (Bi-Directional) + In Combination with Trusted Network Routing + Elevation of privileges in enterprise organisations + Extraction of Customer data and privileged access
  • 3. @benpturner + Managing Principal Security Consultant @ Nettitude + Lead the Global Red Team Operation @ Nettitude + 8 years as a Crest Team Leader (CHECK Team Leader - Infrastructure) + 5 years as a Crest Simulated Attack Specialist (CCSAS - STAR/CBEST) Training / Talks + Advanced Threat Actor Simulation - Red Team Training Course (Steelcon 2017/2018) + Workshops - Red Teaming with PoshC2 (BSides London/Manchester) + 21st Century War Stories (Steelcon/BSides 2016) - https://www.youtube.com/watch?v=O8Ul6QSPuo4 + PowerShell Fu with Metasploit (Steelcon/BSides 2015) - https://www.youtube.com/watch?v=ottfZFRSsj4 Development Projects + Lead developer of PoshC2 - Nettitude’s Open Source Command & Control (C2) Framework + https://github.com/nettitude/PoshC2_Python/ + General day to day PowerShell & C# projects
  • 4. @BaffledJimmy + Security Consultant @ Nettitude + Work mainly on large Active Directory / infrastructure engagements and Red Teams + CHECK Team Leader + 8 years as a British Army Officer – mainly centered around cyber leadership roles + Enjoys both the offensive and defensive sides of red teaming, and abusing companies internal tooling against them.
  • 5. Team Spicy Weasel 1st Place - 2018 + labs.nettitude.com/blog/derbycon-2018-ctf-write-up 1st Place - 2017 + labs.nettitude.com/blog/derbycon-2017-ctf-write-up 3rd Place - 2016 + labs.nettitude.com/blog/derbycon-2016-ctf-write-up
  • 6. “ ” Skilled and motivated attackers are compromising third party suppliers with a view to pivoting into their ultimate target organization. FireEye, 2018
  • 7. Disclaimer 1. All screenshots and organization names have been fictitiously made up or cloned for this presentation 2. The attack techniques and methodologies are a true representation of real connections with trusted third parties 3. This is not a contrived attack scenario, the risk is very real 4. We are enacting this scenario for many of our clients and you would be scared at the amount of success, and the over reliance or trust that is put in third party organizations
  • 9. News Reports 1. Screenshot of The Register with 3rd party breaches etc
  • 10. Threat Intelligence / Open Source Intelligence Gathering • OSINT • Social Media / Networking Sites • Active / Passive Reconnaissance • HUMINT
  • 12. Prowl – Hunting the Employees
  • 17. Deliver the Weapon to the Target
  • 22. Enumerating and Abusing Active Directory Trusts  Active Directory trusts with suppliers or outsourcing partners are common  Combined with overly permissive firewall rules between each company  Frequently misconfigured to allow two way authentication between organisations  Frequently allow all accounts to authenticate, not just the required accounts
  • 23. Trust Enumeration & Kerberoast Attack
  • 27. Cloud Cracking has given access into Blorebank  Blorebank are using Jump Boxes / Bastion Hosts – a good security practice  AWS Cloud Cracking reveals MS SQL Service Account password  The attacker can now authenticate from the DS machine using those creds, to execute an implant on the database server
  • 30.
  • 32. Video of RDP into workstation, find an RDCMan file on Desktop (one of many) Use Photon to extract PW (complex) – RDCMan for Blore BastionHost
  • 33. Stealing Privileged Credentials & Data Exfiltration
  • 34. VIDEO MSSQL Account is localadmin. Mimikatz: logonpasswords.
  • 35. Key Takeaways  Trusted Third Party Attacks are REAL  Separate your Active Directory environments to minimize your attack surface  Ensure strict firewalling between suppliers and your assets, e.g. RDP  Heavily monitor and audit your authentication events  Restrict access to critical assets to authorized and dedicated accounts only  Deploy password managers, 2FA & utilize Microsoft Group Managed Service Accounts & LAPS
  • 36. THANK YOU Ben Turner @benpturner Tom MacDonald @baffledjimmy https://www.slideshare.net/nettitude_labs/trusted-third-parties-are-not-trust-worthy

Editor's Notes

  1. BEN: Thanks everyone for having us on the Dark Stage today. We’re going to present to you the lessons of not trusting your third parties!!
  2. BEN: So whoami! My name is Ben Turner, I head up the Global Red Team @ Nettitude. I’m a managing principal security consultant. I have direct oversight of all red teaming engagements and essential hack into backs for a living – ethically. I have also created my own C2 framework that is called PoshC2 if you haven’t ever heard of it check it out.
  3. MAC:
  4. BEN: Some other places you may have seen us is at Derbycon, we’re quite a keen attender of this conference. If you like CTF’s check out some of the blogs we wrote off the back of the cons. It will be sad this year its coming to an end – hopefully we can go out with a bang and maintain that 1st place position!
  5. MAC: Rick even mentioned this yesterday from FireEye that trusted third parties and supply chains are often a massive pivot point into your network
  6. BEN:
  7. BEN:
  8. MAC: News report detailing number of supply chain breaches. ASUS HACK Taiwanese computer maker says it fixed an issue that allows attackers to distribute malware via the company update mechanism
  9. BEN:
  10. MAC:
  11. BEN:
  12. MAC Add Whitelist Installs SSH Key, Apache etc Updates SSL Certs – Lets Encrypt Anti-Incident Response Techniques - UserAgents DNS Records Automated lookup against categorization sites and submits where necessary
  13. MAC Add Whitelist Installs SSH Key, Apache etc Updates SSL Certs – Lets Encrypt Anti-Incident Response Techniques - UserAgents DNS Records Automated lookup against categorization sites and submits where necessary
  14. BEN:
  15. MAC:
  16. MAC: Specifically designed to look like a security bulletin email Specially crafted for the target user of the organization with custom attributes such as the license code
  17. BEN:
  18. MAC:
  19. BEN: Initial implant Screenshot Network map Cred-Popping
  20. MAC: Explain the basic concepts of active directory trusts and how we can sometimes abuse them
  21. BEN: Enumerating the trusts of the organisation Verify the bidirectional trust Kerberoast the trust (active directory exploitation)
  22. MAC:
  23. MAC:
  24. BEN: RC4 Kerberoasting Hash Cracked in 23 hours and 7 minutes With a combination of a custom wordlist and rules!
  25. MAC:
  26. BEN:
  27. BEN: Upload exe to abuse rdcman, as seen by process listing Deploy socks tunnel to allow us to rdp to Jason’s workstation while he is away from this desk
  28. MAC: PowerUPSQL to get the sql instances from the domain and query the data as a low level user
  29. CHANGE GREEN LINES TO SHOW TRAFFIC TUNNELING OUT TO THE INTERNET AND TO THE C2 CHANNEL
  30. MAC: Exfiltrate all the data from the SQL server via a jump station logging in as sqladmin_all
  31. BEN:
  32. MAC:
  33. BEN:
  34. BEN: