This document provides an overview of lateral movement techniques in Windows systems using credentials. It discusses authentication methods like NTLM and Kerberos, how logon sessions and access tokens are created, and how an attacker can leverage pass-the-hash, pass-the-ticket, and other techniques to authenticate as other users without needing their passwords. It demonstrates how runas and other tools can be used to create new processes under a different user identity. The goal is to understand how credentials are handled in Windows and how an attacker can manipulate logon sessions and access tokens to perform lateral movement.
This document discusses techniques for enumerating information from Active Directory. It begins with an introduction and overview of the domain being targeted, CAPSULE.CORP. The agenda covers local privileges enumeration using MS-RPC to find local admin accounts, logon and session enumeration to detect where users are logged in from, and LDAP enumeration to discover objects and relationships. The document provides details on tools like PowerView that can be used to remotely enumerate SAM databases, network sessions, and query LDAP. It discusses attributes and groups of interest for users, computers, and privileges like delegation.
Abusing Microsoft Kerberos - Sorry you guys don't get it (Benjamin Delpy)
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
Think Like a Hacker - Database Attack Vectors (Mark Ginnebaugh)
This document provides a summary of a presentation titled "Think Like A Hacker" about database attack vectors and techniques to thwart them. The presentation discusses common database hacking techniques such as SQL injection, unauthorized access via stolen or default credentials, and privilege escalation. It also outlines strategies for protecting databases, including applying patches, using secure coding practices with input validation and bind variables, limiting privileges, and encrypting sensitive data. The presentation emphasizes the importance of understanding hacking methods in order to strengthen database security.
Carlos García - Pentesting Active Directory [rooted2018] (RootedCON)
An introduction to penetration testing in Microsoft Active Directory environments, delivered as a hands-on talk for auditors and anyone interested in pentesting corporate environments. It opens with a brief introduction to the Active Directory directory service and its most security-critical components. It then explains the main differences from a classic infrastructure pentest, along with the most common techniques and attacks used to carry out the exercise and fully compromise the corporate domain. Prerequisites: attendees are recommended to have basic knowledge of Active Directory and basic-to-intermediate knowledge of pentesting or ethical hacking, preferably in infrastructure and/or operating systems.
The document discusses various techniques for hacking systems, including password cracking, privilege escalation, executing applications remotely, and using keyloggers and spyware. It provides an overview of tools that can perform functions like password cracking, sniffing network traffic, capturing credentials, escalating privileges, executing code remotely, and logging keystrokes covertly. Countermeasures to these techniques, like disabling LM hashes, changing passwords regularly, and using antivirus software, are also covered.
Practical Red Teaming is a hands-on class designed to teach participants the techniques and tools used in red team operations. The goal of the training is to give a red teamer's perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment with multiple domains and up-to-date, patched operating systems. We cover several phases of a Red Team engagement in depth: local privilege escalation, domain enumeration, admin recon, lateral movement, obtaining Domain Admin privileges, and more.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OUs etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered:
Identify domains
Enumerate domain controllers
Enumerate users from domain controllers
Enumerate password policy from domain controllers
Perform dictionary attack
More security blogs by the authors can be found @
https://www.netspi.com/blog/
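The five steps above, carried through as an added example (not code from the NetSPI presentation): the lockout threshold, observation window and minimum password length are parsed from constructed `net accounts /domain` output, and the candidate list is split into batches sized to stay under the threshold. parse_net_accounts() and plan_spray() are helpers written here; the sample output and password list are made up.

```python
"""Plan a lockout-safe spray from the domain's own password policy.

Added example; it is not part of the original presentation. The sample
`net accounts /domain` output below is constructed, and parse_net_accounts()
and plan_spray() are helpers written for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample output (not captured from a real domain).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Output label -> key we keep. `net accounts` prints "Never" for a threshold of 0.
_FIELDS = {
    "Lockout threshold": "threshold",
    "Lockout duration (minutes)": "duration_minutes",
    "Lockout observation window (minutes)": "observation_minutes",
    "Minimum password length": "min_length",
}


def parse_net_accounts(text: str) -> Dict[str, int]:
    """Extract the lockout-relevant numbers from `net accounts /domain` output."""
    policy: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s+(\S+)\s*$", line)
        if not m or m.group(1).strip() not in _FIELDS:
            continue
        value = m.group(2)
        policy[_FIELDS[m.group(1).strip()]] = 0 if value == "Never" else int(value)
    missing = [k for k in ("threshold", "observation_minutes") if k not in policy]
    if missing:
        raise ValueError(f"policy output is missing {missing}")
    return policy


def attempts_per_window(policy: Dict[str, int], safety_margin: int = 1):
    """Guesses per account that fit in one observation window without locking it.

    The DC increments badPwdCount on every failure and locks the account when the
    count reaches the threshold, so threshold - 1 failures are survivable; the
    margin leaves room for the user's own typos. None means lockout is disabled.
    """
    if policy["threshold"] == 0:
        return None
    return policy["threshold"] - 1 - safety_margin


def plan_spray(policy: Dict[str, int], passwords: List[str],
               safety_margin: int = 1) -> List[Tuple[List[str], int]]:
    """Split candidates into batches and say how long to wait after each one.

    badPwdCount resets once the observation window has passed since the last
    failure, so a full-window pause between batches returns every account to
    zero. Candidates shorter than the minimum length cannot be valid and are
    dropped so they do not burn attempts. Returns [(batch, wait_minutes), ...].
    """
    usable = [p for p in passwords if len(p) >= policy.get("min_length", 0)]
    per_window = attempts_per_window(policy, safety_margin)
    if per_window is None:
        return [(usable, 0)]
    if per_window < 1:
        raise ValueError("threshold too low to spray safely with this margin")
    batches = [usable[i:i + per_window] for i in range(0, len(usable), per_window)]
    wait = policy["observation_minutes"]
    return [(b, wait if i < len(batches) - 1 else 0) for i, b in enumerate(batches)]


if __name__ == "__main__":
    pol = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    for batch, wait in plan_spray(pol, ["Winter2019!", "Summer2019!", "abc", "Password1"]):
        print(batch, f"then wait {wait} min")
```

badPwdCount is not replicated between domain controllers, but every failed attempt is chained to the PDC emulator, so spreading guesses across DCs does not buy extra attempts; the planner treats the whole domain as one counter for that reason.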
Benjamin Delpy is a security researcher from France known for creating the tool mimikatz. Mimikatz can retrieve credentials like hashes and keys from the LSASS process memory. It supports techniques like pass-the-hash, over-pass-the-hash, and credential dumping from memory dumps. Delpy gives presentations to teach people about Windows authentication and how mimikatz works.
Talk language: Russian. Has worked in both compliance-oriented and hands-on information security for more than 6 years. SOC analyst at Kaspersky Lab. Previously head of the information security department at an industrial enterprise. Holds specialist and master's degrees from the Reshetnev Siberian State Aerospace University (SibSAU), where he later taught information security courses. Has taken part in a number of CTFs. Has spoken at ZeroNights. Teymur Kheirkhabarov. Risk management: how to stop believing in illusions (Fast Track).
The document discusses the NTLM authentication protocol. It describes NTLM as a Microsoft-designed challenge-response authentication mechanism that is widely used but considered weak. The document outlines the details of NTLM, including how it uses hashes and challenges to authenticate users without exposing credentials. It also provides examples of how to implement NTLM authentication in .NET applications using SSPI calls to the secur32 library.
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015 (Scott Sutherland)
This presentation will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are being used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Full Video Presentation: http://youtu.be/SIeMz6gCK3Q
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
MacOS forensics and anti-forensics (DC Lviv 2019) presentation (OlehLevytskyi1)
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Jose Selvi - Side-Channels Uncovered [rootedvlc2018] (RootedCON)
In recent years the term "side-channel" has gone from being a concept known only in the hardware hacking community to a popular term across the industry, driven by the vulnerabilities that have been published. CRIME, BREACH and FIESTA are clear examples of vulnerabilities that exploit a side channel in TLS. More recently we have also seen vulnerabilities built on the same concept in processors, such as Spectre and Meltdown.
In this talk we revisit the concept of a side channel and walk through the various vulnerabilities published over the last few years, explaining how they work and what their limitations are.
The document summarizes technical details about ShadowPad, a modular cyber attack platform deployed through compromised software. It describes how ShadowPad operates in two stages, with an initial shellcode embedded in legitimate software that connects to command and control servers. The second stage acts as an orchestrator for five main modules, including for communication, DNS protocols, and loading additional plugins. Payloads are received from the C&C server as plugins and can perform data exfiltration.
Presented by: Bruce Momjian
Presented at the All Things Open 2021
Raleigh, NC, USA
Raleigh Convention Center
Abstract: This talk explores the ways attackers with no authorized database access can steal Postgres passwords, see database queries and results, and even intercept database sessions and return false data. Postgres supports features to eliminate all of these threats, but administrators must understand the attack vulnerabilities to protect against them. This talk covers all known Postgres external attack methods.
The document discusses using osquery, an open source host-based monitoring and detection agent, to detect compromise on Windows endpoints. It provides an overview of osquery's capabilities including scheduled and event-based queries, file carving, on-demand querying, and deployment at scale. Examples are given of using osquery to monitor processes, users, groups, USB activity, Windows events, and PowerShell for detection of suspicious activity.
Here Be Dragons: The Unexplored Land of Active Directory ACLs (Andy Robbins)
This document summarizes information about three individuals - Andy, Rohan, and Will - who work at SpecterOps creating security tools like BloodHound. It provides details on their jobs, tool development experience, conference presentations, training experience, and Twitter accounts. It then outlines abuse primitives that can be exploited through misconfigurations in Active Directory object ACLs. Finally, it demonstrates how to use tools like PowerView, SharpHound, and BloodHound to find misconfigurations and attack paths in Active Directory.
The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.
How we hacked distributed configuration management systems (Positive Hack Days)
The talk covers how a team of researchers discovered and exploited vulnerabilities in various configuration management systems during penetration tests. The authors present several distributed configuration management tools, such as Apache ZooKeeper, HashiCorp Consul and Serf, and CoreOS etcd; explain how to fingerprint these systems; and show how typical configuration mistakes can be used to expand the attack surface.
Jesse V. Burke presents on adversarial RDP tactics, techniques, and procedures (TTPs). The presentation reviews the RDP attack cycle from initial reconnaissance using tools like Shodan to identify open RDP ports, through exploitation of vulnerabilities like MS12-020 and EsteemAudit, lateral movement using session hijacking, and potential mitigations. It provides details on common RDP attacks like brute forcing passwords, downgrading encryption, and using tools like Cain & Abel or Seth to perform man-in-the-middle attacks to decrypt credentials. The presentation emphasizes that proper patching, firewalls, and securing RDP connections can help prevent many external and internal RDP attacks.
Owning computers without shell access 2 (Royce Davis)
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seems to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Hunting Lateral Movement in Windows Infrastructure (Sergey Soldatov)
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
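A detection pass over the event pairs these two talks describe, as an added example that is not part of either slide deck: each remote-execution artifact (a new service in 7045 or 4697, a new scheduled task in 4698) is matched back to the network logon (4624, logon type 3) that preceded it on the same host within a short window. The events are constructed for the example, not real logs, and find_remote_executions() is a helper written here.

```python
"""Spot remote execution by pairing a network logon with the artifact it left.

Added example, not from the original talks. The events below are constructed
for this example (they are not real logs); field names follow the EventData
names Windows uses (TargetUserName, IpAddress, LogonType, ServiceName, TaskName).
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Event IDs that show something was installed or scheduled to run on the host.
REMOTE_EXEC_ARTIFACTS = {
    7045: ("service installed (System log)", "ServiceName"),    # PsExec-style
    4697: ("service installed (Security log)", "ServiceName"),
    4698: ("scheduled task created", "TaskName"),               # schtasks /s
}
# Logon type 3 is what SMB, WMI and WinRM sessions produce on the target.
NETWORK_LOGON_TYPES = {3}

SAMPLE_EVENTS = [
    # FS01: network logon as alice from 10.0.0.5, then the PsExec service appears
    {"host": "FS01", "id": 4624, "time": "2019-05-01T10:00:00",
     "LogonType": 3, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"host": "FS01", "id": 7045, "time": "2019-05-01T10:00:04",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # FS02: an admin at the console (type 2) creates a task; not lateral movement
    {"host": "FS02", "id": 4624, "time": "2019-05-01T10:05:00",
     "LogonType": 2, "TargetUserName": "bob", "IpAddress": "-"},
    {"host": "FS02", "id": 4698, "time": "2019-05-01T10:05:03",
     "TaskName": "\\Backup", "TaskContent": "robocopy D:\\ E:\\"},
    # FS03: network logon and a new service, but ten minutes apart
    {"host": "FS03", "id": 4624, "time": "2019-05-01T09:00:00",
     "LogonType": 3, "TargetUserName": "eve", "IpAddress": "10.0.0.9"},
    {"host": "FS03", "id": 4697, "time": "2019-05-01T09:10:00",
     "ServiceName": "Spooler2", "ServiceFileName": "C:\\Windows\\Temp\\s.exe"},
    # WS07: network logon as a service account, task created two seconds later
    {"host": "WS07", "id": 4624, "time": "2019-05-01T11:00:00",
     "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.9"},
    {"host": "WS07", "id": 4698, "time": "2019-05-01T11:00:02",
     "TaskName": "\\Microsoft\\Windows\\Maint", "TaskContent": "cmd.exe /c whoami"},
    # WS07: a later network logon with no artifact behind it
    {"host": "WS07", "id": 4624, "time": "2019-05-01T12:00:00",
     "LogonType": 3, "TargetUserName": "carol", "IpAddress": "10.0.0.9"},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def find_remote_executions(events: List[Dict], window_seconds: int = 60) -> List[Dict]:
    """One alert per artifact that follows a network logon on the same host.

    For each artifact event, walk backwards through earlier events and stop at
    the first 4624 with a network logon type on the same host inside the window;
    anything older than the window is ignored, so a stale logon does not pair
    with an unrelated service install.
    """
    ordered = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["id"] not in REMOTE_EXEC_ARTIFACTS:
            continue
        label, detail_field = REMOTE_EXEC_ARTIFACTS[ev["id"]]
        cutoff = _ts(ev) - timedelta(seconds=window_seconds)
        for prior in reversed(ordered[:i]):
            if _ts(prior) < cutoff:
                break
            if (prior["host"] == ev["host"] and prior["id"] == 4624
                    and prior.get("LogonType") in NETWORK_LOGON_TYPES):
                alerts.append({
                    "host": ev["host"],
                    "user": prior["TargetUserName"],
                    "source_ip": prior["IpAddress"],
                    "artifact": label,
                    "detail": ev[detail_field],
                    "delay_s": int((_ts(ev) - _ts(prior)).total_seconds()),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_remote_executions(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['user']} from {a['source_ip']} -> {a['artifact']} "
              f"{a['detail']} ({a['delay_s']}s after logon)")
```

The window is deliberately short: remote service creation and task registration happen within seconds of the authenticating logon, and a wider window mostly adds noise from unrelated admin sessions. Extending the same join to 4688/Sysmon 1 process-creation events under services.exe or wmiprvse.exe covers the WMI and WinRM variants the talks list.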
Mimikatz is a tool that enables extracting plain text passwords, hashes, and Kerberos tickets from memory. It can be used to perform pass-the-hash, over-pass-the-hash, and pass-the-ticket authentication attacks. Mimikatz uses the Sekurlsa module to dump credentials stored in the Local Security Authority Subsystem Service (LSASS) process memory. It decrypts encrypted credentials using the same functions LSASS uses, allowing extraction of passwords in plain text. Pass-the-hash allows authenticating with only the NTLM hash by replacing the hash used in authentication with the target user's hash.
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching? (BeyondTrust)
Catch the full webinar here: https://www.beyondtrust.com/resources/webinar/eyes-wide-shut-passwords-no-one-watching/?access_code=a4cd9bc071c923daab48132b0bb2e4f3
Check out this presentation from the intensive webinar by Paula Januszkiewicz, CEO of CQURE, penetration tester and mentor of CQURE Academy. Paula demonstrates common password encryption and decryption schemes in use today, with an eye toward revealing technology holes and weaknesses that put passwords at risk. She also demonstrates how to locate passwords in some unexpected places, and then walks you through mitigating these risks.
Язык докладаРусскийЗанимается «бумажной» и практической информационной безопасностью более 6 лет. Аналитик SOC в «Лаборатории Касперского». В прошлом руководитель подразделения ИБ на одном из промышленных предприятий. Закончил специалитет и магистратуру СибГАУ им. академика М. Ф. Решетнева (в котором в дальнейшем читал курсы по ИБ). Участник ряда CTF. Выступал на ZeroNights.Теймур Хеирхабаров Теймур Хеирхабаров Управление рисками: как перестать верить в иллюзииFast Track
The document discusses the NTLM authentication protocol. It describes NTLM as a Microsoft-designed challenge-response authentication mechanism that is widely used but considered weak. The document outlines the details of NTLM, including how it uses hashes and challenges to authenticate users without exposing credentials. It also provides examples of how to implement NTLM authentication in .NET applications using SSPI calls to the secur32 library.
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
This presentation will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are being used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Full Video Presentation: http://youtu.be/SIeMz6gCK3Q
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
En los últimos años, el término "side-channel" a pasado de ser un concepto únicamente conocido en el sector de hardware hacking a ser un término popular dentro de la industria debido a las vulnerabilidades que se han ido publicando. CRIME, BREACH o FIESTA son claros ejemplos de vulnerabilidades que explotan un side-channel en TLS. Más recientemente, también hemos visto vulnerabilidades empleando este mismo concepto en procesadores, como Spectre o Meltdown.
En esta charla, repasaremos el concepto de "side-channel" y haremos un repaso por las diferentes vulnerabilidades que se han ido publicando a lo largo de estos últimos años, explicando en que consisten y que limitaciones tienen.
The document summarizes technical details about ShadowPad, a modular cyber attack platform deployed through compromised software. It describes how ShadowPad operates in two stages, with an initial shellcode embedded in legitimate software that connects to command and control servers. The second stage acts as an orchestrator for five main modules, including for communication, DNS protocols, and loading additional plugins. Payloads are received from the C&C server as plugins and can perform data exfiltration.
Presented by: Bruce Momjian
Presented at the All Things Open 2021
Raleigh, NC, USA
Raleigh Convention Center
Abstract: This talk explores the ways attackers with no authorized database access can steal Postgres passwords, see database queries and results, and even intercept database sessions and return false data. Postgres supports features to eliminate all of these threats, but administrators must understand the attack vulnerabilities to protect against them. This talk covers all known Postgres external attack methods.
The document discusses using osquery, an open source host-based monitoring and detection agent, to detect compromise on Windows endpoints. It provides an overview of osquery's capabilities including scheduled and event-based queries, file carving, on-demand querying, and deployment at scale. Examples are given of using osquery to monitor processes, users, groups, USB activity, Windows events, and PowerShell for detection of suspicious activity.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
This document summarizes information about three individuals - Andy, Rohan, and Will - who work at Specter Ops creating security tools like BloodHound. It provides details on their jobs, tool development experience, conference presentations, training experience, and Twitter accounts. It then outlines abuse primitives that can be exploited through misconfigurations in Active Directory object ACLs. Finally, it demonstrates how to use tools like PowerView, SharpHound, and BloodHound to find misconfigurations and attack paths in Active Directory.
The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.
Как мы взломали распределенные системы конфигурационного управленияPositive Hack Days
В лекции речь пойдет о том, как команда исследователей обнаружила и эксплуатировала уязвимости различных систем конфигурационного управления в ходе пентестов. Авторы представят различные инструменты распределенного управления конфигурациями, например Apache ZooKeeper, HashiCorp Consul и Serf, CoreOS Etcd; расскажут о способах создания отпечатков этих систем, а также о том, как использовать в своих целях типичные ошибки в конфигурации для увеличения площади атак.
Jesse V. Burke presents on adversarial RDP tactics, techniques, and procedures (TTPs). The presentation reviews the RDP attack cycle from initial reconnaissance using tools like Shodan to identify open RDP ports, through exploitation of vulnerabilities like MS12-020 and EsteemAudit, lateral movement using session hijacking, and potential mitigations. It provides details on common RDP attacks like brute forcing passwords, downgrading encryption, and using tools like Cain & Abel or Seth to perform man-in-the-middle attacks to decrypt credentials. The presentation emphasizes that proper patching, firewalls, and securing RDP connections can help prevent many external and internal RDP attacks.
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
Mimikatz is a tool that enables extracting plain text passwords, hashes, and Kerberos tickets from memory. It can be used to perform pass-the-hash, over-pass-the-hash, and pass-the-ticket authentication attacks. Mimikatz uses the Sekurlsa module to dump credentials stored in the Local Security Authority Subsystem Service (LSASS) process memory. It decrypts encrypted credentials using the same functions LSASS uses, allowing extraction of passwords in plain text. Pass-the-hash allows authenticating with only the NTLM hash by replacing the hash used in authentication with the target user's hash.
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?BeyondTrust
Catch the full webinar here: https://www.beyondtrust.com/resources/webinar/eyes-wide-shut-passwords-no-one-watching/?access_code=a4cd9bc071c923daab48132b0bb2e4f3
Check out this presentation from the intensive webinar of Paula Januszkiewicz, CEO CQURE, penetration tester and mentor of CQURE Academy. Paula demonstrates common password encryption and decryption mechanisms in use today, with an eye toward revealing technology holes and weaknesses that put passwords at risk. Paula will also demonstrate how to locate passwords in some unexpected places, and then walk you through mitigation of these risks.
Hacking identity: A Pen Tester's Guide to IAMJerod Brennen
Know your opponent and know yourself. It held true for Sun Tzu 2500 years ago, and it holds true for pen testers today. A pen tester who has worked in sec ops role has a distinct advantage, especially if that pen tester has a solid grasp of the good, the bad, and the ugly of identity and access management (IAM) in an enterprise setting. For red teams, this presentation will cover pen testing tips and tricks to circumvent weak or missing IAM controls. For blue teams, we’ll also cover the steps you can take to shore up your IAM controls and catch pen testers in the act. Purple teaming, FTW!
This document describes Windows Credentials Editor (WCE), a tool that can dump and manipulate Windows logon session credentials from memory without requiring code injection. It discusses two implementation methods - using the authentication package API or directly reading LSASS process memory. The memory reading method is safer as it does not require running code in LSASS. It works by reversing the LSASS data structures to find logon sessions and credentials, then decrypting credentials using encryption keys and initialization vectors read from LSASS memory.
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
How to 2FA-enable Open Source Applications (Extended Session)
Presented at: Open Source 101 at Home 2020
Presented by: Mike Schwartz, Gluu
Abstract: Your organization loves open source tools like Wordpress, SuiteCRM, NextCloud, RocketChat, and OnlyOffice... but most of these tools are protected with plain old passwords. You want to use two-factor authentication... but how? In this workshop, you'll learn:
- Which 2FA technologies can be used without paying a license;
- How to enable users to enroll and delete 2FA credentials;
- How to configure open source applications to act as a federated relying party--delegating authentication to a central service
- How custom applications can act as a federated relying party
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)Jerod Brennen
With global information security spending rapidly approaching $100 billion, you'd think we'd have a pretty good handle on preventing data breaches by now. However, considering that nearly 1 billion records have been exposed in the 5000+ data breaches publicly disclosed since 2005, you're probably asking yourself the same question as security and risk management professionals all over the world: How does this keep happening? This presentation will walk you through a penetration tester's process, step-by-step, as the tester goes from unauthorized outsider to domain admin (without being detected). More importantly, we'll discuss the fundamental security controls that will shut down attackers time and again.
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
The document discusses various ways that authentication tokens can be abused to bypass security protections. It describes how some implementations of token parsing and signature verification are vulnerable to arbitrary code execution or information disclosure attacks due to inconsistencies in how signing keys and security tokens are resolved from token metadata. Specific attacks are demonstrated against Windows Communication Foundation, Windows Identity Foundation, and SharePoint Server due to differences in how key and token resolution are handled for signature verification versus token authentication.
The document outlines strategies for securing a network from intrusion and exploitation. It discusses how typical networks are easily compromised and provides recommendations across three key areas: network defenses, host defenses, and preventing exploits. Specific controls are proposed such as air gapping systems where possible, whitelisting applications and traffic, using smart cards for authentication instead of passwords, virtual machine isolation, and proactively patching and updating systems.
This document discusses post-exploitation techniques on Windows systems after gaining initial access. It covers hiding user accounts, extracting password hashes from the SAM database and LSASS process, using Mimikatz to dump hashes and elevate privileges, patching logs to cover tracks, and techniques like Pass-the-Hash and session hijacking to authenticate as other users without knowing their passwords. The goal is internal network access, with suggestions to gather additional information from SAM, NTDS.dit, and LSASS and targets like domain administrators.
System hacking is the way hackers get access to individual computers on a network. ... This course explains the main methods of system hacking—password cracking, privilege escalation, spyware installation, and keylogging—and the countermeasures IT security professionals can take to fight these attacks.
Insufficient data encoding occurs when special characters in input data are not properly encoded before being processed or output. This can lead to injection attacks like SQL injection or cross-site scripting attacks. To prevent this, all data from external sources, both on input and output, should be encoded according to the interpreter that will use the data. Common interpreters are HTML, JavaScript, and SQL, and proper encoding prevents attacks by changing the meaning of special characters.
As shown by headlines and countless intrusions, even moderately skilled attackers can sail through the defenses of a typical corporate network. Using a playbook of techniques both common and uncommon, intruders can bypass almost all security barriers despite even tough policies on end users and admins. But failure is not inevitable for a defender. There are many practical ways a network can be constructed that will wipe out most of the playbook, and they don’t always require expensive purchases.
Security must be built from the start, and this presentation will show you how it’s done; how to intelligently look at threats and plan defenses for a Windows network.
Neville Varnham discusses various cyber security threats related to PeopleSoft systems. He notes that ransomware schemes now allow technically illiterate criminals to conduct cyber attacks. Password cracking software can crack simple passwords in under a minute. The document also discusses a past university data breach involving PeopleSoft after a student was able to access a database with Social Security numbers. Varnham provides an overview of steps organizations can take to harden their PeopleSoft security, such as enabling encryption, implementing password policies, and ensuring proper logging and auditing.
The document discusses system security and provides seven common sense rules for security. It covers account security, file permissions, data encryption, single user security, dialup modems, security tools, and an overview of viruses, trojans, and worms. Monitoring logs, using security scanning tools, and educating yourself on security best practices are emphasized as important ways to help secure systems.
This document provides an overview of secure coding practices for Node.js applications. It discusses common vulnerabilities like injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, lack of access controls, CSRF, use of vulnerable components, and unvalidated redirects. For each issue, it provides examples of insecure code and suggestions for more secure implementations using input validation, encryption, access control checks, HTTPS, CSRF tokens, and other best practices. It also lists some useful security tools and resources for Node.js applications.
The document discusses authentication and identity. It covers common authentication factors like passwords, two-factor authentication using a mobile phone, and biometrics. It provides details on securely storing passwords using techniques like salts and hash functions to prevent cracking. It also discusses risks of password reuse across sites and how two-factor authentication helps address this. The document emphasizes the importance of secure authentication and not allowing the security level to be degraded without re-authentication.
This document provides an introduction to distributed security concepts and public key infrastructure (PKI). It describes different methods of remote access computing including single sign-on using Kerberos or NIS. It also discusses security building blocks like encryption, digital signatures, and hash algorithms. The document outlines the key elements of PKI including certificate authorities, public/private key pairs, identity certificates, and LDAP servers. It provides details on SSL/TLS and the SSL handshake process.
3. DISCLAIMER
For the sake of simplicity, some things will be skipped or just simplified.
If you want to go into more detail on a topic, the corresponding links
are at the bottom of each slide.
Also, some slides are based on images or texts from other sources.
Credit has been given to them.
5. AGENDA
AUTHENTICATION
LOGON SESSIONS
ACCESS TOKENS
HANDS ON
Do I have passwords?
Do I have hashes?
Can I manipulate interesting tokens?
Let’s move
DETECTIONS
8. We don’t care about physical authentications.
We care about remote authentications and they require privileges.
Being a local user in a system doesn’t mean you have privileges.
So…
11. Local Auth: Msv1_0 (NTLM)
[Diagram: user HostA\ATTL4S authenticates locally to HostA, which checks the SAM]
User: "I'm HostA\attl4s"
HostA: Challenge
User: Challenge encrypted with the user's hash
HostA: *Checks the hash* OK
https://support.microsoft.com/en-sg/help/102716/ntlm-user-authentication-in-windows
https://docs.microsoft.com/en-us/windows/desktop/secauthn/about-authentication
12. Domain Auth: KERBEROS*
[Diagram: domain user Corp\ATTL4S authenticates to HostA; the authentication is passed through (Netlogon) to the DC, which checks NTDS and answers OK; HostA answers OK to the user]
*NTLM is still supported on non domain-joined systems, legacy services, IP instead of hostname…
https://docs.microsoft.com/es-es/windows-server/security/kerberos/kerberos-authentication-overview
13. [Diagram: UserA authenticates to HostA (physically or remotely, via NTLM or Kerberos); the LSA hands the authentication to the corresponding auth package, which creates a Logon Session and provides security information; from that information the LSA creates a TOKEN (User SID, Logon Session ID, Integrity, Groups, …)]
15. Logon sessions are created when an authentication is successful (physically or remotely).
Credentials (if any) are tied to logon sessions.
Two types:
Interactive / Non-Network
Non-interactive / Network / Remote
https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
16. Interactive
The user sends credentials, which are stored in lsass.exe.
Typically the auth screen (Winlogon / LogonUI).
17. Non-interactive / Network*
The user proves it has credentials but does not send them to the target.
Usually after an interactive authentication, for SSO purposes.
*Delegation
19. When a logon session is created, information is returned to the Local Security Authority (LSA) that is used to create a token for the new user.
Each Access Token references a Logon Session.
Process/Thread → Token → Logon Session → Credentials
[Diagram: UserA authenticates to HostA (physically or remotely, via NTLM or Kerberos); the LSA hands the authentication to the auth package, which creates a Logon Session and provides security information; the LSA creates a TOKEN (User SID, Logon Session ID, Integrity, Groups, …) from it]
21. An access token is a protected object that contains information about the identity and user rights of the associated user account.
Every process executed on behalf of this user has a copy of the token.
Token contents: User SID, Groups, Integrity, Token type, Privileges, Logon Session, …
https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
22. An Access token isn't a single thing that represents a user's identity.
The same user can have different tokens and sessions in different processes/threads, e.g. UAC (medium and high integrity processes).
24. Token Types
Primary Tokens (process tokens)
Every process has a primary token associated with it.
When a new process is created, the default action is to inherit the primary token of its parent.
Impersonation Tokens (thread tokens)
They enable a thread to run in a different security context from the process that owns it.
Usually used in client/server scenarios (service accounts).
https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
https://www.exploit-db.com/papers/13054
26. Impersonation Tokens
Impersonation Tokens have different "impersonation" levels.
We only care about the ones "fully impersonated" (also called Delegation Tokens).
Delegation Tokens reference a logon session with credentials in memory and therefore can be used to access remote resources.
Created by interactive logons: console logons, RunAs, PsExec with the -u flag, RDP…
…or delegation!
https://docs.microsoft.com/en-us/windows/desktop/secauthz/impersonation-levels
https://digital-forensics.sans.org/blog/2012/03/21/protecting-privileged-domain-accounts-access-tokens
30. Runas.exe
The process created by runas has an access token similar to the one produced by an interactive logon.
Useful for:
Local user in the system (Fileserver\attl4s on Fileserver$)
Domain user from a trusted domain (Capsule\acapaz on Fileserver$)
But…
How can I runas with local users from other systems?
Runas Fileserver\attl4s in Sqlserver$ will fail.
How can I runas with domain users when there's no trust relationship?
Runas Capsule\acapaz in a non-domain-joined system will fail.
Also, what about the fuc**** password prompt?
https://docs.microsoft.com/es-es/windows/desktop/api/winbase/nf-winbase-logonusera
https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/
32. The /netonly flag (LOGON32_LOGON_NEW_CREDENTIALS)
Tells runas that the specified credentials are for remote access only.
Windows will not validate the credentials (watch out for wrong passwords).
When you interact with a network resource, Windows will use the credentials referred to by the logon session created.
Therefore, the Logon Session will not match the identity of the access token.
33. Runas /netonly - HOW?
1. Windows will create a new logon session with the credentials.
2. It will copy the current user's token and substitute the default logon session for the new one.
3. The new process will run with this token.
[Diagram: the original TOKEN (User SID, Logon Session ID, Integrity, Groups, …) references the Original Logon Session; the copied TOKEN (User SID, New Logon Session ID, Integrity, Groups, …) references the New Logon Session and is used by the New Process]
39. PASS-THE-HASH (msv1_0)
1. New logon session
2. Update credential material (hash) in that logon session (ADMIN)
3. Copy the original token and refer it to the new logon session
4. Use this new token
5. Runas /netonly but with the hash instead of the password!!
https://docs.microsoft.com/en-us/windows/desktop/secauthn/msv1-0-authentication-package
[Diagram: the original TOKEN (User SID, Logon Session ID, Integrity, Groups, …) references the Original Logon Session; a Duplicate TOKEN with a new Logon Session ID references the New Logon Session created with the hash (msv1_0)]
40. [Diagram]
NORMAL: UserA on HostA supplies the password Patatas123 to LSASS (msv1_0) and gets Access.
PASS-THE-HASH: UserB on HostA supplies the hash BD35111AB3B0D46129EFBDBAB06B49C4 to LSASS (msv1_0) and gets Access.
Benjamin Delpy – "Abusing Microsoft Kerberos. Sorry you guys don't get it" – Blackhat 2014
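The exchange drawn on slide 11 and the NORMAL vs PASS-THE-HASH comparison on slide 40, as an added example that is not part of the original deck: it derives the NT hash the way Windows does (MD4 over the UTF-16LE password) and then runs a challenge-response in which the server verifies using nothing but the hash it stores. The response function is a simplified model (HMAC-MD5 keyed with the NT hash over the server challenge), not the exact NTLMv2 message format from MS-NLMP, which also mixes in the user name, domain and a client blob; the SAM entry and the use of Patatas123 (the sample password on slide 40) are constructed. MD4 is implemented inline because hashlib builds often ship without it.

```python
"""NT hash derivation and a simplified NTLM challenge-response (added example)."""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); inline because hashlib may not offer it."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)          # little-endian 64-bit bit length

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    round3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                      # round 1: F, no constant
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c              # rotate roles ABCD -> DABC -> ...
        for i in range(16):                      # round 2: G, columns 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3: H, fixed index order
            a = rotl((a + h(b, c, d) + x[round3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what the SAM/NTDS store."""
    return md4(password.encode("utf-16-le"))


def ntlm_response(nt_hash_value: bytes, challenge: bytes) -> bytes:
    """Simplified response: keyed by the NT hash, never by the password itself."""
    return hmac.new(nt_hash_value, challenge, hashlib.md5).digest()


def server_verify(sam: dict, user: str, challenge: bytes, response: bytes) -> bool:
    """Slide 11's '*checks the hash* OK': only the stored hash is needed."""
    stored = sam.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(ntlm_response(stored, challenge), response)


def demo() -> dict:
    sam = {"attl4s": nt_hash("Patatas123")}      # constructed SAM entry
    challenge = os.urandom(8)                    # 8-byte server challenge
    # NORMAL: the client knows the password and derives the hash before answering.
    resp_password = ntlm_response(nt_hash("Patatas123"), challenge)
    # PASS-THE-HASH: the client only ever held the hash value.
    resp_hash_only = ntlm_response(sam["attl4s"], challenge)
    # A wrong password yields a different hash and therefore fails.
    resp_wrong = ntlm_response(nt_hash("Patatas124"), challenge)
    return {
        "password_client_ok": server_verify(sam, "attl4s", challenge, resp_password),
        "hash_only_client_ok": server_verify(sam, "attl4s", challenge, resp_hash_only),
        "wrong_password_ok": server_verify(sam, "attl4s", challenge, resp_wrong),
        "responses_identical": resp_password == resp_hash_only,
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())             # 8846f7eaee8fb117ad06bdd830b7586c
    print(demo())
```

The point for a defender: the server never sees the password and cannot tell a client that derived the hash from the password apart from one that only ever held the hash, so NT hashes in the SAM, NTDS.dit and LSASS memory are password-equivalent secrets and have to be protected (and rotated after exposure) exactly like the password.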
43. OVERPASS-THE-HASH (Kerberos SSP/AP)
1. New logon session
2. Update credential material (hash and/or KEYS) in that logon session (ADMIN)
3. Copy the original token and refer it to the new logon session
4. Use this new token
5. Runas /netonly but with the hash instead of the password!!
[Diagram: the original TOKEN (User SID, Logon Session ID, Integrity, Groups, …) references the Original Logon Session; a Duplicate TOKEN with a new Logon Session ID references the New Logon Session created with the hash (Kerberos SSP/AP)]
50. Creating and manipulating logon sessions with passwords/hashes is nice but…
…what if there is already what we need in the system?
51. With privileges, we can manipulate any token in the system!
Recall that credentials are tied to logon sessions.
Non-Network logon → credentials in lsass.exe.
Network logon → no credentials.
Logon with no creds means token with no creds.
Token with no creds means USELESS TOKEN.
Luke Jennings – "Security Implications of Windows Access Tokens - A Penetration Tester's Guide"
Jared Atkinson & Robby Winchester – "A Process is No One. Hunting for Token Manipulation" – Blackhat 2017
53. [Diagram: a Process's TOKEN (User SID, Logon Session ID, Integrity, Groups, …) is copied with DuplicateTokenEx()* and applied to a New Process or an Existing Thread; both tokens reference the same Logon Session]
* CreateProcessWithTokenW(): creates a process with the token.
ImpersonateLoggedOnUser(): assigns a primary or impersonation token to the calling thread.
SetThreadToken(): assigns an impersonation token to a thread.
56. [Diagram: a Process references its TOKEN (User SID, Logon Session ID, Integrity, Groups, …), which references a Logon Session; a Payload injected* into the Process uses that token]
* Process Injection (Shellcode, Reflective DLL, …)
Allocate memory in the remote process.
Copy program to remote process.
Create thread to run it.
Process Hollowing
Unmap the original program.
Allocate memory and copy program.
Hijack existing thread to run it.
…
62. Techniques seen so far
Make Token: we have credential material and we can create a token for the user.
Token Impersonation: the user is logged in on our system and we can steal its token to apply it to one of our threads (impersonation token).
Create Process with Token: the user is logged in on our system and we can steal its token to create a new process with it (primary token).
Jared Atkinson & Robby Winchester – "A Process is No One. Hunting for Token Manipulation" – Blackhat 2017
64. Make Token
Creates a new logon session using the specified credentials.
The new token will appear to be for the calling user and not for the one passed to LogonUser().
Local user != network user
There's no "straight" way to know who the network user is.
65. An approach is checking Kerberos TGTs for differences between the "caller" and "called" usernames.
These cases are usually related to runas /netonly:
a user using their Domain Administrator account…
…but also attackers using stolen credentials.
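The check slide 65 proposes, as an added example that is not the deck's code: on a Windows host, `klist sessions` lists every logon session with its local user and `klist -li <LogonId>` lists the tickets cached for one session, so a session whose user is the caller but whose TGT (the `krbtgt/` ticket) names someone else is a runas /netonly or over-pass-the-hash style session. The two text blobs below are constructed samples laid out like klist output; the exact column layout is an assumption, which is why the regexes are kept loose, and the account and realm names are invented.

```python
"""Flag logon sessions whose Kerberos TGT belongs to a different user (added example)."""
import re
from typing import Dict, List

# Constructed sample of `klist sessions` output (layout is an assumption).
SESSIONS_OUTPUT = """\
Current LogonId is 0:0x2d1c2
[0] Session 0 0:0x3e7 CAPSULE\\HOSTA$ Negotiate:Service
[1] Session 1 0:0x2d1c2 CAPSULE\\attl4s Kerberos:Interactive
[2] Session 0 0:0x8f3a1 CAPSULE\\attl4s Kerberos:NewCredentials
[3] Session 0 0:0x91b20 CAPSULE\\svc_backup Kerberos:Network
"""

# Constructed samples of `klist -li <LogonId>` output, keyed by LogonId.
TICKETS_OUTPUT: Dict[str, str] = {
    "0x2d1c2": """\
Cached Tickets: (1)
#0>     Client: attl4s @ CAPSULE.CORP
        Server: krbtgt/CAPSULE.CORP @ CAPSULE.CORP
""",
    "0x8f3a1": """\
Cached Tickets: (1)
#0>     Client: acapaz @ CAPSULE.CORP
        Server: krbtgt/CAPSULE.CORP @ CAPSULE.CORP
""",
    "0x91b20": "Cached Tickets: (0)\n",
}

SESSION_RE = re.compile(
    r"^\[\d+\]\s+Session\s+\d+\s+0:(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+):(\S+)", re.M)
TICKET_RE = re.compile(r"Client:\s*(\S+)\s*@\s*(\S+)\s+Server:\s*(\S+)\s*@")


def parse_sessions(text: str) -> List[dict]:
    """One dict per logon session: LogonId, local user, auth package, logon type."""
    return [{"luid": m.group(1).lower(), "user": m.group(2),
             "package": m.group(3), "logon_type": m.group(4)}
            for m in SESSION_RE.finditer(text)]


def tgt_clients(text: str) -> List[str]:
    """Client names of the TGTs (krbtgt/ service) cached in one session."""
    return [m.group(1).lower() for m in TICKET_RE.finditer(text)
            if m.group(3).lower().startswith("krbtgt/")]


def find_identity_mismatches(sessions_text: str, tickets_by_luid: Dict[str, str]) -> List[dict]:
    """Sessions where the TGT's client differs from the session's own user."""
    findings = []
    for s in parse_sessions(sessions_text):
        local = s["user"].split("\\")[-1].lower()        # strip DOMAIN\ prefix
        for client in tgt_clients(tickets_by_luid.get(s["luid"], "")):
            if client != local:
                findings.append({**s, "tgt_client": client})
    return findings


if __name__ == "__main__":
    for f in find_identity_mismatches(SESSIONS_OUTPUT, TICKETS_OUTPUT):
        print(f"{f['luid']} {f['logon_type']}: local {f['user']} but TGT for {f['tgt_client']}")
```

Feed the functions the real text of `klist sessions` and `klist -li <LogonId>` collected with administrative rights (the LogonIds of other users' sessions are otherwise not visible). As the slide notes, a hit is not a verdict: an administrator who uses runas /netonly with a separate admin account produces exactly the same mismatch as an attacker with stolen credentials, so the finding is an input to correlation (which host, which pair of accounts, how often) rather than an alert on its own.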
69. Token Impersonation
Duplicate the Token of another user's process/thread and apply it to one of our threads as an Impersonation Token.
The owner of the process (and thus the Primary Token) will be our user.
The defender must check all the Primary Tokens (processes) but also all the Impersonation Tokens (threads).
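The structures described on slides 19 and 21, the Make Token steps of slides 33, 39 and 43, the token duplication of slide 53 and the three techniques summarised on slide 62, as one added example that is not from the original deck and calls no Win32 API: plain Python objects stand in for the logon session table LSASS keeps and for the process list. It makes concrete that a token carries a Logon Session ID rather than credentials, so its network identity is whatever credential material hangs off that session; that Make Token (runas /netonly, pass-the-hash, over-pass-the-hash) leaves the token's local identity untouched while changing the network identity; and that Token Impersonation gives one thread an identity different from its process owner. The audit() function walks what slide 69 says a defender must walk, every process's primary token and every thread's impersonation token. All user names, credential material and ids are constructed values.

```python
"""Toy model of logon sessions, tokens and token techniques (added example)."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional

_luids = count(0x1000)  # constructed Logon Session IDs


@dataclass
class LogonSession:
    luid: int
    cred_user: str            # identity the credential material belongs to
    material: Optional[str]   # "password:..", "nthash:..", "kerbkey:.." or None (network logon)


@dataclass
class Token:
    user: str                 # User SID / local identity
    luid: int                 # Logon Session ID
    kind: str                 # "primary" or "impersonation"
    groups: List[str] = field(default_factory=list)

    def duplicate(self, kind: str, luid: Optional[int] = None) -> "Token":
        """DuplicateTokenEx() in the model: same identity, optionally re-pointed LUID."""
        return Token(self.user, self.luid if luid is None else luid, kind, list(self.groups))


@dataclass
class Thread:
    tid: int
    impersonation: Optional[Token] = None   # None: thread runs with the process token


@dataclass
class Process:
    pid: int
    token: Token                            # primary token
    threads: List[Thread] = field(default_factory=list)


class Host:
    """Stand-in for LSASS's logon session table plus the process list."""

    def __init__(self) -> None:
        self.sessions: Dict[int, LogonSession] = {}
        self.processes: List[Process] = []

    def _spawn(self, pid: int, token: Token) -> Process:
        proc = Process(pid, token, [Thread(pid * 10)])
        self.processes.append(proc)
        return proc

    def logon(self, user: str, material: Optional[str], pid: int) -> Process:
        """Interactive logon keeps material in the session; network logon (None) does not."""
        luid = next(_luids)
        self.sessions[luid] = LogonSession(luid, user, material)
        return self._spawn(pid, Token(user, luid, "primary", [user, "Users"]))

    def network_identity(self, token: Token) -> Optional[str]:
        """Who a token acts as on the network: the credentials of its logon session."""
        s = self.sessions[token.luid]
        return s.cred_user if s.material is not None else None   # None = useless token (slide 51)

    def make_token(self, caller: Process, cred_user: str, material: str, pid: int) -> Process:
        """Slides 33/39/43: new session holding the material, copied token re-pointed to it."""
        luid = next(_luids)
        self.sessions[luid] = LogonSession(luid, cred_user, material)
        return self._spawn(pid, caller.token.duplicate("primary", luid))

    def impersonate(self, victim: Process, thread: Thread) -> None:
        """Slides 53/69: a thread takes a duplicate of another process's token."""
        thread.impersonation = victim.token.duplicate("impersonation")

    def create_process_with_token(self, victim: Process, pid: int) -> Process:
        """Slide 62: new process whose primary token duplicates the victim's."""
        return self._spawn(pid, victim.token.duplicate("primary"))

    def audit(self) -> List[str]:
        """Identity mismatches a defender looks for, in processes AND threads."""
        found = []
        for p in self.processes:
            net = self.network_identity(p.token)
            if net is not None and net != p.token.user:
                found.append(f"pid {p.pid}: local user {p.token.user}, network user {net}")
            for t in p.threads:
                if t.impersonation and t.impersonation.user != p.token.user:
                    found.append(f"pid {p.pid} tid {t.tid}: impersonates {t.impersonation.user} in a {p.token.user} process")
        return found


def demo() -> dict:
    host = Host()
    me = host.logon("HOSTA\\attl4s", "password:Patatas123", pid=100)        # our interactive logon
    admin = host.logon("CAPSULE\\acapaz", "kerbkey:<constructed>", pid=200)  # admin logged on interactively
    svc = host.logon("CAPSULE\\svc", None, pid=300)                           # network logon: no creds
    pth = host.make_token(me, "CAPSULE\\acapaz", "nthash:<constructed>", pid=101)
    host.impersonate(admin, me.threads[0])
    spawned = host.create_process_with_token(admin, pid=102)
    return {
        "pth_local": pth.token.user,
        "pth_network": host.network_identity(pth.token),
        "spawned_local": spawned.token.user,
        "svc_network": host.network_identity(svc.token),
        "findings": host.audit(),
    }


if __name__ == "__main__":
    for line in demo()["findings"]:
        print(line)
```

Read against the deck: the process-level finding is the "local user != network user" case of slide 64 that slide 65 detects through Kerberos TGTs, and the thread-level finding is why slide 69 insists on enumerating impersonation tokens on threads and not only primary tokens on processes; the process created with a stolen token produces no mismatch at all, which is what makes that variant the hardest of the three to spot from token data alone.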