Understanding Windows
Lateral Movements
ATTL4S & WINT3R
WHY?
DISCLAIMER
For the sake of simplicity, some things will be skipped or just simplified.
If you want to go into more detail on a topic, the corresponding links are at the bottom of each slide.
Also, some slides are based on images or texts from other sources. Credit has been given to them.
Credential theft
[Diagram: on HostA, UserA obtains UserB’s credential material (password, hash or token) and uses it to reach HostB as UserB]
AGENDA
• AUTHENTICATION
• LOGON SESSIONS
• ACCESS TOKENS
• HANDS ON
  • Do I have passwords?
  • Do I have hashes?
  • Can I manipulate interesting tokens?
  • Let’s move
• DETECTIONS
Ways of Authentication
[Diagram: HostA and HostB each hold local accounts in their SAM (HostA\UserA, HostA\UserB); the DC holds the domain accounts CorpDomain\UserA and CorpDomain\UserB in NTDS]
[SAM] : Local Auth
[NTDS] : Domain Auth
• We don’t care about physical authentications.
• We care about remote authentications, and they require privileges.
• Being a local user in a system doesn’t mean you have privileges.
So…
Windows Internals, Part 1: User Mode
Authentication Packages:
Msv1_0 & Kerberos
Local Auth: Msv1_0 (NTLM)
[Diagram: NTLM local authentication of HostA\ATTL4S against HostA’s SAM]
1. Client: “I’m HostA\attl4s”
2. HostA: Challenge
3. Client: Challenge encrypted with the user’s hash
4. HostA: *checks the hash against the SAM* OK
https://support.microsoft.com/en-sg/help/102716/ntlm-user-authentication-in-windows
https://docs.microsoft.com/en-us/windows/desktop/secauthn/about-authentication
Domain Auth: KERBEROS*
[Diagram: Corp\ATTL4S authenticates to HostA; HostA passes the authentication through to the DC (Netlogon pass-through), the DC checks NTDS and answers OK, and HostA answers OK]
*NTLM is still supported: non domain-joined systems, legacy services, an IP address used instead of a hostname…
https://docs.microsoft.com/es-es/windows-server/security/kerberos/kerberos-authentication-overview
[Diagram: authentication of UserA on HostA (physical or remote, NTLM or Kerberos): the LSA hands the auth to an authentication package, which creates a logon session; the security information it provides is used to create a TOKEN holding the User SID, Logon Session ID, Integrity, Groups, …]
LOGON SESSIONS
• Logon sessions are created when an authentication is successful (physically or remotely).
• Credentials (if any) are tied to logon sessions.
• Two types:
  • Interactive / Non-Network
  • Non-interactive / Network / Remote
https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
• Interactive
  • The user sends credentials, and they are stored in lsass.exe.
  • Typically the auth screen (Winlogon → LogonUI)
• Non-interactive / Network*
  • The user proves they have credentials but does not send them to the target.
  • Usually after an interactive authentication, for SSO purposes.
*Delegation
DEMO 1
[Diagram, recap: LSA → auth package → creates logon session → provides security information → creates TOKEN (User SID, Logon Session ID, Integrity, Groups, …) for UserA on HostA, whether the logon was physical or remote, NTLM or Kerberos]
• When a logon session is created, information is returned to the Local Security Authority (LSA) that is used to create a token for the new user.
• Each access token references a logon session.
• Process/Thread → Token → Logon Session → Credentials
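As an added example (not part of the slides and not the authors’ code), the following PowerShell walks the chain just described in the other direction: it inventories the logon sessions on the local host, the account behind each one and the processes attached to it, and applies the rule the deck states (non-network logon → credentials in lsass.exe, network logon → none). It uses the documented Win32_LogonSession, Win32_LoggedOnUser, Win32_SessionProcess and Win32_Process CIM classes; the CredsInLsass column is the deck’s heuristic applied to the logon type, not something Windows reports.

```powershell
# Added example, not from the slides: map logon sessions -> accounts -> processes on the
# local host and flag which sessions the deck's rule says should hold credentials in lsass.
# Run from an elevated PowerShell; otherwise you only see your own sessions and processes.

# LogonType values as documented for Win32_LogonSession and event 4624
$logonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'     # runas /netonly and make-token style logons
    10 = 'RemoteInteractive'  # RDP
    11 = 'CachedInteractive'
}

# LogonId -> DOMAIN\user, via the Win32_LoggedOnUser association
$accountByLogonId = @{}
foreach ($a in Get-CimInstance -ClassName Win32_LoggedOnUser) {
    $accountByLogonId[$a.Dependent.LogonId] = '{0}\{1}' -f $a.Antecedent.Domain, $a.Antecedent.Name
}

# PID -> image name, so the association below can be rendered readably
$nameByPid = @{}
foreach ($p in Get-CimInstance -ClassName Win32_Process) { $nameByPid[[string]$p.ProcessId] = $p.Name }

# LogonId -> list of "name(pid)", via the Win32_SessionProcess association.
# The Dependent reference only carries the Win32_Process key, Handle (the PID as a string).
$procsByLogonId = @{}
foreach ($sp in Get-CimInstance -ClassName Win32_SessionProcess) {
    $id     = $sp.Antecedent.LogonId
    $procId = $sp.Dependent.Handle
    if (-not $procsByLogonId.ContainsKey($id)) {
        $procsByLogonId[$id] = New-Object System.Collections.Generic.List[string]
    }
    $procsByLogonId[$id].Add(('{0}({1})' -f $nameByPid[$procId], $procId))
}

function Get-LogonSessionInventory {
    Get-CimInstance -ClassName Win32_LogonSession | ForEach-Object {
        $type     = [int]$_.LogonType
        $typeName = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { "$type" }
        # Deck's rule of thumb: network logons (3) carry no reusable credentials, interactive-style
        # logons (2, 9, 10, 11) do; anything else has to be judged case by case.
        $creds = if ($type -eq 3) { 'No' } elseif ($type -in 2, 9, 10, 11) { 'Likely' } else { 'Depends' }
        [pscustomobject]@{
            LogonId      = '0x{0:x}' -f [uint64]$_.LogonId
            Account      = $accountByLogonId[$_.LogonId]
            LogonType    = $typeName
            AuthPackage  = $_.AuthenticationPackage
            CredsInLsass = $creds
            Processes    = ($procsByLogonId[$_.LogonId] -join ', ')
        }
    }
}

Get-LogonSessionInventory | Sort-Object LogonType | Format-Table -AutoSize -Wrap
```

A NewCredentials (type 9) session is the interesting edge case for this page: the account column shows the caller, while the credentials held for that session belong to whatever account was passed on the command line, which is exactly the mismatch the /netonly slides describe.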
ACCESS TOKENS
An access token is a protected object that contains information about the identity and user rights of the associated user account.
Every process executed on behalf of this user has a copy of the token.
• User SID
• Groups
• Integrity
• Token type
• Privileges
• Logon Session
• …
https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
• An access token isn’t a single thing that represents a user’s identity.
• The same user can have different tokens and sessions in different processes/threads.
  • e.g. UAC (medium and high integrity processes)
[Diagram: access check of Passwords.txt against two processes’ access tokens]
Passwords.txt – object’s security descriptor (DACL):
  ACE 1: Access Denied,  S-1-5-21-domain-1004 (wint3r),  Read, Write, Execute
  ACE 2: Access Allowed, S-1-5-32-544 (Administrators),  Write
  …
Attl4s’s process – access token: Groups include S-1-5-32-544 (Administrators)
Wint3r’s process – access token: User SID S-1-5-21-domain-1004
Token Types
• Primary Tokens (process tokens)
  • Every process has a primary token associated.
  • When a new process is created, the default action is to inherit the primary token of its parent.
• Impersonation Tokens (thread tokens)
  • They enable a thread to run in a different context from the process that owns it.
  • Usually used for client and server scenarios (service accounts).
https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
https://www.exploit-db.com/papers/13054
https://es.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
Impersonation Tokens
• Impersonation tokens have different “impersonation” levels.
• We only care about the ones “fully impersonated” (also called Delegation Tokens).
• Delegation tokens reference a logon session with credentials in memory and therefore can be used to access remote resources.
• Created by interactive logons → console logons, RunAs, PsExec with the -u flag, RDP…
• …or delegation!
https://docs.microsoft.com/en-us/windows/desktop/secauthz/impersonation-levels
https://digital-forensics.sans.org/blog/2012/03/21/protecting-privileged-domain-accounts-access-tokens
[Diagram, recap: LSA → auth package → creates logon session → provides security information → creates TOKEN (User SID, Logon Session ID, Integrity, Groups, …) for UserA on HostA]
Do I have passwords?
Do I have hashes?
Can I manipulate interesting tokens?
HANDS ON
Do I have Passwords?
Runas.exe
• The process created by runas has an access token similar to one created by an interactive logon.
• Useful for:
  • A local user in the system (Fileserver\attl4s on Fileserver$)
  • A domain user from a trusted domain (Capsule\acapaz on Fileserver$)
But…
• How can I runas with local users from other systems?
  • Runas Fileserver\attl4s in Sqlserver$ will fail.
• How can I runas with domain users when there’s no trust relationship?
  • Runas Capsule\acapaz in a non-domain-joined system will fail.
• Also, what about the fuc**** password prompt?
https://docs.microsoft.com/es-es/windows/desktop/api/winbase/nf-winbase-logonusera
https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/
The Netonly Flag
The /netonly flag → LOGON32_LOGON_NEW_CREDENTIALS
• Tells runas that the specified credentials are for remote access only.
• Windows will not validate the credentials (watch out: a wrong password is not detected at this point).
• When you interact with a network resource, Windows will use the credentials referred to by the newly created logon session.
• Therefore, the logon session will not match the identity of the access token.
Runas /netonly - HOW?
[Diagram: the original TOKEN (User SID, Logon Session ID, Integrity, Groups, …) references the original logon session; the copied TOKEN references the new logon session and is given to the new process]
1. Windows will create a new logon session with the credentials.
2. It will copy the current user’s token and substitute the default logon session for the new one.
3. The new process will run with this token.
…and the fuc**** password prompt?
Win32 API – Do it yourself!
CreateProcessWithLogonW, CreateProcessAsUser, CreateProcessWithTokenW, LogonUserA, …
• MSF
  • exploit/windows/local/run_as
  • post/windows/manage/run_as
  • post/windows/manage/run_as_psh
• Cobalt Strike
  • MakeToken
  • RunAs
• Covenant / SharpSploit
  • MakeToken
DEMO 2
Do I have Hashes?
MSV1_0 / NTLM
Pass-the-Hash
PASS-THE-HASH (msv1_0)
1. New logon session
2. Update the credential material (hash) in that logon session (ADMIN)
3. Copy the original token and point it to the new logon session
4. Use this new token
5. Runas /netonly but with the hash instead of the password!!
https://docs.microsoft.com/en-us/windows/desktop/secauthn/msv1-0-authentication-package
[Diagram: NORMAL: UserA on HostA hands the password Patatas123 to LSASS (msv1_0) and gets access. PASS-THE-HASH: UserB on HostA hands the NTLM hash BD35111AB3B0D46129EFBDBAB06B49C4 to LSASS (msv1_0) and gets the same access. The original TOKEN references the original logon session; a duplicate of it references the new logon session created with the hash (msv1_0).]
Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
Examples
KERBEROS SSP/AP
OverPass-the-hash > Pass-the-Ticket > AskTGT
OVERPASS-THE-HASH (Kerberos SSP/AP)
1. New logon session
2. Update the credential material (hash and/or KEYS) in that logon session (ADMIN)
3. Copy the original token and point it to the new logon session
4. Use this new token
5. Runas /netonly but with the hash instead of the password!!
[Diagram: NORMAL: UserA on HostA hands the password Patatas123 to LSASS (Kerberos), which runs AS-REQ/AS-REP and TGS-REQ/TGS-REP with the DC. OVERPASS-THE-HASH: UserB on HostA hands the hash BD35111AB3B0D46129EFBDBAB06B49C4 to LSASS (Kerberos), which runs the same AS-REQ/AS-REP and TGS-REQ/TGS-REP exchange with the DC. The original TOKEN references the original logon session; a duplicate of it references the new logon session created with the hash (Kerberos SSP/AP).]
Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
PASS-THE-TICKET (Kerberos SSP/AP)
1. Obtain (or create) a TGT/TGS ticket somewhere.
2. Import the ticket through Kerberos APIs.
3. Profit.
[Diagram: UserB on HostA imports the ticket into LSASS (Kerberos), which uses it in the TGS-REQ/TGS-REP exchange with the DC]
Kerberos LSA API = NO ADMIN
Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
ASK-TGT/TGS (Kerberos SSP/AP)
1. Generate legitimate Kerberos traffic.
[Diagram: UserB on HostA talks to the DC directly (AS-REQ/AS-REP, TGS-REQ/TGS-REP), without LSASS, and gets access]
NO LSASS = NO ADMIN
https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
Examples
DEMO 3
Can I manipulate interesting Tokens?
Creating and manipulating logon sessions with passwords/hashes is nice but…
…what if there is already what we need in the system?
• With privileges, we can manipulate any token in the system!
• Recall that credentials are tied to logon sessions.
  • Non-Network logon → Credentials in lsass.exe.
  • Network logon → No credentials.
• Logon with no creds means token with no creds.
• Token with no creds means USELESS TOKEN.
Luke Jennings – “Security Implications of Windows Access Tokens - A Penetration Tester's Guide”
Jared Atkinson & Robby Winchester – “A Process is No One. Hunting for Token Manipulation” – Blackhat 2017
Token Impersonation / Theft
[Diagram: the TOKEN of an existing process, which references a logon session, is duplicated with DuplicateTokenEx()* and applied to a new process or an existing thread]
* With the duplicated token:
• CreateProcessWithTokenW() → Creates a process with the token.
• ImpersonateLoggedOnUser() → Assigns a primary or impersonation token to the calling thread.
• SetThreadToken() → Assigns an impersonation token to a thread.
DEMO 4
Injecting into the Token Context
[Diagram: a payload is injected* into a process whose TOKEN references the wanted logon session; the payload then uses that token]
* Process Injection (Shellcode, Reflective DLL, …)
  • Allocate memory in the remote process.
  • Copy the program to the remote process.
  • Create a thread to run it.
* Process Hollowing
  • Unmap the original program.
  • Allocate memory and copy the program.
  • Hijack an existing thread to run it.
* …
DEMO 5
Let’s move
• sc
• schtasks
• DCOM
• WMI
• WinRS
• Remote registry
• Windows Remote Management (WinRM)
• Special folders
• …
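As an added example from the defender’s side (not part of the slides and not the authors’ code), the PowerShell below collects the host-side traces that several of the listed methods leave on the target. The event IDs are the standard Windows ones: 7045 (new service installed, System log), 4698 (scheduled task created, Security log; needs object-access auditing enabled), 4624 with LogonType 3 (the network logon every remote method starts with) and Microsoft-Windows-WinRM/Operational 91 (a remote shell created for WinRS/WinRM). The one-day window and the function name are choices made for this example.

```powershell
# Added example, not from the slides: summarise the traces the remote execution methods
# listed above leave on a host. Run from an elevated PowerShell on the machine examined.

function Find-LateralMovementTraces {
    param([datetime]$Since = (Get-Date).AddDays(-1))   # constructed default window

    $queries = @(
        @{ Name = 'Service installed (sc / PsExec-style)'; Log = 'System';   Id = 7045 },
        @{ Name = 'Scheduled task created (schtasks)';     Log = 'Security'; Id = 4698 },
        @{ Name = 'Network logon (4624 type 3)';           Log = 'Security'; Id = 4624 },
        @{ Name = 'WinRM shell created (WinRS / WinRM)';   Log = 'Microsoft-Windows-WinRM/Operational'; Id = 91 }
    )

    foreach ($q in $queries) {
        # -ErrorAction SilentlyContinue: "no events found" and a missing/unreadable log are not fatal here
        $hits = @(Get-WinEvent -FilterHashtable @{ LogName = $q.Log; Id = $q.Id; StartTime = $Since } `
                               -ErrorAction SilentlyContinue)

        if ($q.Id -eq 4624) {
            # FilterHashtable cannot filter on LogonType, so read it from the event XML
            $hits = @($hits | Where-Object {
                $d = ([xml]$_.ToXml()).Event.EventData.Data
                ($d | Where-Object Name -eq 'LogonType').'#text' -eq '3'
            })
        }

        # Get-WinEvent returns newest first, so element 0 is the latest hit
        $latest = if ($hits.Count) { $hits[0].TimeCreated } else { $null }
        $sample = if ($hits.Count) { ($hits[0].Message -split "`r?`n")[0] } else { '' }

        [pscustomobject]@{
            Check  = $q.Name
            Count  = $hits.Count
            Latest = $latest
            Sample = $sample
        }
    }
}

Find-LateralMovementTraces | Format-Table -AutoSize -Wrap
```

Type 3 logons are noisy on any file server, so the count alone says little; the value is in correlating a network logon from an unexpected source with a 7045 or 4698 a few seconds later, which is the pairing sc- and schtasks-based movement produces.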
DEMO 6
DETECTIONS
Techniques seen so far
• Make Token
  • We have credential material and we can create a token for the user.
• Token Impersonation
  • The user is logged in on our system and we can steal their token to apply it to one of our threads (impersonation token).
• Create Process with Token
  • The user is logged in on our system and we can steal their token to create a new process with it (primary token).
Jared Atkinson & Robby Winchester – “A Process is No One. Hunting for Token Manipulation” – Blackhat 2017
Make Token
• Creates a new logon session using the specified credentials.
• The new token will appear to be for the calling user and not the one passed to LogonUser().
  • Local user != network user
• There’s no “straight” way to know who the network user is.
  • An approach is checking Kerberos TGTs for differences between the “caller” and “called” usernames.
• These cases are usually related to runas /netonly
  • A user using their Domain Administrator account
  • But also attackers using stolen credentials.
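As an added example (not part of the slides and not the authors’ code), this PowerShell implements the two checks described above: it pulls 4624 events from the Security log, keeps the NewCredentials logons (LogonType 9, the type LOGON32_LOGON_NEW_CREDENTIALS produces), and for each one asks klist for the TGT cached in the new logon session so the caller can be compared with the ticket’s client name. It assumes an elevated shell, default logon auditing, and that klist.exe is on the path; the function name and the 5000-event cap are choices made here.

```powershell
# Added example, not from the slides: hunt NewCredentials (LogonType 9) logons. The 4624
# event's Subject and Target both name the caller; the alternate network identity is not
# logged, which is the "no straight way to know the network user" problem above.

function Get-NewCredentialsLogons {
    param([int]$MaxEvents = 5000)   # how far back to look; tune for the host

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data['LogonType'] -ne '9') { continue }

        [pscustomobject]@{
            Time         = $e.TimeCreated
            Caller       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            NewLogonId   = $data['TargetLogonId']          # id of the new logon session (hex)
            Process      = $data['ProcessName']
            LogonProcess = $data['LogonProcessName']
            AuthPackage  = $data['AuthenticationPackageName']
        }
    }
}

$hits = @(Get-NewCredentialsLogons)
$hits | Format-Table -AutoSize

# The deck's follow-up check: for a session that is still alive, the TGT cached in the new
# logon session names the real (network) client, which can be compared with Caller.
# Sessions that only ever used NTLM, or that have ended, simply show no ticket.
foreach ($h in $hits) {
    "--- klist tgt -li $($h.NewLogonId)"
    klist tgt -li $h.NewLogonId 2>$null | Select-String -Pattern 'Client|Domain'
}
```

A type 9 logon is not malicious by itself (some services and admins use alternate credentials legitimately), so the useful signal is the combination: a caller whose TGT client name is a different, more privileged account, especially from a process that is not runas.exe.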
Token Impersonation
• Duplicate the token of another user’s process/thread and apply it to one of our threads as an impersonation token.
• The owner of the process (and thus the primary token) will be our user.
• The defender must check all the primary tokens (processes) but also all the impersonation tokens (threads).
.\Get-AccessToken.ps1 | Where-Object { $_.Type -eq 'TokenImpersonation' } | Select-Object PrimaryUsername, Username, ProcessName, ProcessId
https://gist.github.com/jaredcatkinson/17698b39efd72f976a6a846ec3a8eacd

PCI PIN Basics Webinar from the Controlcase Team
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 

Understanding Windows Lateral Movements

  • 3. DISCLAIMER: For the sake of simplicity, some things will be skipped or just simplified. If you want to go into more detail on a topic, the corresponding links are at the bottom of each slide. Also, some slides are based on images or texts from other sources. Credit has been given to them.
  • 4. Credential theft (diagram): what is stolen is a Password, a Hash or a Token; UserA and UserB on HostA, UserB on HostB.
  • 5. AGENDA
    - AUTHENTICATION
    - LOGON SESSIONS
    - ACCESS TOKENS
    - HANDS ON: Do I have passwords? Do I have hashes? Can I manipulate interesting tokens? Let's move
    - DETECTIONS
  • 7. Ways of authentication (diagram): local accounts are held in the SAM of their host ([SAM] HostA\UserA and [SAM] HostA\UserB on HostA); domain accounts are held in NTDS on the DC ([NTDS] CorpDomain\UserA and [NTDS] CorpDomain\UserB). [SAM]: Local Auth; [NTDS]: Domain Auth.
  • 8.
    - We don't care about physical authentications.
    - We care about remote authentications, and they require privileges.
    - Being a local user in a system doesn't mean you have privileges. So…
  • 9. Windows Internals, Part 1: User Mode (image credit)
  • 11. Local Auth: Msv1_0 (NTLM). Diagram: HostA\ATTL4S to the SAM on HostA: "I'm HostA\attl4s" / Challenge / Challenge encrypted with user's hash / *Checks the hash* OK.
    https://support.microsoft.com/en-sg/help/102716/ntlm-user-authentication-in-windows
    https://docs.microsoft.com/en-us/windows/desktop/secauthn/about-authentication
  • 12. Domain Auth: KERBEROS*. Diagram: Corp\ATTL4S authenticates to HostA; HostA passes the authentication through to the DC (NTDS) over Netlogon; OK. *NTLM is still supported on non-domain-joined systems, legacy services, IP instead of hostname…
    https://docs.microsoft.com/es-es/windows-server/security/kerberos/kerberos-authentication-overview
  • 13. Diagram: an authentication (Physical or Remote; NTLM or Kerberos) by UserA on HostA reaches the LSA, whose Auth package creates a Logon Session; the security information it provides is used to create a TOKEN (User SID, Logon Session ID, Integrity, Groups, …).
  • 14. AGENDA (repeated; next section: LOGON SESSIONS)
  • 15.
    - Logon sessions are created when an authentication is successful (physically or remotely).
    - Credentials (if any) are tied to logon sessions.
    - Two types: Interactive / Non-Network, and Non-interactive / Network / Remote.
    https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
  • 16. Interactive
    - The user sends credentials and they are stored in lsass.exe.
    - Typically the auth screen (Winlogon -> LogonUI).
  • 17. Non-interactive / Network*
    - The user proves he has credentials but does not send them to the target.
    - Usually after an interactive authentication, for SSO purposes. *Delegation
  • 19. (Same diagram as slide 13.)
    - When a logon session is created, information is returned to the Local Security Authority (LSA) that is used to create a token for the new user.
    - Each Access Token references a Logon Session.
    - Process/Thread -> Token -> Logon Session -> Credentials
  • 20. AGENDA (repeated; next section: ACCESS TOKENS)
  • 21. An access token is a protected object that contains information about the identity and user rights of the associated user account. Every process executed on behalf of this user has a copy of the token.
    - User SID, Groups, Integrity, Token type, Privileges, Logon Session, …
    https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
    https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
  • 22.
    - An Access token isn't a single thing that represents a user's identity.
    - The same user can have different tokens and sessions in different processes/threads.
    - i.e. UAC (medium and high integrity processes)
  • 23. Access check (diagram): Passwords.txt carries a security descriptor whose DACL has ACE 1: Access Denied, S-1-5-21-domain-1004 (wint3r), Read, Write, Execute; and ACE 2: Access Allowed, S-1-5-32-544 (Administrators), Write. Attl4s's process holds an access token whose Groups include S-1-5-32-544 (Administrators); Wint3r's process holds an access token whose User SID is S-1-5-21-domain-1004.
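The check the slide 23 diagram depicts, as an added example (not code from the deck): every SID in the token is walked against the DACL in ACE order, and the first ACE that matches a token SID and touches a still-undecided requested right settles that right. The ACEs and their SIDs are the slide's own placeholders; attl4s's user SID is not on the slide and is assumed here, and owner rights, inheritance and generic-right mapping are left out.

```python
"""Ordered DACL walk for the Passwords.txt slide (added example, simplified)."""
from dataclasses import dataclass, field
from typing import List, Set

# Access rights as bit flags, so a request can combine several of them.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass
class AccessToken:
    user_sid: str
    groups: List[str] = field(default_factory=list)

    def sids(self) -> Set[str]:
        # Every SID in the token takes part in the check, not only the user SID.
        return {self.user_sid, *self.groups}


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int   # rights this ACE grants or denies


def access_check(token: AccessToken, dacl: List[Ace], requested: int) -> bool:
    """Walk the DACL in order; a matching deny on an undecided right ends the
    check, matching allows accumulate until everything requested is granted."""
    granted = 0
    token_sids = token.sids()
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE is about some other principal
        undecided = requested & ~granted
        if ace.kind == "deny" and ace.mask & undecided:
            return False                  # deny reached before that right was granted
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True               # everything asked for is now granted
    return requested == 0                 # ACEs exhausted with rights still undecided


def is_canonical(dacl: List[Ace]) -> bool:
    """Explicit denies must precede explicit allows; otherwise an earlier allow
    grants a right that a later deny was meant to block."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Slide 23: the two ACEs on Passwords.txt (constructed from the slide).
PASSWORDS_TXT_DACL = [
    Ace("deny", "S-1-5-21-domain-1004", READ | WRITE | EXECUTE),  # ACE 1: wint3r
    Ace("allow", "S-1-5-32-544", WRITE),                          # ACE 2: Administrators
]
ATTL4S = AccessToken("S-1-5-21-domain-1001", groups=["S-1-5-32-544"])  # user SID assumed
WINT3R = AccessToken("S-1-5-21-domain-1004")

if __name__ == "__main__":
    print("wint3r read :", access_check(WINT3R, PASSWORDS_TXT_DACL, READ))   # False
    print("attl4s write:", access_check(ATTL4S, PASSWORDS_TXT_DACL, WRITE))  # True
    print("attl4s read :", access_check(ATTL4S, PASSWORDS_TXT_DACL, READ))   # False
```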
  • 24. Token Types
    - Primary Tokens (process tokens): every process has a primary token associated; when a new process is created, the default action is to inherit the primary token of its parent.
    - Impersonation Tokens (thread tokens): they enable a thread to run in a different context from the process that owns it; usually used for client and server scenarios (service accounts).
    https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
    https://www.exploit-db.com/papers/13054
  • 26. Impersonation Tokens
    - Impersonation Tokens have different "impersonation" levels.
    - We only care about the ones "fully impersonated" (also called Delegation Tokens).
    - Delegation Tokens reference a logon session with credentials in memory and therefore can be used to access remote resources.
    - Created by interactive logons -> console logons, RunAs, PsExec with -u flag, RDP… …or delegation!
    https://docs.microsoft.com/en-us/windows/desktop/secauthz/impersonation-levels
    https://digital-forensics.sans.org/blog/2012/03/21/protecting-privileged-domain-accounts-access-tokens
  • 27. (Same diagram as slide 13.) Do I have passwords? Do I have hashes? Can I manipulate interesting tokens?
  • 28. AGENDA (repeated; next section: HANDS ON)
  • 29. Do I have Passwords?
  • 30. Runas.exe
    - The process created by runas has an access token similar to one created by an interactive logon.
    - Useful for: a local user in the system (Fileserver\attl4s on Fileserver$); a domain user from a trusted domain (Capsule\acapaz on Fileserver$).
    - But… How can I runas with local users from other systems? Runas Fileserver\attl4s in Sqlserver$ will fail.
    - How can I runas with domain users when there's no trust relationship? Runas Capsule\acapaz in a non-domain-joined system will fail.
    - Also, what about the fuc**** password prompt?
    https://docs.microsoft.com/es-es/windows/desktop/api/winbase/nf-winbase-logonusera
    https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/
  • 32. The /netonly flag (LOGON32_LOGON_NEW_CREDENTIALS)
    - Tells runas that the specified credentials are for remote access only.
    - Windows will not validate the credentials (WATCH OUT for wrong passwords).
    - When you interact with a network resource, Windows will use the credential referred to by the logon session created.
    - Therefore, the Logon Session will not match the identity of the access token.
  • 33. Runas /netonly - HOW? (Diagram: the Original Logon Session and a New Logon Session, each referenced by a TOKEN with User SID, Logon Session ID, Integrity, Groups, ….)
    1. Windows will create a new logon session with the credentials.
    2. It will copy the current user's token and substitute the default logon session for the new one.
    3. The new process will run with this token.
  • 34. …and the fuc**** password prompt?
  • 35. Win32 API – Do it yourself! CreateProcessWithLogonW, CreateProcessAsUser, CreateProcessWithTokenW, LogonUserA, …
    - MSF: exploit/windows/local/run_as, post/windows/manage/run_as, post/windows/manage/run_as_psh
    - Cobalt Strike: MakeToken, RunAs
    - Covenant / SharpSploit: MakeToken
  • 37. Do I have Hashes?
  • 39. PASS-THE-HASH (msv1_0)
    1. New logon session.
    2. Update credential material (hash) in that logon session (ADMIN).
    3. Copy the original token and refer it to the new logon session.
    4. Use this new token.
    5. Runas /netonly but with the hash instead of the password!!
    (Diagram: the Original Logon Session and a New Logon Session With Hash (msv1_0); the duplicated TOKEN keeps User SID, Integrity and Groups but points at the new Logon Session ID.)
    https://docs.microsoft.com/en-us/windows/desktop/secauthn/msv1-0-authentication-package
  • 40. NORMAL vs PASS-THE-HASH (diagram): UserA on HostA presents the password Patatas123 to LSASS (msv1_0) and gets Access; UserB on HostA presents the hash BD35111AB3B0D46129EFBDBAB06B49C4 to LSASS (msv1_0) and gets Access. Benjamin Delpy – "Abusing Microsoft Kerberos. Sorry you guys don't get it" – Blackhat 2014
  • 42. KERBEROS SSP/AP: OverPass-the-hash > Pass-the-Ticket > AskTGT
  • 43. OVERPASS-THE-HASH (Kerberos SSP/AP)
    1. New logon session.
    2. Update credential (hash and/or KEYS) in that logon session (ADMIN).
    3. Copy the original token and refer it to the new logon session.
    4. Use this new token.
    5. Runas /netonly but with the hash instead of the password!!
    (Diagram: as on slide 39, but the New Logon Session With Hash is handled by the Kerberos SSP/AP.)
  • 45. PASS-THE-TICKET (Kerberos SSP/AP)
    1. Obtain (or create) a TGT/TGS ticket somewhere.
    2. Import the ticket through Kerberos APIs.
    3. Profit.
    (Diagram: UserB on HostA imports the ticket into LSASS (Kerberos), which then performs the TGS-REQ/TGS-REP with the DC.) Kerberos LSA API = NO ADMIN. Benjamin Delpy – "Abusing Microsoft Kerberos. Sorry you guys don't get it" – Blackhat 2014
  • 46. ASK-TGT/TGS (Kerberos SSP/AP)
    1. Generate legitimate Kerberos traffic.
    (Diagram: UserB on HostA exchanges AS-REQ/AS-REP and TGS-REQ/TGS-REP directly with the DC and gets Access.) NO LSASS = NO ADMIN.
    https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
  • 50. Creating and manipulating logon sessions with passwords/hashes is nice but… …what if there is already what we need in the system?
  • 51.
    - With privileges, we can manipulate any token in the system!
    - Recall that credentials are tied to logon sessions.
    - Non-Network logon -> Credentials in lsass.exe.
    - Network logon -> No credentials.
    - Logon with no creds means token with no creds. Token with no creds means USELESS TOKEN.
    Luke Jennings – "Security Implications of Windows Access Tokens - A Penetration Tester's Guide"; Jared Atkinson & Robby Winchester – "A Process is No One. Hunting for Token Manipulation" – Blackhat 2017
  • 53. (Diagram: a Logon Session referenced by a Process's TOKEN; DuplicateTokenEx()* copies that TOKEN for a New Process or an Existing Thread.)
    - CreateProcessWithTokenW(): creates a process with the token.
    - ImpersonateLoggedOnUser(): assigns a primary or impersonation token to the calling thread.
    - SetThreadToken(): assigns an impersonation token to a thread.*
  • 55. Injecting into the Token Context
  • 56. (Diagram: a Process whose TOKEN references a Logon Session; the Payload injected into the Process uses that token.)
    - Process Injection (Shellcode, Reflective DLL, …): allocate memory in the remote process; copy program to remote process; create thread to run it.
    - Process Hollowing: unmap the original program; allocate memory and copy program; hijack existing thread to run it.
    - …
  • 59. sc, schtasks, DCOM, WMI, WinRS, Remote registry, Windows Remote Management (WinRM), Special folders, …
  • 61. AGENDA (repeated; next section: DETECTIONS)
  • 62. Techniques seen so far
    - Make Token: we have credential material and we can create a token for the user.
    - Token Impersonation: the user is logged in our system and we can steal its token to apply it in one of our threads (impersonation token).
    - Create Process with Token: the user is logged in our system and we can steal its token to create a new process with it (primary token).
    Jared Atkinson & Robby Winchester – "A Process is No One. Hunting for Token Manipulation" – Blackhat 2017
  • 64. Make Token
    - Creates a new logon session using the specified credentials.
    - The new token will appear to be for the calling user and not the one passed to LogonUser().
    - Local user != network user.
    - There's no "straight" way to know who the network user is.
  • 65.
    - An approach is checking Kerberos TGTs for differences between the "caller" and "called" usernames.
    - These cases are usually related to runas /netonly: a user using their Domain Administrator account, but also attackers using stolen credentials.
  • 69. Token Impersonation
    - Duplicate the Token of another user's process/thread and apply it to one of our threads as an Impersonation Token.
    - The owner of the process (and thus the Primary Token) will be our user.
    - The defender must check all the Primary Tokens (processes) but also all the Impersonation Tokens (threads).
  • 70. .\Get-AccessToken.ps1 | Where-Object {$_.Type -eq 'TokenImpersonation'} | select PrimaryUsername, Username, ProcessName, ProcessId
    https://gist.github.com/jaredcatkinson/17698b39efd72f976a6a846ec3a8eacd
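The two detections from slides 64/65 and 69/70 as one defender-side check, added here as an example and not the deck's or the gist's code. It assumes token records shaped like the Get-AccessToken.ps1 columns above plus the client name a klist lookup would show for the token's logon session (an assumed field); the sample records are constructed.

```python
"""Flag token/logon-session identity mismatches (added example, offline input)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TokenRecord:
    process_name: str
    process_id: int
    token_type: str                 # "TokenPrimary" or "TokenImpersonation"
    primary_username: str           # owner of the process (its primary token)
    username: str                   # identity carried by this token
    logon_type: str                 # "Interactive", "Network", "NewCredentials", ...
    kerberos_client: Optional[str]  # "user @ REALM" from the session's TGT, if any


def short_name(principal: str) -> str:
    """Normalise DOMAIN\\user and user @ REALM spellings to a lowercase user name."""
    if "\\" in principal:
        principal = principal.split("\\", 1)[1]
    if "@" in principal:
        principal = principal.split("@", 1)[0]
    return principal.strip().lower()


def find_suspicious_tokens(records: List[TokenRecord]) -> List[Tuple[str, int, str]]:
    """Return (finding, pid, detail) tuples in input order."""
    findings = []
    for r in records:
        # Slides 69/70: a thread running as someone other than the process owner.
        # Services impersonate their clients legitimately, so baseline those first.
        if (r.token_type == "TokenImpersonation"
                and short_name(r.username) != short_name(r.primary_username)):
            findings.append(("impersonation-mismatch", r.process_id,
                             f"{r.process_name}: thread runs as {r.username}, "
                             f"process owner is {r.primary_username}"))
        # Slides 64/65: the token names one user, the session's TGT names another.
        reasons = []
        if r.logon_type == "NewCredentials":   # LOGON32_LOGON_NEW_CREDENTIALS (runas /netonly)
            reasons.append("NewCredentials logon session")
        if r.kerberos_client and short_name(r.kerberos_client) != short_name(r.username):
            reasons.append(f"TGT client {r.kerberos_client} != token user {r.username}")
        if reasons:
            findings.append(("network-identity-mismatch", r.process_id,
                             f"{r.process_name}: " + "; ".join(reasons)))
    return findings


# Constructed sample, not real telemetry.
SAMPLE = [
    TokenRecord("explorer.exe", 4242, "TokenPrimary", "CORP\\attl4s", "CORP\\attl4s",
                "Interactive", "attl4s @ CORP.LOCAL"),
    TokenRecord("powershell.exe", 5150, "TokenPrimary", "CORP\\attl4s", "CORP\\attl4s",
                "NewCredentials", "da_wint3r @ CORP.LOCAL"),
    TokenRecord("cmd.exe", 6000, "TokenImpersonation", "CORP\\wint3r", "CORP\\da_wint3r",
                "Interactive", "da_wint3r @ CORP.LOCAL"),
    TokenRecord("svchost.exe", 900, "TokenPrimary", "NT AUTHORITY\\SYSTEM",
                "NT AUTHORITY\\SYSTEM", "Service", None),
]

if __name__ == "__main__":
    for kind, pid, detail in find_suspicious_tokens(SAMPLE):
        print(f"[{kind}] pid {pid}: {detail}")
```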