Persistence – Screensaver
Screensavers are part of Windows functionality and enable users to display a screen message or a graphic animation after a period of inactivity. This Windows feature is known to be abused by threat actors as a method of persistence, because screensavers are executable files that have th...
Dumping RDP Credentials
Administrators typically use the Remote Desktop Protocol (RDP) to manage Windows environments remotely. It is also typical for RDP to be enabled on systems that…
Persistence – Shortcut Modification
Windows shortcuts contain a reference to software installed on the system or to a file location (network or local). Since the early days of malware, shortcuts have been used as a method of executing malicious code for persistence. The file extension of a shortcut is .LNK and gives a number of...
Microsoft Exchange – Domain Escalation
Microsoft Exchange servers are a highly valuable target for red teams as they are the main entry point for the majority of external attacks. From the internal perspective, if an initial foothold in the network has already been achieved, they can allow a user to obtain privileges that would allow him ...
Persistence – Port Monitors
The print spooler service is responsible for managing print jobs in Windows operating systems. Interaction with the service is performed through the Print Spooler API, which contains a function, AddMonitor, that can be used to install local port monitors and connects the configuration, data and...
Persistence – New Service
Services in a Windows environment can lead to privilege escalation if they are not configured properly, or can be used as a persistence method. Creating a new service requires Administrator-level privileges and it is not considered the stealthiest of persistence techniques. However, in red team...
Microsoft Exchange – NTLM Relay
Gaining access to the mailbox of a user during a penetration test or a red team engagement can lead to arbitrary code execution, discovery of sensitive data such as credentials, or internal phishing to expand access across the network. Typically, access to the mailbox is achieved via...
Persistence – AMSI
AMSI (Antimalware Scan Interface) is a vendor-agnostic interface which can communicate with the endpoint in order to prevent execution of malware. The scan performed…
Lateral Movement – WebClient
Coercing elevated accounts such as machine accounts to authenticate to a host under the control of an attacker can provide an opportunity for privilege escalation…
Domain Escalation – PrintNightmare
Printers are part of every corporate infrastructure; therefore, Windows environments have a number of embedded printer drivers installed. The Print Spooler (spoolsv.exe) service is responsible…
Dumping Domain Password Hashes
It is very common during penetration tests, once domain administrator access has been achieved, to extract the password hashes of all domain users for offline cracking and analysis. These hashes are stored in a database file on the domain controller (NTDS.DIT) with some additional information li...
Persistence – Accessibility Features
The accessibility features provide additional options (on-screen keyboard, magnifier, screen reader, etc.) that help people with disabilities use Windows operating systems more easily. However, this functionality can be abused to achieve persistence on a host where RDP is enabled and...
Persistence – Registry Run Keys
Getting an initial foothold inside a network during a red team operation is a time-consuming task. Therefore, persistence is key to a successful red team operation, as it will enable the team to focus on the objectives of the engagement without losing communication with the command and control...
Microsoft Exchange – Mailbox Post Compromise
Gaining access to the mailbox of a domain user gives the opportunity for a number of activities that could potentially expand the access of the red team. The trust relationships of the compromised user can be utilised to perform a more efficient phishing or NTLM relay attack in order to gain access ...
Lateral Movement – RDP
The Remote Desktop Protocol (RDP) is widely used across internal networks by administrators, allowing system owners and admins to manage Windows environments remotely. However, RDP can give an attacker various opportunities to conduct attacks that can be used for lateral movement in red team...
Microsoft Exchange – ACL
During Microsoft Exchange installation, a number of Exchange-related security groups are created in Active Directory. Some of these groups are linked to each other and could allow domain escalation via abuse of access control lists. Specifically, user accounts that are members of Organisati...
Persistence – WMI Event Subscription
Windows Management Instrumentation (WMI) enables system administrators to perform tasks locally and remotely. From the perspective of red teaming, WMI can be used to perform…
Persistence – Winlogon Helper DLL
Winlogon is a Windows component which handles various activities such as logon, logoff, loading the user profile during authentication, shutdown, lock screen, etc. This behavior is managed by the registry, which defines which processes to start during Windows logon. From a red team...
Phishing Windows Credentials
It is very common in Windows environments for executed programs to require the user to enter his domain credentials for authentication, like Outlook,…
Persistence – Image File Execution Options Injection
Image File Execution Options is a Windows registry key which enables developers to attach a debugger to an application and to enable "GlobalFlag" for application debugging. This Windows behavior opens the door for persistence, since an arbitrary executable can be used as the debugger of a specifi...
HiveNightmare
The Security Account Manager (SAM) file contains the password hashes of the users on a Windows system. Since it is considered a sensitive file, SYSTEM…
Remote Potato – From Domain User to Enterprise Admin
NTLM relaying is a well-known technique that was mainly used in security assessments in order to establish some sort of foothold on a server in…
Credential Access – Password Filter DLL
Microsoft introduced password filters as a method for system administrators to enforce password policies and password change notification. Filters are used to validate new passwords…
Persistence – WaitFor
Waitfor is a Microsoft binary which is typically used to synchronize computers across a network by sending signals. This communication mechanism can be used in…
Microsoft Exchange – Code Execution
Gaining access to the mailbox of a domain user can lead to execution of arbitrary code by utilising the credentials that have been discovered. Various techniques have been discovered by Nick Landers and Etienne Stalmans that involve the abuse of common Outlook functionality in order to execute...
Parent PID Spoofing
Monitoring the relationships between parent and child processes is a very common technique for threat hunting teams to detect malicious activities. For example, if PowerShell is…
Persistence – Office Application Startup
Microsoft Office is the most popular product on Windows operating systems since it allows users to write and edit documents, create and present slides, gather notes, send emails and perform calculations. Corporate laptops and workstations have Microsoft Office installed by default to allow...
Persistence – BITS Jobs
Windows operating systems contain various utilities which can be used by system administrators to perform various tasks. One of these utilities is the Background Intelligent Transfer Service (BITS), which provides file transfer capability to web servers (HTTP) and shared folders (SMB). Microsoft...
AppLocker Bypass – CMSTP
CMSTP is a binary which is associated with the Microsoft Connection Manager Profile Installer. It accepts INF files which can be weaponised with malicious commands in order to execute arbitrary code in the form of scriptlets (SCT) and DLLs. It is a trusted Microsoft binary located in the...
Persistence – Scheduled Tasks
Windows operating systems provide a utility, schtasks.exe, which enables system administrators to execute a program or a script at a specific date and time. This behavior has been heavily abused by threat actors and red teams as a persistence mechanism. Administrator privileges are no...
Persistence – COM Hijacking
Microsoft introduced the Component Object Model (COM) in Windows 3.11 as a method to implement objects that could be used by different frameworks: ActiveX, COM+, DCOM…
Persistence – Time Providers
Windows operating systems utilize the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented as DLL files which reside in the System32 folder. The W32Time service initiates during the...
Persistence – DLL Hijacking
When a program starts, a number of DLLs are loaded into the memory space of its process. Windows searches for the DLLs that are…
Universal Privilege Escalation and Persistence – Printer
The Print Spooler is responsible for managing and processing printer jobs. It runs as a service with SYSTEM-level privileges in Windows environments. Abuse of…
Persistence – Change Default File Association
In Windows environments, every file extension is associated with a default program. This allows Windows to identify which program needs to be used in order to open a specific file. The association of extensions with programs is handled through the registry. However, it is possible to hijack...
Persistence – Security Support Provider
Security Support Provider (SSP) is a Windows API which is used to extend the Windows authentication mechanism. The LSASS process loads the security support provider DLLs during Windows startup. This behavior allows a red team operator to either drop an arbitrary SSP DLL in order to interact...
PetitPotam – NTLM Relay to AD CS
Deployment of Active Directory Certificate Services (AD CS) in a corporate environment could allow system administrators to use it for establishing trust between different…
Persistence – Modify Existing Service
It is not uncommon for APT groups to modify an existing service on the compromised host in order to execute an arbitrary payload when the…
Persistence – PowerShell Profile
A PowerShell profile is a PowerShell script which enables system administrators and users to customize their environment and to execute specific commands when a PowerShell session starts. It is similar to the logon scripts that are used heavily by administrators to map network drives and printers fo...
Lateral Movement – WinRM
WinRM stands for Windows Remote Management and is a service that allows administrators to perform management tasks on systems remotely. Communication is performed via HTTP (port 5985) or HTTPS (port 5986) using SOAP, and it supports Kerberos and NTLM authentication by default, as well as Basic authentication. Usage of this servi...
Persistence – AppInit DLLs
Windows operating systems provide the functionality to allow custom DLLs to be loaded into the address space of almost all application processes. This can give the opportunity for persistence, since an arbitrary DLL can be loaded that will execute code when application processes are created on t...
Persistence – Netsh Helper DLL
Netsh is a Windows utility which can be used by administrators to perform tasks related to the network configuration of a system and to modify the host-based Windows firewall. Netsh functionality can be extended with DLL files. This capability enables red teams to use...
PlexTrac – A Platform for Purple Teaming
PlexTrac is a platform which can be used by internal security teams or consultancies to conduct purple team assessments, but it can also be used…
Microsoft Exchange – Privilege Escalation
Harvesting the credentials of a domain user during a red team operation can lead to execution of arbitrary code, persistence and domain escalation. However, information stored in emails can be highly sensitive for an organisation, and therefore the focus of threat actors can be to exfiltrate dat...
Persistence – Application Shimming
In order to resolve the problem of legacy applications that are not compatible with newer Windows operating systems, Microsoft released the Application Compatibility Toolkit (ACT). This software enables system administrators and developers to create fix packages for installed applications. The...
Indirect Command Execution
The Windows ecosystem provides multiple binaries that could be used by adversaries to execute arbitrary commands that evade detection, especially in environments that are…
Domain Persistence – Machine Account
Machine accounts play a role in red team operations, as they are utilized in a number of techniques for privilege escalation, lateral movement and domain escalation.…
Microsoft Exchange – Password Spraying
Outlook Web Access (OWA) portals are typically externally facing in order to allow users to access their emails from the Internet. This gives threat actors the opportunity to use a common password against a valid list of usernames (password spraying) in order to get some initial access to t...
Persistence – RID Hijacking
Windows operating systems use the RID (Relative Identifier) to differentiate groups and user accounts. It is part of the Security Identifier (SID), and every time…