118 matches found
Lateral Movement – Services
Services with elevated privileges typically were used in the past as method of privilege escalation or persistence. However a service could be utilized for lateral… Continue reading - Lateral Movement - Services...
Persistence – Windows Telemetry
Microsoft has introduced the compatibility telemetry in order to collect usage and performance data about Windows systems. The telemetry tasks are collected via the binary… Continue reading - Persistence - Windows Telemetry...
Spyse – A Cyber Security Search Engine
Spyse is a search engine which can be used to identify internet assets and perform external reconnaissance easily. Results are delivered fast. Pentestlab has recently… Continue reading - Spyse - A Cyber Security Search Engine...
Persistence – Notepad++ Plugins
It is not uncommon a windows environment especially dedicated servers which are managed by developers or IT staff to have installed the Notepad++ text editor.… Continue reading - Persistence - Notepad++ Plugins...
SPN Discovery
Services that support Kerberos authentication require to have a Service Principal Name SPN associated to point users to the appropriate resource for connection. Discovery of SPNs inside an internal network is performed via LDAP queries and can assist red teams to identify hosts that are running...
Persistence – Scheduled Task Tampering
Windows Task Scheduler enables windows users and administrators to perform automated tasks at specific time intervals. Scheduled tasks has been commonly abused as a method… Continue reading - Persistence - Scheduled Task Tampering...
AS-REP Roasting
Active Directory users that have the Kerberos pre-authentication enabled and require access to a resource initiate the Kerberos authentication process by sending an Authentication Server… Continue reading - AS-REP Roasting...
Persistence – Event Log Online Help
Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is… Continue reading - Persistence - Event Log Online Help...
Initial Access – search-ms URI Handler
Microsoft search protocol enables clients to initiate connections against an enterprise search service such as SharePoint or WebDav. During these search connections the protocol server… Continue reading - Initial Access - search-ms URI Handler...
Lateral Movement – Visual Studio DTE
A lot of organizations have some sort of application development program and it is highly likely that developers will utilize Visual Studio for their development… Continue reading - Lateral Movement - Visual Studio DTE...
Shadow Credentials
Microsoft has introduced Windows Hello for Business WHfB to replace traditional password based authentication with a key based trust model. This implementation uses PIN or… Continue reading - Shadow Credentials...
Account Persistence – Certificates
It is not uncommon organizations to implement an internal certification authority in order to establish trust between entities users, computers etc. or utilize it for… Continue reading - Account Persistence - Certificates...
Persistence – Service Control Manager
The service control manager SCM is responsible to start and stop services in windows environments including device drivers and start up applications. Microsoft introduced in… Continue reading - Persistence - Service Control Manager...
Persistence – Context Menu
Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click… Continue reading - Persistence - Context Menu...
Persistence – Notepad++ Plugins
It is not uncommon a windows environment especially dedicated servers which are managed by developers or IT staff to have installed the Notepad++ text editor.… Continue reading - Persistence - Notepad++ Plugins...
Domain Persistence – Machine Account
Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation.… Continue reading - Domain Persistence - Machine Account...
Persistence – DLL Proxy Loading
DLL Proxy Loading is a technique which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate… Continue reading - Persistence - DLL Proxy Loading...
Unconstrained Delegation
Microsoft to support scenarios where users authenticate via Kerberos to one system and information needs to be updated on another system implemented unconstrained delegation. This… Continue reading - Unconstrained Delegation...
Persistence – Explorer
Windows File Explorer is the is the graphical file management utility for the Windows operating system and the default desktop environment. Windows explorer was introduced… Continue reading - Persistence - Explorer...
Persistence – Visual Studio Code Extensions
It is not uncommon developers or users responsible to write code i.e. detection engineers using Sigma to utilize Visual Studio Code as their code editor.… Continue reading - Persistence - Visual Studio Code Extensions...
Persistence – Windows Setup Script
When the Windows Operating system is installed via a clean installation or via an upgrade, the Windows Setup binary is executed. The Windows setup allows… Continue reading - Persistence - Windows Setup Script...
Persistence – Event Log
Windows Event logs are the main source of information for defensive security teams to identify threats and for administrators to troubleshoot errors. The logs are… Continue reading - Persistence - Event Log...
Initial Access – search-ms URI Handler
Microsoft search protocol enables clients to initiate connections against an enterprise search service such as SharePoint or WebDav. During these search connections the protocol server… Continue reading - Initial Access - search-ms URI Handler...
DCShadow
The DCShadow is an attack which tries to modify existing data in the Active Directory by using legitimate API's which are used by domain controllers. This technique can be used in a workstation as a post-domain compromise tactic for establishing domain persistence bypassing most SIEM solutions...
Persistence – Windows Setup Script
When the Windows Operating system is installed via a clean installation or via an upgrade, the Windows Setup binary is executed. The Windows setup allows… Continue reading - Persistence - Windows Setup Script...
Persistence – Disk Clean-up
Disk Clean-up is a utility which is part of Windows operating systems and can free up hard drive disk space by deleting mainly cache and… Continue reading - Persistence - Disk Clean-up...
Lateral Movement – Visual Studio DTE
A lot of organizations have some sort of application development program and it is highly likely that developers will utilize Visual Studio for their development… Continue reading - Lateral Movement - Visual Studio DTE...
Shadow Credentials
Microsoft has introduced Windows Hello for Business WHfB to replace traditional password based authentication with a key based trust model. This implementation uses PIN or… Continue reading - Shadow Credentials...
Domain Escalation – sAMAccountName Spoofing
Computer accounts have the $ sign appended at the end of their names in contrast with standard user accounts. By default Microsoft operating systems lack… Continue reading - Domain Escalation - sAMAccountName Spoofing...
Lateral Movement – WebClient
Coercing elevated accounts such as machine accounts to authenticate to a host under the control of an attacker can provide an opportunity for privilege escalation… Continue reading - Lateral Movement - WebClient...
Resource Based Constrained Delegation
Microsoft in an attempt to provide more flexibility to domain users enabled owner of resources to configure which accounts are trusted and allowed to delegate… Continue reading - Resource Based Constrained Delegation...
Remote Potato – From Domain User to Enterprise Admin
NTLM Relaying is an well-known technique that was mainly used in security assessments in order to establish some sort of foothold on a server in… Continue reading - Remote Potato - From Domain User to Enterprise Admin...
Persistence – Explorer
Windows File Explorer is the is the graphical file management utility for the Windows operating system and the default desktop environment. Windows explorer was introduced… Continue reading - Persistence - Explorer...
Persistence – Event Log
Windows Event logs are the main source of information for defensive security teams to identify threats and for administrators to troubleshoot errors. The logs are… Continue reading - Persistence - Event Log...
Persistence – Scheduled Task Tampering
Windows Task Scheduler enables windows users and administrators to perform automated tasks at specific time intervals. Scheduled tasks has been commonly abused as a method… Continue reading - Persistence - Scheduled Task Tampering...
Domain Escalation – Machine Accounts
The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password… Continue reading - Domain Escalation - Machine Accounts...
Domain Escalation – sAMAccountName Spoofing
Computer accounts have the $ sign appended at the end of their names in contrast with standard user accounts. By default Microsoft operating systems lack… Continue reading - Domain Escalation - sAMAccountName Spoofing...
Golden Certificate
Domain persistence techniques enable red teams that have compromised the domain to operate with the highest level of privileges in a large period. One of… Continue reading - Golden Certificate...
PetitPotam – NTLM Relay to AD CS
Deployment of an Active Directory Certificate Services AD CS on a corporate environment could allow system administrators to utilize it for establishing trust between different… Continue reading - PetitPotam - NTLM Relay to AD CS...
Kerberoast
The process of cracking Kerberos service tickets and rewriting them in order to gain access to the targeted service is called Kerberoast. This is very common attack in red team engagements since it doesn't require any interaction with the service as legitimate active directory access can be used ...
Web Browser Stored Credentials
Microsoft introduced Data Protection Application Programming Interface DPAPI in Windows environments as a method to encrypt and decrypt sensitive data such as credentials using the… Continue reading - Web Browser Stored Credentials...
Persistence – Service Control Manager
The service control manager SCM is responsible to start and stop services in windows environments including device drivers and start up applications. Microsoft introduced in… Continue reading - Persistence - Service Control Manager...
Web Browser Stored Credentials
Microsoft introduced Data Protection Application Programming Interface DPAPI in Windows environments as a method to encrypt and decrypt sensitive data such as credentials using the… Continue reading - Web Browser Stored Credentials...
Persistence – Visual Studio Code Extensions
It is not uncommon developers or users responsible to write code i.e. detection engineers using Sigma to utilize Visual Studio Code as their code editor.… Continue reading - Persistence - Visual Studio Code Extensions...
Resource Based Constrained Delegation
Microsoft in an attempt to provide more flexibility to domain users enabled owner of resources to configure which accounts are trusted and allowed to delegate… Continue reading - Resource Based Constrained Delegation...
Domain Escalation – PrintNightmare
Printers are part of every corporate infrastructure therefore Windows environments they have a number of embedded drivers installed. The Print Spooler spoolsv.exe service is responsible… Continue reading - Domain Escalation - PrintNightmare...
PDF – NTLM Hashes
Client side attacks are heavily used in red team engagements as they can allow the red team to execute arbitrary code or retrieve password hashes. Usually Microsoft office products are used to perform these kind of attacks however PDF documents can be also utilized for obtaining NTLM hashes of...
NBNS Spoofing
Netbios Name Service NBT-NS is used in Windows networks for communication between hosts. Systems will use this service when resolving names over LHOSTS and DNS fail. Abusing this service to perform a Man-in-the-middle attack is a common tactic that has been widely used by penetration testers and...
Persistence – DLL Proxy Loading
DLL Proxy Loading is a technique which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate… Continue reading - Persistence - DLL Proxy Loading...
Domain Escalation – Backup Operator
The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically,… Continue reading - Domain Escalation - Backup Operator...