Domain Escalation – Backup Operator

The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically,… Continue reading - Domain Escalation - Backup Operator...

Persistence – Windows Telemetry

Microsoft has introduced the compatibility telemetry in order to collect usage and performance data about Windows systems. The telemetry tasks are collected via the binary… Continue reading - Persistence - Windows Telemetry...

Persistence – Context Menu

Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click… Continue reading - Persistence - Context Menu...

Unconstrained Delegation

Microsoft to support scenarios where users authenticate via Kerberos to one system and information needs to be updated on another system implemented unconstrained delegation. This… Continue reading - Unconstrained Delegation...

Domain Persistence – AdminSDHolder

Utilizing existing Microsoft features for offensive operations is very common during red team assessments as it provides the opportunity to blend in with the environment… Continue reading - Domain Persistence - AdminSDHolder...

Domain Persistence – AdminSDHolder

Utilizing existing Microsoft features for offensive operations is very common during red team assessments as it provides the opportunity to blend in with the environment… Continue reading - Domain Persistence - AdminSDHolder...

HiveNightmare

The security account manager SAM file contains the password hashes of the users on a Windows system. Since it is considered a sensitive file SYSTEM… Continue reading - HiveNightmare...

AS-REP Roasting

Active Directory users that have the Kerberos pre-authentication enabled and require access to a resource initiate the Kerberos authentication process by sending an Authentication Server… Continue reading - AS-REP Roasting...

Persistence – Disk Clean-up

Disk Clean-up is a utility which is part of Windows operating systems and can free up hard drive disk space by deleting mainly cache and… Continue reading - Persistence - Disk Clean-up...

PlexTrac – A Platform for Purple Teaming

PlexTrac is a platform which can be used by internal security teams or consultancies to conduct purple team assessments but it can be used also… Continue reading - PlexTrac - A Platform for Purple Teaming...

Persistence – Event Log Online Help

Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is… Continue reading - Persistence - Event Log Online Help...

Domain Escalation – Machine Accounts

The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password… Continue reading - Domain Escalation - Machine Accounts...

Dumping RDP Credentials

Administrators typically use Remote Desktop Protocol RDP in order to manage Windows environments remotely. It is also typical RDP to be enabled in systems that… Continue reading - Dumping RDP Credentials...

Golden Certificate

Domain persistence techniques enable red teams that have compromised the domain to operate with the highest level of privileges in a large period. One of… Continue reading - Golden Certificate...

Account Persistence – Certificates

It is not uncommon organizations to implement an internal certification authority in order to establish trust between entities users, computers etc. or utilize it for… Continue reading - Account Persistence - Certificates...

Situational Awareness

A common step in the life-cycle of a red team engagement is to gather as much information is possible for the compromised environments and the domain network. This activity is often called situational awareness and there is no defined list of commands that a red teamer should execute. However all...

Universal Privilege Escalation and Persistence – Printer

The Print Spooler is responsible to manage and process printer jobs. It runs as a service with SYSTEM level privileges on windows environments. Abuse of… Continue reading - Universal Privilege Escalation and Persistence - Printer...

Command and Control – Browser

Red Teams are always focused in the discovery of innovative ways to establish connections back to their command and control infrastructure. The main reasons that leads red teams to use standard protocols or native system functionality for command and control operations is to bypass some sort of...