Resource Based Constrained Delegation
Microsoft, in an attempt to provide more flexibility to domain users, enabled owners of resources to configure which accounts are trusted and allowed to delegate…
PetitPotam – NTLM Relay to AD CS
Deployment of Active Directory Certificate Services (AD CS) in a corporate environment could allow system administrators to utilize it for establishing trust between different…
Account Persistence – Certificates
It is not uncommon for organizations to implement an internal certification authority in order to establish trust between entities (users, computers etc.) or utilize it for…
Domain Escalation – PrintNightmare
Printers are part of every corporate infrastructure; therefore Windows environments have a number of embedded printer drivers installed. The Print Spooler service (spoolsv.exe) is responsible…
HiveNightmare
The Security Account Manager (SAM) file contains the password hashes of the users on a Windows system. Since it is considered a sensitive file, SYSTEM…
Universal Privilege Escalation and Persistence – Printer
The Print Spooler is responsible for managing and processing printer jobs. It runs as a service with SYSTEM-level privileges in Windows environments. Abuse of…
Dumping RDP Credentials
Administrators typically use the Remote Desktop Protocol (RDP) in order to manage Windows environments remotely. It is also typical for RDP to be enabled on systems that…
Persistence – AMSI
AMSI (Antimalware Scan Interface) is a vendor-agnostic interface which can communicate with the endpoint in order to prevent execution of malware. The scan performed…
Remote Potato – From Domain User to Enterprise Admin
NTLM relaying is a well-known technique that was mainly used in security assessments in order to establish some sort of foothold on a server in…
PlexTrac – A Platform for Purple Teaming
PlexTrac is a platform which can be used by internal security teams or consultancies to conduct purple team assessments, but it can also be used…
Lateral Movement – Services
Services with elevated privileges were typically used in the past as a method of privilege escalation or persistence. However, a service could also be utilized for lateral…
Indirect Command Execution
The Windows ecosystem provides multiple binaries that could be used by adversaries to execute arbitrary commands that will evade detection, especially in environments that are…
Spyse – A Cyber Security Search Engine
Spyse is a search engine which can be used to identify internet assets and perform external reconnaissance easily. Results are delivered fast. Pentestlab has recently…
Persistence – COM Hijacking
Microsoft introduced the Component Object Model (COM) in Windows 3.11 as a method to implement objects that could be used by different frameworks (ActiveX, COM+, DCOM)…
Persistence – DLL Hijacking
When a program starts, a number of DLLs are loaded into the memory space of its process. Windows searches for the DLLs that are…
Phishing Windows Credentials
It is very common in Windows environments for programs, when executed, to require the user to enter his domain credentials for authentication, such as Outlook,…
Parent PID Spoofing
Monitoring the relationships between parent and child processes is a very common technique for threat hunting teams to detect malicious activity. For example, if PowerShell is…
Persistence – RID Hijacking
Windows operating systems use the RID (Relative Identifier) to differentiate groups and user accounts. It is part of the Security Identifier (SID), and every time…
Credential Access – Password Filter DLL
Microsoft has introduced password filters as a method for system administrators to enforce password policies and change notifications. Filters are used to validate new passwords…
Persistence – WaitFor
Waitfor is a Microsoft binary which is typically used to synchronize computers across a network by sending signals. This communication mechanism can be used in…
Persistence – Modify Existing Service
It is not uncommon for APT groups to modify an existing service on the compromised host in order to execute an arbitrary payload when the…
Persistence – WMI Event Subscription
Windows Management Instrumentation (WMI) enables system administrators to perform tasks locally and remotely. From the perspective of red teaming, WMI can be used to perform…
Persistence – Winlogon Helper DLL
Winlogon is a Windows component which handles various activities such as logon, logoff, loading the user profile during authentication, shutdown, the lock screen etc. This kind of behavior is managed by the registry, which defines which processes to start during Windows logon. From a red team...
Persistence – Image File Execution Options Injection
Image File Execution Options is a Windows registry key which enables developers to attach a debugger to an application and to enable "GlobalFlag" for application debugging. This behavior of Windows opens the door for persistence since an arbitrary executable can be used as a debugger of a specifi...
Persistence – AppInit DLLs
Windows operating systems provide the functionality to allow custom DLLs to be loaded into the address space of almost all application processes. This gives an opportunity for persistence since an arbitrary DLL can be loaded that will execute code when application processes are created on t...
Persistence – Change Default File Association
In Windows environments every file extension is associated with a default program. This allows Windows to identify which program needs to be used in order to open a specific file. The associations of extensions with programs are handled through the registry. However, it is possible to hijack...
Persistence – Application Shimming
Microsoft, in order to resolve the problem of legacy applications that are not compatible with newer Windows operating systems, released the Application Compatibility Toolkit (ACT). This software enables system administrators and developers to create fix packages for installed applications. The...
Persistence – Office Application Startup
Microsoft Office is the most popular product on Windows operating systems since it allows users to write and edit documents, create and present slides, gather notes, send emails and perform calculations. Corporate laptops and workstations have Microsoft Office installed by default to allow...
Persistence – Accessibility Features
The accessibility features provide additional options (on-screen keyboard, magnifier, screen reader etc.) that could assist people with disabilities to use Windows operating systems more easily. However, this functionality can be abused to achieve persistence on a host where RDP is enabled and...
Persistence – PowerShell Profile
A PowerShell profile is a PowerShell script which enables system administrators and users to customize their environment and to execute specific commands when a PowerShell session initiates. It is similar to logon scripts, which are used heavily by administrators to map network drives and printers fo...
Persistence – Scheduled Tasks
Windows operating systems provide a utility, schtasks.exe, which enables system administrators to execute a program or a script at a specific date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism. Administrator privileges are no...
Persistence – BITS Jobs
Windows operating systems contain various utilities which can be used by system administrators to perform various tasks. One of these utilities is the Background Intelligent Transfer Service (BITS), which can facilitate file transfers to and from web servers (HTTP) and shared folders (SMB). Microsoft...
Persistence – Netsh Helper DLL
Netsh is a Windows utility which can be used by administrators to perform tasks related to the network configuration of a system and to modify the host-based Windows firewall. Netsh functionality can be extended through the use of DLL files. This capability enables red teams to use...
Persistence – Port Monitors
The print spooler service is responsible for managing print jobs in Windows operating systems. Interaction with the service is performed through the Print Spooler API, which contains a function, AddMonitor, that can be used to install local port monitors and connects the configuration, data and...
Persistence – Time Providers
Windows operating systems utilize the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The W32Time service initiates during the...
Persistence – Security Support Provider
Security Support Provider (SSP) is a Windows API which is used to extend the Windows authentication mechanism. The LSASS process loads the security support provider DLLs during Windows startup. This behavior allows a red team operator to either drop an arbitrary SSP DLL in order to interact...
Persistence – Screensaver
Screensavers are part of Windows functionality and enable users to display a screen message or a graphic animation after a period of inactivity. This feature of Windows is known to be abused by threat actors as a method of persistence. This is because screensavers are executable files that have th...
Persistence – Shortcut Modification
Windows shortcuts contain a reference to software installed on the system or to a file location (network or local). Since the early days of malware, shortcuts have been used as a method of executing malicious code for persistence. The file extension of a shortcut is .LNK and gives a number of...
Persistence – New Service
Services in a Windows environment can lead to privilege escalation if they are not configured properly, or they can be used as a persistence method. Creating a new service requires Administrator-level privileges and it is not considered the stealthiest of persistence techniques. However, in red team...
Persistence – Registry Run Keys
Getting an initial foothold inside a network during a red team operation is a time-consuming task. Therefore persistence is key to a successful red team operation, as it will enable the team to focus on the objectives of the engagement without losing communication with the command and control...