Powershell

Command and Control Using Active Directory

‘Exotic’ command and control (C2) channels always interest me. As defenses start to get more sophisticated, standard channels that have been stealthy before (like DNS) may start to lose their efficacy. I’m always on the lookout for non-obvious, one-way (or ideally two-way) communication methods. This post will cover a proof of concept for an internal C2 approach that uses standard …

Command and Control Using Active Directory Read More »

PowerShell RC4

Every language needs an RC4 implementation. Despite its insecurities, RC4 is widely used due to its simple algorithm and the minimal amount of code it takes to implement it. Some people have even tried to fit implementations into single tweets. It’s commonly used by malware due to its low overhead, and I’m actually shocked that RosettaCode doesn’t have …

PowerShell RC4 Read More »

KeeThief – A Case Study in Attacking KeePass Part 2

Note: this post and code were co-written with my fellow ATD workmate Lee Christensen (@tifkin_) who developed several of the interesting components of the project. The other week I published the “A Case Study in Attacking KeePass” post detailing a few notes on how to operationally “attack” KeePass installations. This generated an unexpected amount of responses, …

KeeThief – A Case Study in Attacking KeePass Part 2 Read More »

Identifying Your Prey

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetGroup  ->  Get-NetGroupMember Get-NetGroups ->  Get-NetGroup [Note: This has been cross posted on the Adaptive Threat Division blog] User hunting is one of my favorite phases of an engagement. Whether it’s performed for lateral spread and escalation, or to …

Identifying Your Prey Read More »

“I Hunt Sys Admins”

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetGroups  ->  Get-NetGroup Get-UserProperties  ->  Get-UserProperty Invoke-UserFieldSearch  ->  Find-UserField Get-NetSessions  ->  Get-NetSession Invoke-StealthUserHunter  ->  Invoke-UserHunter -Stealth Invoke-UserProcessHunter  ->  Invoke-ProcessHunter -Username X Get-NetProcesses  ->  Get-NetProcess Get-UserLogonEvents  ->  Get-UserEvent Invoke-UserEventHunter  ->  Invoke-EventHunter [Note] This post is a companion to the Shmoocon …

“I Hunt Sys Admins” Read More »

Mining a Domain’s Worth of Data With PowerShell

On a red team engagement, our goal usually isn’t access, it’s data. While getting domain admin on a test is a great feeling, what actually matters to us is identifying what a customer is trying to protect and then targeting those crown jewels. Access is obviously a necessary component, but data mining is just as important. Some …

Mining a Domain’s Worth of Data With PowerShell Read More »

Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2

A year ago, @mubix published a cool post on http://carnal0wnage.attackresearch.com/ about “Dumping a domain’s worth of passwords with mimikatz“. In the article, he talked about using a combination of PowerShell, file shares, .bat scripts and output files in order to run Mimikatz across a large number of machines in an enterprise using just WMI. A few …

Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2 Read More »

PowerUp

On a recent assessment we ran into a situation where we needed to escalate privileges on a fairly locked down workstation. Kernel exploits (kitrap0d) wouldn’t work, so we fell back to an old classic, vulnerable windows services. While we couldn’t manipulate services directly, a custom system service purposely left its binary privileges open for compatibility …

PowerUp Read More »