SlideShare a Scribd company logo

Passing the Torch: Old School Red Teaming Tactics Meet New School Techniques

Download as PPTX, PDF
Will Schroeder
Will Schroeder

This document discusses tactics for red team operations on Windows networks. It begins by covering techniques for gaining initial access and situational awareness, such as using PowerShell commands to enumerate users, computers, and network information. It then discusses abusing domain trust relationships and using PowerView to operate across trusts. Escalation techniques like PowerUp for privilege escalation and Mimikatz for token manipulation are also covered. The document discusses persistence methods like Golden Tickets and WMI. It finally covers techniques for locating and accessing file shares to retrieve sensitive information, using PowerView commands. The overall message is that while tactics remain the same, tools and implementations are continually evolving to facilitate red team operations.

Technology
1 of 56
Passing the Torch: Old School Red Teaming, New School Tactics? Dave McGuire, Will Schroeder Veris Group’s Adaptive Threat Division
@davidpmcguire ● Director of Veris Groups’ Adaptive Threat Division o Penetration Testing o Red Teaming o Threat Replication ● Former technical lead of NSA Red Team ● Developer of Adaptive Penetration Testing and Adaptive Red Team Tactics BlackHat training classes
@harmj0y ● Chief security researcher and red teamer for Veris Group’s Adaptive Threat Division ● Co-founder of the Veil-Framework #avlol o www.veil-framework.com o Shmoocon ‘14: AV Evasion with the Veil Framework o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0 o co-wrote Veil-Evasion, wrote Veil-Catapult, Veil- Pillage, PowerView, and PowerUp ● Active Cortana and PowerShell hacker
tl;dr ● Pentesting vs. Red Teaming ● Red Teaming vs Red Team Operations ● Tactic 1: Situational Awareness ● Tactic 2: Domain Trusts ● Tactic 3: Escalation and Pivoting ● Tactic 4: Persistence ● Tactic 5: Files Files Files ● Demo: FIGHT!
Pentesting ● Definition ranges anywhere from a single person running a (slightly)-glorified vuln scan, to a full on multi-person assault for several weeks ● Reasonable Balance: breadth vs. depth, find as many holes as you can and see how far you can get in a limited timeframe
Red Teaming vs. Red Team Operations ● Red teaming means different things to different people ● Some focus on physical ops, some focus on in-depth social engineering, some focus on custom exploit dev, some focus on pure network based operations, etc. ● Common thread of increased time frame and more permissive scope
Red Teaming Operations ● An operation organized to emulate a potential adversary’s exploitation or attack effectiveness against a targeted mission or capability ● Military concept of adversarial thinking that evolved into adversary emulation ● General idea: simulate an “advanced” attacker
Our Take ● We focus on operational risk posed by advanced attackers ● From our perspective, red team operations primarily involve analysis and actions that happen after the initial access ● A vast majority of corporate deployments in the US consist of Windows environments, so that’s where we focus
Cyber Kill-Chain :) Identify points that affect business impact Datamine for Sensitive Information Establish Persistence Acquire Domain/Network Administrative Privileges Identify Further Exploit Points Escalate Privileges Gain Situational Awareness Gain Access
Bridging the Gap ● Red Teaming is historically defined by: o The use of specialized toolsets o Expanded timeframe o Large team size o Lots of $$$ ● Our interpretation is really more about emulation of techniques, independent of toolsets o Newer tools provide many previously specialized capabilities
Nothing New? ● These techniques are public but lesser known ● Admins need to admin, users wanna use o Always going to be a way to abuse ‘normal’ functionality for unintended purposes ● Everything here is possible through multiple means o VBscript, PowerShell, C/WinAPI or native/CLI o Good to have alternative ways to accomplish the same goal
Tactic 1 Situational Awareness
Landing on the Beachhead
Landing on the Beachhead ● Orient yourself after the initial compromise ● Gain situational awareness to plan your next attack steps ● Nothing revolutionary here: o the more information you can gather, the better you can map out your next phase o and active directory is a gold mine of information
Old School: Users/Network Info ● Groups/users in the domain: o net users /domain o net group /domain o net group “Domain Admins” /domain ● Computers in the domain: o net view /domain:<domain name> ● Information about a host o net view <hostname> o srvinfo <hostname> o sc <hostname> o nbtstat -A <hostname>
Old School: User Hunting ● Find where high value users are logged in ● Find user fileservers: 1. net use a. look for mapped drives 2. net user <username> /domain a. extract “Home Directory” server 3. ...repeat for all users :( ● Check the sessions, match against target users: o NetSess.exe SERVER
New School ● Rob Fuller (@mubix’s) netview.exe project, presented at Derbycon 2012, is a tool to “enumerate systems using WinAPI calls” ● Finds all machines on the network, enumerates shares, sessions, and logged in users for each host o And now can check share access, highlight high value users, and use a delay/jitter :)
New(est) School: PowerShell ● PowerShell has some great AD hooks and access to the Windows API as well ● PowerView implements a ton of this functionality without having to remember all the syntax ● Full replacement for “net *” commands, as well as a full netview.exe implementation, Invoke-Netview
New(est) School: PowerShell ● Invoke-UserHunter o queries AD for all machines o queries for a target user group (“Domain Admins”) o uses the same API calls as netview.exe to enumerate sessions and logged in users, matching against the target user list ● Invoke-StealthUserHunter o queries AD for all users, extracts all home directories o queries for a target user group o runs the equivalent to “net session” against each file server, matching against target user list
Tactic 2 Domain Trusts
Domain Trusts
Windows Domain Trusts 101 ● Trusts allow separate domains/directories to form inter-domain relationships ● A trust simply allows for the possibility of access between domains o Administrators must go the extra mile and actually enable access ● Trusts can be a method for an attacker to jump from one network to another
Domain Trusts 101 ● Trusts come in 3 varieties o One way - Only one domain trusts the other o Two way - Both domains trust each other o Transitive - Domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C ● Each domain in a forest has a two-way transitive trust with both its parent and each of its children ● More information: o http://www.harmj0y.net/blog/redteaming/trusts-you- might-have-missed/
So What? ● Why does this matter? ● Red teams often compromise accounts/machines in a domain trusted by their actual target o Allows operators to exploit these existing trust relationships to achieve their end goal ● And Enterprise Admin = pwnership over everything below
Old School: nltest ● Some Microsoft administrative tools can give you lots of interesting information concerning domain trusts: o nltest /domain_trusts - identify all current domain trusts o nltest /dcname:<domain name> - identify primary domain controller for a target domain ● Other tools grant some of this functionality as well: o netdom to verify two-way trusts o dsquery/dsget to enumerate additional information
Old School: dsquery/dsget ● Retrieve users from a specific domain: o dsquery user “cn=users,dc=dev,dc=test,dc=local” ● Grab “Domain Admins” for a specific domain: o dsget group "cn=Domain Admins,cn=users,dc=dev,dc=test,dc=local" - members ● See what groups a user is a member of: o dsget user "cn=john,cn=users,dc=dev,dc=test,dc=local" - memberof
New School: Trusts and PowerShell ● Of course you can do this (and with greater ease) using PowerShell: o ([System.DirectoryServices.ActiveDirecto ry.Forest]::GetCurrentForest()).Domains o ([System.DirectoryServices.ActiveDirecto ry.Domain]::GetCurrentDomain()).GetAllTr ustRelationships() ● PowerShell AD functionality can easily operate on domains to which there's an existing trust o finding domain controllers, querying users, enumerating domain groups, etc.
New(est) School: PowerView ● Domain/forest trust relationships can be enumerated through several PowerView functions: o Get-NetForest: information about the current domain forest o Get-NetForestTrusts: grab all forest trusts o Get-NetForestDomains: enumerate all domains in the current forest o Get-NetDomainTrusts: find all current domain trusts, á la nltest
New(est) School: PowerView ● If a trust exists, most functions in PowerView can accept a “-Domain <name>” flag to operate across a trust: o Get-NetDomainControllers o Get-NetUser/Get-NetUsers o Get-NetComputers/Get-NetFileServers o Get-NetGroup/Get-NetGroups o Invoke-UserFieldSearch o Invoke-Netview o Invoke-UserHunter, etc.
Tactic 3 Escalation and Pivoting
Escalation and Pivoting
Moving Beyond the Beachhead ● Now that you’ve mapped out the network, active directory structure and trust relationships, time to see what mischief you can cause ● First step often involves escalating to SYSTEM on your target ● Then grab tokens/passwords/etc. and start your lateral movement
Old School: Escalation ● One of the most effective escalation vectors was (and still is) vulnerable Windows services ● Specifically, many organizations overlook the permissions for service binaries :) ● After gaining SYSTEM on a box, makes it a lot easier to snarf up all active user tokens o File servers are great places to look
Old School: Tokens ● Impersonation tokens o for “non-interactive” logons, i.e. drive mapping o allows a process/thread to carry out actions as the identified user on the current system ● Delegation tokens o for “interactive” logons (we want these!!) o allows a process/thread to carry out actions as the identified user on remote systems ● Impersonate/steal tokens with your agent of choice o Can also just migrate to a user-owned process!
New School: Escalation ● PowerUp: a PowerShell tool to automate the discovery and abuse of Windows privilege escalation vectors. Checks for: o vulnerable services o service binaries o unquoted paths o AlwaysInstallElevated, and more ● Invoke-AllChecks will run all current checks, and will tell you what function will abuse whatever vulns are found
New School: Token Manipulation ● PowerSploit / Exfiltration / Invoke- TokenManipulation.ps1 ● Equivalent to Incognito’s functionality, but purely in PowerShell ● Allows you to enumerate tokens, steal/impersonate what you find, create processes, etc.
New School: Mimikatz FTW ● If you don’t know what Mimikatz is, shame on you! ● Even better, the PowerSploit guys integrated everything into PowerShell ● Invoke-Mimikatz.ps1 lets you dump credentials, play with kerberos tickets, and more
Tactic 4 Persistence
Persistence
Keeping the Door Open ● You don’t want to have to regain access for each new engagement o Attackers don’t leave, why should you o Long term assessments require stable access ● Two main approaches: o local machine level persistence o domain level persistence ● Credentials are always a great persistence method
Old School ● Keep a low and slow C2 agent running on the machine o In case of reboot, drop an obfuscated binary to disk ● Try to stay off of main servers o Find privileged users with access to those servers, then target their workstations ● Dump domain hashes o Pay attention to privileged accounts with an infrequent password change policy
● For low-and-slow agent persistence, a few specialized tools are available: o Cobalt Strike’s Beacon o Immunity’s Innuendo o Silentbreak’s Throwback ● For on-disk local persistence, some (newer?) techniques: o schtasks + PowerShell through a one-liner o permanent WMI + PowerShell through PowerSploit o obfuscated binary + SC New School: Local Persistence
New(est) School: Domain Persistence ● There’s nothing better than...
The Golden Ticket ● If you can knock over a domain controller and grab the krbtgt hash, you can forge your own kerberos tickets o For any user. And put them in any group. For as long as that hash isn't changed. Which isn't often. o Think years. ● Long story short: if you can pwn a domain once, you can pwn it for a LONG time ● Go see Chris’ “Et tu – Kerberos?” at 6pm!
A LOOONNNGGG Time
Tactic 5 Files Files Files
Files on Files
Files on Files ● The end goal isn’t domain admin, the end goal is data ● Even when you don’t own everything, every organization has file shares with improper access controls ● Goal: o Locate and triage every single file we can access over the network (hunt for sensitive data) o Gain sensitive information (potentially for escalation), choose possible files to trojanize
Old School: Finding Shares ● Finding shares manually: o net view /domain:<domain name> o net view <hostname> ● Make new people triage every network share and file found o Great morale booster :) ● Once readable shares are located, triage the possible thousands to millions of files on remote servers o New people like doing this :)
Old School: Finding Files ● Nothing more old school that straight recursive directory listings with dir /s o dir /s <hostname>SHARE > listing.txt o dir /s /Q /O:-D /T:A <hostname>SHARE > listing.txt ● Then grep file listings for sensitive names, as well as office docs/.exe’s that have been recently accessed :)
New School: Finding Shares ● Search for open shares and sensitive files with PowerShell and PowerView ● Invoke-ShareFinder -CheckAccess will: o Find all machines on the network o Enumerate all shares on each machine o Check if the current user has read access to any found shares ● Spits out a “HOSTSHARE - comment” list of all shares on the network you can read
New School: Finding Files ● Once you have shares, PowerShell helps you triage for files, nicely sortable: o PS> get-childitem MACHINEPATH -rec - ErrorAction SilentlyContinue | where {!$_.PSIsContainer} | select-object FullName,@{Name='Owner';Expression={(Ge t-Acl $_.FullName).Owner}}, LastAccessTime, LastWriteTime, Length | export-csv -notypeinformation -path files.csv ● The -include @(‘*term*’) argument lets you find files by wildcard terms
New School: Targeted Trojanation ● Invoke-SearchFiles and Invoke-FileFinder both accept the “-FreshEXEs” flag o this will find .exe’s accessed within the last week ● We can then use Joshua Pitts’ The Backdoor Factory to easily trojanate these binaries ● Then can use PowerView’s Invoke- CopyFile to copy the trojanated file in, matching MAC attributes
Demo
Recap ● Newer tools and techniques can greatly facilitate red team engagements ● Always have a backup plan- if one implementation fails, you always need to have options ● Moral of the story: the underlying tactics rarely change, but the specific implementations often do
Questions? ● Offensive PowerShell blogs: o http://obscuresecurity.blogspot.com/ o http://www.exploit-monday.com/ o http://www.darkoperator.com/blog/ o http://blog.harmj0y.net ● Offensive PowerShell Toolsets: o PowerSploit:  https://github.com/mattifestation/PowerSploit/ o PowerView:  https://github.com/veil-framework/Veil-PowerView o PowerUp:  https://github.com/HarmJ0y/PowerUp

Recommended

I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
 

Recommended

I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys AdminsWill Schroeder
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 

More Related Content

What's hot

(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 

What's hot (20)

(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 

Viewers also liked

PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with PythonWill Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conWill Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
IoT Device Management using open standards end-to-end
IoT Device Management using open standards end-to-endIoT Device Management using open standards end-to-end
IoT Device Management using open standards end-to-endPilgrim Beart
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply ChainOllie Whitehouse
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have MissedWill Schroeder
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity AssessmentClaude Baudoin
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MoreCTruncer
 

Viewers also liked (20)

PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
IoT Device Management using open standards end-to-end
IoT Device Management using open standards end-to-endIoT Device Management using open standards end-to-end
IoT Device Management using open standards end-to-end
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply Chain
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity Assessment
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and More
 

Similar to Passing the Torch: Old School Red Teaming Tactics Meet New School Techniques

Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamersjasonjfrank
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraftenigma0x3
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Is DevOps Braking Your Company?
Is DevOps Braking Your Company?Is DevOps Braking Your Company?
Is DevOps Braking Your Company?conjur_inc
 
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - Panorays
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - PanoraysHacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - Panorays
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - PanoraysDemi Ben-Ari
 
A Primer for Your Next Data Science Proof of Concept on the Cloud
A Primer for Your Next Data Science Proof of Concept on the CloudA Primer for Your Next Data Science Proof of Concept on the Cloud
A Primer for Your Next Data Science Proof of Concept on the CloudAlton Alexander
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at DecisivTeleport
 
Prometheus and Docker (Docker Galway, November 2015)
Prometheus and Docker (Docker Galway, November 2015)Prometheus and Docker (Docker Galway, November 2015)
Prometheus and Docker (Docker Galway, November 2015)Brian Brazil
 
Prometheus (Microsoft, 2016)
Prometheus (Microsoft, 2016)Prometheus (Microsoft, 2016)
Prometheus (Microsoft, 2016)Brian Brazil
 
Is the door to your active directory wide open and unsecure
Is the door to your active directory wide open and unsecureIs the door to your active directory wide open and unsecure
Is the door to your active directory wide open and unsecureDavid Rowe
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays
 
Devoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsDevoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsBert Jan Schrijver
 
Arnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsArnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsBert Jan Schrijver
 
Monitoring as an entry point for collaboration
Monitoring as an entry point for collaborationMonitoring as an entry point for collaboration
Monitoring as an entry point for collaborationJulien Pivotto
 

Similar to Passing the Torch: Old School Red Teaming Tactics Meet New School Techniques (20)

Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Is DevOps Braking Your Company?
Is DevOps Braking Your Company?Is DevOps Braking Your Company?
Is DevOps Braking Your Company?
 
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - Panorays
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - PanoraysHacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - Panorays
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - Panorays
 
A Primer for Your Next Data Science Proof of Concept on the Cloud
A Primer for Your Next Data Science Proof of Concept on the CloudA Primer for Your Next Data Science Proof of Concept on the Cloud
A Primer for Your Next Data Science Proof of Concept on the Cloud
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at Decisiv
 
Prometheus and Docker (Docker Galway, November 2015)
Prometheus and Docker (Docker Galway, November 2015)Prometheus and Docker (Docker Galway, November 2015)
Prometheus and Docker (Docker Galway, November 2015)
 
Prometheus (Microsoft, 2016)
Prometheus (Microsoft, 2016)Prometheus (Microsoft, 2016)
Prometheus (Microsoft, 2016)
 
Is the door to your active directory wide open and unsecure
Is the door to your active directory wide open and unsecureIs the door to your active directory wide open and unsecure
Is the door to your active directory wide open and unsecure
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
Devoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsDevoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systems
 
Arnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsArnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systems
 
Monitoring as an entry point for collaboration
Monitoring as an entry point for collaborationMonitoring as an entry point for collaboration
Monitoring as an entry point for collaboration
 

More from Will Schroeder

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfWill Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 

More from Will Schroeder (7)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 

Recently uploaded

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Recently uploaded (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Passing the Torch: Old School Red Teaming Tactics Meet New School Techniques

  • 1. Passing the Torch: Old School Red Teaming, New School Tactics? Dave McGuire, Will Schroeder Veris Group’s Adaptive Threat Division
  • 2. @davidpmcguire ● Director of Veris Groups’ Adaptive Threat Division o Penetration Testing o Red Teaming o Threat Replication ● Former technical lead of NSA Red Team ● Developer of Adaptive Penetration Testing and Adaptive Red Team Tactics BlackHat training classes
  • 3. @harmj0y ● Chief security researcher and red teamer for Veris Group’s Adaptive Threat Division ● Co-founder of the Veil-Framework #avlol o www.veil-framework.com o Shmoocon ‘14: AV Evasion with the Veil Framework o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0 o co-wrote Veil-Evasion, wrote Veil-Catapult, Veil- Pillage, PowerView, and PowerUp ● Active Cortana and PowerShell hacker
  • 4. tl;dr ● Pentesting vs. Red Teaming ● Red Teaming vs Red Team Operations ● Tactic 1: Situational Awareness ● Tactic 2: Domain Trusts ● Tactic 3: Escalation and Pivoting ● Tactic 4: Persistence ● Tactic 5: Files Files Files ● Demo: FIGHT!
  • 5. Pentesting ● Definition ranges anywhere from a single person running a (slightly)-glorified vuln scan, to a full on multi-person assault for several weeks ● Reasonable Balance: breadth vs. depth, find as many holes as you can and see how far you can get in a limited timeframe
  • 6. Red Teaming vs. Red Team Operations ● Red teaming means different things to different people ● Some focus on physical ops, some focus on in-depth social engineering, some focus on custom exploit dev, some focus on pure network based operations, etc. ● Common thread of increased time frame and more permissive scope
  • 7. Red Teaming Operations ● An operation organized to emulate a potential adversary’s exploitation or attack effectiveness against a targeted mission or capability ● Military concept of adversarial thinking that evolved into adversary emulation ● General idea: simulate an “advanced” attacker
  • 8. Our Take ● We focus on operational risk posed by advanced attackers ● From our perspective, red team operations primarily involve analysis and actions that happen after the initial access ● A vast majority of corporate deployments in the US consist of Windows environments, so that’s where we focus
  • 9. Cyber Kill-Chain :) Identify points that affect business impact Datamine for Sensitive Information Establish Persistence Acquire Domain/Network Administrative Privileges Identify Further Exploit Points Escalate Privileges Gain Situational Awareness Gain Access
  • 10. Bridging the Gap ● Red Teaming is historically defined by: o The use of specialized toolsets o Expanded timeframe o Large team size o Lots of $$$ ● Our interpretation is really more about emulation of techniques, independent of toolsets o Newer tools provide many previously specialized capabilities
  • 11. Nothing New? ● These techniques are public but lesser known ● Admins need to admin, users wanna use o Always going to be a way to abuse ‘normal’ functionality for unintended purposes ● Everything here is possible through multiple means o VBscript, PowerShell, C/WinAPI or native/CLI o Good to have alternative ways to accomplish the same goal
  • 13. Landing on the Beachhead
  • 14. Landing on the Beachhead ● Orient yourself after the initial compromise ● Gain situational awareness to plan your next attack steps ● Nothing revolutionary here: o the more information you can gather, the better you can map out your next phase o and active directory is a gold mine of information
  • 15. Old School: Users/Network Info ● Groups/users in the domain: o net users /domain o net group /domain o net group “Domain Admins” /domain ● Computers in the domain: o net view /domain:<domain name> ● Information about a host o net view <hostname> o srvinfo <hostname> o sc <hostname> o nbtstat -A <hostname>
  • 16. Old School: User Hunting ● Find where high value users are logged in ● Find user fileservers: 1. net use a. look for mapped drives 2. net user <username> /domain a. extract “Home Directory” server 3. ...repeat for all users :( ● Check the sessions, match against target users: o NetSess.exe SERVER
  • 17. New School ● Rob Fuller (@mubix’s) netview.exe project, presented at Derbycon 2012, is a tool to “enumerate systems using WinAPI calls” ● Finds all machines on the network, enumerates shares, sessions, and logged in users for each host o And now can check share access, highlight high value users, and use a delay/jitter :)
  • 18. New(est) School: PowerShell ● PowerShell has some great AD hooks and access to the Windows API as well ● PowerView implements a ton of this functionality without having to remember all the syntax ● Full replacement for “net *” commands, as well as a full netview.exe implementation, Invoke-Netview
  • 19. New(est) School: PowerShell ● Invoke-UserHunter o queries AD for all machines o queries for a target user group (“Domain Admins”) o uses the same API calls as netview.exe to enumerate sessions and logged in users, matching against the target user list ● Invoke-StealthUserHunter o queries AD for all users, extracts all home directories o queries for a target user group o runs the equivalent to “net session” against each file server, matching against target user list
  • 22. Windows Domain Trusts 101 ● Trusts allow separate domains/directories to form inter-domain relationships ● A trust simply allows for the possibility of access between domains o Administrators must go the extra mile and actually enable access ● Trusts can be a method for an attacker to jump from one network to another
  • 23. Domain Trusts 101 ● Trusts come in 3 varieties o One way - Only one domain trusts the other o Two way - Both domains trust each other o Transitive - Domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C ● Each domain in a forest has a two-way transitive trust with both its parent and each of its children ● More information: o http://www.harmj0y.net/blog/redteaming/trusts-you- might-have-missed/
  • 24. So What? ● Why does this matter? ● Red teams often compromise accounts/machines in a domain trusted by their actual target o Allows operators to exploit these existing trust relationships to achieve their end goal ● And Enterprise Admin = pwnership over everything below
  • 25. Old School: nltest ● Some Microsoft administrative tools can give you lots of interesting information concerning domain trusts: o nltest /domain_trusts - identify all current domain trusts o nltest /dcname:<domain name> - identify primary domain controller for a target domain ● Other tools grant some of this functionality as well: o netdom to verify two-way trusts o dsquery/dsget to enumerate additional information
  • 26. Old School: dsquery/dsget ● Retrieve users from a specific domain: o dsquery user “cn=users,dc=dev,dc=test,dc=local” ● Grab “Domain Admins” for a specific domain: o dsget group "cn=Domain Admins,cn=users,dc=dev,dc=test,dc=local" - members ● See what groups a user is a member of: o dsget user "cn=john,cn=users,dc=dev,dc=test,dc=local" - memberof
  • 27. New School: Trusts and PowerShell ● Of course you can do this (and with greater ease) using PowerShell: o ([System.DirectoryServices.ActiveDirecto ry.Forest]::GetCurrentForest()).Domains o ([System.DirectoryServices.ActiveDirecto ry.Domain]::GetCurrentDomain()).GetAllTr ustRelationships() ● PowerShell AD functionality can easily operate on domains to which there's an existing trust o finding domain controllers, querying users, enumerating domain groups, etc.
  • 28. New(est) School: PowerView ● Domain/forest trust relationships can be enumerated through several PowerView functions: o Get-NetForest: information about the current domain forest o Get-NetForestTrusts: grab all forest trusts o Get-NetForestDomains: enumerate all domains in the current forest o Get-NetDomainTrusts: find all current domain trusts, á la nltest
  • 29. New(est) School: PowerView ● If a trust exists, most functions in PowerView can accept a “-Domain <name>” flag to operate across a trust: o Get-NetDomainControllers o Get-NetUser/Get-NetUsers o Get-NetComputers/Get-NetFileServers o Get-NetGroup/Get-NetGroups o Invoke-UserFieldSearch o Invoke-Netview o Invoke-UserHunter, etc.
  • 32. Moving Beyond the Beachhead ● Now that you’ve mapped out the network, active directory structure and trust relationships, time to see what mischief you can cause ● First step often involves escalating to SYSTEM on your target ● Then grab tokens/passwords/etc. and start your lateral movement
  • 33. Old School: Escalation ● One of the most effective escalation vectors was (and still is) vulnerable Windows services ● Specifically, many organizations overlook the permissions for service binaries :) ● After gaining SYSTEM on a box, makes it a lot easier to snarf up all active user tokens o File servers are great places to look
  • 34. Old School: Tokens ● Impersonation tokens o for “non-interactive” logons, i.e. drive mapping o allows a process/thread to carry out actions as the identified user on the current system ● Delegation tokens o for “interactive” logons (we want these!!) o allows a process/thread to carry out actions as the identified user on remote systems ● Impersonate/steal tokens with your agent of choice o Can also just migrate to a user-owned process!
  • 35. New School: Escalation ● PowerUp: a PowerShell tool to automate the discovery and abuse of Windows privilege escalation vectors. Checks for: o vulnerable services o service binaries o unquoted paths o AlwaysInstallElevated, and more ● Invoke-AllChecks will run all current checks, and will tell you what function will abuse whatever vulns are found
  • 36. New School: Token Manipulation ● PowerSploit / Exfiltration / Invoke- TokenManipulation.ps1 ● Equivalent to Incognito’s functionality, but purely in PowerShell ● Allows you to enumerate tokens, steal/impersonate what you find, create processes, etc.
  • 37. New School: Mimikatz FTW ● If you don’t know what Mimikatz is, shame on you! ● Even better, the PowerSploit guys integrated everything into PowerShell ● Invoke-Mimikatz.ps1 lets you dump credentials, play with kerberos tickets, and more
  • 40. Keeping the Door Open ● You don’t want to have to regain access for each new engagement o Attackers don’t leave, why should you o Long term assessments require stable access ● Two main approaches: o local machine level persistence o domain level persistence ● Credentials are always a great persistence method
  • 41. Old School ● Keep a low and slow C2 agent running on the machine o In case of reboot, drop an obfuscated binary to disk ● Try to stay off of main servers o Find privileged users with access to those servers, then target their workstations ● Dump domain hashes o Pay attention to privileged accounts with an infrequent password change policy
  • 42. ● For low-and-slow agent persistence, a few specialized tools are available: o Cobalt Strike’s Beacon o Immunity’s Innuendo o Silentbreak’s Throwback ● For on-disk local persistence, some (newer?) techniques: o schtasks + PowerShell through a one-liner o permanent WMI + PowerShell through PowerSploit o obfuscated binary + SC New School: Local Persistence
  • 43. New(est) School: Domain Persistence ● There’s nothing better than...
  • 44. The Golden Ticket ● If you can knock over a domain controller and grab the krbtgt hash, you can forge your own kerberos tickets o For any user. And put them in any group. For as long as that hash isn't changed. Which isn't often. o Think years. ● Long story short: if you can pwn a domain once, you can pwn it for a LONG time ● Go see Chris’ “Et tu – Kerberos?” at 6pm!
  • 48. Files on Files ● The end goal isn’t domain admin, the end goal is data ● Even when you don’t own everything, every organization has file shares with improper access controls ● Goal: o Locate and triage every single file we can access over the network (hunt for sensitive data) o Gain sensitive information (potentially for escalation), choose possible files to trojanize
  • 49. Old School: Finding Shares ● Finding shares manually: o net view /domain:<domain name> o net view <hostname> ● Make new people triage every network share and file found o Great morale booster :) ● Once readable shares are located, triage the possible thousands to millions of files on remote servers o New people like doing this :)
  • 50. Old School: Finding Files ● Nothing more old school that straight recursive directory listings with dir /s o dir /s <hostname>SHARE > listing.txt o dir /s /Q /O:-D /T:A <hostname>SHARE > listing.txt ● Then grep file listings for sensitive names, as well as office docs/.exe’s that have been recently accessed :)
  • 51. New School: Finding Shares ● Search for open shares and sensitive files with PowerShell and PowerView ● Invoke-ShareFinder -CheckAccess will: o Find all machines on the network o Enumerate all shares on each machine o Check if the current user has read access to any found shares ● Spits out a “HOSTSHARE - comment” list of all shares on the network you can read
  • 52. New School: Finding Files ● Once you have shares, PowerShell helps you triage for files, nicely sortable: o PS> get-childitem MACHINEPATH -rec - ErrorAction SilentlyContinue | where {!$_.PSIsContainer} | select-object FullName,@{Name='Owner';Expression={(Ge t-Acl $_.FullName).Owner}}, LastAccessTime, LastWriteTime, Length | export-csv -notypeinformation -path files.csv ● The -include @(‘*term*’) argument lets you find files by wildcard terms
  • 53. New School: Targeted Trojanation ● Invoke-SearchFiles and Invoke-FileFinder both accept the “-FreshEXEs” flag o this will find .exe’s accessed within the last week ● We can then use Joshua Pitts’ The Backdoor Factory to easily trojanate these binaries ● Then can use PowerView’s Invoke- CopyFile to copy the trojanated file in, matching MAC attributes
  • 54. Demo
  • 55. Recap ● Newer tools and techniques can greatly facilitate red team engagements ● Always have a backup plan- if one implementation fails, you always need to have options ● Moral of the story: the underlying tactics rarely change, but the specific implementations often do
  • 56. Questions? ● Offensive PowerShell blogs: o http://obscuresecurity.blogspot.com/ o http://www.exploit-monday.com/ o http://www.darkoperator.com/blog/ o http://blog.harmj0y.net ● Offensive PowerShell Toolsets: o PowerSploit:  https://github.com/mattifestation/PowerSploit/ o PowerView:  https://github.com/veil-framework/Veil-PowerView o PowerUp:  https://github.com/HarmJ0y/PowerUp

Editor's Notes

  1. Everybody drink!