Abstract

Red Teaming Active Directory

Contents:
1) Lab setup
2) Post-exploitation in AD
3) Application Whitelist bypass methods

Pre-requisite:
1) Windows Server 2016/2019 installed in VirtualBox/VMware
2) Windows Enterprise installed in VirtualBox/VMware
https://www.microsoft.com/en-us/evalcenter/
(Please install the machines before attending to save time.)
3) Linux (preferably Kali or Parrot) installed in VirtualBox or as the host OS
4) Basic internet access for downloading tools as needed (mobile data would be fine)
5) C2 frameworks:
* https://github.com/zerosum0x0/koadic
* https://github.com/byt3bl33d3r/SILENTTRINITY

The session will be completely about post-exploitation, i.e. you already have a set of credentials or a password hash for the user you're attacking.
I have provided a few references for obtaining the hash/credentials.

Content:
* AD setup
* Windows password management (SAM, NTDS.dit, lsass)
* SSP provider - wdigest
* Password spraying
* Widespread local Administrator password spray
* Execution methods - psexec, wmiexec, smbexec, atexec, winrm

Whitelist bypass methods:
1) mshta
2) wmic
* Intro to WMI, wbemtest, PowerShell and WMI
3) msbuild
* Inline C# execution
4) InstallUtil and csc
* Registration, unregistration and Janus (two-faced) behaviour
* Executing code when cmd.exe is blocked, by creating a shortcut
5) regsvr32
* COM, registering DLLs, .sct files
* Using wscript files for code execution
6) Using trusted scripts for executing code

If you want to learn more, explore these websites as they are/were maintained by experts in this domain.
References:
https://www.secureauth.com/blog/playing-relayed-credentials
https://www.microsoft.com/en-us/download/details.aspx?id=46899
https://www.blackhillsinfosec.com/evade-application-whitelisting-using-regsvr32/
https://byt3bl33d3r.github.io/author/byt3bl33d3r.html
https://hausec.com/
https://adsecurity.org/
https://cobbr.io/SharpSploit.html
https://www.hackingarticles.in/post-exploitation-using-wmic-system-command/
https://blog.conscioushacker.io/index.php/category/application-whitelisting/
https://enigma0x3.net/
http://archive.is/subt0x10.blogspot.nl
https://github.com/khr0x40sh/WhiteListEvasion
https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
https://web.archive.org/web/20161214101107/http://thrysoee.dk/InsideCOM+/ch05e.htm
https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation
https://gist.github.com/mycryptonite/
https://medium.com/harsh-thakur/how-to-install-active-directory-663c685355ee

Speaker

Harsh Thakur

I prefer day dreaming, I have better control over the narrative.

Timing

Starts on Saturday, May 04 2019, 09:30 AM. The session runs for about 8 hours.

Resources