Feels incredible to finally be able to talk about this tool and capability. Thanks to everyone that attended the webinar today, much appreciated.
This is a tool that the entire Targeted Ops and Research team at TS has contributed to. I initially wrote the tool, but @freefirex2
Today, TrustedSec is releasing #Specula (our previously internal framework) into the world, which will transform the Outlook email client into a beaconing C2 agent. @oddvarmoe and @freefirex2 walk through how to use Specula in our latest blog!
Things that make my Red Team day harder:
- Macros disabled
- HTAs disabled
- LAPS implemented
- SMB Signing On
- User Behavior Analytics
- Educated Users
And the worst is a blue team that has passion, that uses HoneyUsers/Honeytokens/tripwires/fake services and focuses on detection.
Defenders should deploy this setting:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Dword: RunAsPPL
Value: 1
Protects LSASS from dumping with a simple registry value.
Encountered that on an engagement recently. 🤯
Mimikatz driver needed to bypass
Details
Random tip on LDAP searches.
Search for UserAccountControl set to 544. That is for "Enabled, Password Not Required". If you get hits, try to authenticate with the account without a password.
This also works really well:
cmd.exe /c "gpupdate /force/../../../../../../../../../../windows/notepad.exe"
and
cmd /c "mshta.exe c:\temp\none.hta/../../../../../../../../../../windows/notepad.exe"
Fun stuff to be had with this technique
Love this technique of doing dcsync. When DA is achieved, simply create a new computer account with a password you know and set the UserAccountControl to SERVER_TRUST_ACCOUNT 0x2000.
Then you can DCSync using that account 💥
Great blog post about it here:
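Both of the userAccountControl tips above (accounts with UAC 544, and the SERVER_TRUST_ACCOUNT bit granting DCSync rights) are easier to act on from the defender's side when the flags are decoded bit by bit. The example below is added here and is not code from the original thread; the account records in SAMPLE_ENTRIES are constructed for the demo and stand in for the result of an LDAP query over a domain. It shows that a literal search for 544 misses an account that has extra flags set (for example DONT_EXPIRE_PASSWORD on top of 544), gives the bitwise LDAP filters that catch every variant, and lists accounts carrying SERVER_TRUST_ACCOUNT that do not live in the Domain Controllers OU.

```python
"""Audit userAccountControl (UAC) bits in Active Directory account records.

Added example for the two tips above; not code from the original thread.
SAMPLE_ENTRIES is constructed for the demo and stands in for an LDAP result set.
"""

# Bit values of userAccountControl, as documented by Microsoft.
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00020: "PASSWD_NOTREQD",
    0x00200: "NORMAL_ACCOUNT",
    0x01000: "WORKSTATION_TRUST_ACCOUNT",
    0x02000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x2
PASSWD_NOTREQD = 0x20
SERVER_TRUST_ACCOUNT = 0x2000

# OID of LDAP_MATCHING_RULE_BIT_AND: lets a filter test single bits of an integer attribute.
BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample directory entries: (distinguishedName, userAccountControl).
SAMPLE_ENTRIES = [
    ("CN=svc_legacy,OU=Service Accounts,DC=corp,DC=example", 544),     # exactly the value in the tip
    ("CN=svc_backup,OU=Service Accounts,DC=corp,DC=example", 66080),   # 544 + DONT_EXPIRE_PASSWORD
    ("CN=old_user,OU=Users,DC=corp,DC=example", 546),                  # PASSWD_NOTREQD, but disabled
    ("CN=DC01,OU=Domain Controllers,DC=corp,DC=example", 532480),      # a real DC: SERVER_TRUST + delegation
    ("CN=APP02,CN=Computers,DC=corp,DC=example", 8192),                # member server carrying the DC-only flag
    ("CN=WS01,CN=Computers,DC=corp,DC=example", 4096),                 # ordinary workstation
]


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def cn_of(dn):
    """Pull the leaf CN out of a distinguished name."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def exact_544(entries):
    """What a literal search for 544 matches: only accounts whose UAC is exactly that value."""
    return [cn_of(dn) for dn, uac in entries if uac == 544]


def enabled_password_not_required(entries):
    """Bitmask version: PASSWD_NOTREQD set and ACCOUNTDISABLE clear, whatever else is set."""
    return [cn_of(dn) for dn, uac in entries
            if uac & PASSWD_NOTREQD and not uac & ACCOUNTDISABLE]


def server_trust_outside_dc_ou(entries, dc_ou="OU=Domain Controllers,"):
    """Accounts flagged SERVER_TRUST_ACCOUNT whose DN is not under the Domain Controllers OU."""
    return [cn_of(dn) for dn, uac in entries
            if uac & SERVER_TRUST_ACCOUNT and dc_ou not in dn]


def ldap_filter_password_not_required():
    """LDAP filter equivalent of enabled_password_not_required(), usable in any LDAP client."""
    return (f"(&(userAccountControl:{BIT_AND}:={PASSWD_NOTREQD})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")


def ldap_filter_server_trust():
    """LDAP filter for every account carrying SERVER_TRUST_ACCOUNT; diff the result against the DC list."""
    return f"(userAccountControl:{BIT_AND}:={SERVER_TRUST_ACCOUNT})"


if __name__ == "__main__":
    for dn, uac in SAMPLE_ENTRIES:
        print(f"{cn_of(dn):<11} {uac:>7} {decode_uac(uac)}")
    print("exact 544:                  ", exact_544(SAMPLE_ENTRIES))
    print("enabled + PASSWD_NOTREQD:   ", enabled_password_not_required(SAMPLE_ENTRIES))
    print("SERVER_TRUST outside DC OU: ", server_trust_outside_dc_ou(SAMPLE_ENTRIES))
    print(ldap_filter_password_not_required())
    print(ldap_filter_server_trust())
```

Run stand-alone, the script prints the decoded flags for each sample account and the two filters. The bitwise filters are the ones to schedule: any enabled account that still has PASSWD_NOTREQD set, and any SERVER_TRUST_ACCOUNT object that is not a domain controller, is worth an alert.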
This setting is very powerful and easily forgotten.
If you have not implemented LAPS/unique local admin passwords, then this is a way to make it harder to move laterally between machines.
I often/still find Group Policy Preferences passwords when I do my pentests.
To check if you have this present in your domain you can run this command:
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
A great write-up here by @PyroTek3
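The findstr one-liner above is the quickest way to check SYSVOL for Group Policy Preferences passwords. The example below is added here and is not code from the original thread; it does the same check by parsing the policy XML, so each hit is reported with the file, the element and the account it configures, and a file that does not parse falls back to a case-insensitive text search (the same coverage as findstr /I) instead of being skipped. The small Policies tree written by build_sample_policies() is constructed for the demo; on a real domain you would point find_cpasswords() at \\<FQDN>\sysvol\<FQDN>\policies instead.

```python
"""Find Group Policy Preferences XML files that still carry a cpassword attribute.

Added example, not code from the original thread. SAMPLE_FILES is a constructed
Policies tree modelled on the Groups.xml / ScheduledTasks.xml layout GPP uses.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

GUID_A = "{00000000-0000-0000-0000-00000000000a}"  # constructed policy GUIDs
GUID_B = "{00000000-0000-0000-0000-00000000000b}"

SAMPLE_FILES = {
    # Well-formed Groups.xml with a stored cpassword (the blob is a placeholder, not a real secret).
    os.path.join(GUID_A, "Machine", "Preferences", "Groups", "Groups.xml"): (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        '  <User name="LocalAdmin">\n'
        '    <Properties action="U" userName="LocalAdmin" changeLogon="0" noChange="1"\n'
        '      cpassword="CONSTRUCTED-BLOB-NOT-A-REAL-SECRET"/>\n'
        '  </User>\n'
        '</Groups>\n'),
    # Scheduled task with an empty cpassword: the attribute is present but nothing is stored.
    os.path.join(GUID_A, "Machine", "Preferences", "ScheduledTasks", "ScheduledTasks.xml"): (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<ScheduledTasks>\n'
        '  <Task name="Cleanup">\n'
        '    <Properties action="C" runAs="NT AUTHORITY\\SYSTEM" cpassword=""/>\n'
        '  </Task>\n'
        '</ScheduledTasks>\n'),
    # Truncated (malformed) Groups.xml with the attribute in upper case: exercises the text fallback.
    os.path.join(GUID_B, "Machine", "Preferences", "Groups", "Groups.xml"): (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        '  <User name="Helpdesk">\n'
        '    <Properties action="U" userName="Helpdesk" CPASSWORD="CONSTRUCTED-TOO"\n'),
}


def build_sample_policies(root):
    """Write the constructed sample tree under root and return the paths written."""
    written = []
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        written.append(path)
    return written


def _scan_xml(path):
    """Yield (element tag, account) for every element with a non-empty cpassword attribute."""
    for elem in ET.parse(path).iter():
        for attr, value in elem.attrib.items():
            if attr.lower() == "cpassword" and value:
                yield elem.tag, elem.attrib.get("userName") or elem.attrib.get("runAs")


def find_cpasswords(root):
    """Walk root for *.xml files and report each stored cpassword.

    Well-formed files are parsed; a file that raises ParseError is searched as
    text, case-insensitively, and reported without element detail.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                for tag, user in _scan_xml(path):
                    hits.append({"file": rel, "element": tag, "user": user})
            except ET.ParseError:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if "cpassword" in fh.read().lower():
                        hits.append({"file": rel, "element": None, "user": None})
    return sorted(hits, key=lambda h: h["file"])


def run_demo():
    """Build the sample tree in a temporary directory, scan it, clean up and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_policies(root)
        return find_cpasswords(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Two of the three constructed files are reported: the well-formed Groups.xml (with the account name) and the truncated one (via the text fallback); the empty cpassword on the scheduled task is not a stored secret and is left out. Every hit is a policy that needs the credential removed and rotated, not just the file deleted.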
If you have AppLocker deployed, be aware that most times when Windows 10 is updated/upgraded, it creates a TASKS_MIGRATED folder under C:\windows\system32 that has CREATOR OWNER permissions, meaning that users can create and execute files from the folder, bypassing AppLocker 😱
Good documentation on all the different #LOLBins and #LOLScripts would be nice, right?
Good thing I have started then. Still have a lot of notes to add, but I feel this is a good start. Would love community feedback and contributions.
Is this useful?
Windows 10 1803 has some interesting new binaries.
I don't need to explain this picture...
- Well, they are signed at least
#LOLBins #LOLBin #DFIR #RedTeam
While adding the Windows Defender MpCmdRun.exe to LOLBAS, I also discovered it can store the downloaded file into an Alternate Data Stream. Sweet stuff!
Added here:
Also updated my ADS list:
Great discovery by @mohammadaskar2
Well, you can download a file from the internet using Windows Defender itself.
In this example, I was able to download Cobalt Strike beacon using the binary "MpCmdRun.exe" which is the "Microsoft Malware Protection Command Line".
Due to the massive response on this tweet I got inspired to write a blog post about some easy wins that make Red Teaming harder. So, giving away 4 free easy wins for Christmas in this post. 🎅
Enjoy
It is official!
I have been promoted to Principal Security Consultant at @TrustedSec and it feels awesome. Love to be at a place where I can grow my career and my contributions are appreciated. Without doubt the best place I have ever worked! ❤️❤️
Trying to figure out the name of a Domain Controller without running OS commands on the host through your shell?
Take a look at C:\windows\debug\netsetup.log.
This file contains information about how the computer joined the domain.
#PentestTip
An attacker can use this to create a computer account (with default AD settings):
djoin /PROVISION /DOMAIN <fqdn> /MACHINE evilpc /SAVEFILE C:\temp\evilpc.txt /DEFPWD /PRINTBLOB /NETBIOS evilpc
^This will create the computer account named evilpc with the password evilpc 😱
Did you know when a computer becomes a member of an AD domain, it is a member of the Authenticated Users group?
Meaning if you are system on a machine you can do stuff towards the domain.
After a discussion today I realized that is possibly not common knowledge.
I created this quick and dirty PowerShell script to check your current system drivers against the awesome list from @M_haggis @_josehelps @nas_bench
Hope you find it useful
AppLocker case study blogposts so far. More to come!
AppLocker study 1 -
AppLocker study 2 -
Hardening based on study 1 -
Hardening based on study 2 -
#AppLocker #FeedBackWelcome
A few things that really can make Red Teaming more difficult:
- Network segmentation is implemented and SMB is blocked almost everywhere (I would do this if I was working the blue side)
- Internal MFA for accessing servers with an isolated enrollment process
- HoneyThings
Created some YouTube content. My goal with this video series is to try to help defenders with typical issues we see on our engagements.
Intro:
AD Primer:
AD attacks:
Common Attacks:
A quick tip to all threat hunters out there: sfc.exe /verifyonly and look in the C:\Windows\Logs\CBS\CBS.log file afterwards. Look for "does not match". Easy way to check system binaries 😎
I just discovered that rundll32 also executes data in alternate streams.
Probably already discovered by someone else.
¯\_(ツ)_/¯
I hope you have detection mechanisms for data hidden in ADS.
You landed on a box with whitelisting and found out that Plex media server is installed....
Well, I suggest you look at PlexScriptHost.exe.
Could be that you find a Plex-signed version of Python... Just saying...
#LOLBins
Update to LOLBAS today. Merged a lot of PRs. Thanks!
New:
Aspnet_Compiler.exe,Certoc.exe,Cmdl32.exe,FltMC.exe,IMEWDBLD.exe,OfflineScannerShell.exe,OneDriveStandaloneUpdater.exe,PrintBrm.exe,SettingSyncHost.exe,Stordiag.exe,WorkFolders.exe,Procdump.exe+++
New blog post about an adventure I had with pre-created computer accounts. Let me tell you, old computer accounts can be fun!
Ended up creating an impacket script and a PR to the SharpHound ingestor as part of my adventure 🔥
Feedback is appreciated
Found an even cooler example with this technique when looking at it quick.
When executing with conhost it executes the process without a parent PID.
conhost calc.exe/../../windows/notepad.exe
Thanks for the inspiring post @julianpentest
If you are looking into NTFS Alternate Data Streams (ADS) then you can benefit from my previous work on the subject.
Part 1:
Part 2:
Gist with commands:
New blog post out now!🚨
I wrote a blog post on how I researched how to use the Windows Timeline to figure out user behavior on machines.
A big shout-out to @kacos2000 for his excellent research on the Windows Timeline; I reused a lot of his stuff (TY)
Msconfig, Pcwrun, netsh, Runonce, Gpscript, Extexport, psr, Nvudisp, Vsjitdebugger, Mftrace: some of the latest #LOLBins added to the LOLBAS list.
List is constantly growing.
Really love where this project is heading.
Thanks everyone for contributing!
TL;DR my blogpost:
Persistence technique (1-liner) - executes at local admin logon:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil.dll"
Does not show in Autoruns.exe as of now.
Video:
Looking at local files on my computer and it seems like Nvidia GeForce Experience has the possibility to disassemble and assemble files to/from .asm format using courgette.exe.
They also have an Nvidia-signed 7-zip.exe copy. Perfect when whitelisting prevents the use of 7-zip.
Quick #AppLocker bypass using ACL error in #Teamviewer 12 log file.
Done by adding alternate streams and executing the stream using WMIC.
#beautiful
Thought it was a new discovery with the WMIC alternate stream execution, but was already blogged about:
New blog post about using ADExplorer on engagements covering stuff like how to use a machine account hash over a socks proxy and various other recon tips.
Hope you find it useful
This is such a great post by @CE2Wells
Awesome method that can be abused by attackers. Have been working with mandatory profiles a lot in my past, but never thought of using it like this.
🤯🤯
Thanks for sharing!
I cannot recommend Automated Labs enough. It saves me so much time when I need an environment with the Active Directory named according to my current engagement. Perfect for payload testing
Valid paths to a binary in c:\temp on Windows (without ftp/webdav server or similar).
Do you know more paths?
c:\temp\file.exe
\\127.0.0.1\c$\temp\file.exe (or localhost)
\\.\c:\temp\file.exe
\\?\Volume{GUID of drive}\temp\file.exe
Did you know that most of the O365 password spraying tools are giving (not after today) the wrong output for the error AADSTS50079?
AADSTS50079 has changed meaning over the years and no longer means that MFA is in use; it actually means that MFA must be
Principal Security Consultant @Oddvarmoe made an exciting discovery while using password-spraying tools in Microsoft Office 365 during a recent engagement. Read our latest #blog to find out how he went from error to entry!
Approved some PRs in the LOLBAS (Thanks all)
- Rundll32 - Execute directly from smb
- FTP - One-liner example
- Explorer - added with the /root example
- PSR - For recon added
- Desktopimgdownldr - Downloading files
- Regini - Write reg from ADS
Approved a few PRs that had queued up on LOLBAS.
Added the following
- Dllhost.exe
- Datasvcutil.exe
- Appinstaller.exe
- Pnputil.exe
- Remote.exe
- Adplus.exe
In addition some adjustments were made to Teams update.exe, path added to winword.exe, OS on syncappvpub and more
A little old random fun fact about Exchange that probably not everyone knows. Very often you will see the following "ou=Exchange Administrative Group\FYDIBOHF23SPDLT" referenced.
That FYDIBOHF23SPDLT might look random, but it is not. (Caesar's cipher 1 to the left 😉)
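Carrying the shift through is a quick check on the claim. The example below is added here and is not code from the original thread; letters and digits are each shifted within their own alphabet, and a shift of one position to the left turns the administrative group name back into the phrase it encodes.

```python
"""Decode the Exchange administrative group name with a one-step Caesar shift.

Added example, not code from the original thread.
"""


def caesar_shift(text, shift):
    """Shift A-Z, a-z and 0-9 by `shift` positions, each wrapping within its own range."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "0" <= ch <= "9":
            out.append(chr((ord(ch) - ord("0") + shift) % 10 + ord("0")))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def decode_exchange_group(name="FYDIBOHF23SPDLT"):
    """Apply the one-position shift to the left described in the tweet."""
    return caesar_shift(name, -1)


if __name__ == "__main__":
    print(decode_exchange_group())
```

Shifting the decoded phrase one position to the right gives the original name back, which is why the string is the same in every Exchange organization rather than a per-install random value.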
Many ways to execute COM:
cmd /c start shell:::{GUID}
explorer shell:::{GUID}
rundll32 url.dll, OpenURL shell:::{GUID}
Do you know some other technique?
1/2
Thanks to @browninfosecguy and @Oddvarmoe, I have learnt something really useful, which I'd like to share with you :-) Take a look at the picture, and check here as well:
Want to improve your phishing campaign? Well, then I have a trick to share with you. New blog post about Next Gen Phishing - Leveraging Azure Information Protection.