Ad, mimikatz, ata and (awe)some evasion techniques
Download as PPTX, PDF•0 likes•846 views
This document provides an overview of adversarial tactics and techniques for attacking and evading detection on a network. It begins with introducing the speaker and their background in security. It then discusses using Mimikatz to dump credentials from memory and techniques like golden tickets, skeleton keys, and malicious security providers to escalate privileges and maintain access. The document demonstrates how to bypass antivirus and other defenses using techniques like encrypted credentials and living off the land binaries. It emphasizes that the goal is to mimic real adversary behavior to test detection and response capabilities rather than simply exploiting vulnerabilities.
![Red Team Attack Chain
• Gain Access
– Spear Phishing [Malware (trojan...) / Client Side Exploit]
• Gain Situational Awareness
– Powershell/admin tools & commands
• Escalation
– Local User/Domain User Local Admin with UAC/Domain User
– Local Admin with UAC/Domain User Local Admin Bypass UAC/Domain User
– Local Admin Bypass UAC/Domain User Domain Admin
• Explore Network & Lateral Movement (loop To Situational Awareness)
• Persistence
– Backdoor
• Access & Egress Data
• Extraction](https://image.slidesharecdn.com/admimikatzataandawesomeevasiontechniques-180620082511/85/Ad-mimikatz-ata-and-awe-some-evasion-techniques-6-320.jpg)
Ad, mimikatz, ata and (awe)some evasion techniques
- 1. AD, Mimikatz, ATA and (awe)some evasion techniques Guglielmo Scaiola MCSE – CEI – CEH – CHFI – ECSA – GPEN - ISO 27001 L.A. – Security + mail: [email protected] Twitter: @S0ftwarGS Blog: S0ftwarGS.com
- 2. Who am I? • Security Consultant e Ethical Hacker • Red Teamer e Penetration Tester • Microsoft System Engineer – A.D. expert • Incident Handling & Enterprise Forensics • Trainer & Speaker Guglielmo «S0ftwar» Scaiola MCSE – CEI – CEH – CHFI – ECSA - GPEN - ISO 27001 L.A. – Security + mail: [email protected] Twitter: @S0ftwarGS Blog: S0ftwarGS.com
- 3. AGENDA • Intro • Att&ck the network • Attack & Detection • Evading Detection and Bypassing Countermeasures • ??? • Q & A
- 4. Red OR Blue?
- 5. ATT&CK : Adversarial Tactics, Techniques & Common Knowledge https://attack.mitre.org/wiki/Main_Page
- 6. Red Team Attack Chain • Gain Access – Spear Phishing [Malware (trojan...) / Client Side Exploit] • Gain Situational Awareness – Powershell/admin tools & commands • Escalation – Local User/Domain User Local Admin with UAC/Domain User – Local Admin with UAC/Domain User Local Admin Bypass UAC/Domain User – Local Admin Bypass UAC/Domain User Domain Admin • Explore Network & Lateral Movement (loop To Situational Awareness) • Persistence – Backdoor • Access & Egress Data • Extraction
- 7. Real Time Vs. Post Mortem
- 9. Initial Access: Bypass countermeasures • Bypass AV isn’t a problem • https tunneling • + URL in allow category • Expireddomains.net • EV code signing • Endpoint protection - AV • FW port 443 • URL filtering • URL reputation • Smartscreen Filter
- 10. Initial Access: hunting e detection • Search for reflective injection • Search for RWX memory https://www.youtube.com/watch?v=93GyP-mEUAw&t=15s - Malleable Memory Indicators with CS's Beacon Payload - Raphael Mudge
- 11. DEMO TIME
- 12. RECON... • Net commands – Net user /domain • Powerview – User hunter
- 13. ...stop the recon... But... User hunter without DC can work
- 14. Kerberos Attack 1) Emulating DC (Not real DC) 2) Tricking the KDC for a ticket 3) Forging 4) Manipulation
- 15. DcShadow
- 16. DCSync DCSync, normal behaviour: 1) Discovery DC 2) Query replicate the user cred via GetNCChange But: THE SOURCE IP IS NOT FROM A REGULAR DC
- 17. Mimikatz – over-pass-the-hash sekurlsa::pth /user:admin2 /domain:child1.newtest.lab /ntlm:a87f3a337d73085c45f9416be5787d86
- 18. Silver Ticket - Golden Ticket - Sid History
- 19. Skeleton key 19
- 21. AdminSDHolder
- 22. You shall not pass
- 27. Warming up...
- 28. Some bypass • Silver ticket if is not for the account computer of the DC • Malicious Security provider if the computer is not a DC • DCSync trusted domains
- 29. Some ATA Bypass Techniques ATA can’t win if: • The protocols are correctly implemented • ATA can’t see how the ticket (or request) are built • ATA can’t see the traffic with his agents
- 30. Bypass 1 - OverPassTheHash sekurlsa::pth /user:MyUser /domain:MyDomain /aes256:aes256 /ntlm:ntlm /aes128:aes128"‘ sekurlsa::pth /user:admin2 /domain:child1.newtest.lab /ntlm:92937945b518814341de3f726500d4ff /aes256:cc057a204bb4aad41694a58f495b0834118599d76c7a66b0326cb250a9c46f8f /aes128:d4a5dd3dce09a0e031c114fdd7e8094c
- 31. Bypass 2 – Golden Ticket kerberos::golden /User:MyUser /domain:MyDomain /sid:S-1-5-21-3270384115-3177237293-604223748 /aes256:aes256krbtgt /id:1000 /groups:512,513,518,520 /ptt"‘ Golden with AES keys can be generated from any machine unlike restrictions in case of Over-PTH.
- 32. WPC2017 32
- 33. DEMO TIME
- 34. Q & A
- 35. Credits • SpecterOps:@SpecterOps – Matt Graeber: @mattifestation – Will Schroeder: @harmj0y – Raphael Mudge: @ArmitageHacker – Andrew Robbins: @_wald0 – Matt Nelson: @Enigma0x3 • Benjamin Delphi: @gentilkiwi • Sean Metcalf: @PyroTek3
Editor's Notes
- #12: 1metasploit 2artifactrwx 3artifactOk 3’ tot