
Showing posts from December, 2021

icacls.exe: Windows file and directory permissions modification

https://attack.mitre.org/techniques/T1222/001/

Example:
Image: C:\Windows\system32\icacls.exe
cmdline: ICACLS . /GRANT EVERYONE:F /T /C /Q

icacls C:\Windows\System32\config\sam

C:\Users\Avi\Desktop>cacls TestCACLS /p Users:n (n for no control): now no one can access the TestCACLS folder.
C:\Users\Avi\Desktop>cacls TestCACLS /p Users:f (f for full control): now the folder can be accessed again.
https://ss64.com/nt/cacls.html

Check permissions, force remove, then add Read + Execute, then validate the permissions:
icacls putty.exe
icacls putty.exe /deny tsa_admin:(F)
icacls putty.exe /grant:r tsa_admin:(RX)
icacls putty.exe

icacls "%WINDIR%\system32\msimg64.dll" /grant administrators:F

Detection: Windows Security log events (event ID 4670) are created when DACLs are modified.

Inheritance rights are represented by the following abbreviations: OI object inherit, CI container inherit, IO inhe...

What is cscript.exe and how is it related to malware and MITRE ATT&CK

It is the Windows Script Host, which runs script files; Windows uses it to execute scripts. Sometimes malware and attackers abuse it. The Sysinternals tool Autoruns can tell you what scripts are running, or check the Windows Task Scheduler from the Computer Management section. You can also try the free version of Malwarebytes to check whether malware on your system is calling cscript.

Example:
Image: C:\Windows\system32\cscript.exe
cmdline: CSCRIPT.EXE //NOLOGO M.VBS

An attacker may abuse Visual Basic for execution. VB is a programming language created by Microsoft. Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office as well as several third-party applications like Wikipedia. VBA enables documents to contain macros, which are used to automate the execution of tasks and other functionality on the host. VBScript is the default scripting language on...

sAMAccountName spoofing with Kerberos | CVE-2021-42278 and CVE-2021-42287

CVE-2021-42278: spoof the sAMAccountName of a computer account, thus impersonating a domain controller. CVE-2021-42287: affects the PAC, thus impersonating the DC. Both vulnerabilities have now been patched by the Microsoft November 2021 update.

Attribution: it is worth mentioning that everything I am writing in this blog is a contribution of the Cloud Brothers.

Attack Scenario 1: the attacker has gained a foothold on a workstation. The domain is using the default configuration, and thus the logged-in user has the following permissions: SeMachineAccountPrivilege and MS-DS-Machine-Account-Quota. The first one translates to "add workstations to domain", but it can only be abused if the MS-DS-Machine-Account-Quota parameter is not set to 0. In that case any user can create up to 10 computer objects in AD by default.

Attack Scenario 2: the attacker has gained a foothold on a workstation. This time the domain is hardened to some extent, so not every user can create a computer object in ...

ntdsutil.exe tool for copying the ntds.dit file to another location

ntds.dit: New Technology Directory Services Directory Information Tree, located at %Systemroot%\NTDS\Ntds.dit. This ntds.dit file is encrypted using the SYSTEM registry hive. We will use ntdsutil.exe, a Microsoft tool, to copy the ntds.dit file to another location, because normally you cannot do this as the file is always in use by the system. The following command will copy ntds.dit, the SYSTEM registry hive and the SECURITY hive to the given location, but we only need the SYSTEM hive file to decrypt ntds.dit:

C:\>ntdsutil "ac i ntds" "ifm" "create full C:\ProgramData\backup" q q

Now at C:\ProgramData\backup you will get ntds.dit and the SYSTEM and SECURITY registry hive files. As an attacker you can now crack the passwords offline.
https://www.youtube.com/watch?v=rioVumJB0Fo
Avi

Pass the hash attack, detection and mitigation

Pass the hash (lateral movement). Pass the hash is a technique that enables an attacker, using the Mimikatz tool, to capture the NTLM or LanMan password hash of a user from memory. A successful attack allows the attacker to access directories or resources that the compromised user is authorized to access.

How this attack works:
1. The attacker first compromises a system (or, without the user's consent, gains access to that system). If that account has admin rights, then leveraging those rights the attacker can use Mimikatz to dump all other NTLM password hashes from memory. Alternatively, they can compromise AD and take the ntds.dit file to extract hashes from it.
2. Using Mimikatz they can embed the hash in the local token and start moving laterally through the network. This by itself does not give the attacker high-level access on the target system, but if the compromised user account's hash is authorized for high-level access then the attacker gets the same; it depends on the permissions. ...

Kerberoasting or silver ticket attack by Stealthbits

https://youtu.be/beRDcvBwTBw
1. We will use the kerberoast GitHub tool (github.com/nidem/kerberoast) to get users' SPNs. After launching this script it will give us a list of user accounts in AD that have an SPN associated with them.
PS C:\kerberoast> .\GetUserSPNs.ps1
2. Once a list of target accounts is obtained, the attacker requests service tickets from AD using the SPN values. As we can see, we have got the ticket.
3. Now we will use Mimikatz to dump the ticket from memory to disk. This ticket is encrypted using the MySQL service account's NTLM password hash. Now we need to take this ticket offline to start cracking it using a dictionary attack.
4. For the solution, check the Stealthbits attack catalog attack-to-product mapping PDF file.
Avi

Kerberos silver ticket attack and detection, Kerberoasting, $23$ hash crack

https://www.youtube.com/watch?v=_nJ-b1UFDVM
https://stealthbits.com/blog/impersonating-service-accounts-with-silver-tickets/#es_form_f0-n1
https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#golden-ticket
https://adsecurity.org/?page_id=183

Kerberos silver ticket: a silver ticket is a forged service ticket (TGS). After creating this ticket, the AS-REQ, AS-REP, TGS-REQ and TGS-REP steps are bypassed; since a silver ticket is a forged TGS, there is no need to communicate with a domain controller.
1. The ticket is valid because it is encrypted with the service account's NTLM password hash. A service account is configured with a service principal name for each server the Kerberos-authenticating service runs on. For example, SQL Server running on Windows Server 2016. By default the SQL service runs as follows, which is not vulnerable:
SQL Server (MSSQLSERVER)    NT Service\MSSQLSERVER
If you want to make this vulnerable, or want an AD user account to authenticate the SQL service vi...

Phishing mail analysis checklist

1. Before replying to any mail, check that the reply address is set to the appropriate one: the address you received the mail from and the address the reply is supposed to go to should be the same. Check the domain name as well, because the sender name, email address and domain name can all be spoofed easily. So if a mail looks suspicious, check its Reply-To header and domain header. You can do this by viewing the mail source: for example, in the Thunderbird email client navigate to More > View Source. In this source you can find all the necessary email headers.
2. Check the mail Return-Path. The Return-Path says where the mail should go back to if it bounces. The Return-Path should be the sender's mail address; if it is another mail address then it is suspicious.
3. Check the mail attachment. Sometimes it appears to be a .doc or Excel attachment, but an .exe file is hidden behind it. So analyse the following headers from the source code:
Conten...

Kerberos golden ticket attack and detection

https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#golden-ticket
https://adsecurity.org/?p=1515

First let's see how Kerberos works:
1. The first authentication request, which is for a TGT, is sent to the authenticator, the KDC, in the form of an AS-REQ. When the user enters his/her username and password, the password is converted into an NTLM hash, and a timestamp for that user (in order to prevent replay attacks) is encrypted with that hash and sent to the KDC.
2. The domain controller's KDC service checks the user's information, like logon restrictions, group membership, permissions etc. (it basically checks what the user is allowed to do on their system), then creates a TGT for the user and sends the TGT in reply to the AS-REQ, which is the AS-REP.
3. This TGT is encrypted with the AD krbtgt account's password hash. Only the Kerberos service in the domain can open and read the TGT data; no one else can, because they don't have the krbtgt account's password hash to decrypt it.
4. The user needs to present this TGT...