AS2Go | How one certificate template misconfiguration (ESC1) can lead to complete Active Directory (AD) forest compromise

This post explains how to execute an ESC1 attack using AS2Go v2.9.

In three out of four Active Directory Security Assessments (ADSA), my colleagues and I identified vulnerabilities in Active Directory Certificate Services (ADCS). Most issues stem from certificate templates that, by default, are secure but become vulnerable due to human misconfigurations.

This discovery prompted me to enhance my script, “Attack Scenario To Go” (AS2Go), by adding a new privilege escalation method and creating this corresponding blog post.
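As an added example that is not part of AS2Go or of this post, the following PowerShell audits the certificate templates in the configuration partition for the ESC1 pattern: enrollee supplies the subject, no manager approval, no authorized signatures, an EKU that permits client authentication (or no EKU at all), published on an enrollment CA. For each hit it lists who holds the Enroll right, because the last ESC1 condition is that a low-privileged principal such as Domain Users can enroll. It assumes the RSAT ActiveDirectory module on a domain-joined host; the flag bits and extended-right GUID are the documented msPKI values, the variable names and output shape are the example's own.

```powershell
# Added example, not AS2Go code: audit certificate templates for the ESC1 pattern.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Flag bits as documented for the msPKI-* attributes
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: manager approval required
$ENROLL_RIGHT_GUID = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ALL_RIGHTS_GUID   = [guid]'00000000-0000-0000-0000-000000000000'   # ACE that covers every extended right

# EKUs that make a certificate usable for Kerberos (PKINIT) or Schannel logon
$authEkus = @(
    '1.3.6.1.5.5.7.3.2',      # Client Authentication
    '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
    '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
    '2.5.29.37.0'             # Any Purpose
)

# Only templates published on an enrollment service can actually be requested
$published = Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates }

$templates = Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
                            'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

foreach ($t in $templates) {
    $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
    $raSigs     = [int]$t.'msPKI-RA-Signature'
    $ekus       = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

    $supplySubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $noApproval    = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
    $noSignatures  = $raSigs -eq 0
    # An empty EKU list means "any purpose", which includes client authentication
    $authEku       = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $authEkus -contains $_ }).Count -gt 0)
    $isPublished   = $published -contains $t.Name

    if (-not ($supplySubject -and $noApproval -and $noSignatures -and $authEku -and $isPublished)) { continue }

    # Who may enroll: Allow ACEs granting GenericAll, the Enroll extended right, or all extended rights
    $enrollers = $t.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'GenericAll' -or
             ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
              ($_.ObjectType -eq $ENROLL_RIGHT_GUID -or $_.ObjectType -eq $ALL_RIGHTS_GUID)))
        } | Select-Object -ExpandProperty IdentityReference -Unique

    [pscustomobject]@{
        Template         = $t.Name
        # Broad groups here (Domain Users, Authenticated Users, Domain Computers) complete the ESC1 picture
        EnrollAllowedFor = ($enrollers -join ', ')
    }
}
```

Run it as any domain user: the template objects and their security descriptors are readable by Authenticated Users, which is exactly why an attacker can find the same template. The fix for a hit is to remove the enrollee-supplies-subject flag, require manager approval, or restrict the Enroll right to the group that actually needs the template.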

Choose your type of Privilege Escalation

Find the best attack based on the Victim PC's operating system (OS build) and the current situation.

Among other things, the following is taken into account:

  • Is the Victim a local admin on the Victim PC?
  • Is the Victim PC a member of Domain Admins or Account Operators?
  • Are there currently cached Kerberos tickets on the client?
  • Does this client/user have access to the c$ share on the Admin PC?
  • Is the WDigest authentication protocol enabled (plaintext credentials cached in LSASS)?
  • Is a Pass-the-Hash attack possible?
  • Are the Helpdesk user and the Domain Admin members of the Protected Users security group?
  • Is a Forge Authentication Certificates attack possible?
  • Is a risky certificate template (e.g. ESC1) available?
  • Was at least one administrative account with Service Principal Names (SPNs), i.e. a Kerberoasting target, found?
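As an added example, and not code taken from AS2Go, here is how most of the checks in that list can be answered from PowerShell on the Victim PC. The Admin PC name (ADMIN-PC) and the helpdesk account name (helpdesk) are assumptions; the certificate-template check is omitted because it needs a configuration-partition query of its own.

```powershell
# Added example, not AS2Go code: situational checks before choosing a privilege-escalation path.
# Assumes the RSAT ActiveDirectory module; ADMIN-PC and helpdesk are assumed names.
Import-Module ActiveDirectory

$adminPc      = 'ADMIN-PC'      # assumed name of the Admin PC
$helpdeskUser = 'helpdesk'      # assumed helpdesk account
$result       = [ordered]@{}

# OS build of this (Victim) PC: decides e.g. whether WDigest defaults to on or off
$result.OSBuild = (Get-CimInstance Win32_OperatingSystem).BuildNumber

# 1. Is the current user a local admin on this PC?
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$result.LocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Cached Kerberos tickets in the current logon session (parsed from klist)
$result.CachedTickets = @(klist 2>$null | Select-String -Pattern '^\s*Server:\s*(\S+)' |
                          ForEach-Object { $_.Matches[0].Groups[1].Value })

# 3. Access to the administrative share on the Admin PC (false on access denied or host down)
$result.AdminShareAccess = Test-Path -Path "\\$adminPc\c$" -ErrorAction SilentlyContinue

# 4. WDigest: UseLogonCredential = 1 keeps plaintext credentials in LSASS.
#    On Windows 8.1 / 2012 R2 and later a missing value means off; on older builds
#    without KB2871997 a missing value means on, hence the OS build above.
$wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                       -Name UseLogonCredential -ErrorAction SilentlyContinue
$result.WDigestEnabled = ($null -ne $wd -and $wd.UseLogonCredential -eq 1)

# 5. Protected Users: members cannot use NTLM, so Pass-the-Hash against them fails
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName)
$result.HelpdeskProtected = $protected -contains $helpdeskUser
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$result.UnprotectedDomainAdmins = @($domainAdmins | Where-Object { $protected -notcontains $_ })

# 6. Administrative accounts (adminCount=1) with SPNs: Kerberoasting targets
$result.KerberoastableAdmins = @(Get-ADUser -Filter { adminCount -eq 1 -and servicePrincipalName -like '*' } `
                                            -Properties servicePrincipalName |
                                 Select-Object -ExpandProperty SamAccountName)

[pscustomobject]$result | Format-List
```

Everything above runs as an ordinary domain user; only the c$ probe tells you whether the user already has admin rights on the Admin PC. The same checks, read from the defender's side, are the hardening checklist: WDigest off, admins in Protected Users, no SPNs on admin accounts, no broad local-admin rights.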

CURRENT SITUATION – FROM THE ATTACKER’S PERSPECTIVE:


AS2Go | Lab Setup 1/3 | DC

This post describes how to prepare the Domain Controller (DC) for the attack scenario with AS2Go v2.6

Assuming you have already set up an Active Directory, perform the following steps on your Domain Controller (DC):

  • Create a directory and download the files from GitHub
  • Create a share
  • Create an alias (CNAME record) and allow domain zone transfer
  • Create dedicated AS2Go Active Directory groups and Organizational Units
  • Customize the PowerShell (PoSH) script that creates a set of users for a demo attack
  • Create thousands of demo accounts
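The steps above in one PowerShell script, as an added example and not the AS2Go setup script itself (which this page does not reproduce). Assumed: you run it elevated on the DC as a Domain Admin, the share and OU are called AS2Go, the groups AS2Go-Victims and AS2Go-Helpdesk, and the GitHub files have already been copied to C:\AS2Go. Two settings are deliberately weak for the lab and must never be copied to production: zone transfer to any server, and a shared, guessable password on a subset of accounts as the password-spray target.

```powershell
# Added example, not the AS2Go setup script: prepare the DC for the lab.
# Run elevated on the DC as a Domain Admin. Names and paths are assumptions.
Import-Module ActiveDirectory, DnsServer

$domain   = Get-ADDomain
$zone     = $domain.DNSRoot                  # e.g. contoso.com
$domainDn = $domain.DistinguishedName        # e.g. DC=contoso,DC=com
$baseDir  = 'C:\AS2Go'                       # GitHub files copied here beforehand
$ouDn     = "OU=AS2Go,$domainDn"

# 1. Directory and share (Domain Users get read access so the Victim PC can fetch the scripts)
New-Item -ItemType Directory -Path $baseDir -Force | Out-Null
if (-not (Get-SmbShare -Name 'AS2Go' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'AS2Go' -Path $baseDir -ReadAccess "$($domain.NetBIOSName)\Domain Users" | Out-Null
}

# 2. CNAME alias for the DC, and zone transfer to any server.
#    LAB ONLY: an open zone transfer hands the complete host list to the reconnaissance step.
$dcFqdn = "$env:COMPUTERNAME.$zone"
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'as2go' -HostNameAlias $dcFqdn
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferAnyServer

# 3. Dedicated OU and groups (not protected from deletion, so the lab can be torn down)
New-ADOrganizationalUnit -Name 'AS2Go' -Path $domainDn -ProtectedFromAccidentalDeletion $false
foreach ($g in 'AS2Go-Victims', 'AS2Go-Helpdesk') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouDn
}

# 4. Demo accounts: most get a random password, every 50th one a shared weak password,
#    so the password-spray step finds hits without locking out the whole OU.
$total    = 2000
$weakPass = ConvertTo-SecureString 'Summer2023!' -AsPlainText -Force      # LAB ONLY
1..$total | ForEach-Object {
    $sam    = 'user{0:D4}' -f $_
    $secret = if ($_ % 50 -eq 0) { $weakPass }
              else { ConvertTo-SecureString ("$([guid]::NewGuid().ToString('N'))Aa1!") -AsPlainText -Force }
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$zone" -Path $ouDn `
               -AccountPassword $secret -Enabled $true -PasswordNeverExpires $true
}

# Seed the lab groups; these become the "Victim" and "Helpdesk" users of the scenario
Add-ADGroupMember -Identity 'AS2Go-Victims'  -Members 'user0050'
Add-ADGroupMember -Identity 'AS2Go-Helpdesk' -Members 'user0100'
```

Creating 2000 users one by one through New-ADUser takes a few minutes; that is acceptable for a one-off lab build. Check the result with `Get-ADUser -SearchBase "OU=AS2Go,$domainDn" -Filter * | Measure-Object` and `Get-DnsServerPrimaryZone -Name $zone | Select-Object SecureSecondaries`.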

AS2Go | Lab Setup 3/3 | Victim PC

This post describes how to prepare the Victim PC for the attack scenario, in order to run Pass-the-Hash and Pass-the-Ticket attacks against the Admin PC.

Assuming you have already finished lab setup 2/3 and set up an Active Directory joined workstation (English OS), perform the following steps on your Victim PC:

  • Add the Victims and Helpdesk groups to the local Administrators group
  • Install and import the PowerShell ActiveDirectory and GroupPolicy modules
  • Create a directory and add a virus scanner exclusion for it
  • Download the files from GitHub
  • Create shortcuts on the public desktop
  • Copy the help script to the System32 folder
  • Modify the AS2Go config file
  • Test the AS2Go PoSH script
  • !!!! Download the malware, e.g. Mimikatz.exe !!!!
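The Victim PC steps as one elevated PowerShell script, added here as an example and not taken from the AS2Go setup script. Assumed: group names AS2Go-Victims and AS2Go-Helpdesk, working directory C:\temp\AS2Go, a main script AS2Go.ps1 and a help script AS2Go-Help.ps1 already downloaded from GitHub (the real file names may differ), Windows 10 1809 or later so that RSAT is a feature on demand, and Microsoft Defender as the virus scanner.

```powershell
# Added example, not the AS2Go setup script: prepare the Victim PC. Run elevated.
# Group, path and script names are assumptions.
$domain  = $env:USERDOMAIN
$workDir = 'C:\temp\AS2Go'

# 1. Local admin rights for the Victims and Helpdesk groups.
#    This is what turns the PC into a credential-theft target: any member's logon leaves
#    hashes/tickets in LSASS that another local admin can read.
foreach ($g in 'AS2Go-Victims', 'AS2Go-Helpdesk') {
    Add-LocalGroupMember -Group 'Administrators' -Member "$domain\$g" -ErrorAction SilentlyContinue
}

# 2. RSAT ActiveDirectory and GroupPolicy modules (features on demand, Windows 10 1809+)
foreach ($cap in 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0', 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0') {
    Add-WindowsCapability -Online -Name $cap | Out-Null
}
Import-Module ActiveDirectory, GroupPolicy

# 3. Working directory and Defender exclusion (without it mimikatz.exe is quarantined on download)
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Add-MpPreference -ExclusionPath $workDir

# 4. Shortcut on the public desktop that starts the script with the execution policy bypassed
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut("$env:PUBLIC\Desktop\AS2Go.lnk")
$lnk.TargetPath       = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$lnk.Arguments        = "-ExecutionPolicy Bypass -File `"$workDir\AS2Go.ps1`""
$lnk.WorkingDirectory = $workDir
$lnk.Save()

# 5. Help script into System32 so it is found on the PATH from any prompt
Copy-Item -Path "$workDir\AS2Go-Help.ps1" -Destination "$env:SystemRoot\System32\" -Force

# 6. Smoke test: parse the main script and fail loudly on syntax errors before the live demo
$tokens = $null; $errors = $null
[System.Management.Automation.Language.Parser]::ParseFile("$workDir\AS2Go.ps1", [ref]$tokens, [ref]$errors) | Out-Null
if ($errors.Count -gt 0) { $errors | Format-List; throw "AS2Go.ps1 does not parse" }
"Victim PC prepared: $((Get-LocalGroupMember -Group 'Administrators').Name -join ', ')"
```

The Defender exclusion and the broad local-admin membership are the two settings that make this machine a lab box and nothing else; on a production client both would be findings.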

AS2Go | Attack Scenario To Go

AS2Go is an acronym for Attack Scenario To Go. 
 
AS2Go is written in PowerShell and goes along the cyber kill chain, with stops at Password Spray, Reconnaissance, Privilege Escalation, Sensitive Data Access & Exfiltration and Domain Compromise.

The GIF shows a typical attack along the kill-chain. Starting with stolen credentials and ending with a compromised domain.

Live hack: How a single compromised user account could paralyse your entire company.

I gave this session during the HIP Germany 2022 in October 2022.

Summary

As is well known, Active Directory is used as the attack surface in around 90% of current cyberattacks.

Notes

In my live demo "Attack Scenario along the Cyber Kill-Chain" I show you a typical cyberattack based on the attack vectors:

• Password Spray
• Reconnaissance
• Lateral Movement
• Data Exfiltration & Encryption
• Domain dominance

Here you can find my recording, which shows AS2Go v2.1, and my presentation.

Lateral Movement Paths (LMPs) with Microsoft Defender for Identity (MDI)

I held this session at HIP Europe 2021 in June 2021.

Summary

Learn how to identify and investigate Lateral Movement and how to de-risk LMPs using Microsoft Defender for Identity.

Notes

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Learn a "live hack" (brute-force attack → overpass-the-hash attack → pass-the-ticket → domain dominance) and how to identify and investigate Lateral Movement and how to de-risk LMPs using Microsoft Defender for Identity.

Here you can find my recording, which shows AS2Go v1.x.

AS2Go | Prepare & Test the Ransomware Attack

This post describes how to prepare the Victim PC for the attack scenario, in order to simulate a ransomware attack against the domain controller.

Assuming you have already finished lab setup 3/3 | Victim PC, perform the following steps on your Victim PC:

  • Download the files from GitHub to c:\temp\AS2Go
  • Optionally create a self-signed certificate