Ok this assumes you know how to get the NTDS.DIT and SYSTEM registry hive out from a domain controller, if you don’t go looking, we might have blogged a few ways to do that! Now then, firstly, let’s Install DSInternals. From PowerShell 5 onwards you can simply run:
|
You will likely need to set your execution policy:
| Set-ExecutionPolicy -ExecutionPolicy Unrestricted |
Now to dump the hashes we use: Read more “Audit NTDS.DIT using DSINTERNALS”
I kid you not, I forget the commands, so I thought, hey let’s write a small blog post on credential dumping and pass the hash.
To achieve this we need: Debug privileges on a single machine or we need access to a disk that does not have full disk encryption. We also need the password to be re-used.
Ok for this demo I’m going to run with the out of the box release for Mimikatz on a domain joined windows PC with Defender disabled.
To gain system we launch mimikatz from an admin shell and run:
| privilege::debug
token::elevate |
Now we are SYSTEM we access a range of high privilege level areas. Read more “Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)”
We can enumerate active directory to find accounts that do not require pre-authentication. There’s a simple way of doing this using Rubeus:
| .\Rubeus.exe asreproast /format:hashcat |
We can see there is a vulnerable account that has Kerberos Pre-Authentication disabled.
This hash can be loaded into hashcat and possibly cracked (the hash in the screenshot is weak on purpose) Read more “Hacking Guide – AESREPRoast and Kerberoasting”
WMI is an awesome technology capability for Windows administration, I’ve been using WMI since the Windows 2000 era, I’ve written WMI based scripts/tools to defeat malware, yay, however with any tool the use can be for good and for evil!
This post is going to focus on Win32_Process:Create (there are other methods as well!) Read more “Executing/Creating a process via WMI Methods”
I’m sure you will have had a marketing firm or some random sales person on Linkedin tell you that security should be simple and that their product will save you from all the ATPs and nation state hax0rs under the sun. However let’s get real, thats almost certainly not true and also security isnt simple or we’d all be out of jobs and everyon woulndn’t be getting owned all the time.
”The world is burning, the world is burning but then if you look around, it always has been…”
Computer systems and security go together much like chalk and cheese! Probably sounds a bit odd but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations.
The insane pace of change, the drive for faster, better, cheaper and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.
Read more “Ransomware Realities”
We move around in many places, we sit in plain sight, you might know we are there, or you might not. We work in the shadows, yet we shine a light. You see we’ve been inside your networks; we’ve sat in your cabs, we’ve worked with your teams. We have read you annual reports and we’ve mapped your company; we do this in a way that often you can’t even see.
Read more “Confessions of a white hat hacker”
In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a – Persistence, Privilege Escalation and Lateral Movement”
We looked after about 3-3500 endpoint devices. We were running Windows servers/clients and we leveraged technologies such as:
We keep seeing organization get hit, in some kind of a sick way I think me and some of my friends in the industry are bored with the over dramatic responses of “sophisticated” “advanced” and “unpreventable” because most times the kill chains simply are not like this. But still the onslaught keeps coming. Well I know this much, whilst I would love to deploy with the team and harden everyone’s networks that simply isn’t possible. So what we thought we would do is write something to try and spread the knowledge a bit further and hopefully have some positive impact.
It’s not just that your data will be encrypted, it will likely be exfiltrated and sold. You will likely have access sold, data sold and be extorted. The Ransomware business model is adapting to defender responses. Even if you can restore from backup they will likely try and attempt to extort. This brings a key point in this equation, the best position is to NOT get pwn3d to start with. Ok that might sound silly to say but when we look at these kill chains you might start to see the world from my perspective a little. Read more “Ransomware Defence Checklist – Part 1 : Initial Access”