Hunting for common Active Directory Domain Services Exploitations

Ok this morning I woke up really really early! I then went on a bit of a KQL thread on twitter, and then IRL work destroyed my plans to play in the lab. However I’m publishing this in its current state [use at own risk etc.] because I think it might help people! So let’s get to it:

These queries can help you identify 3 common active directory attack techniques from logs on a domain controller (this does not rely on ADCS logs etc.)

Read more “Hunting for common Active Directory Domain Services Exploitations”

The Manual Version 2.0

Working in Cyber security can expose you to all kinds of information. I’m an offensive and defensive security architect and occasional (haha that’s daily right!) pew pew slinger (pentester) and I am also a threat intelligence practioner (CTI) (we need The Many Hats Club back!). Which is why sometimes when things appear on the internet I think I decide to take a look.

Read more “The Manual Version 2.0”

Stealthy Active Directory Username Enumeration with LDAPNomNom

My friend Lars and I were just talking about some of the research areas we are working on and randomly the conversation turned into “what shall we call it?” and then LDAPNomNom came up! So I whilst laughing (coz the name is lulz) with my buddy I downloaded and ran LDAPNomNom against a lab vm quickly! (Lars also fixed an error with readme.md that I pointed out coz my debug skillz ROCK! 😛 )

So here we have me doing username enumeration via LDAP Ping using LDAPNOMNOM!

Read more “Stealthy Active Directory Username Enumeration with LDAPNomNom”

Active Directory Security Cheat Sheet

Ok you need to do some AD Security Auditing or Security Testing/Exploitation, great. Let’s look at some of the common misconfigurations and some tools to help you, a list of things will obviously not be the answer, you will need a method and process to go through from recon/enumeration through to exploitation and impact (effects), but that’s what google is for (and CTFs/Labs)! This post is just me jotting down some notes, hopefully they help defenders think about improving their posture.

Read more “Active Directory Security Cheat Sheet”

Linux Privilege Escalation

When you gain access to a target node you will want to explore, the exact method you use to do this will depend upon operational security considerations, time constraints and style. You will be looking for a range of elements to support progressing an objective.

It should be noted that the objective may NOT require elevation. You may be trying to obtain data and access might already be possible using the context you have assumed.

You also may need to move from a www-data user to a named user account or get to root level of access. If so there’s a range of questions we should be asking ourselves:

Read more “Linux Privilege Escalation”

Priviledge Escalation Hunting – Scheduled Tasks and Scripts

TLDR: If you have been hunting for privescs before you will know it’s normally not a fast task, you will have a shed ton of data to look at. Sure WINPEAS is good but it’s not a silver bullet.

Here is a really small script which focuses on system administration files/scripts, scheduled tasks and scheduled task history to help you hunt for weaknesses:

Read more “Priviledge Escalation Hunting – Scheduled Tasks and Scripts”
Copyright (c) Xservus Limited