Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Pentesting Active Directory and Windows-based Infrastructure
  • Table Of Contents Toc
  • Feedback & Rating feedback
Pentesting Active Directory and Windows-based Infrastructure

Pentesting Active Directory and Windows-based Infrastructure

By : Denis Isakov
4.9 (14)
Buy this Book
close
close
Pentesting Active Directory and Windows-based Infrastructure

Pentesting Active Directory and Windows-based Infrastructure

4.9 (14)
By: Denis Isakov
Buy this Book

Overview of this book

This book teaches you the tactics and techniques used to attack a Windows-based environment, along with showing you how to detect malicious activities and remediate misconfigurations and vulnerabilities. You’ll begin by deploying your lab, where every technique can be replicated. The chapters help you master every step of the attack kill chain and put new knowledge into practice. You’ll discover how to evade defense of common built-in security mechanisms, such as AMSI, AppLocker, and Sysmon; perform reconnaissance and discovery activities in the domain environment by using common protocols and tools; and harvest domain-wide credentials. You’ll also learn how to move laterally by blending into the environment’s traffic to stay under radar, escalate privileges inside the domain and across the forest, and achieve persistence at the domain level and on the domain controller. Every chapter discusses OpSec considerations for each technique, and you’ll apply this kill chain to perform the security assessment of other Microsoft products and services, such as Exchange, SQL Server, and SCCM. By the end of this book, you'll be able to perform a full-fledged security assessment of the Microsoft environment, detect malicious activity in your network, and guide IT engineers on remediation steps to improve the security posture of the company.
Table of Contents (13 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Chapter 1: Getting the Lab Ready and Attacking Exchange Server
Chapter 1: Getting the Lab Ready and Attacking Exchange Server
Technical requirements
Lab architecture and deployment
Active Directory kill chain
Why we will not cover initial access and host-related topics
Attacking Exchange Server
Summary
Further reading
Free Chapter
2
Chapter 2: Defense Evasion
chevron up
Chapter 2: Defense Evasion
Technical requirements
AMSI, PowerShell CLM, and AppLocker
PowerShell Enhanced Logging and Sysmon
Event Tracing for Windows (ETW)
Summary
References
Further reading
3
Chapter 3: Domain Reconnaissance and Discovery
Chapter 3: Domain Reconnaissance and Discovery
Technical requirements
Enumeration using built-in capabilities
Enumeration tools
Enumerating services and hunting for users
Enumeration detection evasion
Summary
References
Further reading
4
Chapter 4: Credential Access in Domain
Chapter 4: Credential Access in Domain
Technical requirements
Clear-text credentials in the domain
Capture the hash
Forced authentication
Roasting the three-headed dog
Automatic password management in the domain
NTDS secrets
DCSync
Dumping user credentials in clear text via DPAPI
Summary
References
Further reading
5
Chapter 5: Lateral Movement in Domain and Across Forests
Chapter 5: Lateral Movement in Domain and Across Forests
Technical requirements
Usage of administration protocols in the domain
Relaying the hash
Pass-the-whatever
Kerberos delegation
Abusing trust for lateral movement
Summary
References
Further reading
6
Chapter 6: Domain Privilege Escalation
Chapter 6: Domain Privilege Escalation
Technical requirements
Zero2Hero exploits
ACL abuse
Group Policy abuse
Other privilege escalation vectors
Summary
References
Further reading
7
Chapter 7: Persistence on Domain Level
Chapter 7: Persistence on Domain Level
Technical requirements
Domain persistence
Domain controller persistence
Summary
References
8
Chapter 8: Abusing Active Directory Certificate Services
Chapter 8: Abusing Active Directory Certificate Services
Technical requirements
PKI theory
Certificate theft
Account persistence
Domain privilege escalation
Domain persistence
Summary
References
9
Chapter 9: Compromising Microsoft SQL Server
Chapter 9: Compromising Microsoft SQL Server
Technical requirements
Introduction, discovery, and enumeration
Privilege escalation
OS command execution
Lateral movement
Persistence
Summary
Further reading
10
Chapter 10: Taking Over WSUS and SCCM
Chapter 10: Taking Over WSUS and SCCM
Technical requirements
Abusing WSUS
Introduction to MECM/SCCM
Reconnaissance
Privilege escalation
Lateral movement
Defensive recommendations
Summary
References
Further reading
11
Index
Index
Why subscribe?
12
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

References

  1. Process Hacker: https://processhacker.sourceforge.io/
  2. API monitor: http://www.rohitab.com/apimonitor
  3. AMSI bypass list by S3cur3Th1sSh1t: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
  4. AMSI bypass list by Pentestlaboratories: https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/
  5. Invoke-Obfuscation script: https://github.com/danielbohannon/Invoke-Obfuscation
  6. Nishang project: https://github.com/samratashok/nishang
  7. Powercat: https://github.com/besimorhino/powercat
  8. Persistence via AMSI: https://pentestlab.blog/2021/05/17/persistence-amsi/
  9. Threat Hunting AMSI bypasses by Pentest Laboratories: https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/
  10. Hunt for AMSI bypasses by F-Secure: https://blog.f-secure.com/hunting-for-amsi-bypasses/
  11. Tiraniddo’s research about Applocker internals: https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-1.html
  12. Sensitive PowerShell capabilities constrained by CLM: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/#what-does-constrained-language-constrain
  13. AppLocker beginners guide: https://www.hackingarticles.in/windows-applocker-policy-a-beginners-guide/
  14. AppLocker bypass using InstallUtil: https://www.ired.team/offensive-security/code-execution/t1118-installutil
  15. AppLocker bypass using MSBuild: https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c
  16. AppLocker bypass list project: https://github.com/api0cradle/UltimateAppLockerByPassList
  17. PowerShdll project uses PowerShell automation DLLs: https://github.com/p3nt4/PowerShdll
  18. PSBypassCLM project to create a wrapper over InstalUtil: https://github.com/padovah4ck/PSByPassCLM
  19. Bypass-CLM project to patch the return value: https://github.com/calebstewart/bypass-clm
  20. Bypass CLM with the help of COM: https://blog.xpnsec.com/constrained-language-mode-bypass/
  21. Bypass CLM by setting the HKCU environment value: https://sp00ks-git.github.io/posts/CLM-Bypass/
  22. AaronLocker project: https://github.com/microsoft/AaronLocker
  23. Deploy WDAC and AppLocker: https://improsec.com/tech-blog/one-thousand-and-one-application-blocks
  24. Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  25. Sysmon Community Guide: https://github.com/trustedsec/SysmonCommunityGuide
  26. Sysmon config version by SwiftOnSecurity: https://github.com/SwiftOnSecurity/sysmon-config
  27. Sysmon config version by Florian Roth: https://github.com/Neo23x0/sysmon-config
  28. Sysmon config version by Olaf Hartong: https://github.com/olafhartong/sysmon-modular
  29. ScriptBlock Logging bypass by cobbr.io: https://cobbr.io/ScriptBlock-Logging-Bypass.html
  30. ScriptBlock Warning Event Logging by cobbr.io: https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html
  31. DeepBlue: https://github.com/sans-blue-team/DeepBlueCLI
  32. Newish bypasses Part 1: https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-1/
  33. Newish bypasses Part 2: https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-2/
  34. PowerShell Protect Module: https://blog.ironmansoftware.com/protect-logging-bypass/
  35. Bypass of EnableTranscripting: https://avantguard.io/en/blog/powershell-enhanced-logging-capabilities-bypass
  36. Invisi-Shell tool: https://github.com/OmerYa/Invisi-Shell and https://www.youtube.com/watch?v=Y3oMEiySxcc
  37. Stracciatella tool: https://github.com/mgeeky/Stracciatella
  38. Detect Sysmon: https://www.ired.team/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host
  39. Sysmon tampering: https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-3-sysmon-tampering-49c2dc9bf6d9
  40. Phant0m tool: https://github.com/hlldz/Phant0m
  41. SysmonQuiet: https://github.com/ScriptIdiot/SysmonQuiet
  42. SysmonEnte: https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
  43. Shhmon: https://github.com/matterpreter/Shhmon
  44. ETW beginner’s guide: https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw
  45. Detect malicious usage of .NET part 1: https://blog.f-secure.com/detecting-malicious-use-of-net-part-1/
  46. Detect malicious usage of .NET part 2: https://blog.f-secure.com/detecting-malicious-use-of-net-part-2/
  47. SilkETW: https://github.com/mandiant/SilkETW
  48. Seatbelt: https://github.com/GhostPack/Seatbelt
  49. ConfuserEx: https://github.com/mkaring/ConfuserEx
  50. Bypass ETW by neutering the EtwEventWrite API: https://whiteknightlabs.com/2021/12/11/bypassing-etw-for-fun-and-profit/
  51. Patch EtwEventWrite API: https://blog.xpnsec.com/hiding-your-dotnet-etw/
  52. TamperETW: https://github.com/outflanknl/TamperETW
  53. Evade ETW and AMSI: https://pre.empt.blog/2023/maelstrom-6-working-with-amsi-and-etw-for-red-and-blue
  54. Tampering with ETW: https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
End of Section 7
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY