Red Team - Windows
A book on Windows pentesting (TryHackMe course)
Active Directory - Basics
Windows Domains
Picture yourself administering a small business network with only five computers and five employe...
Active Directory
The core of any Windows Domain is the Active Directory Domain Service (AD DS). This service acts ...
Managing Users
Your first task as the new domain administrator is to check the existing AD OUs and users, as som...
Managing Computers
By default, all the machines that join a domain (except for the DCs) will be put in the container...
Group Policies
So far, we have organised users and computers in OUs just for the sake of it, but the main idea b...
Authentication Methods
When using Windows domains, all credentials are stored in the Domain Controllers. Whenever a user...
Trees, Forests and Trusts
So far, we have discussed how to manage a single domain, the role of a Domain Controller and how ...
Active Directory - Breaching
OSINT & Phishing
Two popular methods for gaining access to that first set of AD credentials are Open Source Intelli...
NTLM Authenticated Services
NTLM and NetNTLM New Technology LAN Manager (NTLM) is the suite of security protocols used to au...
LDAP Bind Credentials
LDAP Another method of AD authentication that applications can use is Lightweight Directory Acce...
Authentication Relays
Continuing with attacks that can be staged from our rogue device, we will now look at attacks aga...
Microsoft Deployment Toolkit (MDT)
Large organisations need tools to deploy and manage the infrastructure of the estate. In massive ...
Configuration Files
The last enumeration avenue we will explore in this network is configuration files. Suppose you w...
Conclusion
A significant amount of attack avenues can be followed to breach AD. We covered some of those com...
Active Directory - Enumeration
Credential Injection
Before jumping into AD objects and enumeration, let's first talk about credential injection metho...
Microsoft Management Console
You should have completed the Active Directory Basics room by now, where different AD objects wer...
Enumeration through Command Prompt
Command Prompt There are times when you just need to perform a quick and dirty AD lookup, and Co...
Enumeration through PowerShell
PowerShell PowerShell is the upgrade of Command Prompt. Microsoft first released it in 2006. Whi...
BloodHound
Lastly, we will look at performing AD enumeration using Bloodhound. Bloodhound is the most powerf...
Conclusion
Enumerating AD is a massive task. Proper AD enumeration is required to better understand the stru...
Active Directory - Lateral Movement and Pivoting
Moving Through the Network
What is Lateral Movement? Simply put, lateral movement is the group of techniques used by attack...
Spawning Processes Remotely
This task will look at the available methods an attacker has to spawn a process remotely, allowin...
Moving Laterally Using WMI
We can also perform many techniques discussed in the previous task differently by using Windows M...
Use of Alternate Authentication Material
By alternate authentication material, we refer to any piece of data that can be used to access a ...
Abusing User Behaviour
Under certain circumstances, an attacker can take advantage of actions performed by users to gain...
Port Forwarding
Most of the lateral movement techniques we have presented require specific ports to be available ...
Conclusion
In this room, we have discussed the many ways an attacker can move around a network once they hav...
Active Directory - Exploiting
Exploiting Permission Delegation
Active Directory can delegate permissions and privileges through a feature called Permission Dele...
Exploiting Kerberos Delegation
Next, we will take a look at Kerberos Delegation. When you talk about AD Delegation, this is usua...
Exploiting Automated Relays
In this task we will take a look at some automated relays. Authentication attempts are constantly...
Exploiting AD Users
We have gotten quite far with our exploitation up to this point. We have full administrative acce...
Exploiting GPOs
Keylogging the user allowed us to decrypt their credential database, providing us with credential...
Exploiting Certificates
Now that we have access to THMSERVER2, we have furthered our journey of exploiting AD by exploiti...
Exploiting Domain Trusts
Even though we have access to Tier 0 infrastructure, this is still not enough. We have only explo...
Active Directory - Persisting
Persistence through Credentials
Congratulations weary traveler! After breaching AD, performing enumeration, and exploiting it all...
Persistence through Tickets
As discussed in the previous tasks, we often want to persist through service accounts with delega...
Persistence through Certificates
A quick note here. The techniques discussed from this point forward are incredibly invasive and h...
Persistence through SID History
The Security IDentifiers (SIDs) have been discussed before. But for a recap, SIDs are used to tra...
Persistence through Group Membership
If we don't want to tamper with SID histories, we can just add ourselves directly to AD groups fo...
Persistence through ACLs
Sometimes, we need more than just persisting to normal AD groups. What if we want to persist to a...
Persistence through GPOs
The last persistence technique we will review is persistence through Group Policy Objects (GPOs)....
Conclusion
There are several different ways that we can persist in AD. Some of these techniques persist bett...
Credentials Harvesting
Credential Access
Credential Access Credential access is where adversaries may find credentials in compromised sys...
Local Windows Credentials
In general, the Windows operating system provides two types of user accounts: Local and Domain. Local...
Local Security Authority Subsystem Service (LSASS)
What is the LSASS? Local Security Authority Server Service (LSASS) is a Windows process that han...
Windows Credential Manager
This task introduces the Windows Credential Manager and discusses the technique used for dumping ...
Domain Controller
This task discusses the required steps to dump Domain Controller Hashes locally and remotely. NT...
Local Administrator Password Solution (LAPS)
This task discusses how to enumerate and obtain a local administrator password within the Active ...
Other Attacks
In the previous tasks, the assumption is that we already had initial access to a system and were ...
Conclusion
Recap In this room, we discussed the various approaches to obtaining users' credentials, includi...
FootHold
Initial Scan In many cases, Windows machines do not respond to ping requests. A sc...