9/25/2023

Lateral movement cobalt strike

Coercing elevated accounts such as machine accounts to authenticate to a host under the control of an attacker can provide an opportunity for privilege escalation and domain escalation. There are various examples which involve the Print Spooler service, the PetitPotam attack or the lock screen of Windows that trigger machine accounts to authenticate with another system and relay this authentication to the domain controller. The PetitPotam attack enables a threat actor which has established access on the organization network to compromise the domain. However, this attack could also be combined with resource based constrained delegation in order to gain elevated access to other systems on the network which are running the WebDAV service, as a lateral movement option.

The configuration of Responder should be modified to disable the HTTP service to avoid a conflict with the ntlmrelayx tool, which is going to capture the HTTP authentication. Executing the following will open the configuration file of Responder.

```
sudo vi /usr/share/responder/nf
```

From the results above, two hosts can be used for lateral movement. Executing the PetitPotam exploit using the Windows machine name from Responder and the host which is running the WebClient service will force the machine account of the target IP address to authenticate with the system which is configured to receive that authentication. The machine account of the target host (PC1$) will authenticate with the domain controller via an LDAP connection.

Since the flag `--delegate-access` has been used during execution of ntlmrelayx, a new computer account will be created on the domain with delegation permissions over the host PC1 (10.0.0.4).

Resource Based Constrained Delegation – Remote Computer Object

The new computer account will be visible in the Active Directory container "Computers". The PC1$ machine account will have some permissions over the new computer account.

Active Directory – New Computer Object Permissions

The attribute "msDS-AllowedToActOnBehalfOfOtherIdentity" of the PC1 (10.0.0.4) host has been modified and therefore the new machine account (WVLFLLKZ) has delegation permissions.

Attribute – msDS-AllowedToActOnBehalfOfOtherIdentity

The methodology of Resource Based Constrained Delegation is now applicable and could be used to establish an elevated session. Execution of the following command will calculate the hash values of the new machine account password.

```
.\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l" | base64 -d > admin.
```

Techniques Used

- Abuse Elevation Control Mechanism: Bypass User Account Control – Cobalt Strike can use a number of known techniques to bypass Windows UAC.
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching – Cobalt Strike can use sudo to run a command.
- Access Token Manipulation: Token Impersonation/Theft – Cobalt Strike can steal access tokens from existing processes.
- Access Token Manipulation: Make and Impersonate Token – Cobalt Strike can make tokens from known credentials.
- Access Token Manipulation: Parent PID Spoofing – Cobalt Strike can spawn processes with alternate PPIDs.
- Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.
- Cobalt Strike can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol.
- Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS.
- Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS.
- All protocols use their standard assigned ports.
- Cobalt Strike can download a hosted "beacon" payload using BITSAdmin.
- Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.
- Command and Scripting Interpreter: PowerShell – Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk. Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.
- Command and Scripting Interpreter: Windows Command Shell – Cobalt Strike uses a command-line interface to interact with systems.
- Command and Scripting Interpreter: Visual Basic – Cobalt Strike can use VBA to perform execution.
- Command and Scripting Interpreter: Python – Cobalt Strike can use Python to perform execution.
- Command and Scripting Interpreter: JavaScript – The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions.