
All right, it's 11:30, so we'll get started with our next talk. I want to introduce John Milkins speaking on domain exploitation and domination. So, welcome.

>> Thank you.

>> Hey everyone, how's everybody doing today? All doing good. Ready to learn something new? Novel zero-days, right? Well, if you are, you're in the wrong place. Just saying.

Who am I? Dave Man, or John Milkins. I run a pentest firm, but I also do pentesting full-time outside of my own firm for an organization that prefers not to be named. I am not a DPRK worker. In fact, despite several people thinking I am, I just like to keep my Mac in clamshell mode and not actually turn my camera on, to the point where I actually have to go buy a camera. I play TTRPGs and I brew cider. Pretty boring hobbies, but they're fun for me.

So, what are we doing today? We're going to go through some basic Active Directory attacks, and then we're going to jump into scenario walkthroughs of some recent penetration tests over the last few months. They highlight that if you know what you're doing and the tools that you're using, how you apply them can matter and also expedite the process to go from a low-privileged domain user, or even just a box on the network, to completely owning the domain, or even the forest if it's sitting in a forest, in as little as 30 minutes. So, pretty interesting stuff.

First and foremost, Active Directory. Who loves it? Nobody. I mean, all the pentesters should love it. It is the gift that keeps on giving. I think every year we get some new misconfigurations that come out that we can apply, the most recent being ADCS. That was probably the biggest one; it came out in 2020 from our friends over at SpecterOps, and it has just blown up, both from their research as well as the community's research. In most corporations you are going to find Active Directory, and it's likely going to be a thorn in everyone's side, because Microsoft has made it as complicated as possible to configure properly and it seems like everything's bolted on at this point.

As I mentioned at the start, we're not covering anything new or novel. There are no new techniques. There are no zero-days. It's the same things that you see on CTFs. It's the same things you see on every penetration test. But it's really about honing your process, knowing how to use these tools effectively, and knowing what you see all the time, to really expedite your testing to take over the domain. Clients love but also hate to see a really fast domain admin compromise, because they're impressed that you did it so fast, but then they also go, "Oh god, I have so much work on my plate if it took you 30 minutes to get DA."

So, we're going to go into some methods for that. Why speed over stealth? This is a talk from the perspective of a penetration test, not a stealthy black-box red team where you're doing external and phishing-based attacks. You're typically doing an assumed breach, whether that's a system on the network or someone running a payload from a domain-joined account. We have a time-boxed session to do this testing. An attacker does not. Most breaches will typically go unnoticed for a couple of months unless it's a mature organization. They'll be operating hands-on-keyboard, and what that looks like is different for every group, for upwards of four-plus months. We have on average three to 15 business days to do our testing. So we're focusing on speed so that we can accomplish all the goals set, make our company look good, write a good report, and get that to the client so that they can fix it and hopefully an attacker doesn't abuse it.

So, our main goal: if you see Active Directory, you want to get domain admin or enterprise admin. If you find a forest, take that over too, as long as it's in scope. Most of the time it is.
Check with your clients. Always ask. It's one of the first things we always ask. If you see an Azure hybrid join, or if they want Azure in scope, ask them if that's in scope too. Can you move from the internal network after you compromise, or even mid-compromise, into Azure? Can you take that over too? Are there issues?

Then the other reason for speed, and I keep seeing this more and more, is that clients are once again becoming combative. They are treating a penetration test like an adversarial engagement and they're saying, "Oh, we caught you. We are going to rotate those creds. We're going to quarantine your box. We're going to implement firewall rules to drop you," until you reach out to them and say, "Hey, what the heck, why are you blocking me? Why did you rotate those creds? Can I get a, you know, usable account?" Because that's a service account that touches a lot of things, and if it breaks or gets locked out, it's going to cause a production outage. Most of the time they say no, because again they see us as the enemy and want to look as good as they can in front of their board of directors in most cases. I always find that knowing your security vulnerabilities and how to fix them is a good look, right? Security posture is a real thing. So speed helps us there.

So we're going to go through some basic AD attack flows. Again, you've probably seen this a million times if you're here for John Hammond. Content creators talk about the same stuff; it's just how someone interprets it. Who's familiar with this amazing photo here? This is the Orange Cyberdefense AD mind map. It looks terrible on a slide because this image is ginormous. I don't know what that means. Ginormous. No. [laughter] Hero Morpheus, wherever you said. Yeah. So this mind map, you start from the far left and it says, "You don't have credentials, start here, run these types of scans." It's an easy walkthrough of how to approach an internal corporate environment that also has Active Directory. And then once you get credentials, it tells you things you can do. It provides commands and tools, and it's on you to go beyond the command they listed. But this will pretty much walk you through an Active Directory test. It is hands down the best resource out there in one place. So they're awesome.

Initial access. For penetration testers, this is going to be done in a couple of different ways. A drop box on the network, no credentials provided, and it's on you to find your own Active Directory credentials. Sometimes clients will give that to you. Sometimes they'll just give you VPN access with credentials to simulate, you know, an internal employee going rogue. Or you can send them a C2 payload, something like Cobalt Strike, Havoc, whatever your flavor is, and have someone run that from a domain-joined account, and that'll simulate a phishing compromise. So those are the main ways we will typically operate. Again, it's not black box. It's more gray box than anything.

Once you're in though, you've got to start doing recon, right? Got to start looking around, seeing what's out there. So if you don't have credentials, the first thing you're going to want to do is kick off port scans. Those are super noisy. They take forever, especially if the client's giving you a bunch of /16s to scan.
It's going to take forever. You can't just yeet masscan at it without the potential of something going down. Also, masscan doesn't give you all the results, just due to speed and missing the response before it moves on. So look for juicy ports that you know are going to have vulnerabilities, that you know are going to be misconfigured. So things like Cisco Smart Install, FTP, SMB, VNC, things like that, your standard web ports. People love to update their external perimeter, not their internal. I think we recently saw an Apache Tomcat 5 internally, and I think it had default credentials. So the internal network does not get updated from a web app perspective nearly as much.

A good one that we all love: man-in-the-middle. If you have a box on that network, kick off Responder, kick off mitm6. Try to coerce people to authenticate to you, capture those hashed credentials, crack them offline. In most cases we find people still use terrible passwords. "Location1" for the company; saw that recently. Seasons, years. Throw a word list at it; it's likely to crack. If it's a service account, hit or miss; depends on the organization.

Always check your domain controllers for anonymous access. That's a real good way to go ahead and get user accounts to password spray. If you don't find anonymous access, throw a word list and Kerbrute at it and you will find tons of usernames, statistically valid usernames. Repo is always a good one. You can throw SecLists at it. You'll find a bunch of users that you can put in for password spraying. Again, check for known CVEs. Run Nuclei internally. It's going to be noisy, it's going to be quick. If you want to tailor it down to a couple of templates that you see client after client after client, you can. That'll speed it up. Or it can just run in the background. Go ahead, do your password sprays. Unless the organization is really mature and using something like Entra Password Protection, you're always going to find weak credentials like Company1, Company123, SeasonYear, so on and so forth.

Once you do get credentials, you need to enumerate Active Directory. So first and foremost, we're going to drop back to BloodHound. BloodHound is your best friend in an Active Directory environment. It's going to give you all these nice paths. They're graphical. I don't know about you guys, but I'm a visual learner. I like to see things, and so having a nice picture of what I want to do, essentially telling me how to do it, is great. If you find a domain trust, and you have a two-way trust or another valid trust where your credentials work, go ahead and dump that as well. That is totally valid. Get as much information as you can. And then of course check Active Directory Certificate Services. It's always easy low-hanging fruit.

So we have low-privilege credentials. We want to find more credentials. How do we do that? Kerberoasting. I think I've been in one environment in the past 5 years that did not have a Kerberoastable user. One. And that's thousands of clients. Not sure how that one didn't have a Kerberoastable user, but there's a first time for everything. Check your GPP files for passwords. Still see this to this day, despite that AES key getting leaked in 2013. People still store valid credentials there. Don't ask me why. AS-REP roasting: another way to see this. We actually found an AS-REP roastable domain admin which had a variation of his username as his password, and it was eight characters. So at the very least, you know, that would have taken about a day. I mean, it was all lowercase. It was terrible.

If you have local admin access to any system, dump it. Whether that's a remote secretsdump, or you get on through WinRM or another remote access solution and try to dump LSASS for credentials or tickets, it's up to you. LSASS I don't really touch these days, mainly just due to the protections on it, so I'll kind of bypass those. So if you find a hash, spray it, see what else is using it. Finding out as much information as possible and finding out who has the same stuff is crucial. I think I find shared local admin passwords on almost every test, whether that's "admin" or not.

Looking at ADCS exploitation: as I mentioned, this research has been going on since 2020. We're up to ESC15, maybe 16 now; might be wrong on the 15, but there's plenty there to choose from. It is clutch. I use it on almost every engagement, until they outsource certificates from AD, which is really the best solution. You can apply mitigations and things for all these ESCs, but really just getting it out of Active Directory's hands is your best solution.

Lateral movement. BloodHound, your best friend, right? You can see what users can communicate with what systems. You can see if they have DCOM access. Do they have RDP abilities? Can they PS-Remote? This is just going to help you identify it. It's not going to see everything, especially if systems are patched and you didn't have local admin when you did that pull, so it's not going to be 100% accurate, but it will give you an idea of places you can definitely communicate with. Look for outbound object control in BloodHound. This is going to let you know what you have rights over. If you have something like GenericWrite or GenericAll, you can modify permissions so that you have local admin access on those boxes, and then you can dump credentials if you want to. You can have a remote interactive session in some cases and play around through evil-winrm, or whatever the case is. Again, you find a hash, spray it; you find a new hash, spray that too, especially local hashes, because they really don't have a lockout policy. Domain hashes definitely have a lockout policy. Definitely be careful spraying those. I've seen too many clients get upset at consultants not taking care with password spraying. So take that one with a grain of salt. Do it smart: one spray, two sprays per lockout period. Wait till it resets and then you can do it again.

I personally like WinRM a lot. I find it to be extremely useful, and evil-winrm is great because it has some baked-in security bypasses that you can try and run. CrowdStrike is not great at detecting it. So you run like Bypass-AMSI, and CrowdStrike's just kind of like, "All right, looks good to me, man." And then next thing you know, you're running Rubeus in memory and dumping tickets for domain admin, then reusing that ticket to perform other actions. So definitely, if you have access to another box, especially local admin access, touch it. Make sure it's not a sensitive system. And one of the first things you should always ask your client is: is auto-quarantine enabled? Because you will, especially with credential dumping and some lateral movement, trigger auto-quarantine, and you definitely don't want to cause an outage.

So, privilege escalation. Another one that I see all the time: Kerberoasting, and having a domain admin, a member of Account Operators, Server Operators, those high-privileged groups, that has an SPN and whose Kerberos is still using RC4 encryption.

>> I have come across one client, maybe two, that has actually phased out RC4. So, still seeing it all the time. A lot of them use weak passwords. I'd say probably about 70 to 75% of the time they're using a weak password that is in a word list you can hit with rules.

ADCS abuse. God, this runs rampant everywhere. ESC1, ESC4, ESC8, ESC11 are probably the most common, but we've seen pretty much the entire gamut over the past few years. You'll see that's one that we'll talk about ad nauseam because it is so prevalent.

Password reuse. This is another big one. IT loves to have a shared password for all of their service accounts and accounts that are going to do things. "Oh, that service account runs this database. Well, why doesn't it just run all databases? Because it's easy for us to remember the password, right?" So service account, MySQL1, MySQL2, so on and so forth, all use the same password. Oh, the break-glass admin account also uses that password, too. Sweet. Love that. I mean, I do love that, but I've had them argue and say, "Well, why do we need to set unique passwords?" Well, this is why: because I compromised one account, now I've just compromised 30. "Yeah, unique passwords. Well, that's hard to remember." Okay, well, you can always look into a vaulting solution with check-in/check-out methods, and that can help alleviate some of that. But some people are still stuck in the past in their mindset, and showcasing things like this will help them to change it, whether they want to or not.

And then one of my personal favorites, if you're striking out everywhere: share enumeration. Tools like Snaffler, MANSPIDER, PySnaffler, and even NXC. NetExec can crawl through a lot of accessible shares and dump out file names. You see things called passwords.txt, passwords.csv, whatever. Snaffler is really great because it has a list of baked-in rules and will look for that automatically and then spit out a nice result file. Props to Mike Loss for that tool. That thing's a rockstar and we've been using it for a very long time. But we always find database credentials, and most people don't configure their databases correctly. So you're running an MSSQL database as a domain admin or as SYSTEM, right? Well, you're also giving everyone database admin, so DBA privs. Well, just because you turned off xp_cmdshell, I'm a DBA, I can turn it back on. And now I have code execution on the box, and in most cases it's running as SYSTEM or a highly privileged account. And then we steal tickets or credentials and then reuse those. Reuse is the name of the game. So, so many ways.

But now let's say you found that domain admin ticket, that hash, those credentials, from wherever you are. You are domain admin, or let's say you have a machine account for a domain controller. Go ahead and DCSync. It depends on your company. Some are vehemently against DCSyncing; they think it creates too much risk for a customer. But they are few and far between, whereas most penetration testing organizations will dump the NTDS, get a full list of password hashes, and then do a password audit on the hashes to understand what the domain password policy really is. Whether it's, you know, a 10-character policy, but you can crack 70% of the passwords. That's not a strong password policy. Yes, it exceeds PCI standards. Yes, it surpasses NIST. Not a secure configuration. You need to add something else.

So, DCSync immediately. I've definitely been burned on this one. I talked about adversarial clients. They disabled the account right as they noticed the DCSync. So they had a disabled RID 500 admin. Well, they don't put Domain Admins at the top here; it's really just that RID 500. So I lost my DCSync privileges and I had to start all over. So definitely be aware of that. There are some tricks around that. Now I always DCSync a few highly privileged accounts really quickly that are enabled, or will pass the sniff test, so that I can continue to DCSync if I get interrupted.

Once you do that, a lot of times clients will be like, "Well, you didn't get on the domain controller, so did you actually compromise the domain?" Sure. Okay. So I just kind of added it into my thing now: evil-winrm or otherwise access a domain controller with domain admin creds interactively, just do an ipconfig and a hostname, screenshot it. Like, yes, see, I did actually access the domain controller and take over the domain. But, you know, here's the actual proof you needed.

And as I mentioned, if you saw more domains in the forest and they are in scope, dump those too. In most cases, in most configurations, Enterprise Admins, at least one or two of those members, are going to have DCSync privileges to the other domains. Not always the case, as we'll see later on, but in most cases that'll do it. You'll have the BloodHound data. You can do a path from your high-privileged account or from your domain to the other domains. Look at those paths and then pivot accordingly.

You can do domain persistence. A lot of clients will like to see this, so it kind of varies here. My go-to is typically adding a domain admin account just to see if they detect it. Most of the time, I will say, yes they do, but the detection is delayed. Typically it's something like Lansweeper that runs once or twice a day that will then tell them, unless they have additional rules. You could do a golden or a diamond ticket. If you're going to do this, be careful, because it depends on the length you set, and you obviously don't want to leave that lying around post-exercise. And then you can always do AdminSDHolder; that's another really nice one. There are detections for it. It's great.

So now we're going to get into the meat and potatoes. We're going to go through a couple of scenarios. I put four from recent pentests, all at varying levels, and we'll kind of talk through them.

So the first one: we had a drop box on the internal network. We were not given credentials for this test. So over here is just our local subnet. We're running Responder, mitm6, whichever you choose. Here we caught some NTLM hashes for low-privilege users, and we cracked those, I want to say, within 5 to 10 minutes due to weak passwords. So, company's location, number one, exclamation point. Very easy. It's typically one of our password sprays. But we caught that within, I don't know, maybe 5 to 10 minutes of turning Responder on, and then cracked it. Once we did that, we enumerated AD. We ran BloodHound; my first go-to is always run BloodHound. While that's in the background, I'm pulling Kerberos tickets, I'm checking Active Directory Certificate Services, I'm checking for GPP passwords. You can run them all on different tabs; you don't have to wait for them to finish. And we found that this client's certificate authority was vulnerable to ESC8, an NTLM relay attack to the CA's HTTP web enrollment. So, just pulled out a coercion tool. Could be Tanner, it could be Perc, it could be NetExec; it's really up to the user on what you want to use. Went ahead and we said, "Hey, domain controller, I'd really love it if you'd authenticate to me. I'm using valid credentials. Just come check my share." And so it's like, "Okay, sure." I say, "Sweet. Thanks, dummy."

>> And then throw that over to the CA's web enrollment portal, those NTLM creds. The CA's like, "Hey, that checks out. Sweet. All right, DC1, you need a certificate. Here you go." So we had a valid ADCS cert for domain controller one's machine account. Well, domain controllers are designed to replicate passwords. Yeah. So, went ahead and DCSynced the domain from that account. Now we have all the passwords. This client specifically, we cracked 85% of their user passwords. Pretty terrible. A lot of password reuse, very low password length. Pretty interesting. They have since remediated that, increased policy, implemented a couple of additional tools, and during their remediation validation we cracked far fewer credentials due to those changes. So this is probably as basic as it gets for your fastest ADCS stuff, right? You're using vulnerable protocols that are vulnerable to man-in-the-middle and spoofing. They're using weak passwords, and they have one of the easiest and fastest vulnerability misconfigurations out there to get credentials for a high-privileged account. So this is probably as easy as it gets on this one.

So, this one is another client where we had a drop box. Their goals were to target the child as well as the root domain. So we were operating within the child and we had to compromise that as well as the root domain. So we're going. We've got our Responder running. We've got our checks for anonymous access going. Well, no luck there. But what we did find is they did not properly patch. So, unauthenticated PetitPotam is a vulnerability from 2022, and one of the root domain controllers did not apply that patch. So I said, "Okay, sweet. Hey man, you mind authenticating to me?" And it's like, "Oh, who are you? Ah, it doesn't matter. Sure, I'll authenticate to you. What do I care?" So took that, and it was over SMB. So then we relayed that up to the domain controller to move to the child. Now traditionally you cannot relay SMB credentials to LDAP unless they didn't apply a patch from 2019

>> called Drop the MIC, where you remove message integrity checks and it will accept those SMB credentials. So sure enough, we removed message integrity checking, sent it here, and it was like, "Oh, sweet, dude. Yeah, that looks good. Yeah, you wanted to make a machine account? All right. Our machine account quota is still the default 10, so, yeah, go ahead. Here's your account," you know, KSL1. Love it. So now I have credentials. I can start performing that Active Directory attack. So what do we do? We enumerate ADCS, we run BloodHound, we're pulling Kerberos tickets, so on and so forth. These guys were vulnerable to ESC11. Same concept as ESC8, only over RPC. So again I say, "Hey, you want to authenticate to me again?" and I'll relay that over here. And now I've got a certificate for the root domain controller, and because it's the root, it has DCSync to itself but also to its children. No further attacks needed. Had I done DC1 from the child, you know, could have tried an ExtraSids attack to then take over, something like that. Very simple, very easy, and it works most of the time.

So this kind of shows that patching is important. We're always told, patch early, patch often, patch patch patch, Windows Patch Tuesday, blah blah. Well, we just showed and highlighted this. This was an emergency services company that works with varying emergency services and their call centers throughout the country. So if their domain was compromised, it could cause a massive panic across the country, right? So they were like, "Oh my god, we definitely need to fix this, and fix it quick." Again, this probably took us, whole time, an hour, and that's maybe due to me not reading error messages when trying to make the machine account. But very, very easy. You don't see these too often, PetitPotam or Drop the MIC, but they do exist. It's always worthwhile to check, because you go in with the assumption, "Hey, this is going to fail. I don't care if it fails, but I'm going to look for it, because if I don't look for it, that's stupid." I still look for EternalBlue. I still look for MS08-067. Sometimes I've found it and I've abused it. I had a company in Russia recently and leveraged EternalBlue as my initial foothold, albeit I had to work the exploit a little bit, but things like that still exist. So always look for it; why wouldn't you? It's shooting fish in a barrel.

So, this one's a little more interesting. This is a recent client in the past, I don't know, month or two. So the scope we were given was, "Hey, you're going to target domain2.local." Okay. Are you going to give me any hosts, IPs, IP ranges, anything? "No, domain2.local is your target." Okay. "We'll put your drop box in child.domain.com and you can have some credentials for child.domain.com." All right. So first things first, go through my enumeration, doing my recon. First thing, BloodHound. I see in my initial BloodHound we have a two-way trust, a two-way trust, and a two-way trust. So okay, my credentials work for all of these.

>> That's nice. Thank you. So I've done BloodHound on the child. All right, I'll do BloodHound on the parent. All right, now I'll do BloodHound on our actual target. Okay. Now I can start pathfinding. How do I move from the child domain to domain2.local? Well, come to find out, this doesn't have a path, but the parent has a path through a gMSA account, through a service account that has write access over a gMSA actually. Okay. Well, I now know I need to move into the parent. So do my enumeration. What do I have? Oh, we have a root CA sitting in the parent. Oh, it's vulnerable to our favorite friend, ESC11, which we just walked through. So what do I do? "Excuse me, will you authenticate to me? I actually have credentials." So, you know, this one, unauthenticated didn't work, but I had credentials, so it doesn't matter. It's like, "Sure, I'll auth." "Okay, sweet. Thanks, Dave." "Hey, can I get a cert for the root DC?" "All right, here you go." Right. Again, so easy. Takes no time. I think this whole thing here took me longer to run BloodHound than it did to pop these two domains, which is pretty bad. So now we've got that cert. Rather than fully DCSyncing this, it's not my target, I don't really care about it. I'm only going to DCSync the service account that I need. I'm going to grab its NTLM hash so that I can reuse it when I target this. Well, we had write rights over a gMSA, which I personally like to do shadow credentials for, especially if ADCS or PKI is used in the environment. So basically we add our cert, we use that to get a Kerberos ticket, then we do a little math in the back end to figure out what the actual NTLM hash is. So moved from here to here, and now we use the account in the root to get the NTLM credentials of the account over here for the gMSA, which has DCSync privileges. Total time for this was probably about 30 to 45 minutes, and most of that time was BloodHound looking for the path. The client was pretty appalled that it was that easy. We kind of laughed about it and said it's not super hard to fix by the recommendations we give you, and it will make a huge difference, especially with ADCS. If they didn't have ADCS, it would have taken a little longer. They did have Kerberoastable DAs and other Kerberoastable service accounts, so that likely would have been our path, plus share hunting. But we'll see next time.

The last one. This is a returning customer; this was probably their third test, and we crushed it every single test in various ways. ADCS, Kerberoastable DAs, password spraying, reused IT accounts, finding domain admin creds in SMB shares, right? So they've been applying our mitigations for three years. So we came into this one and we were kind of like, okay, this one's going to be tough. We know stuff doesn't work. They've patched all of our protocol poisoning. No Responder, no mitm6; it just dies right there. So now I'd have to go perform Kerbrute user enumeration. I know for a fact they didn't have anonymous access. They had it the previous years; still checked it just to make sure they didn't enable it on accident. But just started throwing a statistically valid username word list. We found that a lot of their username formats had one or two letters followed by five digits, so really easy to create your own iteration of those in a word list. Use hashcat to do it; super easy. So get a bunch more accounts, a new password spray, simple stuff. Client name, season, year, whatever; it works in most cases. That's the one thing they didn't implement. I lie. They implemented it, but they didn't. Had they done that, it would have been much more difficult to find a user account. Once we got that, ran BloodHound, same tools over and over and over no matter what environment you go to. Well, we found a Kerberoastable user. Not in any groups; I think it had four total group memberships, all low-priv users. But it was a service account to a specific service, just some benign HTTP service. We could look at it. Couldn't get anything good out of it.
So, used those credentials, did SMB share hunting. Well, lo and behold, this service account can access an IT share. So, we're manually crawling that IT share, looking for fun stuff. Find a domain controller backup from 2024. Just an ISO. So, uh, you know, map the share, then mount the ISO in QEMU, start browsing its file system. I'm like, yeah, could get that NTDS, man. It's going to be great. Well, it didn't have NTDS on it, unfortunately. It looked like it was pre-joined to the domain. Must have been a base image before NTDS was populated. Um, but we were able to pull registry hives off it: your SAM, your SYSTEM and SECURITY. Pulled those back to local and
then parsed them locally, you know, using secretsdump. Well, got the admin NTLM hash. Oh, it doesn't match the RID 500. Okay, try it. Does it work on the DC? No. Okay. Well, we did find a plaintext password in LSA secrets. No username associated with it. But because we have BloodHound and we have all the users, go ahead and spray it, see who it belongs to, and we find that it belongs to one account, a service account. And when we look at that service account's groups, it's a domain admin. We had that thought, because this was a domain controller image, that it would likely be a domain admin or at least hopefully be another stepping stone. Um, but with that
we now had official domain admin creds. So we went through our post-exploitation. It's the only domain in the forest, so we didn't do anything there, and they didn't want us to pivot to Azure. Um, so just ran a DCSync and then we proceeded to crack 79% of their user passwords. Um, which was pretty egregious. So even though they had applied all the previous mitigations, they're still using weak passwords. Probably their ultimate finding was weak passwords, because if they had applied our password mitigations from the previous years, we likely would not have cracked that Kerberoast account. We likely would not have sprayed that initial user account. They've been patching their internal systems. So, you know, little things at
a time, but it just goes to show that, you know, things still get missed. It's never hopeless. Um, you can usually find something with enough time. This one took, I want to say, probably about a day or so for us to actually get through because of, you know, all the changes they had made to the environment. I'll stop there and, uh, if anyone has questions, I don't mind hanging, uh, to answer any questions you all have. John, what is ESC short for? ESC, whatever. >> Uh, ESC stands for escalation. >> Um, they have other ones, persist one, persist two, and things like that. So, ESC just stands for escalation. And we're all lazy and trying to save time.
So, it's just ESC for sure. >> It's been BloodHound-directed, right? >> Yes. >> Yep. From SpecterOps. They coined one through eight initially in their initial research paper. Um, and then the community has kind of stuck to them, with the exception of an ADCS CVE from 2022, which is colloquially known as Certifried, but all the other ones have pretty much stuck to the ESC moniker just for, um, compilation in the tool directories. Anybody else have a question? Yeah, right here.
ITP can be a thorn in the side if properly configured. Um, so like CrowdStrike ITP, for instance, if it sees DCSyncing from an unwhitelisted account or a non-approved account or system, it will temporarily disable that account. I've come up against that recently, which is why now I just always sync a bunch of accounts and then just kind of iterate through them till I get what I need. Um, but yeah, it can be a thorn in the side, but it's not a foolproof solution. Just like EDR is not a silver bullet.
>> People like to think so. That's what I'll say about that one. >> I guess
they should, uh, but I have not implemented ITP myself. Um, but yeah, they should be looking to see where things are originating so that they can then determine, based on a known good list: yes, that is allowed; no, that is not allowed. Um, I see a lot of people making mistakes, especially when it comes to DCSyncing. They're like, "Oh, it's a domain controller. It's totally fine." Sure it is. I saw a question over here. >> Yeah, your, your, any of your work that's been, that you can share for pivoting to hybrid? >> Pivoting to hybrid, um, your biggest one for pivoting to hybrid is going to be, um, AADInternals is going to
be the biggest tool suite there. Um, most cases when I see hybrid, um, you can play around with the MSOL accounts because they can sync between on-prem and the cloud, and then also the Azure AD SSO ACC machine account. Um, if you can get that NTLM hash, you can essentially do a golden ticket, um, to request Kerberos tickets to the cloud. Then you can feed that to get a token and then use the token, um, through AADInternals or Exchange Online or one of the other many, um, PowerShell or CLI tools to access and make changes in the cloud. Or, um, my favorite is to send email from the PC to the PAC with a picture of their
company logo or something. Um, they got, hey, did you get that email from yourself? Yeah, like, oh yeah, I sent that from the cloud. Also, you might want to look at your global admins and see if you notice the addition I put in there for myself. But yeah, that's probably the biggest, is through MSOL or Azure AD SSO. Um, other ones I've seen is password reuse. Um, so sometimes they're not fully syncing passwords, but for service accounts, they will essentially set the same exact password. So, it's always worth trying to reuse passwords there as well. Anybody else? All right, cool. Thanks for coming. Hope, uh, you know, you learned a little bit, even though nothing was new, and it would
give a way to kind of hone your process a little bit and, you know, apply it in a method where you're running things concurrently and know what to look for, what is going to be your first move, because oftentimes that will save you hours. So thank you all, appreciate it.