The premise of the talk is to explain their take on Red Team operations and methodology. An important feature of this is the notion of emulating threat techniques independently of the toolkit: in other words, the ability to use multiple tools to perform the same function. The important point is that Red Teams do not need to use the exact tools of the adversaries, but can use any means to accomplish the job, as long as the techniques are mirrored.
In terms of adversary techniques, in a post-exploit Windows environment, this can be broken down thus:
Tactic 1: Situational Awareness
Tactic 2: Domain Trusts
Tactic 3: Escalation and Pivoting
Tactic 5: Files Files Files
With the focus on the ability to use multiple tools to perform the same function, it is obviously preferable to use new, freely available tools to automate, improve and speed things up.
For example, traditionally we used net.exe to enumerate users and network information. The following commands are taken from the Red Team Field Manual (Page 16) – Windows NET/DOMAIN commands:
net view /domain - Hosts in current domain
net view /domain:[MYDOMAIN] - Hosts in [MYDOMAIN]
net user /domain - All users in current domain
net accounts /domain - Domain password policy
net localgroup "Administrators" - Local admins
net group /domain - Domain groups
net group "Domain Admins" - Domain admin users
net group "Domain Controllers" /domain - List DCs
net share - SMB shares
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows “net *” commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
This is a beautiful and powerful tool, comprising a full net.exe replacement in case this is blocked, plus additional functionality such as:
Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs
Domain Trust Functions
Get-NetDomainTrust - gets all trusts for the current user's domain
Get-NetForestTrust - gets all trusts for the forest associated with the current user's domain
Find-ForeignUser - enumerates users who are in groups outside of their principal domain
Find-ForeignGroup - enumerates all the members of a domain's groups and finds users that are outside of the queried domain
Invoke-MapDomainTrust - try to build a relational mapping of all domain trusts
Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
Find-UserField - searches a user field for a particular term
Find-ComputerField - searches a computer field for a particular term
Get-ExploitableSystem - finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain
With PowerShell’s “help” function, coupled with the “-Examples” parameter and tab completion, this just could not be easier for us.
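The flip side of the same point for defenders: because the technique (domain enumeration) is what matters, detection should key on the commands as a pattern rather than on one tool. As an added example, not from the talk or from PowerView, here is a Python check that flags a burst of the net.exe and PowerView enumeration commands listed above in reduced log records; the record layout, host names, users and timestamps are constructed assumptions.

```python
"""Detect bursts of the domain-enumeration commands discussed above, over constructed
log entries (a 4104 script block or a 4688 process command line reduced to `text`)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Fragments taken from the net.exe and PowerView commands listed on the page.
ENUM_PATTERNS = (
    "net view /domain", "net user /domain", "net accounts /domain",
    "net group", "net localgroup", "net share",
    "invoke-userhunter", "invoke-stealthuserhunter", "invoke-processhunter",
    "invoke-usereventhunter", "get-netdomaintrust", "get-netforesttrust",
    "find-foreignuser", "find-foreigngroup", "invoke-mapdomaintrust",
    "invoke-sharefinder", "invoke-filefinder", "find-localadminaccess",
    "get-exploitablesystem", "invoke-enumeratelocaladmin",
)

def matched_patterns(text):
    """Return the enumeration fragments found in one script block or command line."""
    return {p for p in ENUM_PATTERNS if p in text.lower()}

def find_enumeration_bursts(records, window=timedelta(minutes=10), threshold=3):
    """Flag each (host, user) that runs at least `threshold` distinct enumeration
    commands within any `window`-long span; isolated single commands are not flagged.
    Returns {(host, user): sorted list of matched fragments}."""
    per_actor = defaultdict(list)
    for rec in records:
        hits = matched_patterns(rec["text"])
        if hits:
            per_actor[(rec["host"], rec["user"])].append((rec["time"], hits))
    alerts = {}
    for actor, hits in per_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):  # slide the window over each start time
            seen = set()
            for t, h in hits[i:]:
                if t - start > window:
                    break
                seen |= h
            if len(seen) >= threshold:
                alerts[actor] = sorted(seen)
                break
    return alerts

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_RECORDS = [  # constructed sample entries, not real telemetry
    {"time": T0, "host": "WS01", "user": "CORP\\alice", "text": "net view /domain"},
    {"time": T0 + timedelta(minutes=1), "host": "WS01", "user": "CORP\\alice", "text": "Get-NetDomainTrust"},
    {"time": T0 + timedelta(minutes=2), "host": "WS01", "user": "CORP\\alice", "text": "Invoke-ShareFinder"},
    {"time": T0 + timedelta(hours=2), "host": "WS02", "user": "CORP\\bob", "text": "net share"},
]
```

Running `find_enumeration_bursts(SAMPLE_RECORDS)` flags only the WS01/alice sequence; bob's single `net share` two hours later stays below the threshold.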
David and Will go on to discuss some of the old and new school tools and techniques for escalation, pivoting, persistence and getting to the data.
I encourage you to take 50 minutes to watch this seminal talk: