IT Security Red Team Post Exploitation Methodology

I want to share a talk given by @davidpmcguire and @harmj0y entitled: Passing the Torch Old School Red Teaming New School Tactics.

The premise of the talk is to explain their take on Red Team operations and methodology. An important feature of this is the notion of emulating threat techniques independently of the toolkit, in other words, the ability to use multiple tools to perform the same function. The important point is that Red Teams do not need to use the exact tools of an adversary, but can use any means to accomplish the job, as long as the techniques are mirrored.

In terms of adversary techniques, in a post-exploit Windows environment, this can be broken down thus:

Tactic 1. Situational Awareness
Tactic 2. Domain Trusts
Tactic 3. Escalation and Pivoting
Tactic 4. Persistence
Tactic 5. Files Files Files

With the focus on the ability to use multiple tools to perform the same function, it is obviously preferable to use new freely available tools to automate, improve and speed things up.

For example, traditionally we used net.exe to enumerate users and network information. The following commands are taken from the Red Team Field Manual (Page 16) – Windows NET/DOMAIN commands:

net view /domain - Hosts in current domain
net view /domain:[MYDOMAIN] - Hosts in [MYDOMAIN]
net user /domain - All users in current domain
net accounts /domain - Domain password policy
net localgroup "Administrators" - Local admins
net group /domain - Domain groups
net group "Domain Admins" - Domain admin users
net group "Domain Controllers" /domain - List DCs
net share - SMB shares

Although the above does the job, a new way to enumerate this information is through PowerShell, and more specifically PowerView, written by @harmj0y.

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows “net *” commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

This is a beautiful and powerful tool, comprising a full net.exe replacement in case this is blocked, plus additional functionality such as:

User-Hunting Functions:

Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines

Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users

Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines

Invoke-UserEventHunter - hunts for user logon events in domain controller event logs

Domain Trust Functions:

Get-NetDomainTrust - gets all trusts for the current user's domain

Get-NetForestTrust - gets all trusts for the forest associated with the current user's domain

Find-ForeignUser - enumerates users who are in groups outside of their principal domain

Find-ForeignGroup - enumerates all the members of a domain's groups and finds users that are outside of the queried domain

Invoke-MapDomainTrust - try to build a relational mapping of all domain trusts

MetaFunctions:

Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain

Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain

Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to

Find-UserField - searches a user field for a particular term

Find-ComputerField - searches a computer field for a particular term

Get-ExploitableSystem - finds systems likely vulnerable to common exploits

Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain

It’s worth reading @harmj0y’s blog post: Trusts You Might Have Missed at this point.

With PowerShell’s “help” function, coupled with the “-Examples” parameter and tab completion, this just could not be easier for us.
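For defenders, the same "technique over tool" idea applies to detection. The following is an added example (not from the talk, PowerView or the Red Team Field Manual) that labels log lines with a technique regardless of whether net.exe or a PowerView function produced them. The technique labels, record layout and host names are assumptions of this example; the commands and function names are a subset of those listed above.

```python
import re
from collections import defaultdict

# Commands and function names come from the lists on this page; the technique
# labels and the record layout are this example's own (assumptions).
NET_TECHNIQUE = {
    "view": "host discovery", "user": "user discovery",
    "accounts": "password policy discovery",
    "localgroup": "local admin enumeration",
    "group": "group discovery", "share": "share discovery",
}
PV_GROUPS = {
    "user hunting": "Invoke-UserHunter Invoke-StealthUserHunter "
                    "Invoke-ProcessHunter Invoke-UserEventHunter",
    "domain trust discovery": "Get-NetDomainTrust Get-NetForestTrust "
                              "Invoke-MapDomainTrust",
    "share discovery": "Invoke-ShareFinder",
    "local admin enumeration": "Invoke-EnumerateLocalAdmin",
}
PV_LOOKUP = {n.lower(): t for t, names in PV_GROUPS.items() for n in names.split()}

# net.exe hands most subcommands to net1.exe, so match both image names.
# The look-behind keeps "dotnet" or "Get-Net..." from matching as "net".
NET_RE = re.compile(
    r'(?<![\w-])net1?(?:\.exe)?"?\s+(%s)\b' % "|".join(NET_TECHNIQUE), re.I)
PV_RE = re.compile(
    r'(?<![\w-])(%s)(?![\w-])' % "|".join(map(re.escape, PV_LOOKUP)), re.I)

def classify(text):
    """Return the technique labels found in one command line or script block."""
    hits = {NET_TECHNIQUE[m.lower()] for m in NET_RE.findall(text)}
    hits |= {PV_LOOKUP[m.lower()] for m in PV_RE.findall(text)}
    return hits

def techniques_by_host(records):
    """Aggregate technique labels per host, independent of the tool used."""
    seen = defaultdict(set)
    for r in records:
        seen[r["host"]] |= classify(r["text"])
    return {host: sorted(t) for host, t in seen.items() if t}

# Constructed records standing in for process-creation command lines and
# PowerShell script block log text; not real telemetry.
SAMPLE = [
    {"host": "WS01", "text": r'C:\Windows\System32\net.exe group "Domain Admins" /domain'},
    {"host": "WS01", "text": "net share"},
    {"host": "WS02", "text": "Get-NetDomainTrust"},
    {"host": "WS02", "text": "Invoke-ShareFinder"},
    {"host": "WS03", "text": "dotnet user-secrets list"},
]
```

Both WS01 and WS02 end up tagged with "share discovery" even though one used net.exe and the other PowerView, which is the property a tool-independent detection needs.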

David and Will go on to discuss some of the old and new school tools and techniques for escalation, pivoting, persistence and getting to the data.

I encourage you to take 50 minutes to watch this seminal talk: