TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Black Hills InfoSec

Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit

BHIS · 2021-08-06

ATT&CK techniques detected

9 predictions
T1003.006 DCSync (94%)
"…now we’ve successfully become the domain controller, we can perform a DCSync attack from Cobalt Strike. Conclusion. To recap, we started from an initial Beacon agent, abused CVE-2021-36934 to escalate local privileges, diverted port 445 to our team server, enticed the do…"

T1550.002 Pass the Hash (91%)
"A few bits of information are presented to us. The RID 500 (built-in) Administrator account has a blank password, indicating that it was initially not set. In a production environment, this would most likely be non-blank or set by Local Administrator Password Solution (“L…"

T1003.002 Security Account Manager (89%)
"…back to the adversary. By utilizing the MS-EFSRPC protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31), any user on the network may invoke a remote host to send a machine account has…"

T1649 Steal or Forge Authentication Certificates (75%)
"Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit. The year of 2021 has presented some interesting challenges to securing Windows and Activ…"

T1090.002 External Proxy (69%)
"…thub.com/exandroiddev/impacket/tree/ntlmrelayx-adcs-attack) updated version of Impacket. We must clone the repository, switch branches (git checkout ntlmrelayx-adcs-attack) and then install as per Impacket instructions. We’ll also need the PetitPotam (htt…"

T1090.001 Internal Proxy (60%)
"…a7 Username: Administrator Command: "cmd.exe /c c:\windows\tasks\procmon.exe" to execute our Cobalt Strike Beacon payload as SYSTEM. After establishing a new Beacon as SYSTEM, we can set up our traffic bending. In Beacon, start a reverse port forward with rportfwd…"

T1649 Steal or Forge Authentication Certificates (51%)
"…Dns]::GetHostEntry("domain.local") For this attack to work properly, we need to provide the fully qualified domain name (“FQDN”) for the certificate server. There are a few ways to find the certificate server. If you have remote desktop access, you can issue the com…"

T1557.001 Name Resolution Poisoning and SMB Relay (50%)
"…where a user is phished and the compromised host is used as a pivot point for the AD CS relay attack. In an attack scenario, an adversary would need to entice a remote user or system to authenticate back to the adversary-controlled host in order to relay the credential to the c…"

T1550.002 Pass the Hash (42%)
"…back to the adversary. By utilizing the MS-EFSRPC protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31), any user on the network may invoke a remote host to send a machine account has…"

Summary

Stephan Borosh // The year of 2021 has presented some interesting challenges to securing Windows and Active Directory environments with new flaws that Microsoft has been slow to address. In June, @Harmj0y and @tifkin_ […]

The post Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit appeared first on Black Hills Information Security, Inc.