Introduction

THM Persisting Active Directory
THM Room: Persisting Active Directory

What?

Common Active Directory persistence techniques.

Why?

To make sure the blue team cannot evict us from the domain during a red team exercise: once our initial foothold is detected and the compromised credentials are rotated, we still need an independent way back in.

How?

  • Setup for THM AD
  • Persistence through credentials
  • Persistence through tickets
  • Persistence through certificates
  • Persistence through SID history
  • Persistence through group membership
  • Persistence through ACLs
  • Persistence through GPOs


Unseen University, 2023, with a forest garden fostered by /ut7.