This article pulls together some of the tactics and techniques used by OP Innovate researchers during a red team exercise. Please note that the tools, tactics and techniques below are described for educational purposes only!
What is Red Teaming
During a red team/blue team cybersecurity simulation, the red team mimics the role of the adversary, attempting to identify and exploit potential weaknesses within the organization’s cyber defenses using sophisticated attack techniques. These offensive teams typically consist of highly experienced security professionals or independent ethical hackers who focus on penetration testing by imitating real-world attack techniques and methods.
This type of engagement is used to test an organization’s ability to detect and respond to a stealthy, invasive and prolonged attack.
Goals in Red Teaming
The most important goal of a red team exercise is to acquire an organization’s crown jewels. It is therefore important to define these before commencing the exercise. For example, when targeting a domain, the red team’s ultimate goal is to acquire domain admin privileges. Doing so means “game over” since the red team now has unfettered access to the entire network and the business sensitive information stored within. By charting out this workflow and the risks exposed, we can provide our customers with recommendations that can mitigate attacks on their infrastructure.
In the next section, a red team member discusses their route to domain admin. For reference purposes, each step along the route has been framed as a MITRE ATT&CK tactic.
Confessions of a Red Team Member
As a red team member, my first tool is caffeine. Black hat hackers in the movies often prefer the anonymity of a coffee shop but when I work, I prefer to work from home, with my own coffee!
A red team exercise usually begins with an attacker acquiring the login credentials of a low-privileged user. This could be achieved in several ways, including via social engineering using a phishing campaign, or via the insider threat posed by a disgruntled employee or physically present attacker.
Having acquired these credentials and used them to create a VPN connection, the next phase of exploitation begins. All Windows installations contain the Windows App Store by default, which provides me with a legitimate method for installing tools of the trade such as Notepad++, Microsoft Windows Terminal, and most interestingly, Python, even though my user is not a local admin!
To get domain admin means circumventing the traditional controls of the Microsoft Active Directory (AD). There are several freely available mind maps (for example, here) that contain a myriad of techniques that can be deployed – Kerberoasting from the Impacket scripts is one of my regular go-tos. In this case I use a bash script that automates enumeration of the Active Directory.
The bash script informs me that the account lockout policy is 10 attempts. Since I have already acquired the working password of a regular user, I deduce that the company uses strong passwords of about 10-15 characters. With such a low limit of guesses to work with, this is going to make brute force a non-viable option. There is little chance of getting a successful hit with the top 10 popular passwords since these are weak passwords that don’t meet the policy in place here. I activate BloodHound, a tool for analyzing AD rights and relationships. The view is not so promising:
The starting point on our journey to domain admin shows a service account which I currently do not have access to. Let’s work on that.
Knowing that system administrators like to use the same algorithm across multiple users, I examine the construction of the password in my possession and the information I’ve extracted from the AD, and learn a lot about the password complexity policy. This enables me to craft additional passwords using a similar algorithm. Next, I use the algorithm to craft similarly built passwords for all the users I managed to extract from the AD using my bash script. I then create a list of credential pairs for each user. This should provide at least one hit!
Success – more than one user matched. By updating BloodHound to match this, I see a new and improved picture:
The BloodHound route now shows a far shorter journey to domain admin.
The route shows me a new user account, Tom, that has local administrator permissions on Server X. That server in turn hosts a disconnected session from another user, Jerry. Jerry is a member of the Domain Admins group. Looks like getting Tom’s credentials puts domain admin privileges within reach!
My next step is to connect to Server X with Tom’s credentials and get the NTLM hash of Jerry’s password using the Mimikatz tool.
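From the defender's side, the per-user password guessing described above stays under the 10-attempt lockout limit on every account, so it has to be caught by correlating failed logons per source rather than per account. The sketch below is an added example, not code from the exercise or from OP Innovate; the simplified log format, the sample events, and the `MIN_ACCOUNTS` and `WINDOW` thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
LOCKOUT_THRESHOLD = 10          # lockout policy quoted in the article
MIN_ACCOUNTS = 5                # assumed alert threshold, tune per environment
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample: "time event_id account source_ip" (4625 = failed logon, 4624 = success).
SAMPLE_EVENTS = """\
2024-01-10T09:00:01 4625 alice 10.8.0.23
2024-01-10T09:00:03 4625 bob 10.8.0.23
2024-01-10T09:00:05 4624 carol 10.8.0.23
2024-01-10T09:00:07 4625 dave 10.8.0.23
2024-01-10T09:00:09 4625 erin 10.8.0.23
2024-01-10T09:00:11 4624 frank 10.8.0.23
2024-01-10T09:00:13 4625 grace 10.8.0.23
2024-01-10T09:12:40 4625 heidi 10.1.5.7
2024-01-10T09:13:10 4624 heidi 10.1.5.7
"""

def parse(text):
    """Simplified log lines -> sorted (time, event_id, account, ip) tuples."""
    rows = (line.split() for line in text.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), int(eid), user.lower(), ip)
                  for ts, eid, user, ip in rows)

def detect_spray(events):
    """Flag sources whose failed logons fan out across many accounts within WINDOW."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_src.items():
        fails = [(t, u) for t, eid, u, _ in evs if eid == 4625]
        for start, _ in fails:
            per_user = Counter(u for t, u in fails if start <= t <= start + WINDOW)
            if len(per_user) >= MIN_ACCOUNTS:
                findings[ip] = {
                    "targets": sorted(per_user),
                    # True when no account reached the lockout limit (no lockout alert fires).
                    "under_lockout": max(per_user.values()) < LOCKOUT_THRESHOLD,
                    # Accounts that logged on from this source in the window: review first.
                    "logons_to_review": sorted({u for t, eid, u, _ in evs
                                                if eid == 4624 and start <= t <= start + WINDOW}),
                }
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_EVENTS)))
```

On the constructed sample, only the source that touches many accounts is flagged; the user who mistypes a password once and then logs on is not.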
Privilege Escalation (pt 1)
Once connected to Server X, I can see Jerry’s cached credentials (even though Jerry is disconnected), so I grab them!
With a disconnected session stored in memory, I should be able to pull Jerry’s credential hash using Mimikatz. Trouble is, there is an EDR client installed on Server X which will quarantine Mimikatz as soon as I try to download it.
So what’s my next move? Sounds simple but I can just try to remove it – remember, Tom is a local admin on Server X.
Boom! Removed. That was almost too easy!
Privilege Escalation (pt 2)
Now I’m able to download Mimikatz from GitHub, grab the hash of Jerry’s credentials from memory and use the NTLMv1 hash to connect to the domain controller via the WinRM protocol.
SUCCESS – Domain Admin privileges acquired:
In just a few steps I have shown how a run-of-the-mill social engineering attack can be leveraged to derive domain admin privileges using freely available open-source scripts and applications (and of course caffeine!). See the MITRE map below to see how we use the ATT&CK matrix to chart the workflow:
For more information on how OP Innovate’s offensive services can help preempt attacks on your organization, please contact Shay Pinsker.
About the author
Israel Malamud worked for several years as a system administrator before transitioning to the world of security. His first role was as a Digital Forensic and Incident Responder at Kaspersky. Israel joined OP Innovate in 2021 as a Penetration Tester and Incident Responder. He lives in Jerusalem.