From 0dfaec828bae0f9164aa4ef5b8e143e100bcd4d1 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 24 May 2024 10:48:55 +0200 Subject: [PATCH] Adding references for Altered Security labs --- docs/active-directory/ad-adds-acl-ace.md | 1 + docs/active-directory/ad-adds-enumerate.md | 3 ++- docs/active-directory/ad-adds-group-policy-objects.md | 3 ++- docs/active-directory/ad-roasting-kerberoasting.md | 3 ++- docs/active-directory/deployment-sccm.md | 8 ++++++++ docs/active-directory/pwd-read-laps.md | 7 ++++++- docs/active-directory/trust-relationship.md | 3 ++- docs/active-directory/trust-sid-hijacking.md | 7 ++++++- docs/active-directory/trust-ticket.md | 7 ++++++- docs/cloud/azure/azure-access-and-token.md | 3 ++- docs/cloud/azure/azure-ad-connect.md | 3 ++- docs/cloud/azure/azure-devices-users-sp.md | 3 ++- docs/cloud/azure/azure-enumeration.md | 3 ++- docs/cloud/azure/azure-persistence.md | 3 ++- docs/cloud/azure/azure-phishing.md | 3 ++- docs/cloud/azure/azure-requirements.md | 3 ++- docs/cloud/azure/azure-services-application-endpoint.md | 2 +- docs/cloud/azure/azure-services-application-proxy.md | 2 +- docs/cloud/azure/azure-services-deployment-template.md | 2 +- docs/cloud/azure/azure-services-devops.md | 3 ++- docs/cloud/azure/azure-services-keyvault.md | 3 ++- docs/cloud/azure/azure-services-microsoft-intune.md | 3 ++- docs/cloud/azure/azure-services-office-365.md | 3 ++- docs/cloud/azure/azure-services-runbook.md | 2 +- docs/cloud/azure/azure-services-storage-blob.md | 2 +- docs/cloud/azure/azure-services-virtual-machine.md | 3 ++- docs/cloud/azure/azure-services-web-apps.md | 2 +- 27 files changed, 65 insertions(+), 25 deletions(-) diff --git a/docs/active-directory/ad-adds-acl-ace.md b/docs/active-directory/ad-adds-acl-ace.md index 0a721e1..c6cafd2 100644 --- a/docs/active-directory/ad-adds-acl-ace.md +++ b/docs/active-directory/ad-adds-acl-ace.md 
@@ -256,3 +256,4 @@ An attacker can change the password of the user this ACE applies to: * [ACE to RCE - @JustinPerdok - July 24, 2020](https://sensepost.com/blog/2020/ace-to-rce/) * [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces) * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) +* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) \ No newline at end of file diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index ce85c4d..7a5150d 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md @@ -353,4 +353,5 @@ Enumerate users from the Domain Controllers. * [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/) * [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) * [PowerView 3.0 Tricks - HarmJ0y](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) -* [SOAPHound - tool to collect Active Directory data via ADWS - Nikos Karouzos - 01/26/204](https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c) \ No newline at end of file +* [SOAPHound - tool to collect Active Directory data via ADWS - Nikos Karouzos - 01/26/204](https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c) +* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) \ No newline at end of file 
diff --git a/docs/active-directory/ad-adds-group-policy-objects.md b/docs/active-directory/ad-adds-group-policy-objects.md index 74cd504..c6ada6f 100644 --- a/docs/active-directory/ad-adds-group-policy-objects.md +++ b/docs/active-directory/ad-adds-group-policy-objects.md @@ -112,4 +112,5 @@ StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author * [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/) * [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) * [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019](https://pentestmag.com/gpo-abuse-you-cant-see-me/) -* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) \ No newline at end of file +* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) +* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) \ No newline at end of file diff --git a/docs/active-directory/ad-roasting-kerberoasting.md b/docs/active-directory/ad-roasting-kerberoasting.md index 3e63df9..994d55a 100644 --- a/docs/active-directory/ad-roasting-kerberoasting.md +++ b/docs/active-directory/ad-roasting-kerberoasting.md 
@@ -90,4 +90,5 @@ Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`) * [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf) * [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) * [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/) -* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) \ No newline at end of file +* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) +* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) \ No newline at end of file diff --git a/docs/active-directory/deployment-sccm.md b/docs/active-directory/deployment-sccm.md index 106b3ba..67689bb 100644 --- a/docs/active-directory/deployment-sccm.md +++ b/docs/active-directory/deployment-sccm.md @@ -2,11 +2,19 @@ > SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation. + ## SCCM Application Deployment +> Application Deployment is a process that involves packaging software applications and distributing them to selected computers or devices within an organization + +**Tools**: + * [PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM) * [nettitude/MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM) + +**Exploitation**: + * Using **SharpSCCM** ```ps1 .\SharpSCCM.exe get devices --server --site-code diff --git a/docs/active-directory/pwd-read-laps.md b/docs/active-directory/pwd-read-laps.md index 21e5651..63e802b 100644 --- a/docs/active-directory/pwd-read-laps.md 
+++ b/docs/active-directory/pwd-read-laps.md @@ -85,4 +85,9 @@ The members of the group **"Account Operator"** can add and modify all the non a ```ps1 Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local" Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local" -``` \ No newline at end of file +``` + + +## References + +* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) \ No newline at end of file diff --git a/docs/active-directory/trust-relationship.md b/docs/active-directory/trust-relationship.md index 1e8b90e..924f2d3 100644 --- a/docs/active-directory/trust-relationship.md +++ b/docs/active-directory/trust-relationship.md @@ -45,4 +45,5 @@ ## References * [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) -* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) \ No newline at end of file +* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) +* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) \ No newline at end of file diff --git a/docs/active-directory/trust-sid-hijacking.md b/docs/active-directory/trust-sid-hijacking.md index a35162e..f3610f3 100644 --- a/docs/active-directory/trust-sid-hijacking.md +++ b/docs/active-directory/trust-sid-hijacking.md 
@@ -17,4 +17,9 @@ By default the first domain created if the Forest Root. - Create golden ticket and attack parent domain. ```powershell kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt - ``` \ No newline at end of file + ``` + + +## References + +* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) \ No newline at end of file diff --git a/docs/active-directory/trust-ticket.md b/docs/active-directory/trust-ticket.md index b7ac42d..690ad83 100644 --- a/docs/active-directory/trust-ticket.md +++ b/docs/active-directory/trust-ticket.md @@ -34,4 +34,9 @@ Inject the ST file and access the targeted service with the spoofed rights. ```powershell kirbikator lsa .\ticket.kirbi ls \\machine.domain.local\c$ -``` \ No newline at end of file +``` + + +## References + +* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) \ No newline at end of file diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md index 555763c..63ba974 100644 --- a/docs/cloud/azure/azure-access-and-token.md +++ b/docs/cloud/azure/azure-access-and-token.md 
@@ -378,4 +378,5 @@ Use the user account to create a computer and request a PRT * [Attacking Azure Cloud shell - Karl Fosaaen - December 10, 2019](https://blog.netspi.com/attacking-azure-cloud-shell/) * [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) * [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) -* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) \ No newline at end of file +* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) +* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file diff --git a/docs/cloud/azure/azure-ad-connect.md b/docs/cloud/azure/azure-ad-connect.md index 5a59dc6..def3cb5 100644 --- a/docs/cloud/azure/azure-ad-connect.md +++ b/docs/cloud/azure/azure-ad-connect.md 
@@ -122,4 +122,5 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta * [Windows Azure Active Directory in plain English - Openness AtCEE - Jan 9, 2014](https://www.youtube.com/watch?v=IcSATObaQZE) * [Azure AD connect for RedTeam - Adam Chester @xpnsec - 2019-02-18](https://blog.xpnsec.com/azuread-connect-for-redteam/) * [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud) -* [DUMPING NTHASHES FROM MICROSOFT ENTRA ID - Secureworks](https://www.secureworks.com/research/dumping-nthashes-from-microsoft-entra-id) \ No newline at end of file +* [DUMPING NTHASHES FROM MICROSOFT ENTRA ID - Secureworks](https://www.secureworks.com/research/dumping-nthashes-from-microsoft-entra-id) +* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file diff --git a/docs/cloud/azure/azure-devices-users-sp.md b/docs/cloud/azure/azure-devices-users-sp.md index e3261b1..277e7b2 100644 --- a/docs/cloud/azure/azure-devices-users-sp.md +++ b/docs/cloud/azure/azure-devices-users-sp.md 
@@ -173,4 +173,5 @@ roadtx findscope -s https://graph.microsoft.com/mail.read * [Pentesting Azure Mindmap](https://github.com/synacktiv/Mindmaps) * [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad) * [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) -* [AZURE AD INTRODUCTION FOR RED TEAMERS - Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html) \ No newline at end of file +* [AZURE AD INTRODUCTION FOR RED TEAMERS - Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html) +* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file diff --git a/docs/cloud/azure/azure-enumeration.md b/docs/cloud/azure/azure-enumeration.md index d8bbc49..b823570 100644 --- a/docs/cloud/azure/azure-enumeration.md +++ b/docs/cloud/azure/azure-enumeration.md 
@@ -250,4 +250,5 @@ Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Reco * [Bypassing conditional access by faking device compliance - @DrAzureAD - September 06, 2020](https://o365blog.com/post/mdm/) * [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md) -* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) \ No newline at end of file +* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) +* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file diff --git a/docs/cloud/azure/azure-persistence.md b/docs/cloud/azure/azure-persistence.md index adda022..d1249ac 100644 --- a/docs/cloud/azure/azure-persistence.md +++ b/docs/cloud/azure/azure-persistence.md @@ -43,4 +43,5 @@ Add-AzureADGroupMember -ObjectId -RefObjectId -Verbose ## References * [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) -* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell) \ No newline at end of file +* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell) +* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file 
diff --git a/docs/cloud/azure/azure-phishing.md b/docs/cloud/azure/azure-phishing.md index 78e8f07..f8e246f 100644 --- a/docs/cloud/azure/azure-phishing.md +++ b/docs/cloud/azure/azure-phishing.md @@ -142,4 +142,5 @@ roadtx codeauth -c -r msgraph -t <0.A....> -ru 'https:// (Get-AzStorageAccount | Get-AzStorageContainer).cloudBlobContainer | sele ## References -* []() \ No newline at end of file +* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file diff --git a/docs/cloud/azure/azure-services-virtual-machine.md b/docs/cloud/azure/azure-services-virtual-machine.md index 7cddacd..5abc4df 100644 --- a/docs/cloud/azure/azure-services-virtual-machine.md +++ b/docs/cloud/azure/azure-services-virtual-machine.md @@ -45,4 +45,5 @@ Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt ## References -* [Running Powershell scripts on Azure VM - Karl Fosaaen - November 6, 2018](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) \ No newline at end of file +* [Running Powershell scripts on Azure VM - Karl Fosaaen - November 6, 2018](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) +* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file diff --git a/docs/cloud/azure/azure-services-web-apps.md b/docs/cloud/azure/azure-services-web-apps.md index 1597187..556b04a 100644 --- a/docs/cloud/azure/azure-services-web-apps.md +++ b/docs/cloud/azure/azure-services-web-apps.md @@ -31,4 +31,4 @@ az webapp create-remote-connection --subscription --resource-g ## References -* []() \ No newline at end of file +* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file
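
Review bot: In docs/active-directory/ad-adds-acl-ace.md, the added reference line is followed by `\ No newline at end of file`, while the three context lines above it show the file previously ended with a newline, so this hunk removes the trailing newline. End the file with a newline here and in the other touched files. The ad-adds-group-policy-objects.md and ad-roasting-kerberoasting.md hunks show the cost: the previous last reference has to be removed and re-added unchanged just to append one line after it.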
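
Review bot: In docs/active-directory/ad-adds-enumerate.md, the SOAPHound reference that is removed and re-added still carries the date `01/26/204`, which has a three-digit year. Since the line is being rewritten anyway, correct the year in the `+` version and consider matching the spelled-out date style of the neighbouring entries (for example `March 12, 2019`).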
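
Review bot: The docs/active-directory/deployment-sccm.md hunk adds no Altered Security reference, which is the only change the subject line "Adding references for Altered Security labs" announces. Its eight added lines are a description blockquote plus `**Tools**:` and `**Exploitation**:` labels. Either move this restructuring to its own commit or mention it in the message. Within the hunk, the new blockquote ends without a period and spells "organization" where the existing intro two lines above uses "organisation", and there are two consecutive blank lines before `**Exploitation**:` where one is enough.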
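
Review bot: In docs/active-directory/pwd-read-laps.md, trust-sid-hijacking.md and trust-ticket.md, the new `## References` heading is preceded by two blank `+` lines after the closing code fence; a single blank line is sufficient and avoids markdownlint's multiple-blank-lines warning (MD012). These three sections are also created with the training link as their only entry, so a source for the specific technique each page documents (LAPS password reads, SID history across trusts, trust tickets) would make the new section more useful to a reader checking the commands.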
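
Review bot: In docs/cloud/azure/azure-services-web-apps.md, and the other Azure service pages where `* []()` is replaced, the References section ends up holding only the general course link, with nothing that documents the service-specific commands shown above it. Removing the empty placeholder is a good cleanup, but consider adding at least one page-specific source alongside it. Because the same two URLs are pasted into 27 files, a shared training or resources page linked from each document would also be easier to maintain if the URLs change.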