Adding references for Altered Security labs
parent
402412c6fe
commit
0dfaec828b
|
@ -256,3 +256,4 @@ An attacker can change the password of the user this ACE applies to:
|
|||
* [ACE to RCE - @JustinPerdok - July 24, 2020](https://sensepost.com/blog/2020/ace-to-rce/)
|
||||
* [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces)
|
||||
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
|
@ -354,3 +354,4 @@ Enumerate users from the Domain Controllers.
|
|||
* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
|
||||
* [PowerView 3.0 Tricks - HarmJ0y](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)
|
||||
* [SOAPHound - tool to collect Active Directory data via ADWS - Nikos Karouzos - 01/26/204](https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c)
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
|
@ -113,3 +113,4 @@ StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author
|
|||
* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
|
||||
* [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019](https://pentestmag.com/gpo-abuse-you-cant-see-me/)
|
||||
* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
|
@ -91,3 +91,4 @@ Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`)
|
|||
* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
|
||||
* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/)
|
||||
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
|
@ -2,11 +2,19 @@
|
|||
|
||||
> SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.
|
||||
|
||||
|
||||
## SCCM Application Deployment
|
||||
|
||||
> Application Deployment is a process that involves packaging software applications and distributing them to selected computers or devices within an organization
|
||||
|
||||
**Tools**:
|
||||
|
||||
* [PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM)
|
||||
* [nettitude/MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM)
|
||||
|
||||
|
||||
**Exploitation**:
|
||||
|
||||
* Using **SharpSCCM**
|
||||
```ps1
|
||||
.\SharpSCCM.exe get devices --server <SERVER8NAME> --site-code <SITE_CODE>
|
||||
|
|
|
@ -86,3 +86,8 @@ The members of the group **"Account Operator"** can add and modify all the non a
|
|||
Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
|
||||
Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
|
@ -46,3 +46,4 @@
|
|||
|
||||
* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
|
||||
* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0)
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
|
@ -18,3 +18,8 @@ By default the first domain created if the Forest Root.
|
|||
```powershell
|
||||
kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
|
@ -35,3 +35,8 @@ Inject the ST file and access the targeted service with the spoofed rights.
|
|||
kirbikator lsa .\ticket.kirbi
|
||||
ls \\machine.domain.local\c$
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
|
@ -379,3 +379,4 @@ Use the user account to create a computer and request a PRT
|
|||
* [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
|
||||
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
|
||||
* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -123,3 +123,4 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
|
|||
* [Azure AD connect for RedTeam - Adam Chester @xpnsec - 2019-02-18](https://blog.xpnsec.com/azuread-connect-for-redteam/)
|
||||
* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud)
|
||||
* [DUMPING NTHASHES FROM MICROSOFT ENTRA ID - Secureworks](https://www.secureworks.com/research/dumping-nthashes-from-microsoft-entra-id)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -174,3 +174,4 @@ roadtx findscope -s https://graph.microsoft.com/mail.read
|
|||
* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
|
||||
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
|
||||
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -251,3 +251,4 @@ Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Reco
|
|||
* [Bypassing conditional access by faking device compliance - @DrAzureAD - September 06, 2020](https://o365blog.com/post/mdm/)
|
||||
* [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md)
|
||||
* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -44,3 +44,4 @@ Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
|
|||
|
||||
* [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
|
||||
* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -143,3 +143,4 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph
|
|||
* [The Art of the Device Code Phish - Bobby Cooke - July 12, 2021](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
|
||||
* [Power Pwn - Black Hat Arsenal 2023 - Aug 24, 2023](https://www.youtube.com/watch?v=LpdckZyBwvs)
|
||||
* [Low Code High Risk - Enterprise Domination via Low Code Abuse - Defcon 30 - Oct 20, 2022](https://www.youtube.com/watch?v=D3A62Rzozq4)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -35,3 +35,4 @@ Subscriptions:
|
|||
|
||||
* [Az - Permissions for a Pentest - HackTricks](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-permissions-for-a-pentest)
|
||||
* [An introduction to penetration testing Azure - HollyGraceful - 06 August 2021](https://akimbocore.com/article/introduction-to-pentesting-azure/)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -11,4 +11,4 @@
|
|||
|
||||
## References
|
||||
|
||||
* []()
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -14,4 +14,4 @@
|
|||
|
||||
## References
|
||||
|
||||
* []()
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -17,4 +17,4 @@
|
|||
|
||||
## References
|
||||
|
||||
* []()
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -141,3 +141,4 @@ You can access an organization's Azure DevOps Services instance via https://dev.
|
|||
## References
|
||||
|
||||
* [Hiding in the Clouds: Abusing Azure DevOps Services to Bypass Microsoft Sentinel Analytic Rules - Brett Hawkins - November 6, 2023](https://www.ibm.com/downloads/cas/5JKAPVYD)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -35,3 +35,4 @@
|
|||
## References
|
||||
|
||||
* [Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions - August 28, 2018 - Karl Fosaaen](https://www.netspi.com/blog/technical/cloud-penetration-testing/get-azurepasswords/)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -34,3 +34,4 @@ Requirements:
|
|||
## References
|
||||
|
||||
* [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -31,3 +31,4 @@ Get-MgDrive -top 1
|
|||
## References
|
||||
|
||||
* [Pentesting Azure Mindmap - Alexis Danizan](https://github.com/synacktiv/Mindmaps)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -85,4 +85,4 @@ Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -mar
|
|||
|
||||
## References
|
||||
|
||||
* []()
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -45,4 +45,4 @@ PS Az> (Get-AzStorageAccount | Get-AzStorageContainer).cloudBlobContainer | sele
|
|||
|
||||
## References
|
||||
|
||||
* []()
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -46,3 +46,4 @@ Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
|
|||
## References
|
||||
|
||||
* [Running Powershell scripts on Azure VM - Karl Fosaaen - November 6, 2018](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
|
@ -31,4 +31,4 @@ az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-g
|
|||
|
||||
## References
|
||||
|
||||
* []()
|
||||
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
|
Loading…
Reference in New Issue