Alt+CTRL+Del Your Expectations: Fun-Filled Adventures in Windows Active Directory Network Pwnage
Have you ever wondered about "some esoteric techniques through which we compromised your networks"?
In this session, we will demonstrate some "Living Off the Land" techniques that helped us not only evade the defenses of many Fortune 500 organizations, armed with the latest security technology and robust defenses, but also achieve our objectives by exploiting their enterprise environments. Our "attack path" techniques were inspired by the Lapsus$ group as well as by ransomware operators who used unconventional TTPs to breach the security of several organizations. We compiled a playbook of the "living-off-the-land" techniques used by ransomware groups, added some of our own tricks to it, and used the playbook to gain control of entire organizational networks. Some of the techniques used are listed below:
1. Exploitation of AD CS related misconfigurations, either using built-in Windows tools or using custom PowerShell-based scripts.
2. Escalation of privileges from the IIS AppPool virtual account to NT AUTHORITY\SYSTEM without using any Potato exploit or the CertPotato technique.
3. Luring an admin into a compromised machine to achieve Domain Admin access.
4. Learning about misconfigurations introduced into the Active Directory environment by a security product through the vendor's official product configuration tutorials.
5. Use of HTTP tunnelling during the post-exploitation phase to reach internal/segregated hosts without using C2s.
6. Staying silent in heavily monitored environments by using "creative" techniques when a web app is vulnerable to RCE (for example, avoiding the use of webshells).
7. Tampering with AV/EDR processes.
8. Altering host firewalls (including enabling RDP).
We used the compiled playbook in our pentests and were surprised to find that the average success rate was in the range of 80-90%.
Demos:
During our demos, we will demonstrate:
1. Exploitation of AD CS related misconfigurations using built-in Windows tools or using a PowerShell script (Certi Bhai, which will be released during the talk).
2. How official integration guides by many security product vendors for their tools in Windows Active Directory environments can introduce critical domain-wide privilege escalation vectors (exploitable by any standard machine or domain user account) in a secure environment.
3. By taking advantage of an RCE-vulnerable web app, we will:
	a) Use 10-12 lines of ASPX code, to reduce detection, to escalate privileges from the IIS AppPool account to NT AUTHORITY\SYSTEM in an Active Directory environment. This demo does not use *-Potato/CertPotato exploits or any binary for exploitation.
	b) Show an alternative technique to gain the privileges of the web server user in an AD environment, since the use of webshells generates Windows events and can also trip AV/EDR.
	c) Use HTTP tunnelling to blend in with normal Windows events and to overcome the limitation of having to drop a reverse shell file on disk.
	d) Show some creative but effective exploit chains for advancing during a pentest in a Windows Active Directory environment.
	e) Demonstrate the abuse of commonly missing security controls in AVs/EDRs to render them ineffective.
4. We will show in a demo that a desperate attacker can sometimes cause an intentional alert on a compromised machine to trap a server admin, luring the admin to log in to that machine just to check the root cause of the alert. The attacker can then compromise the session of the logged-in admin user.
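The admin-luring demo above relies on a privileged account performing an interactive logon onto a host the attacker already controls. The defensive counterpart is to watch for exactly that: privileged accounts logging on interactively (console, RDP, cached) to hosts that are not designated admin workstations. The following is an added example written for this page, not code from the speakers or from any product; the account names, hostnames, the flat key=value event format and the admin-host allowlist are all constructed assumptions standing in for real Windows 4624 event fields.

```python
"""Flag interactive logons by privileged accounts onto non-admin hosts.

Added illustrative example; the event format below is a constructed
flattening of the fields a Windows Security 4624 event carries
(Computer, TargetUserName, LogonType), not real exported log data.
"""
from dataclasses import dataclass

# Constructed: accounts that should only ever log on interactively to PAWs.
PRIVILEGED_ACCOUNTS = {"CORP\\svr-admin", "CORP\\da-jane"}

# Constructed allowlist of hosts where interactive admin logons are expected.
ADMIN_HOSTS = {"PAW01", "PAW02"}

# Logon types that leave reusable credential material / a hijackable session
# on the host: 2 = Interactive (console), 10 = RemoteInteractive (RDP),
# 11 = CachedInteractive. Network logons (3) are deliberately excluded.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass
class Logon:
    host: str
    account: str
    logon_type: int
    timestamp: str


def parse_4624(line: str) -> Logon:
    """Parse one constructed 'Key=Value|Key=Value' 4624-style record."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return Logon(
        host=fields["Computer"],
        account=fields["TargetUser"],
        logon_type=int(fields["LogonType"]),
        timestamp=fields["Time"],
    )


def flag_privileged_logons(lines):
    """Return (time, account, host, logon_type) for every interactive logon
    by a privileged account onto a host outside the admin-host allowlist."""
    alerts = []
    for line in lines:
        ev = parse_4624(line)
        if (
            ev.account in PRIVILEGED_ACCOUNTS
            and ev.logon_type in INTERACTIVE_LOGON_TYPES
            and ev.host.upper() not in ADMIN_HOSTS
        ):
            alerts.append((ev.timestamp, ev.account, ev.host, ev.logon_type))
    return alerts


# Constructed sample events: an expected PAW logon, an RDP logon by an admin
# onto a web server (the lure scenario), a service logon, and a network logon.
SAMPLE_EVENTS = [
    "Time=2024-05-01T09:12:00|Computer=PAW01|TargetUser=CORP\\da-jane|LogonType=2",
    "Time=2024-05-01T09:40:11|Computer=WEB03|TargetUser=CORP\\svr-admin|LogonType=10",
    "Time=2024-05-01T09:41:05|Computer=WEB03|TargetUser=CORP\\iis-apppool|LogonType=5",
    "Time=2024-05-01T10:02:30|Computer=WEB03|TargetUser=CORP\\da-jane|LogonType=3",
]

if __name__ == "__main__":
    for alert in flag_privileged_logons(SAMPLE_EVENTS):
        print("ALERT: privileged interactive logon", alert)
```

Only the RDP logon by `CORP\svr-admin` onto `WEB03` is flagged; the network logon (type 3) by a Domain Admin is normal administrative traffic and does not leave a session to hijack, which is why it is excluded from the rule. In a real deployment the same logic would run over `Get-WinEvent` or SIEM-exported 4624 events, with the privileged-account set derived from group membership rather than hard-coded.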
Takeaways:
Sometimes we encounter products/networks with an exceptional security posture, but there have been multiple instances in which the smallest configuration mistakes, including minor missing security controls, have contributed to a further path of compromise.
In certain situations, even a beginner or an average infrastructure pentester can bypass detections without using elite red-teamer tricks; the simplest of tricks can be enough to bypass the deployed security products/mechanisms and help a pentester perform lateral movement or compromise an enterprise environment.
We are here to bust the myth that a C2 or advanced red-teaming techniques such as obfuscation or evasion are required to compromise mature enterprise environments.
There are multiple avenues once you have achieved RCE in a web application: we can escalate our privileges and, in some scenarios, even compromise the entire domain.
We have often found that SOCs are not always up to date and do not consistently patch their network, which gives attackers a unique opportunity to dive deep into the internal network by exploiting a recently disclosed vulnerability.