In Part 1 we explored how one could go about discovering and mapping the LAPS configuration in a domain. In this part, we’ll look at various ways LAPS can be abused for persistence purposes.
In this blog post I’m going to cover my first impressions of MWR Labs C3 project, through installation and setup to usage in a basic scenario.
TikiService is a new .NET service binary that allows you to run a TikiTorch payload via the Service Control Manager (à la PsExec). TikiTorch.cna has also been updated with a new Cobalt Strike function, tikiexec, that automates its use. This blog post provides a brief overview and usage examples.
Covenant v0.1 was first released in February 2019 and has since received a lot of really good updates. v0.2 was released in May and added p2p comms over SMB named pipes, and v0.3 was released in August with a brand new web interface. Even though it's such a young project, it has really proven itself to be a capable tool for offensive operators. I hadn't looked at Covenant since v0.1.x, but after contributing some new additions to SharpSploit it kinda got my geek going again. One of my areas of interest is weaponising the Grunt stager.
FortyNorth Security recently posted an article detailing the process for leveraging MSBuild to execute unmanaged PowerShell, and automating it in Aggressor script for Cobalt Strike users. Because MSBuild is a native, signed binary that ships with the Windows OS, using it to execute code is a common application whitelisting (AWL) bypass technique, which is handy in relatively well locked-down environments.
The main impetus behind this post was me experimenting with ways to leverage TikiSpawn with some of the popular lolbins.
In my previous post, I described how one could leverage CVE-2019-0841 to backdoor the LAPS AdmPwd.dll for EoP to NT AUTHORITY\SYSTEM. The obvious follow-up question is: if a machine is not using LAPS, what can you do? Well, Rich Warren provided one solution, using the Windows Diagnostics Hub Standard Collector Service.