TTPwire Vol. 1 · MITRE ATT&CK Tagged


Black Hills InfoSec

Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan

BHIS · 2025-01-20

ATT&CK techniques detected

23 predictions
T1572 Protocol Tunneling (98%)
“…hell, we’re going to run another SSH command. This time we’re going to listen to the localhost, the workstation’s localhost, 127.0.0.1, right, localhost on port 80. So on the local workstation for 88 we’re going to listen and we’re going to push that over to port 8080 on …”
T1572 Protocol Tunneling (95%)
“in the slide deck and I can go back there, we can talk about that again. It doesn’t hurt my feelings at all. The first SSH tunnel again is a reverse listener on 9050. So that opens a socket on the Linux system that we can shovel proxychains back through. Any TCP-based tool can…”
T1572 Protocol Tunneling (90%)
“with desktop components will be. Probably not Windows Core, but it might be there. I don’t know. Does anybody. Hey, listen, there’s not supposed to be a GUI on. Yeah, there’s not supposed to be a GUI on domain controllers. Darn it. Kent Ickler: Wow. All right, all right. So…”
T1557.001 Name Resolution Poisoning and SMB Relay (88%)
“file in a share and that starts the service automatically. I don’t, I don’t have that link handy, but I might find it after. Regardless, are there any services on modern Windows Server builds that can be used for coercion? And I think the theory here is that. Have you tested …”
T1021.001 Remote Desktop Protocol (87%)
“, 100%, you can have this auto proxy, proxy configuration file. The machine will submit creds. So I have used that to get shadow credentials in AD. So it’s basically like I’m prepped and ready on this subnet to target shadow credentials on the domain. And so in theory, if yo…”
T1003.008 /etc/passwd and /etc/shadow (84%)
“? Kent Ickler: So, and then the next slide is what are shadow creds? Jordan Drysdale: So okay, so why shadow creds? We’re going to talk about an LPE, right? Local privesc, or priv-esc. All right, so there’s lots of different LPEs out there. There’s been ones that have been ou…”
T1068 Exploitation for Privilege Escalation (74%)
“here we’re going to talk about this very specifically from an attacker perspective. And that’s because this is a consistently effective local privesc technique. LPE, we’ll use that acronym a bunch today. This has been around for going on four years now. And we just like …”
T1558.003 Kerberoasting (71%)
“if, if anyone can understand, if anyone can explain this better, please help me understand. My understanding is that key can deserialize a portion of the object to recover the, to deserialize a portion of the key credential to recover that NT hash. Next up, gets4uticket. T…”
T1558 Steal or Forge Kerberos Tickets (63%)
“component there. Kent Ickler: Wow, look at this. Holy cow, it’s beautiful. Jordan Drysdale: Well, thank you. Kent Ickler: Yeah, no doubt. So describeTicket can tell us a little bit about this. Kent pointed out that you could also right-click on that PFX in Windows and say hey, can…”
T1558.003 Kerberoasting (62%)
“so it requires a couple of services. Windows 10, we’re going to lean on the WebClient service and we need to manipulate that to start, which is possible as a low-priv user; show you how to do that. Or if you’re running Windows 11, that coercion doesn’t seem to work as well with…”
T1572 Protocol Tunneling (58%)
“on this host down the tunnel. Since we used proxychains, authenticate using this set of credentials here, domain, enumerate all pipes. So what’s happening? Jordan Drysdale: Outbound connection from PetitPotam across that tunnel we created to the localhost where the tunnel ori…”
T1003.008 /etc/passwd and /etc/shadow (55%)
“Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan. This webcast was originally published on January 9, 2025. In this video, Kent Ickler and Jordan Drysdale discuss Attack Tactics 9: Shadow Credentials for P…”
T1187 Forced Authentication (55%)
“by ntlmrelayx. Kent Ickler: Correct. Actually, it got an inbound HTTP request. Jordan Drysdale: Thank you. Kent Ickler: Right. Not SMB. What we got was user authentication. This came from user land. Right. So I’m a user. I’m performing some activity. I say, hey, Windows, can y…”
T1588.002 Tool (52%)
“Attack Tactics 9, and Kent and Jordan are going to do a deep dive in some of the attacks that we do here at Black Hills as far as our pen testing services. Now if you ever need a pen test, red team, threat hunt, ANTISOC, which is continuous pen testing with your friendly APT group…”
T1003.008 /etc/passwd and /etc/shadow (50%)
“shadow creds. And why is it like this shadow cred? Like we think of credentials, we think it’s something typically like username, password. Right. Is a credential and we all kind of recognize that. We can then go on to say like multi-factor authentication has that like third com…”
T1187 Forced Authentication (47%)
“’ve got ntlmrelayx. That port forwarded that off to our Linux system. So ntlmrelayx on that Linux system just had some sort of activity that happened where it was listening and it just got an SMB protocol connection to do something looking for file jpeg, which didn’t exist, but …”
T1003.008 /etc/passwd and /etc/shadow (45%)
“so kind of take a look at it from that perspective. But we’re going to give the commands and demonstrate it here for you as well. Again, this is our number one LPE for 2024. Kent Ickler: Yeah. And when we do demonstrate the actual attack, if you subtract all the prep work, the captu…”
T1021.001 Remote Desktop Protocol (44%)
“log into thin clients, a desktop image. Jordan Drysdale: If your domain users can log into any system by RDP, you’re doing it wrong. Domain users should not be. No, they have not. Kent Ickler: Absolutely not. Jordan Drysdale: Okay, but by default they are. Kent Ickler: So here’s t…”
T1090.002 External Proxy (43%)
“just a reminder, it is illegal to hack systems. It is a state crime in every state in the US; it is a federal crime. So that means two trips to court should you choose to attempt wiretapping. Now we create two tunnels. The first tunnel we will use to establish a remote tunnel. Thi…”
T1090.003 Multi-hop Proxy (41%)
“just a reminder, it is illegal to hack systems. It is a state crime in every state in the US; it is a federal crime. So that means two trips to court should you choose to attempt wiretapping. Now we create two tunnels. The first tunnel we will use to establish a remote tunnel. Thi…”
T1558.003 Kerberoasting (36%)
“component there. Kent Ickler: Wow, look at this. Holy cow, it’s beautiful. Jordan Drysdale: Well, thank you. Kent Ickler: Yeah, no doubt. So describeTicket can tell us a little bit about this. Kent pointed out that you could also right-click on that PFX in Windows and say hey, can…”
T1070.004 File Deletion (35%)
“…Drysdale: It’s there. Kent Ickler: I couldn’t be more distracted. This is one of the most distracted webcasts I’ve experienced. Jordan Drysdale: I’m not distracted at all. Kent Ickler: So, yeah, I mean, we can now list objects as well with Whisker. Whisker list object. We coul…”
T1558.003 Kerberoasting (34%)
“…enticated coercion, you can still coerce systems and machine authentication with credentials. We’re going to use PKINITtools for ticketing. We’re going to create, request an S4U2 service ticket for a privileged user to perform that escalation and then establish remote comm…”

Summary

In this video, Kent Ickler and Jordan Drysdale discuss Attack Tactics 9: Shadow Credentials for PrivEsc, focusing on a specific technique used in penetration testing services at Black Hills Information Security.

The post Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan appeared first on Black Hills Information Security, Inc.