Red Team SNCF

AD CS

Outbound Trusts, AD CS, and Tool Adaptation, Adventures in Cross-Domain Pivoting March 25, 2025 11 minute read Written by @Dram4ck

Table of Contents

  • Introduction
  • Setting the Scene
  • Steps to Victory
    • Step 1: Getting a Foothold
    • Step 2: Extracting the Trust Account
      • Confirm the Trust Exists
      • Find the Trust Object
      • Extract the Trust Account Hash
      • Alternate Method: Dump It From Memory
      • Accessing Resources in domain-b.local
    • Step 3: Exploiting AD CS
      • Certify on Windows: The DIY Method
        • The Problem
          • Not Working Case 1: Using a Non-Domain-Joined Machine with an Injected TGT
          • Not Working Case 2: Using a Domain-A... read more

Active Directory

Outbound Trusts, AD CS, and Tool Adaptation, Adventures in Cross-Domain Pivoting March 25, 2025 11 minute read Written by @Dram4ck

Code injection

How to create your own mythic agent in C May 23, 2024 27 minute read Written by @ZkClown & Ze_Asimovitch

Table of Contents

  • Abstract
  • Understand the framework
    • Mythic
    • Let’s start our Mythic instance
  • Create our payload and translator
    • Create our Skeleton
    • Customise our skeleton
      • Agent side
      • Translator side
  • Create communication diagram
    • Craft your own protocol
    • Understand what Mythic wants
      • Check-in
      • Get Tasking
      • Post Response
  • Crafting the agent’s architecture
    • Project structure
    • Ceos configuration
  • Implementing the communication
    • Package and Parser
    • read more
How to perform a Complete Process Hollowing January 24, 2024 36 minute read Written by @ZkClown

Table of Contents

  • Abstract
  • Basic Process Hollowing
    • Definition
    • Start a suspended process
    • LoadPE and Retrieve NT Headers
    • Allocate Memory
    • Copy PE in target process
    • Image base Relocation
    • Changing the entrypoint and resuming the execution
  • Make the remote process load the required libraries
    • Load an arbitrary DLL in a remote process
    • Resolve injected PE IAT to make the remote process load all the dependencies
    • Resolve the functions and libraries addresses on the remote process
    • Retrieve the libraries and function addresses
    ... read more

Coding

How to create your own mythic agent in C May 23, 2024 27 minute read Written by @ZkClown & Ze_Asimovitch
How to perform a Complete Process Hollowing January 24, 2024 36 minute read Written by @ZkClown

Malware Development

How to create your own mythic agent in C May 23, 2024 27 minute read Written by @ZkClown & Ze_Asimovitch
How to perform a Complete Process Hollowing January 24, 2024 36 minute read Written by @ZkClown

Pivoting

Outbound Trusts, AD CS, and Tool Adaptation, Adventures in Cross-Domain Pivoting March 25, 2025 11 minute read Written by @Dram4ck

Red Team

Outbound Trusts, AD CS, and Tool Adaptation, Adventures in Cross-Domain Pivoting March 25, 2025 11 minute read Written by @Dram4ck

Windows

Outbound Trusts, AD CS, and Tool Adaptation, Adventures in Cross-Domain Pivoting March 25, 2025 11 minute read Written by @Dram4ck
How to create your own mythic agent in C May 23, 2024 27 minute read Written by @ZkClown & Ze_Asimovitch
How to perform a Complete Process Hollowing January 24, 2024 36 minute read Written by @ZkClown
  • AD CS (1)
  • Active Directory (1)
  • Code injection (2)
  • Coding (2)
  • Malware Development (2)
  • Pivoting (1)
  • Red Team (1)
  • Windows (3)

    2025 © Red Team SNCF
