1. Pivot Checklist

Pivot Test (Assumed Compromise) Checklist

---

Before testing begins

One week before the test

• Check SOW for any non-standard test elements
  • Targeting of specific resources/objectives
  • Unique remote/environmental access requirements
• Test remote access to testing system/network

Note: If the customer is providing a physical device to perform testing from (i.e. laptop), Systems has a PiKVM device for use in these situations. You can email systems@blackhillsinfosec.com to request the device if it is available.

Test start

• Review the ROE notes for special requests/requirements, status update requests, etc.
• Send the Start email to the customer.

Shortcuts for better screenshots (optional)

Rhino made these shortcuts that automatically change the font size, color, window width, etc. of the PowerShell and Command Prompt windows to take better screenshots. Consider copying them to the desktop of the test workstation if you are working from the Windows GUI, so you’ll get good looking screenshots.

• Optionally download and copy these shortcuts to the test computer: https://github.com/Wh1t3Rh1n0/edc/tree/main/portable

---

Is a physical device provided by the customer being used?

• Windows Privilege Escalation - Physical Access

---

Endpoint Defenses (AV/EDR) Enabled? - Establish method for running tools

Important

Antivirus and other defenses should typically be disabled for a Pivot test (as opposed to a C2 test). But this is something you must discuss with the customer on the ROE call if you want them to be disabled.

This section is here in case the customer didn’t want to disable endpoint defenses or in case you didn’t know/forgot to bring it up on the ROE call. (NBD. It has happened to me. 😉 🦏)

Access to administrative tools

• If defenses are intact and you can run these tools, this is a finding.
• If defenses have been disabled, Rhino’s opinion is that this shouldn’t be a finding. Maybe you wouldn’t be able to run these tools if defenses were enabled? Who knows? 🤷‍♂️

• Can you run:
  • cmd.exe
  • powershell.exe
  • powershell_ise.exe
• Can you install Python from the Microsoft Store?
• Can you install Kali Linux from the Microsoft Store and run it afterward? (Typically requires admin privileges.)

Hacking tool execution methods

• If you’re using Cobalt Strike or other C2:
  • Try executing BOFs/assemblies in memory.
  • Try executing tools on your own system and proxying them through your C2 channel. Related pages that might be helpful:
    • Lateral Movement Best Practices
    • Cobalt Strike SOCKS Proxy (SOCKS4a)
• Try downloading and running our Pipeline tools from disk.
• Check for antivirus exception folders and run your tools from those locations.
• Try using PowerShell. Can you:
  • Execute PowerShell scripts from disk?
  • Execute PowerShell scripts in memory with a download cradle?
  • Paste the script into a new, unsaved script in PowerShell ISE and run from there?
  • Paste into an interactive PowerShell shell?
  • Bypass AMSI?
    • PowerShell version 2: powershell.exe -version 2
    • PowerShell AMSI Bypass - RastaMouse
  • Obfuscate the script, and then try all these methods again after obfuscation.
• Python - Helpful documentation here: Windows - Non-Admin Install of Python and Impacket
  • Open the Windows store either through the GUI or by running python.exe, and install Python from the Windows store. Then download and use Python-based tools such as Impacket. This can be done without local administrator privileges.
• Kali - If you can install and run Kali Linux from the Windows Store, run Kali and use it for testing. You can run anything you like within the Kali console.

Important

If you’ve exhausted everything you know to get stuff to work and you think it’s going to impact testing or prevent you from doing the things you need to do: Explain the situation and its impact to the customer and ask if they’ll disable endpoint defenses to let testing continue.

---

Initial enumeration

• Check if your user already has local administrator privileges. This may be a finding, if so.

Run enumeration tools

• Upload and run: https://github.com/Wh1t3Rh1n0/test-system-enumeration

  • Download all the output saved to the “Enum-Output” folder in the location where the script is run.

• Run a Bloodhound Ingestor (e.g. SharpHound) - Bloodhound and SharpHound Execution

  • BE SURE TO RUN BLOODHOUND SEPARATELY ON EVERY DOMAIN!! - See “domain-trusts.txt” in the Enum-Output for a list of domains.
  • Run CollectionMethod All
  • Run CollectionMethod Session --Loop
    • This one will run for a while…

Egress test

• Scan for outbound ports allowed out
  • Nmap or Outbound Port Scan using PowerShell

Run long-running attacks

• Kerberoast (cracking will be the long-running part) - See: Kerberoasting…
• AS-REP Roast
  • AS-REP Roasting example with Rubeus:

execute-assembly /pipe/ANY/4.5/Rubeus.exe asreproast /outfile:C:\Users\allem\Desktop\09-03_0025_asreproast.txt 

• Scan SMB Shared Folders for Interesting, Sensitve Files

• Password spray: Internal password spraying - Domain users

---

Parse enumeration output to identify attack paths

Parse Enum-Output files

• Grep the C:\ dump for useful files

  grep --color -Ei '\\(python|ruby|java|cpp|cs|gcc|gpp).exe|unattend.xml|\\(sysprep|panther)(\\.*unattend.*\.xml|$)' c-drive.dump

  • Examine unattend.xml if found
  • Manually test python.exe if found. It may just be a shortcut to the Microsoft Store - not really python.

• Examine the SAVED PowerShell history

  • PowerShell--ConsoleHost_history.txt in Enum-Output
  • Manually check these paths from a PowerShell shell:

explorer ((get-PSReadlineOption).HistorySavePath)
 
explorer ((get-PSReadlineOption).HistorySavePath)\..

• Check the registry AutoLogon entries output in Enum-Output\registry-AutoLogon.txt

• Search domain user and group comments for passwords.

  • Example of doing this using files in Enum-Output:

# Search for "pass" or "pwd"
grep -iEh 'comment|(User|Group) name' comments--*.txt | grep --color -Ei 'comment.*(pass|pwd)' -B1
 
# Search for "admin"
grep -iEh 'comment|(User|Group) name' comments--*.txt | grep --color -Ei 'comment.*admin' -B1
 
# Search for "change"
grep -iEh 'comment|(User|Group) name' comments--*.txt | grep --color -Ei 'comment.*change' -B1

• Check for passwords on SYSVOL
  • Relevant files in Enum-output:
    • sysvol--cpassword_search.txt - “cpassword” strings only
    • sysvol--password-search.txt - All “password” strings found in Group Policy XML files on SYSVOL
      • Sometimes there will be autologon passwords, etc in here even if there were no cpassword strings
    • sysvol--password-search-FULL.txt - ALL “password” strings found on the entire SYSVOL share
  • Decrypt cpassword strings with gpp-decrypt

Analyze Bloodhound data

• Search for attack paths in the Bloodhound GUI

  • Try all the “Pre-Built Analytics Queries” and the “Favorite” queries in customqueries.json

• Run queries in the Neo4J interface

  • Cypher Queries to Find Credentials
  • Bloodhound Queries that Result in Findings
  • Misc Bloodhound Cypher Queries
  • Queries for Demonstrating Impact, Hunting Crown Jewels
  • Bloodhound Queries for Target Selection
  • Get more High Value Targets in Bloodhound - Direct Admins
  • (Old) Get More High Value Targets

Analyze SMB shared files (Snaffler)

• Review SMB shared file scans/Snaffler output for sensitive data
  • Less obvious stuff to look for:
    • .WIM files:
      • Can be opened over the network (without downloading) using the 7-Zip GUI. There is a portable version.
      • Contain Windows registry hives that you can pull hashes from.

Some commands that might help with analyzing the output:

• Converting snaffler output to a list of UNC paths:

grep -Eo '\(\\\\([^\)]*[^[:space:])]\\)*[^\)]*' <SNAFFLER-LOG-FILE> | sed -E 's/^\(//g' > UNC-PATHS.txt

• Converting Invoke-FileFinder CSV output to a list of UNC paths:

awk -F '","' '{print $3}' <INVOKE-FILEFINDER.CSV> | grep -E '^\\\\' > UNC-PATHS.txt

---

Local privilege escalation

• Check if already local admin if not checked already.
• Run whoami /priv and check for any dangerous privileges. (Examples here: https://docs.devincud.com/posts/windows-privilege-escalation/#user-privileges)
• CMD shortcut trick:
  • Create a new shortcut to cmd.exe.
  • Open the shortcut Properties and check the box for run as administrator.
  • Run the shortcut.
  • This works in environments where third-party software on the workstation is configured to automatically allow installers or other programs that programmatically request to be run with elevated privileges to do so.
• Check for Unattend.xml if not checked already.
• Scan for local privilege escalation vulnerabilities: Windows Local Privilege Escalation Tools

To Do

🦏: Need to add a section here that links to reference material for exploiting some of the very common privilege escalation scenarios we encounter. Examples:

• Service binary permissions
• Service configuration permissions
• WSUS HTTP configuration - commonly reported by PrivEscCheck
• Local privesc Gab did on that 2022-03 project
• KrbRelayUp

---

Local administrator post-exploitation (if escalation successful)

• Gather credentials
  • Dump local & cached hashes. Can use reg.exe, regedit.exe, or various tools.
  • Dump credentials from LSASS. Can use taskmgr.exe or various tools.
  • Dump RDP cleartext credentials with Mimikatz
• Crack password hashes
• Test for widespread local administrator accounts/access:
  • Spray cleartext passwords for local admin access
  • Spray NTLM hashes for local admin access

---

Domain privilege escalation exploits

Exploits that go straight from domain user to DA.

• Active Directory Certificate Services (ADCS) vulnerable template exploitation

---

Abuse the current user’s privilege level

Search for stored credentials

• Check for passwords in SYSVOL if not done already. See Enum-Output.
• Consider copying the entire SYSVOL share offline for additional analysis
  • xcopy /C /E \\%USERDNSDOMAIN%\SYSVOL
  • You may need to ZIP it up before downloading it from the test computer.
• Explorer - Search LDAP for passwords

Scan for administrative access

• Scanning for Local Administrator Access
• Scanning for RDP access (PowerShell, xfreerdp)

Credential capture

• Try to passively capture network credentials
  • Start Inveigh/Responder
  • Check the company’s software center for Wireshark, Npcap, etc. Or try running Wireshark portable.
• Create LNK/URL files whose icon references the listener and deploy them to SMB shares to elicit authentication requests.
  • See: Deploy Windows shortcuts (LNK or URL files) to collect hashes with Inveigh, Responder, NTLMrelayx

Test access to SQL services

• Basic Tests Checklist for PowerUpSQL
  • Alternate SQL tools: SharpSQL, DAFT

More stuff to try

• Search for passwords on:
  • SharePoint
  • Microsoft Teams — Has had very good results before
  • OneDrive
• Analyze output from previous commands left running.
  • Check on password sprays
  • Check on password cracking tasks
    • Spray cracked passwords for local admin access
    • Spray cracked passwords for reuse on other domain user accounts
• Repeat the checklist on any new user accounts or computers that are compromised.

---

Still nothing?

• Port scan for low hanging fruit
  • 80 and 443 - web services
    • Try logging in to web applications with domain user credentials
    • Printers and copiers: Check for stored SMB/LDAP credentials and attempt to retrieve the credentials by:
      • Viewing the value of password fields (view source/inspect element)
      • SMB/LDAP PassBack attacks
• Check for old Windows versions that may be vulnerable to RCE exploits (MS17-010, MS08-067? lol)
  • See BloodHound or Get-ExploitableSystem with PowerView for targets