Network Domination & Persistence

Finding the proverbial ‘needle in the haystack’ (a modern server room); image courtesy of
Gaining domain admin — a scary proposition for all IT departments; shock & awe best conveyed by Shelley Duvall’s expression in The Shining

Gaining Domain Admin

Using Inveigh to obtain NTLMv1/NTLMv2 hashes; image courtesy of GitHub
Using Impacket for SMB/NTLM relays; image courtesy of DiabloHorn
Wireshark packet captures; image courtesy of Wireshark
Metasploit SMB Capture 1; courtesy of Offensive Security
Metasploit SMB Capture 2; courtesy of Offensive Security
Responder; image courtesy of 4ARMED
Responder; image courtesy of
Sample spear phishing email attack against USAA; courtesy of


Kerberos the 3-headed mythical beast guarding the gates of Hell; courtesy of
Using PowerShell to request service account SPNs; image courtesy of STEALTHbits Technologies
Using Mimikatz to extract Kerberos service tickets; courtesy of Mimikatz

Gaining Asset Admin

Privilege Escalation attack on Windows 10 machine from Safe Mode
MSCONFIG Boot Settings restored to normal boot (uncheck Safe boot)

Exfiltrating Sensitive Data

Using Windows Secure Copy to exfil data; courtesy of WinSCP
Using OpenStego to exfil data

Long-Term Persistence via ‘Living-off-the-Land’

Example of PowerShell used in conjunction w/ BITSAdmin tool to download files; courtesy of Matt’s DFIR blog
Example of using Mimikatz to retrieve plaintext login passwords from volatile memory; credits bytes > bombs
Example of Windows command line downloading the BITSAdmin tool; image courtesy of bytes > bombs
Changing a user’s password by elevating PsExec’s privileges; credits Chris Sanders
A malicious executable being launched remotely; credits Chris Sanders
Using PowerLurk to build malicious WMI Event Subscriptions; credits KitPloit

Nasty Afterthoughts


