Schema of Exploitation

General

In a hacking attack, the initial compromise stage is the first step where the attacker gains access to a target's system. This can be achieved through various methods, such as phishing emails, social engineering tactics, or exploiting known vulnerabilities in software or operating systems. The attacker's next move is to establish a foothold on the system, which is done by installing malware or backdoors to maintain access to the system even if the initial point of entry is discovered and removed.

Once the attacker has a foothold, they will try to escalate their privileges on the system in order to gain higher-level access. This can be done by exploiting vulnerabilities in the operating system or software that allow the attacker to gain administrator-level access. Once the attacker has administrator-level access, they have full control over the system and can perform tasks such as creating new user accounts, installing malware, and exfiltrating data.

After the attacker has escalated their privileges, they will conduct internal reconnaissance to gather more information about the internal network, in order to identify other potential targets or sensitive data. The attacker may use tools such as Windows Management Instrumentation (WMI), PowerShell, or the command prompt to gather information about the victim's system and the network it is connected to.

The attacker may also move laterally in the network, using the information gathered during the internal reconnaissance stage to identify and compromise other systems on the network.

Finally, the attacker will try to maintain their presence on the system, by using persistent backdoors, such as a service or scheduled task that will re-establish the attacker's access even if the original point of entry is removed. This will allow the attacker to maintain access to the system and continue to exfiltrate data or carry out other malicious activities.

![[Pasted image 20230111201727.png]]

The following mindmap can assist you in outlining the specific steps required to achieve your goal. ---> [[Mindmap]]

  • Initial Compromise Example: Initial compromise in a Windows hacking scenario could be through the use of a phishing email. The attacker sends an email to the victim that appears to be from a legitimate source, such as a bank or a company the victim does business with. The email contains a link to a website that looks legitimate but is actually a fake site controlled by the attacker. The victim is prompted to enter their login credentials on the fake site, which the attacker then uses to gain access to the victim's account.

  • Establish Foothold Example: Establishing a foothold in a Windows hacking scenario could be through the use of an exploit. The attacker identifies a vulnerability in the software or operating system running on the victim's computer and creates an exploit for that vulnerability. Once the exploit is delivered to the victim's computer, it can be used to gain access to the system without the need for user interaction. This can be done by sending a malicious email with a link or an attachment, or by using a vulnerability scanner to find vulnerable systems on the network and exploiting them. Once the attacker has access to the system, they can use it as a jumping-off point to move deeper into the network and gain access to other systems.

  • Escalate Privilege Example: Escalating privileges in a Windows hacking scenario could be through the use of a privilege escalation exploit. After an attacker has established a foothold on a victim's system, they may find that they have limited access to the system's resources and functionality. To gain more control, the attacker can try to escalate their privileges on the system by exploiting a vulnerability in the operating system or software that allows them to gain higher-level access. One example of this could be exploiting a vulnerability in the Windows operating system that allows an attacker with low-level access to execute a payload that grants them administrator-level access. Once the attacker has administrator-level access, they have full control over the victim's system and can perform tasks such as creating new user accounts, installing malware, and exfiltrating data.

  • Internal Recon Example: Internal reconnaissance in a Windows hacking scenario takes place after the attacker has already established a foothold on a victim's system and wants to gather more information about the internal network, in order to identify other potential targets or sensitive data. The attacker may use tools such as Windows Management Instrumentation (WMI), PowerShell, or the command prompt to gather information about the victim's system and the network it is connected to.

  • Lateral Movement Example: Suppose we are performing a red team engagement where our final goal is to reach an internal code repository, and we got our first compromise on the target network by using a phishing campaign. Usually, phishing campaigns are more effective against non-technical users, so our first access might be through a machine in the Marketing department.

    Marketing workstations will typically be limited through firewall policies from accessing any critical services on the network, including administrative protocols, database ports, monitoring services or anything else that is not required for their day-to-day work, including code repositories.

    To reach sensitive hosts and services, we need to move to other hosts and pivot from there to our final goal. To this end, we could try elevating privileges on the Marketing workstation and extracting local users' password hashes. If we find a local administrator, the same account may be present on other hosts. After doing some recon, we find a workstation with the name DEV-001-PC. We use the local administrator's password hash to access DEV-001-PC and confirm it is owned by one of the developers in the company. From there, access to our target code repository is available.

    (Figure: Simple Lateral Movement)

    Notice that while lateral movement might need to be used to circumvent firewall restrictions, it is also helpful in evading detection. In our example, even if the Marketing workstation had direct access to the code repository, it is probably desirable to connect through the developer's PC. This behaviour would be less suspicious from the standpoint of a blue team analyst checking login audit logs.

  • Maintain Presence Example: Maintaining presence in a Windows hacking scenario could be through the use of a persistent backdoor. After an attacker has successfully exploited a victim's system, they may want to maintain access to it even if the victim or an administrator takes steps to remove the original point of entry. One way to do this is by planting a persistent backdoor on the compromised system, such as a service or scheduled task that will re-establish the attacker's access even if the original point of entry is removed.
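The lateral movement example above ends with the blue team analyst reading login audit logs. The following is an added illustration, not part of the original note, of the kind of check that analyst would run: it takes constructed, simplified Windows Security event 4624 records (plain dicts; field names mirror the event but the records are made up) and flags a local account that performs NTLM network logons (LogonType 3) to more than one host from the same source workstation, which is the footprint left when one local administrator hash is reused across machines.

```python
from collections import defaultdict

# Constructed sample logon records loosely modelled on event 4624 fields.
# "computer" is the host that recorded the event, "workstation" the source.
SAMPLE_EVENTS = [
    {"event_id": 4624, "target_user": "jdoe", "target_domain": "CORP",
     "logon_type": 2, "auth_package": "Kerberos",
     "workstation": "MKT-017-PC", "computer": "MKT-017-PC"},
    {"event_id": 4624, "target_user": "Administrator", "target_domain": "DEV-001-PC",
     "logon_type": 3, "auth_package": "NTLM",
     "workstation": "MKT-017-PC", "computer": "DEV-001-PC"},
    {"event_id": 4624, "target_user": "Administrator", "target_domain": "DEV-002-PC",
     "logon_type": 3, "auth_package": "NTLM",
     "workstation": "MKT-017-PC", "computer": "DEV-002-PC"},
    {"event_id": 4624, "target_user": "svc_backup", "target_domain": "CORP",
     "logon_type": 3, "auth_package": "Kerberos",
     "workstation": "BKP-01", "computer": "FS-01"},
]


def is_local_account(ev):
    """For a local (non-domain) account, 4624's TargetDomainName is the host itself."""
    return ev["target_domain"].upper() == ev["computer"].upper()


def find_local_admin_reuse(events, min_hosts=2):
    """Return {(source_workstation, user): [hosts]} for local accounts used over
    NTLM network logons (LogonType 3) against at least min_hosts distinct hosts
    from one source. Domain accounts and interactive logons are ignored."""
    seen = defaultdict(set)
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 3:
            continue
        if ev["auth_package"].upper() != "NTLM" or not is_local_account(ev):
            continue
        key = (ev["workstation"].upper(), ev["target_user"].lower())
        seen[key].add(ev["computer"].upper())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (src, user), hosts in find_local_admin_reuse(SAMPLE_EVENTS).items():
        print(f"local account {user!r} from {src} reached: {', '.join(hosts)}")
```

On real data the same logic applies to parsed EVTX or SIEM exports; the Marketing-workstation source and the developer-host destinations are the constructed values that make the sample trigger.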