Loading
Preparing your Intelligence workspace
We are restoring your source feed, E-Fraud Watch context, account state, and trust signals.
Loading
We are restoring your source feed, E-Fraud Watch context, account state, and trust signals.
00:00 - Introduction 01:05 - Start of nmap 03:50 - Grabbing files off the open share, looking at logs and seeing an error message that contains an old credential 07:50 - Using BloodyAD to pull information from the account to see password last set, also running BloodHound 09:45 - Running Certipy, then using JQ to show me certificates with non-default groups/accounts in enrollment 12:25 - Going over Bloodhound, showing our SVC_RECOVERY can take over MSA_HEALTH$ 16:30 - Showing BloodyAD to allow ourselves read access to the MSA_HEALTH$ password, could also do Shadow Credentials 20:30 - Getting on the box with WinRM, discovering Monitor.ps1 file. Use COM to look at scheduled task 24:30 - Using MSFVenom to create a malicious DLL, zip it up and upload wait for the scheduled task to execute it 32:40 - Got access to Jaylee Clifton, using Rubeus tgtdeleg to get us a Kerberos ticket so we can run commands as them on our box 38:45 - Using Certipy to confirm the server is vulnerable to ESC17 41:45 - Looking at WSUS Config, discover things are pointed to wsus.logging.htb which does not exist 46:10 - Using Certipy to create a certificate that can impersonate wsus.logging.htb 49:00 - Setting up WSUKS to push a malicious windows update
Trust cues for videos