In this video, Trenton Ivey, Secureworks Offensive Researcher, Counter Threat Unit and Adversarial Security Testing, gives a demonstration of how, after initial compromise, an attacker would obtain a domain administrator's password using Mimikatz.
We now have administrative-level access to a system owned by a domain controller. Let's use Mimikatz to try to pull credentials from memory and recover the domain administrator's password. Mimikatz has recovered the user's domain password. This password isn't bad; this credential would've taken a very long time for us to crack.
Fortunately for us, local admin access enabled us to read system memory with Mimikatz and get a clear text domain admin credential. While not the most stealthy approach, let's see if we can get access to the domain controller by using Invoke_wmi once again.
We now have administrative access to the domain controller. Let's use Mimikatz one more time. This time, we'll dump domain user hashes from the LSASS process. There are safer and stealthier ways to do this, but this method will be good enough for now. Now we can become anyone we want.
With a KRBTGT token, we can create our own Kerberos tickets for anyone in the domain. Now the only way for the blue team to keep us out of the domain account is to reset the whole domain. All we need to do now is complete the remaining objectives.
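Both credential-dumping steps in the demonstration (recovering the cleartext domain admin password on the first host, and dumping domain hashes on the domain controller) rely on a process opening a read handle to LSASS memory. The script below is an added detection example written for this page, not code from the video or from Secureworks: it scans constructed log lines shaped like Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted image that obtains a handle to lsass.exe with the PROCESS_VM_READ right. The field layout of the sample lines, the allowlist contents and the process names are assumptions for illustration.

```python
"""Flag processes that open a memory-read handle to lsass.exe.

Added detection example for the credential-dumping steps shown in the video.
The log lines below are constructed for this example and loosely follow the
SourceImage / TargetImage / GrantedAccess fields of Sysmon Event ID 10; they are
not real events. The allowlist is an assumption and must be tuned per host.
"""
import re
from dataclasses import dataclass

# Windows process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed set of images that routinely touch LSASS on a healthy host (tune per environment).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Minimal field extractor for the constructed "key=value" line format used below.
LINE_RE = re.compile(
    r"SourceImage=(?P<src>\S+)\s+TargetImage=(?P<tgt>\S+)\s+GrantedAccess=(?P<acc>0x[0-9a-fA-F]+)"
)


@dataclass
class Alert:
    source_image: str
    granted_access: int
    reason: str


def parse_event(line):
    """Return (source_image, target_image, granted_access) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("tgt"), int(m.group("acc"), 16)


def is_memory_read(access):
    """A handle that includes PROCESS_VM_READ is enough to read credential material out of LSASS."""
    return bool(access & PROCESS_VM_READ)


def find_lsass_access(lines):
    """Return one Alert per non-allowlisted process that opened lsass.exe with read access."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not a ProcessAccess-style record; ignore
        src, tgt, acc = ev
        if not tgt.lower().endswith(r"\lsass.exe"):
            continue  # only interested in handles to LSASS
        if not is_memory_read(acc):
            continue  # query-only handles (e.g. 0x1000) are common and benign
        if src.lower() in ALLOWLIST:
            continue  # expected system component
        alerts.append(Alert(src, acc, f"memory-read handle to LSASS (GrantedAccess=0x{acc:x})"))
    return alerts


# Constructed sample log: two benign svchost handles, one unrelated event, one
# unparseable line, and two handles that should be flagged.
SAMPLE_LOG = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\bob\\Downloads\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Windows\\System32\\notepad.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1fffff",
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "this line is not a process access event",
]


if __name__ == "__main__":
    for alert in find_lsass_access(SAMPLE_LOG):
        print(f"ALERT: {alert.source_image}: {alert.reason}")
```

The check keys on the access mask rather than on the tool name, so it catches renamed or in-memory loaders the same way it catches a stock Mimikatz binary; the trade-off is that an allowlist of legitimate LSASS readers is required, and a PowerShell host opening LSASS (the second flagged line) is exactly the kind of event worth escalating from a domain controller.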
The old approaches to cybersecurity are no longer adequate. It’s time for something new. Layered defenses can create almost as many problems as they solve, and security teams struggle to keep up with the threat. What you need is context across all your layers of defense with the right people, processes, and technology working together in concert. That’s how Secureworks can help. Using 20+ years of industry knowledge, advanced analytics, industry-leading threat intelligence, and the network effect of more than 4,000 customer environments, we provide world-class cybersecurity solutions to customers around the globe. This unmatched experience empowers our customers to be Collectively Smarter. Exponentially Safer.™
Our Managed Detection and Response (MDR) solution is comprehensive, powered by our cloud-native software Red Cloak™ Threat Detection and Response that uses AI and machine learning to deliver better outcomes for your security operations. MDR unifies telemetry from your existing security technology to maximize visibility, reduce complexity, and enable you to move at the speed of the threat. Learn more about how Managed Detection and Response uses contextualized visibility to improve your organization’s security posture.