Living Off the Foreign Land

At Deloitte we are performing Red Teaming on a daily basis. During our Red Team operations, we encounter a myriad of IT environments with varying levels of detection mechanisms. Such mechanisms also force us, as Red Teamers, to come up with innovative ways to laterally move and blend in as much as possible with the activities that are already happening in the network.

This challenge to stay under the radar resulted in a novel way where instead of performing activities in the memory of a compromised machine, the machine is only used for routing network traffic into the target network over a reverse SOCKS proxy. This is possible using a setup on the attacker side where a combination of a Linux and Windows machine is used to tunnel built-in Windows tools that can be used for offensive activities towards the target network.

This article aimed for both seasoned red teamers as well as less experienced ethical hackers will first discuss how to configure a setup where the offensive Windows machine can authenticate using Kerberos to the target domain. Next it will discuss the various built-in Windows tools and PowerShell cmdlets that can be used to perform offensive activities on systems in the target network, stealthily blending into the regular network traffic.

The full article goes into depth on both the setup and use of built-in Windows tools for offensive purposes.