Living Off the Foreign Land


Using Windows as Offensive Platform

As environments are getting increasingly complex, attackers, administrators and defenders need to invent new ways to hack into systems and prevent and detect such hacking attempts. In the past decade there has been a lot of development on both sides. This blog discusses a novel way in which attackers are able to stay under the radar while performing their offensive activities.

At Deloitte we perform Red Teaming on a daily basis. During our Red Team operations, we encounter a myriad of IT environments with varying levels of detection mechanisms. Such mechanisms also force us, as Red Teamers, to come up with innovative ways to move laterally and blend in as much as possible with the activities that are already happening in the network.

This challenge to stay under the radar led to a novel approach: instead of performing activities in the memory of a compromised machine, the machine is used only to route network traffic into the target network over a reverse SOCKS proxy. This is made possible by a setup on the attacker side in which a Linux machine and a Windows machine are combined to tunnel built-in Windows tools, which can be used for offensive activities, towards the target network.

This article, aimed at both seasoned red teamers and less experienced ethical hackers, will first discuss how to configure a setup in which the offensive Windows machine can authenticate to the target domain using Kerberos. Next, it will discuss the various built-in Windows tools and PowerShell cmdlets that can be used to perform offensive activities on systems in the target network, stealthily blending into the regular network traffic.

The full article goes into depth on both the setup and use of built-in Windows tools for offensive purposes.