ok let's #ransomware some servers! (in a lab of mine not for real coz it's NASTY!)

VMs go BRRRRR

But wait... we are gonna look at how we can PROTECT, RESPOND and RECOVER! I'm going to deploy @Veeam to help me (coz I like the product, it rocks!)

to start with I'm going to just do some PREP. We are going to need to think about Initial Access then Escalation to Domain Admin and then RAMPAGE!

I'm gonna thread some stuff whilst I build.. I'm going to start with using @VMware workstation PRO. I might do some stuff with the RACK mounted servers but let's see.

ok we are gonna simulate a DMZ RDP exposure (I'm not making a FULL lab for this) and I'm building a quick domain controller!

also lol i have a KALI VM and I totally forgot what the username was (it's a scratch one)

Ok KALI VM is ready

ok cool testing comms to the RDS01 server

also to note, WINRM (WSMAN) on TCP 5985 was open by DEFAULT, RDP I configured to be OPEN manually.

WINRM is only available on the LOCAL SUBNET by default, some NAT configs in hosting providers means that's exposed by DEFAULT as well... (the the whole internet)

ok now we have our Initial Access route sorted, let's get a domain controller (active directory domain/forest) deployed!

ok let's get this domain going on:
cni[.]gov.[]local is going to be our fictional "victim" domain

ok i'm using 2022 OS's so for CNI that's LAUGHABLE .. i should have deployed 2008 R2, I'll set the functional level down low in symbolic reference to REALITY.

i need to do a quick cofig change but whilst I'm here on Server 2022 (this build) local administrator account lockout is ENABLED by DEFAULT! here's the config for default account lockout times!

ok cool as always even in demo labs we need a MVP for docs. I'm gonna quickly demo the account lockout using HYDRA to attack RDP on the domain controler!

ok just a quick TCP port scan (remember DNS clients use UDP 53) TCP 53 is used for zone transfers!
445 - SMB/CIFS (File shares, WMI, RPC)
135,139 - MSRPC, NETBIOS etc.
389 = LDAP
636 = LDAPS
3268 = GLOBAL CAT (the all partitions in the directory!)
3268 - GCAT SSL/TLS
5985 = WINRM… twitter.com/i/web/status/1…

right ok let's fire some PEWS! I've turned on RDP and re-scnaned TCP 3389 (RDP)

now it's sensible to look at the client/server handshake with RDP, there's metadata in there you might want to know about ;)

ok PEW PEW!!
Fire the lasers! etc. etc. this is now attacking the domain controller (which has LOCKOUT local administrator enabled!)

ahh ok tweeps look! when we promoted this to a domain controller the policy WAS changed to this! so that's good to know, if you use BRAND NEW 2022 Media and you make a new domain, local administrator lockout is enabled on OS install, BUT disabled if you promote to a domain… twitter.com/i/web/status/1…

ok let's fire some pews at the RDP server....

the creds are: administrator:Pa55w0rd1!

but look... no dice... let's go check out the logs!

ok pews detected! we can see the logs here... we fire another round of PEWS! and LOCKED OUT! nice one @Microsoft @Windows @MsftSecIntel :)

for the sake of the DEMO we are going to simulate older Windows servers/clients. so I'm disabling this! it might take years for orgs to roll this feature out..

ok let's make this more real! Windows 7! I'll probably also throw in a server 2012 R2 box

PERFECTION! :P #Windows #Seven

let's backdoor this because... my creds aren't working LOL rename utilman.exe to whatever, then copy cmd.exe to utilman.exe

ok now from the RDP (NO NLA ENABLED) screen of console session we can click in the bottom left and we get a SYSTEM level CMD (pwn3d!)

wonderful back in ;) time for dinner!

ok well this part of the build is "FUN"

ok so whilst that builds... we need to think about some backup infra....

we are going to deploy @Veeam

ok cool we have a few VMs to play with. Ideally we would have loads more like app servers, web servers, DMZs etc. but i'm tired and this will do

Whilst we wait for installs, updates... let's make some LURES!

This one is TOP CLASS ATP MATERIAL based off REAL LIFE THREAT ACTORS!

I'm putting a few different types of link, I mean hell let's throw in a onenote document as well!

ok making some ciber weapons

ok our attacker is here, i'm being well lazy but we have a simple HTTP server for hosting our LURE. now we could attack in a few ways:
Phish + maldoc
Phish + Web Inra + Maldoc
Phish + cred harvester
etc.

We could also attack supply chain, web apps, internet infra (e.g. VPNS) or… twitter.com/i/web/status/1…

also i mean we could find a really expensive browser ZERO Day .. or let's just do the LIKELY thing and send someone a link to CLICK.

oh HAI A PDF!

now coz i'm lazy i've just killed the HTTP server and then run responder and simulated clicking a link to wpad.. oh look a prompt... let's enter my creds!

oh no, our IT administrator has been duped! VLAD the fuckwit criminal now has a username and a hash!

ok we have now cracked the hash for our victim IT admin.
Now we can remote in via RDP. We shall wait and do this at night when they have gone home/stopped work.

ok now our RANSOMWARE CRIMINAL has access as OPERATOR to the "REMOTE ADMIN WORKSTATION"

(this isn't fake, this occurs LOADS!)

and now our attacker can now work through the victim operators machine. This might have:

> Windows Credential Manager Creds🔥
> Browser Credentials Stored🔥
> Creds in Memory (LSASS)🔥
> Creds in the registry🔥
> Creds in files🔥
> Creds in password managers 🔥

also we can do… twitter.com/i/web/status/1…

as we can see there's LOTS that has already gone wrong... gonna pause on our ATTACKER journey as we need to deploy VEEAM and backup the stuff etc. also it's getting late! hopefully this is useful to people. it's a very rough version but this is how lots of people get ransomed (or… twitter.com/i/web/status/1…

The GAME, MRS HUDSON... CONTINUES TOMORROW!