Pfe Meriem

République Algérienne Démocratique et Populaire
Ministère de l’Enseignement Supérieur et de la Recherche Scientifique
Université des Sciences et de la Technologie Houari Boumediene
Faculté d’Electronique et d’Informatique

Département Informatique
Mémoire de Master
Filière: Informatique
Spécialité: SSI
Development of an adversary simulation tool for

attacks targeted at Windows environment.
Sujet Proposé par :

El Djazair Information Technology (ELIT)
Soutenu le : 07/15/2021
Présenté par :
LAROUI Meriem
BOUGUERRA Fatima
Devant le jury composé de:

Mr BELKHIR Abdelkader Président (e)
Mme SEDDIKI Manel Membre
Binôme N° : SSI011/ 2021

Acknowledgments
First of all, we thank God for giving us the strength and health to be
able to finish our thesis that will conclude five years of hard work,
learning, and extraordinary experiences.
Our deepest gratitude go to the engineers at ELIT for having

proposed this theme, and to our supervisor Mr.OUCHENE for the
clarifications and judicious advice, which contributed to feed our
reflection.
We would like to thank the members of the jury, Mr BELKHIR and

Miss SEDDIKI for agreeing to take the time to examine and judge
our work.
Finally, We would like to show our deepest gratitude to all the

people who contributed in any way to the success of this project directly
or indirectly, our dear teachers who have always been devoted and
formed us during these last years, and especially our families and
friends who have been always by our sides whenever we needed any
form of support.
“Learning is the only thing the mind never exhausts, never fears,
and never regrets.”
General Introduction ............................................................................................................................... 1
Chapter I : State of the art ................................................................................................ 2

1. Introduction ............................................................................................................................. 2
2. The Windows operating system .............................................................................................. 2
2.1 Definition............................................................................................................................. 2
2.2 History ................................................................................................................................. 2
2.3 Versions ............................................................................................................................... 3
2.3.1 Desktop ........................................................................................................................ 3
2.3.2 Server........................................................................................................................... 3
2.4 Active directory ................................................................................................................... 3
2.4.1 Definition..................................................................................................................... 3
2.4.2 Active Directory Services............................................................................................ 4
2.4.3 Logical Components.................................................................................................... 4
2.4.4 Physical Components .................................................................................................. 5
2.5 Functionalities of Domain Controllers ................................................................................ 5
3. Cyber attacks ........................................................................................................................... 6
3.1 Definition............................................................................................................................. 6
3.2 The Cyber kill chain ............................................................................................................ 6
3.3 Cyber-attacks on Windows operating system ..................................................................... 7
4. Cyber defense .......................................................................................................................... 7
4.1 Definition............................................................................................................................. 7
4.2 Teaming ............................................................................................................................... 7
4.2.1 Red team ...................................................................................................................... 7
4.2.2 Blue team ..................................................................................................................... 8
4.2.3 Purple teaming ............................................................................................................. 8
5. Adversary Simulation .............................................................................................................. 9
5.1 Definition............................................................................................................................. 9
5.2 Adversary simulation versus adversary emulation .............................................................. 9
5.3 Study Case of existent Adversary simulation tools ............................................................. 9
5.3.1 CALDERA™ .............................................................................................................. 9
5.3.2 ATTPwn .................................................................................................................... 10
5.3.3 Comparison and analysis of the presented tools ........................................................ 11
5.4 Benefits of Adversary Simulation ..................................................................................... 11
6. Threat intelligence ................................................................................................................. 12
6.1 Definition........................................................................................................................... 12
6.2 Threat intelligence in adversary simulation....................................................................... 12
7. The MITRE ATT&CK™ framework.................................................................................... 12
7.1 Definition........................................................................................................................... 12
7.2 History ............................................................................................................................... 12
7.3 MITRE ATT&CK Matrices .............................................................................................. 12
7.3.1 ATT&CK Enterprise ................................................................................................. 12
7.3.2 ATT&CK for Mobile ................................................................................................ 13
7.3.3 ATT&CK ICS ........................................................................................................... 13
7.4 MITRE ATT&CK tactics .................................................................................................. 13
7.5 MITRE ATT&CK techniques ........................................................................................... 14
7.6 Cyber kill chain comparison .............................................................................................. 15
7.6.1 The Unified Kill Chain .............................................................................................. 15
7.7 Use cases and benefits ....................................................................................................... 16
7.8 Challenges ......................................................................................................................... 16
8. Conclusion ............................................................................................................................. 17
Chapter II : Cyber Attacks on Windows Infrastructures ............................................. 17

1. Introduction ........................................................................................................................... 17
2. Authentication protocols in Windows ................................................................................... 17
2.1 New Technology LAN Manager (NTLM) ........................................................................ 17
2.2 Kerberos ............................................................................................................................ 19
3. Cyber Attacks on Windows systems ..................................................................................... 20
3.1 Active scanning ................................................................................................................. 21
3.1.1 Scanning IP Blocks.................................................................................................... 21
3.1.2 Vulnerability Scanning .............................................................................................. 21
3.2 Account discovery ............................................................................................................. 21
3.3 Man in the Middle ............................................................................................................. 21
3.3.1 LLMNR/NBT-NS Poisoning..................................................................................... 22
3.3.2 SMB Relaying ........................................................................................................... 23
3.4 Dumping credentials .......................................................................................................... 24
3.4.1 Lsass memory ............................................................................................................ 24
3.4.2 Security account manager (SAM) ............................................................................. 25
3.4.3 NTDS......................................................................................................................... 25
3.4.4 LSA Secrets ............................................................................................................... 25
3.4.5 Cached domain credentials ........................................................................................ 26
3.4.6 DCSync ..................................................................................................................... 26
3.5 Using Alternate Authentication Material .......................................................................... 27
3.5.1 Pass the hash .............................................................................................................. 27
3.5.2 Pass the ticket ............................................................................................................ 28
3.6 Stealing or Forging Kerberos Tickets ................................................................................ 28
3.6.1 Kerberoasting ............................................................................................................ 28
3.6.2 AS-REP Roasting ...................................................................................................... 30
3.6.3 Golden ticket ............................................................................................................. 31
3.6.4 Silver ticket................................................................................................................ 32
3.7 Brute Force ........................................................................................................................ 33
3.7.1 Password Cracking .................................................................................................... 33
4. Conclusion ............................................................................................................................. 33
Chapter III : Analysis and Conception ............................................................................ 34

1. Introduction ........................................................................................................................... 34
2. Problematic and objectives .................................................................................................... 34
3. Functionalities ....................................................................................................................... 34
4. Architecture of the solution ................................................................................................... 36
5. Conception of the solution..................................................................................................... 37
5.1 Authentication ................................................................................................................... 37
5.2 Setting up a simulation session.......................................................................................... 38
5.3 Static simulation ................................................................................................................ 39
5.4 Dynamic simulation........................................................................................................... 41
5.5 Determining attack paths ................................................................................................... 45
5.6 Simulations of the different sub-techniques : .................................................................... 48
5.6.1 Active scanning ......................................................................................................... 48
5.6.2 Account discovery ..................................................................................................... 49
5.6.3 Man in the middle...................................................................................................... 50
5.6.4 Dumping credentials .................................................................................................. 52
5.6.5 Using alternate authentication material ..................................................................... 57
5.6.6 Stealing or forging Kerberos tickets .......................................................................... 63
5.6.7 Brute Force ................................................................................................................ 67
5.7 Generating reports ............................................................................................................. 68
5.8 Class diagram .................................................................................................................... 69
6. Conclusion ............................................................................................................................. 70
Chapter IV : Implementation and Tests........................................................................... 71

1. Introduction ........................................................................................................................... 71
2. Working Environment ........................................................................................................... 71
2.1 Operating system ............................................................................................................... 71
2.1.1 GNU/Linux ................................................................................................................ 71
2.2 Servers ............................................................................................................................... 71
2.2.1 MySQL ...................................................................................................................... 71
2.3 Languages .......................................................................................................................... 71
2.3.1 Python ........................................................................................................................ 71
2.3.2 SQL ........................................................................................................................... 71
2.3.3 HTML........................................................................................................................ 72
2.3.4 CSS ............................................................................................................................ 72
2.3.5 JavaScript .................................................................................................................. 72
2.4 Frameworks ....................................................................................................................... 72
2.4.1 Flask .......................................................................................................................... 72
2.4.2 Bootstrap ................................................................................................................... 72
2.4.3 JQUERY .................................................................................................................... 72
2.4.4 JSON ......................................................................................................................... 72
2.5 Software and modules ....................................................................................................... 72
2.5.1 Impacket .................................................................................................................... 72
2.5.2 Nmap ......................................................................................................................... 73
2.5.3 Living off land binaries (LOLBins) .......................................................................... 73
3. Test environment ................................................................................................................... 73
3.1 Virtualization environment ................................................................................................ 73
3.1.1 VMware workstation ................................................................................................. 73
3.2 Domain environment ......................................................................................................... 73
4. Presentation of the application .............................................................................................. 74
5. Scenarios and tests................................................................................................................. 77
5.1 Static simulation ................................................................................................................ 77
5.1.1 First scenario ............................................................................................................. 78
5.1.2 Second scenario ......................................................................................................... 79
5.2 Dynamic simulation........................................................................................................... 80
5.2.1 First scenario ............................................................................................................. 85
5.2.2 Second scenario ......................................................................................................... 88
5.3 Determining Attack Paths ...................................................................................................... 89
6. Conclusion ............................................................................................................................. 91
General Conclusion................................................................................................................................ 92
List of figures
Figure 1.1 Timeline of releases of Windows versions ........................................................................... 3

Figure 1.2 Logical components of Active Directory ............................................................................. 5
Figure1.3 Phases of the Cyber kill chain .............................................................................................. 6
Figure 1.4 Blue Team Perspectives and tasks ........................................................................................ 8
Figure 1.5 The workflow of the blue, red and purple teams .................................................................. 8
Figure 1.6 Graphical user interface of the CALDERA web interface ................................................. 10
Figure 1.7 Graphical user interface of the ATTPwn platform ............................................................. 11
Figure1. 8 Example of the Enterprise matrix, its tactics (first row), and techniques (columns) .......... 14
Figure 1.9 Example of the Brute force technique, and its sub-techniques ........................................... 15
Figure 1.10 The unified kill chain.......................................................................................................... 16
Figure 2.1 The NTLM Authentication process .................................................................................... 18
Figure 2.2 The Kerberos Authentication process................................................................................. 20
Figure 2.3 The LLMNR/NBT-NS Poisoning attack process ............................................................... 23
Figure 2.4 The SMB Relaying attack................................................................................................... 24
Figure 2.5 The DCSync attack process ............................................................................................... 26
Figure 2.6 The Pass the hash attack process ...................................................................................... 28
Figure 2.7 The Kerberoasting attack process ....................................................................................... 29
Figure 2.8 The AS-REP Roasting attack process ................................................................................ 31
Figure 2.9 The Golden ticket attack process ........................................................................................ 32
Figure 2.10 The Silver ticket attack process .......................................................................................... 32
Figure 3.1 Architecture of the solution ................................................................................................ 36
Figure 3.2 Sequence diagram of the sign-up function ......................................................................... 37
Figure 3.3 Sequence diagram of the login function ............................................................................ 38
Figure 3.4 Sequences diagram of the functionality "Setting up a simulation session" ........................ 39
Figure 3.5 Flowchart describing the general process of simulating an attack ..................................... 40
Figure 3.6 Sequences diagram of the functionality "Dynamic simulation" ......................................... 42
Figure 3.7 Flow chart describing the functioning of a dynamic simulation ........................................ 44
Figure 3.8 Sequences diagram of the functionality 'Determining Attack Paths' .................................. 47
Figure 3.9 The Scanning IP blocks simulation process ....................................................................... 48
Figure 3.10 The Vulnerability scanning simulation process .................................................................. 49
Figure 3.11 The Account discovery simulation process ....................................................................... 50
Figure 3.12 The LLMNR/NBT-NS Poisoning simulation process ........................................................ 51
Figure 3.13 The functioning of the poisoning and relaying simulation ................................................. 52
Figure 3.14 The functioning of the Mimikatz procedure ....................................................................... 53
Figure 3.15 The functioning of the Procdump procedure ...................................................................... 54
Figure 3.16 The functioning of the Comsvcs procedure ....................................................................... 55
Figure 3.17 The functioning of the SAM, LSA, and Cached credentials, simulation .......................... 55
Figure 3.18 The functioning of the NTDS-Volume shadow copy procedure ........................................ 56
Figure 3.19 The functioning of the NTDS-Ntdsutil procedure .............................................................. 57
Figure 3.20 The functioning of the DCSync simulation ........................................................................ 57
Figure 3.21 Sequences diagram of the sub-technique 'pass the hash' .................................................... 58
Figure 3.22 Sequence diagram describing the procedure 'Psexec' ......................................................... 59
Figure 3.23 Sequence diagram describing the procedure 'SMBexec ..................................................... 59
Figure 3.24 Sequence diagram describing the procedure 'Pass the hash through WMI' ........................ 60
Figure 3.25 Sequence diagram describing the procedure 'Pass the hash through RPC' ......................... 61
Figure 3.26 Diagram describing an example of the results of the pass the hash technique ................... 61
Figure 3.27 Sequences diagram of the pass the ticket sub-technique simulation ................................. 62
Figure 3.28 Sequences diagram of the Kerberoasting sub-technique simulation .................................. 64
Figure 3.29 Sequences diagram of the AS-REP Roasting sub-technique simulation ............................ 65
Figure 3.30 Sequences diagram of the Golden Ticket sub-technique simulation .................................. 66
Figure 3.31 Sequences diagram of the Silver Ticket sub-technique simulation ....... Erreur ! Signet non
défini.
Figure 3.32 Sequences diagram of the password cracking simulation .................................................. 68
Figure 3.33 Sequences diagram of the functionality "Generating reports" ............................................ 69
Figure 3.34 Class diagram ..................................................................................................................... 70
Figure 4.1 Representation of the test environment .............................................................................. 74
Figure 4.2 Login Interface ................................................................................................................... 74
Figure 4.3 Dashboard containing the available techniques and sub-techniques .................................. 75
Figure 4.4 Example: knowledge framework of the scanning IP blocks sub-technique ....................... 75
Figure 4.5 Functionalities menu........................................................................................................... 75
Figure 4.6 Static simulation - list of sub-techniques ............................................................................ 76
Figure 4.7 Dynamic simulation - mode choice .................................................................................... 76
Figure 4.8 Previous simulations result interface .................................................................................. 76
Figure 4.9 Setting up a simulation session- automatic mode ............................................................... 77
Figure 4.10 Viewing the simulation session information ...................................................................... 77
Figure 4.11 Editing the simulation session information ........................................................................ 78
Figure 4.12 Starting the LLMNR/NBT-NS poisoning & SMB relaying simulation ............................. 78
Figure 4.13 Reports of the LLMNR/NBT-NS poisoning & SMB relaying simulation ......................... 79
Figure 4.14 Simulating the LSASS memory dumping sub-technique of the Credential dumping
technique ............................................................................................................................................... 79
Figure 4.15 Reports of the LSASS memory dumping sub-technique ................................................... 80
Figure 4.16 Starting a dynamic simulation ............................................................................................ 81
Figure 4.17 Reports of the scanning IP blocks simulation..................................................................... 81
Figure 4.18 Reports of the Vulnerability Scanning simulation............................................................. 82
Figure 4.19 Proceeding with a dynamic simulation- Vulnerability exploitation ................................... 83
Figure 4.20 Reports of the Vulnerability exploitation technique ........................................................... 83
Figure 4.21 Proceeding with a dynamic simulation- Account discovery .............................................. 84
Figure 4.22 Reports of the Account Discovery technique - Domain controllers ................................... 84
Figure 4.23 Reports of the Account Discovery technique - Domain users ............................................ 85
Figure 4.24 Reports of the Account Discovery technique - Domain administrators ............................. 85
Figure 4.25 Proceeding with a dynamic simulation - Cached domain credentials ................................ 85
Figure 4.26 Reports of the Cached domain credentials dumping simulation ........................................ 86
Figure 4.27 Proceeding with a dynamic simulation - Password cracking ............................................. 86
Figure 4.28 Reports of the password cracking sub-technique ............................................................... 86
Figure 4.29 Proceeding with a dynamic simulation - Lateral movement from dumped passwords ...... 87
Figure 4.30 Reports of the Lateral movement from dumped passwords sub-technique ...................... 87
Figure 4.31 Simulations history - Dynamic simulation ......................................................................... 87
Figure 4.32 Proceeding with a dynamic simulation - Security account manager .................................. 88
Figure 4.33 Reports of the sub-technique Security account manager of the credential dumping
technique .............................................................................................................................................. 88
Figure 4.34 Proceeding with a dynamic simulation - Pass the hash ...................................................... 88
Figure 4.35 Reports of the sub-technique Pass the hash ........................................................................ 89
Figure 4.36 Simulations history - Dynamic simulation 2 ...................................................................... 89
Figure 4.37 Determining attack paths- Starting information gathering ................................................. 89
Figure 4.38 Reports of Determining Attack Paths - Domain administrators ......................................... 90
Figure 4.39 Reports of Determining Attack Paths - Local administrators through the network ........... 90
Figure 4.40 Reports of Determining Attack Paths - Password strength assessment .............................. 90
Figure 4.41 Reports of Determining Attack Paths - Users vulnerable to Kerberoasting and ASREP
roasting .................................................................................................................................................. 91
Figure 4.42 Reports of Determining Attack Paths - Determining shadow administrators..................... 91
List of tables
Table 3.1 Information provided by users before a static simulation .......................................... 40

General Introduction
The exponential growth of the information technology industry has led to a significant
extension of cyber attack incidents that comes with disastrous and grievous consequences. The
cyber security incidents that make headlines around the world typically involve companies of all
sizes and in every industry, these companies are vulnerable to cyber security threats that result in
billions of dollars in financial losses, disruption to operations and supply chains, and inflicting
reputational damage from impacted customers and investors.
This urges businesses to implement a solid strategy for cyber security and a robust
mitigation and detection plan if they intend to stay afloat in the face of cyber attacks. However,
many businesses can’t afford professional solutions and have limited time and human resources
to devote to protect against cyber threats which takes a tremendous level of expertise and years
of experience.
Our objective is to offer a solution that tests the strength of the network's security in an
automated way under real-life conditions. This will be achieved by integrating the tactics,
techniques, and practices of adversaries in a tool that allows its users to understand, analyze and
simulate threats and attacks against a network infrastructure in order to provide valuable insight
into the present and future defensive needs, and counter the threats and vulnerable routes to
critical assets before an adversary exploits them. Our solution is mainly focused on Windows
systems since most enterprise networks today are managed using Windows infrastructures.
Our thesis is composed of four chapters, organized as follows :
In the first chapter, we present the basic notions that we will be utilizing in our project.
Starting with the Windows Operating system, then moving to the concept of cyber attack and
defense. And finally the MITRE ATT&CK knowledge framework and how it can be leveraged
to offer up-to-date solutions against the most advanced threats.
The second chapter consists of studying and defining the most omnipresent attacks against
Windows infrastructures, and the weaknesses that allow adversaries to exploit them.
The third chapter will give a global vision of our work by defining and exposing the
conceptual approaches followed to design our solution. It includes the architecture and the
different functionalities offered and the detailed procedures that reflect our reasoning.
The fourth and final chapter consists of presenting the implementation of our solution by
starting with the environment and tools used all along the implementation phase. Then the
presentation, tests, and scenarios phase which includes a presentation of our application and a
selection of test scenarios that will highlight our work and demonstrate it through use cases and
scenarios extended with screenshots of the different steps and results.
We will complete our thesis with a general conclusion that will recapitulate and highlight
the main functions and objectives of our solution, in addition to the future perspectives.
1
Chapter I :
State of the art
1. Introduction
The protection against cyber-attacks has become a vital issue for companies nowadays, as they
are continuously expanding by becoming more sophisticated, targeted, and often undetected.
With the widespread use of Windows infrastructures, especially within companies, Windows
has become the focal point for adversaries. Security professionals must understand and analyze
available knowledge about these threats in order to develop and deploy the most advanced tools
and techniques to counter them. [1]
In this chapter, we will present the Windows operating system, followed by cyber attacks and
cyber defense techniques. Then, we will explain adversary simulation, and how it is enhanced by
threat intelligence.
Finally, we will present and discuss the MITRE ATT&CK framework, and how it can be
leveraged to offer up-to-date solutions against the most advanced threats.
2. The Windows operating system

2.1 Definition
Microsoft Windows is a group of several graphical operating system families, all of which
are developed, marketed, and sold by Microsoft. It provides a way to manages computer
hardware and software resources, and provides common services for computer programs.
Windows is designed to operate across a variety of platforms, including personal
computers, smartphones, and video-gaming consoles.
For the past three decades, Windows has been the most popular operating system
for personal computers. [2]
2.2 History
Microsoft Windows was announced by Bill Gates on November 10, 1983, as a
graphical operating system shell for MS-DOS1 in response to the growing interest in graphical
user interfaces (GUIs).
The first version of Windows (Windows 1.0) was released in 1985. Since then, the OS has
gone through several major updates. A few of the most notable Windows releases include
Windows 3.1 (1992), Windows 95 (1995), Windows XP (2001), Windows 7 (2009), and
Windows 10 (2015).
The most recent version of Windows is Windows 11, and the most recent version
for server computers is Windows Server 2019. [3]
The following figure represents the timeline of releases of Windows versions.
1
Short for Microsoft Disk Operating System, MS-DOS is a non-graphical command line operating system created for IBM
compatible computers and introduced by Microsoft in 1981.
2
Chapter 1 : State of the art
Figure 1.1 Timeline of releases of Windows versions
2.3 Versions
Microsoft offers two major versions of operating systems, each tailored for different use
cases.
2.3.1 Desktop
Windows Desktop Operating System is geared towards home or business use for
simple daily functions like video editing, image manipulation, or coding.
It always comes in a graphical user interface which makes its usage easier and more
user-friendly. It is optimized for simple daily usage, they are not meant to run for
extended periods.
2.3.2 Server
Windows server is designed to be run on server hardware, which uses enterprise-
grade components. It allows users to install server features like Active Directory, DNS
Server, DHCP Server, Group Policy, as well as many other features which are not
available in Desktop versions.
It can run without a graphic interface to minimize the size of the install.Windows
Server can be deployed either on-site or on a cloud computing service.
2.4 Active directory

2.4.1 Definition
Active Directory (AD) is a directory service developed by Microsoft for Windows
domain networks. It provides the structure and functions for organizing, managing, and
controlling network resources on a centralized database and a common interface.
Active Directory allows management and storage of information and offers
authentication and authorization mechanisms. It also provides a whole new way of
accomplishing administrative tasks and allows for far more granularity in delegating
administrative authority. [4]
3
2.4.2 Active Directory Services

Active Directory offers several services that manage users, computers, and data.
The main services are :
- Active Directory Domain Services (AD DS): It is the main service of the Active
Directory and the foundation stone of every Windows domain network. It stores
information about members of the domain, including devices and users, verifies their
credentials, and defines their access rights. The server running this service is called
a domain controller.
- Active Directory Lightweight directory services (AD LDS): This is the light
version of AD DS that supports LDAP2 for cross-platform domain services. It removes
some complexity and advanced functionality to offer just the basic directory service
functionality, without the use of domain controllers, forests, or domains. Typically used
in small, single office network environments.
- Active Directory certificate services (AD CS): Certificate Services offers digital
certification services and supports public key infrastructure (PKI). This service can store,
validate, create and revoke public key credentials used for encryption.
- Active Directory Federation Services (AD FS): provides a single-sign-on
functionality that enables secure user authentication and authorization service, especially
when they are interacting with multiple web applications during a single session.
- Active Directory rights management services (AD RMS): It is a rights
management service that breaks down authorization beyond access granted or access
denied model and limits what a user can do with particular files or documents. The rights
and restrictions are attached to the document rather than the user. These rights are
commonly used to prevent altering documents by unauthorized users. [5]
2.4.3 Logical Components
The logical parts of Active Directory include :
- Forest: a forest is the largest unit in Active Directory and is a collection of trees
that share a common schema. In a forest all trees are connected by transitive two-way
trust relationships, thus allowing users in any tree access to resources in another for
which they have been given appropriate permissions and rights.
- Tree: a tree is a collection of Active Directory domains that share a contiguous
namespace. These domains fall into a parent-child relationship, where the child domain
takes on the name of the parent.
- Domain: a domain is a logical group of users and computers that share the
characteristics of centralized security and administration.
- Organizational Unit (OU): An organizational unit is a container object that helps
to organize objects for administration or group policy application. An OU exists within a
domain and can only contain objects from that domain. OUs can be nested, which allows
for more flexibility in terms of administration.
- Objects: Objects in Active Directory are entities that represent a resource such as
users, groups, computers, printers, and shares that are a part of the network. Each object
is defined by a set of information called object attributes. [6]
The following figures represents the logical components of Active Directory.
2
LDAP is a protocol that allows AD to communicate with other LDAP enabled directory services across platforms.
4
Figure 1.2 Logical components of Active Directory
2.4.4 Physical Components

The physical structure of Active Directory helps to manage the communication
between servers. The two physical elements of Active Directory are :
- Domain Controllers (DC): Domain controllers are Windows server-based systems
that store the Active Directory database. Every domain controller has a writable copy of
the directory. Domain controllers in the same domain contain replicas of the directory
that must be synchronized periodically.
- Site: In Active Directory, sites are a collection of well-connected computers that
can communicate frequently within the site. All IP subnets that share a Local Area
Network (LAN) connectivity without knowing the actual physical location of computers
are called a site. Sites ensure that users connect to local resources. [6]
From an architectural view, each domain controller belongs to a specific site, these
sites are used to communicate between domain controllers and control network traffic
generated by replications. Replication ensures that changes to a domain controller are
reflected in all domain controllers within a domain. On a site, a topology is generated
amid domain controllers in the same domain to define and ensure that there is at least a
replication path from one domain to another.
2.5 Functionalities of Domain Controllers

Domain controllers are the most important part of an Active Directory infrastructure, they
carry out so many functionalities, among them :
 Managing authentication, which is the primary function of a domain controller. It's done
by managing user logon, validating access on the network, and determining access
privileges based on user roles.
 Storing directory data and hosting domain information and configurations using objects.
 Manages the different resources of the domain by setting and deploying security
policies.
 Managing and replicating updates to other domain controllers in the same domain.
 Locating the different resources in the network and defining the Active Directory
topology by the bias of name resolution services (such as DNS).
5
3. Cyber attacks
3.1 Definition
Cyber attacks are malicious attempts launched by threat actors (also referred to as
cybercriminals, hackers, or adversaries) to gain unauthorized access to a computer, computing
system, or computer network to alter, manipulate or steal data held within these systems.
Cybercriminals use a variety of methods to launch a cyber-attack, including malware,
phishing, ransomware, and denial of service among other methods.
3.2 The Cyber kill chain

The cyber kill chain is a framework Developed by Lockheed Martin3, as part of
the Intelligence Driven Defense model4 for identification and prevention of cyber intrusions
activity. The model identifies what the adversaries must complete to achieve their objectives.
[7] The cyber kill chain contains 7 major phases, which are:
-Reconnaissance: The intruder chooses their target and conducts in-depth research on it to
identify its vulnerabilities that can be exploited.
-Weaponization: The intruder creates a malware weapon like a virus, worm, or such in
order to exploit the vulnerabilities of the target. This malware can exploit new, undetected
vulnerabilities (also known as zero-day exploits) or a combination of different vulnerabilities.
-Delivery: This step involves transmitting the weapon to the target. The intruder can
employ different methods like USB drives, e-mail attachments, and phishing websites for this
purpose.
-Exploitation: The malware is triggered to exploit the target’s vulnerabilities.
-Installation: The malware installs an access point for the intruder. This access point is also
known as the backdoor.
-Command and Control: The malware gives the intruder access to the system.
-Actions on Objective: Once the intruder gains persistent access, they take action to fulfill
their purposes.
3
Lockheed Martin is one of the largest companies in the aerospace, military support, security and technologies industry. It is
principally engaged in the research, development and integration of advanced technology systems, products and services.
4
Intelligence driven defense is a risk management strategy that addresses the threat component of risk, incorporating analysis
of adversaries, their capabilities, objectives and limitations.
6
The following figure represents the phases of the Cyber kill chain.
Figure 1.3 Phases of the Cyber kill chain
The cyber kill chain is mainly used as a management tool to help understand and encounter
the different cyber threats that may face organizations, such as insider threats, advanced
malware, and innovative attacks.
3.3 Cyber attacks on Windows operating system

The fact that Windows is a very common operating system both for personal and
professional use has made it inevitably one of the most targeted by threat actors. In fact, around
90% of the world’s enterprise organizations rely on Active directory infrastructures for their
professional needs, which made Windows-based endpoints the main target for adversaries
looking to get their hands on sensitive data. Back in 2015, Microsoft estimated that around 95
million Windows accounts are the target of cyber-attacks every day. [8]
In addition to Windows's popularity and widespread, it has always been prone to security
issues. According to the CVE5 database, Windows operating systems suffer from more than
6800 vulnerabilities which were discovered in different versions. [9]
Aside from security vulnerabilities, skilled malicious actors have always succeeded at
abusing legitimate and default Windows functionalities to leverage a set of well-known attacks.
These types of attacks that exploit default configurations are very omnipresent, especially with
the fact that most Windows-based infrastructures rely on default non-secure configurations, in
addition to misconfigurations that can lead to an even bigger attack surface and exposure to
additional threats.
The spread of Cyber attacks on Windows systems can also be noticed from the percentage
of malware developed and targeted at Windows operating systems compared to other systems.
According to AV Test's 2019/2020 Security Report, 114 million new pieces of malicious
programs were developed in 2019, 78.64% of them were distributed on Windows systems. In
2020, 83.45% of the malware developed was targeted at Windows environments. [1]
5
CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws.
7
4. Cyber defense
4.1 Definition
Cyber defense is the collection of processes and practices which are employed to
prevent and respond to cyber threats. It involves taking active steps to anticipate
adversarial actions and to counter intrusions.
The most common cyber defense activities include:
 Implementation and maintaining of hardware and software detection and
prevention tools.
 Analyzing, identifying, and patching system vulnerabilities.
 Obtaining and understanding of the latest threat intelligence information.
 Periodically perform different types of cybers security assessments.
4.2 Teaming
The concept of teaming in cyber security was modeled after military training exercises.
Cyber security professionals are divided into teams based on the nature of their activities,
whether it's on the defensive or the offensive side. Some of the most commonly used titles
is Red Team, Blue Team, and Purple Team.
4.2.1 Red team
The red team consists of security professionals who act as an adversary to evaluate
the security from the perspective of threat actors. Red team exercises focus on imitating
real-world attack techniques and methods to identify and exploit potential weaknesses
within the organization’s cyber defenses. Based on the results, recommendations and
plans on how to strengthen the security posture are elaborated.
4.2.2 Blue team
The blue team is on the defensive side. It consists of professionals who work
continuously on identifying, assessing, and responding to intrusions.
The blue team's main objective is to protect the organization’s critical assets against
any kind of threat by performing an analysis of information systems to
identify security flaws and verify the effectiveness of each security measure. They are
expected to detect, oppose and weaken the red team.
The following figure represents the different perspectives and tasks of the blue
team.
Figure 1.4 Blue Team Perspectives and tasks
8
4.2.3 Purple teaming

Purple teaming is a security methodology rather than a dedicated team. In purple
teaming exercises, red and blue teams work closely together to
maximize cyber capabilities through continuous feedback and knowledge transfer.
The following figure represents the workflow of the blue, red, and purple teams.
Figure 1.5 The workflow of the Blue, Red and Purple teams
5. Threat intelligence
5.1 Definition
Cyber threat intelligence is organized, analyzed, and refined information about potential
or current attacks that threaten an organization.
It is used to prepare, prevent, and identify new threats and threat actors, by analyzing the
adversarial motives and their tactics, techniques, and procedures (TTPs). [10]
5.2 Threat intelligence in adversary simulation

Successful adversary simulation is a collaborative effort between multiple domains of
expertise, particularly red teaming and cyber threat intelligence. Simulation exercises are
enhanced by Threat intelligence to leverage the attacks which are most likely to target the
organization.
These intelligence-driven simulation plans provide a means to test and tune defensive
capabilities and products against the evolving Tactics, Techniques, and Procedures (TTPs) by
outlining in detail how the techniques are chained together giving security teams a clear
understanding of how specific attacks are carried out.
One of the most used cyber threat intelligence frameworks is the MITRE ATT&CK™
which has become the foundation of most offensive and defensive exercises.
6. The MITRE ATT&CK™ framework

6.1 Definition
MITRE ATT&CK™, acronym for Adversarial Tactics, Techniques, and Common
Knowledge is a globally accessible knowledge base of adversary tactics, techniques, and
procedures (TTPs) based on real-world cyber security observations and built on threat
intelligence. It is used to help organizations across the world – from the private sector to
governments and solution providers – develop more effective cyber security practices.
ATT&CK is available to everyone and every organization free of charge and is updated
quarterly based on publicly available threat intelligence and incident reporting. [11]
ATT&CK is becoming the most definitive resource of adversary techniques available. It
is a reference that professionals are using to build defenses on its models.
9
6.2 History
The ATT&CK framework was created by MITRE Corporation, which is an American
government-funded research organization. The project was launched in 2013 and officially
released in May 2015 on the MediaWiki6 platform. [12]
In 2018, the framework was moved from MediaWiki to the attack.mitre.org domain, and
since then, many versions were released, from ATT&CK v1 to ATT&CK v9 (current version)
which was released on 29th April 2021. [13]
6.3 MITRE ATT&CK Matrices

MITRE organizes its observations about attack behaviors into tables called Matrices.
Each Matrix addresses a different target, the available matrices are:
6.3.1 ATT&CK Enterprise
The enterprise matrix is designed to address the stages of the cyber attack life cycle
after exploitation has begun, such as achieving initial access to a system, moving
laterally, and performing data collection. Its goal is to cover the various ways in which an
attacker could actively exploit and operate within an organization’s network and systems.
The enterprise matrix includes 7 sub-matrices, which are the PRE sub-matrix,
Windows, macOS, Linux, Cloud, Network, and Containers. The Cloud sub-matrix itself
includes 5 sub matrices which are Microsoft Office 365, Microsoft Azure AD, Google
Workspace, Software-as-a-Service (SaaS), and Infrastructure as a service (IaaS).
6.3.2 ATT&CK for Mobile
The mobile matrix is designed to cover the same stages of the cyberattack life cycle
as the enterprise while focusing on threats and attack vectors specific to mobile devices.
Like the enterprise matrix, the mobile matrix includes coverage of several specific
mobile platforms. Users of ATT&CK can look at attack vectors specific to Android or
iOS in particular in their own matrices or view all mobile attack vectors in the general
mobile matrix.
6.3.3 ATT&CK ICS
This Matrix is geared for defenders of industrial control systems (ICS) including
operations technology (OT) and Industrial Internet of Things (IIoT) devices. [14]
6.4 MITRE ATT&CK tactics

MITRE calls the top-level category 'tactics', each column under a tactic includes a list of
'techniques' that aim to achieve that tactic. Tactics represent certain objectives an adversary
might want to achieve, such as credential access or lateral movement.
The ATT&CK enterprise matrices include 14 tactics in total which are :
 Reconnaissance: The adversary is trying to gather the information they can use to
plan future operations.
 Resource development: The adversary is trying to establish resources they can use
to support operations.
 Initial Access: The adversary is trying to get into the network.
 Execution: The adversary is trying to run malicious code.
 Persistence: The adversary is trying to maintain its foothold.
 Privilege Escalation: The adversary is trying to gain higher-level permissions.
 Defense Evasion: The adversary is trying to avoid being detected.
 Credential Access: The adversary is trying to steal account names and passwords.
6
MediaWiki is the free open-source wiki software used to power Wikipedia and other wikis.
10
 Discovery: The adversary is trying to figure out the environment.

 Lateral Movement: The adversary is trying to move through the environment.
 Collection: The adversary is trying to gather data of interest to their goal.
 Exfiltration: The adversary is trying to steal data.
 Command and Control: The adversary is trying to communicate with
compromised systems to control them.
 Impact: The adversary is trying to manipulate, interrupt, or destroy systems and
data. [15]
The ATT&CK mobile matrix includes 12 tactics in common with the ATT&CK
enterprise (all the tactics except Reconnaissance and Resource development), in addition
to two other tactics which are :
 Network Effects: The adversary is trying to intercept or manipulate network
traffic to or from a device.
 Remote Service Effects: The adversary is trying to control or monitor the device
using remote services. [16]
The ATT&CK ICS matrix contains 11 tactics, 9 of which are the same as the ATT&CK
enterprise tactics (Command and control, Discovery, Initial access, Lateral movement,
Persistence, Evasion, Execution, and Impact), the remaining 3 tactics are:
 Collection: The adversary is trying to gather data of interest and domain
knowledge on the ICS environment to inform their goal.
 Impair Process Control: The adversary is trying to manipulate, disable, or damage
physical control processes.
 Inhibit Response Function: The adversary is trying to prevent safety, protection,
quality assurance, and operator intervention functions from responding to a
failure, hazard, or unsafe state. [16]
6.5 MITRE ATT&CK techniques

Techniques represent the various ways to achieve the tactic's objectives. Some of the
ATT&CK techniques include sub-techniques, which are a way to describe a specific
implementation of a technique in more detail.
In addition to classification, the ATT&CK framework provides technical information
about individual techniques. This includes technical descriptions, mitigation, and detection
advice.
As of May 2021, the ATT&CK Matrix contained 353 techniques in total:
 The Enterprise matrix includes a set of 185 techniques and 367 sub-techniques.
[17]
 The Mobile matrix includes a set of 89 techniques and no sub-techniques. [18]
 The ICS matrix includes a set of 79 techniques and no sub-techniques. [19]
The following figure presents an example of the Enterprise matrix, its tactics (first row),
and techniques (columns).
11
Figure 1.8 Example of the Enterprise matrix, its tactics (first row), and techniques (columns)
The following figure presents an example of the Brute force technique, and its sub-
techniques.
Figure 1.9 Example of the Brute force technique, and its sub-techniques
6.6 Cyber kill chain comparison

The primary difference between the two is that the ATT&CK matrix is more of a list of
techniques by tactics, and doesn’t propose a specific order of operations, while The Cyber
Kill Chain, is a well-defined sequence of events that progresses from reconnaissance to
intrusion and so on. Conversely, the ATT&CK techniques are used from different tactics at
different times of the scenario depending on the situation. An ATT&CK scenario could start
with a Hardware Addition from the Initial Access tactic, then jump to Bypass User Account
Control from the Privilege Escalation tactic and go back to the Execution tactic to
run malicious commands.
Also, the MITRE ATT&CK framework goes into significantly more depth on how each
stage is conducted through the techniques and sub-techniques whereas the Cyber Kill Chain
12
uses ordered phases to describe high-level adversary objectives, however, each stage of the
Cyber Kill Chain can be matched with a set of specific MITRE ATT&CK techniques.
Many researchers feel that the ATT&CK framework has already replaced the Cyber Kill
Chain, which is further demonstrated by the trends of vendors implementing ATT&CK
terminology into their solutions.
6.6.1 The Unified Kill Chain
A unified version of the kill chain was developed in order to offer a significant
improvement over the scope limitations of the Cyber Kill Chain and the time-agnostic
nature of ATT&CK, by uniting and extending Lockheed Martin's kill chain and MITRE’s
ATT&CK framework. The unified kill chain is an ordered arrangement of 18 unique
attack phases, which covers activities that occur in a cyber arrack. The unified model can
be used to analyze, compare and defend against cyber-attacks by adversaries.
The following figure represents the stages of the unified kill chain.
Figure 1.10 The unified kill chain
6.7 Use cases and benefits

The ATT&CK Framework is widely recognized as an authority on understanding the
behaviors and techniques that hackers use against organizations today. It not only removes
ambiguity and provides a common vocabulary for industry professionals to discuss and
collaborate on combating these adversary methods, but it also has practical applications for
security teams.
Some key use cases for the MITRE ATT&CK framework include:
 Adversary Emulation: ATT&CK can be used to create adversary emulation
scenarios to test and verify defenses related to specific APTs, by applying
intelligence about these APTs and how they operate to emulate a threat.
 Adversary Simulation: Testing the techniques in ATT&CK against the
environment is the best way to assess how successful certain attacks might be
against the controls present in the environment.
 Red Teaming: ATT&CK can be used to create red team plans and organize
operations. The team members can use ATT&CK to speak a common language
with defenders or amongst themselves.
 Blue teaming: Even the most well-resourced teams cannot protect against all
attack vectors equally. The ATT&CK framework can offer a blueprint for teams
for where to focus their detection efforts.
 Behavioral Analytics Development: ATT&CK can be used to simplify and
organize patterns of suspicious activity deemed malicious.
13
 Defensive Gap Assessment: ATT&CK can be used to assess existing tools, or test
new tools before purchasing, to determine security coverage and prioritize
investment.
6.8 Challenges
As with any other solution, using ATT&CK doesn’t come without challenges. Some of
the challenges that are often faced while leveraging ATT&CK are:
 Not all techniques are always malicious, some of them can be used for a legitimate
reason by a legitimate user. For example, the "Data from Network Shared Drive"
technique (T1039), which is a system feature that allows a user to search network
shares on a computer. Adversaries may use it on compromised hosts to find files of
interest and collect sensitive data.
 Some techniques have many possible methods of execution. For example, the
"Credential Dumping" Technique (T1003) can be leveraged in multiple ways and
by a vast selection of tools. It's a challenge to try to simulate and defend against all
the possibilities.
 Not all techniques in the ATT&CK framework are easy to detect. For example, the
"Rogue Domain Controller" Technique (T1207)7 can be quite difficult to detect on
security monitoring tools.
 It requires a high level of expertise, as It may be daunting for organizations with
small security teams or junior engineers to process and map the different attacks to
the security infrastructure. Prioritizing threats is a must, instead of aiming to protect
against every single type of technique.
7. Adversary Simulation
7.1 Definition
Adversary simulation is a red team exercise classified as a white box8 activity. It is
a realistic simulation of a malicious actor actively trying to penetrate into the system and
evading detection.
The process models an attack scenario that very closely mirrors the tools, tactics, and
procedures of the adversaries, with a pre-defined objective. This objective, for example, can be
accessing a specific sensitive network zone, extracting confidential data, or gaining
administrative level access over the environment.
Adversary simulation provides a complete insight into the security posture of an
organization, such as user awareness, monitoring, and detection capabilities. It also provides
the blue team with the necessary artifacts and indicators of compromise9 needed to harden the
defense mechanisms.
7.2 Adversary simulation versus adversary emulation

Both the terms simulation and emulation have been used interchangeably to refer to the
same type of red team exercises. Whereas, it's possible to differentiate between the two terms if
we look at them from the perspective of how the attack is carried out.
7
It's an attack where adversaries create a rogue Domain Controller (DC) to manipulate Active Directory data,
including objects and schemas, by registering and simulating the behavior of a DC
8
An assessment is classified as white box when the maximum amount of information about the target's system is shared in
complete transparency.
9
Indicators of compromise are pieces of forensic data, such as data found in system log entries or files that identify
potentially malicious activity on a system or network.
14
From the definition of the terms in the Cambridge English Dictionary, to "Emulate" is to
behave in the same way as someone else, while to "Simulate" is to produce something that is
not real but has the appearance of being real. [20] [21]
From an attack perspective, Adversary emulation is the mimicking of specific advanced
attackers, or advanced persistent threats (APTs)10. Based on threat intelligence, the APT that's
most likely to target the organization is determined, then their tactics, techniques, and
procedures (TTPs) are employed in an adversary emulation exercise, to test the environment
and be prepared for the potential threat.
On the other hand, during an adversary simulation, the tactics, techniques, and procedures
(TTPs) are employed irrespectively from which APTs use them. Adversary simulation focuses
more on simulating an attack that looks real while there is no real adversary.
7.3 Study Case of existent Adversary simulation tools

7.3.1 CALDERA™
CALDERA™ is a framework built on the MITRE ATT&CK™ knowledge base
and is actively maintained by MITRE. It consists of a command and control server and a
web interface. It allows the users to choose a specific technique to simulate or chain a
group of techniques to provide a complete breach-and-simulation exercise. It can also be
used to run automated incident response scripts.
The behaviors included in CALDERA are mapped to ATT&CK techniques. [22]
It offers a lot of functionalities, such as:
 Deploy an agent : That is generated dynamically based on the target system
and have to be manually installed on the victim's machine. It will allow to
run the different simulations on it.
 Choose an adversary profile : It offers a set of predefined adversaries
according to their goals such as collection, discovery, enumeration...etc.
Implementation of new adversaries could be done either by combining
existing ones or by adding abilities one by one.
 Running an operation : This starts a simulation of the procedures from an
adversary profile on a target host via the deployed agent.
 Reviewing the operation : This allows to view the results and status of the
started operations.
10
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains
unauthorized access to a computer network and remains undetected for an extended period.
15
The following image represents the graphical user interface of the CALDERA web
application.
Figure 1.6 Graphical user interface of the CALDERA web interface
7.3.2 ATTPwn
ATTPwn developed by Telefonica security researchers is a tool that aims to enable
penetration testers to identify potential weaknesses impacting an organization. It is based
on techniques and tactics from the MITRE ATT&CK framework. [23]
ATTPwn can be used to mimic several attack chains against Windows
environments, like privilege escalation11, lateral movement12 across a network, and
credential dumping. The tool also includes famous exploits that were used in destructive
ransomware attacks like NotPetya and WannaCry.
The functionalities offered by ATTPwn are very much similar to those offered by
CALDERA.
11
Privilege escalation is when adversaries gain access to the privileges of another user account in the target system, with
higher privileges than the ones they currently dispose of.
12
Lateral movement refers to the techniques that adversaries use after gaining initial access, to move deeper into a network in
search of sensitive data and other high-value assets.
16
The following image represents the graphical user interface of the ATTPwn
platform.
Figure 1.7 Graphical user interface of the ATTPwn platform
7.3.3 Comparison and analysis of the presented tools

Both the presented tools map their attacks to the MITRE ATT&CK knowledge
framework, however, CALDERA has wider coverage than ATTPwn, it covers much
more techniques than the latter.
Also, they both performs real actions on systems when operating. Thus, they should
be used by care especially in a production network, beyond an isolated lab network to de-
conflict any issues that may arise.
Additionally, they both rely on agents13 for the execution of the different
simulations, these agents connect back to the applications to retrieve commands or
transfer results. However, these agents should be manually deployed and started on each
individual target host on the network which doesn't present a fully automated solution
and can be a daunting task, especially on large networks.
7.4 Benefits of Adversary Simulation

It is undeniable that Adversary simulation has so many benefits when it comes to putting
security to the test under real-life conditions without taking the slightest risk. Some of the
benefits are :
 Adversary simulation assessments offer defenders the ability to view their networks
from the point of view of an adversary, and thus avoid breaches by discovering weak
points before an adversary does.
13
An agent is a software program that performs tasks on behalf of users.
17
 Improving security practices, by testing against the common risks, and thus detect the
weak points to strengthen the security posture and confirm any need for additional
investment.
 Offering a low-budget solution for companies with small security teams or no red
teams, as it represents an automated exercise that doesn't need a professional red team
intervention.
 Test the blue team's incident response processes against the threats posing the greatest
risks to the infrastructure.
8. Conclusion
In this chapter, we presented the basic notions that we will be utilizing in our project. Starting
with the Windows Operating system, then moving to the concept of cyber attack and defense. And
finally the MITRE ATT&CK knowledge framework.
This will allow us to study and define the most omnipresent attacks against Windows
infrastructures, and the vulnerabilities which allow us to exploit and simulate them, which will
make the subject of the next chapter.
18
Chapter II :
Cyber Attacks on Windows Infrastructures
1. Introduction
Adversaries are always on the hunt for the newest and latest ways to abuse vulnerabilities in
different systems. The Windows operating system has always been the main target due to the
nature and implementation of its legitimate functionalities which allows adversaries to abuse them
for malicious purposes.
In order to analyze, understand, and simulate the different attacks targeted at Windows
infrastructures, the main functionalities that are prone to these attacks should be presented first. In
this chapter, we will study the default authentication protocols in the Windows system, which will
allow us to define the most omnipresent attacks against Windows infrastructures, and the
weaknesses that allow adversaries to exploit them.
2. Authentication protocols in Windows

Authentication in networks is the procedure of proving the identity of a user or a process to a
network application or resource in order to provide access control. It is the gate to valuable assets
which made it the main focus of malicious actors.
The Windows operating system implements a wide range of authentication protocols, such as
Kerberos, LAN Manager (LM)14, New technology LAN Manager (NTLM), Transport Layer
Security/Secure Sockets Layer (TLS/SSL), Digest15..etc. Inevitably, each authentication protocol
suffers from its share of vulnerabilities and weaknesses, thus, improved and more secure solutions
are always replacing former ones. Currently, Windows systems are relying mainly on two
authentication protocols, which are NTLM and Kerberos, they are used widely and by default in
most Windows implementation.
2.1 New Technology LAN Manager (NTLM)
Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered
by Microsoft to authenticate user's identities and protect the integrity and confidentiality of
their activity. At its core, NTLM is a single sign-on (SSO)16 process that relies on a challenge-
response protocol to confirm the identity of the user without revealing their secret across the
network. [24]
The challenge-response authentication process in NTLM goes as follow :
 When a client wants to authenticate to a server, a negotiation message is sent from
the client to the server to request access.
 Upon receiving the negotiation message, the server sends a challenge message,
which includes a randomly generated number unique on each session, called a
challenge
14
The LM protocol was the first used in Microsoft's products and is still the authentication protocol of choice for older
operating systems. Its hashing algorithme is a based on DES encryption, and can only support passwords up to 14
characters. LM is the predecessor to the NTLM authentication protocol.
15
Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and
web-based authentication.
16
single sign-on allows the user to log in once and access services without re-entering authentication factors upon each
action.
19
Chapter 2 : Cyber attacks on Windows infrastructures
 The client encrypts this challenge with their NT password hash17 and returns the
result to the server in an authentication message.
 To verify the identity of the user, the server sends the username, the clear-text
challenge, and the received response (encrypted challenge) to the domain controller.
 The domain controller encrypts the clear-text challenge with the user's NT password
hash, then compares it to the received encrypted challenge. If they are identical,
access is granted.
 The server then sends a response back to the client.
The following figure represents the NTLM authentication process.
Figure 2.1 The NTLM Authentication process
NTLM was replaced as the default authentication protocol by Kerberos on Windows 2000
and later releases. However, it's still used even on new systems in order to maintain
compatibility with legacy clients and servers, it's also used for authentication instead of
Kerberos if the latter fails.
NTLM has two versions, NTLMv1 and NTLMv2. NTLMv2 offers better security than its
previous version, by hardening the protocol against some attacks. In NTLMv2, the client
includes a timestamp with the encrypted challenge, in order to mitigate replay attacks 18, also,
while NTLMv1 uses a 16-byte random number challenge, NTLMv2 uses a variable-length
challenge.
Several vulnerabilities related to the NTLM authentication protocol have been discovered,
Pass the hash and NTLM relaying are an example of the most famous ones.
17
The NT hash is the format used to store hashes on Windows environments starting from Windows Vista, it consists of 32
hexadecimal digits. The NT hashing algorithm uses the MD4 algorithm on the clear-text password encoded in the UTF-16-
LE format.
18
A replay attack is an attack in which the adversary records a communication session and replays the entire session, or some
portion of the session, at a later point in time.
20
2.2 Kerberos
Kerberos was developed by researchers at the Massachusetts Institute of Technology
(MIT) in the 1980s. The name is derived from the Greek mythological character Cerberus, the
three-headed dog.
Microsoft introduced their version of Kerberos in Windows 2000. It is currently the default
authorization technology used by Microsoft Windows. Implementations of Kerberos exist in
Apple OS, UNIX, and Linux. [25]
The three main security components in the Kerberos protocol are :
 The client who wants to authenticate to a service.
 The server hosting the service that the client wants to authenticate to.
 The key distribution center (KDC) which is run by the Domain Controller. It's
composed of the ticket granting server and the authentication server.
The Kerberos Authentication process goes as follow :
 The client sends an authentication request (AS-REQ) to the authentication server.
This request contains information about the client like the client's ID and a
timestamp (system time) encrypted with the secret key of the client which is an
encryption key that's derived from the client's password depending on the encryption
algorithm used. The encrypted timestamp and client ID among other attributes
compose what's called the PREAUTH data or the authenticator.
 When the authentication server receives the AS-REQ packet, it verifies the identity
of the client by retrieving his password from the Domain controller's database, then it
calculates the client's secret key and uses it to decrypt the received authenticator. If it
can decrypt it successfully and the obtained system time matches the current time
within a 5 minutes interval then the client's identity and the validity of the request are
verified.
The authentication server creates a ticket called the Ticket Granting Ticket (TGT)
which includes a Client/TGS session key. The TGT is encrypted with the secret key
of the Key Distribution Center service account. The TGT and a copy of the
Client/TGS session key encrypted with the client's secret key are then sent to the
client via a response message (AS-REP).
The Key Distribution Center service account is called "KRBTGT", it is a local
default account that acts as a service account19 for the KDC. This account cannot be
deleted, and the account name cannot be changed.
 When the client receives the TGT and the Client/TGS Session key he decrypts the
received session key with his secret key, this Client/TGS session key is used for
further communications with the TGS.
The TGT (which cannot be decrypted by the client) is stored in the client’s Kerberos
tray20and can be used to request access to different services for a defined period (10
hours by default).
 When the clients want to authenticate to a specific service, he sends the Ticket
Granting Ticket (TGT), the ID of the requested service, and an authenticator (Client's
ID and a timestamp encrypted with the Client/TGS session key) to the Ticket
Granting Server via a request message (TGS-REQ).
 The Ticket Granting Server decrypts the TGT with the secret key of the KRBTGT
account. The decrypted TGT includes the client's ID and the Client/TGS session key
which is used to decrypt the authenticator to confirm the identity of the client by
19
A service account is an account that is created explicitly to provide a security context for services running on Windows
Server operating systems.
20
A special memory area for storing cached Kerberos tickets.
21
comparing the client's ID retrieved from the TGT with the one retrieved from the
authenticator, and checking the validity of the timestamp.
 The TGS generates a TGS ticket for the client to access the service, it includes a
Client/Server Session key, the TGS ticket is encrypted using the service's secret key.
The TGS is sent to the client via a response message (TGS-REP) alongside the
Client/Server session key encrypted with the Client/TGS session key.
 The client decrypts the Client/Server session key with his Client/TGS session key
and saves it alongside the TGS ticket in his Kerberos tray. He then sends a copy of
the TGS ticket and an authenticator (the client's id and a timestamp encrypted with
the Client/Server session key) to the server where the service is hosted.
 The server uses the secret key of the service account to decrypt the TGS ticket and
retrieve the Client/Service session key, then uses it to decrypt the authenticator and
check the validity of the request and if the client has the necessary permission to
access the resource. If so, access is permitted.
The following figure summarizes the Kerberos authentication process.
Figure 2.2 The Kerberos Authentication process
Kerberos is considered a secured protocol, but it hasn't been sheltered from cyber attacks.
Several ways have been discovered to abuse the nature of the Kerberos protocol or exploit
some of its security weaknesses in order to use it for malicious and unauthorized actions. Some
of the most famous attacks that exploit Kerberos include Kerberoasting, AS-REP Roasting,
Golden tickets, and Silver tickets among others.
3. Cyber Attacks on Windows systems

Windows systems are vulnerable to several attacks that are highly and actively exploited by
adversaries, due to the reason that these attacks rely on abusing the nature and the implementation
of many legitimate and default Windows features and processes such as the aforementioned
authentication protocols. These attacks must be identified and analyzed to better understand the
present risks.
22
3.1 Active scanning

Active scanning is a pre-compromise and information-gathering technique, it's identified in
MITRE ATT&CK as the technique T1595, under the tactic Reconnaissance.
It is one of the first and most important steps adversaries take, it allows them to gather the
information that can be used to analyze and understand the target's infrastructure by engaging
with the different endpoints in the targeted system's network.
3.1.1 Scanning IP Blocks

It's a sub-technique of the Active scanning technique, identified as T1595.001.It
allows adversaries to gather information about the victim's network, such as IP addresses
that are actively in use and information about hosts assigned to these addresses. It even
allows adversaries to gather information about software deployed in hosts and its
versions.
It operates by sending specially crafted network parquets and queries to the targets
and then extract information by analyzing the responses received from them. This attack
uses native features of network protocols such as ICMP, TCP, and UDP.
3.1.2 Vulnerability Scanning

It's a sub-technique of the Active scanning technique, identified as T1595.002. It
allows adversaries to discover weaknesses and security vulnerabilities on the different
resources on the network by highlighting out-of-date applications, missing patches, and
misconfigurations that could be potential points of exploitation.
Vulnerability scanners harvest system information such as services run on each
port, versions of services, installed applications...etc. Then it checks each information
against one or more databases of security vulnerabilities, these databases reference
known flaws and potential paths that can be exploited by adversaries.
There are two types of vulnerability scanning, internal and external. External
scanning is limited to the components that are on the demilitarized zone (DMZ). It
identifies vulnerabilities that reside at the perimeter of the network and can be exploited
by adversaries in order to bypass the present security mechanisms and infiltrate the
infrastructure. In contrast, Internal scanning targets the internal components of the
infrastructure.
3.2 Account discovery

Account discovery is a discovery and information gathering technique, it's identified in
MITRE ATT&CK as the technique T1087, under the tactic Discovery. Upon gaining a
foothold into the network, adversaries will attempt to map the environment and identify the
different accounts present especially those with elevated privileges. This information will guide
adversaries into determining the next points of compromise.
In this type of discovery, adversaries query built-in utilities on Windows systems in order
to enumerate local or domain accounts, for users and groups.
3.3 Man in the Middle

Man in the middle is a credential access and collection technique, it's identified in MITRE
ATT&CK as the technique T1557 under the tactic credential access. It's a type of attack where
adversaries insert themselves in the middle of the network in order to eavesdrop or impersonate
one of the parties, making it appear as if a normal exchange of information is underway.
LLMNR/NBT-NS Poisoning and SMB Relay are both famous Man in the middle attacks
widely employed by adversaries on Windows infrastructures. They are both identified in
MITRE ATT&CK as the sub-technique T1557.001 of the Man in the middle technique.
23
3.3.1 LLMNR/NBT-NS Poisoning

LLMNR, an acronym for Link-Local Multicast Name Resolution, and NBT-NS an
acronym for NetBIOS Name Service are two Windows protocols that are alternatives to
the DNS (Domain Name System) protocol.
When a Windows machine tries to resolve a domain name or an IP address, it goes
through a specific set of steps. If the wanted name isn't found in the host file entries or the
local DNS cache the machine sends a query to the DNS server and waits for the response.
If the DNS server can’t find the correct name either the resolution task will be assigned to
the LLMNR and NBT-NS Protocols ( LLMNR first, if it fails, then NBT-NS).
The LLMNR/NBT-NS resolution works by sending a query in a broadcast message
to all the machines on the local network to ask for the correct name. If a machine on the
local network knows the wanted host or is the wanted host it will reply to the query and
then the authentication process is established between the two machines.
These protocols can be abused by adversaries. A malicious actor can set up a man
in the middle attack where he places himself in the middle of the network to listen for
LLMNR and NBT-NS broadcast messages and respond to them by pretending that he is
the requested host in order to trick the victim into authenticating to the attacker's
machine, this will allow him to obtain the password hash of the victim. The attacker can
obtain the password hash in cases where the authentication is carried by the NTLM
protocol in which the challenge is encrypted with the NT password hash and exchanged
between the two parties during authentication.
The process of the LLMNR/NBT-NS poisoning attack goes as follow :
 A victim tries to connect to a file share through SMB (which uses NTLM
authentication by default) but mistypes the share name, thus, the DNS server
can't resolve the name.
 The victim's machine sends a broadcast message asking all the machines on the
network for the resolution of the host that the victim wants to reach.
 The attacker responds to the message pretending that he is the wanted host.
 The victim sends an authentication request to the attacker.
 The attacker proceeds with the authentication by sending a challenge to the
victim.
 The victim encrypts the challenge with their password hash and sends back the
encrypted challenge to the attacker.
 Once the attacker receives the encrypted challenge, he will terminate the
session with the victim, by sending a failed authentication response.
24
The following figure demonstrates the LLMNR/NBT-NS poisoning attack process.
Figure 2.3 The LLMNR/NBT-NS Poisoning attack process
When adversaries obtain the challenge encrypted with the NT password hash of a
victim they can either attempt to crack it using the clear-text challenge and a word list to
obtain a clear text password or relay it across the network in an attempt to impersonate a
legitimate user.
This attack is widely exploited by adversaries due to the reason that the
LLMNR/NBT-NS protocols are both activated by default on systems running Windows
Vista and later. In addition, a wide range of services running on Windows Systems still
relies on NTLM authentication by default, such as SMB.
3.3.2 SMB Relaying

SMB (an acronym for Server Message Block) is a server/client network file-sharing
protocol that operates on the Application and Presentation Layers. It allows hosts (clients)
within the same network to communicate with the different resources in the network
(files, printers..etc).
In order to protect these resources and important files, clients must authenticate
before communicating with other resources. The authentication protocol supported by
default is the NTLM protocol.
The SMB Relaying attack is chained with a Man in the middle attack (like
LLMNR/NBT-NS Poisoning) where attackers place themselves in the middle of a
network, then abuse the process of the NTLM authentication protocol in order to
impersonate a legitimate user and authenticate on their behalf.
The SMB relaying process goes as follow :
 The attacker places himself in the middle of the network and waits for someone
to authenticate to their machine.
 When a victim connects to the attacker's machine, the attacker selects the target
server he wants to authenticate to and sends an authentication request on behalf
of the victim.
 The target generates a challenge and sends it back to the attacker.
 The attacker sends the challenge back to the victim.
 The victim then encrypts the challenge with its NT password hash and sends it
back to the attacker.
25
 The attacker passes the correctly encrypted challenge to the target and
successfully authenticates.
 The attacker terminates the session with the victim, by sending a failed
authentication response.
The following figure demonstrates the SMB relaying attack process.
Figure 2.4 The SMB Relaying attack
In order to relay authentication packets to a target host, the host must have SMB
signing set as "not required". SMB signing is a Windows feature that allows to digitally
sign the packets, this security mechanism comes as a part of the SMB protocol and is also
known as security signatures. It is used to confirm the origin and authenticity of the
incoming packets in order to eliminate man-in-the-middle attacks.
By default on systems running Windows (except server editions) SMB signing is
set as 'not required', which makes this attack widely used by adversaries.
3.4 Dumping credentials

Credential Dumping is a post-exploitation21 and lateral movement attack. It's identified in
MITRE ATT&CK as the technique T1003 under the tactic Credentials access.
It's an attack where adversaries attempt to locate, copy, and retrieve the credentials present
on the compromised machine in different forms. These credentials will then be used to
perform Lateral Movement and potentially escalate privileges.
The different locations where credentials are stored and approaches used to dump them
from Windows systems are presented in MITRE ATT&CK under six different sub-techniques.
3.4.1 Lsass memory

It's a sub-technique of the Credential dumping technique, identified as T1003.001.
LSASS is the Local Security Authority Server process. It is an executable file used to
enforce security policies. One of its roles is to check for the validity of the credentials
submitted upon attempting to access resources on the system.
LSASS stores sensitive information in memory, such as password hashes and
Kerberos tickets. In older Windows versions (Windows 2000 up to Server 2008)
encrypted passwords were stored alongside the decryption key in order to support Digest
21
Post-exploitation techniques are techniques used once a victim's system has been compromised by the attacker.
26
authentication, when the key is extracted from memory it is used to decrypt the encrypted
passwords and provide a clear-text password.
The stored information represents the credentials of users with active Windows
sessions in memory, it lets users seamlessly access network resources without re-entering
their credentials each time.
Adversaries may attempt to dump the LSASS process memory from the target host,
then remotely transfer the dump file to their command and control server22 in order to
extract credentials more stealthily.
3.4.2 Security account manager (SAM)

The Security Account Manager is a database that stores and manages user and group
accounts. It can be used to authenticate local users by allowing access when the provided
credentials match the corresponding entries in the SAM database. It stores information
such as the username, the relative id (RID)23, and the NT password hashes of all the local
accounts.
The SAM database is stored on the hard drive
in %SystemRoot%/system32/config/SAM and is mounted on the registry in the
HKEY_LOCAL_MACHINE\SAM hive. The SAM file is locked and cannot be copied
while the system is running, but adversaries may attempt to dump it by obtaining copies
of the registry via the bias of built-in Windows utilities when administrative rights are
available.
3.4.3 NTDS
NTDS (New Technologies Directory Services) is a database that stores different pieces of
information about domain members including password hashes of domain users, in order
to verify users and credentials. This database is only found on Windows Server machines
that are Domain controllers.
By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS on a
domain controller. Adversaries may attempt to dump the content of the NTDS file using
built-in windows utilities such as ntdsutil.exe which is one of the key tools to manage
Active Directory and its database, or other techniques like shadow copy which is a
technology included in Microsoft Windows that can create backup copies or snapshots of
computer files or volumes even when they are in use, it is implemented as a Windows
service called the Volume Shadow Copy service.
3.4.4 LSA Secrets

24
LSA secrets is a protected storage used by the Local Security Authority . Its main role is
to manage the system's local security policy, in addition to managing authentication and
storing private data.
LSA Secrets data is encrypted and stored in the Security registry hive, in the
key HKEY_LOCAL_MACHINE/SECURITY/Policy/Secrets, under that key, each secret
has its own sub-key.
22
A command-and-control [C&C] server is a computer controlled by an attacker or cybercriminal which is used to
send commands to systems compromised by malware and receive stolen data from a target network.
23
The RID uniquely identifies a security principal relative to the local or domain security authority.
24
The Local Security Authority (LSA) is a protected system process that authenticates and logs users onto different
machines, it maintains information about all aspects of local security on a computer.
27
Adversaries may attempt to extract LSA secrets from memory or the registry.
Credentials stored as LSA secrets might include default passwords if auto-logon is
enabled, the NL$KM secret key which is the key used to encrypt cached domain
passwords, password hashes of service accounts, system account passwords, and private
user data like EFS25 encryption keys.
3.4.5 Cached domain credentials

Cached domain credentials are the information about the domain user's credentials stored
in the registry for verification and validation when a domain-joined computer cannot
connect to Active directory during a logon. Each time a user logs on to a domain,
Windows caches the credentials supplied and stores them in the security hive in the
registry of the operating system, this operation is done by default for the last 10 users
who logged in.
Adversaries may attempt to extract LSA secrets from memory or the registry in the
HKEY_LOCAL_MACHINE \Security\Cache key, these credentials are encrypted with
the NL$KM key, which is part of the LSA secrets and can be extracted from the
HKEY_LOCAL_MACHINE /SECURITY/Policy/NLKM key. The extracted credentials
are hashed in the DCC (Domain Cached Credentials) format, also known as MS-Cache26.
3.4.6 DCSync
DCSync is a sub-technique of the Credential dumping technique, identified on
MITRE ATT&CK as T1003.006. With DCSync adversaries can retrieve credentials from
the domain controller database without having to gain a session on the domain controller
and execute malicious code there, they just need to compromise a domain user that has
enough privileges and then simulate the behavior of a domain controller in order to
retrieve information from it via domain replication protocols.
Domain replication in Active Directory is a service that replicates the content of the
Active Directory in order to ensure that the information between the different domain
controllers stays updated and synchronized. This attack is wildly used by adversaries, it
takes advantage of valid and necessary functions of Active Directory which cannot be
turned off or disabled, also, it's a stealthy attack since it doesn't require the attacker to log
into or execute malicious code on the domain controller.
Adversaries may attempt to leverage a DCSync attack by :
 Discovering the domain controllers in the specified domain name.
 Mimicking a domain controller and sending a replication request to a
legitimate domain controller using the Microsoft Directory Replication Service
Remote Protocol (MS-DRSR) which is a protocol used for replication and
management of data in Active Directory.
The replication request can be submitted by the bias of the GetNCChanges
function which can prompt the legitimate domain controller to replicate the
domain credentials back to the attacker.
 The attacker receives the replicated credentials from the domain controller.
25
The Encrypting File System (EFS) on Microsoft Windows is a feature introduced that enables files to be transparently
encrypted to protect confidential data from attackers with physical access to the computer.
26
It's the MD4 hash of the password, followed by the username in lower case, the result is hashed together with MD4.
28
The following figure demonstrates the DCSync attack process.
Figure 2.5 The DCSync attack process
To execute this attack, adversaries should have access to a compromised domain

user account with the necessary replication permissions which are Replicating Directory
Changes, Replicating Directory Changes All, and Replicating Directory Changes In
Filtered Set. Members of the administrators groups have these privileges by default.
3.6 Using Alternate Authentication Material

Using Alternate Authentication Material is a lateral movement technique. It is identified
in MITRE ATT&CK as the technique T1550 under the tactic Defense evasion.
Alternate authentication material is special data that is generated by systems after a user
successfully authenticates or during the authentication process. This data can be password
hashes, Kerberos tickets, or application access tokens27.
Adversaries may use these alternate authentication materials in order to move laterally
within an environment and bypass normal system access controls. These authentication
materials are cached by systems in order to verify the identity of the authenticated user without
forcing them to repeat the authentication process and entering the authentication factors after
each action. Adversaries may steal this information from systems and use it to bypass
traditional access controls by authenticating to services with authentication materials instead of
clear-text passwords or other authentication factors.
3.6.1 Pass the hash

Pass the hash is a sub technique of the Using Alternate Authentication Material
technique, it's identified in MITRE ATT&CK as T1550.002.
Pass the hash is a method of authenticating to systems with the password hash of a
user only, without having access to their clear-text password. Pass the hash abuses the
nature of the challenge-response NTLM authentication protocol. If a malicious actor
possesses the password hash of a certain user, he can impersonate that user and
authenticate on their behalf by submitting the username and the user's hash during the
NTLM authentication process.
Any service that relies on NTLM authentication can be employed in a pass the hash
attack, such as SMB.
27
An access token is an object that contains the security credentials for a login session and identifies the user, the
user's groups, and the user's privileges among others.
29
The following figure describes the pass the hash attack process.
Figure 2.6 The Pass the hash attack process
3.6.2 Pass the ticket

Pass the ticket is a sub technique of the Using Alternate Authentication Material
technique, it's identified in MITRE ATT&CK as T1550.003.
It is a method of authenticating to systems via Kerberos authentication by using
stolen or forged TGS or TGT Kerberos tickets. TGT tickets are used to request service
tickets from the Ticket Granting Service (TGS), while TGS tickets allow access to
resources on the network.
Adversaries may obtain valid tickets from systems by leveraging credential
dumping techniques on processes such as LSASS to obtain the tickets cached on the
system or forge tickets via other techniques like Golden ticket or Silver ticket.
Pass the ticket attacks provide a way to gain privileged access to network resources
without needing to obtain an actual user password.
3.7 Stealing or Forging Kerberos Tickets

Stealing or forging Kerberos tickets is identified in MITRE ATT&CK as the technique
T1558, under the tactic Credential Access. It is a technique where adversaries attempt to abuse
the nature of the Kerberos authentication protocol in order to gain unauthorized access.
It contains a total of four sub-techniques that cover the attacks used by adversaries to
manipulate Kerberos tickets.
3.7.1 Kerberoasting
Kerberoasting is a post-exploitation, lateral movement, and credential access attack,
it's identified in MITRE ATT&CK as the sub-technique T1558.003 of the Stealing or
forging Kerberos tickets technique.
Kerberoasting is an attack that abuses a combination of weak encryption, poor
service account passwords policy, and the nature of the Kerberos protocol. This attack
allows adversaries to harvest Active Directory service account hashes for offline
cracking.
Adversaries attempt this attack after they have gained an initial foothold into the
network as a valid domain user, which will allow them to query and discover accounts
with Service principal names (SPNs) through SPN scanning which is performed via
LDAP queries to a Domain Controller. In Windows systems, SPNs identify service
accounts that support Kerberos authentication. These service accounts can be linked to
domain host or user accounts. Host service accounts are associated with the computer
accounts in Active directory, they have a randomly generated 128-character long
password which is changed every 30 days, hence, it's almost impossible to crack it using
brute force or wordlist attacks, on the other hand, domain user service accounts with
weak passwords are the ones exploited in the Kerberoasting attack.
30
After determining the available service accounts in the domain, adversaries will
authenticate to the domain in order to receive a Ticket Granting Ticket (TGT) from the
authentication server in the Key Distribution Center (KDC). Upon obtaining a valid TGT,
they can request a service ticket for a specific service they wish to compromise, the
Ticket Granting Server (TGS) will then create a TGS ticket and encrypts it with the
service account's secret key.
At this point, only the service and the domain controller are capable of decrypting
the ticket since those are the only two entities who share the secret key of the service
account.
On a legitimate Kerberos authentication, the TGS provides the user with the TGS
ticket which will be presented by the user to the server hosting the service. The server
will decrypt the ticket with the service account's secret key and determine if the user has
sufficient permissions to access the service. However, adversaries abuse this process by
extracting the TGS ticket from system memory (specifically, the Kerberos tray) after it is
sent by the TGS, and then attempt to crack the service account's secret key offline by
brute force or dictionary attacks on the obtained TGS ticket.
The service accounts secret keys are keys derived from the password depending on
the encryption algorithm used. The default Kerberos encryption algorithm for Windows
systems (starting from XP/Windows server 2003) is AES256, however, the older RC4
algorithm is also still used for backward compatibility. The RC4 algorithm is a weak
algorithm that relies on the NT password hash as the secret key which makes it very
vulnerable to dictionary attacks, contrary to the AES algorithm that includes a salt which
makes cracking it very hard. When a service ticket is requested by an adversary, they can
specify the encryption type in the body of the TGS-REQ request, the RC4 algorithm is
requested to ensure that the service account’s NTLM password hash is used to encrypt
the service ticket.
The following figure describes the process of the Kerberoasting attack.
Figure 2.7 The Kerberoasting attack process
Kerberoasting is effective and widely used by adversaries, because :

 It only requires access as a valid domain user who doesn't need to have high
privileges since discovering SPNs and requesting TGT/TGS tickets can be
done by any domain user.
31
 It leads to obtaining the passwords of service accounts which can be leveraged

to increase the attack surface, especially if the service accounts are over-
permissioned or members of Domain Administrators (which is a vulnerable
configuration that's widely implemented by system administrators).
 Most service account passwords are an easy target for offline cracking. Given
human tendencies, often these passwords are common, weak, and easily
guessable. In addition, they may never expire, don't get changed very often,
and are the same length as the domain password minimum (often 8 characters
long).
3.7.2 AS-REP Roasting

AS-REP Roasting is a post-exploitation and credential access attack, it's identified
in MITRE ATT&CK as the sub-technique T1558.004 of the Steal or Forge Kerberos
Tickets technique.
It's an attack that exploits a known weakness in the Kerberos authentication
protocol against user accounts that do not require pre-authentication. It allows adversaries
to obtain passwords of domain users by offline cracking attacks.
Pre-authentication is a security feature and one of the first steps in the Kerberos
authentication process, when a user requests access to a resource he sends an
authentication request via an AS-REQ message, the authentication request includes an
authenticator that is encrypted by the user's secret key. Upon receiving the AS-REQ
message, the KDC will attempt to decrypt the authenticator with the user's secret key
that's computed from his password retrieved from the Active Directory database, if it's
able to successfully decrypt it, it will confirm that the request was sent by the legitimate
user, and thus confirm his identity, also for every incorrect attempt, the KCD will register
and increase a "badpwcount" value, this value will help to detect and prevent brute force
and password guessing attacks. Additionally, upon decrypting the authenticator that
contains a timestamp (system time) the KDC checks if the timestamp is within a 5
minutes interval from the current time, this will confirm that the request isn't a replay of a
previous request, which prevents replay attacks.
To perform this attack, only connectivity to the Domain controller and a list of
domain users is needed, if adversaries obtain a list of domain users or guesses the
usernames of domain users they can attempt to send AS-REQ messages without Pre-
authentication data for each user and conclude based on the response if that user account
requires pre-authentication or not. Another possible scenario is when adversaries
compromise any valid domain user who doesn't need to have elevated privileges, then
with the compromised user's session they can query the domain controller for accounts
that do not require pre-authentication using built-in Windows tools like Powershell28 and
LDAP queries. For each account found, they can request a TGT ticket from the KDC
instead of the target account by sending an AS-REQ message without having to provide
the target user's secret key. An AS-REP message will be sent back to the attacker
containing the TGT and a session key. The session key is encrypted with the target user’s
secret key, this will allow adversaries to attempt to brute force the session key to obtain
the target user's secret key and eventually their clear-text password.
Pre-authentication is required by default in Active Directory. However, it can be
disabled on user accounts in order to support some services that do not comply with
Kerberos pre-authentication. Also, if adversaries have GenericWrite/GenericAll rights
28
PowerShell is a task automation and configuration management framework from Microsoft, consisting of a
command-line shell and the associated scripting language.
32
over a target user, they can maliciously modify their user account attribute to not require
pre-authentication, attempt AS-REP Roasting, and then reset the value.
Moreover, this attack takes advantage of the RC4 weak encryption algorithm that
relies on the user's NT hash as their secret key which makes cracking it an easy task, RC4
is specified as the encryption type by adversaries when a TGT ticket is requested.
The following figure summarizes the process of this attack.
Figure 2.8 The AS-REP Roasting attack process
3.7.3 Golden ticket

Golden Ticket is a Post-exploitation and persistence attack, it's identified in MITRE
ATT&CK as the sub-technique T1558.001 of the Steal or Forge Kerberos Tickets
technique.
It's an attack where adversaries gain access to any Kerberos authenticated service
and resource on an Active Directory domain by forging Kerberos ticket granting tickets
(TGTs), these forged TGTs are also called golden tickets.
In order to carry out this attack, adversaries should first harvest the NT hash of the
Active Directory key distribution service account (KRBTGT), this can be done by
obtaining access to the domain controller and dumping the KRBTGT hash by using
credential dumping techniques. The next step is to forge TGTs. In order to forge a TGT,
adversaries must have knowledge of the domain name, the domain security identifier
(SID), and the identifier of a domain user who will appear as the entity requesting access
to the different resources (usually, the identifier presented is the one of a highly
privileged user like a domain administrator, who have access to all the resources on the
domain). This information forms a valid TGT of the user and is encrypted with the
KRBTGT NT hash. Since the TGT is used to prove to the KDC that the user was
authenticated by the authentication server, the forged TGT can be presented directly to
the Ticket Granting Server as a valid TGT in order to request access to any service the
adversary wants to compromise. The Ticket Granting Server will then provide the
adversary with the TGS which will grant him access to the service.
By default, TGTs are set to expire after 10 hours, but adversaries can set the ticket
to be valid for up to 10 years, which makes the golden ticket technique one of the most
used to gain persistence on the domain. Moreover, Active Directory stores both the
current and previous NT hash of the KRBTGT account so that tickets from old sessions
can be validated even after the KRBTGT's password was reset, this feature allows
33
adversaries to keep using the Golden ticket even if the KRBTGT's password was reset
once.
The following figures describes the Golden ticket attack process.
Figure 2.9 The Golden ticket attack process
3.7.4 Silver ticket

Silver Ticket is a post-exploitation attack, it's identified in MITRE ATT&CK as the
sub-technique T1558.002 of the Steal or Forge Kerberos Tickets technique.
It's an attack where adversaries employ the harvested password hashes of user or
computer service accounts in order to forge Kerberos ticket granting service (TGS)
tickets and thus gain access to these services and the systems that host them. These
forged TGS tickets are also called silver tickets.
In order to carry out this attack, adversaries should first harvest the NT hash of the
service account of the service they want to compromise, this can be done by obtaining
initial access on the domain then dumping the NT hash by using credentials dumping
techniques. Adversaries can then forge TGS tickets and encrypt them with the target
service account hash, then present them to the server where the service is hosted as valid
tickets which will allow them access to the target service without having to interact with
the Key Distribution Center or the Domain Controller. This makes Silver tickets very
stealthy and thus harder to detect by security monitoring tools.
Figure 2.10 The Silver ticket attack process
Even though silver tickets are limited to compromising one target service, they are
still widely used by adversaries, especially when the obtained service account hash can't be
easily cracked or passed around. Also, a silver ticket can be created and manipulated to
include elevated privileges for its user, which can be used to gain full control over a
service that wasn't fully accessible with the compromised hash (when the compromised
user doesn't have enough privileges to fully manipulate the service).
34
3.7 Brute Force

Brute Force is identified in MITRE ATT&CK as the technique T1110, under the tactic
Credential Access. It is a technique where adversaries attempt to obtain clear-text passwords by
different means in order to gain access to assets on the network.
3.7.1 Password Cracking
Password cracking is a post-exploitation, and credential access technique, it's
identified in MITRE ATT&CK as the sub-technique T1110.002 of the Brute Force
technique. It's a sub-technique where adversaries attempt to recover clean-text credentials
from encrypted or hashed material by different procedures. These procedures include
among others the dictionary or wordlist approach which relies on a file containing words
that are most likely to be used as passwords for a specific target, each entry on the list is
transferred to the format of the material to be cracked and compared to it. When the same
value is obtained the plain-text password is determined.
It is generally executed on an adversary-controlled system outside of the target
network (then, it is called offline cracking). The resulting plaintext password from a
successful cracking attempt may be used to log into systems, resources, and services to
which the victim user has access.
4. Conclusion
In this chapter, we presented an overview of the main authentication protocols used on
Windows systems and are widely targeted by adversaries, this allowed us to study their
weaknesses and vulnerabilities, and the different techniques used by adversaries to abuse them
based on the MITRE ATT&CK knowledge framework.
This will allow us to move to the conception stage which will make the subject of the next
chapter.
35
Chapter III :
Analysis and Conception
1. Introduction
In the previous chapter, we defined the most used techniques by adversaries based on the
MITRE ATT&CK knowledge framework, this allowed us to study these techniques and expound
the weakness and vulnerabilities that allow adversaries to exploit legitimate Windows features for
malicious purposes.
This will allow us to move to the next step which is the conception and analysis phase. It will
be introduced by defining the problematic that pushed us towards working on this solution, and
the objectives that it aims to reach. Next, we will define the functionalities and the general
architecture of our solution, followed by a presentation of each functionality from a conceptual
point of view by the bias of explanatory diagrams.
2. Problematic and objectives

Protecting valuable assets against malicious actors is becoming more and more vital for
corporations that rely widely on Windows infrastructures, especially with the fact that most
attacks against it abuse legitimate and default functionalities that the dangers of are often unknown
to system administrators. This pushes corporations to seek help from security professionals,
whether red or blue teams.
The main goal of the red team is to analyze available knowledge about the different threats,
then identify the present vulnerabilities and misconfigurations that can be exploited by malicious
actors. However, this task can be daunting and time-consuming especially when it comes to
analyzing, understanding, and testing the different threats available. It also requires a big budget
especially for companies with no red teams that have to externalize their security assessments. On
the other hand, blue teams that are focused on preventing and responding to cyber threats by
implementing and maintaining hardware and software detection and prevention tools are faced
with the obstacle of putting their security solutions and incident response capabilities to the test
under real-life conditions repeatedly.
Our proposed solution consists of developing an automated adversary simulation tool that
simulates attacks aimed at Windows infrastructures, the functionalities offered by this tool can be
considered as an automated white-box internal security assessment. The automation of this activity
offers a low-budget and a quick solution for companies with small red-teams or no red teams, as it
allows system administrators to discover the weakness of their architectures regardless of the level
of their security knowledge and without having to rely on a professional red team intervention. On
the other hand, it offers the blue team the ability to test their implemented defenses and incident
response capabilities against common attacks without having to research and manually simulate
the different attacks each time, this will allow them to effectively view the network from the point
of view of an adversary and improve the security posture.
3. Functionalities
Our adversary simulation solution is based on five key functionalities :
-Authentication: Users can create new accounts or log on to their accounts, this will ensure that
each user can run their own personalized simulations and have access to the reports of their
simulations.
36
Chapter 3 : Analysis and conception
-Providing a knowledge framework: For each technique included, a full description is offered.
These descriptions include a full explanation of the technique and the vulnerabilities behind it, the
procedures followed to simulate the technique, and the different ways to detect the attack and
mitigate from it. This will allow the users of the tool to have a full understanding of the attacks
they are simulating and ways to detect them and prevent them, and that's whether they are security
professionals, system administrators, or general Information technology employees.
-Setting up a simulation session: Before simulating some specific techniques, users must set up
a simulation session where they provide information about the target domain. This information is
used differently depending on the technique.
-Running simulations: There are three different types of simulations that users can run, static
simulation, dynamic simulation, and determining attack paths.
 If the user runs a static simulation, he can select a technique to simulate from a pre-
defined list, and then select one or multiple procedures to run depending on the chosen
technique. Finally, the user selects a target to run the simulation on, the target can be a
single domain account, a group of domain accounts, or all the domain accounts. Static
simulations will allow the user to simulate a specific procedure on a specific target that
they chose. These simulations are used when it comes to testing the implemented
defense and detection mechanisms and assessing the incident response capabilities of
the blue team, or determine the risk factor that is presented by the different attacks,
based on the results of the simulation.
 When the user runs a dynamic simulation, he has to provide the IP address of the target
subnet. The simulation will then run specific attacks mimicking the behavior of an
adversary who's actively penetrating the network and in real-time. The simulation will
start by running discovery and enumeration techniques, then depending on the result of
each step the next possible attacks to run are determined and the user can choose the
attacks to simulate on each step of the dynamic simulation. These simulations are useful
for red teams to run automated penetration tests, or for network administrators to run a
penetration test without having to rely on a specialized red team or externalize the task.
 Determining attack paths is a functionality that gathers information from the network in
order to assess and review the security configuration issues and weaknesses that an
adversary can leverage during a breach. This will help organizations that struggle to
properly maintain securely configured environments to identify the risks and attack
surfaces that are present in their environments, and thus reduce the risk and impact of a
security incident by hardening common attack surfaces.
-Generating reports: Upon completion of a simulation, users are provided with a detailed
report containing the results of the simulation, these results include compromised users,
computers, and data among others.
37
4. Architecture of the solution

Our solution consists of a single-tier local web application. It includes two logical sides, the
front end or the client-side where the users will be able to interact with the application in order to
accomplish tasks such as authenticating by providing their credentials, setting up simulation
sessions and running simulations by providing the necessary parameters, or receiving information
about the attacks and simulation reports. On the other hand, the back-end or the server-side which
manipulates and stores data, it receives requests from the front-end and executes them on the
system where the application is deployed by interacting with a locally stored database that
contains the different data manipulated during the simulations, the server-side also interacts with
the different target hosts on the target network to run the simulations.
The tool should be deployed on a machine that is connected to the internal corporate network in
a way that it can reach the primary domain controller and all the endpoints where the attacks will
be simulated on.
The architecture of the application is displayed in the following figure.
Figure 3.1 Architecture of the solution
38
5. Conception of the solution

5.1 Authentication
In order to authenticate to the application, the user should first have a valid account. To
create an account, the user enters his username and password. The entered password
concatenated with a random string (a unique salt for that user) is hashed and the hash of the
password and the used salt are inserted into the database alongside the username.
The following diagram describes the Sign-up function.
Figure 3.2 Sequence diagram of the sign-up function
To log in, the user submits his username and password. If a user with the submitted
username exists in the database the password hash related to it and the salt are retrieved. The
entered password concatenated with the retrieved salt is hashed and compared with the
retrieved hash, if the values are equal access is granted.
The following diagram describes the Login function.
39
Figure 3.3 Sequence diagram of the login function
5.2 Setting up a simulation session

In order to simulate specific techniques in a static simulation, or to run the 'Determining
attack paths' functionality, users are obliged to have a simulation session setup before starting.
Each user can have only one simulation session at a time, if the user would like to set up a new
session the old one is deleted. To set up a simulation session, the user is prompt to submit the
following information :
 The IP subnets of the networks to target: this information is used in order to
determine the scope of the simulation in question and target only the end-points
that belong to the specified subnets.
 The domain name and the primary domain controller IP address: This information
is used to contact the domain controller while simulating some techniques that
require so.
 The username and password of a domain administrator: this information is used to
retrieve the list of user and computer accounts from the domain controller database
(the NTDS database) and their respective password hashes. This information is
needed when running post-exploitation techniques as these techniques require the
possession of a session as a compromised domain account.
To retrieve the necessary information from the NTDS database on the domain controller,
the user can choose between the manual or the automatic method. Upon choosing the manual
method, the user will be prompt to upload the NTDS.dit file and a copy of the SYSTEM
registry hive dump that contains the necessary keys to decrypt the information in the NTDS.dit
file, these two files are manually retrieved from the domain controller by the user. The
40
automatic method will use the DCSync sub-technique (T1003.006) of the Credential dumping
technique.
After completing the acquisition of the domain accounts information, this information is
stored in the database and is used on the simulations of post-exploitation techniques.
This process is displayed in the following diagram.
Figure 3.4 Sequences diagram of the functionality "Setting up a simulation session"
5.3 Static simulation

To simulate a sub-technique on a static simulation, the user has to choose the sub-
techniques from a specific technique. If the chosen sub-technique is a post-exploitation attack
that requires the presence of a simulation session the user is prompt to set up a session before
launching the simulation. The user is asked to input some information related to the specific
sub-technique he chooses to simulate, this information could be choosing one or multiple
domain accounts as the target of the simulation, or choosing from a list of the different
procedures possible for the execution. Once all the required information is submitted, the user
can run the simulation. If the sub-technique requires a simulation session, the information
related to it is retrieved from the currently set up simulation session.
This process is described in the following flowchart.
41
Figure 3.5 Flowchart describing the general process of simulating an attack
The information that the user has to provide before simulating a sub-technique is
dependent on the sub-technique itself except for the simulation name which is required in all
the simulations, this table explains the different information that should be provided by the user
for each sub-technique.
Sub-technique Require a Provided information by the user
simulation session
Scanning IP Blocks ❌ -One or multiple IP subnets to scan.
Vulnerability ❌ -One or multiple IP subnets to scan.
Scanning
Discovery ✔ -One target host (the compromised host to simulate
the sub-technique on it).
LLMNR/NBT-NS ❌ -One or multiple IP subnets of the target
Poisoning network.
LLMNR/NBT-NS ❌ -One or multiple IP subnets of the target
Poisoning and SMB network.
Relaying
LSASS Memory ✔ -One or multiple target hosts to execute the
simulation on.
-One or multiple procedures to execute on each target
host.
Security Account ✔ -One or multiple target hosts to execute the
Manager simulation on.
NTDS ✔ -One or multiple procedures to execute on the target
host (the domain controller).
LSA Secrets ✔ -One or multiple target hosts to execute the
simulation on.
Cached domain ✔ -One or multiple target hosts to execute the
credentials simulation on.
42
DCSync ✔
Pass the hash ✔ -One or multiple domain users to pass their hash.
-One or multiple target hosts to pass the chosen users
hash into in an attempt to compromise them.
-One or multiple procedures to execute on each target
host.
Pass the ticket ✔ -The ticket to pass around.
-One or multiple target hosts to authenticate to by the
chosen ticket.
Kerberoasting ✔ -One compromised domain user to simulate the attack
on their behalf.
AS-REP Roasting ✔ -One compromised domain user to simulate the attack
on their behalf.
Golden Ticket ✔
Silver Ticket ✔ -One or multiple target domain users or computer
accounts to generate a silver ticket to access their
resources.
Table 3.1 Information provided by users before a static simulation
5.4 Dynamic simulation

The user can start a new dynamic simulation or proceed with an old dynamic simulation
that he has started before.
To start a new dynamic simulation, the user is prompt to input the simulation name and
one or multiple IP addresses of subnets of the network to target while simulating the different
attacks. As this is a simulation of an adversary actively penetrating the network, the first sub-
techniques that are automatically run after launching the dynamic simulation are Scanning IP
blocks and Vulnerability scanning in order to map the network and determine the
vulnerabilities present in it. Once the simulation is run, the user can consult the results, if there
were any vulnerabilities discovered on hosts in the network and the exploits of these
vulnerabilities are available in our simulation tool, the user can later exploit them in order to
gain initial access into the network.
If the user chooses to proceed with an already started dynamic simulation, he will be
prompt with a list of all the possible sub techniques that he can run on all the compromised
hosts, this list is determined based on the results of the previous simulation. The user can
choose one or multiple sub-techniques to run.
This process is displayed in the following diagram.
43
Figure 3.6 Sequences diagram of the functionality "Dynamic simulation"
44
The sub-techniques that can be executed on each step of the dynamic simulation are
determined based on the assets that have been compromised on previous simulations, all the
sub-techniques available in static simulations are also available in dynamic simulation, in
addition to the "Lateral movement" technique which is a simulation that's executed when clean
text passwords are compromised on previous simulations, it allows to connect through the
network with the compromised passwords in order to compromise new hosts and move through
the network, and the "Vulnerability exploitation" technique which exploits predefined
vulnerabilities that are discovered on hosts in the network, the exploitation of these
vulnerabilities will lead to compromising the hosts and thus gaining initial access into the
network to start leveraging post-exploitation and lateral movement attacks. The following chart
illustrates the functioning of a dynamic simulation and how the possible sub-techniques to
execute in each step are determined.
45
Figure 3.7 Flow chart describing the functioning of a dynamic simulation
46
5.5 Determining attack paths

In order to determine a specific pre-defined potential attack paths that are present in the
network, a simulation session should be set up, as this functionality depends on the information
extracted from the simulation session especially the domain administrator credentials which are
used to connect remotely to the domain controller and the different hosts in the domain and
extract information from them.
Determining attack paths is composed of many sections, which are :
 Determine domain users with administrative privileges: these users have total control
over the domain controller and thus the whole network which makes them a highly
valuable target for adversaries.
These users generally belong to the built-in groups: Schema Admins, Domain Admins,
Administrators, and Enterprise Admins. Membership to these groups should be
carefully managed to reduce the attack surface to the minimum.
To determine these users, an LDAP query is sent to the domain controller.
 Determine the local administrators of each host on the network: by determining the
local administrators we can extract the level of access that each user has through the
network and thus determine the attack surface that can be obtained upon compromising
each user. Local administrators on hosts represent a high risk as they allow any
adversary that compromises them to have full control over the host and thus leverage all
the techniques that can be executed on that host and all the other hosts where the
compromised user is also a local administrator. If a user is a local administrator on
multiple hosts it will significantly expand the attack surface and allow adversaries to
easily move through the network just by compromising a single user.
To determine the local administrators, a remote connection is established to each host
on the network where a built-in command is executed to extract the members of the
local administrative groups.
 Assessing the strength of the password policy: A strong password policy is one of the
first lines of defense on each organization, as weak passwords are exploited by a range
of attacks, this will help to determine the users with weak passwords that present a
threat and expand the attack surface. To provide a global idea about the strength of the
passwords used on the domain, the password hashes are retrieved from the simulation
session and cracked by a dictionary approach.
 Determine vulnerable users to Kerberoasting and ASREP Roasting: These two
techniques can be exploited by gaining access to the network as any valid user (no
elevated privileges are required), therefore it's essential to determine users that are
vulnerable to these techniques. To do so, an LDAP query is sent to the domain
controller to retrieve user accounts with registered SPNs, and users with Kerberos pre-
authentication disabled. If a retrieved user account is included in the list of users with
weak passwords (extracted from the previous section) the user is added to the list of
vulnerable users.
 Determine shadow administrators by analyzing ACEs from ACLs: Shadow
administrators are user accounts that are not assigned to privileged groups, but they
have permissions that can allow them to take over other privileged accounts, and
leverage them to reach their targets. These permissions were granted through the direct
assignment of Access Control Entries (ACEs) on Access Control Lists (ACLs). An
ACE defines access permission on an object for a specific user or group. while an ACL
is the ordered collection of access control entries defined for an object.
Active Directory objects permissions are often overlooked but they present a threat as
valuable as other techniques since they may give direct access to highly privileged users
47
and they are easy to determine and exploit by an adversary because by default all
authenticated users can read ACEs on all objects, which means if a user account is
compromised, ACEs can be retrieved on all the objects and potential attack paths can be
quickly determined by adversaries.
Some of the Active Directory object permissions and types that can be exploited to
elevate privileges are :
-GenericAll: Full object control such as add users to a group, reset a user's password
without knowing its current values, register an SPN with a user object...etc
-GenericWrite: Update the object's attributes such as the logon script (which is used
to execute specific commands the next time the user logs on).
-WriteOwner: Change the owner of the target object (if the owner is changed to an
object compromised by the adversary, full control is gained over the target object).
-WriteDACL: Modify the object's ACEs.
-ForceChangePassword: Change the user's password without knowing its current
value.
-AddMember: Add objects to a group.
To determine shadow administrators, a remote connection is established to the domain
controller and ACEs of the domain users and groups are retrieved via Powershell.
The following diagram summarized the functioning of the different sections of the functionality
"Determining attack paths".
48
Figure 3.8 Sequences diagram of the functionality 'Determining Attack Paths'
49
5.6 Simulations of the different sub-techniques :

5.6.1 Active scanning
 Scanning IP blocks
In order to simulate the scanning IP blocks technique, the user specifies one or
multiple IP subnets to scan. This technique scans the network to discover live hosts by
ping sweeps where a ping (ICMP echo request packet) is sent to every IP address on the
subnet, if an ICMP echo reply packet is received then the host is alive.
Additional information is discovered on each live host, such as the operating system
of the host, the host name, and the domain and the forest the host is joined to. To
determine this information a feature of the SMBv1 Windows protocol is abused, this
feature allows to return system information without authentication which allows to
fingerprint the host. When a session is started as anonymous (without authentication)
the host with SMBv1 enabled will send information about the host as a response.
The following diagram summarizes the functioning of this simulation.
Figure 3.9 The Scanning IPblocks simulation process
 Vulnerability scanning
In order to simulate the vulnerability scanning technique, the user specifies one or
multiple IP subnets to scan for vulnerabilities. This technique scans the network to
discover live hosts, for each host, it tries to determine the services running on open ports
and the versions of these services. When service versions are retrieved they are checked
against one or multiple databases of known vulnerabilities to determine if a
vulnerability that affects a deployed service is present on the network.
50
Figure 3.10 The Vulnerability scanning simulation process
5.6.2 Account discovery

The account discovery technique can be simulated after gaining access to the
network by compromising a host, it queries the domain controller via Powershell and
LDAP filters to determine :
-The present domain controllers in the network and information about them.
-A list of all domain user accounts and their attributes (such as group membership,
description, principal names, mail accounts..etc).
-The domain administrators by searching for users in privileged Active Directory
groups.
51
Figure 3.11 The Account discovery simulation process
5.6.3 Man in the middle

 LLMNR/NBT-NS Poisoning
To simulate the LLMNR/NBT-NS poisoning attack, first, the network is scanned in
order to find hosts with LLMNR and NBT-NS enabled, this will allow to uncover the
potential attack surface that's present on the network. Then a listener is started in the
middle of the network, it listens for LLMNR/NBT-NS broadcast messages sent from
hosts where a user attempted to access a name that couldn't be resolved by DNS. When
that happens, the listener responds to the broadcast messages and initiates an NTLM
authentication with the victim host by sending them a challenge to encrypt, the victim
encrypts the challenges with their password hash and sends back the encrypted
challenge, upon receiving it, the listener terminates the connection by sending a failed
authentication response. The encrypted challenge can be cracked offline via a dictionary
attack.
52
Figure 3.12 The LLMNR/NBT-NS Poisoning simulation process
 LLMNR/NBT-NS Poisoning and SMB Relaying

To simulate the LLMNR/NBT-NS poisoning and SMB Relaying attack, first the
network is scanned in order to find hosts where SMB signing is not required, this will
allow to discover the target hosts that we can relay authentication packets to them. A
listener is then started in the middle of the network, it listens for LLMNR/NBT-NS
broadcast messages sent from hosts where a user attempted to access a name that
couldn't be resolved by DNS. When that happens, the listener responds to the broadcast
message and initiates an NTLM authentication with the victim host. When the victim
sends an authentication request, the request is relayed to each target host (the hosts with
SMB signing not required), when the target host sends the challenge, the challenge is
relayed to the victim which encrypts the challenge with the user's password hash and
sends it back to the listener, the encrypted challenge is then relayed to the target host. If
the victim user has enough privileges, access is granted to the target host and connection
with the victim host is terminated via a failed authentication response The following
diagram details the functioning of this simulation.
53
Figure 3.13 The functioning of the poisoning and relaying simulation
5.6.4 Dumping credentials

If a credential dumping sub-technique is simulated on a static simulation the chosen
procedures will be executed on each chosen target host after authenticating to the hosts
with the credentials of the domain administrator that was specified while setting up a
simulation session. Otherwise, the sub-techniques are simulated on the session of the
initially compromised host.
The functioning of the different available sub-techniques is as follows :
 LSASS Memory
To extract valuable information from the LSASS process memory from a target host
three different procedures are available.
 Mimikatz procedure: Mimikatz is a leading Windows post-exploitation open-source
tool that includes a variety of modules that allow to perform different techniques
such as dumping password hashes and extracting credentials and Kerberos tickets
from memory.
To simulate this procedure these steps are followed:
54
-In order to avoid signature-based endpoint detection solutions while simulating

this procedure, an obfuscated29 version of the Mimikatz script is generated by
altering the signature of the file.
-A local server is started on the simulation host to serve the obfuscated binary to the
target host.
-A connection is established to the target host.
-An attempt to temporarily disable the endpoint's real-time malware protection is
made via Powershell. Including this step in the simulation will provide the blue
team with additional important artifacts that should be monitored to indicate
malicious activity.
-In another attempt to bypass endpoint malware detection tools, the Mimikatz
obfuscated script will be loaded from the remote server running on the simulation
host and the modules that extract Kerberos tickets and credentials are executed into
a memory buffer without touching the disk. To do this, Powershell's 'Invoke-
Expression' module is used, it is a module that loads a remote PowerShell script
into memory and executes it without touching the disk.
-The extracted tickets are then transferred back to the simulation host and deleted
on the target host, and the received output is parsed and inserted into the database.
-If real-time malware protection was disabled, it is enabled again.
The following diagram summarizes the functioning of this procedure.
Figure 3.14 The functioning of the Mimikatz procedure
29
Malware obfuscation is a process that makes textual and binary data difficult to understand. It helps adversaries hide
critical words (known as strings) a program uses because they reveal patterns of the malware's behavior.
55
Contrary to Mimikatz which is considered a malware and is quite easily detected by

endpoint security products, other procedures can be used that rely on legitimate
Windows tools that blend in with regular network activity and remain hidden. These
procedures are :
 Procdump procedure: Procdump is a Windows command-line utility from the
Sysinternal suite, its primary purpose is monitoring an application and generating
crash dumps that can be used to determine the cause of the crash. This tool can also
serve as a general process dump utility and the fact that it's a legitimate tool signed
by Windows makes it widely employed by adversaries to generate dumps of the
LSASS process memory stealthily.
To generate a dump using Procdump, a remote connection is established to the
victim host, then the Procdump executable file is transferred and a command is
executed to generate a dump file of the process with the PID of the LSASS.exe
process. The dump file is transferred to the simulation host, and it's deleted
alongside the Procdump executable from the target host. The dump file is parsed
offline where credentials and Kerberos tickets are extracted.
The following diagram details the functioning of this procedure.
Figure 3.15 The functioning of the Procdump procedure
 Comsvcs procedure: Comsvcs is a Dynamic-link library (DLL)30 located in

C:\Windows\System32 that dumps process memory whenever they crash. This DLL
contains a function entitled MiniDump that is responsible for dumping process
memory, this function can be called with rundll32.exe which is a program that runs
functions in DLLs. Instead of uploading a binary, this procedure can be executed
directly on the target host which makes it the most stealthy procedure.
After a remote connection is established, a command is executed to generate a
dump file of the process with the PID of the LSASS.exe process by calling the
MiniDump function via rundll32.exe. The dump file is transferred to the simulation
host and then deleted from the target host. The dump file is parsed offline where
credentials and Kerberos tickets are extracted.
30
DLL files are binary files that are dynamically linked with programs that use them during execution rather than
being compiled into the main program (they are loaded when they are required).
56
The following diagram details the functioning of this procedure.
Figure 3.16 The functioning of the Comsvcs procedure
 Security account manager (SAM), LSA Secrets, and Cached domain credentials
If the user wants to simulate the LSA secrets, or Cached domain credentials dumping
sub-techniques on a specific host, the HKEY_LOCAL_MACHINE\SECURITY registry
key is copied on the target host. If the user wants to simulate the Security account
manager (SAM) dumping sub-technique the HKEY_LOCAL_MACHINE\SAM registry
key is the one copied. After connecting to the host, the registry keys are copied by the
reg.exe process which is a process introduces in Windows that enables modifying the
registry via command prompts or scripts and exporting copies of registry keys to external
files. Once the copy files are generated, they are transferred to the simulation host where
they are parsed to extract information from them then deleted from the target host.
The following diagram details the functioning of this simulation.
57
Figure 3.17 The functioning of the SAM, LSA, and Cached credentials, simulation
 NTDS
To extract credentials from the NTDS.dit file on the domain controller, the domain
controller should be compromised first. To simulate this sub-technique, two procedures
are available :
 Volume shadow copy: Volume shadow copy is a Windows service that allows to
take backups of drives when they are locked and in use by the operating system,
the legatine usage is to provide backup files that can be used to restore the
previous state if a problem occurs. Once a shadow copy is created for a specific
drive, files on it will be accessible and can be copied into other locations. To
create volume shadow copies, tools like Vssadmin are used, which is a default
Windows process that creates and manipulates shadow copies.
The steps followed to simulate this procedure are :
-Locate the NTDS.dit file and determine the drive it's stored in.
-Create a volume shadow copy for that drive using vssadmin.exe.
-Copy the NTDS.dit file and the System hive (That contains the necessary keys to
decrypt the NTDS.dit file) from the shadow copy to a temporary folder.
-Transfer the NTDS.dit and the system hive files from the temporary folder to the
simulation host.
-Delete the files and the shadow copy from the target host.
-Parse the files offline to extract credentials and insert them into the database.
58
Figure 3.18 The functioning of the NTDS-Volume shadow copy procedure
 Ntdsutil: Ntdsutil is a command-line tool for accessing and managing a Windows

Active Directory (AD) database. However, it can be abused to take a snapshot of
the database and transfer it for offline analysis and parsing.
The steps followed to simulate this procedure are :
-Create a snapshot of the NTDS.dit database with ntdsutil.exe.
-Transfer the NTDS.dit file and the system hive file (which is also available in the
snapshot) to the simulation host.
-Delete the files from the target host.
-Parse the files offline to extract credentials and insert them into the database.
Figure 3.19 The functioning of the NTDS-Ntdsutil procedure
 DCSync
This technique allows to retrieve information from the domain controller database
without having to obtain a session on the domain controller. A user with Replication
rights should be compromised to execute this technique from their context.
59
A domain controller is mimicked by crafting a replication request and sending it to

the domain controller via the Microsoft Directory Replication Service Remote Protocol
(MS-DRSR), in this request replications of the domain credentials are requested via the
GetNCChange function. Once the primary domain controller replicates the credentials of
the domain controllers it sends them back to the simulation host and they are inserted into
the database.
Figure 3.20 The functioning of the DCSync simulation
5.6.5 Using alternate authentication material

 Pass the hash
If the Pass the hash sub-technique is simulated on a static simulation, the hashes of
the chosen users are retrieved from the simulation session, if it is simulated on a dynamic
simulation, hashes are retrieved from the results of a previous credential dumping
simulation. This sub-technique relies on two parts, the first one is establishing a remote
connection to the target host by authenticating to a service that supports NTLM
authentication by passing the hash of the victim user. The second part consists of sending
commands and retrieving results from the target host once the authentication succeeds.
To connect to a target host through pass the hash sub-technique, an authentication
request is submitted instead of the victim user, once the target host sends the challenge it
will be encrypted with the password hash of the victim user that was previously
compromised. The encrypted challenge is then submitted to the target user for validation,
and access is granted.
The following diagram summarizes the functioning of passing a hash to a target host.
60
Figure 3.21 Sequences diagram of the sub-technique 'pass the hash'
After access is granted to the target host, sending and retrieving commands depends
on the procedure used. There are four different possible procedures that can be executed,
each one produces different indicators of compromise, the different procedures are :
Through SMB (PSexec): PSexec is a command-line utility built for Windows as
part of the Sysinternals suite31, it allows administrators to launch and execute interactive
command prompts on remote computers without having to manually install client
software. This tool is made for legitimate purposes but has been exploited by adversaries
because it authenticates to SMB via the NTLM protocol which allows them to use it for
remote code execution when only the user's password hash is known through pass the
hash technique.
It connects to the ADMIN$ share through SMB, then transfers a binary executable to
the target and places it in the ADMIN$ share folder, then, it creates a service called
PSEXECSVC, this service points to the binary and runs it to create a named pipe32 that
can be used to send commands to the target host and retrieve results from it. Upon
completion of its task, the service will be stopped and the binary file will be deleted
from the ADMIN$ share folder.
The following diagram represents the functioning of this procedure.
31
Windows Sysinternals is a suite of more than 70 freeware utilities that was initially developed by Mark Russinovich and
Bryce Cogswell that is used to monitor, manage and troubleshoot the Windows operating system.
32
Named pipes provide communication between processes on different computers across a network.
61
Figure 3.22 Sequence diagram describing the procedure 'Psexec'
Through SMB (SMBexec): SMBexec connects to the target host's ADMIN$ share
via SMB and allows remote code execution. Instead of transferring an executable file, it
transfers every command on a batch33 file to the target machine via SMB, then a service
is created that runs the batch file and redirects the output to a temporary file placed on a
readable SMB share, the temporary file is then transferred to the attacker's machine.
When the execution is finished, the files and the created service are deleted.
Figure 3.23 Sequence diagram describing the procedure 'SMBexec
33
A BATCH file is a file used to execute commands with the Windows Command Prompt (cmd.exe). It contains a series of
line commands in plain text that are executed to perform various tasks.
62
Through the Windows Management Instrumentation (WMI): WMI is a set of

specifications from Microsoft for consolidating the management of devices and
applications in a network of Windows computing systems.
Adversaries can connect remotely to the target system through WMI and create a
windows process that runs commands by directly launching the command prompt process
(cmd.exe). The output is written to a temporary file in an SMB share ( ADMIN$ by
default), once the output file is retrieved it is deleted.
Figure 3.24 Sequence diagram describing the procedure 'Pass the hash through WMI'
Through scheduled tasks over RPC: Adversaries can connect to a target by passing
the hash through Remote procedure call (RPC), which is a protocol that a process can use
to request a service from another process located in another host on the network. The
requested service is the Task scheduler service, which registers a task with the command
to execute in the action section. The task uses the cmd.exe process to run each command,
and it redirects the output to a temporary file in the ADMIN$ share. The task is run to
execute the command, after the command execution the task is deleted and a connection
is established to the ADMIN$ share over SMB to retrieve the output file, the output file is
then deleted.
63
Figure 3.25 Sequence diagram describing the procedure 'Pass the hash through RPC'
One of the objectives behind this simulation is to determine the attack surface that
can be obtained upon compromising a specific user. For example, the following diagram
represents an example of a simulation where 3 users are chosen as the initially
compromised users, and there are 4 hosts on the network. The user1 has elevated privileges
on the hosts computer1 and computer2 and thus he can connect to them using pass the hash
technique, user2 doesn't have elevated privileges on any host, and user3 has elevated
privileges on all the hosts. This gives an insight into the attack surface that each host is
exposed to based on the compromised user.
Figure 3.26 Diagram describing an example of the results of the pass the hash technique
64
 Pass the ticket

There are two types of Kerberos tickets that can be passed with pass the ticket sub-
technique, TGT tickets, and TGS tickets. When the user chooses the ticket they like to
pass and the resource to authenticate to via that ticket, the path to the chosen ticket is
retrieved from the database.
If the ticket is a TGT ticket :
-A TGS-REQ is sent to the KDC to request a TGS ticket for the target resource that
we want to gain access to. The TGS-REQ contains the ID of the resource and the TGT
ticket.
-Once the KDC receives the TGT ticket, it checks the validity of the ticket before
sending a TGS-REP that contains the TGS encrypted with the secret key of the target
resource.
-The TGS is then saved in the Kerberos tray to be used to request access to the target
resource.
If the chosen ticket is a TGS ticket, that TGS ticket is presented to the Target
resource to request access.
-Once the target resource receives the TGS, it decrypts it with its secret and checks
its validity and the permissions of the client who owns the TGS.
-If the client has enough privileges to access the resource and the TGS is valid,
access is granted, otherwise access is refused.
The following diagram resumes the functioning of this simulation.
Figure 3.27 Sequences diagram of the pass the ticket sub-technique simulation
65
5.6.6 Stealing or forging Kerberos tickets

 Kerberoasting
The kerberoasting sub-technique can be simulated upon gaining access to the domain
as any valid user, the simulation goes as fellow :
-An LDAP request is sent to the target domain controller to query for SPNs of user
service accounts. For each SPN discovered, a service ticket is later requested from the
Key distribution center.
-To request a service ticket, first a Ticket granting ticket (TGT) is requested by
sending an AS-REQ message that contains an authenticator encrypted with the
compromised user's password hash, the CNameString which is the username of the
compromised user, and the SNameString which in this case is the SPN of the KRBTGT
service.
-After the KDC verifies the compromised user’s identity and the validity of the
request, it sends an AS-REP packet that contains the TGT encrypted with the KRBTGT
account's hash and a session key encrypted with the compromised user's hash, the
session key is then decrypted with the compromised user's hash and stored alongside the
TGT.
-With this TGT, a Ticket Granting Service ticket (TGS) is requested for each
discovered SPN. For that, a TGS-REQ request is sent which includes the SNameString
which is the service principal name that the ticket is requested for (the target service),
the encryption type (RC4_HMAC type to request for RC4), an authenticator encrypted
with the session key, and the TGT.
-When the KDC receives the request and checks the validity of the TGT, it sends a
TGS-REP packet that contains a TGS ticket (service ticket) encrypted with the hash of
the target service account and a session key. The encrypted TGS is saved for offline
cracking.
-The saved service tickets are cracked offline using a password list in order to obtain
the clear text passwords of the target service accounts.
The following diagram resumes the functioning of the Kerberoasting simulation.
66
Figure 3.28 Sequences diagram of the Kerberoasting sub-technique simulation
 AS-REP Roasting
The AS-REP Roasting sub-technique can be simulated upon gaining access to the
domain as any valid user, the simulation goes as fellow :
-An LDAP query is sent to the target domain controller to query for user accounts
that do not require Kerberos pre-authentication.
-For each user with the 'Do not require pre-authentication' attribute set an AS-REQ
message can be sent without having to provide the user's password in order to encrypt
the authenticator. The AS-REQ packet is crafted to request for a TGT ticket, it contains
in the request body the CNameString which is set to the target user name and the
encryption type which is set to RC4_HMAC.
-Once the KDC receives the AS-REQ request packet, it will reply with a TGT for the
target user which will be sent via an AS-REP packet, this AS-REP packet contains an
encrypted part which is the session key encrypted with the target user's NT hash (since
RC4 encryption was imposed), this encrypted data is then cracked using a dictionary
attack in order to extract the clear text password of the target user.
The following diagram resumes the functioning of the AS-REP roasting sub-
technique simulation.
67
Figure 3.29 Sequences diagram of the AS-REP Roasting sub-technique simulation
 Golden ticket
To simulate the Golden ticket sub-technique, the hash of the KRBTGT account must
be already compromised. If it's a static simulation the hash is retrieved from the
currently setup simulation session, if it's a dynamic simulation it is retrieved from a
previously simulated credential dumping technique where the KRBTGT hash was
compromised.
The steps followed to simulate this sub-technique are :
-A TGT ticket is forged by specifying the domain name, the domain SID, the ticket
lifetime which is set to 10 years, and an arbitrary PAC.
PAC stands for Privilege Attribute Certificate, which is an extension to Kerberos
tickets that contain information about user's privileges. When a user authenticates to a
resource with a Kerberos ticket the PAC in the ticket is read and used to determine the
privileges of that user and the level of access they have on the resource without having
to reach the domain controller to query for that information each time. This allows
adversaries to forge a PAC that attributes a high level of access to any user (even if the
user doesn't exist), since the information in the PAC isn't validated (unless it is required
which is rare).
The forged PAC includes information about a fake user entitled GoldenUser. Group
membership to the Domain Admins group is defined by adding the RID 51234, this will
indicate that the user is part of the Domain Admins group and thus have access all over
the network.
When this TGT is presented to the KDC to ask for a TGS for any service, the TGS
will have a copy of the forged PAC which will allow access to any resource since the
PAC indicated that the user is a domain administrator.
34
RID 512 is the relative ID for the Domain administrators groups whose members are authorized to
administrate the domain.
68
-The forged TGT is encrypted with the hash of the KGBTGT account.
-The ticket is inserted in the database, and can later be used to request for TGSs to
any service via pass the ticket sub-technique.
The following diagram resumes the functioning of the Golden ticket sub-technique
simulation.
Figure 3.30 Sequences diagram of the Golden Ticket sub-technique simulation
 Silver ticket
To simulate the Silver ticket sub-technique, the hash of a service account (user or
computer) must be already compromised. If it's a static simulation the hash is retrieved
from the currently setup simulation session, if it's a dynamic simulation it is retrieved
from a previously simulated credential dumping technique where the target service
account's hash was compromised.
The steps followed to simulate this sub-technique are :
-A TGS ticket is forged by specifying the domain name, the name of the requested
service (its service principal name), the ticket lifetime which is set to 10 years, and an
arbitrary PAC. The forged PAC includes information about a fake user entitled
SilverUser. Group membership to the Domain Admins group is defined by adding the
RID 512, this will indicate that the user is part of the Domain Admins group and thus
will have elevated privileges on the requested service.
-The forged TGS is encrypted with the hash of the service account.
-The ticket is inserted in the database, and can later be used to request access to the
target service via pass the ticket sub-technique.
The following diagram resumes the functioning of the Silver ticket sub-technique
simulation.
69
Figure 3.31 Sequences diagram of the Silver Ticket sub-technique simulation
5.6.7 Brute Force

 Password cracking
To attempt to crack the dumped password hashes or the encrypted Kerberos tickets
the wordlist (or dictionary) approach is used. When the user wants to crack credentials
or tickets of certain domain users, these domain users and their credentials/tickets are
selected, then the user is prompt to upload a wordlist that will be used in the cracking
process.
If a password hash is the material to be cracked, each entry on the wordlist is hashed
according to the format of the target password hash, if the value of the hashed password
from the wordlist is the same as the target password hash, then the plain-text password
is the word from the wordlist.
If a Kerberos ticket is the material to be cracked (a TGS ticket in the case of a
Kerberoasing attack or a TGT ticket in the case of an AS-REP roasting attack), then
each entry from the wordlist is computed to a specific format and used as the key to
decrypt the ticket, if the ticket is successfully decrypted, then the plain-text password is
the key used.
The following diagram resumes the functioning of the password cracking
simulation.
70
Figure 3.32 Sequences diagram of the password cracking simulation
5.7 Generating reports

After the termination of each simulation, the information retrieved from the simulation is
inserted into the database, this information varies from one technique to another. The user can
consult all the reports of his previous simulations. When the user chooses a report to consult,
the data of the chosen simulation is retrieved from the database, parsed, and presented to the
user.
71
Figure 3.33 Sequences diagram of the functionality "Generating reports"
5.8 Class diagram

The following class diagram describes the structure of the application by showing the
system's classes, their attributes, operations (or methods), and the relationships among objects.
A user can perform the different operations of the functionalities offered by the
application, each user can have a simulation session and each simulation session belong to only
one user.
The simulation session has two different modes, the manual and the automatic, each has a
specific operation to retrieve the necessary information.
Each user can have multiple simulations, and each simulation belongs to only one user. A
simulation has three different types, static, dynamic, or determining attack paths. The different
types have common operations while the dynamic simulation has additional particular
operations.
Each simulation has one or multiple techniques, and each technique can be simulated in
one or multiple simulations. Each technique has one or multiple sub-techniques, and each sub-
technique has one or multiple procedures.
Every user can have multiple reports, each report includes the results of one or multiple
simulations, and each simulation can belong to only one report.
72
Figure 3.34 Class diagram
6. Securing the tool

Since this solution includes a lot of sensitive details about the environment that can be used
directly by an adversary if it is compromised, or by an internal threat actor, it's necessary to think
of ways to secure the access to the tool and protect the sensitive assets.
In order to setup a simulation session and simulate the different attacks, the credentials of a
domain administrator are required. This will insure that only an employee with administrative
privileges can successfully setup a simulation session and start the simulation of the attacks. On
the other side, the solution isn't connected to the external network, it is a local application that's
only used by accessing the physical host itself, thus, securing and carefully managing access to the
physical host is the priority in order to avoid taking over the tool and using it for malicious
purpose.
73
7. Conclusion
This chapter gives a global vision to our work by defining and exposing the conceptual
approaches followed to design our solution. It included the architecture and the different
functionalities offered by the application and the detailed procedures that reflect our reasoning.
This phase will allow us to move to the implementation step, which will be covered in the next
chapter.
74
Chapter IV :
Implementation and Tests
1. Introduction
Through this chapter, we will present the implementation of the application by starting with the
environment and tools used all along the implementation phase. Then move to the presentation,
tests, and scenarios phase which will include a presentation of our application and a selection of
test scenarios that will highlight our work and demonstrate it through use cases and scenarios
extended with screenshots of the different steps and results.
2. Working Environment
2.1 Operating system
2.1.1 GNU/Linux
GNU/Linux is a family of open-source Unix-like operating systems based on
the Linux kernel35. It includes a vast selection of distributions each tailored for specific use
cases.
Our solution is destined to work on any Linux-based operating system. The reasons
behind this choice are the flexibility and the stability that Linux operating systems offer
especially the distributions derived specifically for penetration testing as they include
multiple pre-installed penetration testing tools and utilities that offer a complete toolbox.
This provides a practical solution to interfere with multiple different components of a
remote system and work at different levels of abstraction by relying on flexible tools that
facilitate the task and especially reduce the execution time. It also doesn't cause a problem
to simulate attacks targeted at Windows environments from Linux-based operating systems
because the host where the adversary simulation tool is deployed doesn't have to be joined
to the target domain.
2.2 Servers
2.2.1 MySQL
MySQL is a robust, fast, and open-source relational database management system
based on the SQL (Structured Query Language) which is a standard language for database
processing.
The MySQL server can operate in client/server mode. It controls data access to
ensure that multiple users can simultaneously use the same database, and guarantee that
only authorized users can access data.
2.3 Languages
2.3.1 Python
Python is a high-level, object-oriented, general-purpose, and powerful programming
language. It has a neat and simple syntax that makes the programs readable and easy to
maintain. It supports modules and packages, which encourages program modularity and
code reuse.
75
Chapter 4 : Implementation and tests
2.3.2 SQL
Structured Query Language (SQL) is a programming language that is typically used
in relational databases or data stream management systems.
The SQL data manipulation language allows to search, add, modify or delete data in
relational databases. It is particularly used by web developers to communicate with the
data of a website.
2.3.3 HTML
HTML is the foundation of a webpage. It is a markup language, which defines the
overall structure of the page. It tells a web browser how to display text, images, and other
forms of multimedia on a webpage.
HTML is a formal recommendation by the World Wide Web Consortium (W3C) and
is generally adhered to by all major web browsers, including both desktop and mobile web
browsers.
2.3.4 CSS
Cascading Style Sheets, fondly referred to as CSS, is a simple design language that
allows web designers and developers to style and tune every component that is defined in
HTML. CSS allows controlling the style of fonts, colors, and layout designs as well as a
variety of other effects.
2.3.5 JavaScript
It is a scripting language incorporated into an HTML document. It allows to make
improvements to the HTML language by allowing commands to be executed on the client-
side, i.e., at the level of the browser and not the web server. In addition, it allows to
perform input controls to validate the fields of a form, to open new windows, or to manage
graphic elements.
2.4 Frameworks
2.4.1 Flask
Flask is a web framework written in Python that offers tools, libraries, and
technologies suitable for building a web application. It is known as a micro-
framework because it is lightweight and only provides components that are essential such
as routing, request handling, sessions, and so on.
Flask provides a development server and a debugger, alongside many extensions
which can be used to enhance its functionalities. This makes it an ideal framework for web
application development.
2.4.2 Bootstrap
Bootstrap is the most popular, free, and open-source framework for creating a
responsive layout in web pages with much fewer efforts. It contains HTML, CSS, and JS
components for creating forms, buttons, navigation, dropdown, modals, layout, and many
other interface components.
2.4.3 JQUERY
jQuery is an open-source fast and small JavaScript library that simplifies the
interactions between an HTML document and JavaScript. It makes things like animation,
and event handling. It comes with an easy-to-use API that works on different types of
browsers.
2.4.5 JSON
JavaScript Object Notation (JSON) is a lightweight data-interchange format that is
based on key-value pairs and ordered lists. Although JSON is derived from JavaScript, it is
76
supported either natively or through libraries in most major programming languages. it is

used primarily to transmit data between a server and web application.
2.5 Software and modules

2.5.1 Impacket
Impacket is an open-source collection of Python modules that interacts with network
protocols by providing low-level programmatic access to different network packets and
protocols. It can be used to construct packets from scratch or manipulate them. Some of the
featured protocols are SMB, NTLM, and Kerberos.
2.5.2 Nmap
Nmap, short for Network mapper is a free and open-source utility for network
discovery and security auditing. It is used to discover and fingerprint hosts in the network
by sending specially crafted parquets. One of the main features of Nmap is vulnerability
scanning which is offered by determining services and their versions and comparing them
to local vulnerabilities databases, these local databases include CVEs36 from the most
reliable and famous exploit databases such as ExploitDB37 and Security Focus38 among
others.
2.5.3 Living off land binaries (LOLBins)
Living off land binaries are binaries that are legitimately supplied and signed by the
operating system and often come pre-installed. However, they can be used for a malicious
purpose while evading and hardening the usual detection process by blending in with
regular network activity. These binaries are usually used during the post-exploitation
phase. Some of the most used LOLBins by adversaries while penetrating a Windows-based
system are: powershelle.exe, ntdsutil.exe, vssadmin.exe, reg.exe, cmd.exe, and
rundll32.exe among others. These binaries have been already presented in the previous
chapter.
3. Test environment
In order to continuously perform tests and validate the functioning of our solution, we set up a
test environment that simulates an enterprise domain that runs on Active directory. The test
environment is set up in a virtualized environment.
3.1 Virtualization environment

3.1.1 VMware workstation
VMware workstation is a stable solution for local desktop environments that allows
to run multiple operating systems as a virtual machine on a single physical host and use
them simultaneously which is useful to create a functional client-server environment.
3.2 Domain environment

Ideally, the testing environment includes a complete enterprise architecture with many
workstations, domain controllers, and objects, but due to the very limited available resources,
36
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for
publicly known information security vulnerabilities.
37
The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software,
developed for use by penetration testers and vulnerability researchers.
38
Security Focus is an online news portal and community created to share general CVE and exploit information
with developers and security researchers in a centralized location.
77
our environment is limited to an architecture including a domain controller and two

workstations.
Our domain is hosted under the domain name "SSI.DZ". The client hosts are named
"COMPUTER1" and "COMPUTER2", while the machine hosting the domain controller is
named "USTHB". The endpoints of the domain have Windows defender configured as an
endpoint security solution.
Our application is hosted on a Linux-based operating system that is deployed on the same
internal network as the domain environment.
The following figure is a representation of the test environment.
Figure 4.2 Representation of the test environment
4. Presentation of the application

In this section, we will present the main components and interfaces that provide the different
functions of our application entitled "ARCTIC". The first interface that the user will be greeted
with is the login interface, where they can also sign up if they don't already have an account.
Figure 4.2 Login Interface
78
Upon logging into the application, the dashboard contains a list of all the available sub-
techniques under each technique.
Figure 4.3 Dashboard containing the available techniques and sub-techniques
Upon clicking on any sub-technique a knowledge framework is displayed. It contains a detailed

explanation about the sub-technique, the methods and procedures followed to simulate it, and
ways to detect and mitigate against this type of attack.
Figure 4.4 Example: knowledge framework of the scanning IP blocks sub-technique
The menu offers the different functionalities available. The user can set up a simulation session,
simulate an attack (static, dynamic, or determine attack paths), or consult the reports of the
previous simulations.
Figure 4.5 Functionalities menu
79
Upon choosing to start a static simulation, a list of all the available sub-techniques is provided
for the user to choose the desired sub-technique to simulate.
Figure 4.6 Static simulation - list of sub-techniques
If a dynamic simulation is chosen, the user has to choose between starting a new dynamic
simulation or proceeding with an old one.
Figure 4.7 Dynamic simulation - mode choice
On the other hand, the results page includes a list of all the previous simulations, the user can
consult the results of any simulation they want.
Figure 4.8 Previous simulations result interface
80
5. Scenarios and tests

To provide an overview of the functioning of our solution, some tests are presented through
defined scenarios for each functionality.
5.1 Static simulation
In this use case, the user (system administrator or blue team) would like to simulate a static
attack on specific hosts with specific procedures in order to test the detection and incident
response capabilities of the organization. For that, a simulation session should be setup first,
this simulation session will retrieve and store all the necessary information which will be used
by the different simulations (such as the domain controller IP address, the target subnet IP
address, the domain administrator credentials, list of domain users, domain users
credentials...etc). The automatic mode is chosen.
Figure 4.9 Setting up a simulation session- automatic mode
After successfully setting up a simulation session, the user can view the information related
to it, or edit some information.
Figure 4.10 Viewing the simulation session information
81
Figure 4.11 Editing the simulation session information

5.1.1 First scenario
In this scenario, the user chooses to simulate the LLMNR/NBT-NS poisoning and
SMB relaying sub-technique, to do that, he chooses this sub-technique from the sub-
techniques list and then inputs the IP subnet of the target network and starts the simulation.
Figure 4.12 Starting the LLMNR/NBT-NS poisoning & SMB relaying simulation
Once the simulation is terminated, the reports of it can be consulted on the results
page. The reports of this simulation include a section that contains all the hosts on the
target network with SMB signing set as disabled or not required. The second section
contains a graphical representation of the compromised host "COMPUTER2" which we
successfully authenticated to by relaying the credentials of the user "user1" who attempted
to access a share that couldn't be resolved by the DNS on the host "COMPUTER1". It
also includes a table that represents all the poisoned requests from the users in the column
"username" on the hosts in the column "IP Address", if the credentials were successfully
82
relayed to another host on the network that host is shown with the privilege of the access
obtained on it on the columns "Credentials relayed to" and "Privilege obtained".
Figure 4.13 Reports of the LLMNR/NBT-NS poisoning & SMB relaying simulation
5.1.2 Second scenario

In this scenario, the user chooses to simulate the LSASS memory dumping sub-
technique, for the procedure they choose "mimikatz" and "comsvcs", and for the target
hosts "Computer1, Computer2, and USTHB". The simulation is then started.
Figure 4.14 Simulating the LSASS memory dumping sub-technique of the Credential dumping technique
83
Once the simulation is completed, the reports can be consulted on the "View
Results" page. The first section of the report includes the status of the simulation of each
procedure on each host. The second section includes the retrieved credentials and the
extracted Kerberos tickets from each host.
Figure 4.15 Reports of the LSASS memory dumping sub-technique
5.2 Dynamic simulation

In this use case, the user (the system administrator or the red team/penetration tester) is
trying to assess the security of the organization by viewing the network through the eye of an
adversary. For that, a dynamic simulation is chosen in order to determine the weak spots that
can be exploited, how they would be exploited, how the implemented defense mechanisms
would respond, and the magnitude of successful exploitation.
To start a dynamic simulation, the user chooses 'Start a dynamic simulation' then specifies
the IP address subnet of the target network.
84
Figure 4.16 Starting a dynamic simulation
Upon starting the simulation, the "Scanning IP blocks" and "Vulnerability scanning"
techniques are run in order to conduct in-depth research on the chosen network and identify the
vulnerabilities that can be exploited to gain initial access. The reports of the results of the initial
simulations are as follow :
- For the IP Blocks scanning, we can see a graphical representation of all the discovered
Windows hosts in the network, as well as details about the host name, OS, domain name, forest
name..etc
Figure 4.17 Reports of the scanning IP blocks simulation
85
- For the vulnerability scanning simulation, the results indicate that there were three high
severity vulnerabilities discovered on the network, two of them in the host "COMPUTER1",
and one on the host "COMPUTER2". These two vulnerabilities were identified as :
 Remote code execution on Windows SMBv1 servers: this vulnerability affects
Windows system that uses the SMBv1 file-sharing protocol. It exists in the way that the
SMBv1 protocol handles certain request. An adversary can successfully exploit this
vulnerability by sending a specially crafted packet to the target, this will allow them to
gain the ability to execute code on the target network remotely. The exploit of this
vulnerability is known as "EthernalBlue", it has been used to spread one of the most
dreadful malware known as "WannaCry"39.
 Remote desktop protocol remote code execution vulnerability: This vulnerability affects
Windows systems by taking advantage of a vulnerable implementation of the RDP
protocol. An adversary can successfully exploit this vulnerability by sending
maliciously crafted parquets to the targets with RDP enabled which can lead to gaining
the ability to execute arbitrary code remotely. This vulnerability is also known as
"BlueKeep".
Figure 4.18 Reports of the Vulnerability Scanning simulation
In order to proceed with this dynamic simulation and chain another attack, the user goes to
the dynamic simulations page and chooses 'Proceed with a dynamic simulation', then chooses
39
WannaCry is a worldwide ransomware attack launched in May 2017. It targeted computers running
the Microsoft Windows operating system by encrypting data and demanding ransom payments in
the Bitcoin cryptocurrency. It propagated through the EternalBlue exploit.
86
the simulation they would like to proceed with (the simulation with the name 'Dynamic
Simulation' in this case). Since at least a vulnerability was discovered in both the hosts, the
techniques that can be simulated next are 'Vulnerability exploitation' for both.
In this scenario, the user would like to attempt to exploit vulnerabilities on both the hosts
in order to gain initial access to them. He chooses to exploit the "Remote code execution on
Windows SMBv1 servers" on the host "COMPUTER2" and the "Remote desktop protocol
remote code execution vulnerability" on the host "COMPUTER1".
Figure 4.19 Proceeding with a dynamic simulation- Vulnerability exploitation
Once the simulation is completed, on the reports page we can find the results of the
vulnerability exploitation technique. Access has been granted to the host "COMPUTER1"
upon successfully exploiting the vulnerability on it, for the other host the exploitation has
failed.
Figure 4.20 Reports of the Vulnerability exploitation technique
87
Now that we have an initial foothold into the network, we can proceed with other
techniques, the first one being the "Account discovery" technique.
Figure 4.21 Proceeding with a dynamic simulation- Account discovery
Once the simulation is completed, on the reports page we can see the valuable information
that an adversary can harvest once they have initial access into the network. This information
includes the list of domain controllers, domain users and their details including the description
entry which may contain sensitive information, and the list of the domain administrators.
Figure 4.22 Reports of the Account Discovery technique - Domain controllers
88
Figure 4.23 Reports of the Account Discovery technique - Domain users
Figure 4.24 Reports of the Account Discovery technique - Domain administrators
By going back to the dynamic simulation page, we can see the next techniques that can be
simulated on the compromised host.
89
5.2.1 First scenario

In this scenario, the user chooses to simulate the Cached domain credentials sub-
technique.
Figure 4.25 Proceeding with a dynamic simulation - Cached domain credentials
The results of this simulation include two sections, the first contains the status of the
simulation and the second the retrieved password hashes.
Figure 4.26 Reports of the Cached domain credentials dumping simulation
From the previous simulation, we can notice that the credentials of the user "user3"
were cached and retrieved from the host "COMPUTER1", and from the "Account
discovery" simulation we learned that the user "user3" has administrative privileges on
the domain. If we could crack his hash we could gain direct access to the domain
controller. The next sub-technique to run is Password cracking on the compromised hash.
90
Figure 4.27 Proceeding with a dynamic simulation - Password cracking
The reports of this simulation indicate that the password of the user "user3" was
successfully cracked.
Figure 4.28 Reports of the password cracking sub-technique
Now that we possess the credentials of a domain administrator, we can attempt to

login into the domain controller. The next technique to simulate is the "Lateral movement
from dumped passwords" where we will try to authenticate to the Domain controller by the
credentials of the previously compromised user.
Figure 4.29 Proceeding with a dynamic simulation - Lateral movement from dumped passwords
91
From the reports, we conclude that the domain controller has been successfully
compromised.
Figure 4.30 Reports of the Lateral movement from dumped passwords sub-technique
This scenario demonstrates how an adversary can take control over the whole
network just by gaining access to one under-privileged host and taking advantage of the
present vulnerabilities.
On the top of the reports page for the dynamic simulation, a graphical representation
of the simulated techniques and compromised assets is provided on each step of the
simulation, at the end of this scenario, the graph is as follows :
Figure 4.31 Simulations history - Dynamic simulation
5.2.2 Second scenario

In this scenario, the user starts another dynamic simulation entitled "Dynamic
simulation 2", gains access to the host "COMPUTER1" and starts reconnaissance on the
domain by following the same steps mentioned before starting the first scenario on the
Dynamic simulation section.
Once the discovery technique is simulated, the user chooses to simulate the 'Security
account manager" credentials dumping technique on the compromised host.
92
Figure 4.32 Proceeding with a dynamic simulation - Security account manager
Once the simulation is terminated, we can consult the reports to see the retrieved
password hashes of the local users from the compromised host.
Figure 4.33 Reports of the sub-technique Security account manager of the credential dumping technique
Since hashes were compromised, the next technique to simulate is pass the hash, to
try to gain additional access and move laterally through the network via the compromised
credentials.
Figure 4.34 Proceeding with a dynamic simulation - Pass the hash
93
The reports of the simulation indicate that the user "user1" could successfully
connect to both hosts "COMPUTER1" and "COMPUTER2". This means the host
"COMPUTER2" has been compromised as well.
Figure 4.35 Reports of the sub-technique Pass the hash
This scenario demonstrates how an adversary can chain a set of specific techniques
to first gain an initial foothold in the network, then move laterally and compromise
additional assets.
At the end of this scenario, the graph of this dynamic simulation is as follows.
Figure 4.36 Simulations history - Dynamic simulation 2
5.3 Determining Attack Paths

In this use case, the "Determining attack paths" functionality is chosen in order to
identify the potential weaknesses that adversaries can exploit to penetrate the domain. To start
this simulation, the user only has to input the name of the simulation and the wordlist to use for
password cracking when it comes to password strength assessment.
94
Figure 4.37 Determining attack paths- Starting information gathering
After completing the simulation, the reports page will include the following sections
The first section includes the list of domain administrators, this will help to determine
over-privileged users and reduce the attack surface.
Figure 4.38 Reports of Determining Attack Paths - Domain administrators
The second section includes a graphical representation of the access that each user has to
the different hosts through the network. By forcing a least-privilege strategy when it comes to
local administrators the attack surface will shrink considerably and many attack paths will be
eradicated.
Figure 4.39 Reports of Determining Attack Paths - Local administrators through the network
95
The next section is an assessment of the password policy by attempting to crack the
passwords of the domain accounts via the provided wordlist, and determine the percentage of
the weak passwords in addition to the discovered users with weak passwords.
Figure 4.40 Reports of Determining Attack Paths - Password strength assessment
The following section determine the attack paths that can be taken by adversaries to exploit
the Kerberoasting and AS-REP Roasting technique, this is determined by extracting the
vulnerable users to these attacks that have weak passwords based on the previous assessment.
Figure 4.41 Reports of Determining Attack Paths - Users vulnerable to Kerberoasting and ASREP roasting
The last part determines the Shadow administrators present on the domain by analyzing the
ACEs of the configures DACLS. A list containing the domain users is provided and when a
user is chosen all the possible paths that lead to taking control over that user are displayed.
In this example we chose the user "user3" who is a domain administrator, we can see that
there is two paths that lead to compromising them. Either directly from the user 'user1' who
have ForceChangePassword right over 'user3' which allows him to change the password of
'user3' without knowing it, or from the user 'user4' who have GenericAll on the target user
which gives him full access over the target. We can conclude that the users 'user4' and 'user1'
are considered Shadow administrators.
96
Figure 4.42 Reports of Determining Attack Paths - Determining shadow administrators
6. Conclusion
In this last chapter, we have presented the working environment of our project, specifying the
different languages and tools that we have worked with. Followed by a presentation of the test
environment. We concluded by illustrating the different functionalities of our application through
some scenarios in order to give an overview of our solution.
97
General Conclusion
Through this project, we implemented an adversary simulation tool that allows to simulate
different sets of cyber attacks against Windows infrastructures.
Our solution offers multiple functionalities that fit different aspects of cyber security
orientations.
It can be used to test the implemented security politics on the environment in an automated
and flexible way which offers a convenient and time and resource-saving solution for the blue
teams.
Another use case is to determine the security holes in the infrastructure by an automated
penetration testing assessment which provides the red team with the ability to view their network
from the perspective of an adversary by starting with exploiting security holes and working their
way up to the privileged sensitive assets.
It also offers the possibility to assess the network and find the most common and pre-
defined weaknesses and overlooked configurations that allow adversaries to penetrate the
infrastructure, this presents a low-budget solution for companies with no security professionals.
Moreover, it offers a knowledge framework that catalogs and explains the different
techniques in a constructive way to provide the domain administrators with the ability to harden
the security of their environment and fill up the gaps of knowledge when it comes to securing
Windows infrastructures.
Working on this project allowed us to discover and manipulate the different aspects of
Windows infrastructures and explore the common weaknesses present in them and most
importantly how malicious actors take advantage of them.
Many perspectives that allow to improve our solution are planned to work on in the future.
The most important of them are:
-Enhance and extend the solution by including many more tactics, techniques, and
procedures from the most robust knowledge frameworks such as MITRE ATT&CK.
-Provide the users with the ability to dynamically generate, upload, and execute (on the
target network's hosts) scripts that correct the mis-configurations and harden the default features
that are behind each implemented technique.
-Expand the solution to cover cloud-based identity and access management services, such
as Azure AD.
-And finally and most importantly, aim to test the solution under a real enterprise
environment and scale it to an enterprise qualified solution that can be commercialized and
employed in real environments.
98
Webography
[1] AV Test, "Facts & Analyses on the Threat Scenario: The AV-TEST Security Report 2019/2020,"
[Online]. Available: https://www.av-test.org/en/news/facts-analyses-on-the-threat-scenario-the-av-
test-security-report-2019-2020/. [Accessed 18 02 2021].
[2] Satista, ,"Global market share held by operating systems" [Online]. Available:
https://www.statista.com/statistics/268237/global-market-share-held-by-operating-systems-since-
2009/. [Accessed 20 02 2021].
[3] Microsoft Wiki, "Microsoft Windows," [Online]. Available:
https://microsoft.fandom.com/wiki/Microsoft_Windows. [Accessed 16 02 2021].
[4] Tech Traget, "What is Active Directory," [Online]. Available:
https://searchwindowsserver.techtarget.com/definition/Active-Directory. [Accessed 20 02 2021].
[5] Paessler, "Active Directory," [Online]. Available: https://www.paessler.com/it-explained/active-
directory. [Accessed 22 02 2021].
[6] Techadmin, [Online]. Available: https://teckadmin.wordpress.com/2013/10/25/active-directory-logical-
and-physical-components. [Accessed 15 02 2021].
[7] Lockheed Martin, "The cyber Kill chain," [Online]. Available: https://www.lockheedmartin.com/en-
us/capabilities/cyber/cyber-kill-chain.html. [Accessed 10 03 2021].
[8] Semperis, "Recovering Active Directory from Cyber Disasters," [Online]. Available:
https://pages.semperis.com/recovering-ad-from-cyber-disasters/. [Accessed 25 03 2021].
[9] CVE Details, "Microsoft : Vulnerability statistics," [Online]. Available:
https://www.cvedetails.com/vendor/26/Microsoft.html. [Accessed 18 02 2021].
[10] Crowdstrike, "What is cyber threat intelligence ?," [Online]. Available:
https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/. [Accessed 26 02 2021].
[11] Awake Security, "MITRE ATT&CK Framework," [Online]. Available:
https://awakesecurity.com/glossary/mitre-attck-framework/. [Accessed 31 01 2021].
[12] Guardian Digital, "What's the MITRE ATT&CK Framework," [Online]. Available:
https://digitalguardian.com/blog/what-mitre-attck-framework. [Accessed 31 01 2021].
[13] ATT&CK MITRE, "wersions of MITRE ATT&CK," [Online]. Available:
https://attack.mitre.org/resources/versions. [Accessed 16 01 2021].
[14] Howard, "The MITRE ATT&CK Framework Matrices: An Overview," [Online]. Available:
https://resources.infosecinstitute.com/topic/mitre-attck-framework-matrices-an-overview/. [Accessed
02 02 2021].
[15] ATT&CK MITRE, "Entreprise Tactics," [Online]. Available: https://attack.mitre.org/tactics/enterprise/.
[Accessed 02 02 2021].
[16] ATT&CK MITRE, "Mobile Tactics," [Online]. Available: https://attack.mitre.org/tactics/mobile.
[Accessed 02 02 2021].
[17] ATT&CK MITRE, "Entreprise Techniques," [Online]. Available:
https://attack.mitre.org/techniques/enterprise. [Accessed 02 02 2021].
[18] ATT&CK MITRE, "Mobile Techniques," [Online]. Available:
https://attack.mitre.org/techniques/mobile/. [Accessed 02 02 2021].
[19] ATT&CK MITRE, "ICS Techniques," [Online]. Available:
https://collaborate.mitre.org/attackics/index.php/All_Techniques. [Accessed 02 02 2021].
[20] Cambridge Dictionnary, "Meaning of emulate in English," [Online]. Available:
https://dictionary.cambridge.org/dictionary/english/emulate. [Accessed 04 03 2021].
[21] Cambridge Dictionnary, "Meaning of simulate in English dictionnary," [Online]. Available:
https://dictionary.cambridge.org/dictionary/english/simulate. [Accessed 04 03 2021].
[22] Github, "CALDERA™," [Online]. Available: https://github.com/mitre/caldera. [Accessed 15 02 2021].
[23] Github, "ATTPwn," [Online]. Available: https://github.com/Telefonica/ATTPwn. [Accessed 15 02
2021].
[24] Crowdstrike, "NTLM Exlained," [Online]. Available: https://www.crowdstrike.com/cybersecurity-
101/ntlm-windows-new-technology-lan-manager/. [Accessed 14 04 2021].
[25] Varonis, "Kerberos Explained," [Online]. Available: https://www.varonis.com/blog/kerberos-
authentication-explained/. [Accessed 15 04 2021].
ANNEX
MITIGATION AND DETECTION OF THE DIFFERENT ATTACKS
1. Scanning IP Blocks :
Mitigation :
 Focus on reducing the amount of sensitive data exposed to the external.
 Disable old protocols that can be exploited to fingerprint hosts on the network such as
SMBv1.
Detection :
 Implement and harden the configuration of network intrusion detection/prevention systems
to detect and prevent remote service scans.
 Monitor for suspicious network traffic that could be indicative of scanning, such as large
quantities originating from a single source.
2. Vulnerability scanning :
Mitigation :
 Regularly scan systems especially externally faced systems and rapidly patch any
discovered vulnerabilities.
 Prioritizing vulnerability and configuration management, and continuously patch all the
systems.
Detection :
 Monitor for suspicious network traffic that could be indicative of scanning, such as large
quantities originating from a single source.
 Implement and harden the configuration of network intrusion detection/prevention systems
to detect and prevent remote service scans.
3. Account Discovery
Mitigation :
 Disable Domain Users from Enumerating other Domain Users, Domain Admins, and other
objects in Active Directory by denying read permissions to certain objects in the domain
through the use of the access control lists (ACL). A steady solution is to create a new
security group and add users that you want to deny ready permissions for them, when a
user from this group tries to read the domain they will get an ‘access denied’ message.
Detection :
 Monitor processes and command-line arguments for actions that could be taken to gather
system and network information.
 Monitor for processes that can be used to enumerate user accounts, such as "net user"40
especially when executed in quick succession.
 System and network discovery techniques normally occur throughout an operation as an
adversary learns the environment. Data and events should not be viewed in isolation but as
part of a chain of behavior that could lead to other activities, such as Lateral Movement,
based on the information obtained.
40
net user is a command-line tool built into Windows used to display user account information.
4. LLMNR/NBT-NS Poisoning
Mitigation :
 Disable LLMNR and NBT-NS in local computer security settings or by a group policy if
they are not needed within an environment, or block traffic of these protocols with network
traffic filtering solutions.
 If LLMNR/NetBIOS are needed within the environment, implement a strong password
policy to mitigate against password cracking (which may only harden the cracking phase,
but it’s obsolete if the hash is relayed).
 Use solutions like Microsoft LAPS41 to create strong, random, and unique passwords for
local administrator accounts, and automatically rotate them periodically.
Detection :
 Monitor the registry entry HKLM\Software\Policies\Microsoft\Windows
NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "1"
indicates that LLMNR is enabled.
 Implement network detection and prevention intrusion systems that can identify patterns of
Man in the middle activity.
5. SMB Relaying
Mitigation :
 Enable SMB message signing. Unfortunately, this solution has some downsides, like the
decrease in performance (especially when there is a high demand for the service), also,
some devices may not support SMB signing, which makes them a reachable target.
 Enforce the principle of least privilege for user accounts by limiting users with local
administrative privileges on endpoints in the network. This will greatly reduce the risk that
an adversary can gain access to a large surface by relaying the NTLMv2 of a domain user.
 Enabling Kerberos for authentication instead of NTLM.
Detection :
 Implement network detection and prevention intrusion systems that can identify patterns of
Man in the middle activity.
6. Security Account Manager, LSA secrets, Cached domain credentials

Mitigation :
 Add users with elevated privileges to the Protected users groups42.
an adversary can gain access to a host with elevated privileges and execute credential
dumping techniques.
 Use solutions like Microsoft LAPS to create strong, random, and unique passwords for
 Consider limiting the number of cached credentials by changing the value is the registry
keyHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\cachedlogon
scountvalue.
Detection :
 Monitor for the creation of dumps of the registry.
41
Microsoft LAPS (Local Administrator Password Solution) provides management of local account passwords of
domain joined computers.
42
A security group that provides protection for highly-privileges users from credential theft attacks, it ensures that:
Members can't use NTLM or DIGEST (plain text passwords can't be extracted from LSASS), Kerberos keys aren't
reissued automatically (TGT is required at each logon), Credentials are never cached, No RC4 encryption in Kerberos.
 Monitor processes and command-line arguments for program execution that may be
indicative of credential dumping
 Deploy Endpoint protection solutions and ensure they are maintained up to date.
7. LSASS Memory dumping

Mitigation :
 Set the value of “UseLogonCredential”(DWORD) to 0 in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\W
Digest, this disabled Digest password support to prevent clear text passwords from being
extracted from memory.
 In Windows version starting from Windows 10, enable Credential Guard43.
an adversary can gain access to a host with elevated privileges and execute credential
dumping techniques.
 Enable LSA protection44 for LSASS by editing the key
HKLM\SYSTEM\CurrentControlSet\Control\Lsa by adding the
DWORD value RunAsPPL and setting it to 1.
 Add users with elevated privileges to the Protected users groups.
Detection :
 Monitor the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\W
Digest “UseLogonCredential”(DWORD), if it is set to 1 it means that Digest password
support is enabled which allows clear text passwords to be extracted from LSASS memory
for Windows version from Windows 7/2008R2 up to Windows 10/2012R2, in Windows
8.1/2012 R2 and newer The “UseLogonCredential”(DWORD) value isn't available, but it
can be created which is an indicator of compromise.
 Monitor for interaction with LSASS.exe process (such as Mimikatz that interacts with
LSASS.exe by reading it).
 Monitor command-line arguments for commands that can be an indication of credential
dumping, such as invoking the Minidump function with rundll32.exe or Procdump.exe
with the PID of the LSASS process.
 Monitor for the creation of dump files of the LSASS process.
 Monitor the network for the exfiltration45 of LSASS dump files.
43
Microsoft Windows Defender Credential Guard uses virtualization to store credentials in protected containers
separate from the OS. As a result, the information Credential Guard protects is safe even if malware or some other
malicious attack penetrates an organization's network.
44
LSA Protection is a mechanism that provides additional protection for the LSA to prevent reading memory and code
injection by non-protected processes.
45
Data exfiltration is the act of transferring data from a compromised computer to a command and control server for
offline analysis.
8. DCSync
Mitigation :
 Track in real-time memberships in privileged groups such as Domain Admins and
Enterprise Admins which have replication privileges set by default.
 Track in real-time when replication permissions are assigned to unauthorized users
Replicating Directory Changes, Replicating Directory Changes All, and Replicating
Directory Changes In Filtered Set).
Detection :
 Monitor the network for replication requests made by non-DC hosts.
 Set up a list of IP addresses that are allowed to replicate data (the legitimate domain
controllers), and configure an IDS/IPS rule when a GetNCChange request is made from
an IP address that isn't in the white list.
9. NTDS
Mitigation :
 Limit domain administrators from logging to network endpoints other than the domain
controller and administrator servers, delegate remaining tasks to users in a custom
administrative group with the least privileges. This will reduce the probability that an
adversary can compromise an administrative account and gain access to the domain
controller.
Detection :
 Monitor the command line and process for commands that can be an indication of NTDS
dumping (such as Vssdmin and ntdsutil).
10. Pass the hash

Mitigation :
an adversary can gain access to a large surface by obtaining the hash of a domain user.
 Do not allow local accounts to authenticate in the network, this will prevent adversaries to
move laterally through the network when they have compromised a local account.
 Configure a host-based firewall that controls and limits which endpoints can communicate
with other endpoints through the network. Blocking this traffic will limit lateral movement
from a compromised endpoint to other endpoints, especially that most hosts don't usually
need to communicate with other hosts.
 Prevent credential overlapping to reduce the attack surface when credentials of a certain
user are compromised.
 Enforce the usage of multi-factor authentication.
Detection :
 Audit windows event logs for unusual behavior, if PSexec was used a binary file is
uploaded to the target’s network share (ADMIN$) and a windows event log
id 5145 (network share was checked for access) will be logged. Also, the existence of the
binary file itself is an indication that should be monitored.
 Detect for processes that redirect output to temporary files in SMB shares such as the
ADMIN$ share (by analyzing file write events).
 Monitor for Event id 7045 for initial service installation when a service is installed and
started by tools such as PSexec and SMBexec.
 Monitor for multiple accounts authenticating from the same host in the same session.
11. Pass the ticket

Mitigation :
 Reduce the attack surface on the network and focus on mitigating against ticket theft and
forging.
Detection :
 Monitor for Kerberos tickets that do not match the user currently logged in the session (it
means that the ticket was injected into memory).
 Monitor for TGS requests from a client that has no associated TGT request from that
client.
 Monitor and audit Kerberos traffic for tickets that appear on multiple hosts.
12. Kerberoasting
Mitigation :
 Ensure all service accounts (user accounts with Service Principal Names) have long,
complex passwords greater than 25 characters, preferably 30 or more, especially accounts
with elevated privileges.
 Ensure that service accounts passwords are changed regularly (by setting a password
policy with maximum password age attribute).
 Use group managed service accounts that have random complex passwords (>100
characters) and are managed automatically by Active Directory.
 Disable RC4 support for Kerberos (this requires a minimum of Windows server 2008
domain functional level and an environment where all Kerberos clients, application
servers, and trust relationships to and from the domain support AES).
 Ensure to implement the principle of least privilege on service accounts.
 Add servers accounts to the Protected users groups.
Detection :
 Monitor the network for TGS-REQ packets with RC4 encryption
(Ticket_Encryption_Type=0x17) (which may generate a lot of false positives).
 Monitor the network for multiple TGS-REQ requests in a short period of time by a single
user. To do so you can enable Kerberos service ticket request monitoring to log successful
Kerberos TGS ticket requests and then search for users with multiple 4769 events
(Eventid 4769 “A Kerberos service ticket was requested”).
 Create a Kerberos service account honeypot: create a user service account and give it a
fake unique SPN, this service account isn't linked to any legitimate service, thus, access to
it isn't normally requested. If an attacker gains access to the network and scans for SPNs,
the honeypot SPN will also be available, and the attacker will make a TGS request for the
fake server. An IDS/IPS rule can be configured to alert for TGS-REQ packets with the
fake SPN.
13. AS-REP Roasting
Mitigation :
 Make sure that all accounts have Kerberos pre-authentication enabled, and audit changes to
this setting.
 Carefully consider if accounts with Kerberos pre-authentication disabled really need it.
 Ensure that all accounts have long, complex passwords greater than 25 characters,
preferably 30 or more, especially accounts with elevated privileges.
 Disable RC4 support for Kerberos (this requires a minimum of Windows server 2008
domain functional level and an environment where all Kerberos clients, application
servers, and trust relationships to and from the domain support AES).
 Ensure to implement the principle of least privilege on user accounts.
 Add users with elevated privileges to the Protected users groups.
Detection :
 Monitor the network for AS-REQ packets with RC4 encryption
(Ticket_Encryption_Type=0x17) (which may generate a lot of false positives).
 Monitor the network for multiple AS-REQ packets without an authenticator (or pre-
authentication data: timestamp encrypted with the user's secret) and with a failed login
attempt as a reply. This may detect when an adversary is attempting to enumerate accounts
with Kerberos pre-authentication disabled by sending crafted AS-REQ packets for each
user.
 Monitor user accounts for changes in the Do not require pre-authentication attribute (check
out event 4738 looking for changes to the User Account Control ‘Don’t Require Preauth’
value).
 Create a honeypot account: Create a unique account with Kerberos pre-authentication
disabled and configure an IDS/IPS rule to alert for TGT requests made from that account.
14. Golden ticket :

Mitigation :
 Mitigate against compromising the password hash of the KRBTGT account via the NTDS
and DCSync sub-techniques.
 Enforce a least privilege access model and carefully manage membership to highly
privileged groups.
 Change the password of the KRBTGT account regularly, after changing it once wait for
domain replications (12 to 14 hours) then change it twice, this will update the password in
a way that doesn't invalidate the existing Kerberos tickets.
 Consider enabling PAC (Privilege Authorization Certificate) validation through a group
policy. Setting it to 'Enforced' will allow verifying that the user's PAC information is from
a trusted domain controller. If PAC Validation fails, the PAC information is discarded and
the user login is denied.
Detection :
 Monitor of signs of a golden ticket in tickets with usernames that don’t exist, modified
group memberships, username and RID mismatches, weak encryption types (e.g. RC4
used instead of AES-256), and ticket lifetimes exceeding the domain maximum (domain
default lifetime is 10 hours while forged ticket are usually set for 10 years).
 If a golden ticket has been used after the KRBTGT password has been reset twice, an event
ID 4769 is generated on the domain controller with the status code 0x1F "Integrity check
on decrypted field failed" which indicates an authentication attempt by a previously
invalidated golden ticket
15. Silver Tickets :

Mitigation :
 Mitigate against the different credential dumping sub-technique that can be used to obtain
password hashes of domain accounts.
 Enforce a least privilege access model and carefully manage membership to highly
privileged groups.
 Ensure that no computer accounts are a member of the Administrators group.
 Consider enabling PAC (Privilege Authorization Certificate) validation through a group
policy. Setting it to 'Enforced' will allow to verify that the user's PAC information is from a
trusted domain controller. If PAC Validation fails, the PAC information is discarded and
the user login is denied.
Detection :
 Since silver tickets are forged without communicating with the domain controller detecting
them is only possible on the endpoint. Monitor for TGS tickets with signs such as:
usernames that don’t exist, modified group memberships, username and id mismatches,
weak encryption types, or ticket lifetimes exceeding the domain maximum.
16. Password cracking

Mitigation :
 Enable multi-factor authentication where possible, especially on externally facing services.
 Ensure a strong robust password policy that applies to all domain accounts (refer to NIST
cyber security framework46 guidelines).
 Limit credential overlap across accounts and systems by training users and administrators
not to use the same password for multiple accounts.
Detection :
 Password cracking is usually done offline, which makes it very difficult to detect. Focus on
mitigating and detecting adversarial behavior related to credential dumping.
46
It is a set of guidelines and best practices to help organizations build and improve their cyber security posture.
MITRE ATT&CK FRAMEWORK COVERAGE
Throughout our project, we have implemented the MITRE ATT&CK framework as the
knowledge framework used to map the different techniques. To keep track of the covered and
implemented tactics, techniques, and sub-techniques on the different simulations we have been
using the MITRE ATT&CK navigator.
The ATT&CK Navigator is an open-source web application that provides basic navigation and
annotation of the ATT&CK matrices, it is used to visualize the ATT&CK matrices coverage, it
allows to manipulate the cells in the matrix (by color coding, adding a comment, assigning a
numerical value, etc.). The techniques that have been implemented and covered in our solution are
highlighted in orange, while the implemented sub-techniques are highlighted in red.
The following figures represent a screenshot of our ATT&CK Navigator instance.
Figure A.1 MITRE ATT&CK Framework coverage 1

ABSTRACT
Adversary simulation is a solution that allows its users to test their security operations and
detection capabilities against the tactics, techniques, and procedures used by threat actors. It's an
approach that puts security to the test under real-life conditions without taking the slightest risks to
detect weaknesses and gaps in the infrastructure before an adversary exploits them. Our solution
provides companies that run on Windows infrastructures with different functionalities to test and
assess their security mechanisms. It allows system administrators to discover the weaknesses and gaps
in their architectures regardless of the level of their security knowledge, and without having to
constantly rely on professional security team interventions. On the other hand, it provides security
professionals with the possibility to test their implemented defense and incident response capabilities
in an automated quick way and view the network from the point of an adversary to improve the
security posture
keywords: Adversary simulation, Windows, red team, blue team, cyber security, Active
Directory, cyber attacks, cyber defense.
RÉSUMÉ
La simulation des attaques adversaires est une solution qui permet à ses utilisateurs de tester
leurs capacités de détection contre les cyber attaques par rapport aux tactiques, techniques et
procédures utilisées par les acteurs malveillants. Il s'agit d'une approche qui met la sécurité à l'épreuve
dans des conditions réelles sans prendre le moindre risque afin de détecter les faiblesses dans les
configurations de l'infrastructure avant qu'un adversaire ne les exploite. Notre solution offre aux
entreprises ayants des infrastructures à base Windows différentes fonctionnalités permettant de tester
et évaluer leurs mécanismes de sécurité. Cette solution permet aux administrateurs système de
découvrir les faiblesses et les lacunes de leurs architectures et ce, quel que soit le niveau de leurs
connaissances en sécurité mais aussi sans la nécessité d'une intervention quotidienne d'une équipe de
sécurité professionnelle. D'autre part, elle offre aux professionnels de la sécurité la possibilité de tester
de manière automatisée et rapide les capacités de défense et de réponse aux incidents qu'ils ont mis en
place et de voir le réseau du point de vue adverse afin d'améliorer la posture de sécurité.
Mots clé : Simulation des attaques adversaires, bleu team, red team, Windows, cyber sécurité,
cyber attaque, cyber défense, Active directory.
‫ملخص‬
‫محاكاة الخصوم هو حل يسمح لمستخدميه باختبار قدرات الكشف ضد التكتيكات و التقنيات واإلجراءات المستخدمة من قبل‬
‫ إنه نهج يضع األمن السيبراني تحت االختبار في ظل ظروف الحياة الواقعية دون التعريض الى أدنى‬.‫القراصنة االلكترونيين‬
‫ يوفر حلنا للشركات التي تعمل‬.‫المخاطر للكشف عن نقاط الضعف والثغرات في البنية التحتية قبل أن يستغلها الخصوم االلكترونيون‬
‫على نظام التشغيل ويندوز امكانية تقييم آلياتها األمنية حيث يسمح لمسئولي النظام باكتشاف نقاط الضعف والثغرات في أبنيتهم بغض‬
‫ من ناحية أخرى فإنه يوفر‬.‫النظر عن مستوى معرفتهم األمنية دون الحاجة إلى االعتماد باستمرار على تدخل فريق األمن المحترف‬
‫لمحترفي األمن السيبراني إمكانية اختبار قدرات الدفاع واالستجابة للحوادث بطريقة سريعة و آلية ورؤية الشبكة من وجهة نظر‬
.‫الخصم لتحسين الموقف األمني‬
‫ الدفاع‬، ‫ الهجمات السيبرانية‬، ‫ األمن السيبراني‬، ‫ الفريق األزرق‬، ‫ الفريق األحمر‬، ‫ ويندوز‬، ‫ محاكاة الخصم‬:‫كلمات البحث‬
.‫السيبراني‬

Pfe Meriem

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Pfe Meriem

Uploaded by

Copyright:

Available Formats

République Algérienne Démocratique et Populaire

Ministère de l’Enseignement Supérieur et de la Recherche Scientifique

Université des Sciences et de la Technologie Houari Boumediene

Faculté d’Electronique et d’Informatique

Development of an adversary simulation tool for

Sujet Proposé par :

Devant le jury composé de:

Binôme N° : SSI011/ 2021

Our deepest gratitude go to the engineers at ELIT for having

We would like to thank the members of the jury, Mr BELKHIR and

Finally, We would like to show our deepest gratitude to all the

Chapter I : State of the art ................................................................................................ 2

Chapter II : Cyber Attacks on Windows Infrastructures ............................................. 17

Chapter III : Analysis and Conception ............................................................................ 34

Chapter IV : Implementation and Tests........................................................................... 71

Figure 1.1 Timeline of releases of Windows versions ........................................................................... 3

Table 3.1 Information provided by users before a static simulation .......................................... 40

2. The Windows operating system

Figure 1.1 Timeline of releases of Windows versions

2.4 Active directory

2.4.2 Active Directory Services

Figure 1.2 Logical components of Active Directory

2.4.4 Physical Components

2.5 Functionalities of Domain Controllers

3.2 The Cyber kill chain

Figure 1.3 Phases of the Cyber kill chain

3.3 Cyber attacks on Windows operating system

Figure 1.4 Blue Team Perspectives and tasks

4.2.3 Purple teaming

5.2 Threat intelligence in adversary simulation

6. The MITRE ATT&CK™ framework

6.3 MITRE ATT&CK Matrices

6.4 MITRE ATT&CK tactics

 Discovery: The adversary is trying to figure out the environment.

6.5 MITRE ATT&CK techniques

6.6 Cyber kill chain comparison

Figure 1.10 The unified kill chain

6.7 Use cases and benefits

7.2 Adversary simulation versus adversary emulation

7.3 Study Case of existent Adversary simulation tools

Figure 1.6 Graphical user interface of the CALDERA web interface

Figure 1.7 Graphical user interface of the ATTPwn platform

7.3.3 Comparison and analysis of the presented tools

7.4 Benefits of Adversary Simulation

2. Authentication protocols in Windows

Figure 2.1 The NTLM Authentication process

Figure 2.2 The Kerberos Authentication process

3. Cyber Attacks on Windows systems

3.1 Active scanning

3.1.1 Scanning IP Blocks

3.1.2 Vulnerability Scanning

3.2 Account discovery

3.3 Man in the Middle

3.3.1 LLMNR/NBT-NS Poisoning

The following figure demonstrates the LLMNR/NBT-NS poisoning attack process.

Figure 2.3 The LLMNR/NBT-NS Poisoning attack process

3.3.2 SMB Relaying

Figure 2.4 The SMB Relaying attack

3.4 Dumping credentials

3.4.1 Lsass memory

3.4.2 Security account manager (SAM)

3.4.4 LSA Secrets

3.4.5 Cached domain credentials