Scratch Notes
Basics
- List of Microsoft Windows components
- Architecture of Windows NT
- The Component Object Model
- Common Information Model
- About Windows Management Instrumentation (WMI)
- Uses CIM to represent components
- Remote connections are made via DCOM (or WinRM)
- Extra: Introduction to WMI Basics with PowerShell Part 1
- WMI Architecture
- See the diagram
- Windows Management Infrastructure (MI)
- Because that isn't confusing... (MI != WMI)
- NOTE: seems to be new/a revamp of sorts
- What are the exact roles of a Windows account's SID, and more specifically its RID, for Windows security?
- TL;DR The security ID (SID) can be created by a DC or by the local security authority (LSA), and it has many different (standardized) parts. The last one is the relative ID (RID), which is unique only relative to whoever issued the SID (the domain or the local machine).
- MS reference: link
- Service overview and network port requirements for Windows
- WMI 4 Attackers
PowerShell
Random finds
- xCyclopedia
- Reference of all executables, DLLs, etc.
- Windows X86 System Call Table
- Understanding Windows SysCalls - SysCall Dumper
- Possibly some interesting stuff in this forum
- What the hell is COM? part 1
- IPC$ share and null session behavior in Windows
- [MS-NRPC]: Netlogon Remote Protocol
- NSudo
- sysadmin tools
- WMI Providers for script kiddies
- Learn more about WMI
- WindowsDllsExport
- All DLLs exported in C:\Windows\System32\
- Windows Access Tokens and Alternate Credentials
- Cobalt Strike-specific, but useful for better understanding of how auth works
- The Defender's Guide to the Windows Registry
Useful Tools
Later
- Enumerating Registry Hives
- PDB Stream Decomposition
- Auditing the System Call Table
- Linking Processes to Users
- Memory Registry Tools!
- Also has pointers to non-memory registry resources
- For a good orientation to the registry in general, see:
- The Internal Structure of the Windows Registry
- (Sys)Call Me Maybe: Exploring Malware Syscalls with PANDA
- Demystifying the "SVCHOST.EXE" Process and Its Command Line Options
- WMI Internals Part 3
Python ideas
- Python: check out winreg module in stdlib - there's info about HKEYs here
- Script to parse SID?
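A starting point for the SID-parsing script idea above. This is an added example for these notes, not code from any of the linked pages; it assumes the standard SID layout (string form `S-<revision>-<identifier authority>-<subauthorities...>-<RID>`, binary form of a 1-byte revision, 1-byte subauthority count, 6-byte big-endian identifier authority and 4-byte little-endian subauthorities) and a small, constructed table of well-known domain RIDs. The sample domain SID is made up.

```python
"""Parse Windows security identifiers (SIDs) in string and binary form.

Added example (not from the linked pages). Layout assumed:
  string: S-<revision>-<identifier authority>-<subauthority>...-<RID>
  binary: 1 byte revision, 1 byte subauthority count, 6 bytes identifier
          authority (big-endian), then N x 4-byte subauthorities (little-endian)
The last subauthority is the relative ID (RID), unique only within the
issuing authority (a domain or the local machine's LSA).
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed lookup of RIDs that are the same in every domain.
# Only meaningful on S-1-5-21-* (domain or local-machine) SIDs.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}


@dataclass(frozen=True)
class SID:
    revision: int
    identifier_authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> Optional[int]:
        """Relative ID: the last subauthority, or None if there is none."""
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def issuer(self) -> "SID":
        """The SID with the RID stripped, i.e. the issuing domain/machine."""
        return SID(self.revision, self.identifier_authority, self.subauthorities[:-1])

    def is_domain_account(self) -> bool:
        # NT authority (5), the "21" prefix, three 32-bit domain parts, then the RID
        return (self.identifier_authority == 5
                and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)

    def __str__(self) -> str:
        ia = self.identifier_authority
        # Authorities that do not fit in 32 bits are written in hex by Windows
        ia_text = str(ia) if ia < 2 ** 32 else "0x%012X" % ia
        return "S-%d-%s" % (self.revision, ia_text) + "".join("-%d" % s for s in self.subauthorities)


def parse_sid_string(text: str) -> SID:
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    revision = int(parts[1])
    ia_part = parts[2]
    identifier_authority = int(ia_part, 16) if ia_part.lower().startswith("0x") else int(ia_part)
    subs = tuple(int(p) for p in parts[3:])
    # Range checks: 1-byte revision (only 1 is defined), 48-bit authority,
    # at most 15 subauthorities of 32 bits each.
    if (revision != 1 or identifier_authority >= 2 ** 48 or len(subs) > 15
            or any(not 0 <= s < 2 ** 32 for s in subs)):
        raise ValueError("SID fields out of range: %r" % text)
    return SID(revision, identifier_authority, subs)


def parse_sid_bytes(data: bytes) -> SID:
    """Parse one binary SID from the start of data (trailing bytes are ignored)."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) < 8 + 4 * count:
        raise ValueError("buffer of %d bytes is too short for %d subauthorities" % (len(data), count))
    identifier_authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return SID(revision, identifier_authority, tuple(subs))


def sid_to_bytes(sid: SID) -> bytes:
    header = bytes([sid.revision, len(sid.subauthorities)]) + sid.identifier_authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(sid.subauthorities), *sid.subauthorities)


def describe(sid: SID) -> str:
    """Human-readable summary: which issuer, and which well-known RID if any."""
    if sid.is_domain_account():
        name = WELL_KNOWN_DOMAIN_RIDS.get(sid.rid, "account with RID %d" % sid.rid)
        return "%s in domain %s" % (name, sid.issuer)
    return "non-domain SID %s (RID %s)" % (sid, sid.rid)


if __name__ == "__main__":
    # Constructed sample: the built-in Administrator of a made-up domain
    sample = parse_sid_string("S-1-5-21-1004336348-1177238915-682003330-500")
    print(describe(sample))
    print(sid_to_bytes(sample).hex())
```

The binary parser is what you want when pulling SIDs out of registry values or security descriptors (the `winreg` module hands those back as raw bytes); the issuer/RID split is what makes the "same RID, different domain" distinction visible when auditing accounts.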
From secretsdump.py:
- DCSync (dead link)
- SysKey and the SAM
- The NT hash (the "NTLM hash") is basically just MD4.
- SysKey, or the boot key, is a key in the system hive used to encrypt SAM hashes.
- It's composed of four other separate keys, and must be unscrambled.
- Before messing w/ SAM, need hashed boot key to derive RC4 keys used for decrypting SAM.
- Semi-complicated, but not too bad. Just need to steal system and SAM hives, or even just SAM if bootkey can be obtained in some other way.
- For a POC, see: creddump
- Decrypting LSA secrets
- LSA secrets are in security hive, aiming for NL$KM, the key that encrypts cached domain passwords
- Of course, the boot key comes into play here
- Can search memory space of lsass.exe to get this key
- Key follows a "rolling" (?) decryption scheme (not super important except for dev work)
- To make things a bit easier, we can also just rip from a separate registry key and do some magic with the boot key
- See lsadump.py in the creddump repo
- Cached domain creds
- Needed so that users aren't locked out in the event that the DC goes down
- Found in HKLM\Security\Cache - check values NL$1, NL$2, etc.
- Just builds off the previous articles, more fun with NL$KM
- See cachedump.py in the creddump repo
- https://web.archive.org/web/20130901115208/www.quarkslab.com/en-blog+read+13
- https://lab.mediaservice.net/code/cachedump.rb
- https://insecurety.net/?p=768
- https://web.archive.org/web/20190717124313/http://www.beginningtoseethelight.org/ntsecurity/index.htm
- https://www.exploit-db.com/docs/english/18244-active-domain-offline-hash-dump-&-forensic-analysis.pdf
- https://www.passcape.com/index.php?section=blog&cmd=details&id=15