Stealth

This chapter is about staying stealthy and opsec safe. That means not getting caught by the blue team on engagements.

General

These are some key things we must avoid

Putting files on disk
RDP in to boxes
Trigger pop-ups on desktops
Changing account passwords
Locking out users
Changing group membership of accounts
Changing existing settings and files
Changing GPOs permanently
Messing up Kerberos tickets
Triggering alerts from security products like AV
Killing processes you don't own
Any sort of DOS
Leaving files and tools
Not cleaning up

Using DLLs

Obfuscating mimikatz

Any sysadmin with half a brain can now write and something to stop most common ways of executing mimikatz. Since we don't want to get caught we could obfuscate Mimikatz numerous ways.

Running to memory either through Powershell or through meterpreter (will probably get you caught)
Changing some basic things that will be triggered by signature, see: https://gist.github.com/imaibou/92feba3455bf173f123fbe50bbe80781

Veil Pillage

Veil Pillage is a post exploitation tool and a part of the Veil framework intended for staying undetected through obfuscation.

https://github.com/Veil-Framework/Veil-Pillage

PreviousFrom RDS app to Empire shell NextLink encyclopedia

Last updated 6 years ago