Commit dca2edc

Adding pentest templates for internal infrastructure and AD
1 parent 15bb7f8 commit dca2edc

75 files changed, +726 -0 lines changed

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
# Guidance
2+
3+
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
4+
5+
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
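Review bot: "faster rewards" in line 3 is bug-bounty wording and does not fit a template for internal infrastructure and AD assessments, which is what the commit message says these are; consider "faster triage and remediation" or dropping the clause. This Guidance file is also added verbatim for the other three findings in this commit, so a single shared guidance file (or one generic finding template) would avoid maintaining four identical copies.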
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
# recommendation(s)
2+
3+
Disable Unconstrained Delegation on the affected system/account. Where delegation is strictly necessary, consider migrating more restrictive delegation types (such as Resource-Based Constrained Delegation (RBCD)).
4+
5+
Ensure that highly privileged accounts are protected from delegation by enabling the "Account is sensitive and cannot be delegated" option in Active Directory.
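Review bot: line 3 is missing a word: "consider migrating more restrictive delegation types" should read "consider migrating to more restrictive delegation types". The recommendation should also state that it applies to hosts other than domain controllers: domain controllers are trusted for unconstrained delegation by default, and telling a client to clear that flag on a DC is not actionable. Alongside the "Account is sensitive and cannot be delegated" flag in line 5, adding privileged accounts to the Protected Users group gives the same delegation protection and additionally blocks NTLM and RC4 for those accounts, which is worth a mention.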
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
A system configured with unconstrained delegation was compromised during the assessment, leading to domain privilege escalation.
2+
3+
Unconstrained delegation is a Kerberos feature introduced with Server 2000 which allows a service to impersonate any user who authenticates to it and subsequently access any other service in the domain on behalf of that user. This is a highly permissive configuration and the least restrictive form of delegation available in an active directory environment.
4+
5+
When a user authenticates to a service configured with unconstrained delegation, the Key Distribution Center (KDC) issues a Ticket-Granting Ticket (TGT) for the user, and a copy of this TGT is forwarded to and stored in the memory of the delegating service. If this delegating service account is compromised, an attacker can extract these cached TGTs. With a user's TGT, the attacker can then request service tickets for any service within the domain, effectively impersonating that user to any resource.
6+
7+
Rather than waiting for a highly privileged user to authenticate to the service, unconstrained delegation is usually combined with authentication coercion techniques where the target account is forcibly triggered to authenticate to the controlled service. A typical abuse pathway is to coerce authentication from a Domain Controller (DC) machine account, which is then leveraged to perform a DCSync attack. The DCSync simulates the replication process of one DC to another in order to retrieve the stored credentials/hashes of domain-wide user accounts. With access to these hashes, the attacker can then forge additional TGT’s on behalf of any arbitrary user in the domain (including privileged domain administrator accounts), resulting in full domain compromise.
8+
9+
**Business Risk**
10+
11+
This vulnerability could be abused by an attacker to gain unauthorised access to any user account, effectively leading to full domain compromise. This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
12+
13+
**Steps to Reproduce**
14+
15+
<Provide numbered steps to reproduce this issue in the context of the in-scope domain>
16+
17+
**Proof of Concept (PoC)**
18+
19+
The screenshot(s) below demonstrate(s) the vulnerability:
20+
>
21+
> {{screenshot}}
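Review bot: the ticket flow in line 5 is not right: the KDC does not forward a TGT to the delegating service. The KDC sets the ok-as-delegate flag on the service ticket, the client then obtains a forwardable TGT and sends it inside the AP-REQ to the service, and the service (LSASS on that host) caches it; an attacker with local administrator rights on that host can then extract the cached TGTs. Suggest rewording along those lines, since the current text implies the KDC pushes tickets to the service. Smaller points: "Server 2000" in line 3 should be "Windows 2000 Server", "active directory" should be capitalised, "TGT's" in line 7 should be "TGTs", and forging TGTs after DCSync specifically requires the krbtgt account hash, which is worth stating since that is what makes a Golden Ticket possible; the other hashes enable pass-the-hash rather than ticket forgery.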
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
# Guidance
2+
3+
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
4+
5+
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
# recommendation(s)
2+
3+
The Domain Administrators group should contain only accounts that strictly require such authority to complete their roles. The accounts themselves should be used infrequently, so as to further reduce the chance of compromise.
4+
5+
Ensure that regular auditing of security group membership and user access rights is undertaken to prevent unnecessary permissions from being granted to user accounts.
6+
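Review bot: "used infrequently" in line 3 is not a control a client can implement or audit. Suggest replacing it with concrete measures: each administrator gets a dedicated DA account separate from their day-to-day account, DA accounts are only permitted to log on to domain controllers and other Tier 0 systems, and membership is granted when needed and removed afterwards rather than held permanently. Line 5 should name a cadence (for example quarterly) and an owner for the membership review, otherwise "regular auditing" will be read as optional. Nit: the file ends with an extra blank line (line 6).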
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
The Active Directory (AD) domain had a large number of user accounts belonging to the highly privileged “Domain Admins” security group.
2+
3+
The "Domain Admins" group possesses the highest level of administrative authority within an Active Directory domain, granting full control over all domain controllers, workstations, servers, and every object in the domain.
4+
5+
Having an excessive number of Domain Admins (DA) enlarges the attack surface by presenting a broad range of high-value targets, in turn increasing the likelihood of domain compromise.
6+
7+
**Business Risk**
8+
9+
Having an excessive number of highly privileged accounts in the domain expands the attack surface and increases the risk of an attacker compromising the domain. In turn, this could allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
10+
11+
**Steps to Reproduce**
12+
13+
<Provide numbered steps to reproduce this issue in the context of the in-scope domain>
14+
15+
**Proof of Concept (PoC)**
16+
17+
The screenshot(s) below demonstrate(s) the vulnerability:
18+
>
19+
> {{screenshot}}
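Review bot: "a large number" in line 1 leaves the key figure out of the template. The severity of this finding depends on the count, so add placeholders for the number of members and the membership list (resolved recursively, since nested groups hide members), and put the enumeration used in Steps to Reproduce, for example `Get-ADGroupMember -Identity "Domain Admins" -Recursive`. Line 3 also overstates slightly: Domain Admins is the highest domain-level group, but Enterprise Admins hold broader authority at forest level, and a reader may otherwise conclude that group needs no review.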
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
# Guidance
2+
3+
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
4+
5+
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
# recommendation(s)
2+
3+
Install the KB2962486 patch on all affected systems to prevent new credentials from being placed in Group Policy Preferences. As this patch will not fix existing Group Policy Preference files, refer to the vendor security bulletin MS14-025, where Microsoft has provided a PowerShell script to detect existing stored passwords for removal.
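Review bot: the recommendation stops at detection and misses the two remediation steps that matter most: delete the existing preference items holding a cpassword from SYSVOL (or recreate them without credentials), and change the password of every account whose credential was stored there, since those credentials have to be treated as compromised. Also, KB2962486 updates the Group Policy editor so that passwords can no longer be set in these preferences, so "all affected systems" should read as the machines where Group Policy is authored (those with GPMC/RSAT installed) rather than the domain members that received the policy.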
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
The Group Policy implementation was vulnerable to Microsoft Security Bulletin MS14-025, which allows an attacker to retrieve and decrypt passwords stored within Group Policy Preferences (GPP).
2+
3+
In Older Windows servers, when GPP are used to deploy local user accounts, the passwords for these accounts are stored as encrypted strings within XML files (e.g., Groups.xml, Services.xml, ScheduledTasks.xml) hosted on the SYSVOL share. The private key used to encrypt the stored passwords has been publicly shared by Microsoft.
4+
5+
As SYSVOL is accessible to all authenticated users, an attacker in possession of a domain account can search the SYSVOL share for XML files containing stored passwords. With access to the XML file(s), the attacker could then use the publicly available encryption key to decrypt the GPP password and retrieve the plaintext credential(s). This presents a trivial attack vector for a malicious user to escalate privileges or gain lateral movement within the domain.
6+
7+
**Business Risk**
8+
9+
An attacker could leverage the credentials obtained through this vulnerability to escalate privileges or exploit lateral movement vectors. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
10+
11+
**Steps to Reproduce**
12+
13+
<Provide numbered steps to reproduce this issue in the context of the in-scope domain>
14+
15+
**Proof of Concept (PoC)**
16+
17+
The screenshot(s) below demonstrate(s) the vulnerability:
18+
>
19+
> {{screenshot}}
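Review bot: "private key" in line 3 is the wrong term: GPP passwords are encrypted with a fixed 32-byte AES-256 key that Microsoft published in the MS-GPPREF specification, so this is a shared symmetric key, not half of a key pair; line 5 already calls it an encryption key, so make line 3 match. Line 1 describes the domain as "vulnerable to Microsoft Security Bulletin MS14-025"; a bulletin is the fix, not the flaw, so "the Group Policy Preferences password exposure addressed by MS14-025 (CVE-2014-1812)" is more accurate. Line 5 should also name what to search for: the `cpassword` attribute in the XML files, which is what tooling greps for. Minor: "In Older Windows servers" needs lowercase "older", and "gain lateral movement" should be "move laterally".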
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
# Guidance
2+
3+
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
4+
5+
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
