Summary
- An attacker attempts several exploits against an Active Directory domain controller for the domain sendai.vl.
- The attacker first runs an smbclient command, likely to enumerate possible avenues for further exploitation.
- The attacker then uses the smbpasswd.py tool to change a user's password, likely via a command injection vulnerability.
- The attacker then uses tools, likely from the nxc toolset, to further exploit the domain controller.
- The attacker likely uses evil-winrm to spawn a privileged process.
- The attacker uses nxc smb to connect as various users, potentially to exploit further vulnerabilities.
- Finally, the attacker attempts to use certipy with LDAP bindings and other tools, without success.
By Mohamed Eletreby