- The document discusses remote operations and credential exposure during remote management. It highlights the use of various living off the land techniques like RPC, WMI, PSRemoting and RDP. - It provides tips for preventing lateral movement without dedicated security products by leveraging configurations like LogonWorkstations to restrict where accounts can logon. - The key takeaways are to embrace a living off the land mindset, be aware of credential exposure risks during remote operations, and that single configurations can be effective for preventing issues like lateral movement when properly configured and monitored.

1. InSecure Remote Operations
What Sucks, Rocks & a Super-CLI
Yossi Sassi

2. WhoAmI
• InfoSec Researcher; H@‫כ‬k3r (1nTh35h311)
• Red mind, Blue heart
• Co-Founder @
• Consulting in 4 continents (Banks/gov/F100)
• 30+ years of keyboard access – Code, IT Sec, Net Comms.
• The HAcktive Directory guy; Ex-Javelin Networks (Acquired by Symantec)
• Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
• Volunteer (Youth at risk); Oriental Rock Bouzoukitarist; Aviator

3. ChatGPT was Not used in the making of this
presentation, code & content

4. • Remoting ‘Mindset’ – LoTL examples
• PSRemoting / WinRM
• Credentials exposure during Remote Operations
• Preventing Lateral movement without products
• Tips & open-source toolZ
What we’ll talk about

5. Living off the land…
Remote Management or Lateral Movement?
• Multiple LoLBins…
• RPC: WMI, DCOM
• ‘API heaven’ – e.g. IPC (MailSlots, NamedPipes..)
• RDP
• WinRM / PSRemoting
etc.

6. Remote Procedure Call (RPC)
•System service that is an inter-process communication (IPC)
mechanism, enabling data exchange and invocation of
functionality that is located in a different process.
•The different process can be on the same computer, on the
LAN, or in a remote location
•The RPC service serves as the RPC Endpoint Mapper and
Component Object Model (COM) Service Control Manager
(Remotely – DCOM)
•Many services depend on the RPC service to start
successfully
https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

7. The RpcSs System service
https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
Application Protocol Protocol Ports
RPC TCP 135
RPC over HTTPS TCP 593
NetBIOS datagram service UDP 138
NetBIOS Name Resolution UDP 137
NetBIOS Session Service TCP 139
SMB TCP 445
Dynamic port range TCP & UDP 1025 - 5000*,
49152 – 65535

8. Protocol / Port AD DS Usage Type of traffic
TCP 25 Replication SMTP
TCP 42 If using WINS in a domain trust scenario offering NetBIOS resolution WINS
TCP 135 Replication RPC, EPM
TCP 137 NetBIOS Name resolution NetBIOS Name resolution
TCP 139 User and Computer Authentication, Replication
DFSN, NetBIOS Session Service,
NetLogon
TCP and UDP 389 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP
TCP 636 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP SSL
TCP 3268 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC
TCP 3269 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC SSL
TCP and UDP 88 User and Computer Authentication, Forest Level Trusts Kerberos
TCP and UDP 53 User and Computer Authentication, Name Resolution, Trusts DNS
TCP and UDP 445 Replication, User and Computer Authentication, Group Policy, Trusts
SMBv1/2/3, CIFS, DFSN, LSARPC,
NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389 AD DS Web Services SOAP
TCP 5722 File Replication RPC, DFSR (SYSVOL)
TCP and UDP 464 Replication, User and Computer Authentication, Trusts Kerberos change/set password
UDP 123 Windows Time, Trusts Windows Time
UDP 137 User and Computer Authentication
NetLogon, NetBIOS Name
Resolution
UDP 138 DFS, Group Policy, NetBIOS Netlogon, Browsing
DFSN, NetLogon, NetBIOS
Datagram Service
UDP 67 and UDP 2535
DHCP (Note: DHCP is not a core AD DS service, but these ports may be
necessary for other functions besides DHCP, such as WDS)
DHCP, MADCAP, PXE
TCP & UDP 1024-5000;
49152-65535
Ongoing (RPC etc’) RPC / DCOM / WMI...
TCP 593 DCOM/Messaging/Exchange RPC over HTTP

9. What ports/protocols does tool XX use?
(AND – why understanding pre-AuthN matters)

10. ‘Netstat loop’ – Ports Monitor

11. • Pass strings/objects/execute code between
processes, local or remote – using Named Pipes
• Communicate between local or remote powershell
runspaces over one/two-way, encrypted pipe
• Pass info between processes on same machine
easily through IPC$
Inter-Process Communications (IPC)

12. • Can also use it for C2, without opening FW port,
without local admin privileges
– No need to Bind() server local port, just “rides” 445 ☺

13. Named-Pipe/SMB One-liner
(Exfil data/C2 with No socket bind)

14. IPC C’n’C

15. RPC Not Available / Kerberos Clock Skew

16. •e.g. ‘RPC not available’ errors (host is online, yet no Kerberos)
•Determine if clock skew exists
• Net time computer (does Not require special permissions)
• $varDate = Get-Date; Invoke-Command -ComputerName <IP>
-ScriptBlock {set-date $using:varDate} -Authentication Negotiate
• Cannot run winrm, or even ping(!) the host, because clock Diff,
and no KRB? try WMI process create w/IP (NTLM)
Invoke-WmiMethod -ComputerName <IP> -Class win32_process
-Name Create -ArgumentList "w32tm /resync"
TIP: Fixing Clock Skew issues Remotely

17. Fix Clock Skew Remotely

18. RDP – Windows admins’ favorite feature

19. RDP Attacks & adversary tools
• Brute force
• Change default user, default port…
• Seth.sh
• pyRdp
.. and more

20. RDP MiTM
•Get netNTLM, at minimum
•Can also get clear text password, if NLA is Not used
•Downgrades session, fakes certificate, attempts CredSSP
•Can also get clipboard/typed text directly to attacker
•Victim is totally unaware (RDP session functions normal,
just a bit slower initial connection time)

21. RDP MiTM

22. Getting Clear-Text password from any RDP Server
•With proper permissions – can disable NLA remotely –
either by modifying the Regkey directly, or via Powershell:
(Get-WmiObject -class Win32_TSGeneralSetting
-Namespace rootcimv2terminalservices
-ComputerName SRV1 -Filter "TerminalName='RDP-
tcp'").SetUserAuthenticationRequired(0)
• More silent, efficient & quicker than mimikatz etc. ;-)
• Can use inveigh/responder to relay the Registry
command, and/or ‘net localgroup administrators /add user’

24. • Remote Desktop Protocol (RDP)
• Remote WMI access over RPC/DCOM
• Remote event log management | service management
• SMB file share access
• PsExec
• Other…
• Yet “overlook” PSRemoting, always encrypted,
single port 5985 or 5986, does all of the above,
and much more??!?
Soooo… You perform Remote Management using:

25. PSRemoting Architecture
Remote Computer
Local Computer
PowerShell
Wsmprovhost
Endpoint
WinRM
Listener (HTTP)
WS-MAN
Traffic

26. PSRemoting w/Jobs

27. Copying to/from remote session
•Copy-item –ToSession $pssession c:myConfig.txt
c:folder-on-remote-srv
•Local Variables cast to remote session with $using
•Local functions cast to remote session with
${function:My-Function}

28. Copy files without SMB

29. For the Blue Team -
Just Enough Access –
Secure constrained remote access
• Utilizes PS Session Configurations
–WSMan config (per nic/IP, http/s, limit bandwidth and more)
–All the Logging you can ask for
–Transcriptions
–ConstrainedLanguage
–Virtual Account (virtual SID)
–Whitelist scripts, apps, commands, parameters – anything!

30. PSSession Configurations

31. Mapping / Hunting for WSMan sessions
• EDR/Sysmon etc. (wsmprovhost.exe)
• WinRM / PowerShell-operational logs
• Try Get-RemotePSSession ps1

32. Query PSRemoting Sessions

33. Remote Operations: Credentials Exposure
Action/Tool Logon Type Creds on Target Notes
Console login 2 Yes* * Except when Credential Guard is
enabled
RunAs 2 Yes* * Except when Credential Guard is
enabled
RDP 10 Yes* * Except when Remote Credential
Guard enabled
Net Use 3 No Inc. /u: parameter
PS Remoting 3 No -u <username> -p <pass>
PsExec w/Creds 3+2 Yes
PsExec no Creds 3 No
Remote SchedTask 4 Yes Password saved in LSA (on disk)
Run as a Service 5 Yes Password saved in LSA (w/account)
Remote Registry 3 No

34. Let’s get advice from Microsoft… ☺

36. Get TGT without ANY lsass secrets

37. Process token -> TGT

38. “Mitigation” – Virtual accounts

39. Using Virtual Accounts

40. But… the adversary can edit the Role Capabilities file ☺

41. But… Defenders can monitor for file/config changes, hash change etc’
(e.g. sign config file)

45. “Small step for IT, Giant step against Lateral Movement”
• No EDR
• No segmentation
• No firwewalls config
• No MFA
• All the misconfigurations you can think of …
• No proper auditing/SIEM/SOC
… and yet ☺

46. LogonWorkstations

47. Preventing DAs from logging to EndPoints
Living off the land
• Before setting LogonWorkstations, 1st reduce/”cleanup” priv users
• Ensure DA(s) not running on other targets to prevent services
& applications interruption (e.g. IIS AppPools, SchedTasks, Svc)
• Add at least one PAW/”Jump host” together with the Target(s)
– Protect/Harden PAW (.. & consider a Shielded VM)
• Monitor changes of LogonWorkstations attribute (see github)
• Other configuration options exist (e.g. Restrictive GPOs)

48. github.com/YossiSassi

49. Key Takeaways
• Embrace ‘Living off the land’ mindset (Red & Blue)
• Note Credentials exposure during Remote Operations
• A single configuration can do more than few products
(e.g. lateral movement prevention)
• PSRemoting Rocks! And JEA is effective. But ….
• Almost no security features are enabled by default. proper
configuration is needed. And can be bypassed (e.g. Invisi-Shell)
• Logging and continuous monitoring can be effective (and tools)
• Check out github.com/YossiSassi for code & scripts

50. Everything is a set of nested ‘if’ statements

51. D@nk3!
Yossi_Sassi
yossis@protonmail.com