Stealth
This chapter is about staying stealthy and opsec-safe, which means not getting caught by the blue team during engagements.
General
These are some key things we must avoid:
- Putting files on disk
- Logging in to boxes over RDP
- Triggering pop-ups on desktops
- Changing account passwords
- Locking out users
- Changing group membership of accounts
- Changing existing settings and files
- Changing GPOs permanently
- Messing up Kerberos tickets
- Triggering alerts from security products such as AV
- Killing processes you don't own
- Any sort of DoS
- Leaving files and tools behind
- Not cleaning up
Using DLLs
https://pentestlab.blog/tag/rundll32/
Obfuscating mimikatz
Any sysadmin with half a brain can now write something to stop the most common ways of executing Mimikatz. Since we don't want to get caught, we could obfuscate Mimikatz in numerous ways:
- Running it in memory, either through PowerShell or through Meterpreter (this will probably get you caught)
- Changing some basic things that signatures trigger on, see: https://gist.github.com/imaibou/92feba3455bf173f123fbe50bbe80781
Veil Pillage
Veil Pillage is a post-exploitation tool and part of the Veil framework, intended for staying undetected through obfuscation.