
Manish Kishan Tanwar
Security Consultant at MDSec, @IndiShell1046
Manish is interested in web application security and network pentesting, and enjoys building vulnerable labs and web shells in his spare time.
Manish has published exploits and papers related to his SQL injection research on the Exploit-DB platform.
He has spoken at several respected security conferences, including SANS HackFest 2022, Black Hat MEA 2023 (Briefing), SteelCon 2022 (UK) and VulnCon 2024.
Talks & Q&A
Conference | Sep 19

Alt+CTRL+Del Your Expectations: Fun-Filled Adventures in Windows Active Directory Network Pwnage
“Living Off the Land” techniques inspired by Lapsus$ and ransomware groups.
Description
Have you ever wondered about "some esoteric techniques through which we compromised your networks"?
In this session we will demonstrate "Living Off the Land" techniques that not only helped us evade the defenses of many Fortune 500 organizations, armed with the latest security technology and robust defenses, but also helped us achieve our objectives by exploiting those enterprise environments. Our attack-path techniques were inspired by the Lapsus$ group and by ransomware operators who used unusual TTPs to breach several organizations. We compiled a playbook of the living-off-the-land techniques used by ransomware groups, added some of our own tricks, and used that playbook to gain control of an entire organizational network. Some of the techniques used are listed below:
- Exploitation of AD CS misconfigurations using either built-in Windows tools or custom PowerShell-based scripts.
- Escalation of privileges from an IIS AppPool virtual account to NT AUTHORITY\SYSTEM without using any Potato exploit or the CertPotato technique.
- Luring an admin onto a compromised machine to obtain Domain Admin access.
- Learning about misconfigurations introduced into the Active Directory environment by a security product, using the vendor's own official product configuration tutorials.
- Use of HTTP tunnelling during the post-exploitation phase to reach hosts in internal/segregated network segments without using a C2.
- Staying quiet in heavily monitored environments by using "creative" techniques when a web application is vulnerable to RCE (for example, avoiding the use of web shells).
- Tampering with AV/EDR processes.
- Altering host firewalls (including enabling RDP).
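As an added illustration of the last bullet (this is not the speakers' code and is not taken from the talk), the following PowerShell shows what "altering the host firewall to enable RDP" looks like when done purely with built-in Windows tooling, next to a defender-side check that reads the same state back from the registry, the firewall rule set, the listening sockets and the firewall operational log. The event IDs 2004 (rule added) and 2005 (rule modified) are assumed here from the Windows Firewall operational log; confirm them on your own build before relying on them in a detection.

```powershell
# Added example, not from the talk. Run in an elevated session on a test VM only:
# Enable-RdpLotl changes real host settings.

# --- Attacker side: enable RDP and open the firewall with built-in tooling only ---
function Enable-RdpLotl {
    # 1. Clear the Terminal Services "deny connections" flag (0 = RDP connections allowed).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections' -Value 0 -Type DWord

    # 2. Enable the built-in "Remote Desktop" firewall rule group.
    #    Legacy equivalent: netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# --- Defender side: detect the same change from the host's own state and logs ---
function Get-RdpExposure {
    $deny = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections

    # Inbound rules in the Remote Desktop group that are currently enabled.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    # Is anything actually listening on the default RDP port?
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    # Recent rule add/modify events mentioning Remote Desktop.
    # Event IDs 2004 (rule added) and 2005 (rule modified) are assumed; verify on your build.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004, 2005
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Remote Desktop' }

    [pscustomobject]@{
        RdpAllowedInRegistry = ($deny -eq 0)
        InboundRdpRulesOn    = @($rules).Count
        Port3389Listening    = [bool]$listening
        RecentRdpRuleChanges = @($events).Count
    }
}

# Usage: baseline a host, then compare after a suspected change.
Get-RdpExposure
```

The point of the defender function is that none of these signals is individually conclusive (an admin may legitimately enable RDP), but a registry flip, a newly enabled rule group and a fresh listener appearing together on a server that previously exposed none of them is exactly the low-noise, built-in-tooling change the bullet describes, and it is visible without any EDR telemetry.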
Why the committee chose this talk
It's often the easiest things we miss. And there is always a cybercrime actor out there to find out.