In this chapter, you will need to have access to the following:

• VMware Workstation or Oracle VirtualBox with at least 16 GB of RAM, 10 CPU cores, and at least 115 GB of total space (more if you take snapshots)
• A Linux-based host OS is strongly recommended
• Vagrant installed with the plugin for the corresponding virtualization platform and Ansible

Even if creating and deploying a test lab can be daunting and time consuming, it is an important preparation step before jumping into attack emulation. MITRE ATT&CK has a dedicated tactic for this activity called Resource Development.

There are a few free but formidable projects available for automated lab deployment. You can choose any of them depending on your workstation’s resources and replicate the vulnerabilities yourself. For example, there is a very good open source project maintained by the Splunk Threat Research Team called Splunk Attack Range[1], where you can quickly deploy a small lab to perform attack simulations. However, I will use two other projects throughout the book.

The first project I will use throughout the book is the GOADv2 lab created by Orange Cyberdefense[2]. To deploy it, you will need a Linux-based host OS with VMware Workstation or Oracle VirtualBox. It is also possible to deploy the lab on Proxmox, as...

What is Active Directory? In plain words, it is a hierarchically structured storage of object information. One of the main benefits is that Active Directory allows centralized management and authentication. Now, let us briefly discuss what the Cyber Kill Chain is. This framework was developed by Lockheed Martin and has a military background. It is a concept that identifies the structure of an attack. We can adapt Cyber Kill Chain concepts for Active Directory as in the diagram from infosecn1nja on GitHub[5]. It has several steps, but it always follows the same cycle – recon, compromise, lateral movement – just with more privileged access:

Figure 1.4 – Active Directory kill chain

The focus of this book is Windows-based infrastructure and its services only, so themes such as local privilege escalation on the host, initial access, and external recon are out of the scope of this book. I will briefly explain...

Initial access is a vital, early-stage step to compromise the target environment. However, this will not be covered in this book for the following reasons. To be honest, this theme is as wide as it is deep. It requires cross-field knowledge from different areas of IT as well as psychology, so it would require a separate book itself. Also, there is a high chance that at the moment of such a book being published, half of the attack vectors will be killed by implementing security solutions, such as Endpoint Detection and Response (EDR), and/or covered by a blue team’s comprehensive detection capabilities. The reason is that it is rapidly developing, full of private research that isn’t published. In general, to obtain stable initial access to the target environment, there are three main topics to take care of – a resilient and secure attack infrastructure, covert tooling with the required capabilities, and...

Exchange Server is a collaboration server developed by Microsoft. Despite the fact that more and more companies are moving to the O365 cloud, there is still a good possibility that you will encounter on-premises deployment. Exchange has multiple useful features for end users, but it is also extremely difficult to develop all of them securely. In recent years, a lot of research has been published revealing critical vulnerabilities in its different components. Moreover, patches from Microsoft did not always completely fix these vulnerabilities, meaning that adversaries attempted to develop a one-day exploit by reverse engineering the patch and were able to find a suitable bypass. Considering that sometimes it is not possible for businesses to react in a timely manner to such rapidly changing situations, the chance of being compromised is quite high.

But what is the benefit for an adversary to compromise Exchange? First of all, a successful takeover gives...

In this chapter, we deployed our lab for future activities. We are lucky to have two outstanding free projects available for training and research purposes. After that, we discussed the Active Directory kill chain, vital steps to compromise the target environment, and what OpSec is. Then, we dived deeper into the assume breach model, showing solid hurdles that need to be overcome to achieve stable initial access. We covered three main attack vectors for Exchange Server: credential access, Zero2Hero exploits, and abuse of client-side software. In the next chapter, we will scratch the surface of the defense evasion theme. It is a broad and deep topic, which you will see eventually narrows down to the rule know your tooling.

The following resources for further study will help you dive deeper into the attacks covered in the chapter:

1. Splunk Attack Range – https://github.com/splunk/attack_range
2. Orange Cyberdefense GOADv2 – https://github.com/Orange-Cyberdefense/GOAD
3. Deploy GOADv2 on Proxmox – https://mayfly277.github.io/categories/proxmox/
4. DetectionLab project – https://www.detectionlab.network/
5. Active Directory kill chain diagram – https://github.com/infosecn1nja/AD-Attack-Defense
6. Red team infrastructure wiki – https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
7. EDR bypass team – https://dispatch.redteams.fyi/red-team-edr-bypass-team/
8. Assume breach model – https://www.redsiege.com/wp-content/uploads/2019/09/AssumedBreach-ABM.pdf
9. Mind map to assess the security of Exchange Server – https://github.com/Orange-Cyberdefense/arsenal/blob/master/mindmap/Pentesting_MS_Exchange_Server_on_the_Perimeter...