From flat networks to locked up domains with tiering models#2042
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://sensepost.com/blog/2026/from-flat-networks-to-locked-up-domains-with-tiering-models/
Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (Access Token impersonation / token theft) and/or Active Directory Methodology -> Lateral Movement (Pass-the-Hash with NetExec; RDP Shadowing abuse; Scheduled Tasks run-as when user is logged on; CredUI prompt phishing on-host)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
The post explains (from an internal pentest/red-team perspective) why “flat” Windows/AD networks typically collapse after a single foothold, and how applying a tiering model (privilege + network segmentation) reduces credential exposure and lateral movement. It demonstrates multiple ways to compromise or usurp privileged identities even when classic LSASS dumping is detected, emphasizing that attackers often don’t need the password itself—only the victim’s security context.
1) Wh...
🔧 Technical Details
LSASS → NT hash extraction → Pass-the-Hash at scale: When privileged users authenticate on a compromised host, LSASS may contain cleartext credentials, NT hashes (MD4-derived), and Kerberos tickets. Dump LSASS (e.g., with Mimikatz) to recover an NTLM hash, then authenticate to other hosts (including DCs) using Pass-the-Hash with frameworks like NetExec. This enables rapid lateral movement without knowing the plaintext password.
Access token impersonation (security-context usurpation): Windows creates a primary access token at logon (SID, groups, privileges) and duplicates it into child processes. If an attacker can locate/duplicate a privileged token and spawn a new process bound to it, Windows authorizes actions as the victim without re-checking the password and without touching LSASS. Tools such as SensePost's Impersonate (integrated into NetExec) automate token discovery/hijacking and command execution under the stolen context. Shadow RDP...
🤖 Agent Actions
Updated rdp-sessions-abuse.md with the blog’s missing technical content around abusing an already logged-on victim context: Shadow RDP policy values and commands, scheduled-task execution as a logged-on user without their password, CredUI prompt abuse from the victim session, and requesting a PFX in the victim context for certificate-based AD auth.
I kept it to one file, because the repo already covers token impersonation and generic token abuse elsewhere, while this page was the best fit for the session-bound tradecraft that was not yet documented together. I also added a proper `## References` section at the end with the SensePost post and relevant NetExec/Microsoft links.
Verification: reviewed the final diff and confirmed the new material is only in that file and does not duplicate the stronger existing token-focused pages.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
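The PR body above mentions the Shadow RDP policy values and the logged-on sessions that session-bound tradecraft targets. As an added example that is not part of the PR, the SensePost post, or the HackTricks page it edits, the PowerShell below audits that policy on a host, interprets the value, lists the interactive sessions a local admin could shadow, and shows the hardening setting. The function names `Get-ShadowPolicy`, `Get-InteractiveSession` and `Set-ShadowPolicy` are this example's own; the registry path and value meanings are those of the "Set rules for remote control of Remote Desktop Services user sessions" Group Policy setting.

```powershell
# Added example (not from the PR or the SensePost post): audit the RDP Shadow
# policy that decides whether an admin can take over another user's session
# silently, list who is interactively logged on, and show the hardening value.
# Function names are this example's own. Run elevated on the host being audited.

$ShadowKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# DWORD 'Shadow' under $ShadowKey, as set by the GPO
# "Set rules for remote control of Remote Desktop Services user sessions".
$ShadowMeaning = @{
    0 = 'No remote control allowed'
    1 = 'Full Control without user permission'   # silent takeover: mstsc /shadow:<id> /control /noConsentPrompt
    2 = 'Full Control with user permission'
    3 = 'View Session without user permission'
    4 = 'View Session with user permission'
}

function Get-ShadowPolicy {
    $value = (Get-ItemProperty -Path $ShadowKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
    if ($null -eq $value) {
        return [pscustomobject]@{
            Value   = $null
            Meaning = 'Not configured (OS default applies; verify on the target build)'
            Silent  = $false
        }
    }
    [pscustomobject]@{
        Value   = [int]$value
        Meaning = $ShadowMeaning[[int]$value]
        Silent  = ([int]$value -in 1, 3)   # the victim never sees a consent prompt
    }
}

function Get-InteractiveSession {
    # Parses 'query session' rows such as:
    #   >rdp-tcp#5   CORP\alice   2  Active  rdpwd
    # Rows with no username (services, listeners) do not match and are skipped.
    $pattern = '^\s*>?(?<session>\S+)\s+(?<user>\S+)\s+(?<id>\d+)\s+(?<state>Active|Disc)\b'
    foreach ($line in (query session 2>$null)) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Id      = [int]$Matches.id
                User    = $Matches.user
                Session = $Matches.session
                State   = $Matches.state
            }
        }
    }
}

function Set-ShadowPolicy {
    param([ValidateSet(0, 1, 2, 3, 4)][int]$Value = 0)
    # 0 disables shadowing outright. A domain GPO that sets this key overwrites
    # a local change at the next policy refresh, so for tiered hosts fix it in
    # the GPO that applies to that tier rather than here alone.
    New-Item -Path $ShadowKey -Force | Out-Null
    Set-ItemProperty -Path $ShadowKey -Name Shadow -Value $Value -Type DWord
}

$policy = Get-ShadowPolicy
"Shadow policy: $($policy.Value) => $($policy.Meaning)"
if ($policy.Silent) {
    'WARNING: sessions on this host can be shadowed without the user noticing.'
}
'Interactive sessions a local admin could target:'
Get-InteractiveSession | Format-Table -AutoSize
# To harden:  Set-ShadowPolicy -Value 0
```

The check matters most on hosts where a higher tier logs on interactively (jump hosts, admin workstations): a value of 1 or 3 means a local admin on that box can watch or drive a privileged session without a prompt, which is exactly the session-bound access the PR documents. Values 2 and 4 still let the victim see and refuse the request, and 0 removes the capability; a tiering model should pair whichever value is chosen with the rule that higher-tier accounts do not log on to lower-tier hosts in the first place.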