subat0mik / misconfiguration-manager Goto Github PK

For TAKEOVER-3, TAKEOVER-8:

Domain controller settings:
RestrictNTLMInDomain = 0 or not present, or is configured with any value and DCAllowedNTLMServers contains coercion target
LmCompatibilityLevel < 5 or not present, or = 5 and LmCompatibilityLevel >= 3 on the coercion target

I'm assuming that should be "LmCompatibilityLevel <= 3 on the coercion target"?

Hi! First of all, congratulations on this awesome project, it's an amazing reference already.

I noticed a (very minor) issue with some Unicode characters breaking links from some of the Markdown technique descriptions. Specifically, there are some Zero-Width spaces (\u200b) floating around after hyperlinks, which actually break the link as follows (example from CRED-1):

https://github.com/MWR-CyberSec/PXEThief%E2%80%8B

Here's the full list (obviously, not all of these are actually breaking links):

It's obviously simple to remediate with a single find-and-replace and I would submit a PR for this, but it's so minor that I wouldn't want to take 'contributor' credit for it 😂. Let me know if that's what you prefer anyway.

biskopp3n on the BloodHound Slack found a new CRED technique involving the deobfuscation of the MEP_MachineVariables table on the site database server.

https://bloodhoundhq.slack.com/archives/C03N78QCRKJ/p1710329409609879

Minor Quibble about PXE Creds: I'd like to see this broken out into separate issues for each different type of credentials found. The different creds can appear under different circumstances, and prevention that is effective for some is not for others.