Back to Details

competition-identity-windows

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Competition Identity Windows

竞赛Windows身份相关技能

Use this skill only as a downstream specialization after 
$ctf-sandbox-orchestrator
is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to 
$ctf-sandbox-orchestrator
first.
Use this skill when the challenge revolves around identity flow, replayable credentials, Windows host artifacts, enterprise mail, or lateral movement.
Reply in Simplified Chinese unless the user explicitly requests English.
仅当
$ctf-sandbox-orchestrator
已激活并完成沙箱假设、节点归属确认和证据优先级划分后,才能将此技能作为下游专项技能使用。如果尚未完成上述步骤,请先返回
$ctf-sandbox-orchestrator
当挑战围绕身份流、可重放凭证、Windows主机遗留痕迹、企业邮件或横向移动展开时使用本技能。
除非用户明确要求英文回复,否则请使用简体中文作答。

Quick Start

快速开始

  1. Map the identity or pivot chain before diving into every host artifact.
  2. Separate credential possession from accepted privilege.
  3. Correlate identity evidence, host evidence, and mail evidence on one timeline.
  4. Keep tickets, SIDs, event IDs, mailbox rules, and pivot hosts in compact evidence blocks.
  5. Reproduce the privilege edge or mail effect from the smallest viable chain.
  1. 在深入分析每个主机痕迹之前,先梳理身份或跳转链路。
  2. 区分凭证持有状态和已授予的权限。
  3. 将身份证据、主机证据和邮件证据关联到同一时间线中。
  4. 将票据、SIDs、事件ID、邮箱规则和跳转主机信息整理到精简的证据块中。
  5. 基于最小可行链路复现权限边界或邮件影响效果。

Workflow

工作流

1. Identity And AD

1. 身份与AD

  • Trace principal origin, sync path, token or ticket minting, claims transformation, group resolution, and accepting service.
  • When Kerberos matters, record ticket type, SPN, delegation mode, PAC or group data, encryption type, and cache location.
  • 追踪主体来源、同步路径、令牌或票据签发、声明转换、组解析和服务接收逻辑。
  • 涉及Kerberos时,记录票据类型、SPN、委派模式、PAC或组数据、加密类型和缓存位置。

2. Windows Host And Pivoting

2. Windows主机与横向跳转

  • Correlate SAM, SECURITY, SYSTEM, NTDS, DPAPI, LSA secrets, ETW, Sysmon, PowerShell, services, tasks, WMI, WinRM, SMB, and RDP as one pivot graph.
  • Express movement as a concrete chain: foothold -> recovered artifact -> replay path -> pivot host -> resulting capability.
  • 将SAM、SECURITY、SYSTEM、NTDS、DPAPI、LSA secrets、ETW、Sysmon、PowerShell、服务、任务、WMI、WinRM、SMB和RDP关联为一个横向跳转图谱。
  • 将移动过程表述为具体链路:立足点 -> 恢复的痕迹 -> 重放路径 -> 跳转主机 -> 最终获得的能力。

3. Enterprise Messaging

3. 企业消息服务

  • Keep phishing lures, consent logs, mailbox rules, and identity-provider events tied together so the mail path and privilege path stay connected.
  • 将钓鱼诱饵、授权日志、邮箱规则和身份提供商事件关联在一起,保证邮件路径和权限路径的关联性。

Read This Reference

参考说明

  • Load 
    references/identity-windows.md
    for the ticket, host, and enterprise-messaging checklist.
  • If the task is primarily a host-to-host pivot, Kerberos replay, or Windows privilege chain, prefer 
    $competition-windows-pivot
    .
  • If the task is specifically about constrained delegation, unconstrained delegation, RBCD, S4U, or ticket-acceptance proof, prefer 
    $competition-kerberos-delegation
    .
  • If the task is specifically about AD CS, certificate templates, EKUs, enrollment rights, PKINIT, or cert-based privilege, prefer 
    $competition-ad-certificate-abuse
    .
  • If the task is specifically about OAuth or OIDC claims, callback flow, scopes, consent, or accepted login identity, prefer 
    $competition-oauth-oidc-chain
    .
  • If the task is specifically about DPAPI masterkeys, vault blobs, browser or vault secrets, backup-key use, or protected-secret-to-access chains, prefer 
    $competition-dpapi-credential-chain
    .
  • If the task is specifically about LSASS memory, ticket caches, LUID-linked material, DPAPI context, or replayable host credential artifacts, prefer 
    $competition-lsass-ticket-material
    .
  • If the task is specifically about mailbox rules, forwarding, OAuth consent, delegate access, or transport-level mail abuse, prefer 
    $competition-mailbox-abuse
    .
  • If the task is specifically about forced authentication, relay targets, or proving which service accepts relayed auth, prefer 
    $competition-relay-coercion-chain
    .
  • 加载
    references/identity-windows.md
    获取票据、主机和企业消息服务检查清单。
  • 如果任务主要是主机间跳转、Kerberos重放或Windows权限链路,优先使用
    $competition-windows-pivot
  • 如果任务专门涉及约束委派、无约束委派、RBCD、S4U或票据接收验证,优先使用
    $competition-kerberos-delegation
  • 如果任务专门涉及AD CS、证书模板、EKUs、注册权限、PKINIT或基于证书的权限利用,优先使用
    $competition-ad-certificate-abuse
  • 如果任务专门涉及OAuth或OIDC声明、回调流、作用域、授权或可接受的登录身份,优先使用
    $competition-oauth-oidc-chain
  • 如果任务专门涉及DPAPI主密钥、vault blobs、浏览器或vault密钥、备份密钥使用或受保护密钥到访问权限的转换链路,优先使用
    $competition-dpapi-credential-chain
  • 如果任务专门涉及LSASS内存、票据缓存、LUID关联材料、DPAPI上下文或可重放主机凭证痕迹,优先使用
    $competition-lsass-ticket-material
  • 如果任务专门涉及邮箱规则、转发、OAuth授权、委托访问或传输层邮件滥用,优先使用
    $competition-mailbox-abuse
  • 如果任务专门涉及强制认证、中继目标或验证哪个服务接受中继认证,优先使用
    $competition-relay-coercion-chain

What To Preserve

需要留存的内容

  • SIDs, SPNs, ticket fields, event IDs, mailbox rules, and replay points
  • Exact host-to-host pivot order and the service that accepts the credential or ticket
  • Raw artifacts, parsed summaries, and derived timelines as separate outputs
  • SIDs、SPNs、票据字段、事件ID、邮箱规则和重放点
  • 准确的主机间跳转顺序以及接收凭证或票据的服务
  • 原始痕迹、解析摘要和派生时间线作为独立输出