Mindmap - Analysis Scenarios

Windows admin shares like C$, Admin$ and IPC$ can provide full access to the file system and are commonly abused (for example with pass-the-hash) to gain unauthorized access to protected shares. SMB signing should be enforced for these shares, and on newer versions of Windows accessing them requires domain or built-in admin rights.

Uploaded by Jonas

Malware Execution Analysis > Lateral Movement > Scenarios

Windows Admin Shares

Use: to give admin applications access to the entire file system.
  - C$: access to the entire user drive
  - Admin$: access to all Windows folders
  - IPC$: share commonly used by named pipes
The many flaws of SMB can be abused (pass the hash with NTLM) to allow systems to access these shares.
  -> implement SMB Signing
  -> Since Vista, domain/built-in admin rights are needed to access these shares

Audit
  Source
    - MountPoints2: shows a list of shares that a user is connected to (NTUSER is directly linked to a user)
    - net use: most used tool for mapping shares
  Destination
    (nothing listed)

PsExec

Steps needed to establish Remote Execution:
  1) authenticate to the destination system = EID 4624
  2) Named pipes are then set up:
     a) ADMIN$ share is mounted on the destination = EID 5140
     b) Due to its implementation, PsExec copies itself to the destination (PSEXESVC.exe, to create the PSEXESVC service) and other binaries are copied to the Windows folder (by default). Creation of the PSEXESVC service creates a key under SYSTEM\CurrentControlSet... (sometimes automatically deleted after the session ends)
  3) Windows Service is started and the copied files are executed (how PsExec works) = EID 7045 (PsExec executions)

Audit
  Source
    - Eula: Users need to accept the user agreement before they can use the Sysinternals suite.
    - EID 4648 will be on the source system if explicit creds are used (runas)
  Destination
    - FILE SYSTEM: PsExec will create a user profile on the destination by default (if -e was not passed). The creation time of this profile and its corresponding NTUSER.DAT registry data can be an indicator of when PsExec was executed.
    - look for the pipes: \\<ip>\pipe\PSEXESVC-<sourcehostname>-<PID>-stdin
      lookup all pipes in PowerShell: PS> Get-ChildItem \\.\pipe\

You can create a policy that prevents users from downloading software tools such as PsExec (e.g. with AppLocker). You can also configure the Windows Registry to require User Account Control (UAC) approvals for any PsExec operations requiring administrator privileges.
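Pulling the destination-side PsExec artifacts above together, the following Python example (added here; it is not part of the mindmap) correlates 4624 / 5140 / 7045 records into a PsExec execution chain and parses PSEXESVC pipe names of the form shown above into source host, PID and stream. It goes slightly beyond the text in accepting the stdout/stderr pipes as well as stdin, and both the PSEXESVC and PSEXECSVC spellings. The field names (IpAddress, ShareName, ServiceName, ImagePath, LogonType, SubjectUserName) are the ones used in the Windows Security and System event XML; the event records and the pipe listing are constructed sample data, not output from a real system.

```python
"""Correlate Windows event records into a PsExec execution chain
(4624 network logon -> 5140 ADMIN$ access -> 7045 PSEXESVC install) and parse
the PSEXESVC named pipes PsExec leaves on the destination.

Added example for this page; all records below are constructed sample data."""
import re
from datetime import datetime, timedelta

# PsExec pipes are named PSEXESVC-<sourcehost>-<pid>-stdin|stdout|stderr.
# The mindmap spells the prefix PSEXECSVC; the optional "C" accepts both.
# Hostnames may contain hyphens, so the host group is greedy and the PID and
# stream are anchored at the end of the name.
PIPE_RE = re.compile(
    r"^(?:\\\\\.\\pipe\\)?PSEXE(?:C)?SVC-(?P<host>.+)-(?P<pid>\d+)-(?P<stream>stdin|stdout|stderr)$",
    re.IGNORECASE,
)
WINDOW = timedelta(seconds=60)  # max gap between logon/share access and service install


def parse_psexec_pipe(name):
    """Return {"host", "pid", "stream"} for a PsExec pipe name, else None."""
    m = PIPE_RE.match(name)
    if not m:
        return None
    return {"host": m.group("host"), "pid": int(m.group("pid")),
            "stream": m.group("stream").lower()}


def psexec_pipes(pipe_names):
    """Keep only the PsExec pipes from a pipe listing (as produced by Get-ChildItem on the pipe namespace)."""
    return [p for p in map(parse_psexec_pipe, pipe_names) if p]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_psexec(events, window=WINDOW):
    """Return one finding per PSEXESVC service install (7045) that is preceded,
    within `window` on the same host, by an ADMIN$ share access (5140) and a
    type-3 network logon (4624) from the same source IP."""
    findings = []
    for svc in events:
        if svc["eid"] != 7045 or svc["fields"].get("ServiceName", "").upper() != "PSEXESVC":
            continue
        t_svc = _ts(svc)
        recent = [e for e in events
                  if e["host"] == svc["host"] and timedelta(0) <= t_svc - _ts(e) <= window]
        for share in recent:
            if share["eid"] != 5140 or not share["fields"].get("ShareName", "").upper().endswith("ADMIN$"):
                continue
            ip = share["fields"].get("IpAddress")
            if any(e["eid"] == 4624 and e["fields"].get("LogonType") == "3"
                   and e["fields"].get("IpAddress") == ip for e in recent):
                findings.append({
                    "destination": svc["host"],
                    "source_ip": ip,
                    "account": share["fields"].get("SubjectUserName"),
                    "service_image": svc["fields"].get("ImagePath"),
                    "installed_at": svc["time"],
                })
                break  # one finding per service install is enough
    return findings


# Constructed sample records: a PsExec chain against DST01 plus benign noise on DST02.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T10:00:00", "host": "DST01", "eid": 4624,
     "fields": {"TargetUserName": "svc_admin", "LogonType": "3", "IpAddress": "10.0.0.5"}},
    {"time": "2024-01-10T10:00:01", "host": "DST01", "eid": 5140,
     "fields": {"SubjectUserName": "svc_admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\ADMIN$"}},
    {"time": "2024-01-10T10:00:02", "host": "DST01", "eid": 7045,
     "fields": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"time": "2024-01-10T10:05:00", "host": "DST02", "eid": 5140,
     "fields": {"SubjectUserName": "jdoe", "IpAddress": "10.0.0.9", "ShareName": r"\\*\IPC$"}},
    {"time": "2024-01-10T10:05:03", "host": "DST02", "eid": 7045,
     "fields": {"ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"}},
]

# Constructed pipe listing, in the shape Get-ChildItem \\.\pipe\ prints full names.
SAMPLE_PIPES = [
    r"\\.\pipe\lsass",
    r"\\.\pipe\PSEXESVC-WS-01-4242-stdin",
    r"\\.\pipe\PSEXESVC-WS-01-4242-stdout",
    r"\\.\pipe\PSEXESVC-WS-01-4242-stderr",
    r"\\.\pipe\srvsvc",
]

if __name__ == "__main__":
    for f in detect_psexec(SAMPLE_EVENTS):
        print("PsExec chain:", f)
    for p in psexec_pipes(SAMPLE_PIPES):
        print("PsExec pipe:", p)
```

The service-install event (7045) anchors the correlation because it is the artifact unique to PsExec; the share access and logon are then matched backwards in time, so an ADMIN$ access without a PSEXESVC install (a normal admin copying a file) does not produce a finding.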

sc: Remote Service Audit
  Source
    - difficult to see if sc was used on a local service or a destination system without command line auditing
  Destination
    - if a new DLL is used to create a new service, creation of those files and subsequent application execution artifacts can be identified.

at: Remote Scheduled Task Audit
  Source
    - difficult to see if sc was used on a local service or a destination system without command line auditing
  Destination
    - if a new DLL is used to create a new service, creation of those files and subsequent application execution artifacts can be identified.

reg add: Remote Registry

WMI Audit
  Source
    - Any Remote Command, Code or Remote Commands
    - command: "process call create"
    - gives the adversaries similar capabilities to PsExec while leaving fewer artifacts.
  Destination
    - wmiprvse.exe: good indication
    - best indicator: new log in Microsoft-Windows-WMI-Activity/Operational
    - .mof files or the execution of mofcomp.exe can indicate WMI event consumers
  Network
    - WMI commands are not encrypted -> Network forensics can be useful for tracking WMI usage, except if used over the WinRM protocol (e.g. using PowerShell)

PowerShell Remoting
  - uses the WinRM protocol
  - has access to WMI and much more
  Audit
    Source
      - command: "Invoke-Command"
      - command: "Enter-PSSession" (creates an encrypted interactive shell, like SSH)
      - gives the adversaries similar capabilities to PsExec while leaving fewer artifacts.
    Destination
      - PS v5 now includes detailed script block logging, including logging suspicious activity by default. This means that even in environments with weak audit policies, there can still be very useful PowerShell logging.
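For the WMI and PowerShell Remoting destination artifacts above, here is an added Python example (not from the mindmap) that flags two things in a batch of event records: 4688 process creations whose parent is wmiprvse.exe, which is what a remote "process call create" produces on the destination, and 4104 script block logging records (the event that PS v5 script block logging writes to Microsoft-Windows-PowerShell/Operational) whose text invokes Invoke-Command or Enter-PSSession. The ParentProcessName, NewProcessName, CommandLine and ScriptBlockText field names are the real Windows ones; the records themselves are constructed sample data.

```python
"""Flag WMI- and PowerShell-Remoting-related process and script activity in
Windows event records.

  * EID 4688 (Security): new process whose parent is wmiprvse.exe, the WMI
    provider host that spawns the child of a remote "process call create".
  * EID 4104 (Microsoft-Windows-PowerShell/Operational): script block text
    that calls a remoting cmdlet; 4104 is logged on the host that runs the block.

Added example for this page; the records below are constructed sample data."""
import re
from pathlib import PureWindowsPath

WMI_HOST_PROCESS = "wmiprvse.exe"
# Only the two cmdlets the mindmap names; extend the alternation for others.
REMOTING_RE = re.compile(r"\b(Invoke-Command|Enter-PSSession)\b", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path such as C:\\Windows\\System32\\wbem\\WmiPrvSE.exe."""
    return PureWindowsPath(path).name.lower()


def wmi_spawned_processes(events):
    """Return 4688 records whose ParentProcessName is wmiprvse.exe."""
    hits = []
    for e in events:
        if e["eid"] != 4688:
            continue
        f = e["fields"]
        if _basename(f.get("ParentProcessName", "")) == WMI_HOST_PROCESS:
            hits.append({"host": e["host"], "time": e["time"],
                         "process": _basename(f.get("NewProcessName", "")),
                         "command_line": f.get("CommandLine", ""),
                         "user": f.get("SubjectUserName")})
    return hits


def remoting_script_blocks(events):
    """Return 4104 records whose ScriptBlockText uses a PowerShell remoting cmdlet."""
    hits = []
    for e in events:
        if e["eid"] != 4104:
            continue
        text = e["fields"].get("ScriptBlockText", "")
        m = REMOTING_RE.search(text)
        if m:
            hits.append({"host": e["host"], "time": e["time"],
                         "cmdlet": m.group(1), "script": text.strip()})
    return hits


# Constructed sample records: one WMI-spawned cmd.exe, one interactive notepad,
# one remoting script block and one ordinary script block.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T11:00:00", "host": "DST01", "eid": 4688,
     "fields": {"SubjectUserName": "svc_admin",
                "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                "NewProcessName": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "cmd.exe /c ipconfig /all"}},
    {"time": "2024-01-10T11:00:05", "host": "DST01", "eid": 4688,
     "fields": {"SubjectUserName": "jdoe",
                "ParentProcessName": r"C:\Windows\explorer.exe",
                "NewProcessName": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe"}},
    {"time": "2024-01-10T11:01:00", "host": "SRC01", "eid": 4104,
     "fields": {"ScriptBlockText": "Invoke-Command -ComputerName DST01 -ScriptBlock { Get-Process }"}},
    {"time": "2024-01-10T11:01:30", "host": "SRC01", "eid": 4104,
     "fields": {"ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"}},
]

if __name__ == "__main__":
    for h in wmi_spawned_processes(SAMPLE_EVENTS):
        print("WMI-spawned process:", h)
    for h in remoting_script_blocks(SAMPLE_EVENTS):
        print("Remoting script block:", h)
```

The parent-process check relies on 4688 carrying ParentProcessName, which needs process creation auditing enabled; where the Microsoft-Windows-WMI-Activity/Operational log the mindmap calls the best indicator is available, the two sources corroborate each other.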

Application Deployment Software
  - If adversaries gain access to the patch distribution server, they can create a package/malware to spread that looks like a legit software update.

Malware based
  - By exploiting vulnerabilities in OS systems or installed software.
  Detection
    Crash Detection
      - Crash reports
    Audit
      Event Logs
        - EID 4688: A new process has been created
          Mandatory Label (new to Win10): In addition to each object's Discretionary Access Control List (permissions on a file), Windows also enforces Mandatory Integrity Control (MIC) over object access attempts, which compares the object's integrity label to the integrity level of the process trying to access the object.
    - HIPS/Antivirus/EMET logging
    - Application control logs
    - Code-injection trackers
