This screenshot shows Bro recording the mapping of of shares. It is also easy to relay the password hash without needing the plaintext password. Attackers will often use this account to move laterally as less mature environments tend to keep the password the same on every system. We can see that it is the Administrator account. Here we can see the actual username of the user who connected. Notable is the last column for path, which is what the attacker connected to (The C$ share) before pulling the file down. In this next screenshot we see something very similar. This can be seen as suspicious, as you will not often see remote systems pulling files from the Windows Temp directory of other systems. The file is in the Temp directory with the filename that appears to be a semi-random six character alphanumeric string. In the screenshot below we can see that Bro saw the attacker accessed a file. ![]() Bro will automatically extract metadata about files it sees pass over the SMB protocol. The first type of log source we are going to look at is Bro. The first is command execution to launch a Powershell Empire stager. With these 3 types of logs, we can step through some actions performed by an attacker. See: Greater Visibility Through PowerShell Logging. FireEye has an excellent guide on how to configure the local/group policy to get better visibility. Because of this, it is commonly used to control and enumerate Windows systems. Powershell is great for system administrators and hackers alike. Lastly you will need to increase the amount of logging for Powershell. These logs are arguably the most useful from a security perspective. This is an extremely useful addition to any Windows system. ![]() You will also need Sysmon, which is a Microsoft Sysinternals tool. There is also a Splunk add-on specifically for parsing Bro logs. You can also download this for free from their website. I will also be using the Bro Network Security Monitor. ![]() They have a free version as well as a Splunk Enterprise trail. To set up Splunk, you can go to their website and download the software. This blog won’t go into detail how to set up the infrastructure, but how to analyze the artifacts. By default, Windows doesn’t provide many logs which provide an Incident Responder with the information they need to identify what actions the attacker performed. In order to get the logs needed to detect this activity, there will need to be some configuration changes to Windows as well as some new tools added to the host and the network. Many guides exist on detecting Metasploit and PSExec, but not many on newer tools such as this. My goal with this blog post is to give defenders some techniques on how they can detect this tool and tools that use similar methods to move laterally and extract data from compromised systems. I use it personally on my penetration tests, as I’ve found that it does a really good job at moving from system to system without detection. CrackMapExec is a popular tool that is used by attackers to move laterally throughout an environment.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |