Post compromise enumeration
xfreerdp /v:[IP] /u:kkidd /p:Pass123321@
Network Infrastructure -enumeration of compromised machine is key to finding out what to do net -VLAN - hosts within VLAN can only communicate with other hosts in the same VLAN network
Internal Networks -subnetworks that are segmented and separated based on importance of the internal device -share information faster and easier tools with in an organization -use segmentation to control traffic, optimize performance and improve security posture
Demiliterized Zone (DMZ) -edge of network that protects and adds an extra security layer to a corporation’s internal LAN from untrusted traffic
Network Enumeration -check TCP and UDP open ports netstat -na -ARP table - contains the IP and physical address of the computers arp -a
Internal Network Services -provides private and internal network communication access for internal network devices -not accessible outside the network
Active Directory -Windows based directory service that stores and provides data objects to the internal network environment -allows for centralized mangement of authentication and authorization -contains: users, computers, printers etc -details: job title, phone numbers, address, passwords, groups, permissions, etc
Domain Controller: windows server that provides AD services and controls entire domain -encryption of user data -control access to network -enables resource access and sharing -lot of high-value information
Organizational Units (OU’s): containers within the AD domain with a hierarchical structure
AD objects: single user or group or hardware component
AD domains: collection of Microsoft components within an AD network
AD Forest: collection of domains that trust each other
systeminfo | findstr Domain -thmredteam.com
AD Enum
-get all AD user accounts Get-ADUser -Filter * -LDAP hierarchical tree structure: find a user within AD environment -CN: common name -OU: organizational Unit Name -DC: Domain component Get-ADUser -Filter * -SearchBase “CN=Users,DC=THMREDTEAM,DC=COM”
Host Security Solution #1 -enumerate antivirus and security detection methods to remain undetected as possible and avoid detection
- Antivirus Software -monitor, detect and pervent malicious softawre from being executed in the host -perform: background scanning, full system scanning, virus definitions -detection techniques: a. Signature-based: signature of malicious software is registered in database and antivirus scan checks signature if file being scanned matches a malicious signature b. Heuristic-based: machine learning to decide if file is malicious or not c. Behavior-based: relies on monitoring and examining the execution of applications to find abnormal behaviors
check if antivirus exists wmic /namespace:\root\securitycenter2 path antivirusproduct Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
- Windows Defender -preinstalled antivirus security tool -uses various algorithms in detection -Active: runs as primary antivirus protection and remediation -Passive: 3rd party antivirus is installed -Disable: diabled or uninstalled from the system
check state of windows defender Get-Service WinDefend Get-MpComputerStatus | select RealTimeProtectionEnabled
- Host-based Firewall -security tool installed and run on host machine that can prevent and block attack attempts -control inbound and outbound traffic -analyze traffic including packet analysis
Get-NetFirewallProfile | Format-Table Name, Enabled
-disable firewall in admin privileges Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
-see rules Get-NetFirewallRule | select DisplayName, Enabled, Description
Host Security Solution #2
Event Logging and Monitoring Get-EventLog -List
Sysmon-gathering and logging events -useful in trouble shooting
-check to see if ‘Sysmon’ is running: Get-Process | Where-Object { $_.ProcessName -eq “Sysmon”}
-check services Get-CimInstance win32_service -Filter “Description = ‘System Monitor service’” # or Get-Service | Where-Object {$_.DisplayName -like “sysm”}
-check windows registry reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
Host-Based intrusion Detection/Prevention Systems (HIDS/HIPS) -HIDS detect suspicious activity a. Signature-based: look at checksums and message authentication b. Anomaly-based: unexpected activity, abnormal bandwidth, protocols and ports -HIPS secure operating system - detection and prevention
Endpoint Detection and Response (EDR) -defend against malware and other threats -Malware: virsuses, trojans, adware, keyloggers -Exploit chains -Ransomware
Network Security Solutions
-
Network Firewall -packet-filtering -proxy firewalls -NAT firewalls -Web Application firewalls
-
SIEM -monitor and analyze events and track and log data in real time -log management -event analytics -incident monitoring and security alerts -compliance management eg. Splunk
Applications and Services
-Enumerate installed apps to find vulnerabilities wmic product getname,version -look for particular text strings, hidden directories, backup files Get-ChildItem -Hidden -Path C:\Users\kkidd\Desktop
-services and processes -list services net start -list more info about service wmic service where “name like ‘service’” get Name,PathName -get process Get-Process -Name ‘service’ -use process ID to find network usage netstat -noa | findstr “LISTENING” | findstr “[processID]”
13337 http://127.0.0.1:13337 THM{S3rv1cs_1s_3numerat37ed}
nslookup.exe -provide DNS server -DNS zone transfer ls -d thmredteam.com
THM{DNS-15-Enumerated!}