
Get-EventLog -LogName Security -InstanceId 4720 | Select-Object *</pre></div><figure id="9247"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*1ogBlqZ-7dNeDpNg7baIUw.png"><figcaption></figcaption></figure>
<p id="fab0">Our initial assumption was accurate. Now, let’s list the privileges held by the <b><i>‘apt’</i></b> user. Since we already know this user belongs to the Administrators group, we can confirm this by enumerating the members of that group.</p>
<div id="0989"><pre>net localgroup Administrators</pre></div>
<figure id="31eb"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*n8AmAAO-wgl9guGrSdE1PQ.png"><figcaption></figcaption></figure>
<p id="2be9">However, the exact privileges held by the user <b><i>‘apt’</i></b> remain uncertain. To determine the access level, we will use the Sysinternals tool <b><i><a href="https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk">accesschk</a></i></b>, which lists the account rights granted to the ‘apt’ user. Change to the folder containing the tool and run it with the arguments below (‘-a’ selects account rights, and ‘*’ matches all of them).</p>
<div id="f085"><pre>.\accesschk64.exe apt -a *</pre></div>
<figure id="9f6f"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*kHHnzdbij_wQaZXIosY8sg.png"><figcaption></figcaption></figure>
<p id="7afb">Indeed, it’s confirmed that the user ‘apt’ holds full privileges on the operating system. Our next step is to identify any active sessions associated with this user. To acquire this information, we can leverage system commands, Sysinternals tools, or even examine event logs.
For now, we’ll opt for the Sysinternals tool ‘<a href="https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon">PsLoggedon</a>,’ which shows who is logged on locally and via resource shares.</p>
<figure id="7a36"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*SFoW2OOgM7DZZyVHPuDfSw.png"><figcaption></figcaption></figure>
<p id="e60d">This reveals that the user ‘apt’ has logged into the victim machine through network shares. To determine the origin of this connection, we can use the ‘net session’ command, which lists the inbound SMB sessions together with the client address of each.</p>
<div id="d661"><pre>net session</pre></div>
<figure id="9ac1"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*JApyNvTUPHprvRSnyaJE6A.png"><figcaption></figcaption></figure>
<p id="0b6d">The output shows that the attacker’s machine is <b><i>192.168.0.104</i></b> and that the connection to the victim’s machine is still active, which suggests the attacker is currently on the system.</p>
<h1 id="0006">Process and Service Information</h1>
<p id="3547">Now, let’s extract valuable information from processes and services, since critical evidence is often hidden there. To gather process information, we have two PowerShell cmdlets at our disposal: ‘Get-Process’ and ‘Get-WmiObject Win32_Process.’ I recommend ‘Get-WmiObject’ because it exposes more data than ‘Get-Process’, including the full command line of each process. We will retrieve a list of processes running at the time of the investigation.</p>
<div id="54a8"><pre>Get-WmiObject -Class Win32_Process | select ProcessName, ProcessId, CommandLine</pre></div>
<figure id="ea4e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*okLiTkQMzF-ji_193xAgCg.png"><figcaption></figcaption></figure>
<p id="b190">Numerous processes are running, making it challenging to identify anomalies.
However, given that user <b><i>VictimA</i></b> has been compromised, we should focus on processes started by this user.</p>
<div id="cca5"><pre>Get-WmiObject -Class Win32_Process | where { $_.GetOwner().User -eq "VictimA" } | select ProcessId, Name, CommandLine</pre></div>
<figure id="4972"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*sh5NIGAVwx9SSsyg5ED1bg.png"><figcaption></figcaption></figure>
<p id="66f7">We noticed that some processes started by user <b><i>VictimA</i></b> appear suspicious based on their command lines. Let’s investigate the parent-child relationships of these processes using their Process IDs.</p>
<div id="3dd1"><pre>Get-WmiObject -Class Win32_Process | where ProcessId -In 7036,5892,5776,9112,7912,460,8864 | select ParentProcessId, ProcessId, Name, CommandLine</pre></div>
<figure id="1b1a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*5CeYdOtVvcy4bDPKdmxXbA.png"><figcaption></figcaption></figure>
<p id="ddaa">It has been observed that the <b><i>‘ad.bat’</i></b> file executed a PowerShell command. The purpose of this command was to download a PowerShell script and run it, passing an IP address and port number as arguments. This suggests that the PowerShell script was designed to establish a reverse connection as part of an attack.
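As an added example (not from the original post), the following PowerShell function generalizes the two lookups above: it selects every process owned by a given user, reconstructs each one’s full parent chain from Win32_Process, and flags command lines containing typical download or encoding switches. The function name, the user name and the watch-pattern list are my own choices, not anything from the investigation.

```powershell
# Added example, not from the original post. Requires PowerShell 3+ on Windows.
# Lists processes owned by $User with their full ancestry (root -> ... -> child),
# so that a chain such as cmd.exe -> ad.bat -> powershell.exe is visible at a glance.
function Get-UserProcessTree {
    param(
        [Parameter(Mandatory)][string]$User,   # e.g. 'VictimA'
        # Constructed watch list: substrings that commonly appear in downloader or
        # encoded PowerShell command lines. Adjust to your environment.
        [string[]]$WatchPattern = @('DownloadString', 'DownloadFile', 'IEX',
                                    'Invoke-Expression', '-enc', '-nop', 'http')
    )

    # One WMI query for all processes; index by PID so parent lookups are cheap.
    $all   = Get-WmiObject -Class Win32_Process
    $byPid = @{}
    foreach ($proc in $all) { $byPid[[int]$proc.ProcessId] = $proc }

    foreach ($proc in $all) {
        # GetOwner() fails (ReturnValue != 0) for some system processes; skip those.
        $owner = $proc.GetOwner()
        if ($owner.ReturnValue -ne 0 -or $owner.User -ne $User) { continue }

        # Walk ParentProcessId upwards. Stop at the root, at a parent that no longer
        # exists (the PID may have exited or been reused), or on a cycle (PID 0 is
        # its own parent in Win32_Process).
        $chain = @()
        $seen  = @{}
        $cur   = $proc
        while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
            $seen[[int]$cur.ProcessId] = $true
            $chain += "$($cur.Name)($($cur.ProcessId))"
            $cur = $byPid[[int]$cur.ParentProcessId]
        }
        [array]::Reverse($chain)

        $hits = @()
        if ($proc.CommandLine) {
            $hits = $WatchPattern | Where-Object { $proc.CommandLine -match [regex]::Escape($_) }
        }

        [pscustomobject]@{
            ProcessId   = $proc.ProcessId
            Name        = $proc.Name
            ParentPid   = $proc.ParentProcessId
            Ancestry    = $chain -join ' -> '
            Flags       = ($hits -join ', ')
            CommandLine = $proc.CommandLine
        }
    }
}

# Usage: flagged rows first, with the command line wrapped rather than truncated.
Get-UserProcessTree -User 'VictimA' |
    Sort-Object { [string]::IsNullOrEmpty($_.Flags) } |
    Format-Table ProcessId, Name, Ancestry, Flags, CommandLine -AutoSize -Wrap
```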
The reference image below is taken from Process Explorer.</p>
<figure id="aaaa"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*fNdvmFTnbrtYE9MBTCAvdQ.png"><figcaption></figcaption></figure>
<p id="c8d3">Now that we have collected a significant amount of information about the suspicious processes, let’s shift our focus to the services, where we might find further evidence. We will gather a list of all running services.</p>
<div id="6cfd"><pre>Get-WmiObject -Class Win32_Service | where State -eq 'Running' | select Name, ProcessId, Status, Started, State, PathName</pre></div>
<figure id="1a9a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*WVIZinER8JAbBjd-6vzfgg.png"><figcaption></figcaption></figure>
<p id="7bd7">No suspicious findings so far, but I’d like to take a closer look at the running services associated with the Process IDs we identified during the process investigation.</p>
<div id="2ff9"><pre>Get-WmiObject -Class Win32_Service | where State -eq 'Running' | where ProcessId -In 7036,5892,5776,9112,7912,460,8864 | select Name, ProcessId, Status, Started, State, PathName</pre></div>
<figure id="4c35"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*6CV3yOovqZM7JUBwaHnxYA.png"><figcaption></figcaption></figure>
<p id="49a9">Nothing suspicious was observed.</p>
<h1 id="7870">Network Information</h1>
<p id="f2ac">Since we know a reverse connection was attempted, our next step is to confirm whether it was actually established. To do this, we will use the <b><i>‘netstat’</i></b> utility.
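Complementary to the netstat walkthrough in this section, here is an added example (not from the original post) that performs the connection-to-process correlation in one step: it pairs every established TCP connection with its owning process from Win32_Process, so the process name, parent PID and full command line behind a connection to a given port or address are visible directly. It assumes Get-NetTCPConnection (Windows 8 / Server 2012 and later); the function name and the watch lists are my own.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012+ for
# Get-NetTCPConnection and PowerShell 3+. Pairs each established TCP connection with
# the owning process (name, parent PID, full command line) and marks the ones that
# match simple, constructed watch criteria, so a shell held by powershell.exe shows
# up without cross-referencing netstat -ano and tasklist output by hand.
function Get-EstablishedConnectionOwner {
    param(
        # Remote ports worth a second look; 4444 is the one seen in this case.
        [int[]]$WatchRemotePort = @(4444),
        # Script/shell hosts that rarely need outbound sessions on a workstation.
        # Constructed list; tune it to your environment.
        [string[]]$WatchProcess = @('powershell.exe', 'cmd.exe', 'wscript.exe',
                                    'cscript.exe', 'mshta.exe', 'rundll32.exe')
    )

    # Snapshot the process table once and index it by PID.
    $byPid = @{}
    Get-WmiObject -Class Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $conn = $_
            $proc = $byPid[[int]$conn.OwningProcess]
            $reasons = @()
            if ($WatchRemotePort -contains [int]$conn.RemotePort) {
                $reasons += "remote port $($conn.RemotePort)"
            }
            if ($proc -and $WatchProcess -contains $proc.Name) {
                $reasons += "owned by $($proc.Name)"
            }
            if ($proc -and $proc.CommandLine -match 'http|DownloadString|IEX|-enc') {
                $reasons += 'download/encoded command line'
            }
            # The owning PID may have exited between the two snapshots.
            $name   = if ($proc) { $proc.Name }            else { '(exited)' }
            $parent = if ($proc) { $proc.ParentProcessId } else { $null }
            $cmd    = if ($proc) { $proc.CommandLine }     else { $null }
            [pscustomobject]@{
                Local       = "$($conn.LocalAddress):$($conn.LocalPort)"
                Remote      = "$($conn.RemoteAddress):$($conn.RemotePort)"
                OwningPid   = $conn.OwningProcess
                Process     = $name
                ParentPid   = $parent
                Reasons     = $reasons -join '; '
                CommandLine = $cmd
            }
        } |
        Sort-Object { [string]::IsNullOrEmpty($_.Reasons) }
}

# Usage: flagged connections are listed first.
Get-EstablishedConnectionOwner | Format-Table Local, Remote, OwningPid, Process, Reasons -AutoSize
```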
Our first action is to retrieve a list of all connections.</p>
<figure id="786e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*Ap9HOX5ljV59a3JvaZHSVQ.png"><figcaption></figcaption></figure>
<p id="11b0">Next, we inspect the established connections and identify their owning processes. In this instance, we noted a connection on port 4444 associated with PowerShell, indicated by PID 7912. This confirms that a Command and Control session has been established with <b><i>192.168.0.108</i></b>.</p>
<figure id="0027"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*z-wRQ1UG_jCLSdxaYQPCdw.png"><figcaption></figcaption></figure>
<p id="b7dd">We’ll now examine the nature of the communication between the compromised machine and the C2 server, which typically follows a master-slave pattern (the server issues commands and the implant on the victim executes them). To inspect this interaction, we’ll use Wireshark.</p>
<figure id="5026"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*a_g9T6ZW98cMgq_iPdOznA.png"><figcaption></figcaption></figure>
<h1 id="c47c">Autorun and scheduled task information</h1>
<p id="ab11">As we approached the final phase of our live forensics on the Windows machine, our attention was drawn to the C2 (Command and Control) connection, in which the server was attempting to add a .bat file to the registry to establish persistence on the system. Before examining the registry path, we first checked whether any applications were present in the startup folders. We did not find any malicious applications there.</p>
<figure id="bf7a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*1_Ng1FqB8eP4KK8XE_jOxA.png"><figcaption></figcaption></figure>
<p id="43dd">At this point, our attention is directed towards the startup commands within the registry.
We’ve noticed that a registry key has been added, and the associated file is named “sd.bat.”</p>
<div id="93c4"><pre>gwmi Win32_StartupCommand</pre></div>
<figure id="2a07"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*6C5wTI9ysapfJD6q5WY_OA.png"><figcaption></figcaption></figure>
<p id="3a9e">We’ll gather more detailed information about this specific startup entry to gain deeper insight into the activity. This confirms that the activity recorded in the network forensics was successfully executed and that persistence has been established.</p>
<div id="f52f"><pre>gwmi Win32_StartupCommand | where Name -eq "APT" | select *</pre></div>
<figure id="8544"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*lfQO-8KyGLRyWen8Hg44-g.png"><figcaption></figcaption></figure>
<p id="bdef">We will now check whether any other persistence activity is visible in scheduled tasks. No suspicious activity was found.</p>
<div id="0fac"><pre>Get-ScheduledTask | where State -eq 'Ready'</pre></div>
<figure id="cfb5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*EihxglbQgcwtDh4rC5VPbQ.png"><figcaption></figcaption></figure>
<h1 id="51e5">Indicator of Attack</h1>
<ul id="f3aa">
<li>New user APT has been created — <b>Initial Access (T1078.003)</b></li>
<li>User APT added to the admin group — <b>Privilege Escalation (T1098)</b></li>
<li>The user ‘APT’ has logged into the victim’s machine using network services from the IP address 192.168.0.104 — <b>Lateral Movement (T1021.002)</b></li>
<li>PowerShell commands were executed from a batch file with the aim of downloading a PowerShell script and running it, providing an IP address and port number as inputs. This indicates the establishment of a reverse shell — <b>Execution (T1059)</b></li>
<li>A batch file was added to HKU&lt;user&gt;\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, indicating that this file will be executed upon user VictimA’s login — <b>Persistence (T1547.001)</b></li>
</ul>
<h1 id="afc0">Conclusion</h1>
<p id="3dda">The process we’ve discussed in this blog is not exhaustive; there are other artifacts that can also be examined. We’ll aim to cover those in the next blog.</p></article></body>

CALL FOR SUBMISSIONS — WRITE FOR US!

Meet our Musers! (5)

MUSERSCRIBE NEWSLETTER 0.5

Photo by Kirk Schwarz on Unsplash

Hello Musers! Welcome to our latest newsletter!

MuserScribe is your space … to talk about the people or things that influence your writing. If the role of the Muse is to bring life and colour to your craft, MuserScribe is the place to talk about it …

In case you missed it, here’s our previous newsletter:

Backstory

MuserScribe has been in existence on Facebook and Twitter since 2009, functioning as ‘go-to pages littered with writerly musings, advice, original writing prompts and more 💜’.

You may know what inspires you, but have you ever written about it? And if so, do you enjoy writing about it? Well, come on down, this is what MuserScribe is all about!

Converting the Muse into Words

It’s been my dream to convert MuserScribe into its own publication, a space for writers to get us all thinking about how we transform our muse into words …

We can draw inspiration from anywhere, poetry, art, myths, old films, photographs, trees, clouds, books, memories, the moon, the stars, or the contents of our back pocket. Oh, and the actual Greek Muses

MuserScribe wants to inspire and be inspired by you …

★ Muser of the Month

Josh E. describes himself as a ‘fiction writer, bookworm, and Tolkien fanatic!’

‘Chains in the Sky’ presents an immersive ‘what if’ around the concept of the ‘sky is the limit …’

Our Favourite Quote from ‘Chains in the Sky’ …

To a child who wants to be a chef or a doctor or an architect, it is quite a reasonable thing to say, but if you were talking to an astronaut, one who has trained and prepared for space travel, saying “the sky is the limit” isn’t necessarily the most reassuring choice of words. Then, from that strain of curiosity, this poem was born. It is derived from the question: what if the sky truly is the limit, where we could not… or at least should not go beyond our own plot of space real estate?

Read Josh’s full story here:

Want to see more? Here are some examples of previously published stories in MuserScribe:

Want the opportunity to discuss your Muse? Simply join our merry band of Musers. Please follow MuserScribe and respond with ‘I’d love to write for MuserScribe!’

Don’t forget to leave your @ username!

Suggested Topics

  1. Write a stand-alone ‘about me’ story talking about the people, places, or events that first inspired you to become a writer;
  2. Write a story (fiction or non-fiction) then write an introduction talking about the inspiration behind your work. Similarly, you can write a poem and talk about the inspiration behind that. The introduction should preface the content of your story or poem;
  3. If you want to talk about the inspiration behind a previously published piece of work, it’s acceptable to include a link to that work in your story (and also provides you with double exposure!);
  4. Short form, personal essays, chapter extracts, fiction, poetry, non-fiction, or self-help stories with your discussion of the inspiration behind them are all welcomed.

★ As writers for MuserScribe, we support each other! We are respectful, we read, we engage and we clap (yes, keep that finger down and enjoy those fireworks until it reaches a nice round ❤️ 50! ❤️). Those 50 claps cost you nothing, but the boost of morale to your fellow writers is everything.

Let’s cheer on our new and current writers …

Britt H., Cailey Renee, C. Elyse, Colleen McManus Hein, Jay M E, Josh E., KAKA LAM 嘉嘉 @iamkakalamkk, LucyRebecca, Mario Lopez, passarozumbido, Paige Holloway, Theodore McDowell, Steffi Timm, Susi Moore, Qusay Alzubaidy.

MuserScribe looks forward to submissions by new and returning contributors.

★ Please see Breaking News below for our new publishing schedule.

Summary

My vision is to create a community of writers sharing the magic … e.g. what it is that inspires each of us to write.

This sharing of ‘the muse’ is intended not only to help you reflect on your own creativity but also to form a library of collective processes for us all.

Happy Musings! ★。・:*:・゚☆

‘Let’s convert the Muse into words!’ — Susi Moore

© 2023 Susi Moore. All Rights Reserved.

Breaking News …

Thank you for reading and supporting MuserScribe! We now publish five days a week — Monday to Friday.

Submissions received Friday evenings, Saturdays, or Sundays will be reviewed and published on Mondays.

If you’ve already been added as a writer for MuserScribe, I look forward to you jumping in with your submissions.

★ If you’ve already been added as a writer for MuserScribe, please jump in and tell us about your Muse …

Calling all fiction writers! Aspiring or established! Want to showcase your writing and imagination? Write for our sister publication, The Scriber’s Nook! We love fiction, poetry, memoirs, flights of fancy, and more …
