Jack Krier

    Get-EventLog -LogName Security -InstanceId 4720 | Select-Object *

Our initial assumption was accurate. Now, let's list the privileges held by the 'apt' user. Since we already know this user belongs to the Administrators group, we can confirm it by enumerating that group.

    net localgroup Administrators

However, the privileges actually held by the user 'apt' remain uncertain. To determine their access level, we will use the Sysinternals tool accesschk (https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk), which reports the extent of access granted to the 'apt' user. Go to the folder containing the tool and run it with the arguments below.

    .\accesschk64.exe apt -a *

Indeed, it is confirmed that the user 'apt' holds full privileges within the operating system. Our next step is to identify any active sessions associated with this user. To acquire this information, we can use system commands, Sysinternals tools, or the event logs.
For now, we will opt for the Sysinternals tool PsLoggedon (https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon), which lists the active logon sessions.

This shows that the user 'apt' has logged into the victim machine through system shares. To determine the origin of this connection, we can use the 'net' command to gather more information.

    net session

The output shows that the attacker's machine is 192.168.0.104 and that the connection to the victim's machine is still active, suggesting that the attacker is currently on that system.

Process and Service Information

Now, let's extract valuable information from processes and services, as critical data is often concealed there. To gather process information, we have two PowerShell cmdlets at our disposal: Get-Process and Get-WmiObject Win32_Process. I recommend Get-WmiObject because it provides more comprehensive data than Get-Process, including the full command line and the parent process ID. We will retrieve the list of processes running at the time of the investigation. (Win32_Process exposes the executable name as Name, not ProcessName, so that is the property to select.)

    Get-WmiObject -Class Win32_Process | select Name, ProcessId, CommandLine

Numerous processes are running, making it challenging to identify anomalies.
However, given that user VictimA has been compromised, we should focus on processes started by this user.

    Get-WmiObject -Class Win32_Process | where { $_.GetOwner().User -eq "VictimA" } | select ProcessId, Name, CommandLine

Some of the processes started by user VictimA look suspicious based on their command lines. Let's investigate the parent-child relationships of these processes using their process IDs.

    Get-WmiObject -Class Win32_Process | where ProcessId -In 7036,5892,5776,9112,7912,460,8864 | select ParentProcessId, ProcessId, Name, CommandLine

The output shows that the 'ad.bat' file executed a PowerShell command. The purpose of this command was to download a PowerShell script and run it, passing an IP address and port number as arguments. This suggests that the PowerShell script was designed to establish a reverse connection as part of the attack.
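The two commands above first filter processes by owner and then look up the parents of a hand-picked set of PIDs. The script below, an added example rather than code from the original post, does both in one pass for every process owned by the compromised user, rebuilds the full parent chain instead of one level, and joins each process to its established TCP connections, which is the correlation the netstat step later in the post performs by eye. It assumes Windows PowerShell 5.1 or later with the CimCmdlets and NetTCPIP modules and an elevated prompt; the user name VictimA comes from the post, and the indicator list is a constructed set of review patterns, not something the post defines.

```powershell
# Added example (not code from the original post): triage one user's processes,
# rebuild each one's parent chain, and join it to its live TCP connections.
# Assumes Windows PowerShell 5.1 or later with the CimCmdlets and NetTCPIP
# modules, run from an elevated prompt so other users' processes are visible.
param(
    [string]$User = 'VictimA'   # account to triage; VictimA is the compromised user from the post
)

# Constructed review list: fragments typical of download-and-execute command lines.
# A hit flags the row for an analyst; it is not a verdict on its own.
$Indicators = 'DownloadString', 'DownloadFile', 'Invoke-Expression', '\bIEX\b',
              'FromBase64String', '-EncodedCommand', '\s-e(nc)?\s', 'Net\.WebClient',
              'Invoke-WebRequest', 'bitsadmin', 'certutil', 'mshta'

# One snapshot of every process, indexed by PID, so parent lookups are cheap and
# the tree stays consistent even if processes exit while we work.
$AllProcesses = Get-CimInstance -ClassName Win32_Process
$ByPid = @{}
foreach ($p in $AllProcesses) { $ByPid[[int]$p.ProcessId] = $p }

function Get-ProcessOwner($Process) {
    # GetOwner is a WMI method; it fails for protected and system processes, so tolerate that.
    try {
        $o = Invoke-CimMethod -InputObject $Process -MethodName GetOwner -ErrorAction Stop
        if ($o.User) { return "$($o.Domain)\$($o.User)" }
    } catch { }
    return '<unknown>'
}

function Get-ParentChain([int]$ProcessId) {
    # Walk ParentProcessId upwards until the root or a parent that has already exited.
    $chain = @(); $seen = @{}
    $cur = $ByPid[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += "$($cur.Name)($($cur.ProcessId))"
        $cur = $ByPid[[int]$cur.ParentProcessId]
    }
    return ($chain -join ' <- ')
}

# Established TCP connections grouped by owning PID (the join netstat leaves you to do by eye).
$ConnByPid = @{}
foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    $ConnByPid[[int]$c.OwningProcess] += @("$($c.LocalAddress):$($c.LocalPort)->$($c.RemoteAddress):$($c.RemotePort)")
}

$Rows = foreach ($p in $AllProcesses) {
    if ((Get-ProcessOwner $p) -notlike "*\$User") { continue }
    $cmd = [string]$p.CommandLine
    $hits = @($Indicators | Where-Object { $cmd -match $_ })
    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        Name        = $p.Name
        ParentChain = Get-ParentChain $p.ProcessId
        Indicators  = ($hits -join ',')
        Connections = ($ConnByPid[[int]$p.ProcessId] -join ' ')
        CommandLine = $cmd
    }
}

# Rows with indicator hits or live connections first, so review starts at the most interesting.
$Rows |
    Sort-Object { [int]($_.Indicators -ne '') + [int]($_.Connections -ne '') } -Descending |
    Format-List
```

Save it as a .ps1 file and run it from an elevated session; without administrator rights GetOwner returns nothing for other users' processes and they are skipped as unknown. In the scenario described in the post, a PowerShell process spawned from a batch file with a download cradle on its command line and an established connection to the C2 port would carry both an indicator hit and a connection and therefore surface at the top of the list, with the batch file and its own parent visible in the ParentChain column.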
The same parent-child chain is visible in Process Explorer.

Now that we have collected a significant amount of information about the suspicious processes, let's shift our focus to the services, where we might find further insight. We will gather a list of all running services.

    Get-WmiObject -Class Win32_Service | where State -eq 'Running' | select Name, ProcessId, Status, Started, State, PathName

No suspicious findings so far, but I'd like to take a closer look at any running services associated with the process IDs we identified during the process investigation.

    Get-WmiObject -Class Win32_Service | where State -eq 'Running' | where ProcessId -In 7036,5892,5776,9112,7912,460,8864 | select Name, ProcessId, Status, Started, State, PathName

Nothing suspicious was observed.

Network Information

As we are aware of the reverse connection, our next step is to confirm whether it is present or being established. To achieve this, we will use the netstat utility.
Our first action is to retrieve a list of all connections.

Now we will inspect the established connections and identify their owners. In our case, we noted a connection on port 4444 owned by PowerShell, PID 7912. This confirms that a Command and Control session has been established with 192.168.0.108.

We will now examine the nature of the communication between the compromised machine and the C2 server, which typically functions as a master-slave relationship. To inspect this interaction, we will use Wireshark.

Autorun and Scheduled Task Information

As we approached the final phase of our live forensics on the Windows machine, our attention was drawn to the C2 (Command and Control) connection, over which the server was attempting to add a .bat file to the registry to establish persistence on the system. Before delving into the registry path, we checked whether any applications were located in the startup folders. We did not find any malicious applications there.

At this point, our attention is directed towards the startup commands within the registry.
We notice that a registry key has been added, and the associated file is named "sd.bat".

    gwmi Win32_StartupCommand

We will gather more detailed information about this specific startup entry to gain deeper insight into the activity. This confirms that the activity recorded in the network capture was successfully executed and that persistence has been established.

    gwmi Win32_StartupCommand | where Name -eq "APT" | select *

We will now check whether any other persistence has been established via scheduled tasks. No suspicious activity was found.

    Get-ScheduledTask | where State -eq 'Ready'

Indicators of Attack

- New user APT has been created — Initial Access (T1078.003)
- User APT added to the Administrators group — Privilege Escalation (T1098)
- The user APT logged into the victim's machine over network services from the IP address 192.168.0.104 — Lateral Movement (T1021.002)
- PowerShell commands were executed from a batch file to download a PowerShell script and run it with an IP address and port number as inputs, indicating the establishment of a reverse shell — Execution (T1059)
- A batch file was added to HKU\<user>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, meaning it will be executed when user VictimA logs in — Persistence (T1547.001)

Conclusion

The process we have discussed in this blog is not exhaustive, and there are other artifacts that can also be observed. We aim to cover those in the next blog.
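The autorun and scheduled-task checks in the post query Win32_StartupCommand and then list only tasks in the Ready state. The script below, an added example and not code from the original post, sweeps the three persistence locations the post touches in a single pass: Run and RunOnce keys under every loaded hive in HKEY_USERS (the HKU\<user>\...\Run location named in the Indicators of Attack) plus HKLM, the WMI startup commands, and every scheduled task regardless of state with each task action expanded. Entries whose command references a script interpreter or a user-writable directory are flagged for review; that flag list is a constructed heuristic, not something the post defines. It assumes an elevated Windows PowerShell 5.1 or later session on the live host.

```powershell
# Added example (not code from the original post): one-pass sweep of the
# persistence locations the investigation touched. Assumes an elevated
# Windows PowerShell 5.1+ session on the live host.

$RunSubKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Constructed review heuristics: interpreters and user-writable paths that are
# unusual in legitimate autoruns. A hit means "look closer", not "malicious".
$ReviewPatterns = 'powershell', 'pwsh', '\bcmd\b', 'wscript', 'cscript', 'mshta',
                  'rundll32', 'regsvr32', '\.bat\b', '\.vbs\b', '\.ps1\b',
                  '\\Users\\', '\\Temp\\', 'AppData', 'ProgramData', '\\Public\\'

# Get-ItemProperty adds these provider properties; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-Sid([string]$Sid) {
    # Map a hive name such as S-1-5-21-... to DOMAIN\user; non-SID hives (.DEFAULT) fall through.
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function New-Entry($Source, $Location, $Name, $Command) {
    [pscustomobject]@{ Source = $Source; Location = $Location; Name = $Name; Command = [string]$Command }
}

function Get-RunKeyEntries {
    # HKEY_USERS has no default PSDrive, so map one; HKLM: already exists.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $roots = @(@{ Path = 'HKLM:'; Who = 'Machine' })
    foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
        $roots += @{ Path = "HKU:\$($hive.PSChildName)"; Who = Resolve-Sid $hive.PSChildName }
    }
    foreach ($root in $roots) {
        foreach ($sub in $RunSubKeys) {
            $key = Join-Path $root.Path $sub
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($valueName in $props.PSObject.Properties.Name) {
                if ($valueName -in $ProviderProps) { continue }
                New-Entry 'RunKey' "$key ($($root.Who))" $valueName $props.$valueName
            }
        }
    }
}

function Get-StartupCommandEntries {
    foreach ($s in Get-CimInstance -ClassName Win32_StartupCommand) {
        New-Entry 'StartupCommand' "$($s.Location) ($($s.User))" $s.Name $s.Command
    }
}

function Get-ScheduledTaskEntries {
    # Every state on purpose: a Running task may be the one that launched the implant,
    # and a Disabled task can be re-enabled later; filtering on 'Ready' hides both.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # skip COM-handler actions
            New-Entry 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) [$($task.State)]" `
                      $task.Author ("$($action.Execute) $($action.Arguments)".Trim())
        }
    }
}

function Get-PersistenceSweep {
    $entries = @(Get-RunKeyEntries) + @(Get-StartupCommandEntries) + @(Get-ScheduledTaskEntries)
    foreach ($e in $entries) {
        $hits = @($ReviewPatterns | Where-Object { $e.Command -match $_ })
        $e | Add-Member -NotePropertyName Flags -NotePropertyValue ($hits -join ',') -PassThru
    }
}

# Flagged entries first; everything else follows so nothing is silently dropped.
Get-PersistenceSweep |
    Sort-Object { $_.Flags -eq '' }, Source |
    Format-Table Source, Location, Name, Command, Flags -AutoSize -Wrap
```

Reading HKEY_USERS directly only covers hives that are currently loaded, which is the same limitation the WMI view has; for users who are not logged on, the NTUSER.DAT of each profile has to be loaded or parsed offline. The Flags column is deliberately noisy (a legitimate PowerShell-based autorun will be flagged too); its purpose is to order the review, and an entry such as a .bat file in a user's Run key would appear at the top with both the .bat and the hive owner visible.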

10 Minimalist Lessons From Marcus Aurelius

How to combine Marcus’ Stoic teachings with modern minimalism

Picture by Bradley Weber / Flickr

“Very little is needed to make a happy life, it is all within yourself, in your way of thinking.”

Not many ancient philosophers influence modern thinking quite like Marcus Aurelius.

Roman Emperor between AD 161 and 180, Aurelius’ writings nowadays illustrate the deep-rooted connection between Stoicism and minimalism.

Marcus Aurelius never had it easy. His small stature and fragile health made him an unlikely candidate for the Roman throne and his tenure started badly.

Wars, invasions, and chronic pain nearly ended Aurelius’ reign before it had gotten off the ground.

The future master of perception needed to get his focus right, or else he would be replaced.

Adept in Greek philosophy, Marcus’ adverse situation led him to Stoicism.

Originally a Hellenistic school of philosophy, the birth of Stoicism is nowadays credited to Zeno of Citium who lived in the 3rd century BC.

So, what is Stoicism and how does it coincide with minimalism?

In very simple terms, Stoicism focuses on how we interpret events — not the events themselves.

In this vein, Aurelius learned how to bundle his energy in the right areas by controlling his thoughts and emotions.

This is where Stoicism and minimalism go hand in hand.

His Stoic training allowed him to see each obstacle as an opportunity — forging a legacy as one of the greatest Roman emperors in the process.

Thanks to his achievements, he became known as the last of the “Five Good Emperors”.

He was preceded by Nerva, Trajan, Hadrian, and Antoninus Pius, all of whom oversaw stunning growth and prosperity.

Aside from his success at the helm of the Roman Empire, Marcus Aurelius changed the world with Meditations.

Originally meant as a series of personal notes, Meditations became the reference for Stoicism as a way of thinking.

1. Obstacles are opportunities

Marcus mastered the art of turning every obstacle into an opportunity. Nothing was universally negative in his mind.

In this vein, every hardship has at least one positive aspect.

Utilizing this positive element — be it minuscule — is the key to creating a new opportunity.

Reflecting minimalism in ancient philosophy, this Stoic point is perfectly compatible with an essentialist mindset.

Whatever your situation may be, look for the positives and concentrate your energy on turning them into opportunities.

You may struggle financially right now. You are forced to live in a cramped space with two roommates because NYC rents are insane.

Instead of moaning about your lack of space, see what you can learn from this experience.

You’ll have the opportunity to improve your organizational adroitness as well as your social skills.

Take this predicament as a chance — the chance to become better at space management and to handle different personalities in a tight area.

2. Don’t spend time worrying about what people think of you

The “philosopher emperor” was always mindful of his own impediments.

Never the healthiest, he knew that both his body and his mind had limited energy to work with.

This made him wary of spending time with the wrong people.

“Your energy and time are both limited, so don’t waste them on what those inconsequential to your life are doing, thinking, and saying.”

In true minimalist fashion, toxic relations, as well as frivolous acquaintances, don’t deserve our attention.

Accordingly, our limited time and energy should be directed toward helpful, supportive, and appreciative people — not the ones holding us back.

3. Focus on the present

As Marcus says: “each of us lives only now, this brief instant. The rest has been lived already, or is impossible to see.”

This statement emphasizes the importance of the present. In this sense, Stoicism is all about training your current perceptions.

Marcus goes on to state that nothing is won by separating your mind and body in time.

In simple terms: the only moment that matters is now. The future is unknown and the past cannot be changed.

Reiterated by modern business icons as well as most minimalist thinkers, Marcus’ prioritization of the present is a major aspect of both Stoicism and minimalism.

4. You are the architect of your own perceptions

One of the most timeless lessons from philosopher Marcus Aurelius is the magnitude of your own perceptions.

“You have the power over your mind — not outside events. Realize this and you will find strength.”

Meditations is built on the premise that nature and the universe are fundamentally unalterable.

Consequently, we as humans have no control over what happens outside of our own sphere of influence.

Outside events occur in a completely neutral way — to the universe. To us, they are either positive or negative.

This is where the art of mastering your perceptions comes in.

We cannot stop negative things from happening to us — they are essentially inevitable.

We can, however, train our way of dealing with them.

In simple terms, we do not control events, we only control our reactions.

As an example, a breakup is always a tough situation.

Let’s say you have been together with your partner for 4 years and you broke up for one reason or another.

In Marcus’ mind, the universe doesn’t care about your breakup. You might feel sadness, disappointment, or regret, but these feelings only exist in your mind.

While the Emperor doesn’t advocate suppressing all forms of emotions, he favors taming them.

In the spirit of Stoicism, your emotions should be accepted until your mind decides to overpower them.

5. Never stop progressing

Like many ancient philosophers, Marcus Aurelius dreaded the prospect of monotony.

His whole life was a journey and he never felt complete — neither in his work nor as a person.

Written in Ancient Greek during the last 10 years of his life, Marcus’ notes were never intended to be published. He was a bit like Da Vinci in this regard.

While he knew that his teachings about Stoicism had a lot of value, he felt that his intellectual evolution was far from over.

This is why the 12 books he wrote — now compiled in Meditations — weren’t officially published until the mid-16th century.

This sense of progression fits well into minimalism and Stoicism — both philosophies require a journey.

Whether it’s the journey to a more meaningful life on your own terms or the quest to become the master of your perceptions, the importance of progress is clear.

6. Value the right things in life and your life will have value

“A person’s worth is measured by the worth of what he values.”

Stoicism and minimalism concur in many ways and especially in the context of prioritization.

If you pursue the wrong values — attention, money, or material possessions — your priorities might need a makeover.

Setting the right priorities can, on the other hand, lead to permanent satisfaction.

Satisfaction is not to be confused with happiness. While happiness is a temporary concept, satisfaction is an achievable status.

Ergo, happiness encompasses brief surges of joy while satisfaction entails a long-lasting state of contentment.

In light of Marcus’ teachings, you have to curate your values. By prioritizing the right things — family, friends, meaningful endeavors, and personal wellbeing — you will find satisfaction and maybe even fulfillment.

7. No goal is out of reach

When it comes to strenuous endeavors, Marcus knows what he is talking about.

“Because a thing seems difficult for you, do not think it impossible for anyone to accomplish.”

In Meditations, Aurelius constantly underlines the importance of believing in oneself.

Mind you, this was written over 2,200 years ago and it sounds like it came straight out of a modern self-help book.

While Marcus Aurelius had to withstand invasions in every corner of the Empire, he transmitted his philosophy to the army — with resounding success.

The leading generals were constantly reminded of Marcus’ Stoic beliefs and managed to keep the Empire together — for the most part at least.

As the Emperor always said: the fact that something seems difficult to you makes it by no means unachievable.

In this sense, the perception of adversity should be transformed into a firm belief in success.

In concrete terms, you might see a certain project — your next job assignment for example — as a difficult task.

Stop thinking about the task’s arduousness and focus your thoughts on the fact that it is — while difficult — very much doable.

8. Be grateful for what you have

Stoicism and minimalism both encourage gratitude in everyday life. Marcus always underlined the importance of recognizing your own mortality.

Memento mori — remember that you are mortal — is, in fact, one of his cardinal principles.

This emphasizes the importance of gratitude. Be grateful for what you have - it will not last.

Everything is temporary and a lack of present rejoicing will lead to unhappiness.

In concrete terms: you might not be where you want to be right now. You might not have everything you desire.

You have, nonetheless, achieved something — even if it’s just the fact of being alive. Whatever you have, express gratitude and relish it.

9. Be a good person rather than thinking about being a good person

While most lessons from philosopher Marcus Aurelius revolve around training your perceptions, his very simple ethos of doing good things should not be overlooked.

Marcus says this with such class that we ought to simply quote: “don’t go on discussing what a good person should be. Just be one.”

One of my favorite parts of the book, this sentence highlights the importance of simple acts of kindness.

In this respect, being kind and honest in everyday life accomplishes more than overthinking what a good person is.

Helping one or two people — even in the most banal way — is ultimately worth much more than an hour-long discussion on how to be “good”.

10. Don’t mistake opinions and preferences for facts

“Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth.”

This strong quote accentuates the fallibility of thoughts and views. Nothing is black and white or unquestionable — there are always different sides.

The news is a classic case in point. Especially in our ultra-rapid, highly globalized world, we tend to mistake media preferences for scientific facts.

As an example: “Climate change is happening now”! You’ve probably heard and read that statement at least 5,000 times in the last 2 years.

Is that a fact? Here is one for you: climate change has been happening for thousands of years and it has been accelerating and intensifying for at least 3 decades.

The first major climate treaty, the Kyoto Protocol, was signed in 1992.

The fact that most media outlets started to magnify their coverage of climate change in the last couple of years has nothing to do with science or urgency.

It is a pure and simple shift of agenda.

While the phrase “climate change is happening now” is not intrinsically wrong, it doesn’t tell the whole story — it depicts the issue from one perspective.

The correct phrase would be: “climate change has been happening for a long time but we started to talk about it now — because it fits our current agenda.” This wouldn’t make a great headline, but it would be a lot more factual.

The lesson here is the following: take every “fact” with a pinch of salt.

Learn how to analyze whether something is an opinion or a real fact. The line between the two is often very thin.

Originally published at https://minimalistfocus.com on January 31, 2020.
