avatarNicole Dake

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

6344

Abstract

lass="hljs-keyword">Get</span>-EventLog -logname security -InstanceId <span class="hljs-number">4720</span> | <span class="hljs-keyword">Select</span>-<span class="hljs-type">Object</span> *</pre></div><figure id="9247"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*1ogBlqZ-7dNeDpNg7baIUw.png"><figcaption></figcaption></figure><p id="fab0">Our initial assumption was accurate. Now, let’s list the privileges held by the <b><i>‘apt’ </i></b>user. Since we already know this user belongs to the Administrator group, we can confirm this by enumerating the admin group.</p><div id="0989"><pre>net localgroup Administrators</pre></div><figure id="31eb"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*n8AmAAO-wgl9guGrSdE1PQ.png"><figcaption></figcaption></figure><p id="2be9">However, the privileges held by the user <b><i>‘apt’</i></b> remain uncertain. To determine their access level, we will employ the Sysinternals tool called <b><i><a href="https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk">accesschk</a>,’</i></b> which will assist us in identifying the extent of access granted to the ‘apt’ user. Go to the respective folder and this file with the below command attribute.</p><div id="f085"><pre>.\accesschk64<span class="hljs-selector-class">.exe</span> apt -<span class="hljs-selector-tag">a</span> *</pre></div><figure id="9f6f"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*kHHnzdbij_wQaZXIosY8sg.png"><figcaption></figcaption></figure><p id="7afb">Indeed, it’s confirmed that the user ‘apt’ possesses full privileges within the operating system. Our next step is to identify any active sessions associated with this user. To acquire this information, we can leverage system commands, Sysinternals tools, or even examine event logs. For now, we’ll opt for the Sysinternals tool ‘<a href="https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon">PsLoggedon</a>,’ which will help us determine any active login sessions.</p><figure id="7a36"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*SFoW2OOgM7DZZyVHPuDfSw.png"><figcaption></figcaption></figure><p id="e60d">This observation reveals that the user ‘apt’ has logged into the victim machine through system shares. To determine the origin of this connection, we can utilize the ‘net’ command to gather more information.</p><div id="d661"><pre>net session</pre></div><figure id="9ac1"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*JApyNvTUPHprvRSnyaJE6A.png"><figcaption></figcaption></figure><p id="0b6d">The observation indicates that the attacker’s machine is identified as <b><i>192.168.0.104</i></b>, and the connection to the victim’s machine remains active, suggesting that the attacker is currently on that system.</p><h1 id="0006">Process and Service Information</h1><p id="3547">Now, let’s extract valuable information from processes and services, as critical data is often concealed there. To gather process information, we have two PowerShell cmdlets at our disposal: ‘Get-Process’ and ‘Get-WmiObject Win32_Process.’ I recommend using ‘WmiObject’ because it provides more comprehensive data compared to the first cmdlet. We will retrieve a list of processes running at the time of the investigation.</p><div id="54a8"><pre><span class="hljs-keyword">Get</span>-WmiObject -<span class="hljs-keyword">Class</span> Win32_Process | <span class="hljs-keyword">select</span> ProcessName, ProcessId,CommandLine</pre></div><figure id="ea4e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*okLiTkQMzF-ji_193xAgCg.png"><figcaption></figcaption></figure><p id="b190">Numerous processes are running, making it challenging to identify anomalies. However, given that user <b><i>VictimA</i></b> has been compromised, we should focus on processes initiated by this user.</p><div id="cca5"><pre>Get-WmiObject -Class Win32_Process | <span class="hljs-built_in">where</span> { <span class="hljs-variable">$_</span>.GetOwner().User -eq <span class="hljs-string">"VictimA"</span> } | <span class="hljs-keyword">select</span> ProcessId, Name, CommandLine</pre></div><figure id="4972"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*sh5NIGAVwx9SSsyg5ED1bg.png"><figcaption></figcaption></figure><p id="66f7">We noticed that some processes initiated by user <b><i>VictimA</i></b> appear suspicious based on their command lines. Let’s investigate the parent-child relationships for these processes using its Process ID.</p><div id="3dd1"><pre><span class="hljs-keyword">Get</span>-WmiObject -<span class="hljs-keyword">Class</span> Win32_Process | <span class="hljs-keyword">where</span> processid -<span class="hljs-keyword">In</span> <span class="hljs-number">7036</span>,<span class="hljs-number">5892</span>,<span class="hljs-number">5776</span>,<span class="hljs-number">9112</span>,<span class="hljs-number">7912</span>,<span class="hljs-number">460</span>,<span class="hljs-number">8864</span> | <span class="hljs-keyword">select</span> ParentProcessId,ProcessId, Name, CommandLine</pre></div><figure id="1b1a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*5CeYdOtVvcy4bDPKdmxXbA.png"><figcaption></figcaption></figure><p id="ddaa">It has been observed that the <b><i>‘ad.bat’</i></b> file executed a PowerShell command. The purpose of this command was to download a PowerShell script and run it, specifying an IP address and port number as attributes. This suggests that the PowerShell script was designed to establish a reverse connection as part of an attack. The reference image is given from Process Explorer.</p><figure id="aaaa"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*fNdvmFTnbrtYE9MBTCAvdQ.png"><figcaption></figcaption></figure><p id="c8d3">Now that we have collected a significant amount of information about the suspicious processes, let’s shift our focus to the services, where we might find valuable insights. We will gather a list of all actively running services.</p><div id="6cfd"><pre>Get-WmiObject -<span class="hljs-keyword">class</span> <span class="hljs-title class_">Win32_service</span> |<span class="hljs-title">where</span> <span class="hljs-title">State</span> -<span class="hljs-title">eq</span> '<span class="hljs-title">Running</span>'| <span class="hljs

Options

-title">select</span> <span class="hljs-title">name</span>,<span class="hljs-type">processid</span>,<span class="hljs-type">status</span>,<span class="hljs-type">started</span>,<span class="hljs-type">state</span>,<span class="hljs-type">pathname</span></pre></div><figure id="1a9a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*WVIZinER8JAbBjd-6vzfgg.png"><figcaption></figcaption></figure><p id="7bd7">No suspicious findings so far, but I’d like to take a closer look at the running services associated with the Process IDs we identified during our process investigation.</p><div id="2ff9"><pre>Get-WmiObject -<span class="hljs-keyword">class</span> <span class="hljs-title class_">Win32_service</span> |<span class="hljs-title">where</span> <span class="hljs-title">State</span> -<span class="hljs-title">eq</span> '<span class="hljs-title">Running</span>' |<span class="hljs-title">where</span> <span class="hljs-title">processid</span> -<span class="hljs-title">In</span> 7036,<span class="hljs-type">5892</span>,<span class="hljs-type">5776</span>,<span class="hljs-type">9112</span>,<span class="hljs-type">7912</span>,<span class="hljs-type">460</span>,<span class="hljs-type">8864|</span> <span class="hljs-title">select</span> <span class="hljs-title">name</span>,<span class="hljs-type">processid</span>,<span class="hljs-type">status</span>,<span class="hljs-type">started</span>,<span class="hljs-type">state</span>,<span class="hljs-type">pathname</span></pre></div><figure id="4c35"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*6CV3yOovqZM7JUBwaHnxYA.png"><figcaption></figcaption></figure><p id="49a9">Nothing suspicious was observed!!</p><h1 id="7870">Network Information</h1><p id="f2ac">As we’re aware of the reverse connection, our next step is to confirm its presence or establishment. To achieve this, we will utilize the <b><i>‘netstat</i></b>’ utility. Our first action is to retrieve a list of all connections.</p><figure id="786e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*Ap9HOX5ljV59a3JvaZHSVQ.png"><figcaption></figcaption></figure><p id="11b0">Now, we’ll inspect the established connections and identify their owners. In our particular instance, we noted a connection on port 4444, and it’s associated with PowerShell, which is indicated by the PID 7912. This confirmation implies that a Command and Control session has been established on <b><i>192.168.0.108</i></b>.</p><figure id="0027"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*z-wRQ1UG_jCLSdxaYQPCdw.png"><figcaption></figcaption></figure><p id="b7dd">We’ll now examine the nature of communication between the compromised machine and the C2C server, which typically functions as a Master-Slave relationship. To inspect this interaction, we’ll employ Wireshark</p><figure id="5026"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*a_g9T6ZW98cMgq_iPdOznA.png"><figcaption></figcaption></figure><h1 id="c47c">Autorun and schedule task information</h1><p id="ab11">As we approached the final phase of our live forensics on the Windows machine, our attention was drawn to the C2C (Command and Control) connection, where the server was attempting to add a .bat file to the registry to establish persistence on the system. Before delving into the registry path, we conducted a preliminary check to see if any applications were located in the startup locations. Unfortunately, we did not discover any malicious applications in these areas.</p><figure id="bf7a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*1_Ng1FqB8eP4KK8XE_jOxA.png"><figcaption></figcaption></figure><p id="43dd">At this point, our attention is directed towards the startup commands within the registry. We’ve noticed that a registry key has been added, and the associated file is named “sd.bat.”</p><div id="93c4"><pre>gwmi <span class="hljs-title class_">Win32</span>_StartupCommand</pre></div><figure id="2a07"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*6C5wTI9ysapfJD6q5WY_OA.png"><figcaption></figcaption></figure><p id="3a9e">We’ll make an effort to gather more detailed information regarding this specific startup location to gain deeper insights into the activity. This confirms that the activity recorded in network forensics has been successfully executed, and persistence has been maintained.</p><div id="f52f"><pre>gwmi Win32_StartupCommand | <span class="hljs-keyword">where</span> name -eq <span class="hljs-string">"APT"</span> | <span class="hljs-keyword">select</span> *</pre></div><figure id="8544"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*lfQO-8KyGLRyWen8Hg44-g.png"><figcaption></figcaption></figure><p id="bdef">We will now check if any other persistence activity has been observed via scheduled tasks. Unfortunately, no suspicious activity has been found.</p><div id="0fac"><pre><span class="hljs-keyword">Get</span><span class="hljs-operator">-</span>ScheduledTask <span class="hljs-operator">|</span> <span class="hljs-keyword">where</span> state <span class="hljs-operator">-</span>eq <span class="hljs-string">'Ready'</span></pre></div><figure id="cfb5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*EihxglbQgcwtDh4rC5VPbQ.png"><figcaption></figcaption></figure><h1 id="51e5">Indicator of Attack</h1><p id="f3aa">- New user APT has been created — <b>Initial Access (T1078.003)</b>

  • User APT added to the admin group — <b>Privilege Escalation (T1098)</b>
  • The user ‘APT’ has logged into the victim’s machine using network services from the IP address 192.168.0.104 — <b>Lateral Movement (T1021.002)</b>
  • PowerShell commands were executed from a batch file, with the aim of downloading a PowerShell script and running it, providing an IP address and port number as inputs. This indicates the establishment of a reverse shell. — <b>Execution (T1059)</b>
  • I noticed a batch file added to HKU<user>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, indicating that this file will be executed upon user VictimA’s login. — <b>Persistence (T1547.001)</b></p><h1 id="afc0">Conclusion</h1><p id="3dda">The process we’ve discussed in this blog is not exhaustive, and there are other artifacts that can also be observed. We’ll aim to cover those in the next blog.</p></article></body>

Why I Stopped Having my Mother Babysit

Even if you need help, sometimes you can’t rely on the people in your life

Photo by Christian Bowen on Unsplash

Everyone needs a village to raise a child, but what do you do when that village is toxic for everyone living there?

When I got divorced, I lived in an apartment for a while, but ended up moving back in with my mom for a while to help save money. At the same time, my mom would pick my daughter up from school and babysit her for a couple of hours after school, until I got home from work.

My mom still charged me the same amount for babysitting that she had when I was married, even though she only had my daughter half the time. I never said anything about it, because I thought my daughter was well cared for.

I never even said anything when she started babysitting another family member’s kids for the same price. For two kids, all the time. My sister, she never charged for babysitting at all. But that was my sister.

When my mom took my niece’s side over my daughter’s in arguments between the two, I still never said anything to my mom. I just did my best to intervene when I was there and to mitigate the damage to my daughter. My niece was younger. Everyone caters to a baby.

Finally though, something happened that made me put it all to a stop.

What Went Down

After my sister’s college graduation, my mom had a bunch of people over to her house for a party.

Apparently, sometime during the party, my daughter told my mom that she had head lice. She had had it before so she knew.

My mom made my daughter go in the shower to comb the lice out of her hair by herself. She didn’t help her. She didn’t even come get me to help her, and I was home.

The next day, my mom actually bothered to tell me, once I had gotten home from work. I went to get more lice shampoo. Then, in the parking lot of the store I had a meltdown.

I couldn’t think of looking my mother in the face again.

I called my ex-husband and asked him to go pick up Atlantis from my mom’s house, so that she would be taken care of for a few days so I could find a new place.

When Atlantis stayed at her dad’s house, his neighbor picked her up from school. I made a deal with him to get her picked up by the neighbor on my days too, so I wouldn’t need to rely on my mom anymore.

Since my ex and I had a recent and fairly hostile divorce, it wasn’t the easiest call to make.

A few days later, my mom called me to ask me to come back and comb lice out of her hair.

I should have told her that if my 10 year old daughter could do it herself, so could she as an adult. But I didn’t. I went to help her.

I didn’t move back in though, or ever let her babysit my daughter again.

When Your ‘Village’ is Toxic

As a single mom, I didn’t really have people jumping out of the woodwork to help me with my daughter. I went through hard times basically on my own, without much help.

Sometimes, when we are faced with the idea of not having help, we will accept it from anyone in the vicinity. In this case, for me, that was my mother.

However, you don’t always have to accept this substandard help just because it is all that is available for you. There is other help out there if you are willing to look hard enough for it.

In most cities and towns, there are afterschool programs for kids. Many are available at schools or churches, and will help you with free or reduced rates if you are low-income.

If your children are younger, there are programs like Head Start available that can keep your kids all day, again for free or reduced rates.

If you are anything like me, and struggling with family care that isn’t working out the way that you had hoped, you may want to consider looking into this type of option.

❤ Nicole

Be well until next time my friends.

Did you like this article? Follow me for more! I am also on social media.

Facebook | Instagram | Twitter | YouTube

More parenting articles you may like:

You can also become a Medium member with my link for only $5 per month.

I am the author of “Trauma Survivor’s Guide to Coping With Panic Attacks” and “Happy. Healthy. Rich. The smart mom’s guide to living your best life” on Amazon.

Motherhood
Parenting
Single Moms
Childcare
Moms
Recommended from ReadMedium