In this case, we will look into how we can use LLMNR to poisoning to get the hash for a specific user and crack that in order to gain access. We have a domain called master.loc where the domain controller is dc1. The client workstation is client1. LLMNR is a protocol which is used to discover any hosts present in the network. In our scenario, we will try to access a fileserver called wow.
init If you want to find out which executable were executed on a workstation in windows it is bit tricky to find. There are some ways you can detect that. In this post we will look into PowerForensic powershell scripts to check some of its features. PowerForensic After you download and import the script, you will see the following commands available to the system. Remember to run the powershell as Administrator Below we can see that we can get last execution time for a specific application.
init Lets try to exploit the yet-another-windows-vulnerability known as CVE-2023-38146 aka ThemeBleed. To do that we need to create the theme file which will consist of “path” from where the payloads will be delivered. Please note that as per my testing, the command execution only happens if both the SMB server and the theme file is in the same machine. Pulling dll(s) from remote system appears not to work. In the attacker machine, you will need to disable the SMB by disabling the Server service from the services.
init In the previous post 1 we have installed osquery and seen how it works. In the writeup, we will try to match a yara rule with one of the file we will create to understand how it wall works. Now we will make a directory in the home directory called yara-rules in that directory you will need two files. The contents of those files are given below: $ cat ~/yara-rules/example1.
init The primary objective of this writeup is to check if an attacker can use this technique to bypass UAC and gain additional privilege ONLY using Command / Powershell window got from a Reverse Shell. User Account Control (UAC) in Windows is a “feature” (do not know how to attribute it) which can be used to prevent a user from making unwanted changes into the system. When running a application in a privileged permission, Windows asks the user if the action is actually legit.
In the last writeup we were able to generate logs based on file change. But that does not help us much because we again have to monitor every single machine in the environment manually which is impossible. It is certainly better if we can centralize all the logs into a single dashboard. As ELK one of the common tool to search and visualize data, we can transfer logs using Logstash to Elastic and eventually view them in Kibana dashboard.
In this article we will look into how we can use osquery to check the integrity of the filesystem of FIM. FIM is File Integrity Monitoring which monitors the changes in the filesystem. Usually when a attacker is inside a victim’s machine, the victim will certainly will try to download some scripts/programs to the victims machine so that the attacker can perform privilege escalation. This is valuable if you are searching for movement of any adversary in a system.
- OLDER POSTS
- page 1 of 5