Austin DFIR Training (Feb 2020): Remote Access & Agent Deployments
Facilitator: Chris Gerritz (Infocyte)
Validating integrity via live forensic analysis of a set of hosts
Getting Remote Access
Situation:
• The network is compromised, but you have no tools, sensors, or access on the endpoints/servers.
Possible Solutions:
• Deploy and execute a temporary collector
• Agentless collection
  – SSH
  – PowerShell Remoting
  – WMI
• Deploy/install an agent
  – GPO startup script
  – Existing RMM tool (Intune, SCCM, Kaseya, Atera, etc.)
Built-In Remote Management (Agentless)
By Chris Gerritz (Infocyte)
SSH
Description:
Secure Shell: the standard remote shell for Linux (and other Unix-like) platforms.
Use SCP (or SFTP) over SSH to transfer files.
Availability:
- Installed by default on most Linux distributions
Mechanism | Ports | OS | Availability
SSH | TCP 22 | Linux | Ubiquitous
Authentication:
- Password
- Public key
- Key + sudo password
Capability:
File Transfer (using SCP) | YES
Execution | YES
# sudo syntax (-t allocates a tty so sudo can prompt for the password) #
ssh -t user@hostname 'sudo command1 arg1 arg2'
# su syntax (quote the whole su command, or the local shell strips the inner quotes and su takes arg1 as a user name) #
ssh user@hostname 'su -c "/path/to/command1 arg1 arg2"'
# RHEL/CentOS specific #
ssh user@nas01 'su --session-command="/path/to/command1 arg1 arg2"'
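The one-liners above run one command on one host. The following is an added example (not from the original deck) of the same SSH/SCP pattern applied to a set of Linux hosts: push a collector with scp, verify its SHA256 on the far side, run it with sudo, and collect the exit code. It is written for PowerShell 7 (cross-platform) driving the native OpenSSH client, to keep one language across the examples on this page. Assumptions not on the slide: key-based authentication with `$KeyFile`, an account with sudo rights, a collector binary at `$Collector`, and a hypothetical `--output` flag on that collector.

```powershell
# Added example, not from the original deck: push a collector to several Linux hosts with scp,
# verify its SHA256 on the far side, and run it with sudo, from PowerShell 7 driving the native
# OpenSSH client. Assumptions not on the slide: key-based auth with $KeyFile, an account with
# sudo rights, a collector at $Collector, and a hypothetical '--output' flag on that collector.

$Hosts     = @('10.0.0.21', '10.0.0.22')        # constructed sample hosts
$User      = 'ir'                                # assumed account
$KeyFile   = "$HOME/.ssh/ir_ed25519"             # assumed private key
$Collector = './collector-linux-x64'             # assumed local path to the collector
$Remote    = '/tmp/collector'

# Hash once locally; the remote copy must match before anything executes as root.
$hash = (Get-FileHash -Path $Collector -Algorithm SHA256).Hash.ToLower()

# BatchMode=yes makes ssh/scp fail immediately instead of prompting when the key is rejected,
# so one bad host does not hang a loop over hundreds of them.
$sshOpts = @('-i', $KeyFile, '-o', 'BatchMode=yes', '-o', 'ConnectTimeout=10')

foreach ($h in $Hosts) {
    & scp @sshOpts $Collector "$User@${h}:$Remote"
    if ($LASTEXITCODE -ne 0) { Write-Warning "$h : scp failed (exit $LASTEXITCODE)"; continue }

    # One remote shell command line: verify the hash, make it executable, run it with sudo,
    # then delete it whatever happened and report the collector's exit code.
    # 'sudo -n' fails rather than prompting; if the account needs a sudo password use
    # 'ssh -t ... sudo' as on the slide and drop BatchMode.
    $remoteCmd = "echo '$hash  $Remote' | sha256sum -c --status && chmod 0700 $Remote && sudo -n $Remote --output /tmp/collect.log; rc=`$?; rm -f $Remote; exit `$rc"
    & ssh @sshOpts "$User@$h" $remoteCmd
    [pscustomobject]@{ Host = $h; ExitCode = $LASTEXITCODE }
}
```

The hash check runs on the target, not the responder's box, so a file altered in transit or swapped in `/tmp` between the copy and the `sudo` never executes with root rights.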
PowerShell Remoting
Description:
Modern remote shell for Windows, carried over WinRM (WS-Management).
Availability:
- Installed by default on Windows 7+ (PowerShell 2.0)
- PowerShell Remoting must be enabled: via GPO on a domain, or with Enable-PSRemoting locally
- PowerShell Core (pwsh 6.0+) is cross-platform and can also remote over SSH on all platforms
Mechanism | Ports | OS | Availability
PowerShell via WinRM | TCP 5985 (HTTP) or TCP 5986 (HTTPS) | Windows | Common on TCP 5985
pwsh (Core) via SSH | TCP 22 | Windows, Linux, macOS | Zero (new in 2019)
Capability:
File Transfer (Copy-Item -ToSession, PS 5.1+ ONLY) | YES
Execution | YES
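An added example (not from the original deck) of using WinRM for both capabilities in the table: open a session to each host, push the collector through that session with `Copy-Item -ToSession` (no SMB share needed), verify its hash on the host, run it, and bring back the exit code. Assumptions not on the slide: a collector at `$CollectorPath`, hosts listening on TCP 5985 (or 5986 with `-UseSSL`), a `$Credential` that is a local administrator on each host, and a hypothetical `--output` flag on the collector.

```powershell
# Added example, not from the original deck: stage a collector on a list of Windows hosts over
# WinRM and run it, with no SMB share involved. Assumptions not on the slide: a collector at
# $CollectorPath, hosts listening on TCP 5985 (or 5986 with -UseSSL), a $Credential that is a
# local administrator on each host, and a hypothetical '--output' flag on the collector.

param(
    [string[]]     $Targets       = @('10.0.0.5', '10.0.0.6'),   # constructed sample hosts
    [string]       $CollectorPath = 'C:\ir\collector.exe',       # assumed local path
    [switch]       $UseSSL,                                      # TCP 5986 instead of 5985
    [pscredential] $Credential    = (Get-Credential)
)

# Pin the collector's hash before anything leaves this box: a tampered copy on the far side
# (or a file an intruder swapped in C:\Windows\Temp) must never be executed.
$expectedHash = (Get-FileHash -Path $CollectorPath -Algorithm SHA256).Hash
$remotePath   = 'C:\Windows\Temp\collector.exe'
$port         = if ($UseSSL) { 5986 } else { 5985 }

foreach ($target in $Targets) {
    # Cheap listener check first; a closed port means WinRM is not enabled or a firewall is in the way.
    if (-not (Test-NetConnection -ComputerName $target -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        Write-Warning "$target : TCP $port closed or filtered"
        continue
    }

    $session = $null
    try {
        $session = New-PSSession -ComputerName $target -Credential $Credential -UseSSL:$UseSSL -ErrorAction Stop

        # Copy-Item -ToSession (PowerShell 5.x) pushes the file through the existing WinRM
        # channel, which is the file-transfer capability the slide's table refers to.
        Copy-Item -Path $CollectorPath -Destination $remotePath -ToSession $session -Force -ErrorAction Stop

        $result = Invoke-Command -Session $session -ArgumentList $remotePath, $expectedHash -ScriptBlock {
            param($path, $hash)
            $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            if ($actual -ne $hash) {
                Remove-Item -Path $path -Force
                throw "hash mismatch on $($env:COMPUTERNAME): got $actual"
            }
            # Run synchronously and return the exit code; the collector's own output goes to a log
            # file on the host, which can be pulled back later with Copy-Item -FromSession.
            $proc = Start-Process -FilePath $path -ArgumentList '--output', 'C:\Windows\Temp\collect.log' -Wait -PassThru -NoNewWindow
            [pscustomobject]@{ Host = $env:COMPUTERNAME; ExitCode = $proc.ExitCode }
        }
        $result | Select-Object Host, ExitCode
    }
    catch {
        Write-Warning "$target : $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession $session }
    }
}
```

Because the session is reused for the copy, the hash check and the execution, a host that fails any step is reported and skipped without stalling the rest of the list, and `Remove-PSSession` in `finally` keeps stale sessions from piling up on the targets.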
Windows Management Instrumentation (WMI)
Description:
A set of interfaces and methods for managing Windows systems.
Use `wmic process call create` (the Win32_Process Create method) to execute a binary.
File transfer is not available, so stage the binary over SMB (e.g. an admin share) or a common file share first.
Availability:
- Installed by default on Windows XP+
- Non-domain-joined systems deny remote access to local accounts by default (UAC token filtering)
Mechanism | Ports | OS | Availability
WMI via RPC/DCOM | TCP 135 + dynamic port (TCP 49152-65535 on Vista+) | Windows | Ubiquitous
Capability:
File Transfer | NO
Execution (Win32_Process Create) | YES
# cmd syntax (note: credentials on the command line are visible in process listings and shell history) #
wmic /node:10.0.0.5 /user:administrator /password:Pass1 process call create "cmd"
# powershell syntax #
Invoke-WmiMethod -ComputerName 10.0.0.5 -Class Win32_Process -Name Create -ArgumentList "cmd"
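An added example (not from the original deck) that does the two steps the slide describes end to end: stage the binary over an SMB admin share with an explicit credential, then launch it through WMI over DCOM/RPC and interpret the `Win32_Process.Create` return value. It uses the CIM cmdlets with the DCOM protocol, which traverse the same firewall/DCOM/WMI chain as `wmic` and `Invoke-WmiMethod`. Assumptions not on the slide: `$Credential` is a local administrator on the target, the `C$` share is reachable on TCP 445, and the collector takes a hypothetical `--output` flag.

```powershell
# Added example, not from the original deck: stage a binary over SMB, then launch it through
# WMI (Win32_Process.Create) over DCOM/RPC. Assumptions not on the slide: $Credential is a local
# admin on the target, the C$ share is reachable on TCP 445, RPC (TCP 135 + dynamic port) is
# open, and the collector takes a hypothetical '--output' flag.

$Target      = '10.0.0.5'                 # constructed sample host
$Credential  = Get-Credential
$LocalBinary = 'C:\ir\collector.exe'      # assumed local path
$RemoteDir   = "\\$Target\C$\Windows\Temp"
$RemoteExe   = 'C:\Windows\Temp\collector.exe'

# WMI cannot move files, so stage over the administrative share first. New-PSDrive -Credential
# authenticates the SMB session explicitly rather than relying on whatever token the console holds.
New-PSDrive -Name stage -PSProvider FileSystem -Root $RemoteDir -Credential $Credential -ErrorAction Stop | Out-Null
try {
    Copy-Item -Path $LocalBinary -Destination 'stage:\collector.exe' -Force -ErrorAction Stop
} finally {
    Remove-PSDrive -Name stage
}

# CIM over DCOM is the transport wmic and Invoke-WmiMethod use (TCP 135 + dynamic port), so it
# exercises the same firewall -> DCOM -> WMI -> account chain described in the troubleshooting slides.
$opt = New-CimSessionOption -Protocol Dcom
$cim = New-CimSession -ComputerName $Target -Credential $Credential -SessionOption $opt -ErrorAction Stop
try {
    $r = Invoke-CimMethod -CimSession $cim -ClassName Win32_Process -MethodName Create `
            -Arguments @{ CommandLine = "`"$RemoteExe`" --output C:\Windows\Temp\collect.log" }

    # Win32_Process.Create returns 0 on success; anything else is a WMI/Win32 status code.
    # The new process is detached: no stdout comes back, only its PID, so the collector must
    # write its own output to disk.
    switch ($r.ReturnValue) {
        0       { "Started PID $($r.ProcessId) on $Target" }
        2       { throw 'Access denied: check DCOM launch/activation rights and WMI namespace security' }
        3       { throw 'Insufficient privilege: the account is not an administrator on the target' }
        default { throw "Win32_Process.Create failed with ReturnValue $($r.ReturnValue)" }
    }
} finally {
    Remove-CimSession $cim
}
```

The return-value switch matters in practice: a `ReturnValue` of 2 or 3 is a permissions problem on the far side, not a transport failure, and the troubleshooting slides below apply.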
Remote Scheduled Tasks (schtasks)
Description:
Interacts with the Task Scheduler on remote systems.
Create a run-once task to execute a binary/command (it can run as SYSTEM via /RU).
File transfer is not available, so stage the binary over SMB or a common file share first.
Availability:
- Installed by default on Windows XP+
- Non-domain-joined systems deny remote access to local accounts by default (UAC token filtering)
Mechanism | Ports | OS | Availability
schtasks via RPC | TCP 135 + dynamic port (TCP 49152-65535 on Vista+) | Windows | Ubiquitous
Capability:
File Transfer | NO
Execution (run-once task) | YES
# cmd syntax #
schtasks /Create /S 10.0.0.5 /RU "SYSTEM" /U administrator /P Pass1 /SC ONCE /TN MYTASKNAME /ST 00:00 /F /TR "c:\temp\MyProgram.exe"
schtasks /Run /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME
schtasks /Delete /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME /F
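An added example (not from the original deck) of the create / run / delete sequence above using the ScheduledTasks cmdlets over a CIM session, which adds what the three `schtasks` lines cannot easily give you: waiting for the task to finish, reading the collector's exit code, and guaranteed cleanup. Assumptions not on the slide: the binary is already staged at `$RemoteExe` (over SMB, as the slide says), `$Credential` is a local administrator, RPC is open, and the collector takes a hypothetical `--output` flag.

```powershell
# Added example, not from the original deck: run a staged binary once as SYSTEM through the
# Task Scheduler on a remote host, wait for it, read its exit code, and remove the task.
# Assumptions not on the slide: the binary is already at $RemoteExe (staged over SMB),
# $Credential is a local admin, RPC (TCP 135 + dynamic port) is open, and the collector takes
# a hypothetical '--output' flag.

$Target     = '10.0.0.5'                                    # constructed sample host
$Credential = Get-Credential
$RemoteExe  = 'C:\Windows\Temp\collector.exe'               # assumed staged path
$TaskName   = 'IR-Collect-' + (Get-Date -Format 'yyyyMMddHHmmss')   # unique, easy to find in logs

# The ScheduledTasks cmdlets talk to the remote scheduler over a CIM session (the same RPC path
# as schtasks.exe /S); DCOM is chosen here to mirror the slide's transport.
$cim = New-CimSession -ComputerName $Target -Credential $Credential `
          -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
try {
    $action    = New-ScheduledTaskAction -Execute $RemoteExe -Argument '--output C:\Windows\Temp\collect.log'
    # SYSTEM with the ServiceAccount logon type is what /RU "SYSTEM" gives you: no password, highest privileges.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # No trigger: the task only runs when started explicitly, which is what /SC ONCE + /Run achieved.
    # The execution time limit stops a hung collector from living on the host indefinitely.
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Hours 1)
    $task      = New-ScheduledTask -Action $action -Principal $principal -Settings $settings

    Register-ScheduledTask -TaskName $TaskName -InputObject $task -CimSession $cim -ErrorAction Stop | Out-Null
    Start-ScheduledTask -TaskName $TaskName -CimSession $cim

    # Poll until the scheduler reports the task is no longer running.
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskName $TaskName -CimSession $cim).State
    } while ($state -eq 'Running')

    # LastTaskResult is the process exit code once the run has completed.
    $info = Get-ScheduledTaskInfo -TaskName $TaskName -CimSession $cim
    [pscustomobject]@{
        Host     = $Target
        Task     = $TaskName
        LastRun  = $info.LastRunTime
        ExitCode = $info.LastTaskResult
    }
} finally {
    # Leave nothing behind for an adversary to reuse or for the next responder to misread.
    Unregister-ScheduledTask -TaskName $TaskName -CimSession $cim -Confirm:$false -ErrorAction SilentlyContinue
    Remove-CimSession $cim
}
```

Registering, starting and deleting the task each produce Task Scheduler operational log entries on the target (with the task name above), which is worth noting in the incident record so your own activity is not later mistaken for the intruder's.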
Service Control Manager (e.g. PsExec)
Description:
Interacts with the Service Control Manager (SCM) on remote systems: a temporary service is created, started, and removed.
Use PsExec to execute a binary/command.
PsExec copies the binary over the ADMIN$ share itself when given -c; otherwise stage it over SMB or a common file share first.
Availability:
- SCM is installed by default on Windows XP+ (PsExec itself is a Sysinternals download)
- Non-domain-joined systems deny remote access to local accounts by default (UAC token filtering)
Mechanism | Ports | OS | Availability
SCM via RPC (PsExec uses the svcctl named pipe over SMB) | TCP 445 (SMB); MS-SCMR is also reachable over TCP 135 + dynamic port | Windows | Ubiquitous
Capability:
File Transfer (-c, over ADMIN$) | YES
Execution (service create) | YES
# cmd syntax #
psexec \\10.0.0.5 -u administrator -p Pass1 cmd
psexec \\10.0.0.5 -u administrator -p Pass1 -c "c:\temp\MyProgram.exe"
GPO Startup Script
Description:
Configures domain-joined systems to run a script at startup (as SYSTEM, before anyone logs on).
Can be used to launch a script or a PowerShell command.
The script is hosted on the Domain Controllers (SYSVOL).
NOTE: GPO Logon Scripts run in the logging-on user's context (unprivileged) and CANNOT be used to install agents; use a Startup script.
Time: 24 hours to a month, depending on Group Policy propagation delays and how often machines reboot.
Availability:
- Ubiquitous in Windows domains
Mechanism | Ports/Protocol | OS | Availability
GPO | LDAP (policy) + SMB (SYSVOL) | Windows | Ubiquitous in Windows domains
Capability:
File Transfer | NO
Execution | YES
# GPO Editor #
Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
GPO Startup Script Setup Instructions
Step 1: Configure the script delay to 120 seconds:
Computer Configuration -> Administrative Templates -> System -> Group Policy
"Configure Logon Script Delay"
Step 2: Set up the command & parameters:
Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
"Scripts"
● Script Name:
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe
● Script Parameters:
-NonInteractive -ExecutionPolicy Bypass -NoProfile -File %~dp0MyPSScript.ps1
%~dp0, when launched on the client, is automatically expanded to the UNC path of the script directory on SYSVOL:
\\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID}\Machine\Scripts\Startup
Reverse Download
Reverse Download Commands
• Many remote management mechanisms and tools do not support file transfer (scripts or executables), or make it awkward
Best Solution:
• Execute a "reverse download" command: the target pulls the file from a location you control
• Any remote execution mechanism can use this
• Caveat: piping DownloadString straight into iex executes whatever comes back; when you can, download to a file, pin its hash (or verify its signature) before running it, and force TLS 1.2 on older hosts
# Powershell Reverse Download & Execute #
(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Infocyte/PowershellTools/master/AgentDeployment/install_huntagent.ps1") | iex
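An added example (not from the original deck, and not Infocyte's install script) that serves both the GPO startup script above (the body of `MyPSScript.ps1`) and the reverse-download one-liner: it pulls the installer to disk, pins its SHA256 and checks its Authenticode signature before running it, logs what it did, and is idempotent so a GPO that lingers for a month does not re-install on every reboot. Assumptions not on the slides: `$InstallerUrl`, `$ExpectedSha256`, the service name and the marker file are placeholders; the signature check presumes the publisher signs the installer (drop that block, keeping the hash pin, if they do not).

```powershell
# Added example, not from the original deck: the body of MyPSScript.ps1 as a GPO startup script
# would run it, or as a "reverse download" launched by any remote-exec mechanism. Unlike the
# DownloadString | iex one-liner it downloads to a file, pins the SHA256 and checks the
# Authenticode signature before anything runs, and is idempotent across reboots.
# Assumptions not on the slides: $InstallerUrl, $ExpectedSha256, $ServiceName and the marker file
# are placeholders; the signature check presumes the publisher signs the installer.

$InstallerUrl   = 'https://deploy.example.internal/agent/install_agent.ps1'   # assumed URL
$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000' # assumed pin
$ServiceName    = 'MyAgent'                                                   # assumed service
$Marker         = "$env:ProgramData\ir\agent-installed.txt"
$Stage          = "$env:ProgramData\ir\install_agent.ps1"
$Log            = "$env:ProgramData\ir\deploy.log"

function Write-Log([string]$Message) {
    $line = '{0:u} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $Log -Value $line -ErrorAction SilentlyContinue
}

# Startup scripts run as SYSTEM on every boot: bail out quickly if the agent is already present.
if ((Test-Path $Marker) -or (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    exit 0
}
New-Item -ItemType Directory -Path (Split-Path $Stage) -Force | Out-Null

try {
    # Older Windows defaults .NET clients to TLS 1.0; force 1.2 so the download is not silently
    # downgraded, then fetch to disk instead of straight into iex.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    (New-Object Net.WebClient).DownloadFile($InstallerUrl, $Stage)

    $actual = (Get-FileHash -Path $Stage -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "hash mismatch: expected $ExpectedSha256 got $actual"
    }
    # A pinned hash stops tampering in transit; a valid signature ties the script to the publisher
    # even if the pin is later rotated by someone with write access to the download location.
    $sig = Get-AuthenticodeSignature -FilePath $Stage
    if ($sig.Status -ne 'Valid') {
        throw "signature status $($sig.Status) from '$($sig.SignerCertificate.Subject)'"
    }

    Write-Log "running installer $InstallerUrl (sha256 $actual)"
    & $Stage
    if ($LASTEXITCODE -and $LASTEXITCODE -ne 0) { throw "installer exit code $LASTEXITCODE" }

    Set-Content -Path $Marker -Value ('installed {0:u} sha256 {1}' -f (Get-Date), $actual)
    Write-Log 'install complete'
}
catch {
    Write-Log "install failed: $($_.Exception.Message)"
    exit 1
}
finally {
    Remove-Item -Path $Stage -Force -ErrorAction SilentlyContinue
}
```

The marker file and the service check together make the script safe to leave linked to the GPO until the deployment is confirmed complete, and the log gives the domain admins one place per host to see whether the startup script ran, was skipped, or failed and why.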
Third Party Tools/Agents
Remote Monitoring & Management (RMM) Tools
Description:
Usually a pre-deployed agent used to manage endpoint configurations.
Most can install packages or execute remote commands.
Sometimes file transfer is not available.
Availability:
- Each company might use a different one.
- No standardization.
Examples:
- SCCM, Intune, Kaseya, Tanium, Atera
Mechanism | Protocol/Ports | OS | Availability
RMM Tool | Varies | Varies | Custom (if installed)
Capability:
File Transfer | SOME
Execution | YES
DevOps Server Configuration Tools
Description:
Either a pre-deployed agent or an orchestration layer driving SSH/WinRM.
Used to configure servers in cloud environments.
Can be configured to install packages or execute remote commands.
Biggest difference from RMM tools: these require development and/or scripting experience.
Availability:
- Each company might use a different one.
- Configuration is code: a Ruby DSL (Puppet, Chef) or YAML (Ansible, SaltStack)
Mechanism | Transport | OS | Availability
Puppet / Chef | Agent-based | Cross-platform | Common in IaaS (cloud)
Ansible / SaltStack (salt-ssh) | Agentless (SSH/WinRM) | Cross-platform | Common in IaaS (cloud)
Capability:
File Transfer | YES
Execution | YES
Troubleshooting
Testing / Troubleshooting RPC
Error: 0x800706BA RPC Server Unavailable
• Possible issues: the Windows Firewall is blocking the connection (TCP 135 or the dynamic port), or the DCOM or WMI service is not running
Error: 0x80070005 Access is denied (by DCOM)
• Possible issue: the user does not have remote launch/activation access to the computer through DCOM (run DCOMCNFG)
WMI Diagnostic Tool (local):
https://www.microsoft.com/en-us/download/details.aspx?id=7684
WBEMTEST (remote):
https://docs.microsoft.com/en-us/configmgr/develop/core/understand/introduction-to-wbemtest
- Microsoft Support
Testing / Troubleshooting RPC (continued)
• RPC-based mechanisms are hard to troubleshoot because several subsystems are involved:
  – Windows Firewall -> RPC/DCOM -> WMI -> account privileges
  – Each subsystem can deny access or fail, so "Access Denied" isn't always what you think it is
Possible Solutions:
• Check account permissions and status (locked out, expired, a local account on a non-domain-joined host)
• Check firewall rules are enabled to allow RPC, DCOM, and/or WMI
• Check the services below are running and set to Automatic
• Check DCOM & WMI permissions (DCOMCNFG; WMI Control -> Security on the namespace)
• If all else fails: repair the WMI repository (winmgmt /verifyrepository, then winmgmt /salvagerepository)
Services:
● DCOM Server Process Launcher (DcomLaunch)
● Remote Procedure Call (RPC) (RpcSs)
● RPC Endpoint Mapper (RpcEptMapper)
● Windows Management Instrumentation (Winmgmt)
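An added example (not from the original deck, and not Infocyte's Test-ICNetworkAccess tool) that walks the chain above layer by layer for one target and reports which mechanisms on this page are usable: listener ports first, then WMI over DCOM with the two HRESULTs from the previous slide decoded, then WinRM on its own auth path, then the state of the four services. It is written for Windows PowerShell 5.1 (`Get-WmiObject` and `Get-Service -ComputerName` were removed in PowerShell 7). Assumptions not on the slides: `$Target` and `$Credential` are yours, and the RPC dynamic range is the Vista+ default.

```powershell
# Added example, not from the original deck and not the Infocyte tool: check each layer the
# troubleshooting slides list (firewall -> DCOM -> WMI -> account) for one target and report
# which remote-access mechanisms are usable. Windows PowerShell 5.1. Assumptions not on the
# slides: $Target and $Credential are yours.

param(
    [string]       $Target     = '10.0.0.5',          # constructed sample host
    [pscredential] $Credential = (Get-Credential)
)

$results = [ordered]@{}

# Layer 1: firewall / listener. A closed port ends the story for that mechanism.
$ports = [ordered]@{ 'SSH' = 22; 'SMB' = 445; 'RPC endpoint mapper' = 135; 'WinRM HTTP' = 5985; 'WinRM HTTPS' = 5986 }
foreach ($name in $ports.Keys) {
    $open = Test-NetConnection -ComputerName $Target -Port $ports[$name] -InformationLevel Quiet -WarningAction SilentlyContinue
    $results["port $($ports[$name]) ($name)"] = if ($open) { 'open' } else { 'closed/filtered' }
}

# Layers 2-4 in one call: DCOM -> WMI -> account. Get-WmiObject surfaces the COM HRESULT the
# slide lists, which tells you which layer refused.
try {
    $os = Get-WmiObject -ComputerName $Target -Credential $Credential -Class Win32_OperatingSystem -ErrorAction Stop
    $results['WMI over DCOM'] = "OK ($($os.Caption))"
}
catch {
    $hr = '0x{0:X8}' -f ($_.Exception.HResult -band 0xFFFFFFFF)
    $results['WMI over DCOM'] = switch ($hr) {
        '0x800706BA' { 'FAIL: RPC server unavailable (firewall on the dynamic port, or RPC/DCOM/WMI services down)' }
        '0x80070005' { 'FAIL: access denied by DCOM (remote launch/activation rights via DCOMCNFG; UAC token filtering if workgroup)' }
        default      { "FAIL: $hr $($_.Exception.Message)" }
    }
}

# WinRM has its own listener and authentication path; test it independently of RPC.
try {
    $null = Invoke-Command -ComputerName $Target -Credential $Credential -ErrorAction Stop -ScriptBlock { $env:COMPUTERNAME }
    $results['PowerShell Remoting (WinRM)'] = 'OK'
}
catch {
    $results['PowerShell Remoting (WinRM)'] = "FAIL: $($_.Exception.Message)"
}

# The services the RPC path depends on: a Stopped or Disabled one explains 0x800706BA even with
# the ports open. This query itself rides the Service Control Manager over RPC/SMB, so it only
# adds information when that path works.
foreach ($svc in 'DcomLaunch', 'RpcSs', 'RpcEptMapper', 'Winmgmt') {
    try {
        $s = Get-Service -ComputerName $Target -Name $svc -ErrorAction Stop
        $results["service $svc"] = "$($s.Status) / $($s.StartType)"
    }
    catch { $results["service $svc"] = "unknown ($($_.Exception.Message))" }
}

$results.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
```

Run it before choosing a deployment mechanism for a host: an open 135 with WMI failing on 0x800706BA points at the dynamic port range or the services, not at credentials, while an open 5985 with WMI failing on 0x80070005 says to use WinRM for that host and fix DCOM permissions later.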
Open Source Network Test Script
Test-ICNetworkAccess
https://github.com/Infocyte/PowershellTools/tree/master/NetworkDiagnostics
• PowerShell tool used to determine which remote access methods are available and whether credentials are configured correctly.
• Run this as a pre-check to verify that remote access will be possible (i.e. firewalls and accounts are configured correctly)
• Also writes its output to a log file
# Powershell Commands #
Install-Module -Name InfocyteNetworkAccess
Test-ICNetworkAccess -Target 10.0.0.1 -Credential (Get-Credential)
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 

DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents

  • 1. Austin DFIR: Remote Access & Agent Deployments. Facilitator: Chris Gerritz (Infocyte)
  • 2. Getting Remote Access
    Situation:
    • Network is compromised but you have no tools, sensors, or access to endpoints/servers
    Possible Solutions:
    • Deploy and Execute Temporary Collector
    • Agentless Collection
      – SSH
      – Powershell Remoting
      – WMI
    • Deploy/Install an Agent
      – GPO Startup Script
      – Use existing RMM Tool (InTune, SCCM, Kaseya, Atera, etc.)
  • 4. SSH
    Description: Remote Secure Shell for Linux platforms. Use SCP via SSH to transfer files.
    Availability:
    - Installed by default on most Linux distros
    Mechanism: SSH | Ports: TCP 22 | OS: Linux | Availability: Ubiquitous
    Authentication: Password; Public Key; Key + Sudo Password
    Capability: File Transfer (using SCP) YES; Execution YES
    # sudo syntax (-t allocates a tty so sudo can prompt for the password) #
    ssh -t user@hostname 'sudo command1 arg1 arg2'
    # su syntax (outer quotes keep the whole su command line together on the remote side) #
    ssh -t user@hostname 'su -c "/path/to/command1 arg1 arg2"'
    # RHEL/CentOS specific #
    ssh -t user@nas01 'su --session-command="/path/to/command1 arg1 arg2"'
  • 5. Powershell Remoting
    Description: Modern Remote Shell for Windows.
    Availability:
    - Installed by default on Windows 7+ (PS 2.0)
    - Powershell Remoting needs to be enabled via GPO on a domain or Enable-PSRemoting locally
    - Powershell Core (Pwsh 6.0+) is cross platform and also has built-in capability for access via SSH on all platforms
    Mechanism: Psh via WinRM | Ports: TCP 5985 (HTTP) or TCP 5986 (HTTPS) | OS: Windows | Availability: Common on TCP 5985
    Mechanism: Pwsh (Core) via SSH | Ports: TCP 22 | OS: Windows, Linux, MacOS | Availability: Zero (new in 2019)
    Capability: File Transfer (PS 5.1+ ONLY) YES; Execution YES
  • 6. Windows Management Instrumentation (WMI)
    Description: A set of access methods and functions to manage Windows systems. Use `wmic process call create` to execute a binary. Transfer is not available, so you'll need to use SMB or a common file share.
    Availability:
    - Installed by default on Windows XP+
    - Non-domain-joined systems deny remote access by default
    Mechanism: WMI via RPC | Ports: TCP 135 + dynamic port (TCP 59152 - 65535) | OS: Windows | Availability: Ubiquitous
    Capability: File Transfer NO; Execution (process call create) YES
    # cmd syntax #
    wmic /node:10.0.0.5 /user:administrator /password:Pass1 process call create "cmd"
    # powershell syntax #
    Invoke-WmiMethod -ComputerName 10.0.0.5 -Class Win32_Process -Name Create -ArgumentList "cmd"
  • 7. Remote Scheduled Tasks (Schtasks)
    Description: Interacts with the task scheduler on remote systems. Use Run Once to execute a binary/command. Transfer is not available, so you'll need to use SMB or a common file share.
    Availability:
    - Installed by default on Windows XP+
    - Non-domain-joined systems deny remote access by default
    Mechanism: Schtasks via RPC | Ports: TCP 135 + dynamic port (TCP 59152 - 65535) | OS: Windows | Availability: Ubiquitous
    Capability: File Transfer NO; Execution (Run Once task) YES
    # cmd syntax #
    schtasks /Create /S 10.0.0.5 /RU "SYSTEM" /U administrator /P Pass1 /SC ONCE /TN MYTASKNAME /ST 00:00 /F /TR "c:\temp\MyProgram.exe"
    schtasks /Run /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME
    schtasks /Delete /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME /F
  • 8. Remote Service Manager (i.e. PSExec)
    Description: Interacts with the Service Control Manager on remote systems. Use PSExec to execute a binary/command. Transfer is not available, so you'll need to use SMB or a common file share.
    Availability:
    - Installed by default on Windows XP+
    - Non-domain-joined systems deny remote access by default
    Mechanism: SCM via RPC | Ports: TCP 135 + dynamic port (TCP 59152 - 65535) | OS: Windows | Availability: Ubiquitous
    Capability: File Transfer YES; Execution YES
    # cmd syntax (-c copies the program to the remote host before running it) #
    psexec \\10.0.0.5 -u administrator -p Pass1 -c "c:\temp\MyProgram.exe"
  • 9. GPO Startup Script
    Description: Configures systems in the domain to run a script on startup. Can be used to launch a script or powershell command. Script is hosted on the Domain Controller.
    NOTE: GPO Logon Scripts CANNOT be used to install agents (unprivileged)
    Time: 24 hours to a month depending on domain propagation delays
    Availability:
    - Ubiquitous in Windows Domains
    Mechanism: GPO | Ports/Protocol: LDAP | OS: Windows | Availability: Ubiquitous in Windows Domains
    Capability: File Transfer NO; Execution YES
    # GPO Editor #
    Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
  • 10. GPO Startup Script Setup Instructions
    Step 1: Configure Script Delay to 120 seconds:
      Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Configure Logon Script Delay"
    Step 2: Setup Command & Parameters
      Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown) -> "Scripts"
      ● Script Name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
      ● Script Parameters: -NonInteractive -ExecutionPolicy Bypass -NoProfile -File %~dp0MyPSScript.ps1
    %~dp0, when launched on the client, is automatically converted to the UNC path of the script directory on SYSVOL:
      \\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID}\Machine\Scripts\Startup
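A template for the MyPSScript.ps1 that the startup GPO above launches, added here as an example; it is not the deck's own script. It assumes an MSI installer placed beside the script in the SYSVOL Startup folder, and the installer file name, marker file and log path are placeholders.

```powershell
# Added example template for MyPSScript.ps1 (not from the slide deck).
# Placeholders: agent_installer.msi, the marker file and the log path.
# PS 2.0 (Windows 7) has no $PSScriptRoot in scripts, so fall back to the invocation path.
$ScriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { Split-Path -Parent $MyInvocation.MyCommand.Path }
$Source    = Join-Path $ScriptDir 'agent_installer.msi'              # placeholder, sits beside the script on SYSVOL
$Local     = Join-Path $env:windir 'Temp\agent_installer.msi'
$Marker    = Join-Path $env:ProgramData 'AgentDeploy\installed.txt'  # placeholder run-once marker
$Log       = Join-Path $env:windir 'Temp\agent_deploy.log'

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

# Startup scripts fire on every boot; the marker keeps the install from repeating.
if (Test-Path $Marker) { Write-Log 'Marker present, nothing to do'; exit 0 }

try {
    # Copy locally first so msiexec (running as SYSTEM) does not depend on the SYSVOL share handle.
    Copy-Item -Path $Source -Destination $Local -Force
    Write-Log "Copied $Source to $Local"

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$Local`" /qn /norestart" -Wait -PassThru
    Write-Log "msiexec exit code $($proc.ExitCode)"
    if ($proc.ExitCode -ne 0) { throw "Installer failed with exit code $($proc.ExitCode)" }

    New-Item -ItemType Directory -Path (Split-Path -Parent $Marker) -Force | Out-Null
    Set-Content -Path $Marker -Value (Get-Date -Format u)
    Write-Log 'Install complete'
}
catch {
    Write-Log "ERROR: $_"
    exit 1
}
finally {
    Remove-Item -Path $Local -Force -ErrorAction SilentlyContinue
}
```

The log file is the first place to look when a host never checks in after the propagation delay the previous slide mentions.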
  • 12. Reverse Download Commands
    • Many remote management mechanisms and tools do not support, or do not make it easy to, transfer files (scripts or executables)
    Best Solution:
    • Execute a Reverse Download Command
    • Any remote execution mechanism can utilize this
    # Powershell Reverse Download & Execute #
    (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Infocyte/PowershellTools/master/AgentDeployment/install_huntagent.ps1") | iex
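A hardened variant of the reverse download pattern above, added as an example (not from the slides or the Infocyte repository): it pins TLS 1.2, saves the script to disk, checks its SHA-256 against a value recorded from a trusted copy, and only then executes it. The URL, the expected hash and the local path are placeholders; Get-FileHash needs PS 4.0+.

```powershell
# Added example: download, verify, then execute, instead of piping straight into iex.
# Placeholders (not from the slides): $ScriptUrl, $ExpectedSha256, $LocalPath.
$ScriptUrl      = 'https://example.invalid/AgentDeployment/install_agent.ps1'   # placeholder URL
$ExpectedSha256 = '<SHA256 OF THE SCRIPT, RECORDED FROM A TRUSTED COPY>'        # placeholder hash
$LocalPath      = Join-Path $env:TEMP 'install_agent.ps1'

# Older hosts default to TLS 1.0; force 1.2 so the download does not silently negotiate down.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Download to disk rather than into memory so the artifact can be hashed and retained for the case.
$client = New-Object Net.WebClient
$client.DownloadFile($ScriptUrl, $LocalPath)

# Compare against the known-good hash; abort on mismatch (tampering, proxy injection, changed upstream file).
$actual = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    Remove-Item -Path $LocalPath -Force
    throw "Hash mismatch for $ScriptUrl`: expected $ExpectedSha256, got $actual"
}

# Execute only after verification, with the same unattended flags the GPO slide uses.
& "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $LocalPath
```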
  • 13. Third Party Tools/Agents (Chris Gerritz, Infocyte)
  • 14. Remote Monitoring & Management (RMM) Tools
    Description: Usually a pre-deployed agent used to manage endpoint configurations. Most can install packages or execute remote commands. Sometimes transfer is not available.
    Availability:
    - Each company might use a different one.
    - No standardization.
    Examples:
    - SCCM, InTune, Kaseya, Tanium, Atera
    Protocol: RMM Tool | Ports: Varies | OS: Varies | Availability: Custom (if installed)
    Capability: File Transfer SOME; Execution YES
  • 15. DevOps Server Configuration Tools
    Description: Either a pre-deployed agent or an interface to SSH/WinRM. Used to configure servers in cloud environments. Can be configured to install packages or execute remote commands. The biggest difference from RMM tools is that these require development and/or scripting experience.
    Availability:
    - Each company might use a different one.
    - Ruby DSL or Python/YAML
    Protocol: Puppet / Chef | Ports: Agent-based | OS: Cross Platform | Availability: Common in IaaS (Cloud)
    Protocol: Ansible / Saltstack | Ports: Agentless (SSH/WinRM) | OS: Cross Platform | Availability: Common in IaaS (Cloud)
    Capability: File Transfer YES; Execution YES
  • 17. Testing / Troubleshooting RPC
    Error: 0x800706BA – RPC Server Unavailable
    • Possible Issues: The Windows Firewall is blocking the connection.
    • DCOM or WMI Service is not running
    Error: 0x80070005 – Access is denied by DCOM
    • Possible Issues: The user does not have remote access to the computer through DCOM. (Run DCOMCNFG)
    WMI Diagnostic Tool (local): https://www.microsoft.com/en-us/download/details.aspx?id=7684
    WBEMTEST (remote): https://docs.microsoft.com/en-us/configmgr/develop/core/understand/introduction-to-wbemtest
    - Microsoft Support
  • 18. Testing / Troubleshooting RPC
    • RPC-based mechanisms are very complex due to multiple subsystem involvement:
      – Windows Firewall -> DCOM -> WMI -> Account Privileges
      – Each subsystem can deny access ("Access Denied" isn't always what you think it is) or fail
    Possible Solutions:
    • Check Account Permissions and Status
    • Check Firewall Rule is enabled to allow RPC, DCOM, and/or WMI
    • Check Services are Running and set to Automatic
    • Check DCOM & WMI Permissions
    • If all fails: WMI Class Rebuild?
    Services:
    ● DCOM Server Process Launcher
    ● Remote Procedure Call (RPC)
    ● RPC Endpoint Mapper
    ● Windows Management Instrumentation
  • 19. Open Source Network Test Script: Test-ICNetworkTest
    https://github.com/Infocyte/PowershellTools/tree/master/NetworkDiagnostics
    • Powershell tool used to determine which remote access methods are available and whether credentials are configured correctly.
    • Run this as a pre-check to verify whether remote access will be possible (i.e. firewalls and accounts are configured correctly)
    • Drops output to a log file as well
    # Powershell Commands #
    Install-Module -Name InfocyteNetworkAccess
    Test-ICNetworkAccess -Target 10.0.0.1 -Credential (Get-Credential)
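An added example, not the Infocyte Test-ICNetworkAccess script, that performs a minimal version of the same pre-check for the subsystems the two troubleshooting slides list: TCP reachability of the RPC, SMB and WinRM ports, a WMI query whose failure is mapped to the two error codes above, and a WinRM identify request. The function name and the port list are my choice.

```powershell
# Added example: minimal remote-access pre-check (not the Infocyte module).
# Assumes $Target is reachable by name or IP and $Credential, if given, is a domain account.
function Test-RemoteAccessPaths {
    param(
        [Parameter(Mandatory)][string]$Target,
        [System.Management.Automation.PSCredential]$Credential
    )
    $result = [ordered]@{ Target = $Target }

    # Port reachability: 135 (RPC endpoint mapper), 445 (SMB, used to stage files), 5985 (WinRM HTTP).
    foreach ($port in 135, 445, 5985) {
        $tcp = New-Object Net.Sockets.TcpClient
        try   { $tcp.Connect($Target, $port); $result["TCP$port"] = $true }
        catch { $result["TCP$port"] = $false }
        finally { $tcp.Close() }
    }

    # WMI over DCOM: map the HRESULT of a failed query to the subsystem named on the troubleshooting slide.
    try {
        $wmiArgs = @{ Class = 'Win32_OperatingSystem'; ComputerName = $Target; ErrorAction = 'Stop' }
        if ($Credential) { $wmiArgs.Credential = $Credential }
        $null = Get-WmiObject @wmiArgs
        $result.WMI = 'OK'
    }
    catch {
        $err = $_                      # keep the error record; $_ is rebound inside switch
        $hr  = $err.Exception.HResult  # signed int32 view of the HRESULT
        $result.WMI = switch ($hr) {
            -2147023174 { 'FAIL 0x800706BA: RPC server unavailable (firewall, or DCOM/WMI service stopped)' }
            -2147024891 { 'FAIL 0x80070005: access denied by DCOM (check DCOMCNFG and account rights)' }
            default     { 'FAIL 0x{0:X8}: {1}' -f $hr, $err.Exception.Message }
        }
    }

    # WinRM: Test-WSMan sends an unauthenticated identify request, so a failure here is transport, not auth.
    try   { $null = Test-WSMan -ComputerName $Target -ErrorAction Stop; $result.WinRM = 'OK' }
    catch { $result.WinRM = "FAIL: $($_.Exception.Message)" }

    [pscustomobject]$result
}

# Usage, mirroring the slide's Test-ICNetworkAccess call:
# Test-RemoteAccessPaths -Target 10.0.0.1 -Credential (Get-Credential) | Format-List
```

A host that shows TCP135 true but WMI failing with 0x800706BA is the classic firewall-blocks-the-dynamic-port case from slide 17.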