Austin DFIR
Remote Access & Agent Deployments
Facilitator: Chris Gerritz (Infocyte)
Austin DFIR - Gerritz (Infocyte)
Validating integrity via live forensic analysis of a set of hosts
Getting Remote Access
Situation:
• Network is compromised but you have no tools, sensors, or access to
endpoints/servers
Possible Solutions:
• Deploy and Execute Temporary Collector
• Agentless Collection
– SSH
– Powershell Remoting
– WMI
• Deploy/Install an Agent
– GPO Startup Script
– Use existing RMM Tool (InTune, SCCM, Kaseya, Atera, etc.)
Built-In Remote Management (Agentless)
By Chris Gerritz (Infocyte)
SSH
Description:
Remote Secure Shell for Linux platforms.
Use SCP via SSH to transfer files.
Availability:
- Installed by default on most linux distros
Mechanism   Ports    OS      Availability
SSH         TCP 22   Linux   Ubiquitous
Authentication
Password
Public Key
Key + Sudo Password
Capability
File Transfer (using SCP) YES
Execution YES
# sudo syntax (-t allocates a tty so sudo can prompt for the password) #
ssh -t user@hostname 'sudo command1 arg1 arg2'
# su syntax (wrap the whole command in single quotes so the inner quotes reach the remote shell; otherwise su treats arg1 as a username) #
ssh -t user@hostname 'su -c "/path/to/command1 arg1 arg2"'
# RHEL/CentOS specific #
ssh -t user@nas01 'su --session-command="/path/to/command1 arg1 arg2"'
Powershell Remoting
Description:
Modern Remote Shell for Windows.
Availability:
- Installed by default on Windows 7+ (PS 2.0)
- Powershell Remoting needs to be enabled via GPO on a domain or Enable-PSRemoting locally
- Powershell Core (Pwsh 6.0+) is cross platform and also has built-in capability for access via SSH on all platforms
Mechanism             Ports                                 OS                      Availability
Psh via WinRM         TCP 5985 (HTTP) or TCP 5986 (HTTPS)   Windows                 Common on TCP 5985
Pwsh (Core) via SSH   TCP 22                                Windows, Linux, MacOS   Zero (new in 2019)
Capability
File Transfer (PS 5.1+ ONLY) YES
Execution YES
Windows Management Instrumentation (WMI)
Description:
A set of interfaces and methods for managing Windows systems.
Use `wmic process call create` to execute a binary.
Transfer is not available so you'll need to use SMB or a common file share.
Availability:
- Installed by default on Windows XP+
- Non-domain-joined systems deny remote access by default
Mechanism     Ports                                         OS        Availability
WMI via RPC   TCP 135 + Dynamic Port (TCP 59152 - 65535)   Windows   Ubiquitous
Capability
File Transfer NO
Execution (process call create) YES
# cmd syntax #
wmic /node:10.0.0.5 /user:administrator /password:Pass1 process call create "cmd"
# powershell syntax #
Invoke-WmiMethod -ComputerName 10.0.0.5 -Class Win32_Process -Name Create -ArgumentList "cmd"
Remote Scheduled Tasks (Schtasks)
Description:
Interacts with the task scheduler on remote systems.
Use Run Once to execute a binary/command.
Transfer is not available so you’ll need to use SMB or a common file share.
Availability:
- Installed by default on Windows XP+
- Non-domain-joined systems deny remote access by default
Mechanism          Ports                                         OS        Availability
Schtasks via RPC   TCP 135 + Dynamic Port (TCP 59152 - 65535)   Windows   Ubiquitous
Capability
File Transfer NO
Execution (run-once task) YES
# cmd syntax #
schtasks /Create /S 10.0.0.5 /RU "SYSTEM" /U administrator /P Pass1 /SC ONCE /TN MYTASKNAME /ST 00:00 /F /TR "c:\temp\MyProgram.exe"
schtasks /Run /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME
schtasks /Delete /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME /F
Remote Service Manager (e.g. PSExec)
Description:
Interacts with the Service Control Manager on remote systems.
Use PSExec to execute a binary/command.
Transfer is not available so you'll need to use SMB or a common file share.
Availability:
- Installed by default on Windows XP+
- Non-domain-joined systems deny remote access by default
Mechanism     Ports                                         OS        Availability
SCM via RPC   TCP 135 + Dynamic Port (TCP 59152 - 65535)   Windows   Ubiquitous
Capability
File Transfer YES
Execution (remote service) YES
# cmd syntax (-c copies the local binary to the target over SMB/ADMIN$ and runs it) #
psexec \\10.0.0.5 -u administrator -p Pass1 -c "c:\temp\MyProgram.exe"
GPO Startup Script
Description:
Configures systems in domain to run a script on startup.
Can be used to launch a script or powershell command.
Script is hosted on the Domain Controller (SYSVOL)
NOTE: GPO Logon Scripts CANNOT be used to install agents (they run as the logged-on user, unprivileged)
Time: 24 hours to a month depending on domain propagation delays
Availability:
- Ubiquitous in Windows Domains
Mechanism   Ports/Protocol   OS        Availability
GPO         LDAP             Windows   Ubiquitous in Windows Domains
Capability
File Transfer NO
Execution YES
# GPO Editor #
Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
GPO Startup Script Setup Instructions
Step 1: Configure Script Delay to 120 seconds:
Computer Configuration -> Administrative Templates -> System -> Group Policy
“Configure Logon Script Delay”
Step 2: Setup Command & Parameters
Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
“Scripts”
● Script Name:
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe
● Script Parameters:
-NonInteractive -ExecutionPolicy Bypass -NoProfile -File %~dp0MyPSScript.ps1
%~dp0 when launched on the client is automatically converted to the UNC path to the script directory on SYSVOL:
\\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID}\Machine\Scripts\Startup
Reverse Download
Reverse Download Commands
• Many remote management mechanisms and tools do not support or make it easy to transfer files (scripts or executables)
Best Solution:
• Execute Reverse Download Command
• Any remote execution mechanism can utilize this
# Powershell Reverse Download & Execute #
(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Infocyte/PowershellTools/master/AgentDeployment/install_huntagent.ps1") | iex
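Putting the GPO startup script and the reverse download together, here is an added example (my code, not from the deck or from Infocyte) of what MyPSScript.ps1 could look like: startup scripts run at every boot, so it exits early when the agent's service already exists, and it only executes the downloaded installer after the SHA256 and the Authenticode signer match values the responder pinned in advance. The URL, hash, signer subject and service name are placeholders; the log path is an assumption.

```powershell
# Added example: idempotent GPO startup script that does a verified reverse download.
# Replace every PLACEHOLDER value before use; none of them come from the deck.
$InstallerUrl     = 'https://PLACEHOLDER.example/install_agent.ps1'                      # placeholder URL
$ExpectedSha256   = '0000000000000000000000000000000000000000000000000000000000000000' # placeholder: pin the real hash
$ExpectedSigner   = 'CN=PLACEHOLDER Vendor, O=PLACEHOLDER Vendor Inc'                    # placeholder: expected signer subject
$AgentServiceName = 'PlaceholderAgentService'                                           # placeholder: service the installer creates
$LogPath          = Join-Path $env:ProgramData 'IR-Deploy\deploy.log'                   # assumed log location

function Write-DeployLog {
    param([string]$Message)
    $dir = Split-Path $LogPath -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    "$(Get-Date -Format o) $env:COMPUTERNAME $Message" | Add-Content -Path $LogPath
}

function Test-AgentInstalled {
    # A startup script fires on every boot; this check keeps the installer from re-running.
    return [bool](Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue)
}

function Get-VerifiedInstaller {
    param([string]$Url, [string]$Sha256, [string]$Signer)
    $dest = Join-Path $env:TEMP ('ir-installer-' + [guid]::NewGuid().ToString() + '.ps1')
    # Force TLS 1.2 on older hosts whose WebClient default is lower.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    (New-Object Net.WebClient).DownloadFile($Url, $dest)

    # Integrity: the file on disk must match the hash pinned before deployment.
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Remove-Item $dest -Force
        throw "Hash mismatch for ${Url}: got $actual, expected $Sha256"
    }
    # Authenticity: a valid signature from the expected signer, not just any valid signature.
    $sig = Get-AuthenticodeSignature -FilePath $dest
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -ne $Signer) {
        Remove-Item $dest -Force
        throw "Signature check failed: status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
    }
    return $dest
}

try {
    if (Test-AgentInstalled) {
        Write-DeployLog "agent service '$AgentServiceName' already present, nothing to do"
        exit 0
    }
    $installer = Get-VerifiedInstaller -Url $InstallerUrl -Sha256 $ExpectedSha256 -Signer $ExpectedSigner
    Write-DeployLog "verified installer at $installer, executing"
    # Child process: a crashing installer cannot take the startup script down with it.
    & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $installer
    Write-DeployLog "installer exit code $LASTEXITCODE"
    Remove-Item $installer -Force -ErrorAction SilentlyContinue
}
catch {
    Write-DeployLog "deploy failed: $($_.Exception.Message)"
    exit 1
}
```

The same Get-VerifiedInstaller function can replace the one-line DownloadString | iex pattern in any of the remote execution mechanisms above, since all of them end up running a PowerShell command on the host.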
Third Party Tools/Agents
Remote Monitoring & Management (RMM) Tools
Description:
Usually a pre-deployed agent used to manage endpoint configurations.
Most can install packages or execute remote commands.
Sometimes transfer is not available.
Availability:
- Each company might use a different one.
- No standardization.
Examples:
- SCCM, InTune, Kaseya, Tanium, Atera
Protocol   Ports    OS       Availability
RMM Tool   Varies   Varies   Custom (If Installed)
Capability
File Transfer SOME
Execution YES
DevOps Server Configuration Tools
Description:
Either a pre-deployed agent or interface to SSH/WinRM.
Used to configure servers in cloud environments.
Can be configured to install packages or execute remote commands.
Biggest difference with RMM tools is these require development and/or scripting experience.
Availability:
- Each company might use a different one.
- Ruby DSL or Python/YAML
Protocol              Ports                   OS               Availability
Puppet / Chef         Agent-based             Cross Platform   Common in IaaS (Cloud)
Ansible / Saltstack   Agentless (SSH/WinRM)   Cross Platform   Common in IaaS (Cloud)
Capability
File Transfer YES
Execution YES
Troubleshooting
Testing / Troubleshooting RPC
Error: 0x800706BA RPC Server Unavailable
• Possible Issues: The Windows Firewall is blocking the connection.
• DCOM or WMI Service is not running
Error: 0x80070005 – Access is denied by DCOM
• Possible Issues: The user does not have remote access to the computer through DCOM. (Run DCOMCNFG)
WMI Diagnostic Tool (local):
https://www.microsoft.com/en-us/download/details.aspx?id=7684
WBEMTEST (remote):
https://docs.microsoft.com/en-us/configmgr/develop/core/understand/introduction-to-wbemtest
- Microsoft Support
Testing / Troubleshooting RPC
• RPC-based mechanisms are very complex due to multiple subsystem involvement:
– Windows Firewall -> DCOM -> WMI -> Account Privileges
– Each subsystem can deny access ("Access Denied" isn't always what you think it is) or fail
Possible Solutions:
• Check Account Permissions and Status
• Check Firewall Rule enabled to allow RPC, DCOM, and/or WMI
• Check Services are Running and set to Automatic
• Check DCOM & WMI Permissions
• If all Fails: WMI Class Rebuild?
Services:
● DCOM Server Process Launcher
● Remote Procedure Call (RPC)
● RPC Endpoint Mapper
● Windows Management Instrumentation
Open Source Network Test Script
Test-ICNetworkTest
https://github.com/Infocyte/PowershellTools/tree/master/NetworkDiagnostics
• Powershell tool used to determine which remote access methods are available and if credentials are configured correctly.
• Run this as a pre-checkup to verify if remote access will be possible (i.e. firewalls and accounts are configured correctly)
• Drops output to a log file as well
# Powershell Commands #
Install-Module -Name InfocyteNetworkAccess
Test-ICNetworkAccess -Target 10.0.0.1 -Credential (Get-Credential)
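As an added example (my code, not the Infocyte tool above) of the pre-check the troubleshooting slides describe, this Windows PowerShell 5.1 function probes the port for each mechanism in the deck, attempts a WMI query, maps the two error codes from the RPC troubleshooting slide to their likely cause, and reports the state of the four services listed there. The only assumptions are the target address and the service short names (DcomLaunch, RpcSs, RpcEptMapper, Winmgmt).

```powershell
# Added example: pre-check that walks the chain Firewall -> RPC/DCOM -> WMI -> Account.
# Assumes Windows PowerShell 5.1 on the console host (Get-WmiObject -Credential is not in PS 7).

function Test-RemotePorts {
    param([string]$Target)
    # One TCP probe per mechanism on the deck: RPC endpoint mapper, WinRM HTTP/HTTPS, SSH, SMB.
    $ports = [ordered]@{ 'RPC/DCOM (135)' = 135; 'WinRM HTTP (5985)' = 5985;
                         'WinRM HTTPS (5986)' = 5986; 'SSH (22)' = 22; 'SMB (445)' = 445 }
    $result = [ordered]@{}
    foreach ($name in $ports.Keys) {
        $client = New-Object Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Target, $ports[$name], $null, $null)
            # 2 s timeout: a filtered port (firewall drop) shows up as "no answer", not a reset.
            $result[$name] = $async.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
        } catch { $result[$name] = $false }
        finally { $client.Close() }
    }
    return $result
}

function Test-RemoteWmi {
    param([string]$Target, [pscredential]$Credential)
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -Credential $Credential -ErrorAction Stop
        return "OK: WMI answered from $($os.CSName) ($($os.Caption))"
    } catch {
        # Capture before the switch: inside switch, $_ is rebound to the value being matched.
        $hr  = $_.Exception.HResult
        $msg = $_.Exception.Message
        switch ($hr) {
            -2147023174 { return 'FAIL 0x800706BA RPC server unavailable: firewall blocking 135/dynamic RPC, or DCOM/WMI service not running' }
            -2147024891 { return 'FAIL 0x80070005 Access denied: account lacks remote DCOM/WMI rights (check dcomcnfg and WMI namespace security)' }
            default     { return 'FAIL 0x{0:X8}: {1}' -f $hr, $msg }
        }
    }
}

function Test-RequiredServices {
    param([string]$Target, [pscredential]$Credential)
    # The four services the deck lists, queried over WMI; a failure here is itself diagnostic.
    $names = 'DcomLaunch', 'RpcSs', 'RpcEptMapper', 'Winmgmt'
    $out = [ordered]@{}
    foreach ($n in $names) {
        try {
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$n'" -ComputerName $Target -Credential $Credential -ErrorAction Stop
            $out[$n] = "$($svc.State) / $($svc.StartMode)"
        } catch { $out[$n] = 'unknown (WMI query failed)' }
    }
    return $out
}

function Invoke-RemoteAccessPrecheck {
    param([string]$Target, [pscredential]$Credential)
    $report = [ordered]@{
        Target   = $Target
        Ports    = Test-RemotePorts -Target $Target
        Wmi      = Test-RemoteWmi -Target $Target -Credential $Credential
        Services = Test-RequiredServices -Target $Target -Credential $Credential
    }
    return [pscustomobject]$report
}

# Usage from the console host:
# Invoke-RemoteAccessPrecheck -Target 10.0.0.1 -Credential (Get-Credential) | Format-List
```

Read the output top to bottom in the deck's order: a closed 135 points at the firewall, an open 135 with 0x800706BA points at DcomLaunch/Winmgmt, and 0x80070005 points at the account or DCOM permissions rather than the network.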
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 

DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents

1. Austin DFIR: Remote Access & Agent Deployments
Facilitator: Chris Gerritz (Infocyte)
2. Getting Remote Access
Austin DFIR - Gerritz (Infocyte)
Validating integrity via live forensic analysis of a set of hosts

Situation:
• Network is compromised but you have no tools, sensors, or access to endpoints/servers

Possible Solutions:
• Deploy and Execute Temporary Collector
• Agentless Collection
  – SSH
  – Powershell Remoting
  – WMI
• Deploy/Install an Agent
  – GPO Startup Script
  – Use existing RMM Tool (InTune, SCCM, Kaseya, Atera, etc.)
4. SSH
Description:
Remote Secure Shell for Linux platforms. Use SCP via SSH to transfer files.

Availability:
- Installed by default on most Linux distros

Mechanism  Ports   OS     Availability
SSH        TCP 22  Linux  Ubiquitous

Authentication: Password / Public Key / Key + Sudo Password

Capability
File Transfer (using SCP)  YES
Execution                  YES

# sudo syntax #
ssh -t user@hostname 'sudo command1 arg1 arg2'
# su syntax #
ssh user@hostname su -c "/path/to/command1 arg1 arg2"
# RHEL/CentOS specific #
ssh user@nas01 su --session-command="/path/to/command1 arg1 arg2"
5. Powershell Remoting
Description:
Modern Remote Shell for Windows.

Availability:
- Installed by default on Windows 7+ (PS 2.0)
- Powershell Remoting needs to be enabled via GPO on a domain or Enable-PSRemoting locally
- Powershell Core (Pwsh 6.0+) is cross platform and also has built-in capability for access via SSH on all platforms

Mechanism            Ports                                OS                     Availability
Psh via WinRM        TCP 5985 (HTTP) or TCP 5986 (HTTPS)  Windows                Common on TCP 5985
Pwsh (Core) via SSH  TCP 22                               Windows, Linux, MacOS  Zero (new in 2019)

Capability
File Transfer (PS 5.1+ ONLY)  YES
Execution                     YES
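Added example, not from the slides: the "deploy and execute a temporary collector" option from slide 2 carried out entirely over Powershell Remoting. It pushes a collector with Copy-Item -ToSession (which is why the slide says file transfer needs PS 5.1+ on both ends), runs it, pulls the results back and removes everything it left behind. The hostname, the collector path, the collector's --output switch and the output folder are assumptions; substitute your own.

```powershell
# Added example: push a temporary collector over Powershell Remoting, run it, fetch results, clean up.
# Assumes WinRM is enabled on the target, the caller is a local admin there, and PS 5.1+ on both ends.
param(
    [string]$ComputerName  = 'ws01.corp.example',     # placeholder target
    [string]$CollectorPath = 'C:\IR\collector.exe',   # placeholder: collector binary you already trust
    [string]$OutputDir     = 'C:\IR\output',          # placeholder: where results land on the analyst box
    [switch]$UseSSL                                   # use TCP 5986 (HTTPS) instead of TCP 5985
)

$cred    = Get-Credential -Message "Account with admin rights on $ComputerName"
$session = New-PSSession -ComputerName $ComputerName -Credential $cred -UseSSL:$UseSSL
try {
    $remoteDir = 'C:\Windows\Temp\ir'
    $remoteExe = Join-Path $remoteDir (Split-Path $CollectorPath -Leaf)
    $remoteOut = Join-Path $remoteDir 'result.zip'

    # Stage a working folder on the target
    Invoke-Command -Session $session -ScriptBlock {
        param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
    } -ArgumentList $remoteDir

    # File transfer over the same WinRM session (no SMB share needed)
    Copy-Item -Path $CollectorPath -Destination $remoteExe -ToSession $session

    # Run the collector and wait for it; "--output" is a placeholder switch for your collector
    $exitCode = Invoke-Command -Session $session -ScriptBlock {
        param($exe, $out)
        $p = Start-Process -FilePath $exe -ArgumentList "--output `"$out`"" -Wait -PassThru -NoNewWindow
        $p.ExitCode
    } -ArgumentList $remoteExe, $remoteOut

    if ($exitCode -ne 0) { throw "Collector on $ComputerName exited with code $exitCode" }

    # Pull results back and keep one file per host
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    Copy-Item -Path $remoteOut -Destination (Join-Path $OutputDir "$ComputerName.zip") -FromSession $session

    # Remove the collector and its output so the temporary tooling does not linger on the host
    Invoke-Command -Session $session -ScriptBlock {
        param($dir) Remove-Item -Path $dir -Recurse -Force
    } -ArgumentList $remoteDir
}
finally {
    Remove-PSSession $session
}
```

Prefer -UseSSL where TCP 5986 is listening: over HTTP the WinRM payload is still encrypted by the negotiated authentication, but the certificate check on 5986 is what protects the session against being redirected to an impostor host.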
6. Windows Management Instrumentation (WMI)
Description:
A set of accessing methods and functions to manage Windows systems. Use `wmic process call create` to execute a binary. Transfer is not available, so you'll need to use SMB or a common file share.

Availability:
- Installed by default on Windows XP+
- Non-domain-joined systems deny access by default

Mechanism    Ports                                     OS       Availability
WMI via RPC  TCP 135 + Dynamic Port TCP 59152 - 65535  Windows  Ubiquitous

Capability
File Transfer                    NO
Execution (process call create)  YES

# cmd syntax #
wmic /node:10.0.0.5 /user:administrator /password:Pass1 process call create "cmd"
# powershell syntax #
Invoke-WmiMethod -ComputerName 10.0.0.5 -Class Win32_Process -Name Create -ArgumentList "cmd"
7. Remote Scheduled Tasks (Schtasks)
Description:
Interacts with the task scheduler on remote systems. Use a run-once task (/SC ONCE) to execute a binary/command. Transfer is not available, so you'll need to use SMB or a common file share.

Availability:
- Installed by default on Windows XP+
- Non-domain-joined systems deny access by default

Mechanism         Ports                                     OS       Availability
Schtasks via RPC  TCP 135 + Dynamic Port TCP 59152 - 65535  Windows  Ubiquitous

Capability
File Transfer  NO
Execution      YES

# cmd syntax #
schtasks /Create /S 10.0.0.5 /RU "SYSTEM" /U administrator /P Pass1 /SC ONCE /TN MYTASKNAME /ST 00:00 /F /TR "c:\temp\MyProgram.exe"
schtasks /Run /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME
schtasks /Delete /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME
8. Remote Service Manager (i.e. PSExec)
Description:
Interacts with the Service Control Manager on remote systems. Use PSExec to execute a binary/command. Transfer is not available, so you'll need to use SMB or a common file share.

Availability:
- Installed by default on Windows XP+
- Non-domain-joined systems deny access by default

Mechanism    Ports                                     OS       Availability
SCM via RPC  TCP 135 + Dynamic Port TCP 59152 - 65535  Windows  Ubiquitous

Capability
File Transfer  YES
Execution      YES

# cmd syntax #
psexec \\10.0.0.5 -u administrator -p Pass1 -c "c:\temp\MyProgram.exe" cmd
9. GPO Startup Script
Description:
Configures systems in the domain to run a script on startup. Can be used to launch a script or Powershell command. The script is hosted on the Domain Controller.
NOTE: GPO Logon Scripts CANNOT be used to install agents (logon scripts run unprivileged, as the user)
Time: 24 hours to a month depending on domain propagation delays

Availability:
- Ubiquitous in Windows Domains

Mechanism  Ports/Protocol  OS       Availability
GPO        LDAP            Windows  Ubiquitous in Windows Domains

Capability
File Transfer  NO
Execution      YES

# GPO Editor #
Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
10. GPO Startup Script Setup Instructions
Step 1: Configure Script Delay to 120 seconds:
Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Configure Logon Script Delay"

Step 2: Set up Command & Parameters:
Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown) -> "Scripts"
● Script Name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
● Script Parameters: -NonInteractive -ExecutionPolicy Bypass -NoProfile -File %~dp0MyPSScript.ps1

%~dp0, when launched on the client, is automatically converted to the UNC path of the script directory on SYSVOL:
\\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID}\Machine\Scripts\Startup
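Added example, not from the slides or from Infocyte: a MyPSScript.ps1 that fits the startup-script GPO configured in the two steps above. A startup script runs as SYSTEM on every boot until the GPO is removed, so the script has to be idempotent: it installs only when the agent's service is missing, takes the installer from the same SYSVOL folder it was launched from ($PSScriptRoot, the same folder %~dp0 resolves to), refuses to run an installer whose hash does not match the one you pinned when staging it, and logs each outcome. The service name, installer name, expected hash and log path are placeholders.

```powershell
# Added example: idempotent GPO startup script (MyPSScript.ps1) that installs an agent once.
# Assumes the installer MSI sits beside this script in SYSVOL and that this runs as SYSTEM at boot.
$ServiceName   = 'ExampleAgentSvc'                  # placeholder: the agent's Windows service name
$InstallerName = 'agent-installer.msi'              # placeholder: installer staged next to this script
$ExpectedHash  = '<SHA256 OF INSTALLER GOES HERE>'  # placeholder: record it when you stage the file
$LogPath       = Join-Path $env:windir 'Temp\agent-deploy.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

# Idempotence: if the agent's service already exists, do nothing on this boot
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-Log "Service $ServiceName already present; nothing to do."
    exit 0
}

# $PSScriptRoot is the \\domain\SysVol\...\Machine\Scripts\Startup folder the GPO launched us from
$installer = Join-Path $PSScriptRoot $InstallerName
if (-not (Test-Path -Path $installer)) {
    Write-Log "Installer not found at $installer"
    exit 1
}

# Only run what you staged: compare the installer's SHA256 with the pinned value
$actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    Write-Log "Hash mismatch for $installer (got $actual); refusing to install."
    exit 1
}

# Copy locally first; msiexec running as SYSTEM handles a local path more reliably than a UNC path
$local = Join-Path $env:windir "Temp\$InstallerName"
Copy-Item -Path $installer -Destination $local -Force

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$local`" /qn /norestart" -Wait -PassThru
Write-Log "msiexec for $InstallerName exited with $($proc.ExitCode)"
Remove-Item -Path $local -Force -ErrorAction SilentlyContinue
exit $proc.ExitCode
```

Because the GPO keeps firing the script on every boot for the 24 hours to a month the slide mentions, the service check at the top is what keeps hosts from reinstalling the agent each morning; the log in %windir%\Temp lets you confirm from the host which branch ran.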
12. Reverse Download Commands
• Many remote management mechanisms and tools do not support file transfer, or make it hard to transfer files (scripts or executables)

Best Solution:
• Execute a Reverse Download Command
• Any remote execution mechanism can utilize this

# Powershell Reverse Download & Execute #
(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Infocyte/PowershellTools/master/AgentDeployment/install_huntagent.ps1") | iex
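Added example, not from the slides: the same reverse-download idea with the weakness of "DownloadString | iex" removed. Piping straight into iex executes whatever the server (or anything between you and it) returned, on a host you already believe is compromised. This version saves the script to disk, compares its SHA256 with a hash recorded from a copy you inspected, and only then runs it. The URL is the one on the slide; the hash value is a placeholder, and forcing TLS 1.2 assumes .NET 4.5 or later on the host.

```powershell
# Added example: reverse download with hash pinning instead of DownloadString | iex.
$Url          = 'https://raw.githubusercontent.com/Infocyte/PowershellTools/master/AgentDeployment/install_huntagent.ps1'
$ExpectedHash = '<SHA256 RECORDED FROM A TRUSTED COPY>'   # placeholder: take it from a copy you reviewed
$Dest         = Join-Path $env:TEMP 'install_huntagent.ps1'

# Older hosts default to SSL3/TLS1.0 for WebClient; GitHub rejects those (needs .NET 4.5+)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Download to a file so the content can be checked before anything executes
(New-Object Net.WebClient).DownloadFile($Url, $Dest)

$actual = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    Remove-Item -Path $Dest -Force
    throw "Downloaded script hash $actual does not match the pinned value; not executing."
}

# Run the verified file in a child process; -ExecutionPolicy Bypass applies to that process only
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Dest
Remove-Item -Path $Dest -Force
```

The one-liner on the slide is still useful when the only channel you have is a 260-character command line; in that case fetch this wrapper script first, then let it fetch and verify the real installer.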
13. Third Party Tools/Agents
By Chris Gerritz (Infocyte)
14. Remote Monitoring & Management (RMM) Tools
Description:
Usually a pre-deployed agent used to manage endpoint configurations. Most can install packages or execute remote commands. Sometimes transfer is not available.

Availability:
- Each company might use a different one.
- No standardization.

Examples:
- SCCM, InTune, Kaseya, Tanium, Atera

Protocol  Ports   OS      Availability
RMM Tool  Varies  Varies  Custom (If Installed)

Capability
File Transfer  SOME
Execution      YES
15. DevOps Server Configuration Tools
Description:
Either a pre-deployed agent or an interface to SSH/WinRM. Used to configure servers in cloud environments. Can be configured to install packages or execute remote commands. The biggest difference from RMM tools is that these require development and/or scripting experience.

Availability:
- Each company might use a different one.
- Ruby DSL or Python/YAML

Protocol             Transport              OS              Availability
Puppet / Chef        Agent-based            Cross Platform  Common in IaaS (Cloud)
Ansible / Saltstack  Agentless (SSH/WinRM)  Cross Platform  Common in IaaS (Cloud)

Capability
File Transfer  YES
Execution      YES
17. Testing / Troubleshooting RPC
Error: 0x800706BA RPC Server Unavailable
• Possible Issues:
  – The Windows Firewall is blocking the connection.
  – DCOM or WMI Service is not running

Error: 0x80070005 – Access is denied by DCOM
• Possible Issues:
  – The user does not have remote access to the computer through DCOM. (Run DCOMCNFG)

WMI Diagnostic Tool (local): https://www.microsoft.com/en-us/download/details.aspx?id=7684
WBEMTEST (remote): https://docs.microsoft.com/en-us/configmgr/develop/core/understand/introduction-to-wbemtest
- Microsoft Support
18. Testing / Troubleshooting RPC
• RPC-based mechanisms are very complex because multiple subsystems are involved:
  – Windows Firewall -> DCOM -> WMI -> Account Privileges
  – Each subsystem can deny access ("Access Denied" isn't always what you think it is) or fail

Possible Solutions:
• Check Account Permissions and Status
• Check the Firewall Rule is enabled to allow RPC, DCOM, and/or WMI
• Check Services are Running and set to Automatic
• Check DCOM & WMI Permissions
• If all fails: WMI Class Rebuild?

Services:
● DCOM Server Process Launcher
● Remote Procedure Call (RPC)
● RPC Endpoint Mapper
● Windows Management Instrumentation
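Added example, not from the slides or from Infocyte's own test script: a pre-check that walks the chain on the two slides above (Windows Firewall -> DCOM -> WMI -> account) from the analyst's machine, and a second function to run on the target itself that checks the four services listed. The remote check maps the two errors from slide 17, 0x800706BA and 0x80070005, to the causes the slide gives for them. It assumes PS 5.1+ with Test-NetConnection available (Windows 8 / Server 2012 or later); the hostname in the usage comment is a placeholder.

```powershell
# Added example: walk the RPC access chain from the analyst box and classify the failure.
function Test-RpcAccessChain {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )
    $result = [ordered]@{ Computer = $ComputerName }

    # 1. Firewall / reachability: endpoint mapper (135), SMB (445), WinRM (5985).
    #    A closed 135 points at the firewall or the RPC services before you suspect permissions.
    foreach ($port in 135, 445, 5985) {
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $result["Port$port"] = $probe.TcpTestSucceeded
    }

    # 2. DCOM + WMI + account: open a DCOM CIM session (same path wmic/Invoke-WmiMethod use) and query
    $cimArgs = @{
        ComputerName  = $ComputerName
        SessionOption = (New-CimSessionOption -Protocol Dcom)
        ErrorAction   = 'Stop'
    }
    if ($Credential) { $cimArgs.Credential = $Credential }
    try {
        $session = New-CimSession @cimArgs
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.Wmi = "OK ($($os.Caption))"
        Remove-CimSession -CimSession $session
    }
    catch {
        # Map the HRESULTs from slide 17 to the layer that most likely denied us
        $msg = "$($_.Exception.Message) $($_.FullyQualifiedErrorId)"
        $result.Wmi = switch -Regex ($msg) {
            '0x800706BA|RPC server is unavailable' { 'FAIL: RPC server unavailable (firewall, or DCOM/WMI service not running)' }
            '0x80070005|Access is denied'          { 'FAIL: access denied by DCOM (account, or DCOM/WMI permissions; run DCOMCNFG)' }
            default                                { "FAIL: $msg" }
        }
    }
    [pscustomobject]$result
}

# Run this ON the target (console, PSRemoting, or a startup script) to check the services slide 18 lists.
function Test-RpcServices {
    # Short names map to: DCOM Server Process Launcher, Remote Procedure Call (RPC),
    # RPC Endpoint Mapper, Windows Management Instrumentation
    foreach ($name in 'DcomLaunch', 'RpcSs', 'RpcEptMapper', 'Winmgmt') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = $svc.DisplayName
            State     = $svc.State
            StartMode = $svc.StartMode
            Healthy   = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
        }
    }
}

# Usage (placeholder host):
#   Test-RpcAccessChain -ComputerName 'ws01.corp.example' -Credential (Get-Credential)
#   Test-RpcServices   # on the target itself
```

Reading the output in order mirrors the slide's chain: if Port135 is $false, stop and look at the firewall and the RPC services; if the ports answer but Wmi reports access denied, the firewall is not the problem and the account or DCOM/WMI permissions are.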
19. Open Source Network Test Script
Test-ICNetworkTest
https://github.com/Infocyte/PowershellTools/tree/master/NetworkDiagnostics
• Powershell tool used to determine which remote access methods are available and whether credentials are configured correctly.
• Run this as a pre-check to verify that remote access will be possible (i.e. firewalls and accounts are configured correctly)
• Drops output to a log file as well

# Powershell Commands #
Install-Module -Name InfocyteNetworkAccess
Test-ICNetworkAccess -Target 10.0.0.1 -Credential (Get-Credential)