
Tips for an Information Security Analyst/Pentester career - Ep. 64: Lateral movement detection

In this post I'm going to continue from where I left off in my previous post, Tips for an Information Security Analyst/Pentester career - Ep. 60: Pivoting attack.

This post will be divided into two parts: an offensive part and a defensive part.

The offensive part pretty much repeats the same steps described in episode 60, so I'll refer you to that post, both because of time constraints and to avoid repeating myself (see the embedded video for more info).



Offensive part

Without going too much in detail, I performed the following steps:

On Kali:

  • Created an msfvenom executable and copied it to /var/www/html
  • Started the Apache server
  • Configured the multi/handler exploit in Metasploit with the windows/meterpreter/reverse_tcp payload
  • Launched the exploit
  • Achieved privilege escalation on Windows 7 by using windows/local/bypassuac
  • Launched mimikatz and stole password hashes and Kerberos passwords in clear text
  • Created a manual route to the 172.16.137.0/28 network, where my vulnerable XP SP2 machine lies
  • Exploited Windows XP through the windows/smb/ms08_067_netapi exploit, performing a pivoting attack.

On Windows 7:

  • Before launching the exploit from Kali, I installed Sysinternals' Sysmon, which monitors system changes.

Defensive part


We're going to analyze the specific logs created by Sysmon, which can be found in Event Viewer under Application and Services Logs/Microsoft/Windows/Sysmon/Operational.

The Sysmon blog recommends specifically checking for certain event IDs, which are displayed below.

I therefore used my EventIDs.ps1 PowerShell script for this purpose.

I added a commented-out line to my script that retrieves the more critical event IDs associated with Sysmon.

You can enable that line if Sysmon is installed on your system; otherwise it can be left commented out.

I enabled that line in my Windows 7 configuration and was able to retrieve several event IDs falling within the ones listed above.
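As an added example (not the author's EventIDs.ps1 script), the following PowerShell pulls the Sysmon Operational log for a handful of event IDs, counts them, flattens the useful fields and flags process-access events against lsass.exe. The ID selection and the 24-hour lookback are my assumptions, since the post's list of recommended IDs did not survive here.

```powershell
# Added example, not the author's EventIDs.ps1: query the Sysmon Operational log
# for the event IDs most relevant to the pivoting scenario in this post.
# The ID selection and the 24-hour window are assumptions. Needs PowerShell 3+.
$LogName = 'Microsoft-Windows-Sysmon/Operational'

# Sysmon event IDs of interest (assumed selection, from Sysmon's documented types):
#   1  ProcessCreate      - new process, e.g. the dropped msfvenom executable
#   3  NetworkConnect     - outbound reverse_tcp connection back to the handler
#   8  CreateRemoteThread - thread injected into another process
#  10  ProcessAccess      - handle opened on another process (lsass.exe = credential theft)
#  11  FileCreate         - file written to disk, e.g. the payload itself
$EventIds = 1, 3, 8, 10, 11
$Since    = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName = $LogName; Id = $EventIds; StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Host 'No matching Sysmon events in the window.'; return }

# Count how often each event ID fired.
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count | Format-Table -AutoSize

# Flatten each event's EventData XML into the fields an analyst wants to see.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Events 8 and 10 name the acting process SourceImage rather than Image.
    $image  = if ($data.ContainsKey('Image')) { $data['Image'] } else { $data['SourceImage'] }
    $target = switch ($e.Id) {
        3       { '{0}:{1}' -f $data['DestinationIp'], $data['DestinationPort'] }
        8       { $data['TargetImage'] }
        10      { $data['TargetImage'] }
        11      { $data['TargetFilename'] }
        default { $data['CommandLine'] }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Image = $image; Target = $target }
}
$rows | Sort-Object Time | Format-Table -AutoSize -Wrap

# Handles opened on lsass.exe are the trace left by credential dumpers such as mimikatz.
$lsass = @($rows | Where-Object { $_.EventId -eq 10 -and $_.Target -like '*\lsass.exe' })
if ($lsass.Count -gt 0) { Write-Warning "$($lsass.Count) process-access event(s) targeted lsass.exe" }
```

Run it in an elevated PowerShell session on the monitored host; legitimate software (antivirus, backup agents) also opens lsass.exe, so treat the warning as a lead to triage by Image, not as a verdict.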


We can now be sure that a pivoting attack has been successfully run against our victim machine, and we can decide what the next steps in our incident response procedure will be.


External sources
