# Part 4 ## ๐Ÿšจ **Exploitation of Remote Services** *** ### ๐Ÿ” **1. Attack Breakdown** #### ๐Ÿ“ **What is Exploitation of Remote Services?** * **Exploitation of Remote Services** occurs when attackers **abuse vulnerabilities in remote services** (e.g., RDP, SMB, SSH, FTP) to gain unauthorized access to systems. * Common remote services targeted include: * **Remote Desktop Protocol (RDP)** * **Server Message Block (SMB)** * **Secure Shell (SSH)** * **Telnet** * **FTP** #### ๐Ÿ“‘ **Why Attackers Exploit Remote Services?** * **Initial Access:** Gain foothold on a target system. * **Privilege Escalation:** Exploit misconfigurations or weak credentials. * **Persistence:** Maintain long-term access. * **Lateral Movement:** Move across systems within the network. * **Data Exfiltration:** Steal sensitive information. #### ๐Ÿ“Œ **Common Exploited Services and Techniques** | **Service** | **Common Exploitation Techniques** | **Example Tools** | | ----------- | -------------------------------------------------------------- | ------------------------ | | **RDP** | Brute Force, Credential Stuffing, RDP BlueKeep (CVE-2019-0708) | `xfreerdp`, `Hydra` | | **SMB** | EternalBlue (CVE-2017-0144), SMBGhost (CVE-2020-0796) | `Metasploit`, `Impacket` | | **SSH** | Credential Stuffing, Weak Key Exploitation | `Hydra`, `CrackMapExec` | | **FTP** | Anonymous Login Exploitation, Directory Traversal | `Nmap`, `Hydra` | | **Telnet** | Default Credential Exploitation | `Hydra`, `Metasploit` | *** ### ๐Ÿ›ก๏ธ **2. Detection Techniques** #### ๐Ÿ“Š **Manual Inspection with PowerShell** **๐Ÿ•ต๏ธ Check Active Remote Sessions** ```powershell qwinsta ``` **๐Ÿ•ต๏ธ Review RDP Connection Logs** ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object { $_.Message -like "*RDP*" } ``` **๐Ÿ•ต๏ธ Check for Suspicious SMB Connections** ```powershell Get-SmbSession | Select-Object ClientComputerName, UserName, SessionId ``` **๐Ÿ•ต๏ธ Review Active SSH Connections** ```powershell netstat -ano | findstr ":22" ``` **๐Ÿ•ต๏ธ Identify Failed Login Attempts** ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} ``` *** #### ๐Ÿ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **๐Ÿ•ต๏ธ Detect Suspicious Remote Login Attempts** ```kusto SecurityEvent | where EventID == 4625 | where AccountName != "defaultaccount" | summarize FailedAttempts = count() by AccountName, IpAddress | where FailedAttempts > 5 ``` **๐Ÿ•ต๏ธ Identify SMB Exploitation Attempts** ```kusto DeviceNetworkEvents | where RemotePort == 445 | where ActionType == "ConnectionFailed" | summarize count() by RemoteIP | where count_ > 10 ``` **๐Ÿ•ต๏ธ Monitor RDP Brute Force Attempts** ```kusto SecurityEvent | where EventID == 4625 | where LogonType == 10 or LogonType == 7 | summarize FailedAttempts = count() by IpAddress, AccountName | where FailedAttempts > 5 ``` **๐Ÿ•ต๏ธ Detect EternalBlue Exploitation Patterns** ```kusto DeviceProcessEvents | where FileName contains "ms17-010" | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName ``` **๐Ÿ•ต๏ธ SSH Access Attempts** ```kusto DeviceNetworkEvents | where RemotePort == 22 | where ActionType == "ConnectionSuccess" | summarize ConnectionCount = count() by RemoteIP, AccountName | where ConnectionCount > 5 ``` **๐Ÿ•ต๏ธ Monitor FTP Connections** ```kusto DeviceNetworkEvents | where RemotePort == 21 | where ActionType == "ConnectionSuccess" | summarize ConnectionCount = count() by RemoteIP, AccountName ``` *** #### ๐Ÿ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | ------------------------------------------------- | | **4624** | Successful logon. | | **4625** | Failed logon attempt. | | **4776** | The computer attempted to validate credentials. | | **4648** | A logon was attempted using explicit credentials. | | **4672** | Special privileges assigned to new logon. | **๐Ÿ“Œ Focus on Event ID 4625:** * Repeated login failures from a single **IP address**. **๐Ÿ“Œ Focus on Event ID 4672:** * Look for **privileged account logins** from suspicious IPs. *** ### ๐Ÿ•ต๏ธ **3. Investigation Techniques** #### 1๏ธโƒฃ **Trace Failed Authentication Attempts** * Analyze failed authentication patterns: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Where-Object { $_.Message -like "*RDP*" } ``` *** #### 2๏ธโƒฃ **Identify Active Remote Sessions** * List active RDP sessions: ```powershell qwinsta ``` * Check SMB Sessions: ```powershell Get-SmbSession ``` *** #### 3๏ธโƒฃ **Inspect Process Activity Related to Remote Services** * Look for suspicious processes: ```powershell Get-Process | Where-Object { $_.Path -like "*Temp*" } ``` *** #### 4๏ธโƒฃ **Check Open Ports** * Verify open ports for remote services: ```powershell netstat -ano | findstr ":3389 :445 :22" ``` *** #### 5๏ธโƒฃ **Review Suspicious Network Connections** * Identify remote connections: ```powershell Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notlike "192.168.*" } ``` *** ### ๐Ÿ”ง **4. Remediation Steps** #### ๐Ÿ“Œ **1. Terminate Unauthorized Sessions** ```powershell logoff ``` #### ๐Ÿ“Œ **2. Disable Unused Remote Services** ```powershell Set-Service -Name TermService -StartupType Disabled ``` #### ๐Ÿ“Œ **3. Reset Compromised Accounts** ```powershell net user Administrator NewP@ssw0rd! ``` #### ๐Ÿ“Œ **4. Block Suspicious IPs** ```powershell New-NetFirewallRule -DisplayName "Block Suspicious IP" -Direction Inbound -RemoteAddress -Action Block ``` #### ๐Ÿ“Œ **5. Patch Known Vulnerabilities** * Apply patches for vulnerabilities like **BlueKeep (CVE-2019-0708)** and **EternalBlue (CVE-2017-0144)**. #### ๐Ÿ“Œ **6. Enable Network Level Authentication (NLA) for RDP** ```powershell reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f ``` #### ๐Ÿ“Œ **7. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### ๐Ÿ›ก๏ธ **5. Prevention Steps** 1. **Disable Unused Remote Services:** * Turn off RDP, SMB, FTP, and Telnet if not needed. 2. **Implement Multi-Factor Authentication (MFA):** * Add MFA to remote access. 3. **Apply Network Segmentation:** * Isolate systems with sensitive remote services. 4. **Use Strong Password Policies:** * Enforce complex passwords. 5. **Patch Systems Regularly:** * Keep systems updated to prevent exploitation. 6. **Enable Account Lockout Policies:** ```powershell powershellู†ุณุฎ ุงู„ูƒูˆุฏnet accounts /lockoutthreshold:5 ``` 7. **Monitor Service Logs:** * Regularly review **Event IDs 4625, 4672, 4648**. *** ### ๐Ÿง  **6. Key Takeaways** * **Remote Services Are Prime Targets:** Monitor RDP, SMB, SSH, and FTP. * **Patch Known Vulnerabilities:** Keep services updated. * **Implement Logging and Auditing:** Enable **Event IDs 4625, 4672**. * **Use Network Segmentation:** Restrict access to critical services. * **Apply Least Privilege Principle:** Limit admin access on remote services. *** ## ๐Ÿšจ **File and Directory Discovery: Advanced Threat Analysis** *** ### ๐Ÿ” **1. Attack Breakdown** #### ๐Ÿ“ **What is File and Directory Discovery?** * **File and Directory Discovery** involves **identifying sensitive files, folders, and directories** on a compromised system. * Attackers use discovery techniques to: * Locate **sensitive data** (e.g., credentials, configuration files). * Identify **critical system directories** for further attacks. * Determine **backup locations** and **log files**. * Plan **data exfiltration paths**. *** #### ๐Ÿ“‘ **Why Attackers Use File and Directory Discovery?** * **Gather Information:** Locate files with sensitive data (e.g., `.env`, `config.xml`, `password.txt`). * **Privilege Escalation:** Identify configuration files with hardcoded credentials. * **Persistence:** Locate startup folders for persistence mechanisms. * **Data Exfiltration:** Identify large or important datasets for exfiltration. * **Evasion:** Identify antivirus logs or security tools to bypass them. *** #### ๐Ÿ“Œ **Common Techniques for File and Directory Discovery** | **Technique** | **Command/Tool Example** | **Description** | | ------------------------------ | ------------------------------------------------------------------ | -------------------------------------- | | **List Directories** | `dir /s` (Windows), `ls -R` (Linux) | Recursive directory listing | | **Search for Sensitive Files** | `find / -name *.env` | Search for specific file types | | **Locate Hidden Files** | `ls -la` | Reveal hidden files | | **Check Startup Folders** | `dir C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` | Identify persistence locations | | **System Configuration Files** | `cat /etc/passwd` (Linux) | Extract system user information | | **PowerShell Enumeration** | `Get-ChildItem -Recurse -Force` | Recursive file discovery in PowerShell | *** #### ๐Ÿ“Š **Common Tools Used** | **Tool** | **Purpose** | | ------------------- | -------------------------------------------- | | **PowerShell** | Recursive file enumeration | | **CMD (dir)** | Directory listing | | **Findstr** | Search within files | | **Find (Linux)** | Search for files by name or type | | **grep (Linux)** | Search within files | | **Tree** | Visual directory structure | | **WinPEAS/LinPEAS** | Enumerate sensitive files and configurations | *** ### ๐Ÿ›ก๏ธ **2. Detection Techniques** #### ๐Ÿ“Š **Manual Inspection with PowerShell** **๐Ÿ•ต๏ธ Identify Suspicious File Searches** ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*dir*" -or $_.Message -like "*find*" } ``` **๐Ÿ•ต๏ธ Monitor Access to Sensitive Files** ```powershell Get-ChildItem -Path "C:\Users\*" -Recurse -Include "*.env", "*.xml", "*.config", "*password*" ``` **๐Ÿ•ต๏ธ Check Recent File Access** ```powershell Get-ChildItem -Path "C:\" -Recurse | Where-Object { $_.LastAccessTime -gt (Get-Date).AddHours(-24) } ``` **๐Ÿ•ต๏ธ Look for Hidden File Access** ```powershell Get-ChildItem -Path "C:\" -Hidden -Recurse ``` *** #### ๐Ÿ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **๐Ÿ•ต๏ธ Detect Directory Listing Commands** ```kql DeviceProcessEvents | where ProcessCommandLine contains "dir" or ProcessCommandLine contains "ls" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **๐Ÿ•ต๏ธ Identify Sensitive File Access** ```kql DeviceFileEvents | where FileName matches regex ".*(password|config|credentials|backup).*" | where ActionType == "FileAccessed" | project Timestamp, DeviceName, FileName, FolderPath, AccountName ``` **๐Ÿ•ต๏ธ Monitor Recursive Directory Scans** ```kql DeviceProcessEvents | where ProcessCommandLine contains "-Recurse" or ProcessCommandLine contains "/s" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **๐Ÿ•ต๏ธ Look for Startup Folder Access** ```kql DeviceFileEvents | where FolderPath contains "Startup" | where ActionType == "FileAccessed" | project Timestamp, DeviceName, FileName, FolderPath, AccountName ``` **๐Ÿ•ต๏ธ Track Access to System Configuration Files** ```kql DeviceFileEvents | where FileName contains "passwd" or FileName contains "shadow" | project Timestamp, DeviceName, FileName, FolderPath, AccountName ``` *** #### ๐Ÿ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | ------------------------------------------------------- | | **4688** | A new process was created (e.g., `dir`, `find`, `grep`) | | **4663** | Object access attempt (e.g., file read/write) | | **4660** | An object was deleted | | **4656** | A handle to an object was requested | **๐Ÿ“Œ Focus on Event ID 4688:** * Look for commands like: * `dir /s` * `ls -R` * `find / -name` * `grep password` **๐Ÿ“Œ Focus on Event ID 4663:** * Monitor file access activity: * `password.txt` * `config.xml` * `sensitive_data.zip` *** ### ๐Ÿ•ต๏ธ **3. Investigation Techniques** #### 1๏ธโƒฃ **Identify Suspicious File Access Commands** * Search executed commands related to file discovery: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*dir*" -or $_.Message -like "*find*" } ``` *** #### 2๏ธโƒฃ **Trace Process Tree** * Identify parent and child processes of discovery commands: ```powershell Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq } ``` *** #### 3๏ธโƒฃ **Inspect Access to Sensitive Folders** * Check critical directories: ```powershell Get-ChildItem -Path "C:\Users\*" -Recurse -Include "*.env", "*.xml", "*.config" ``` *** #### 4๏ธโƒฃ **Identify Recently Accessed Files** * List files accessed in the last 24 hours: ```powershell Get-ChildItem -Path "C:\" -Recurse | Where-Object { $_.LastAccessTime -gt (Get-Date).AddDays(-1) } ``` *** #### 5๏ธโƒฃ **Analyze Command History** * Inspect PowerShell command history: ```powershell (Get-PSReadlineOption).HistorySavePath | Get-Content ``` *** ### ๐Ÿ”ง **4. Remediation Steps** #### ๐Ÿ“Œ **1. Revoke Unnecessary File Permissions** ```powershell icacls "C:\SensitiveFolder" /inheritance:r ``` #### ๐Ÿ“Œ **2. Monitor Critical Directories** * Enable File Integrity Monitoring (FIM). #### ๐Ÿ“Œ **3. Quarantine Suspicious Processes** ```powershell Stop-Process -Name "cmd" -Force ``` #### ๐Ÿ“Œ **4. Remove Unauthorized Access** * Disable compromised accounts: ```powershell Disable-LocalUser -Name "suspiciousUser" ``` #### ๐Ÿ“Œ **5. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### ๐Ÿ›ก๏ธ **5. Prevention Steps** 1. **Enable File Auditing:** * Monitor **Event IDs 4663, 4688**. 2. **Implement Least Privilege Access:** * Limit access to sensitive folders. 3. **Monitor Sensitive File Access:** * Alert on unauthorized access to files like `password.txt`, `config.xml`. 4. **Disable Command-Line Access for Non-Admins:** * Restrict tools like `cmd.exe`, `powershell.exe`. 5. **Use File Integrity Monitoring (FIM):** * Detect unauthorized changes to sensitive files. 6. **Educate Users:** * Train users to recognize unauthorized file access patterns. *** ### ๐Ÿง  **6. Key Takeaways** * **File Discovery is Often Reconnaissance:** Attackers seek sensitive data before launching further attacks. * **Focus on Command-Line Patterns:** Commands like `dir /s`, `ls -R`, `find /` are key indicators. * **Audit Sensitive Folders:** Regularly monitor access and modifications. * **Implement File Integrity Monitoring (FIM):** Detect unauthorized file access. * **Enforce Least Privilege Principle:** Restrict file access to only necessary users. *** ## ๐Ÿšจ **Persistence via Registry Run Keys/Startup Folder** *** ### ๐Ÿ” **1. Attack Breakdown** #### ๐Ÿ“ **What is Persistence via Registry Run Keys/Startup Folder?** * **Persistence** ensures an attacker maintains access to a compromised system across reboots or interruptions. * Attackers often use: * **Registry Run Keys:** Automatically execute malicious code at system startup. * **Startup Folder:** Place malicious files in folders that run programs at user login. #### ๐Ÿ“‘ **Why Attackers Use These Techniques?** * **Stealth:** Blend into legitimate startup processes. * **Reliability:** Ensure malware executes every time the system reboots. * **Ease of Access:** Run keys and startup folders are often overlooked in security audits. * **Flexibility:** Works across Windows versions and configurations. *** #### ๐Ÿ“Œ **Common Techniques for Persistence** | **Technique** | **Description** | **Registry Key/Folder** | | ------------------------- | ----------------------------------------- | ------------------------------------------------------------------------------- | | **Registry Run Key** | Run malicious code at startup. | `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | | **RunOnce Key** | Run code only on the next startup. | `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` | | **Startup Folder** | Add malicious files to startup directory. | `C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` | | **Scheduled Tasks** | Create scheduled tasks to execute code. | `schtasks /create` | | **Service Configuration** | Modify Windows service binaries. | `HKLM\SYSTEM\CurrentControlSet\Services` | *** #### ๐Ÿ“Œ **Example Commands** * **Add to Registry Run Key:** ```cmd reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v MaliciousKey /t REG_SZ /d "C:\malware.exe" ``` * **Add to Startup Folder:** ```cmd copy C:\malware.exe "C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" ``` * **Add to RunOnce Key:** ```cmd reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Update /t REG_SZ /d "C:\malware.exe" ``` *** ### ๐Ÿ›ก๏ธ **2. Detection Techniques** #### ๐Ÿ“Š **Manual Inspection with PowerShell** **๐Ÿ•ต๏ธ Check Run and RunOnce Registry Keys** ```powershell Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" ``` **๐Ÿ•ต๏ธ Check Startup Folder for Suspicious Files** ```powershell Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" ``` **๐Ÿ•ต๏ธ Check Scheduled Tasks for Suspicious Entries** ```powershell Get-ScheduledTask | Where-Object { $_.TaskPath -like "*Update*" } ``` **๐Ÿ•ต๏ธ Check Service Binaries for Suspicious Paths** ```powershell Get-WmiObject Win32_Service | Select-Object Name, PathName | Where-Object { $_.PathName -like "*Temp*" } ``` *** #### ๐Ÿ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **๐Ÿ•ต๏ธ Detect Registry Key Modifications** ```kusto DeviceRegistryEvents | where RegistryKey contains "CurrentVersion\\Run" or RegistryKey contains "CurrentVersion\\RunOnce" | where ActionType == "RegistryValueSet" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, AccountName ``` **๐Ÿ•ต๏ธ Detect Startup Folder Modifications** ```kusto DeviceFileEvents | where FolderPath contains "Startup" | where ActionType == "FileCreated" or ActionType == "FileModified" | project Timestamp, DeviceName, FolderPath, FileName, AccountName ``` **๐Ÿ•ต๏ธ Identify Suspicious Service Configurations** ```kusto DeviceRegistryEvents | where RegistryKey contains "SYSTEM\\CurrentControlSet\\Services" | where RegistryValueData contains "Temp" or RegistryValueData contains ".exe" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData ``` **๐Ÿ•ต๏ธ Monitor Processes Executing from Startup Locations** ```kusto DeviceProcessEvents | where FolderPath contains "Startup" | where FileName endswith ".exe" or FileName endswith ".bat" | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName ``` *** #### ๐Ÿ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | ----------------------------------------------- | | **4657** | A registry value was modified. | | **4688** | A new process was created. | | **4697** | A service was installed in the system. | | **4663** | Object access attempt (Startup Folder changes). | **๐Ÿ“Œ Focus on Event ID 4657:** * Look for modifications to: * `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` * `HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce` **๐Ÿ“Œ Focus on Event ID 4688:** * Look for processes running from: * `C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` **๐Ÿ“Œ Focus on Event ID 4697:** * Check for newly installed services. *** ### ๐Ÿ•ต๏ธ **3. Investigation Techniques** #### 1๏ธโƒฃ **Identify Malicious Registry Entries** * Look for unexpected keys in `Run` or `RunOnce`: ```powershell Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" ``` *** #### 2๏ธโƒฃ **Analyze Startup Folder** * Identify suspicious files: ```powershell Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" ``` *** #### 3๏ธโƒฃ **Trace Malicious Processes** * Correlate process activity: ```powershell Get-EventLog -LogName Security -InstanceId 4688 | Select-String "Startup" ``` *** #### 4๏ธโƒฃ **Inspect Services for Persistence** * Review service binaries: ```powershell Get-WmiObject Win32_Service | Where-Object { $_.PathName -like "*Temp*" } ``` *** #### 5๏ธโƒฃ **Review Scheduled Tasks** * Look for unusual scheduled tasks: ```powershell Get-ScheduledTask | Where-Object { $_.TaskPath -like "*Update*" } ``` *** ### ๐Ÿ”ง **4. Remediation Steps** #### ๐Ÿ“Œ **1. Remove Malicious Registry Keys** ```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MaliciousKey" ``` #### ๐Ÿ“Œ **2. Delete Malicious Startup Files** ```powershell Remove-Item -Path "C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware.exe" ``` #### ๐Ÿ“Œ **3. Disable Malicious Services** ```powershell sc stop "MaliciousService" sc delete "MaliciousService" ``` #### ๐Ÿ“Œ **4. Terminate Suspicious Processes** ```powershell Stop-Process -Name "malware" -Force ``` #### ๐Ÿ“Œ **5. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### ๐Ÿ›ก๏ธ **5. Prevention Steps** 1. **Enable Registry Auditing:** * Monitor **Event ID 4657** for `Run` and `RunOnce`. 2. **Restrict Startup Folder Access:** * Limit write permissions to startup folders. 3. **Use Least Privilege Principle:** * Restrict admin rights to essential users. 4. **Enable Application Control Policies:** * Block untrusted applications via **AppLocker**. 5. **Monitor Suspicious Scheduled Tasks:** * Periodically audit scheduled tasks. 6. **Regular Patching:** * Keep systems and software updated. *** ### ๐Ÿง  **6. Key Takeaways** * **Registry Run Keys and Startup Folders are Common Persistence Mechanisms:** Monitor them closely. * **Event IDs 4657, 4688, 4697 Are Crucial:** Set up alerts for modifications. * **Audit Regularly:** Periodically inspect registry keys and startup folders. * **Enforce Application Whitelisting:** Use tools like AppLocker. *** ## ๐Ÿšจ **Valid Accounts: Default Accounts** *** ### ๐Ÿ” **1. Attack Breakdown** #### ๐Ÿ“ **What is Default Account Exploitation?** * **Default Accounts** are built-in user accounts that come preconfigured with operating systems, applications, and network devices (e.g., `Administrator`, `Guest`, `sa` for SQL Server). * Attackers exploit these accounts if: * **Default credentials remain unchanged**. * Accounts are **enabled by default**. * Accounts have **excessive privileges**. * **Weak passwords** are set for these accounts. *** #### ๐Ÿ“‘ **Why Attackers Target Default Accounts?** * **Easy Access:** Many systems are deployed without disabling default accounts. * **Privilege Escalation:** Default accounts often have administrative or privileged access. * **Persistence:** Attackers use default accounts to maintain long-term access. * **Stealth:** Legitimate accounts are less likely to trigger alerts. *** #### ๐Ÿ“Œ **Common Default Accounts and Services** | **Default Account** | **Platform/Service** | **Purpose** | | ------------------- | --------------------------------- | -------------------- | | **Administrator** | Windows Systems | System Administrator | | **root** | Linux/Unix Systems | Superuser Access | | **sa** | SQL Server | Database Admin | | **admin** | Network Devices (Cisco, Fortinet) | Device Admin | | **Guest** | Windows Systems | Restricted Access | | **postgres** | PostgreSQL Database | Database Admin | | **pi** | Raspberry Pi | Device Admin | *** #### ๐Ÿ“Œ **Common Techniques for Exploiting Default Accounts** | **Technique** | **Description** | **Example Command** | | ---------------------------- | ------------------------------------- | ------------------------------------------ | | **Brute Force Attack** | Guess passwords for default accounts. | `hydra -l admin -P passwords.txt ` | | **Default Credential Login** | Use known default credentials. | `ssh root@` | | **Account Misconfiguration** | Exploit accounts left enabled. | `net user Administrator` | | **SQL Default Account** | Exploit `sa` accounts in SQL Server. | `sqlcmd -S -U sa` | | **Remote Access via Admin** | Use default accounts over RDP/SSH. | `mstsc /v:` | *** ### ๐Ÿ›ก๏ธ **2. Detection Techniques** #### ๐Ÿ“Š **Manual Inspection with PowerShell** **๐Ÿ•ต๏ธ List Default Accounts in Windows** ```powershell Get-LocalUser | Where-Object { $_.Name -in @("Administrator", "Guest") } ``` **๐Ÿ•ต๏ธ Check if Default Accounts Are Enabled** ```powershell Get-LocalUser | Where-Object { $_.Enabled -eq $true } ``` **๐Ÿ•ต๏ธ List Accounts with Elevated Privileges** ```powershell Get-LocalGroupMember -Group "Administrators" ``` **๐Ÿ•ต๏ธ Check Recent Login Activity for Default Accounts** ```powershell Get-EventLog -LogName Security -InstanceId 4624 | Where-Object { $_.Message -like "*Administrator*" } ``` *** #### ๐Ÿ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **๐Ÿ•ต๏ธ Detect Default Account Logins** ```kusto SecurityEvent | where EventID == 4624 | where AccountName in ("Administrator", "Guest", "sa", "root", "admin") | project Timestamp, AccountName, IpAddress, LogonType, DeviceName ``` **๐Ÿ•ต๏ธ Identify Brute Force Attempts on Default Accounts** ```kusto SecurityEvent | where EventID == 4625 | where AccountName in ("Administrator", "Guest", "sa", "root", "admin") | summarize FailedAttempts = count() by AccountName, IpAddress | where FailedAttempts > 5 ``` **๐Ÿ•ต๏ธ Detect Default Account Modifications** ```kusto DeviceRegistryEvents | where RegistryKey contains "SAM" | where ActionType == "RegistryValueSet" | project Timestamp, DeviceName, RegistryKey, AccountName ``` **๐Ÿ•ต๏ธ Monitor Default SQL Account Logins (`sa`)** ```kusto DeviceProcessEvents | where ProcessCommandLine contains "sqlcmd" | where ProcessCommandLine contains "-U sa" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **๐Ÿ•ต๏ธ Identify Default Accounts Used for Remote Access** ```kusto DeviceNetworkEvents | where RemotePort in (3389, 22) | where AccountName in ("Administrator", "root", "admin") | project Timestamp, DeviceName, RemoteIP, RemotePort, AccountName ``` *** #### ๐Ÿ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | -------------------------------------------------------- | | **4624** | Successful login (Default accounts are often listed). | | **4625** | Failed login attempt (Repeated attempts are suspicious). | | **4720** | User account created. | | **4728** | User added to privileged group. | | **4732** | User added to global group. | **๐Ÿ“Œ Focus on Event ID 4624:** * Look for logins from: * `Administrator` * `Guest` * `sa` * `root` **๐Ÿ“Œ Focus on Event ID 4728:** * Look for additions to groups like: * `Administrators` * `Domain Admins` *** ### ๐Ÿ•ต๏ธ **3. Investigation Techniques** #### 1๏ธโƒฃ **Identify Enabled Default Accounts** ```powershell Get-LocalUser | Where-Object { $_.Name -in @("Administrator", "Guest") -and $_.Enabled -eq $true } ``` *** #### 2๏ธโƒฃ **Trace Account Activity** * Check event logs for recent usage: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object { $_.Message -like "*Administrator*" } ``` *** #### 3๏ธโƒฃ **Review Remote Access Logs** * Investigate remote sessions: ```powershell Get-EventLog -LogName Security -InstanceId 4624 | Where-Object { $_.Message -like "*RDP*" } ``` *** #### 4๏ธโƒฃ **Check SQL Server Login Logs** * Verify `sa` account activity: ```sql SELECT login_time, host_name, program_name FROM sys.dm_exec_sessions WHERE login_name = 'sa'; ``` *** ### ๐Ÿ”ง **4. Remediation Steps** #### ๐Ÿ“Œ **1. Disable Unused Default Accounts** ```powershell Disable-LocalUser -Name "Administrator" ``` #### ๐Ÿ“Œ **2. Enforce Strong Passwords for Default Accounts** ```powershell net user Administrator StrongP@ssw0rd! ``` #### ๐Ÿ“Œ **3. Remove Default Accounts from Admin Groups** ```powershell Remove-LocalGroupMember -Group "Administrators" -Member "Administrator" ``` #### ๐Ÿ“Œ **4. Monitor SQL Server `sa` Account** * Disable `sa` if not required: ```sql ALTER LOGIN sa DISABLE; ``` #### ๐Ÿ“Œ **5. Enable Account Lockout Policies** ```powershell net accounts /lockoutthreshold:5 ``` #### ๐Ÿ“Œ **6. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### ๐Ÿ›ก๏ธ **5. Prevention Steps** 1. **Disable Default Accounts if Not Required:** * Disable accounts like `Administrator`, `Guest`, and `sa`. 2. **Enforce Strong Password Policies:** * Ensure default accounts have strong, unique passwords. 3. **Monitor Default Account Activity:** * Alert on usage of default accounts in remote sessions or privileged tasks. 4. **Limit Default Account Permissions:** * Remove default accounts from sensitive groups. 5. **Use Multi-Factor Authentication (MFA):** * Add MFA to privileged accounts. 6. **Audit Regularly:** * Periodically review account usage logs and group memberships. *** ### ๐Ÿง  **6. Key Takeaways** * **Default Accounts are Low-Hanging Fruit:** Attackers often target them first. * **Disable Unused Accounts:** Remove or disable accounts like `Administrator` and `Guest`. * **Monitor Account Activity:** Use **Event IDs 4624, 4625, 4728**. * **Enforce Strong Passwords:** Always change default passwords. * **Use Multi-Factor Authentication:** Secure critical accounts with MFA. *** ## ๐Ÿšจ **Data Transfer Size Limits** *** ### ๐Ÿ” **1. Attack Breakdown** #### ๐Ÿ“ **What is Data Transfer Size Limit Abuse?** * Attackers often **manipulate data transfer limits** to **evade detection** while exfiltrating large volumes of data from a compromised network. * By transferring data in smaller chunks or obfuscating file sizes, attackers can bypass **Data Loss Prevention (DLP)** controls and avoid raising red flags. *** #### ๐Ÿ“‘ **Why Attackers Manipulate Data Transfer Size?** * **Avoid Detection:** Small or irregular data transfers may not trigger monitoring tools. * **Evade Threshold Alerts:** Many DLP systems flag unusually large transfers. * **Blend with Normal Traffic:** Break data into chunks to mimic typical user behavior. * **Exfiltrate Large Volumes Over Time:** Steady, small transfers are harder to detect. *** #### ๐Ÿ“Œ **Common Techniques for Data Transfer Size Manipulation** | **Technique** | **Description** | **Example Tools** | | -------------------------- | -------------------------------------------------------------------- | ---------------------- | | **Chunking** | Split large data files into smaller pieces for gradual exfiltration. | `split`, `7zip` | | **Compression** | Compress files to reduce size before transfer. | `gzip`, `WinRAR` | | **Encryption/Obfuscation** | Encrypt or encode data to hide its true size/type. | `openssl`, `base64` | | **Data Hiding** | Embed data within other file types (e.g., images, PDFs). | `steghide`, `ExifTool` | | **Low-Bandwidth Channels** | Use slow protocols (e.g., DNS tunneling) to avoid suspicion. | `dnscat2`, `iodine` | | **Alternate Protocols** | Use FTP, SFTP, or HTTP for stealthy data transfer. | `curl`, `scp` | *** #### ๐Ÿ“Œ **Common Attack Scenarios** 1. **Chunked Transfers Over FTP:** Files broken into small chunks and exfiltrated slowly. 2. **HTTP POST Data Exfiltration:** Small POST requests carrying encoded data. 3. **DNS Tunneling for Data Transfers:** Data exfiltrated over DNS queries. 4. **Email Attachment Abuse:** Data hidden in small email attachments. 5. **Cloud Services Abuse:** Small file uploads to cloud storage (e.g., Dropbox, Google Drive). *** ### ๐Ÿ›ก๏ธ **2. Detection Techniques** #### ๐Ÿ“Š **Manual Inspection with PowerShell** **๐Ÿ•ต๏ธ Monitor Unusual File Transfers** ```powershell Get-ChildItem -Path "C:\Users\*\Documents" -Recurse | Where-Object { $_.Length -gt 10485760 } ``` * Flag files larger than **10MB**. **๐Ÿ•ต๏ธ Monitor Recent Compressed Files** ```powershell Get-ChildItem -Path "C:\*" -Include *.zip, *.rar, *.7z -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } ``` **๐Ÿ•ต๏ธ Inspect Network Connections for Large Transfers** ```powershell Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notlike "192.168.*" } ``` **๐Ÿ•ต๏ธ Check Outbound DNS Traffic for Large Payloads** ```powershell Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DNS-Client/Operational'} ``` *** #### ๐Ÿ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **๐Ÿ•ต๏ธ Detect Large File Transfers** ```kusto DeviceFileEvents | where ActionType == "FileCopied" or ActionType == "FileUploaded" | where FileSize > 10485760 // Files larger than 10MB | project Timestamp, DeviceName, FileName, FolderPath, AccountName, FileSize ``` **๐Ÿ•ต๏ธ Monitor Chunked Data Transfers Over HTTP** ```kusto DeviceNetworkEvents | where Protocol == "HTTP" | where RemoteUrl contains "upload" | summarize TotalDataTransferred = sum(NetworkBytesSent) by RemoteUrl, AccountName | where TotalDataTransferred > 10485760 ``` **๐Ÿ•ต๏ธ Identify Compressed File Transfers** ```kusto DeviceFileEvents | where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z" | where ActionType == "FileCopied" | project Timestamp, DeviceName, FileName, FolderPath, AccountName ``` **๐Ÿ•ต๏ธ Detect DNS Tunneling Activity** ```kusto DeviceNetworkEvents | where RemotePort == 53 | where NetworkBytesSent > 512 | summarize TotalDataTransferred = sum(NetworkBytesSent) by RemoteIP | where TotalDataTransferred > 1048576 ``` **๐Ÿ•ต๏ธ Monitor Email Attachments with Large Files** ```kusto EmailEvents | where AttachmentSize > 10485760 | project Timestamp, SenderEmailAddress, RecipientEmailAddress, AttachmentSize, FileName ``` *** #### ๐Ÿ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | ------------------------------------------------------------ | | **4663** | Object Access: File copied or transferred. | | **5156** | Network connection allowed (large data transfers). | | **4688** | Process creation (e.g., `curl`, `scp`). | | **4104** | PowerShell script block execution (e.g., `split`, `base64`). | | **6005** | DNS requests (DNS tunneling detection). | **๐Ÿ“Œ Focus on Event ID 4663:** * Look for unusual file access or copying activity: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} | Where-Object { $_.Message -like "*copy*" } ``` **๐Ÿ“Œ Focus on Event ID 5156:** * Look for outbound connections with large amounts of data transferred. *** ### ๐Ÿ•ต๏ธ **3. Investigation Techniques** #### 1๏ธโƒฃ **Analyze Network Traffic** * Identify outbound traffic spikes to unknown destinations: ```powershell Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notlike "192.168.*" } ``` *** #### 2๏ธโƒฃ **Inspect Compressed/Archived Files** * Search for recent `.zip`, `.rar`, or `.7z` files: ```powershell Get-ChildItem -Path "C:\*" -Include *.zip, *.rar, *.7z -Recurse ``` *** #### 3๏ธโƒฃ **Trace DNS Queries for Data Transfer** * Identify large DNS payloads: ```powershell Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DNS-Client/Operational'} ``` *** #### 4๏ธโƒฃ **Review HTTP/S Traffic for Repeated Small Transfers** * Inspect log files for recurring patterns of file uploads. *** ### ๐Ÿ”ง **4. Remediation Steps** #### ๐Ÿ“Œ **1. Block Malicious IPs** ```powershell New-NetFirewallRule -DisplayName "Block Suspicious IP" -Direction Outbound -RemoteAddress -Action Block ``` #### ๐Ÿ“Œ **2. Quarantine Suspicious Files** ```powershell Move-Item -Path "C:\Users\*\Documents\large_archive.zip" -Destination "C:\Quarantine" ``` #### ๐Ÿ“Œ **3. Terminate Malicious Processes** ```powershell Stop-Process -Name "curl" -Force ``` #### ๐Ÿ“Œ **4. Monitor DNS Traffic for Tunneling** * Enable deep packet inspection on DNS traffic. #### ๐Ÿ“Œ **5. Enable Data Loss Prevention (DLP) Policies** * Apply limits to outbound file sizes. #### ๐Ÿ“Œ **6. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### ๐Ÿ›ก๏ธ **5. Prevention Steps** 1. **Enable Data Loss Prevention (DLP):** * Set thresholds for maximum file sizes. 2. **Implement Network Traffic Monitoring (NTM):** * Track large outbound connections. 3. **Monitor DNS Traffic:** * Detect DNS tunneling patterns. 4. **Block Unauthorized File Transfer Tools:** * Restrict tools like `curl`, `scp`, `ftp`. 5. **Encrypt Sensitive Files:** * Prevent plaintext data exfiltration. 6. **Implement Rate-Limiting Policies:** * Limit bandwidth for external file transfers. *** ### ๐Ÿง  **6. Key Takeaways** * **Data Exfiltration Often Hides in Plain Sight:** Small, frequent transfers can go unnoticed. * **DNS and HTTP/S Are Common Channels:** Monitor these protocols. * **Compression and Obfuscation Are Common Tactics:** Look for `.zip`, `.rar`, and `.7z` files. * **Enable DLP Policies:** Set file transfer thresholds. * **Regular Auditing is Crucial:** Monitor logs, network traffic, and DNS queries. *** ## ๐Ÿšจ **Process Doppelgรคngingysis** *** ### ๐Ÿ” **1. Attack Breakdown** #### ๐Ÿ“ **What is Process Doppelgรคnging?** * **Process Doppelgรคnging** is an advanced **code injection technique** that **bypasses antivirus and endpoint protection** by exploiting the Windows NTFS transaction feature. * It allows attackers to **create a malicious process** in a way that: * It **does not create a new file on disk**. * It **appears as a legitimate process**. * It **bypasses process monitoring tools**. #### ๐Ÿ“‘ **Why Attackers Use Process Doppelgรคnging?** * **Stealth:** Avoid detection by antivirus and monitoring tools. * **Fileless Execution:** No malicious file needs to be saved on disk. * **Privilege Escalation:** Run code with high privileges under a legitimate process name. * **Persistence:** Maintain stealthy access across reboots. *** #### ๐Ÿ“Œ **How Does Process Doppelgรคnging Work?** 1. **Transacted File Creation:** A malicious executable is written to disk using **Windows NTFS transactions**. 2. **Rollback Transaction:** The transaction is rolled back, making the file invisible. 3. **Process Creation:** The process is launched in a suspended state using the **rollback file**. 4. **Mapped Section Replacement:** Replace the memory section of the suspended process with malicious code. 5. **Process Execution:** Resume the process to execute the malicious payload. #### ๐Ÿ“Œ **Common Tools for Process Doppelgรคnging** | **Tool** | **Purpose** | | ------------------ | --------------------------------- | | **Mimikatz** | Credential theft | | **Cobalt Strike** | Post-exploitation framework | | **Metasploit** | Exploitation and payload delivery | | **Process Hacker** | Memory and process manipulation | *** ### ๐Ÿ›ก๏ธ **2. Detection Techniques** #### ๐Ÿ“Š **Manual Inspection with PowerShell** **๐Ÿ•ต๏ธ Check for Suspicious Processes Running in Suspended State** ```powershell Get-Process | Where-Object { $_.StartInfo.FileName -eq $null } ``` **๐Ÿ•ต๏ธ Inspect Processes Without Valid Executable Paths** ```powershell Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -eq $null } ``` **๐Ÿ•ต๏ธ Monitor NTFS Transactions** ```powershell Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NTFS/Operational'; Id=142} | Select-Object TimeCreated, Message ``` **๐Ÿ•ต๏ธ Inspect Process Tree Anomalies** ```powershell Get-WmiObject Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine ``` *** #### ๐Ÿ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **๐Ÿ•ต๏ธ Detect Suspended Processes with Malicious Command Line** ```kusto DeviceProcessEvents | where ProcessCreationTime > ago(1d) | where ProcessIntegrityLevel == "System" | where ProcessCommandLine contains "suspended" | project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountName ``` **๐Ÿ•ต๏ธ Look for NTFS Transaction Abuse** ```kusto DeviceFileEvents | where ActionType == "FileCreated" | where FolderPath contains "NTFS" | where FileName endswith ".tmp" | project Timestamp, DeviceName, FileName, FolderPath, AccountName ``` **๐Ÿ•ต๏ธ Identify Process Injection via Doppelgรคnging** ```kusto DeviceProcessEvents | where ProcessCommandLine contains "NtCreateTransaction" | where ProcessCommandLine contains "NtRollbackTransaction" | project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountName ``` **๐Ÿ•ต๏ธ Identify Suspicious Child Processes** ```kusto DeviceProcessEvents | where ParentProcessFileName in ("svchost.exe", "explorer.exe") | where ProcessCommandLine contains ".exe" | where ProcessCreationTime > ago(1d) | project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountName ``` **๐Ÿ•ต๏ธ Detect Memory Manipulation** ```kusto DeviceProcessEvents | where ProcessCommandLine contains "VirtualAlloc" | where ProcessCommandLine contains "WriteProcessMemory" | project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountName ``` *** #### ๐Ÿ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | ------------------------------------------ | | **4688** | A new process was created. | | **4656** | A handle to an object was requested. | | **4663** | An attempt was made to access an object. | | **142** | NTFS transaction activity. | | **592** | A new process was created (older systems). | **๐Ÿ“Œ Focus on Event ID 4688:** * Look for: ```kusto ProcessCommandLine: NtCreateTransaction ParentProcess: svchost.exe, explorer.exe ``` **๐Ÿ“Œ Focus on Event ID 142:** * Check NTFS transaction logs for suspicious activity. **๐Ÿ“Œ Focus on Event ID 4663:** * Look for access to unusual memory objects: ```makefile ObjectName: \Device\HarddiskVolumeShadowCopy ``` *** ### ๐Ÿ•ต๏ธ **3. Investigation Techniques** #### 1๏ธโƒฃ **Trace Suspicious Processes** * Identify parent-child process relationships: ```powershell Get-WmiObject Win32_Process | Where-Object { $_.ParentProcessId -eq } ``` *** #### 2๏ธโƒฃ **Inspect Memory Regions** * Check for suspicious memory sections in processes: ```powershell Get-Process -Id | Select-Object Handles, NPM, PM, WS ``` *** #### 3๏ธโƒฃ **Analyze NTFS Transactions** * Investigate NTFS logs: ```powershell Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NTFS/Operational'; Id=142} ``` *** #### 4๏ธโƒฃ **Check Recent Executable Activity** * Identify recently created temporary executables: ```powershell Get-ChildItem -Path "C:\Windows\Temp\" -Recurse -Include *.tmp, *.exe ``` *** #### 5๏ธโƒฃ **Trace DLL Injections** * List loaded DLLs for suspicious processes: ```powershell Get-Process -Id -Module ``` *** ### ๐Ÿ”ง **4. Remediation Steps** #### ๐Ÿ“Œ **1. Terminate Suspicious Processes** ```powershell Stop-Process -Id -Force ``` #### ๐Ÿ“Œ **2. Remove Malicious Files** ```powershell Remove-Item -Path "C:\Windows\Temp\suspicious.exe" -Force ``` #### ๐Ÿ“Œ **3. Clear NTFS Transaction Logs** ```powershell fsutil usn deletejournal /d /n c: ``` #### ๐Ÿ“Œ **4. Isolate Compromised Hosts** * Disconnect the system from the network. #### ๐Ÿ“Œ **5. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### ๐Ÿ›ก๏ธ **5. Prevention Steps** 1. **Enable Windows Defender Advanced Threat Protection (ATP):** * Monitor advanced attack techniques. 2. **Enable Process Auditing:** * Monitor Event IDs **4688**, **4663**, **142**. 3. **Disable Unnecessary NTFS Features:** * Limit NTFS transactions if not required. 4. **Use Application Control (AppLocker/WDAC):** * Block untrusted binaries. 5. **Apply Patches and Updates:** * Keep Windows OS updated. 6. **Restrict Admin Privileges:** * Limit the ability to create NTFS transactions. 7. **Educate Admins and IT Staff:** * Raise awareness about fileless attacks. *** ### ๐Ÿง  **6. Key Takeaways** * **Process Doppelgรคnging is Stealthy:** It bypasses traditional antivirus solutions. * **Focus on NTFS Logs:** Event ID **142** can reveal NTFS transaction abuse. * **Monitor Suspended Processes:** Check for processes with `VirtualAlloc` and `WriteProcessMemory`. * **Use Threat Intelligence:** Stay updated on tools like **Mimikatz** and **Cobalt Strike**. * **Implement Application Whitelisting:** Prevent untrusted binaries from executing. *** ## ๐Ÿšจ **Spearphishing via Service: Advanced Threat Analysis** *** ### ๐Ÿ” **1. Attack Breakdown** #### ๐Ÿ“ **What is Spearphishing via Service?** * **Spearphishing via Service** is a technique where attackers exploit **trusted third-party services (e.g., collaboration tools, cloud platforms, email services)** to deliver **malicious payloads** or **phishing links**. * Common targets include: * **Microsoft 365 (Outlook, Teams, SharePoint)** * **Google Workspace (Gmail, Drive, Docs)** * **Cloud Storage Platforms (Dropbox, OneDrive, Box)** * **Communication Platforms (Slack, Discord)** *** #### ๐Ÿ“‘ **Why Attackers Use Spearphishing via Service?** * **Trusted Platforms:** Emails and links originating from known services bypass traditional security filters. * **Spoofing Trust:** Legitimate domains increase user trust and click-through rates. * **Bypass Email Security:** Emails from trusted domains are less likely to be flagged. * **Credential Harvesting:** Fake login prompts on known services fool users. * **Payload Delivery:** Malicious attachments or links are hosted on legitimate platforms. *** #### ๐Ÿ“Œ **Common Techniques Used in Spearphishing via Service** | **Technique** | **Description** | **Example** | | ----------------------------- | ------------------------------------------------ | ------------------------------------------- | | **Cloud Hosted Payloads** | Malicious files hosted on cloud services. | `https://drive.google.com/file/d/123xyz` | | **Fake Login Pages** | Spoofed service login pages. | `https://microsoft-login.xyz` | | **Embedded Malicious Macros** | Documents with hidden malicious scripts. | `Document.docm` | | **URL Shorteners** | Obscure malicious links. | `bit.ly/abc123` | | **OAuth Token Theft** | Abuse OAuth permissions for unauthorized access. | `https://accounts.google.com/o/oauth2/auth` | | **Service Account Hijacking** | Compromise legitimate service accounts. | Attacker takes over `user@domain.com` | *** #### ๐Ÿ“Œ **Common Attack Scenarios** 1. **Malware via OneDrive Link:** A document hosted on OneDrive contains embedded malware. 2. **Phishing via Teams Message:** Fake login page sent through Microsoft Teams. 3. **OAuth Abuse in Google Workspace:** Attacker gains access via rogue OAuth app. 4. **Fake Dropbox Notification:** โ€œYour document is ready, click here to view.โ€ *** ### ๐Ÿ›ก๏ธ **2. Detection Techniques** #### ๐Ÿ“Š **Manual Inspection with PowerShell** **๐Ÿ•ต๏ธ Search Recent Suspicious Emails** ```powershell Get-EventLog -LogName Security | Where-Object { $_.Message -like "*phishing*" } ``` **๐Ÿ•ต๏ธ Monitor Downloads from Cloud Services** ```powershell Get-ChildItem -Path "C:\Users\*\Downloads" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } ``` **๐Ÿ•ต๏ธ Check for Suspicious URLs in Logs** ```powershell Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Where-Object { $_.Message -like "*http*" } ``` **๐Ÿ•ต๏ธ Inspect Browser History for Suspicious Links** ```powershell Get-ChildItem -Path "C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History" ``` *** #### ๐Ÿ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **๐Ÿ•ต๏ธ Identify Suspicious URLs in Emails** ```kusto EmailEvents | where EmailDirection == "Inbound" | where ThreatTypes contains "Phishing" | where Url contains "drive.google.com" or Url contains "dropbox.com" | project Timestamp, SenderEmailAddress, RecipientEmailAddress, ThreatTypes, Url ``` **๐Ÿ•ต๏ธ Detect Malicious Document Downloads** ```kusto DeviceFileEvents | where FolderPath contains "Downloads" | where FileName endswith ".docm" or FileName endswith ".xlsm" | project Timestamp, DeviceName, FileName, FolderPath, AccountName ``` **๐Ÿ•ต๏ธ Identify OAuth Token Abuse** ```kusto CloudAppEvents | where ActionType == "OAuthGrant" | where AppDisplayName contains "Unknown" | project Timestamp, AppDisplayName, AccountName, IpAddress ``` **๐Ÿ•ต๏ธ Monitor Microsoft Teams/Slack Activity** ```kusto DeviceProcessEvents | where ProcessCommandLine contains "teams.exe" or ProcessCommandLine contains "slack.exe" | where ProcessCommandLine contains "http" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **๐Ÿ•ต๏ธ Check for Suspicious File Execution** ```kusto DeviceProcessEvents | where FolderPath contains "Downloads" | where ProcessCommandLine contains ".docm" or ProcessCommandLine contains ".js" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` *** #### ๐Ÿ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | --------------------------------------------- | | **4688** | A new process was created. | | **4663** | Object access attempt (e.g., file download). | | **4104** | PowerShell script block logging. | | **5156** | Network connection allowed (HTTP/S requests). | | **1202** | OAuth grant (Azure AD). | **๐Ÿ“Œ Focus on Event ID 4688:** * Look for: ```vbnet ProcessName: powershell.exe ProcessCommandLine: Invoke-WebRequest -Uri "https://malicious.link" ``` **๐Ÿ“Œ Focus on Event ID 4663:** * File downloaded from: ```makefile FolderPath: C:\Users\\Downloads FileType: .docm, .xlsm ``` *** ### ๐Ÿ•ต๏ธ **3. Investigation Techniques** #### 1๏ธโƒฃ **Analyze Malicious URLs** * Verify URL reputation: * **VirusTotal:** `https://www.virustotal.com` * **URLScan:** `https://urlscan.io` *** #### 2๏ธโƒฃ **Inspect OAuth Grants** * Review recent OAuth permissions: ```powershell Get-AzureADServicePrincipal -All $true ``` *** #### 3๏ธโƒฃ **Trace Malicious Downloads** * List recent downloads: ```powershell Get-ChildItem -Path "C:\Users\*\Downloads" ``` * Check file hash: ```powershell Get-FileHash -Path "C:\Users\User\Downloads\malware.docm" ``` *** #### 4๏ธโƒฃ **Inspect User Activity** * Review sign-in logs: ```kql SigninLogs | where AppDisplayName contains "Microsoft Teams" | where Status == "Failure" ``` *** #### 5๏ธโƒฃ **Check OAuth Audit Logs** * Look for suspicious app grants: ```kql AuditLogs | where OperationName == "Consent to application" ``` *** ### ๐Ÿ”ง **4. Remediation Steps** #### ๐Ÿ“Œ **1. Revoke OAuth Permissions** * Revoke malicious OAuth grants: ```powershell Remove-AzureADServiceAppRoleAssignment ``` #### ๐Ÿ“Œ **2. Quarantine Malicious Files** ```powershell Move-Item -Path "C:\Users\User\Downloads\malware.docm" -Destination "C:\Quarantine" ``` #### ๐Ÿ“Œ **3. Block Malicious URLs** ```powershell New-NetFirewallRule -DisplayName "Block Malicious URL" -Direction Outbound -RemoteAddress -Action Block ``` #### ๐Ÿ“Œ **4. Reset Compromised Accounts** * Force password reset: ```powershell net user User NewP@ssw0rd! ``` #### ๐Ÿ“Œ **5. Terminate Malicious Processes** ```powershell Stop-Process -Name "powershell" -Force ``` *** ### ๐Ÿ›ก๏ธ **5. Prevention Steps** 1. **Enable Safe Links and Safe Attachments (Microsoft 365):** * Prevent malicious URLs and attachments. 2. **Enforce Multi-Factor Authentication (MFA):** * Reduce credential theft risk. 3. **Block Macros by Default:** * Prevent execution of malicious macros. 4. **Restrict OAuth Consent:** * Require admin approval for OAuth permissions. 5. **Train Users:** * Educate employees about phishing indicators. 6. **Enable DLP (Data Loss Prevention):** * Monitor cloud-based file activities. *** ### ๐Ÿง  **6. Key Takeaways** * **Spearphishing via Services Leverages Trust:** Hosted on legitimate services like OneDrive or Dropbox. * **OAuth is a Growing Attack Vector:** Monitor app grants closely. * **Focus on Event IDs:** **4688, 4663, 5156, 1202.** * **Use Threat Intelligence Tools:** Validate links with **VirusTotal** and **URLScan**. * **User Awareness is Key:** Continuous training is essential. *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xmedhat.gitbook.io/whoami/attacks-and-detections/part-4.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.