No matter how long you have been performing IT or security work, consult your peers before taking action.
This is especially true during exploitation and Command and Control (C2) setup. Simple mistakes often lead to the Red Team being discovered too early in the engagement. Look at the command below. It could be run to provide general situational awareness on a Linux system. What is the expected output of the following command?
netstat -antb
The command above is a netstat invocation for a Windows host. Linux netstat does not have the "b" option and responds with an "invalid option" error instead of the connection table. Think about it:
Have you ever typed ifconfig instead of ipconfig?
Have you ever typed rm in the wrong directory?
Have you ever entered credentials only to discover they were "fat fingered" (after an access error)?
While these are oversimplifications, they represent the need for peer review on tools, C2 setup, execution, and even cleanup. Mistakes can lead to accidental exposure on a Red Team engagement. This can cause significant setbacks and reduce the quality of an engagement.
Understand the Tools and Technologies Used
Knowing what functionality a tool provides is only one-third of the equation. Before a new tool (script, application, binary, process, etc.) is used on a target system, it must be tested, undergo an internal vetting process, and be added to an official toolset.
So how do we complete the equation? By asking:
● What artifacts does the tool leave behind?
● Are any files modified during execution?
● Are there tells in the network traffic?
● Does the tool have negative impacts on specific versions of an OS (it works fine on Windows 8 but causes a system error on another version)?
● Does the tool attempt to run as a specific user or, worse, create a user/group?
● Does the tool try to call home for updates?
○ This can trigger defensive alerts identifying unauthorized persons or software on the network.
Think about psexec. What is it? The most common answer refers to the PsExec.exe tool from Sysinternals [13]. What does it do? At a high level, it executes commands on a local or remote Windows system.
What does it do in terms of indicators?
● Copies a service file to the remote system
● Enters a service key into the Registry
● Creates a prefetch file
● Creates an entry in the Application Compatibility Cache
● Creates a logon event
● Creates a profile folder for the remote user
● Attempts to remove the service file and key when exiting (not always successful)
What happens when using the tool's other command-line options?
How does this differ from the PowerShell implementations of psexec?
In short, you must understand how a tool or technique interacts with a target, what network traffic it may generate, and what traces it may leave behind. In the case of psexec, this can be considered a lateral movement technique rather than a specific tool. There are multiple methods of achieving the result PsExec.exe provides without the tool itself.
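The vetting questions listed earlier and the PsExec indicator list above can be turned into a repeatable lab procedure. The PowerShell script below is an added example, not code from the original text: on a throwaway Windows VM it snapshots the artifact classes this page names (services, service keys in the Registry, prefetch files, profile folders, local users and groups, listening ports), runs the candidate tool, diffs the two snapshots, lists files written under the Windows directory and TEMP during the run, and pulls the service-install (System event 7045) and logon (Security event 4624) records written since the run started. The tool path and the five-second settle time are assumptions; it requires an elevated PowerShell 5.1 or newer session.

```powershell
<#
  Added example (not from the original page): vet a candidate tool on a lab
  Windows VM by snapshotting host state before and after it runs, then
  diffing the snapshots. Run from an elevated PowerShell 5.1+ session.
  Usage:  .\Vet-Tool.ps1 -ToolCommand { & 'C:\lab\candidate.exe' }
  (the tool path above is a placeholder, not a real artifact)
#>
param(
    [Parameter(Mandatory = $true)]
    [scriptblock]$ToolCommand,
    [int]$SettleSeconds = 5   # assumption: time for services/prefetch to flush to disk
)

function Get-HostSnapshot {
    # Artifact classes taken from the vetting checklist and the PsExec indicator list.
    [pscustomobject]@{
        Services    = @(Get-Service | Select-Object -ExpandProperty Name | Sort-Object)
        ServiceKeys = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
                        Select-Object -ExpandProperty PSChildName | Sort-Object)
        Prefetch    = @(Get-ChildItem "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
                        Select-Object -ExpandProperty Name | Sort-Object)
        Profiles    = @(Get-ChildItem "$env:SystemDrive\Users" -Directory |
                        Select-Object -ExpandProperty Name | Sort-Object)
        LocalUsers  = @(Get-LocalUser | Select-Object -ExpandProperty Name | Sort-Object)
        LocalGroups = @(Get-LocalGroup | Select-Object -ExpandProperty Name | Sort-Object)
        Listeners   = @(Get-NetTCPConnection -State Listen |
                        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } | Sort-Object -Unique)
    }
}

function Compare-HostSnapshot {
    param($Before, $After)
    # Report every item that appeared or disappeared in each artifact class.
    foreach ($class in $Before.PSObject.Properties.Name) {
        Compare-Object -ReferenceObject $Before.$class -DifferenceObject $After.$class |
            ForEach-Object {
                $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
                [pscustomobject]@{ Class = $class; Change = $change; Item = $_.InputObject }
            }
    }
}

$start  = Get-Date
$before = Get-HostSnapshot

# Run the candidate tool under test, then let the OS settle.
& $ToolCommand | Out-Null
Start-Sleep -Seconds $SettleSeconds

$after = Get-HostSnapshot

"== Persistent artifacts (added/removed) =="
Compare-HostSnapshot -Before $before -After $after | Format-Table -AutoSize

"== Files written under $env:SystemRoot and $env:TEMP since start =="
Get-ChildItem -Path $env:SystemRoot, $env:TEMP -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $start } |
    Select-Object -ExpandProperty FullName

"== Service installs (System 7045) and logons (Security 4624) since start =="
foreach ($filter in @(@{ LogName = 'System'; Id = 7045 }, @{ LogName = 'Security'; Id = 4624 })) {
    $filter.StartTime = $start
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}
```

Two caveats apply. The script sees only host-side traces, so run a packet capture on the lab segment during the same window to answer the "tells in the network traffic" and "call home for updates" questions. And the Application Compatibility Cache is flushed to the Registry at shutdown rather than at execution time, so that indicator is checked by rebooting the VM and parsing the cache afterwards, not by this before/after diff.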