-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathLateral Movement Notes
45 lines (32 loc) · 3 KB
/
Lateral Movement Notes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Microsoft-Windows-SMBServer%4Audit.evtx - 3000 connection in; 30806 connection out
Microsoft-Windows-TerminalService-RDPClient%4Operational.evtx - 1024 RDP connection out <Dest IP>; 1102 - RDP connection out <Dest IP>
Microsoft-Windows-WinRM%4Operational.evtx - 6 WSMan session out <dest hostname>; 91 WSMan shell on system (connection in)
Microsoft-Windows-RemoteDesktopService-RdpCoreTs - 131 New TCP connection from <source IP> and <username> (connection in)
TerminalServices-RemoteConnectionManager - 1149 RDP authentication sucessful from <source IP> and <username>
TerminalServices-LocalSessionManager - 21 - RDP logon sucessful from <source IP> and <source username>
System - 7045 - service install PSExeSvc
Security - 4624 - Account Login; 4648 - Attemptd login using RunAs/Explicit creds; 4672 - special privileges assigned to new login; 4776 - login with NTLM instead of Kerberos; 4778 - session was reconnected; 5140 - networkshare was accessed; 5145 - network share was checked if it could be accessed
HKCU\Software\Microsoft\Terminal Server Client
\Servers - subkeys include remote system accessed via RDP
\Default - contain remote systems acccessed via RDP. Value name MRU<int> suggests access order with MRU0 being latest
HKCU\Network\ - subkeys include drive letters of mapped shares (RemotePath value includes the mapped shares)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer - MountPoints 2 - Subkeys include remote share mounted/mapped on source system; Map Network Drive MRU - MRU list suggest order of mapped drives from latest to earliers; RunMRU - data contains mapped remote shares;TypedPaths - may contain data regarding remote shares access via explorer
Shellbags - Interacting with shares in Explorer Window
Ntuser.dat\software\microsoft\windows\shell\bagmru\*
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bagmru\**
---Destination hostname\IP of network share along with username
C:\users\*\appdata\roaming\microsoft\windows\recent\*.lnk - can contain destination hostname/IP of network share accessed via shortcut file along w/ username
User Access Logs - Server 2012+ - Can show what user accessed the server from 1+ week out (server logs sometimes turnsover quickly, so this can be somewhere to check)
C:\Windows\System32\LogFiles\SUM\*.mdb
current.mdb - remote access from source system including username and type of access
systemidenity.mdb - contains roles assigned to the system
<GUID>.mdb - contains data up to 2 years prior; Different GUID for file server, remote server, webserver, and FTP server
Remote access tools -
Teamviewer
Anydesk
WinSCP - ntuser.dat\software\Martin Prikryl\WinSCP 2\*
SSH Access - OpenSSH Event log - OpenSSH%4Operational.evtx
Altera - HKLM\Software\Atera Networks\AlphaAgent\**
Putty - ntuser.dat\software\SimonTatham\Putty\SshHostKeys
Splashtop - HKLM\Software\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo (also check Application.evtx)
ScreenConnect/ConnectWise - Application.evtx - not very verbose, just says there was a connection