Method 1: using psexec to move laterally
After obtaining valid privileged domain credentials (here EXAMPLE\admin01), the attacker creates a fake computer account using Net.exe: it is an ordinary domain user account whose name ends with a trailing dollar sign (EXAMPLE\SERVER01$), so that it looks like a machine account.
Because a user account was created rather than a real computer account, this generates event 4720 (A user account was created) instead of 4741 (A computer account was created), and the new TargetUserName ends with "$":
Next the attacker will use psexec.exe to start a privileged interactive shell from PC01 to the Primary Domain Controller (10.0.2.15):
This action generates the PsExec execution artifacts we already discussed in a previous post. In this case we are more interested in the artifacts related to the use of the fake/rogue computer account (SERVER01$).
On PC01 (the client), as shown below, no file system user profile is loaded for SERVER01$, which is expected since no local authentication with that account took place:
The same holds on the server side (10.0.2.15, the DC): no file system or registry user profile is loaded, which is also expected because the remote process runs in the context of the system service PsExec created (here named spoolsrv):
For more information about the different windows user profiles please refer to this article.
Method 2: Using net use to move laterally with the fake computer account
As for method 1, no user profile is loaded (no registry hive, no file system profile, and nothing in the User Profile Service application log). BUT because the authentication went through NTLM, the event logs below can help us spot the abnormal authentication activity (if they are monitored):
Note that in 4624 the source workstation name is not always populated: it is filled in when the authentication package is NTLM, while for Kerberos it is usually "-".
Method 3: Logon with explicit credentials using RunAs utility
As for method 2, the authentication goes over NTLM, which generates the same artifacts:
Takeaways:
- No user profile (file system or registry) is loaded on either side for any of the remote access methods above.
- If NTLM is the authentication package, the source workstation name is populated in 4624; if it is Kerberos, usually only the source IP is logged.
- net user (and net user /domain) only lists accounts whose names do not end with "$", so an account such as SERVER01$ is hidden from that output even though it is a user account and not necessarily a real computer account.
- Implement the use cases we've shared in Part 1/2 of this post.
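The two use cases the takeaways point at, written out as detection logic over Security-log events (an added example, not code from the original post). Events are modelled as dicts keyed by the real 4720/4624 EventData field names; the sample events at the bottom are constructed to mirror the scenario above (SERVER01$ created from PC01, then used for an NTLM network logon) and are not captured data. The hostname-mismatch rule generalises the 4624 takeaway: a genuine computer account normally logs on from the host whose name it carries, so an NTLM logon by SERVER01$ with WorkstationName PC01 is suspect even without the 4720 correlation.

```python
"""Rogue "computer-like" user account detection (added example).

Rule 1: a 4720 whose TargetUserName ends with '$'.  A real domain join logs
        4741, so a 4720 with a machine-style name is a user account made to
        look like a computer account.
Rule 2: a 4624 network logon (LogonType 3) by a '$' account that either was
        created via 4720, or went over NTLM from a workstation whose name
        does not match the account's own host name.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "rule account source detail")


def rogue_computer_accounts(events):
    """Return the set of '$'-suffixed names created through 4720 (Rule 1)."""
    return {
        e["TargetUserName"]
        for e in events
        if e.get("EventID") == 4720 and e.get("TargetUserName", "").endswith("$")
    }


def suspicious_machine_logons(events, rogue=None):
    """Return Findings for 4624 network logons by machine-named accounts (Rule 2).

    Genuine computer accounts do fall back to NTLM (e.g. when a share is
    reached by IP address), so NTLM alone is not flagged; it is combined with
    a WorkstationName that is populated and differs from the account's host.
    """
    rogue = rogue if rogue is not None else set()
    findings = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != "3":
            continue
        account = e.get("TargetUserName", "")
        if not account.endswith("$"):
            continue
        workstation = e.get("WorkstationName", "-")
        if account in rogue:
            findings.append(Finding("rogue-account-logon", account, workstation,
                                    "account was created via 4720, not 4741"))
            continue
        ntlm = e.get("AuthenticationPackageName", "").upper() == "NTLM"
        populated = workstation not in ("", "-")
        if ntlm and populated and workstation.upper() != account[:-1].upper():
            findings.append(Finding("machine-name-mismatch", account, workstation,
                                    "NTLM logon from a host other than the account's own"))
    return findings


# Constructed sample events (assumed field values, not captured logs).
SAMPLE_EVENTS = [
    # 4720: fake account SERVER01$ created by admin01
    {"EventID": 4720, "TargetUserName": "SERVER01$", "SubjectUserName": "admin01"},
    # 4624: NTLM network logon with the fake account, source workstation PC01
    {"EventID": 4624, "TargetUserName": "SERVER01$", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "WorkstationName": "PC01"},
    # 4624: genuine computer account over Kerberos, workstation name is "-"
    {"EventID": 4624, "TargetUserName": "PC01$", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "-"},
    # 4624: genuine computer account over NTLM from its own host (benign)
    {"EventID": 4624, "TargetUserName": "PC02$", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "WorkstationName": "PC02"},
]


def run(events=SAMPLE_EVENTS):
    """Correlate Rule 1 with Rule 2 over a batch of events."""
    return suspicious_machine_logons(events, rogue_computer_accounts(events))


if __name__ == "__main__":
    for f in run():
        print(f"[{f.rule}] {f.account} from {f.source}: {f.detail}")
```

In a real deployment the 4720 set would be built over a retention window (the fake account may be created days before it is used) and the Kerberos case, where WorkstationName is "-", needs the IpAddress field correlated against asset inventory instead.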
References:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/troubleshoot-user-profiles-events