TryHackMe windows sysmon utilize to monitor and log your endpoint and environments

    Sysmon, a tool used to monitor and log events on Windows, is commonly used by enterprises as part of their monitoring and logging solutions. Part of the Windows Sysinternals package, Sysmon is similar to Windows Event Logs with further detail and granular control.




    Task 2 Sysmon Overview


    Sysmon Overview


    From the Microsoft Docs, "System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network."


    Sysmon is used to get more detailed, higher-quality logs and event tracing to aid in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with a SIEM or other log parser to ingest and visualize/filter the events. Sysmon is a binary executed on endpoints, and the events it generates are then forwarded to a SIEM. In this room, we will focus on Sysmon itself and the events that it provides.

    Events within Sysmon are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.




    Sysmon Config Overview


    Sysmon requires a config file in order to tell the binary how to analyze the events that it is receiving. You can create your own Sysmon config or you can download a config. An example of a high-quality config that works well for identifying anomalies is the sysmon-config by SwiftOnSecurity. Sysmon includes 24 different types of Event IDs, all of which can be used within the config to specify how the events should be handled and analyzed. Below we will go over a few of the most important Event IDs and show examples of how they are used within config files.


    When creating or modifying configuration files you will notice that a majority of rules in sysmon-config exclude events rather than include events. This is because there will be a lot more noise in your environment than anomalies; by excluding normal activity you decrease the number of events and alerts you will have to manually audit or search through in a SIEM. A config can instead have a lot of include rules, which is typically a much more proactive ruleset than one built mainly from exclude rules; an example of this is the ION-Storm sysmon-config fork. You will have to play with and modify configuration files to find what you prefer. This may also already be set up for you if you're coming onto an existing SOC team, so be prepared to be flexible when monitoring.


    Note: As there are so many Event IDs Sysmon analyzes, we will only be going over a few of the ones that we think are most important to understand.



    Event ID 1: Process Creation


    This event will look for any processes that have been created. You can use this to look for known suspicious processes or processes with typos that would be considered an anomaly. This event will use the CommandLine and Image XML tags.




    <RuleGroup name="" groupRelation="or">
        <ProcessCreate onmatch="exclude">
             <CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc</CommandLine>
        </ProcessCreate>
    </RuleGroup>




    The above code snippet specifies the Event ID to pull from as well as the condition to look for; in this case, it excludes process creation events whose command line is exactly that svchost.exe camsvc invocation from the event logs.




    Event ID 3: Network Connection


    The network connection event will look for events that occur remotely. This will include files and sources of suspicious binaries as well as opened ports. This event will use the Image and DestinationPort XML tags.



    <RuleGroup name="" groupRelation="or">
        <NetworkConnect onmatch="include">
             <Image condition="image">nmap.exe</Image>
             <DestinationPort name="Alert,Metasploit" condition="is">444</DestinationPort>
        </NetworkConnect>
    </RuleGroup>


     

    The above code snippet includes two ways of looking for suspicious activity within network connections. The first way will look for files transmitted over open ports; in this case it is specifically looking for nmap.exe, which will then be reflected in the event logs. The second method will look for open ports; in this case 444 is a known port used with Metasploit, so it will create the event as well as generate an alert for it.





    Event ID 7: Image Loaded


    This event will look for DLLs loaded by processes; this can be useful when hunting for DLL injection, DLL hijacking, etc. It is recommended to exercise caution when using this Event ID as it causes a high system load. This event will use the Image, Signed, ImageLoaded, and Signature XML tags.



    <RuleGroup name="" groupRelation="or">
        <ImageLoad onmatch="include">
             <ImageLoaded condition="contains">\Temp\</ImageLoaded>
        </ImageLoad>
    </RuleGroup>



    The above code snippet will look for any DLLs that have been loaded within the \Temp\ directory. If a DLL is loaded within this directory it can be considered an anomaly and require further investigation.




    Event ID 8: CreateRemoteThread



    The CreateRemoteThread Event ID will monitor for processes injecting code into other processes. This can be used for legitimate tasks and applications or it can be used by malware to hide its actions. This event will use the SourceImage, TargetImage, StartAddress, and StartFunction XML tags.



    <RuleGroup name="" groupRelation="or">
        <CreateRemoteThread onmatch="include">
             <StartAddress name="Alert,Cobalt Strike" condition="end with">0B80</StartAddress>
             <SourceImage condition="contains">\</SourceImage>
        </CreateRemoteThread>
    </RuleGroup>



    The above code snippet shows two ways of analyzing for CreateRemoteThread. The first method will look at the memory address for a specific ending condition; this specific condition is an indicator of a Cobalt Strike beacon. The second method will look for injected processes that do not have a parent process; this is considered an anomaly and requires further investigation.




    Event ID 11: File Created


    This event will analyze events for file names or signatures that have been created on the endpoint. This will be one of the easiest ways to cut down a lot of alerts as well as quickly identify a lot of simple attacks simply by identifying names and signatures of files on disk. This event uses TargetFilename XML tags.



    <RuleGroup name="" groupRelation="or">
        <FileCreate onmatch="include">
             <TargetFilename name="Alert,Ransomware" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
        </FileCreate>
    </RuleGroup>




    The above code snippet is an example of a ransomware event monitor. This is just one example of a variety of different ways you can utilize Event ID 11.




    Event ID 12 / 13 / 14: Registry Event


    This event will analyze any changes or modifications to the registry. Malicious activity from the registry can include persistence and credential abuse. This event uses TargetObject XML tags.




    <RuleGroup name="" groupRelation="or">
        <RegistryEvent onmatch="include">
             <TargetObject name="T1484" condition="contains">Windows\System\Scripts</TargetObject>
        </RegistryEvent>
    </RuleGroup>




    The above code snippet will look for registry objects that are in the "Windows\System\Scripts" directory; this is a common directory for adversaries to place persistence scripts.





    Event ID 15: FileCreateStreamHash



    This event will look for any files created in an alternate data stream. This is a common technique used by adversaries to hide malware. This event uses TargetFilename XML tags.




    <RuleGroup name="" groupRelation="or">
        <FileCreateStreamHash onmatch="include">
             <TargetFilename condition="end with">.hta</TargetFilename>
        </FileCreateStreamHash>
    </RuleGroup>




    The above code snippet will look for files with the .hta extension that have been placed within an alternate data stream.






    Event ID 22: DNS Event



    This event will log all DNS queries and events for analysis. The most common way to deal with these events is to exclude all trusted domains that you know will be very common "noise" in your environment. Once you get rid of the noise you can then look for DNS anomalies. This event uses QueryName XML tags.



    <RuleGroup name="" groupRelation="or">
        <DnsQuery onmatch="exclude">
             <QueryName condition="end with">.microsoft.com</QueryName>
        </DnsQuery>
    </RuleGroup>




    The above code snippet will exclude any DNS events whose query name ends with .microsoft.com. This will get rid of the noise that you see within the environment.



    There are a variety of ways and tags that you can use to customize your configuration files. We will be using the ION-Storm and SwiftOnSecurity config files for the rest of this room; however, feel free to use your own configuration files.

    Read the above and become familiar with the Sysmon Event IDs.

    Investigating File Download Here :-

    Task 3 Installing and Preparing Sysmon


    Installing Sysmon


    The installation for Sysmon is fairly straightforward and only requires you to download a binary from the Microsoft website. You can also download all of the Sysinternals tools with a PowerShell command if you wanted to rather than grabbing a single binary. It is also recommended to use a Sysmon config file along with Sysmon to get more detailed and high-quality event tracing. As an example config file we will be using the sysmon-config file from the SwiftOnSecurity GitHub repo.


    You can find the Sysmon binary on the Microsoft Sysinternals website. You can also download the Microsoft Sysinternals Suite, or use the command below, which runs a PowerShell module that downloads and installs all of the Sysinternals tools.



    PowerShell command: Download-SysInternalsTools C:\Sysinternals




    To fully utilize Sysmon you will also need to download a Sysmon config or create your own config. We suggest downloading the SwiftOnSecurity sysmon-config. A Sysmon config will allow for further granular control over the logs as well as more detailed event tracing. In this room, we will be using both the SwiftOnSecurity configuration file as well as the ION-Storm config file.





    Starting Sysmon


    To start Sysmon you will want to open a new PowerShell or Command Prompt as an Administrator. Then run the command below; it will execute the Sysmon binary, accept the end-user license agreement, and start Sysmon with the SwiftOnSecurity config file.


    Command Used: Sysmon.exe -accepteula -i sysmonconfig-export.xml




    Now that Sysmon is started with the configuration file we want to use, we can look at the Event Viewer to monitor events. The event log is located under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.

    Note: At any time you can change the configuration file used by uninstalling or updating the current configuration and replacing it with a new configuration file. For more information look through the Sysmon help menu.

    If installed correctly your event log should look similar to the following.


    For this room, we have already created an environment with Sysmon and configuration files already installed. Deploy and use this machine for the remainder of this room.



    Machine IP: MACHINE_IP

    User: THM-Analyst

    Pass: 5TgcYzF84tcBSuL1Boa%dzcvf

    Task 4 Cutting out the Noise



    Malicious Activity Overview


    Since most of the normal activity or "noise" seen on a network is excluded or filtered out with Sysmon, we can focus on only the important events, allowing us to quickly identify and investigate suspicious activity. When actively monitoring a network you will want to use multiple detections and techniques simultaneously to optimize your hunt. For this room, we will only be looking at what suspicious logs look like with both Sysmon configs and how to optimize your hunt using only Sysmon. We will be looking at how to detect ransomware, persistence, Mimikatz, Metasploit, and C2 beacons. Obviously, this is only a small handful of events that can happen in an environment; however, the hunting methodology is largely the same, as Sysmon and the configuration file do a majority of the analysis for you.


    You can download the event logs used in this room from this task or you can open them in the Practice folder on the provided machine.




    Sysmon "Best Practices"



    Sysmon offers a fairly open and configurable platform for you to use how you or your company want but there are generally a few best practices that you can implement to ensure you're operating efficiently and not missing any possible threats. A few common best practices are outlined and explained below.



    • Exclude > Include

    When creating rules for your Sysmon configuration file it is typically best to prioritize excluding events rather than including events; this prevents you from accidentally missing crucial events and leaves you with only the events that matter the most.




    • CLI gives you further control



    As is common with most applications, the CLI gives you the most control and filtering, allowing for more granular control than the GUI. You can use either Get-WinEvent or wevtutil.exe to access and filter logs. As you incorporate Sysmon into your SIEM or other detection implementations these tools will become less used and needed.


    • Know your environment before implementation



    This should be considered with any platform or tool you implement in a production environment: you should have a firm understanding of the network or environment you are working within to fully understand what is normal and what is suspicious, so you can effectively craft your rules.




    Filtering Events with Event Viewer


    Event Viewer is not the best for filtering events but it offers a small amount of control over logs. The main filter you will be using with Event Viewer is by filtering the EventID and keywords; you can also choose to filter by writing XML but this is tedious and typically not recommended.


    To open the filter menu select Filter Current Log from the Actions menu.




    If you have successfully opened the filter menu it should look like the menu below.

    From this menu, we can add any filters or categories that we want.






    Filtering Events with PowerShell


    To view and filter events with PowerShell we will be using Get-WinEvent along with XPath queries. We can use any XPath queries that can be found in the XML view of events, and we will be using wevtutil.exe to view events once filtered. The command line is typically used over the Event Viewer GUI because it allows for more granular control and filtering than the GUI offers. For more information about using Get-WinEvent and wevtutil.exe check out the Windows Event Log room by Heavenraiza.


    For this room, we will only be going over a few basic filters as the Windows Event Log room already extensively covers this topic.


    Filter by Event ID: */System/EventID=<ID>


    Filter by XML Attribute/Name: */EventData/Data[@Name="<XML Attribute/Name>"]



    Filter by Event Data: */EventData/Data=<Data>


    We can put these filters together with various attributes and data to get the most control out of our logs. Look below for an example of using Get-WinEvent to look for network connections to destination port 444.



    Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=444'
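    As an added example (not part of the room or this page), the following Python script runs the same EventID=3 / DestinationPort=444 filter over a few constructed Sysmon events in the XML shape Event Viewer shows. It also shows a caveat of the query as written: in XPath, */EventData/Data=444 is true when any Data element equals 444, so an event whose SourcePort is 444 also passes; pinning the comparison to the named field (*/EventData/Data[@Name="DestinationPort"]=444) avoids that. The sample events and the omitted event-log xmlns are assumptions made here for brevity.

```python
import xml.etree.ElementTree as ET

# Constructed sample events (not exported from a real host). The xmlns of real
# Windows event XML is omitted so the element paths stay short.
# Event 1: nmap.exe connecting to destination port 444 (what the query wants).
# Event 2: svchost.exe whose *source* port is 444 and destination port 443.
# Event 3: a process-creation event (ID 1) whose ProcessId happens to be 444.
SAMPLE_EVENTS = r"""
<Events>
  <Event>
    <System><EventID>3</EventID><TimeCreated SystemTime="2021-01-06T01:35:50.464Z"/></System>
    <EventData>
      <Data Name="Image">C:\Tools\nmap.exe</Data>
      <Data Name="SourcePort">50321</Data>
      <Data Name="DestinationPort">444</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>3</EventID><TimeCreated SystemTime="2021-01-06T01:36:02.101Z"/></System>
    <EventData>
      <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
      <Data Name="SourcePort">444</Data>
      <Data Name="DestinationPort">443</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>1</EventID><TimeCreated SystemTime="2021-01-06T01:36:30.000Z"/></System>
    <EventData>
      <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
      <Data Name="ProcessId">444</Data>
    </EventData>
  </Event>
</Events>
"""


def load_events(xml_text):
    """Parse an <Events> document into a list of <Event> elements."""
    return ET.fromstring(xml_text).findall("Event")


def event_id(event):
    """Integer value of System/EventID."""
    return int(event.findtext("System/EventID"))


def data(event, name):
    """Value of <Data Name="..."> inside EventData, or None if absent."""
    return event.findtext(f"EventData/Data[@Name='{name}']")


def loose_filter(events, eid, value):
    """The query as written: EventID=eid, a DestinationPort field exists,
    and *some* Data element equals value (not necessarily DestinationPort)."""
    value = str(value)
    hits = []
    for event in events:
        if event_id(event) != eid:
            continue
        if event.find("EventData/Data[@Name='DestinationPort']") is None:
            continue
        if any(d.text == value for d in event.findall("EventData/Data")):
            hits.append(event)
    return hits


def strict_filter(events, eid, field, value):
    """Equivalent of */EventData/Data[@Name=field]=value: the named field itself."""
    return [e for e in events if event_id(e) == eid and data(e, field) == str(value)]


def images(events):
    """Image paths of matched events, for easy comparison."""
    return [data(e, "Image") for e in events]


if __name__ == "__main__":
    evts = load_events(SAMPLE_EVENTS)
    print("loose :", images(loose_filter(evts, 3, 444)))
    print("strict:", images(strict_filter(evts, 3, "DestinationPort", 444)))
```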

    1) How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

    Ans :- 73,591



    2) What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

    Ans :- 2021-01-06 01:35:50.464




    Task 5 Hunting Metasploit



    Hunting Metasploit



    Metasploit is a commonly used exploit framework for penetration testing and red team operations. Metasploit can be used to easily run exploits on a machine and connect back to a meterpreter shell. We will be hunting the meterpreter shell itself and the functionality it uses. To begin hunting we will look for network connections that originate from suspicious ports such as 444 and 5555; by default, Metasploit uses port 4444. If there is a connection to any IP, known or unknown, it should be investigated. To start an investigation you can look at packet captures from the date of the log to begin looking for further information about the adversary. We can also look for suspicious processes created. This method of hunting can be applied to various other RATs and C2 beacons.


    For more information about this technique and tools used check out MITRE ATT&CK Software.


    For more information about how malware and payloads interact with the network check out the Malware Common Ports Spreadsheet. This will be covered in further depth in the Hunting Malware task.


    You can download the event logs used in this room from this task or you can open them in the Practice folder on the provided machine.


    Hunting Network Connections


    We will first be looking at a modified Ion-Security configuration to detect the creation of new network connections. The code snippet below will use event ID 3 along with the destination port to identify active connections, specifically connections on port 444 and 5555.



    <RuleGroup name="" groupRelation="or">
        <NetworkConnect onmatch="include">
            <DestinationPort condition="is">4444</DestinationPort>
            <DestinationPort condition="is">5555</DestinationPort>
        </NetworkConnect>
    </RuleGroup>




    Open C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Metasploit.evtx in Event Viewer to view a basic Metasploit payload being dropped onto the machine.

    Once we identify the event, it can give us some important information we can use for further investigation, like the ProcessID and Image.



    Hunting for Open Ports with PowerShell


    To hunt for open ports with PowerShell we will be using the PowerShell module Get-WinEvent along with XPath queries. We can use the same XPath queries that we used in the rule to filter out events from NetworkConnect with DestinationPort. The command line is typically used over the Event Viewer GUI because it allows for more granular control and filtering than the GUI offers. For more information about using XPath and the command line for event viewing, check out the Windows Event Log room by Heavenraiza.



    Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=444'



    We can break this command down by its filters to see exactly what it is doing. It is first filtering by Event ID 3, which is the network connection ID. It is then filtering by the data name, in this case DestinationPort, as well as the specific port that we want to filter. We can adjust this syntax along with our events to get exactly what data we want in return.

    Read the above and practice hunting Metasploit with the provided event file.






    Task 6 Detecting Mimikatz


    Detecting Mimikatz Overview


    Mimikatz is well known and commonly used to dump credentials from memory along with other Windows post-exploitation activity. Mimikatz is mainly known for dumping LSASS. We can hunt for the file created, execution of the file from an elevated process, creation of a remote thread, and processes that Mimikatz creates. Anti-Virus will typically pick up Mimikatz as the signature is very well known but it is still possible for threat actors to obfuscate or use droppers to get the file onto the device. For this hunt, we will be using a custom configuration file to minimize network noise and focus on the hunt.


    For more information about this technique and the software used check out MITRE ATTACK T1055 and S0002.


    You can download the event logs used in this room from this task or you can open them in the Practice folder on the provided machine.





    Detecting File Creation


    The first method of hunting for Mimikatz is just looking for files created with the name Mimikatz. This is a simple technique but can allow you to find anything that might have bypassed AV. Most of the time when dealing with an advanced threat you will need more advanced hunting techniques like searching for LSASS behavior but this technique can still be useful.

    This is a very simple way of detecting Mimikatz activity that has bypassed anti-virus or other detection measures. But most of the time it is preferred to use other techniques like hunting for LSASS specific behavior. Below is a snippet of a config to aid in the hunt for Mimikatz.




    <RuleGroup name="" groupRelation="or">
        <FileCreate onmatch="include">
            <TargetFileName condition="contains">mimikatz</TargetFileName>
        </FileCreate>
    </RuleGroup>




    As this method will not be commonly used to hunt for anomalies we will not be looking at any event logs for this specific technique.



    Hunting Abnormal LSASS Behavior


    We can use the ProcessAccess event ID to hunt for abnormal LSASS behavior. This event, when the target is LSASS, would show potential LSASS abuse, which usually connects back to Mimikatz or some other kind of credential dumping tool. Look below for more detail on hunting with these techniques.



    If LSASS is accessed by a process other than svchost.exe it should be considered suspicious behavior and should be investigated further. To aid in looking for suspicious events you can use a filter to only look for processes besides svchost.exe. Sysmon will provide us further details to help lead the investigation, such as the file path the process originated from. To aid in detections we will be using a custom configuration file. Below is a snippet of the config that will aid in the hunt.




    <RuleGroup name="" groupRelation="or">
        <ProcessAccess onmatch="include">
               <TargetImage condition="image">lsass.exe</TargetImage>
        </ProcessAccess>
    </RuleGroup>




    Open C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_LSASS.evtx in Event Viewer to view an attack using an obfuscated version of Mimikatz to dump credentials from memory.



    We see the event where the Mimikatz process accessed LSASS, but we also see a lot of svchost.exe events. We can alter our config to exclude events whose SourceImage is svchost.exe. Look below for a modified configuration rule to cut down on the noise that is present in the event logs.




    <RuleGroup name="" groupRelation="or">
        <ProcessAccess onmatch="exclude">
            <SourceImage condition="image">svchost.exe</SourceImage>
        </ProcessAccess>
        <ProcessAccess onmatch="include">
            <TargetImage condition="image">lsass.exe</TargetImage>
        </ProcessAccess>
    </RuleGroup>



    By modifying the configuration file to include this exception we have cut down our events significantly and can focus on only the anomalies. This technique can be used throughout Sysmon and events to cut down on "noise" in logs.





    Detecting LSASS Behavior with PowerShell

    To detect abnormal LSASS behavior with PowerShell we will again be using the PowerShell module Get-WinEvent along with XPath queries. We can use the same XPath queries used in the rule to filter out the other processes from TargetImage. If we use this alongside a well-built configuration file with a precise rule it will do a lot of the heavy lifting for us and we only need to filter a small amount.



    Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'





    Task 7 Hunting Malware


    Hunting Malware Overview


    Malware has many forms and variations with different end goals. The two types of malware that we will be focusing on are RATs and backdoors. RATs, or Remote Access Trojans, are used similarly to any other payload to gain remote access to a machine. RATs typically come with other anti-virus and detection evasion techniques that make them different from other payloads like MSFVenom. A RAT typically also uses a client-server model and comes with an interface for easy user administration. Examples of RATs are Xeexe and Quasar. To help detect and hunt malware we will first need to identify the malware that we want to hunt or detect and identify ways that we can modify configuration files; this is known as hypothesis-based hunting. There are of course a plethora of other ways to detect and log malware; however, we will only be covering the basic way of detecting open back-connect ports.


    For more information about this technique and examples of malware check out MITRE ATT&CK Software.


    You can download the event logs used in this room from this task or you can open them in the Practice folder on the provided machine.




    Hunting Rats and C2 Servers


    The first technique we will use to hunt for malware is a similar process to hunting Metasploit. We can look through and create a configuration file to hunt and detect suspicious ports open on the endpoint. By including known suspicious ports in our logs we can add to our hunting methodology: we use logs to identify adversaries on our network, then use packet captures or other detection strategies to continue the investigation. The code snippet below is from the Ion-Storm configuration file, which will alert on specific ports like 1034 and 1604 as well as exclude common network connections like OneDrive; by excluding such events we still see everything that we want without missing anything, while cutting down on noise.



    When using configuration files in a production environment you must be careful and understand exactly what is happening within the configuration file. An example of this is that the Ion-Storm configuration file excludes port 53 as an event. Attackers and adversaries have begun to use port 53 as part of their malware/payloads, which would go undetected if you blindly used this configuration file as-is.



    For more information about the ports that this configuration file alerts on check out this spreadsheet.




    <RuleGroup name="" groupRelation="or">
        <NetworkConnect onmatch="include">
            <DestinationPort condition="is">1034</DestinationPort>
            <DestinationPort condition="is">1604</DestinationPort>
        </NetworkConnect>
        <NetworkConnect onmatch="exclude">
            <Image condition="image">OneDrive.exe</Image>
        </NetworkConnect>
    </RuleGroup>


    Open C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Rats.evtx in Event Viewer to view a live RAT being dropped onto the server.



    In the above example, we are detecting a custom RAT that operates on port 8080; this is a perfect example of why you want to be careful when excluding events, in order not to miss potential malicious activity.
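    As an added example (not code from the room or this page), the Python script below is a small evaluator of the Sysmon rule semantics that the Task 6 lsass.exe snippet and the Task 7 port snippet rely on: exclude rules are checked first and win on a match, then include rules decide whether the event is recorded. It parses both RuleGroups verbatim and runs constructed events through them, including a connection to port 8080 that neither include rule covers. The sample events, and the simplification that an event type with no rules is not logged, are assumptions made here.

```python
import xml.etree.ElementTree as ET

# The two RuleGroups from the text above, verbatim.
LSASS_RULES = """
<RuleGroup name="" groupRelation="or">
    <ProcessAccess onmatch="exclude">
        <SourceImage condition="image">svchost.exe</SourceImage>
    </ProcessAccess>
    <ProcessAccess onmatch="include">
        <TargetImage condition="image">lsass.exe</TargetImage>
    </ProcessAccess>
</RuleGroup>
"""

PORT_RULES = """
<RuleGroup name="" groupRelation="or">
    <NetworkConnect onmatch="include">
        <DestinationPort condition="is">1034</DestinationPort>
        <DestinationPort condition="is">1604</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch="exclude">
        <Image condition="image">OneDrive.exe</Image>
    </NetworkConnect>
</RuleGroup>
"""

# Constructed sample events keyed by the Sysmon field names the rules use.
SAMPLE_EVENTS = [
    {"EventType": "ProcessAccess", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},            # routine noise
    {"EventType": "ProcessAccess", "SourceImage": r"C:\Users\Public\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},            # renamed dumper
    {"EventType": "ProcessAccess", "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},                  # unrelated target
    {"EventType": "NetworkConnect", "Image": r"C:\Users\alice\OneDrive\OneDrive.exe",
     "DestinationPort": 1604},                                    # excluded by image
    {"EventType": "NetworkConnect", "Image": r"C:\Users\Public\rat.exe",
     "DestinationPort": 1604},                                    # logged
    {"EventType": "NetworkConnect", "Image": r"C:\Users\Public\rat.exe",
     "DestinationPort": 8080},                                    # not in any include rule
]


def match(condition, value, pattern):
    """Sysmon string conditions; comparisons are case-insensitive."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "is not":
        return v != p
    if condition == "contains":
        return p in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "image":
        # "image" matches either the full path or just the file name.
        return v == p or v.rsplit("\\", 1)[-1] == p
    raise ValueError(f"unsupported condition: {condition}")


def parse_rules(xml_text):
    """Return ({event_type: {"include": [...], "exclude": [...]}}, groupRelation);
    each rule is a (field, condition, pattern) tuple."""
    root = ET.fromstring(xml_text)
    rules = {}
    for block in root:
        bucket = rules.setdefault(block.tag, {"include": [], "exclude": []})
        for rule in block:
            bucket[block.get("onmatch")].append(
                (rule.tag, rule.get("condition", "is"), rule.text or ""))
    return rules, root.get("groupRelation", "or")


def group_matches(rule_list, event, relation):
    """Combine the rules of one onmatch block with the group's relation."""
    hits = [match(c, str(event.get(f, "")), p) for f, c, p in rule_list]
    if not hits:
        return False
    return all(hits) if relation == "and" else any(hits)


def is_logged(rules, relation, event):
    """True if these rules would record the event. Assumption for this toy:
    an event type with no rules at all is not logged."""
    etype = event["EventType"]
    if etype not in rules:
        return False
    if group_matches(rules[etype]["exclude"], event, relation):
        return False  # exclude wins over include
    return group_matches(rules[etype]["include"], event, relation)


def logged_events(config_xml, events):
    rules, relation = parse_rules(config_xml)
    return [e for e in events if is_logged(rules, relation, e)]


if __name__ == "__main__":
    for name, cfg in (("lsass", LSASS_RULES), ("ports", PORT_RULES)):
        print(name, logged_events(cfg, SAMPLE_EVENTS))
```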





    Hunting for Common Back Connect Ports with PowerShell


    Just like in previous sections, when using PowerShell we will again be using the PowerShell module Get-WinEvent along with XPath queries to filter our events and gain granular control over our logs. We will need to filter on the NetworkConnect event ID and the DestinationPort data attribute. If you're using a good configuration file with a reliable set of rules it will do a majority of the heavy lifting, and filtering down to what you want should be easy.


    Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'


    Task 8 Hunting Persistence


    Persistence Overview


    Persistence is used by attackers to maintain access to a machine once it is compromised. There is a multitude of ways for an attacker to gain persistence on a machine; we will be focusing on registry modification as well as startup scripts. We can hunt persistence with Sysmon by looking for File Creation events as well as Registry Modification events. The SwiftOnSecurity configuration file does a good job of specifically targeting persistence and the techniques used. You can also filter by the Rule Names in order to get past the network noise and focus on anomalies within the event logs.


    You can download the event logs used in this room from this task or you can open them in the Practice folder on the provided machine.



    Hunting Startup Persistence


    We will first be looking at the SwiftOnSecurity detections for a file being placed in the \Startup\ or \Start Menu directories. Below is a snippet of the config that will aid in event tracing for this technique. For more information about this technique check out MITRE ATT&CK T1547.




    <RuleGroup name="" groupRelation="or">
        <FileCreate onmatch="include">
            <TargetFilename name="T1023" condition="contains">\Start Menu</TargetFilename>
            <TargetFilename name="T1165" condition="contains">\Startup\</TargetFilename>
        </FileCreate>
    </RuleGroup>



    Open C:\Users\THM-Analyst\Desktop\Scenarios\Practice\T1023.evtx in Event Viewer to view a live attack on the machine that involves persistence by adding a malicious EXE into the Startup folder.


    When looking at the Event Viewer we see that persist.exe was placed in the Startup folder. Threat actors will almost never make it this obvious, but any changes to the Start Menu should be investigated. You can adjust the configuration file to be more granular and create alerts beyond just the File Created tag. We can also filter by the Rule Name T1023.




    Once you have identified that a suspicious binary or application has been placed in a startup location you can begin an investigation on the directory.





    Hunting Registry Key Persistence


    We will again be looking at another SwiftOnSecurity detection, this time for a registry modification that places a script or binary inside CurrentVersion\Windows\Run and other registry locations. For more information about this technique check out MITRE ATT&CK T1112.




    <RuleGroup name="" groupRelation="or">
        <RegistryEvent onmatch="include">
            <TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject>
            <TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject>
            <TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject>
        </RegistryEvent>
    </RuleGroup>





    Open C:\Users\THM-Analyst\Desktop\Scenarios\Practice\T1060.evtx in Event Viewer to view an attack where the registry was modified to gain persistence.


    When looking at the event logs we see that the registry was modified and malicious.exe was added to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Persistence. We also see that the exe can be found at %windir%\System32\malicious.exe.



    Just like the startup technique, we can filter by the RuleName T1060 to make finding the anomaly easier.
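    To hunt both of these persistence locations from PowerShell rather than Event Viewer, here is an added example (not the room's or SwiftOnSecurity's code) that pulls FileCreate (Event ID 11) and RegistryEvent (Event IDs 12, 13 and 14) records from the two practice logs named above and keeps only the hits that the rule names T1023/T1165 and T1060, or the target paths themselves, mark as Startup-folder or Run-key persistence. It assumes the SwiftOnSecurity rule names but also matches on the path, so it still works against a configuration that does not name its rules.

```powershell
# Added example, not code from the TryHackMe room or the SwiftOnSecurity config.
# Surfaces Sysmon file-create and registry events that land in the persistence
# locations targeted by the two rule snippets above.

function Get-SysmonPersistence {
    param([Parameter(Mandatory)] [string] $Path)   # Sysmon .evtx export

    # 11 = FileCreate, 12/13/14 = RegistryEvent (key create/delete, value set, rename)
    $events = Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 11, 12, 13, 14 } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $rule   = [string]$data['RuleName']
        $target = if ($e.Id -eq 11) { [string]$data['TargetFilename'] } else { [string]$data['TargetObject'] }

        # Match on the rule name the config assigns OR on the path, so a config that
        # does not name its rules still produces hits.
        $isStartup = ($rule -like '*T1023*') -or ($rule -like '*T1165*') -or
                     ($target -like '*\Start Menu*') -or ($target -like '*\Startup\*')
        $isRunKey  = ($rule -like '*T1060*') -or ($target -like '*CurrentVersion\Run*') -or
                     ($target -like '*Group Policy\Scripts*')
        if (-not ($isStartup -or $isRunKey)) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Technique   = if ($isStartup) { 'Startup folder' } else { 'Run key / GPO script' }
            RuleName    = $rule
            Image       = $data['Image']     # process that dropped the file or wrote the key
            Target      = $target            # file created, or registry key/value touched
            Details     = $data['Details']   # value data for ID 13, e.g. the path to the EXE
        }
    }
}

# Usage against the two practice logs named in the text.
Get-SysmonPersistence -Path 'C:\Users\THM-Analyst\Desktop\Scenarios\Practice\T1023.evtx' |
    Format-Table TimeCreated, EventId, Image, Target -AutoSize
Get-SysmonPersistence -Path 'C:\Users\THM-Analyst\Desktop\Scenarios\Practice\T1060.evtx' |
    Format-Table TimeCreated, EventId, Target, Details -AutoSize
```

    For the registry case the Details column is the one to read: Sysmon's value-set event (ID 13) carries the data written to the Run value, which is where the path to the executable appears.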



    If we wanted to investigate this anomaly we would need to look at the registry as well as the file location itself. Below is the registry area where the malicious registry key was placed.







    Task 9 Detecting Evasion Techniques


    Evasion Techniques Overview


    There are a number of evasion techniques used by malware authors to both evade anti-virus and evade detections. Some examples of evasion techniques are Alternate Data Streams, Injections, Masquerading, Packing/Compression, Recompiling, Obfuscation, and Anti-Reversing Techniques. In this task, we will be focusing on Alternate Data Streams and Injections. Alternate Data Streams are used by malware to hide its files from normal inspection by saving the file in a different stream apart from $DATA. Sysmon comes with an event ID to detect newly created and accessed streams, allowing us to quickly detect and hunt malware that uses ADS. Injection techniques come in many different types: Thread Hijacking, PE Injection, DLL Injection, and more. In this room, we will be focusing on DLL Injection and backdooring DLLs. This is done by taking a DLL that an application already loads and overwriting it, or including malicious code within it.


    For more information about this technique check out MITRE ATT&CK T1564 and T1055.



    You can download the event logs used in this room from this task or you can open them in the Practice folder on the provided machine.



    Hunting Alternate Data Streams


    The first technique we will be looking at is hiding files using alternate data streams, detected with Event ID 15. Event ID 15 will hash and log any NTFS streams that are included within the Sysmon configuration file, which lets us hunt for malware that evades detection using ADS. To aid in hunting ADS we will be using the SwiftOnSecurity Sysmon configuration file. The snippet below logs streams created under the Downloads and Temp\7z folders as well as files with the .hta and .bat extensions.




    <RuleGroup name="" groupRelation="or">
        <FileCreateStreamHash onmatch="include">
            <TargetFilename condition="contains">Downloads</TargetFilename>
            <TargetFilename condition="contains">Temp\7z</TargetFilename>
            <TargetFilename condition="ends with">.hta</TargetFilename>
            <TargetFilename condition="ends with">.bat</TargetFilename>
        </FileCreateStreamHash>
    </RuleGroup>




    Open C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_ADS.evtx in Event Viewer to view hidden files using an alternate data stream.




    As you can see, the event shows us the location and name of the file as well as the contents of the file; this will be useful if an investigation is necessary.




    Detecting Remote Threads


    Adversaries also commonly use remote threads to evade detections in combination with other techniques. Remote threads are created using the Windows API CreateRemoteThread and can be accessed using OpenThread and ResumeThread. This is used in multiple evasion techniques including DLL Injection, Thread Hijacking, and Process Hollowing. We will be using Sysmon event ID 8 with the SwiftOnSecurity configuration file. The snippet below from that rule excludes a few common, known-good remote threads rather than including specific attributes; this keeps the rule open while still being precise.




    <RuleGroup name="" groupRelation="or">
        <CreateRemoteThread onmatch="exclude">
            <SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
            <TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>
        </CreateRemoteThread>
    </RuleGroup>



    Open C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Detecting_RemoteThreads.evtx in Event Viewer to observe a Process Hollowing attack that abuses the notepad.exe process.


    As you can see in the above image, powershell.exe is creating a remote thread in notepad.exe. This is obviously a PoC and could in theory execute any other kind of executable or DLL. The specific technique used in this example is called Reflective PE Injection.



    Detecting Evasion Techniques with PowerShell


    We have already gone through a majority of the syntax required to use PowerShell with events. Like previous tasks, we will be using Get-WinEvent along with the XPath to filter and search for files that use an alternate data stream or create a remote thread. In both of the events, we will only need to filter by the EventID because the rule used within the configuration file is already doing a majority of the heavy lifting.


    Detecting Alternate Data Streams


    Syntax: Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'




     

     

    Detecting Remote Thread Creation

    Syntax: Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
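    Putting the two queries above together, this added example (not code from the room) pulls Event ID 15 and Event ID 8 records from the practice logs and attaches a triage note: the Zone.Identifier stream that browsers write on every download is expected, so only other stream names are flagged, and a remote thread created by a script host such as powershell.exe in a different process (the notepad.exe case above) is marked for review. The labels are this example's own heuristics, not Sysmon fields.

```powershell
# Added example, not code from the TryHackMe room. Pulls Sysmon Event ID 15
# (FileCreateStreamHash) and Event ID 8 (CreateRemoteThread) from an .evtx and
# attaches a triage note; the notes are this example's own heuristics.

function Get-SysmonEvasionEvents {
    param([Parameter(Mandatory)] [string] $Path)   # Sysmon .evtx export

    # Same XPath form as the two syntax lines above, once per event ID
    $events = foreach ($id in 15, 8) {
        Get-WinEvent -Path $Path -FilterXPath "*/System/EventID=$id" -ErrorAction SilentlyContinue
    }

    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($e.Id -eq 15) {
            $target = [string]$data['TargetFilename']   # "C:\path\file.ext:StreamName"
            # Browsers attach a Zone.Identifier (mark-of-the-web) stream to every
            # download, so that name is expected; anything else deserves a look.
            $note = if ($target -like '*:Zone.Identifier') { 'expected MOTW stream' } else { 'REVIEW: non-standard stream' }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                EventId     = 15
                Note        = $note
                Image       = $data['Image']       # process that wrote the stream
                Target      = $target
                Hash        = $data['Hash']
                Contents    = $data['Contents']    # leading bytes of the stream (newer Sysmon versions)
            }
        }
        else {
            $src = [string]$data['SourceImage']
            $dst = [string]$data['TargetImage']
            # A thread started in another process by a script host is the shape seen
            # in the practice log (powershell.exe -> notepad.exe).
            $note = if ($src -ne $dst -and $src -match 'powershell|wscript|cscript|mshta|rundll32') {
                        'REVIEW: remote thread from script host'
                    } else { 'cross-process thread' }
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                EventId       = 8
                Note          = $note
                SourceImage   = $src
                TargetImage   = $dst
                StartAddress  = $data['StartAddress']
                StartModule   = $data['StartModule']
                StartFunction = $data['StartFunction']
            }
        }
    }
}

# Usage against the two practice logs named above; REVIEW entries sort first.
Get-SysmonEvasionEvents -Path 'C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_ADS.evtx' |
    Sort-Object Note -Descending | Format-List
Get-SysmonEvasionEvents -Path 'C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Detecting_RemoteThreads.evtx' |
    Sort-Object Note -Descending | Format-List
```

    On a real host the script-host list will need tuning to your environment, and an empty StartModule on an Event ID 8 record (the thread starts in unbacked memory) is a stronger injection indicator than the source image name alone.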




     

    Read the above and practice detecting evasion techniques




     




    Task 10 Practical Investigations



    Event files used within this task have been sourced from the EVTX-ATTACK-SAMPLES and SysmonResourcesGithub repositories.


    You can download the event logs used in this room from this task or you can open them in the Investigations folder on the provided machine.





    Investigation 1 - ugh, BILL THAT'S THE WRONG USB!


    In this investigation, your team has received reports that a malicious file was dropped onto a host by a malicious USB. They have pulled the logs suspected and have tasked you with running the investigation for it.



    Logs are located in C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-1.







    Investigation 2 - This isn't an HTML file?

    Another suspicious file has appeared in your logs and has managed to execute code masking itself as an HTML file, evading your anti-virus detections. Open the logs and investigate the suspicious file. 

    Logs are located in C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-2.






    Investigation 3.1 - 3.2 - Where's the bouncer when you need him


    Your team has informed you that the adversary has managed to set up persistence on your endpoints as they continue to move throughout your network. Find how the adversary managed to gain persistence using logs provided.

    Logs are located in C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-3.1

    and C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-3.2.






    Investigation 4 - Mom look! I built a botnet!



    As the adversary has gained a solid foothold onto your network it has been brought to your attention that they may have been able to set up C2 communications on some of the endpoints. Collect the logs and continue your investigation.


    Logs are located in C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-4.





    1) What is the full registry key of the USB device calling svchost.exe in Investigation 1?

    Ans :- HKLM\System\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01#4054910EF19005B3&0#\FriendlyName





    2) What is the device name when being called by RawAccessRead in Investigation 1?

    Ans :- \Device\HarddiskVolume3



    3) What is the first exe the process executes in Investigation 1?


    Ans :- rundll32.exe
     


    4) What is the full path of the payload in Investigation 2?

    Ans :- C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta



    5) What is the full path of the file the payload masked itself as in Investigation 2?

    Ans :- C:\Users\IEUser\Downloads\update.html



    6) What signed binary executed the payload in Investigation 2?

    Ans :- C:\Windows\System32\mshta.exe


    7) What is the IP of the adversary in Investigation 2?

    Ans :- 10.0.2.18



    8) What back connect port is used in Investigation 2?

    Ans :- 4443



    9) What is the IP of the suspected adversary in Investigation 3.1?

    Ans :- 172.30.1.253



    10) What is the hostname of the affected endpoint in Investigation 3.1?

    Ans :- DESKTOP-O153T4R



    11) What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?


    Ans :- empirec2



    12) Where in the registry was the payload stored in Investigation 3.1?

    Ans :- HKLM\SOFTWARE\Microsoft\Network\debug



    13) What PowerShell launch code was used to launch the payload in Investigation 3.1?

    Ans :-  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A \"-enc $x\" powershell";exit;



    14) What is the IP of the adversary in Investigation 3.2?

    Ans :- 172.168.103.188



    15) What is the full path of the payload location in Investigation 3.2?

    Ans :- c:\users\q\AppData:blah.txt



    16) What was the full command used to create the scheduled task in Investigation 3.2?

    Ans :- "C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""



    17) What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?

    Ans :- lsass.exe



    18) What is the IP of the adversary in Investigation 4?

    Ans :- 172.30.1.253



    19) What port is the adversary operating on in Investigation 4?

    Ans :- 80



    20) What C2 is the adversary utilizing in Investigation 4?

    Ans :- Empire





    Disclaimer


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)


      


  • TryHackMe Investigating Windows

     


     

     

    Investigating Windows


    A Windows machine has been hacked; it's your job to investigate this Windows machine and find clues to what the hacker might have done.


    Task 1 Investigating Windows




    This is a challenge that is exactly what it says on the tin: there are a few challenges around investigating a Windows machine that has been previously compromised.


    Connect to the machine using RDP. The credentials for the machine are as follows:


    Username: Administrator
    Password: letmein123!


    Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.




    1) Whats the version and year of the windows machine?

    Ans :- Windows Server 2016



     

     


    2) Which user logged in last?

    Ans :- Administrator



     

     

     

     

    3) When did John log onto the system last?
    Answer format: MM/DD/YYYY H:MM:SS AM/PM


    Ans :- 03/02/2019 5:48:32 PM


    In cmd Prompt :- 

    net users

    net users john


     

     


    4) What IP does the system connect to when it first starts?

    Ans :- 10.34.2.3



    When I connected to the THM machine, about 2 minutes after it came up, a message appeared in the command prompt connecting to this IP, and this is the address we are looking for.

     


    5) What two accounts had administrative privileges (other than the Administrator user)?
    Answer format: username1, username2


    Ans :- Jenny, Guest

    In cmd Prompt :- net users



     


    6) What's the name of the scheduled task that is malicious?

    Ans :- Clean file system



     

     

     

     

    7) What file was the task trying to run daily?

    Ans :- nc.ps1



     


    8) What port did this file listen locally for?

    Ans :- 1348





     

     

     

    9) When did Jenny last logon?

    Ans :- Never


    In cmd Prompt :- 

    net users

    net users jenny


     


    10) At what date did the compromise take place?
    Answer format: MM/DD/YY


    Ans :- 03/02/2019



     


     

     

     

    11) At what time did Windows first assign special privileges to a new logon?
    Answer format: MM/DD/YYYY HH:MM:SS AM/PM


    Ans :- 03/02/2019 4:04:49 PM



     


    12) What tool was used to get Windows passwords?

    Ans :- Mimikatz



     

     

     

    13) What was the attackers external control and command servers IP?

    Ans :- 76.32.97.132



     


    14) What was the extension name of the shell uploaded via the servers website?

    Ans :- .jsp



    15) What was the last port the attacker opened?

    Ans :- 1337



     


     

     

     

    16) Check for DNS poisoning, what site was targeted?

    Ans :- google.com



     







     

  • Intro to windows - active directory and Azure active directory


    Windows history


    On November 20, 1985 Microsoft announced its operating system named Windows, a graphical operating system shell created as a response to the growing popularity of GUIs (graphical user interfaces). At the moment Windows dominates the world of computers with around 90% market share, having overtaken Apple's Mac OS, which was introduced in 1984.



    Windows versions:

    •     Windows 1
    •     Windows 2
    •     Windows 2.x
    •     Windows 3.x
    •     Windows 95
    •     Windows 98
    •     Windows NT
    •     Windows XP
    •     Windows Vista
    •     Windows 7
    •     Windows 8.x
    •     Windows 10



    Windows server versions:



    •     Windows Server 2003
    •     Windows Server 2008
    •     Windows Server 2012 / 2012 R2
    •     Windows Server 2016
    •     Windows Server 2019


    Read a little about Windows history and versions.

    1) When was Windows announced?

    Ans :- November 20 1985



    2) Which is the latest version of Windows?

    Ans :- windows 10



    3) Which is the latest version of Windows Server?


    Ans :- windows server 2019




    Task 2 Windows file system and permissions explained


    What is the file system?



    It is the method and data structure that an operating system uses to keep track of files on a disk or partition. Without a file system, the information saved in a storage media would be one large body of data with no way to tell where the information begins and ends.



    Windows file system structure is:


    • Logical drives (Ex: Local Disk C)
    • Folders (these are the folders that come by default. Ex: Documents, Downloads, Music)
    • Files




    Something that might also interest you would be the folders located on the C drive and their role. These folders are:



    •     PerfLogs
    •     Program Files
    •     Program Files (x86)
    •     Users
    •     Windows




    Let me break them down and explain each of them:


    • PerfLogs - Stores the system issues and other reports regarding performance
    • Program Files and Program Files (x86) - Is the location where programs install unless you change their path (Ex: Choosing to install software on D drive)
    • Users - In this folder are stored the users created. It also stores users generated data (Ex: Saving a file on your Desktop)
    • Windows - It's the folder which basically contains the code to run the operating system and some utility tools (we'll talk about them later)

     

     

     


     

     


    File permissions


    File permissions can be set by an administrator or a privileged account. These permissions can be applied to:

    •     Users
    •     Groups

       

    Permissions that can be set are:


    •     Full control
    •     Modify
    •     Read & execute
    •     List folders content
    •     Read
    •     Write
    •     Special permissions

       
       

    • Full control - allows the user/users/group/groups to set the ownership of the folder, set permission for others, modify, read, write, and execute files.
    • Modify - allows the user/users/group/groups to modify, read, write, and execute files.
    • Read & execute - allows the user/users/group/groups to read and execute files.
    • List folder contents - allows the user/users/group/groups to list the contents (files, subfolders, etc) of a folder.
    • Read - only allows the user/users/group/groups to read files.
    • Write - allows the user/users/group/groups to write data to the specified folder (automatically set when "Modify" right is checked).

     


    Note: You can allow or deny permissions for users or groups.

    To set permissions for a file or folder right click on the file and select "Properties". Go to the "Security" tab and click on the "Edit" button.

     

     


    As you can see Users can only read, execute, and list the folder contents. However, we want to allow them to be able to store, edit, or delete files inside that folder. To do that, check the "Modify" box (you will see that by checking the Modify box the Write box will be automatically checked too).




    To apply the changes click on the "Apply" button.



    The reason we do not set the full control permission on the folder is that users could set permissions and take ownership of the folder themselves (without the action of an administrator/privileged user).

    A tool you can use to check the files or folder permissions is "icacls".



    Let's explain what those letters in parentheses mean as right now you might be confused.

    • I - permission inherited from the parent container
    • F - full access (full control)
    • M - Modify right/access
    • OI - object inherit
    • IO - inherit only
    • CI - container inherit
    • RX - read and execute
    • AD - append data (add subdirectories)
    • WD - write data and add files




    You can use icacls to check permissions, set ownership of the folder, set, remove or deny permissions. An example would be setting the ownership of the folder to Users.


    To check if that applied you can right-click on the folder and select "Properties", go to the "Security" tab, and click on "Advanced". There you should be able to see that the owner is "Users".
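    The icacls output shown above is easier to review once it is parsed into objects. The following added example (not from the room) does that for constructed sample output, translates the flag codes using the list above, and then runs the check an administrator wants after editing permissions: that no broad group such as Users or Everyone ended up with Full control, which, as the text warns, would let members take ownership themselves. Get-FolderAcl runs the real icacls on a live folder; the sample lines and the C:\Shared path are constructed for the demonstration.

```powershell
# Added example, not code from the TryHackMe room. Parses icacls output into
# objects and flags over-broad grants. Sample output below is constructed.

# Meaning of each icacls code, from the list in the text plus a few common extras.
$IcaclsCodes = @{
    'I'    = 'inherited from parent'
    'OI'   = 'object inherit'
    'CI'   = 'container inherit'
    'IO'   = 'inherit only'
    'NP'   = 'no propagate inherit'
    'F'    = 'full control'
    'M'    = 'modify'
    'RX'   = 'read and execute'
    'R'    = 'read'
    'W'    = 'write'
    'AD'   = 'append data / add subdirectory'
    'WD'   = 'write data / add file'
    'D'    = 'delete'
    'N'    = 'no access'
    'DENY' = 'DENY entry'
}

function ConvertFrom-IcaclsOutput {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,  # raw icacls output lines
        [Parameter(Mandatory)] [string]   $Path    # path icacls was run on (prefixes the first line)
    )
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # The first ACE shares its line with the path; strip the path first so that
        # principals containing spaces ("NT AUTHORITY\SYSTEM") are parsed intact.
        if ($line.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
            $line = $line.Substring($Path.Length).Trim()
        }
        # Expected shape: principal:(flag)(flag)...  Summary and blank lines do not match.
        if ($line -notmatch '^(?<principal>.+?):(?<flags>(\([^)]*\))+)$') { continue }
        $flags = @([regex]::Matches($Matches.flags, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value })
        [pscustomobject]@{
            Principal = $Matches.principal
            Flags     = $flags
            Meaning   = ($flags | ForEach-Object { if ($IcaclsCodes[$_]) { $IcaclsCodes[$_] } else { $_ } }) -join ', '
            IsDeny    = $flags -contains 'DENY'
            Inherited = $flags -contains 'I'
        }
    }
}

function Get-FolderAcl {
    # Live variant: run icacls on a real folder and parse its output.
    param([Parameter(Mandatory)] [string] $Path)
    ConvertFrom-IcaclsOutput -Lines (icacls $Path) -Path $Path
}

# Constructed sample: a folder after an admin granted Users "Modify" directly
# (no (I) flag) while the inherited entries remain.
$samplePath  = 'C:\Shared'
$sampleLines = @(
    'C:\Shared BUILTIN\Users:(OI)(CI)(M)'
    '          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)'
    '          BUILTIN\Administrators:(I)(OI)(CI)(F)'
    '          BUILTIN\Users:(I)(OI)(CI)(RX)'
    '          BUILTIN\Users:(I)(CI)(AD)'
    '          BUILTIN\Users:(I)(CI)(WD)'
    ''
    'Successfully processed 1 files; Failed processing 0 files'
)

$aces = ConvertFrom-IcaclsOutput -Lines $sampleLines -Path $samplePath
$aces | Format-Table Principal, Inherited, IsDeny, Meaning -AutoSize

# The post-change check: no broad group should hold (F), since Full control lets
# its members take ownership and rewrite the permissions themselves.
$aces | Where-Object { -not $_.IsDeny -and $_.Flags -contains 'F' -and $_.Principal -match 'Users|Everyone' } |
    ForEach-Object { Write-Warning "$($_.Principal) has Full control on $samplePath" }
```

    With the sample above the warning does not fire, because Users only hold Modify plus inherited read rights; change the first sample line to (F) to see it trigger.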





    Read the above.

    In which folder are users profiles stored?


    Ans :- users

     

     

    Task 3 Understanding the authentication process



    What is authentication?


    Authentication is a process for verifying the identity of a person (or an object or a service). When you authenticate a person, the goal is to verify that the person is not an imposter.


    Local authentication


    Local authentication is done using the Local Security Authority (LSA). LSA is a protected subsystem that keeps track of the security policies and the accounts that are on a computer system. It also maintains information about all aspects of local security on a computer.



    Types of Active Directory

    There are two types of Active Directory:

    • On-Premise Active Directory (AD)
    • Azure Active Directory (AAD)




    Authentication on On-Premise Active Directory
     

     


    On-premise Active Directory has a record of all users, PCs and Servers and authenticates the users signing in (the network logon). Once signed in, Active Directory also governs what the users are, and are not, allowed to do or access (authorization).


    In an on-premise Active Directory environment the authentication can be made by using the following protocols:


    •     NTLM
    •     LDAP / LDAPS
    •     KERBEROS




    NTLM / NTLM 2

    _______________

    NTLM provides authentication based on a challenge-response sequence of messages between a client and a server system. It does not provide data integrity or data confidentiality protection for the authenticated network connection.


     


    LDAP / LDAPS

    _______________

    The main difference between LDAP and LDAPS is that LDAPS supports encryption, and therefore the credentials are not sent in plain text across the network.

    Another thing to keep in mind is that the Domain Controller (DC) can be considered a database of users, groups, computers and so on (contains information about objects). Using LDAP/LDAPS the user's workstation sends the credentials using an API to the Domain Controller in order to validate them and be able to log in.

    The procedure is similar to the image below:







    KERBEROS

    _______________

    Another way to authenticate is using Kerberos. Kerberos uses symmetric-key cryptography and requires trusted third-party authorization to verify user identities. The authentication process is similar to the one below:

     

     


    Authentication on Azure Active Directory



    Azure Active Directory is a secure online authentication store, which can contain users and groups. Users have a username and a password which are used when you sign in to an application that uses Azure Active Directory for authentication. So, for example, all of the Microsoft Cloud services use Azure Active Directory for authentication: Office 365, Dynamics 365 and Azure.



    Azure Active Directory supports the following authentication methods:

    •     SAML (Security Assertion Markup Language)
    •     OAUTH 2.0
    •     OpenID Connect




    SAML (Security Assertion Markup Language)

    _______________

    Security Assertion Markup Language (SAML) is a type of Single Sign-On (SSO) standard. It defines a set of rules/protocols that allow users to access web applications with a single login. This is possible because those applications (referred to as “Service Providers”) all trust the systems that verify users’ identities (referred to as “Identity Providers”).

    • Service Providers - These are the systems and applications that users access throughout the day.


    • Identity Providers - This would be the system that performs user authentication.




    OAUTH 2.0


    _______________

    OAuth 2.0 is a standard that apps use to provide client applications with access.

    OAuth 2.0 spec has four important roles:



    • The authorization server, which is the server that issues the access token.
    • The resource owner, normally your application's end-user, that grants permission to access the resource server with an access token.
    • The client, which is the application that requests the access token, and then passes it to the resource server.
    • The resource server, which accepts the access token and must verify that it is valid. In this case, this is your application.




    OpenID Connect

    _______________

    OpenID Connect is an authentication standard built on top of OAuth 2.0. It adds an additional token called an ID token.

    For that, it uses simple JSON Web Tokens (JWT). While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication.
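    To make the ID-token point concrete, here is an added example (not code from the room) that builds a minimal HS256-signed JWT carrying the claims an OpenID Connect ID token has (iss, aud, sub, iat, exp) and then validates it the way a relying party must: pinned algorithm first, signature compared in constant time, then issuer, audience and expiry. The issuer URL, client id, subject and shared secret are constructed placeholders; production ID tokens from Azure AD are RS256-signed with keys fetched from the provider's JWKS endpoint, so the order of checks carries over but the HMAC does not.

```powershell
# Added example, not code from the TryHackMe room. Minimal HS256 JWT issue/verify
# to show what an OIDC ID token is and which checks a relying party must perform.
# Issuer, audience, subject and secret are constructed placeholders.

function ConvertTo-Base64Url([byte[]] $Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string] $Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

function New-HmacIdToken([hashtable] $Claims, [byte[]] $Key) {
    $enc     = [Text.Encoding]::UTF8
    $header  = ConvertTo-Base64Url $enc.GetBytes((@{ alg = 'HS256'; typ = 'JWT' } | ConvertTo-Json -Compress))
    $payload = ConvertTo-Base64Url $enc.GetBytes(($Claims | ConvertTo-Json -Compress))
    $hmac    = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $sig     = ConvertTo-Base64Url $hmac.ComputeHash($enc.GetBytes("$($header).$($payload)"))
    "$($header).$($payload).$($sig)"
}

function Test-IdToken([string] $Token, [byte[]] $Key, [string] $Issuer, [string] $Audience) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return @{ Valid = $false; Reason = 'malformed token' } }
    $enc    = [Text.Encoding]::UTF8
    $header = $enc.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    # Pin the algorithm: trusting the header's alg lets an attacker downgrade to
    # "none" or swap the signature scheme.
    if ($header.alg -ne 'HS256') { return @{ Valid = $false; Reason = "unexpected alg $($header.alg)" } }

    $hmac     = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $expected = $hmac.ComputeHash($enc.GetBytes("$($parts[0]).$($parts[1])"))
    $actual   = ConvertFrom-Base64Url $parts[2]
    # Constant-time comparison: a wrong signature costs the same time as a right one.
    $diff = $expected.Length -bxor $actual.Length
    for ($i = 0; $i -lt [Math]::Min($expected.Length, $actual.Length); $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    if ($diff -ne 0) { return @{ Valid = $false; Reason = 'bad signature' } }

    # Only now are the claims trustworthy enough to read.
    $claims = $enc.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.iss -ne $Issuer)   { return @{ Valid = $false; Reason = 'wrong issuer' } }
    if ($claims.aud -ne $Audience) { return @{ Valid = $false; Reason = 'wrong audience' } }
    if ($claims.exp -le $now)      { return @{ Valid = $false; Reason = 'expired' } }
    @{ Valid = $true; Reason = 'ok'; Subject = $claims.sub }
}

# Demo with constructed values: the happy path, an audience mismatch (a token
# issued for another app replayed here) and a tampered signature.
$secret = [Text.Encoding]::UTF8.GetBytes('example-shared-secret-not-for-production')
$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$token  = New-HmacIdToken -Key $secret -Claims @{
    iss = 'https://login.example.test'; aud = 'my-client-id'; sub = 'user-123'
    iat = $now; exp = $now + 600
}
Test-IdToken -Token $token -Key $secret -Issuer 'https://login.example.test' -Audience 'my-client-id'
Test-IdToken -Token $token -Key $secret -Issuer 'https://login.example.test' -Audience 'other-app'
$tampered = $token.Substring(0, $token.Length - 2) + 'AA'
Test-IdToken -Token $tampered -Key $secret -Issuer 'https://login.example.test' -Audience 'my-client-id'
```

    The audience check is the one most often skipped in practice: without it, a valid ID token minted for one application can be presented to another one that trusts the same issuer.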

     

    1) Which Active Directory is cloud based?

    Ans :- Azure Active Directory


     

    2) Which authentication method does not provide data integrity?

    Ans :- NTLM


     
    3) Authentication method that assigns a ticket in order for a user to login?

    Ans :- kerberos


    4) Which authentication method allows users to access applications with a single login (short name)?

    Ans :- SAML


    5) Authentication method that uses JSON Web Tokens?

    Ans :- openID connect



     



    Task 4 Utility tools


    Built-in utility tools

    Windows comes with a variety of utility tools. Some of them are:

    •     Computer Management
    •     Local Security Policy
    •     Disk Cleanup
    •     Registry Editor
    •     Command-line tools
    •     Registry Editor (Regedit)


    Let's break each of them down and see their usage and why they are important.


    Computer Management


    Computer Management contains more tools such as:

    •     Task Scheduler
    •     Event Viewer
    •     Shared Folders
    •     Local users & computers
    •     Performance Monitor
    •     Disk Management
    •     Services & Applications


     

    Task Scheduler - A tool that allows predefined actions to be executed automatically whenever a certain set of conditions is met (Ex: you can set a date and time for a piece of software to be installed, or for a script to run). Because tasks survive reboots and can run as SYSTEM, Task Scheduler is also a common persistence location, so unfamiliar tasks deserve a second look.

    Event Viewer - Probably one of the most important tools that come with Windows. Event Viewer shows the events logged across the device (Ex: successful and failed logon attempts, system errors, etc.). It matters for security because the same events can be forwarded to a SIEM (Security Information and Event Management) system, which helps a company's IT or security team spot possible malicious activity.

    Shared Folders - Shows the directories shared over the network, which can be accessed by multiple users, along with the open sessions and open files.

    Local Users and Groups - Lets you create local users and add them to the built-in groups, which gives them different levels of access (Ex: user A can connect through RDP to a machine but user B can't).

    Performance Monitor - Monitors the different activities across the device such as CPU usage, memory usage, etc.

    Disk Management - Lets you shrink, expand, create new partitions (drives) and format them.

    Services & Applications - Lists the services on the system and lets you start, stop or restart them.
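As an added example (not part of the TryHackMe room), here is how the Security log that Event Viewer displays can be queried from PowerShell, summarising failed logons by account and source address the way a SIEM correlation rule would, followed by a quick audit of non-Microsoft scheduled tasks. It assumes an elevated session; the 24-hour window and the threshold of 10 are arbitrary choices.

```powershell
# Added example, not from the room: summarise failed logons (event ID 4625) from the
# Security log. Run in an elevated PowerShell session (reading the Security log needs admin).
$since = (Get-Date).AddDays(-1)   # assumed window: last 24 hours

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Each event is XML; pull the named EventData fields we care about.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        SourceIP  = $data['IpAddress']
        LogonType = $data['LogonType']   # 3 = network, 10 = RemoteInteractive (RDP)
        Status    = $data['Status']      # 0xC000006A = bad password, 0xC0000064 = no such user
    }
}

# Group by account and source to spot brute force / password spraying.
$rows | Group-Object User, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';     e = { $_.Group[0].User } },
        @{ n = 'SourceIP'; e = { $_.Group[0].SourceIP } } |
    Format-Table -AutoSize

# Flag noisy sources, the same logic a simple SIEM rule would apply.
$threshold = 10   # assumed
$rows | Group-Object SourceIP | Where-Object Count -gt $threshold | ForEach-Object {
    Write-Warning ("{0} failed logons from {1} in the last 24h" -f $_.Count, $_.Name)
}

# Task Scheduler is the other Computer Management tool worth auditing: list tasks that
# do not live under the \Microsoft\ folder and show what they execute and as whom.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskName
            Path    = $_.TaskPath
            RunAs   = $_.Principal.UserId
            Execute = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

The event fields come from the XML view of the event, which is what a SIEM agent forwards, so the same field names (TargetUserName, IpAddress, LogonType) are what you will see in the SIEM's parsed output.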


     

    Local Security Policy


    Local Security Policy is a group of settings you can configure to strengthen the computer's security. Even though most default policy settings in Windows are fine, there are a few that need adjusting for enhanced security. You can set the minimum password length and the password complexity level, disable the Guest and local Administrator accounts, control which accounts may log on locally or over the network, and much more. On a domain-joined machine these local settings are overridden by whatever Group Policy pushes down.

    Note: If the computer is not joined to an Active Directory domain, disabling the built-in local Administrator account is a bad idea unless another local account with administrator rights exists; otherwise you can lock yourself out of the machine.
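The following is an added example (not the room's own material) of checking and fixing the settings discussed above from an elevated PowerShell session rather than clicking through secpol.msc. The minimum length of 14 is an assumed baseline, and the script honours the note above by refusing to leave the machine without a local administrator.

```powershell
# Added example, not from the room. Run elevated on a non-domain-joined machine.
$minLength = 14   # assumed baseline

# "net accounts" prints the local password policy as text; parse the lines we need.
$acct       = net accounts
$currentMin = [int](($acct | Select-String 'Minimum password length').ToString() -replace '\D', '')
$maxAge     = ($acct | Select-String 'Maximum password age').ToString().Split(':')[1].Trim()

"Current minimum password length: $currentMin"
"Maximum password age (days):     $maxAge"

if ($currentMin -lt $minLength) {
    Write-Warning "Minimum password length is $currentMin (baseline $minLength); raising it"
    # This is the same setting the Local Security Policy GUI changes under
    # Account Policies > Password Policy > Minimum password length.
    net accounts /minpwlen:$minLength | Out-Null
}

# Built-in accounts are identified by RID, not name, since both can be renamed:
# RID 500 = built-in Administrator, RID 501 = Guest.
Get-LocalUser |
    Where-Object { $_.SID.Value -like '*-500' -or $_.SID.Value -like '*-501' } |
    Select-Object Name, Enabled, @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } }

# Guest should never be enabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
if ($guest.Enabled) {
    Disable-LocalUser -SID $guest.SID
    "Disabled the Guest account"
}

# Only disable the built-in Administrator if someone else can still administer the box.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$otherAdmins  = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -notlike '*-500' }
if ($otherAdmins) {
    if ($builtinAdmin.Enabled) { Disable-LocalUser -SID $builtinAdmin.SID; "Disabled built-in Administrator" }
} else {
    Write-Warning "Built-in Administrator is the only local admin; leaving it enabled"
}
```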


    Disk Cleanup

    Another useful utility is Disk Cleanup. Using Disk Cleanup we can delete files that are no longer needed by the system and are just taking up disk space. Running Disk Cleanup as administrator we can also clean system files (Ex: sometimes, after installing updates, some files remain on disk but are no longer needed).

    To access Disk Cleanup, right-click on Local Disk (C:) and click Properties. You should see a button in the General tab named "Disk Cleanup".

    You just need to tick the boxes for the files you want to clean and press OK.


    Registry Editor


    The Windows registry database stores many important operating system settings. For example, it contains entries describing what should happen when a particular file type is double-clicked, or how wide the taskbar should be. Hardware, whether built in or plugged in, also stores information in the registry when its driver is installed, and that configuration is read every time the system boots. Because so much of it is read at boot and at logon, the registry is also a favourite place for malware to persist.

    To access the Registry Editor you can either search for it or press Windows Key + R and type regedit.


    Command-line tools


    Windows comes equipped with two built-in command-line shells, plus a third that can be installed:


    •     CMD
    •     PowerShell
    •     Windows Terminal


    CMD (cmd.exe) is the command-line interpreter for Microsoft Windows operating systems, used to automate various system-related tasks using scripts and batch files. Users can interact with the OS directly using text-based commands. It emulates most of the command-line abilities that were available in MS-DOS.


    PowerShell is mainly used by sysadmins to manage the network and domain they handle, as well as the computers and other devices that are part of it. PowerShell is both a shell and a scripting language. It can run the same external command-line programs that CMD can (ping, net, reg, etc.) in addition to its own cmdlets, whereas the command prompt can only run batch commands and external programs.


    Both CMD and PowerShell are powerful command-line tools used to automate system administration tasks by writing a script or batch file. However, CMD has limited administration capabilities compared to PowerShell, which is a more advanced and modern shell implementation with additional features and enhancements (Ex: cmdlets, and objects rather than plain text flowing through the pipeline).


    Windows Terminal can be used instead of the PowerShell and CMD console windows and can be installed from the Microsoft Store. It is a terminal host rather than a shell: it runs CMD, PowerShell or WSL in tabs, alongside themes and customization for users who want to tweak it.

    Registry Editor


    The Windows registry can be considered a database that contains low-level settings for Windows itself and for applications. It is organised under the following root keys (hives):

    •     HKEY_CLASSES_ROOT
    •     HKEY_CURRENT_USER
    •     HKEY_LOCAL_MACHINE
    •     HKEY_USERS
    •     HKEY_CURRENT_CONFIG


    A feature of PowerShell is that you can browse the registry like a file system. You can do that by typing "cd <REG DB>" (Example: cd HKLM:\). Only HKLM: and HKCU: are mapped as drives by default; the other hives can be mapped with New-PSDrive.


    Windows also has a built-in tool named "reg" which can be used from the command line to add, remove, query, import and export registry keys and values.


    There is also a GUI available. You can search for "Regedit" or type it in the command line.


    There is no point in memorising the paths of the settings that live in the registry. You can look them up on the internet when you need them.
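As an added example (not the room's own content), the script below uses the HKLM: and HKCU: PSDrives described above to walk the standard Run/RunOnce autostart keys, which is one registry path worth knowing because both installers and malware use it for persistence, and then uses reg.exe to add, query and delete a harmless test value. The "Suspicious" heuristic (anything not under Program Files or Windows) is a rough assumption, not a rule.

```powershell
# Added example, not from the room. Standard autostart locations; output depends on your box.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$found = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty exposes each registry value as a property of one object.
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # skip PSPath, PSParentPath, etc.
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            # Assumed heuristic: binaries outside Program Files / Windows deserve a look.
            Suspicious = ($p.Value -notmatch '^"?[A-Za-z]:\\(Program Files|Windows)')
        }
    }
}
$found | Format-Table -AutoSize -Wrap

# HKEY_USERS is not a drive by default; map it to inspect other users' Run keys.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem HKU:\ | Select-Object -ExpandProperty PSChildName

# The same key through reg.exe, which works from CMD as well as PowerShell.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Add a harmless autorun value under the current user (the way installers and
# malware both persist), confirm it, then remove it again.
reg add    "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v DemoAutorun /t REG_SZ /d "C:\Windows\System32\calc.exe" /f
reg query  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v DemoAutorun
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v DemoAutorun /f
```

Reading HKLM needs no elevation, so this is also a useful first look during a pentest or an incident; writing to HKLM does.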





    Task 5 Types of servers

    What is a server?

    A server is a piece of hardware or software that provides functionality for other software or devices (the clients).




    Types of servers

    Servers can be used for a variety of actions or things. The most common ones are:

    •     Domain Controller
    •     File server
    •     Web server
    •     FTP Server
    •     Mail Server
    •     Database Server
    •     Proxy Server
    •     Application Server



    Domain Controller - Might be one of the most important servers, because in an AD or AAD infrastructure it is where users, groups, restrictions and security settings for the other computers and servers are controlled. That also makes it the highest-value target in the network: whoever controls the DC controls the domain.

    File Server - File servers provide a great way to share files across devices on a network.

    Web Server - Serves static or dynamic content to a web browser by loading a file from disk and sending it across the network to the user's browser.

    FTP Server - Makes it possible to move one or more files between computers while providing file organisation and transfer control. Note that plain FTP sends credentials and data in cleartext; for security you want FTPS or SFTP.

    Mail Server - Mail servers move and store mail over corporate networks (via LANs and WANs) and across the Internet.

    Database Server - A database server is a computer system that provides other computers with services related to accessing and retrieving data from one or multiple databases.

    Proxy Server - This server usually sits between a client program and an external server to filter requests, improve performance, and share connections.

    Application Server - Usually sits between the database servers and the users, running the business logic.
     

    Read the above.
     

    1) Which can be considered the most important server?

    Ans :- Domain Controller


    2) Which server can store emails?

    Ans :- Mail Server






    Task 6 Users and Groups Management


    Users and Groups Management in Active Directory

    In Active Directory, user management is done using Active Directory Users and Computers (ADUC). To access it, open Server Manager and go to Tools > Active Directory Users and Computers.


    Before any other action, let's enable Advanced Features, which shows additional tabs (such as Security and Attribute Editor) when looking at an object's properties. That is done by going to View > Advanced Features.


    By double-clicking on thm.lab we are presented with the Active Directory tree.



    Let's create an Organizational Unit (OU) in which to store the users. To do that, right-click on the domain name (thm.lab) and go to New > Organizational Unit. I named it LAB and clicked OK to create it.



    Let's create two more OUs inside the newly created OU (they will be nested). In one OU we'll store users and in the second one we'll store groups. To create the OUs we can repeat the steps above (right-click on the LAB OU > New > Organizational Unit).

    Time to create some users and groups! To do so, right-click on the Users OU, go to New > User and fill in the information required.


    Click Next and set a password for the user.




    The reason I checked only "Password never expires" is because I do not want the password to expire after a period of time (the default maximum password age in AD is 42 days). In a production environment you would instead check "User must change password at next logon" so the user can set a password of their own after you create the account; accounts whose password never expires are a standard audit finding.

    Since the password can be set to expire after a period of time, it would be a bad idea to check "User cannot change password", because the user won't be able to reset it and you will have to intervene manually.

    As for the last box, "Account is disabled", the action is obvious: it disables the user account. You might want to disable an account when the user is on leave (let's say 6 months) and you do not want them, any other colleague, or a malicious entity to use it in the meantime.

    Click Next, you will be shown the account information, then click Finish to complete the account creation.

    Note: The username the user will authenticate with is the one you set in the User logon name field.

    You've successfully created your first AD user. Now create two more users and name them as you wish.

    We should have three users in the AD.




    Let's move to the Groups OU. Right-click on the OU > New > Group.

    I named the group Admins and clicked OK to create it.

    Then I created another group named RDP Access.

    And finally, using the same method, create one more group named No RDP Access.

    We should have the following groups in AD: Admins, RDP Access and No RDP Access.



    To assign a user to a group you can do that in two ways:

    1. Right-click a user > Add to a group

    2. Double-click a group > click on the Members tab > Add

    Using the first method, let's add Albert Einstein to the Admins group. A window will appear asking which object to search for in the AD. Type the name of the group you created (in my case Admins) in the "Enter the object names to select" field, click Check Names, and then OK to add the user to the specified group.





    Proceed to add one of the created users to the RDP Access group and the other to the No RDP Access group.

    Another thing to keep in mind is that an object can be a member of another object (Ex: a group can be a member of another group).

    We added Albert Einstein to a group named Admins. Let's add the Admins group to the Domain Admins group. To do that, right-click on the Admins group > Add to a group, search for Domain Admins and press OK. Albert Einstein is now a Domain Admin through nested membership, which is exactly why group nesting needs auditing: an account's effective rights are the union of every group it is in, directly or indirectly.

    As we've done with Albert Einstein's account, add both the RDP Access and No RDP Access groups to the Remote Desktop Users group.

    Note: Even though the No RDP Access group is now a member of Remote Desktop Users, its members can still be blocked from RDP using a GPO. This will be done in the next task (Creating your first GPO).
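Everything done through the ADUC GUI in this task can be scripted. The following is an added example (not the room's own steps) that builds the same OU, user and group structure with the ActiveDirectory module and then checks effective membership. It assumes you run it on the DC (or a machine with RSAT) as a Domain Admin, that the domain is thm.lab, and that the third user (Nikola Tesla) and the logon names are my choices; the room only names Albert Einstein and Jim Carrey.

```powershell
# Added example, not from the room. Assumes Domain Admin on thm.lab with the AD module.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName    # e.g. DC=thm,DC=lab

# OUs: LAB, with Users and Groups nested inside it.
New-ADOrganizationalUnit -Name 'LAB' -Path $domainDN
$labOU    = "OU=LAB,$domainDN"
New-ADOrganizationalUnit -Name 'Users'  -Path $labOU
New-ADOrganizationalUnit -Name 'Groups' -Path $labOU
$usersOU  = "OU=Users,$labOU"
$groupsOU = "OU=Groups,$labOU"

# Users. Passwords are prompted rather than hard-coded; "change at next logon" is the
# production-friendly setting instead of "password never expires".
$users = @(
    @{ Given = 'Albert'; Surname = 'Einstein'; Sam = 'aeinstein' },
    @{ Given = 'Jim';    Surname = 'Carrey';   Sam = 'jcarrey'   },
    @{ Given = 'Nikola'; Surname = 'Tesla';    Sam = 'ntesla'    }   # assumed third user
)
foreach ($u in $users) {
    $pw = Read-Host -AsSecureString "Initial password for $($u.Sam)"
    New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@thm.lab" -Path $usersOU `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
}

# Global security groups in the Groups OU.
foreach ($g in 'Admins', 'RDP Access', 'No RDP Access') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOU
}

# Memberships, including the group-in-group nesting from the task.
Add-ADGroupMember -Identity 'Admins'        -Members 'aeinstein'
Add-ADGroupMember -Identity 'RDP Access'    -Members 'jcarrey'
Add-ADGroupMember -Identity 'No RDP Access' -Members 'ntesla'
Add-ADGroupMember -Identity 'Domain Admins'        -Members 'Admins'
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members 'RDP Access', 'No RDP Access'

# Verify: recursive membership is what actually decides access, not the direct list.
"Effective Domain Admins:"
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object Name, SamAccountName
"Effective Remote Desktop Users:"
Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive | Select-Object Name, SamAccountName
```

The -Recursive check at the end is the one to remember: aeinstein never appears in Domain Admins' direct member list, yet it is a Domain Admin, which is how over-privileged accounts hide in real environments.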



    Task 7 Creating your first GPO


    What is a Group Policy Object?

    A GPO, or Group Policy Object, is a feature of Active Directory that adds additional controls to user accounts and computers.

    Group Policy settings can be applied at several levels: local settings, site-wide settings, domain-level settings and settings applied to organizational units. They are processed in that order (local, site, domain, OU), so a setting linked to an OU wins over one linked higher up unless the higher link is enforced.

    Creating our first GPO


    To create a GPO we need to go to Tools > Group Policy Management inside Server Manager.

    Right-click on "Group Policy Objects" and create a new object. I will name mine "Groups GPO".
    To edit the GPO, right-click on it > Edit.

     

     

    For the purpose of this demo, we will set different permissions for the groups recently created.

    First, let's let users authenticate using RDP. To do so, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and double-click on Allow log on through Remote Desktop Services.

    Select Define these policy settings > Add User or Group > Browse.

    Search for the Admins and RDP Access groups and click OK > OK to add them. Note that defining this setting replaces the machine's default list (Administrators and Remote Desktop Users), so any group you leave out loses RDP access.

    To block a user or a group from logging in using RDP, double-click Deny log on through Remote Desktop Services and add the No RDP Access group there. When an account matches both lists, Deny takes precedence over Allow.


     

     

    We can close the editor and go back to the Group Policy Management console. In order for the policy to apply, we have to link the GPO to the container holding the computer it should affect. In this lab the machine we will RDP into is the domain controller itself, so right-click on the Domain Controllers OU > Link an Existing GPO, select the GPO you created (Groups GPO in my case) and press OK. Linking it at the root of the domain (thm.lab) would instead apply it to every computer in the domain. Granting RDP logon on a domain controller to ordinary users is something you would only do in a lab.

     

    To apply the GPO, open a CMD as administrator (right-click on it > Run as administrator), type gpupdate /force and wait for the policy to apply.


     

    Testing the GPO


    Let's try to RDP into the machine using each user and see the different level of access each has.

    The first user I'm going to log in with is Albert Einstein, who has Domain Admin rights. The logon is successful. Open a CMD as admin and type "whoami".

     

     

    As noticed, we were able to start an elevated CMD.


    Sign out and log in using the account added to the RDP Access group (in my case Jim Carrey).

    Try launching an elevated CMD (right-click on CMD > Run as administrator). You will notice that UAC (User Account Control) asks for admin credentials. If you enter the credentials (username and password) of the account you are currently logged in with, the CMD prompt will not open. This happens because you are a standard user on the machine, not an administrator: the right to log on over RDP and local administrator rights are separate permissions.

     

     

     

    Note: You can spawn the shell if you use an administrator's credentials (in my case Albert Einstein's).


    Lastly, try logging in with the account added to the No RDP Access group. You will get an error saying the account is not authorised for remote logon.

    This happens because, even though the No RDP Access group has been added to the Remote Desktop Users group, the GPO created earlier denies RDP access to the users in that group, and a Deny right always overrides an Allow.
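As an added example (not the room's own steps), the script below creates and links the GPO with the GroupPolicy module and then verifies the result the way you would during an audit: it exports the effective local security policy on the DC with secedit and resolves the SIDs in the two RDP user rights back to group names. It assumes Domain Admin on the DC, the domain thm.lab and the groups from the previous task. User Rights Assignment lives in the GPO's security template rather than the registry, so it cannot be set with Set-GPRegistryValue; that part is still done in the Group Policy Management Editor as described above.

```powershell
# Added example, not from the room. Run elevated on the DC as a Domain Admin.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo = New-GPO -Name 'Groups GPO' -Comment 'RDP allow/deny for lab groups'
# Link where the target computer lives: the Domain Controllers OU for this lab.
$dcOU = "OU=Domain Controllers," + (Get-ADDomain).DistinguishedName
New-GPLink -Name $gpo.DisplayName -Target $dcOU -LinkEnabled Yes | Out-Null

# ... set Allow / Deny log on through Remote Desktop Services in the editor, then:
gpupdate /force | Out-Null

# Export the effective local policy (user rights only) to an INF file and read it back.
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf

function Resolve-RightMembers {
    param([string]$Right)
    # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = $lines | Where-Object { $_ -like "$Right =*" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; translate them to DOMAIN\Name.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }
        } else { $v }
    }
}

"Allowed RDP logon: " + ((Resolve-RightMembers 'SeRemoteInteractiveLogonRight')     -join ', ')
"Denied  RDP logon: " + ((Resolve-RightMembers 'SeDenyRemoteInteractiveLogonRight') -join ', ')
Remove-Item $inf -Force

# Deny wins over Allow, which is why a member of both Remote Desktop Users and
# "No RDP Access" is still refused. To see one account's resulting group set:
#   gpresult /r /user thm\<username>
```

If the Denied line is empty after gpupdate, the GPO is linked to the wrong container or the setting was defined under User Configuration instead of Computer Configuration; both are common mistakes when following the GUI steps.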



