Lateral Movement
RDP:
  Security EVTX
    4648 - Logon specifying alternate credentials (if NLA enabled on destination)
    4624 - Logon
    4672 - Logon Admin
    4778/4779 - Source IP address, system & username
  RDPClient-Operational
    1024 - Destination hostname
    1102 - Destination IP address
  RemoteConnectionManager-Operational
    1149 - Source IP / logon username (a blank username may indicate sticky keys)
  RemoteDesktopServices-RdpCoreTS-Operational
    131 - Connection attempts (source IP)
    98 - Successful connection
  TerminalServices-LocalSessionManager-Operational
    21, 22, 25 - Source IP / logon name
    41 - Logon username
  Registry
    NTUSER\Software\Microsoft\Terminal Server Client\Servers
    ShimCache (SYSTEM): mstsc.exe
    BAM/DAM (SYSTEM): last time executed
    AmCache.hve: first time executed
    UserAssist (NTUSER.dat): mstsc.exe - last time and number of times executed
    RecentApps (NTUSER.dat): mstsc.exe - last time and number of times executed
    ShimCache (SYSTEM): rdpclip.exe, tstheme.exe
    AmCache.hve: rdpclip.exe, tstheme.exe - first time executed
  FileSystem
    Jumplists - AutomaticDestinations\{MSTSC-APPID} - connection destination and times
    Prefetch - mstsc.exe-{hash}.pf
    Bitmap cache - AppData\Local\Microsoft\Terminal Server Client\Cache\bcache##.bmc & cache####.bin
    Prefetch - rdpclip.exe / tstheme.exe
Share Drive:
  net use z: \\host\C$ /user:domain\username <password>
  Security EVTX
    4648 - Logon specifying alternate credentials
    4624 - Logon
    4672 - Logon Admin
    4776 - Source IP address, system & username
    4768 - TGT granted - source hostname / logon username (only on DC)
    4769 - Service ticket granted (only on DC)
    5140 - Share access
    5145 - Auditing of shared files
  SMBClient-Security
    31001 - Failed logon to destination
  Registry
    NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    Shellbags (USRCLASS.dat) - remote folder accessed
    ShimCache (SYSTEM): net.exe & net1.exe
    BAM/DAM (SYSTEM): net.exe & net1.exe
    AmCache.hve: first time executed
  FileSystem
    Prefetch - net.exe-{hash}.pf, net1.exe-{hash}.pf
Remote Service Control:
  sc \\host create servicename binpath=C:\temp\Evil.ex
  sc \\host start servicename
  Security EVTX
    4624 - Logon
    4697 - Service install
  System EVTX
    7034 - Service crashed unexpectedly
    7035 - Service sent start/stop control
    7040 - Start type changed
    7045 - Service was installed
  Registry
    ShimCache (SYSTEM): sc.exe
    BAM/DAM: last time executed
    AmCache.hve: first time executed
    SYSTEM\CurrentControlSet\Services - new service creation
    ShimCache (SYSTEM): evil.exe
    AmCache.hve: first time executed
  FileSystem
    Prefetch - sc.exe-{hash}.pf
Remote Scheduled Task Control:
  at \\host 13:00 C:\temp\evil.exe
  schtasks /CREATE /TN taskname /TR C:\evi.exe /sc once /RU "SYSTEM" /ST 13:00 /s host /U user
  Security EVTX
    4648 - Logon specifying alternate credentials
    4624 - Logon
    4672 - Logon Admin
    4698 - Scheduled task created
    4702 - Scheduled task updated
    4699 - Scheduled task deleted
    4700/4701 - Scheduled task enabled/disabled
  TaskScheduler-Operational
    106 - Task created
    140 - Task updated
    141 - Task deleted
    200/201 - Task executed/completed
  Registry
    ShimCache (SYSTEM): at.exe & schtasks.exe
    BAM/DAM (SYSTEM): at.exe & schtasks.exe
    AmCache.hve: first time executed
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks & \Tree
    ShimCache (SYSTEM): evil.exe
    AmCache.hve: first time executed
  FileSystem
    Prefetch - at.exe-{hash}.pf, schtasks.exe-{hash}.pf
    File creation
    Prefetch - evil.exe-{hash}.pf
Remote Registry Control:
  reg add \\host\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Data /t REG_SZ /d C:\evil.exe
WMI:
  Host: wmic.exe -> Target: wmiprvse.exe
  wmic /node:host /user:user process call create C:\temp\evil.exe
  Invoke-WmiMethod -ComputerName host -Class Win32_Process -Name create -ArgumentList C:\evil.exe
  wmic.exe PROCESS CALL CREATE "C:\\Windows\\System32\\rundll32.exe C:\evil.dll"
  Security EVTX
    4648 - Logon specifying alternate credentials
    4624 - Logon
    4672 - Logon Admin
  WMI-Activity-Operational
    5857 - Indicates WMIC execution and path of DLL
    5860/5861 - Registration of temporary/permanent event consumer
  Registry
    ShimCache (SYSTEM): wmic.exe
    BAM/DAM: last time executed
    AmCache.hve: first time executed
    ShimCache: scrcons.exe, mofcomp.exe, wmiprvse.exe, evil.exe
    AmCache.hve: scrcons.exe, mofcomp.exe, wmiprvse.exe, evil.exe
  FileSystem
    Prefetch - wmic.exe-{hash}.pf
    File creation - evil.exe & evil.mof (used to manage the WMI repository)
    Prefetch - scrcons.exe-{hash}.pf, mofcomp.exe-{hash}.pf, wmiprvse.exe-{hash}.pf, evil.exe-{hash}.pf
    Changes to C:\Windows\System32\wbem\Repository
PowerShell:
  Host: powershell.exe -> Target: wsmprovhost.exe
  Enter-PSSession -ComputerName host
  Invoke-Command -ComputerName host -ScriptBlock {Start-Process C:\evil.exe}
  Security EVTX
    4648 - Logon specifying alternate credentials
    4624 - Logon (Type 3)
    4672 - Logon Admin
  WinRM-Operational
    6 - WSMan session initialised: session created, destination host IP/name, currently logged-on user
    8, 15, 16, 33 - WSMan session deinitialised
    91 - Session created
    168 - Records the authenticating user
  PowerShell.evtx
    400, 403 - ServerRemoteHost - indicates start/end of a remoting session
    800 - Includes partial script code
  PowerShell-Operational
    40691, 40692 - Records local initiation of PowerShell and the user
    8193, 8194 - Session created
    8197 - Session closed
    4103, 4104 - Script block logging (logs suspicious scripts by default in PSv5)
    53504 - Records the authenticating user
  Registry
    ShimCache (SYSTEM): powershell.exe
    BAM/DAM: last time executed
    AmCache.hve: first time executed
    ShimCache: wsmprovhost.exe
    SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy
    AmCache.hve: wsmprovhost.exe
  FileSystem
    Prefetch - powershell.exe-{hash}.pf
    Command history - AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_History.txt
    Prefetch - wsmprovhost.exe-{hash}.pf
PsExec:
  psexec.exe \\host -accepteula -d -c C:\temp\evil.exe
  Host: psexec.exe -> Target: psexesvc.exe
  Security EVTX
    4648 - Logon specifying alternate credentials (if NLA enabled on destination)
    4624 - Logon
    4672 - Logon Admin
    5140 - Share access (ADMIN$)
  Registry
    Software\SysInternals\PsExec\EulaAccepted
    ShimCache (SYSTEM): psexec.exe
    BAM/DAM (SYSTEM): psexec.exe - last time executed
    AmCache.hve: first time executed
    New service creation: SYSTEM\CurrentControlSet\Services\PSEXESVC (can be renamed)
    ShimCache (SYSTEM): psexesvc.exe
    AmCache.hve: psexesvc.exe
  FileSystem
    Prefetch - C:\Windows\Prefetch
    File creation
    Prefetch - psexesvc.exe-{hash}.pf
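As an added example (not part of this cheat sheet), a small Python correlation of the destination-side event IDs listed above: a rule fires when its trigger event is preceded, within a short window, by the supporting events the sheet associates with that technique (PsExec, remote service, remote scheduled task, RDP). The record layout (keys ts, log, id, LogonType, ShareName, ServiceName, IpAddress) and the sample events are constructed assumptions, not real log data.

```python
"""Correlate the event IDs from the sheet into lateral-movement indicators.
Added example, not part of the original cheat sheet: the record layout
(ts/log/id plus a few EventData fields) and the sample events are constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # supporting events must precede the trigger within this

# Rule = (name, trigger, supports); trigger and each support = (log, event_id, predicate).
# A rule fires when its trigger matches and EVERY support occurred within WINDOW before it.
RULES = [
    # PsExec: network logon (4624 type 3) + ADMIN$ share access (5140) + PSEXESVC install (7045)
    ("psexec", ("System", 7045, lambda e: "psexesvc" in e.get("ServiceName", "").lower()),
     [("Security", 4624, lambda e: e.get("LogonType") == 3),
      ("Security", 5140, lambda e: e.get("ShareName", "").upper().endswith("ADMIN$"))]),
    # Remote service control: network logon followed by 4697 service install
    ("remote_service", ("Security", 4697, lambda e: True),
     [("Security", 4624, lambda e: e.get("LogonType") == 3)]),
    # Remote scheduled task: network logon followed by 4698 task created
    ("remote_task", ("Security", 4698, lambda e: True),
     [("Security", 4624, lambda e: e.get("LogonType") == 3)]),
    # RDP: interactive remote logon (4624 type 10), no prerequisite needed
    ("rdp_logon", ("Security", 4624, lambda e: e.get("LogonType") == 10), []),
]

def correlate(events, rules=RULES, window=WINDOW):
    """Return [(rule_name, trigger_timestamp, most_recent_source_ip)] for every rule that fires."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    hits = []
    for i, ev in enumerate(events):
        t = datetime.fromisoformat(ev["ts"])
        earlier = [e for e in events[:i] if t - datetime.fromisoformat(e["ts"]) <= window]
        for name, (tlog, tid, tpred), supports in rules:
            if ev["log"] != tlog or ev["id"] != tid or not tpred(ev):
                continue
            if all(any(e["log"] == sl and e["id"] == sid and sp(e) for e in earlier)
                   for sl, sid, sp in supports):
                # Source IP from the newest in-window record that carries one (trigger included)
                ip = next((e["IpAddress"] for e in reversed(earlier + [ev]) if e.get("IpAddress")), None)
                hits.append((name, ev["ts"], ip))
    return hits

# Constructed sample: a PsExec run, a remote task two minutes later, then an unrelated service install.
SAMPLE = [
    {"ts": "2024-05-01T13:00:01", "log": "Security", "id": 4624, "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"ts": "2024-05-01T13:00:02", "log": "Security", "id": 5140, "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.5"},
    {"ts": "2024-05-01T13:00:03", "log": "System", "id": 7045, "ServiceName": "PSEXESVC"},
    {"ts": "2024-05-01T13:02:00", "log": "Security", "id": 4698, "TaskName": "\\taskname"},
    {"ts": "2024-05-01T18:00:00", "log": "System", "id": 7045, "ServiceName": "Dhcp"},  # no logon nearby
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE):
        print(hit)  # ('psexec', '2024-05-01T13:00:03', '10.0.0.5') then ('remote_task', ..., '10.0.0.5')
```

On a real case the same rules can be fed from EVTX exports after mapping each channel's EventData fields onto the keys used here; the benign 18:00 service install shows why the 7045 trigger alone is not enough.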