Lateral Movement - Remote Access

Question 1

List the three domains where to look for evidence of remote access using Remote Desktop?

Answer 1

1. ) Event Logs
2. ) Registry
3. ) File System

Question 2

(RDP) - Which two event logs would you investigate further on the attacker computer?

Answer 2

1.) Security.evtx - 4648 will show logon specifying alternate credentials
2.) RDPClientOperational.evtx - 1024 will show destination host name.
1102 will show destination IP address

Question 3

(RDP) - Which six registry artifacts would you investigate further on the attacker computer?

Answer 3

1. ) NTUSER\Software\Microsoft\Terminal Server Client\ Servers
2. ) SYSTEM mstsc.exe (shimcache)
3. ) SYSTEM BAM/DAM mstsc.exe
4. ) AmCache.hve mstsc.exe
5. ) NTUSER.dat UserAssist mstsc.exe
6. ) NTUSER.dat RecentApps mstsc.exe

Question 4

(RDP) - Which three file system artefacts would you investigate further on the attacker computer?

Answer 4

1. ) Jumplists
2. ) Prefetch
3. ) Bitmap cache

Question 5

(RDP) - Which four event logs would you investigate further on the victim computer?

Answer 5

1. ) Security.evtx - 4624 (Logon type 10) will show source IP/Logon User Name. 4778/4779 will show source IP/Logon User Name
2. ) RDPCoreTSOperational.evtx - 131 connection attempts, 98- successful connections
3. ) RemoteConnectionManagerOperational.evtx -1149 will show source IP / Logon User name
4. ) LocalSessionManagerOperational.evtx 21,22,25 wil show source IP/Logon user name

Question 6

(RDP) - Which two registry artefacts would you investigate further on the victim computer?

Answer 6

1. ) SYSTEM rdpclip.exe (shimcache)

2. ) AmCache.hve rdpclip.exe, tstheme.exe

Question 7

(RDP) - Which one file system artefact would you investigate further on the victim computer?

Answer 7

1.) Prefetch (C:\Windows\Prefetch\rdpclip.exe or tstheme.exe

Question 8

(Map Network Shares) - Which two event logs would you investigate further on the attacker computer?

Answer 8

1. ) Security.evtx - 4648

2. ) SmbClientSecurity.evtx - 31001 Failed logon to destination.

Question 9

(Map Network Shares) - Which five registry artefacts would you investigate further on the attacker computer?

Answer 9

1. ) MountPoints2 (Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoint2)
2. ) Shellbags (USRCLASS.DAT) - remote folders accessed inside and interactive session via Explorer by attackers
3. ) Shimcache - SYSTEM net.exe, net1.exe
4. ) BAM / DAM - NTUSER.DAT net.exe, net1.exe
5. ) AmCache.hve net.exe, net1.exe

Question 10

(Map Network Shares) - Which two file system artefacts would you investigate further on the attacker computer?

Answer 10

1. ) Prefetch (C:\Windows\Prefetch\net.exe , net1.exe

2. ) User Profile Artefacts (shortcut files, jump lists)

Question 11

(Map Network Shares) - Which event log would you investigate further on the victim computer?

Answer 11

1. ) Security.evtx
   a) 4624
   b) 4672
   c) 4776
   d) 4768
   e) 4769
   f) 5140
   g) 5145

Question 12

(Map Network Shares) - Which registry artefacts would you investigate further on the victim computer?

Answer 12

None. There would be no evidence of network share access in the registry

Question 13

(Map Network Shares) - Which file system artefacts would you investigate further on victim computer.

Answer 13

1.) File Creations (Attacker’s files (malware)