Lateral Movement - Remote Access Flashcards
Determine artifacts of lateral movement
List the three artifact domains in which to look for evidence of remote access using Remote Desktop.
1.) Event logs
2.) Registry
3.) File system
(RDP) - Which two event logs would you investigate further on the attacker computer?
1.) Security.evtx - 4648 shows a logon attempted with explicit (alternate) credentials, including the target account, the target server name and the process that requested it.
2.) Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx - 1024 shows the destination host name ("RDP ClientActiveX is trying to connect to the server"); 1102 shows the destination IP address.
(RDP) - Which six registry artifacts would you investigate further on the attacker computer?
1.) NTUSER.DAT - Software\Microsoft\Terminal Server Client\Servers (one subkey per destination host; UsernameHint holds the account name used)
2.) SYSTEM - ShimCache (AppCompatCache) entry for mstsc.exe
3.) SYSTEM - BAM/DAM entry for mstsc.exe
4.) AmCache.hve - mstsc.exe
5.) NTUSER.DAT - UserAssist entry for mstsc.exe
6.) NTUSER.DAT - RecentApps entry for mstsc.exe
(RDP) - Which three file system artifacts would you investigate further on the attacker computer?
1.) Jump lists (the mstsc.exe automatic destinations jump list records the hosts connected to)
2.) Prefetch (C:\Windows\Prefetch\MSTSC.EXE-<hash>.pf)
3.) RDP bitmap cache (%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache; tiles of what the attacker saw on the remote screen)
(RDP) - Which four event logs would you investigate further on the victim computer?
1.) Security.evtx - 4624 with Logon Type 10 (RemoteInteractive; Type 7 when reconnecting to an existing session) shows source IP and logon user name. 4778 (session reconnected) and 4779 (session disconnected) show source IP (Client Address), client host name and logon user name.
2.) Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx - 131 shows connection attempts with the source IP ("accepted a new TCP connection from client"); 98 shows successfully established TCP connections.
3.) Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx - 1149 shows source IP and logon user name. It is written when the RDP connection is established, so treat it as proof of a connection from that source and confirm the logon itself with 4624 / 21.
4.) Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx - 21 (session logon succeeded), 22 (shell start notification received) and 25 (session reconnection succeeded) show source IP and logon user name.
(RDP) - Which two registry artifacts would you investigate further on the victim computer?
1.) SYSTEM - ShimCache entry for rdpclip.exe
2.) AmCache.hve - rdpclip.exe, tstheme.exe
(RDP) - Which one file system artefact would you investigate further on the victim computer?
1.) Prefetch (C:\Windows\Prefetch\RDPCLIP.EXE-<hash>.pf and TSTHEME.EXE-<hash>.pf)
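Added example, not part of the original flashcards: the PowerShell below pulls the victim-side RDP event logs listed above into one timeline with the user and source IP for each event. It keeps Logon Type 7 (reconnect) alongside Type 10, which goes beyond the card; the seven-day window and the function names are assumptions for the demo.

```powershell
# Added example, not from the original flashcards: build one timeline from the victim-side
# RDP event logs. Run in an elevated PowerShell on the suspected destination host.
# $Since (the triage window) is an assumption; swap LogName for Path to read exported .evtx.
$Since = (Get-Date).AddDays(-7)

# Return one <Data Name="..."> value from the EventData block of a Security event.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-RdpVictimTimeline {
    # Security.evtx: 4624 LogonType 10 = RemoteInteractive, 7 = reconnect/unlock of an existing
    # session; 4778/4779 (session reconnect/disconnect) carry ClientAddress and ClientName.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4778, 4779; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Id -eq 4624) {
                $type = Get-EventData $_ 'LogonType'
                if ($type -notin '10', '7') { return }      # drop network/service/batch logons
                [pscustomobject]@{
                    Time   = $_.TimeCreated; Log = 'Security'; Id = 4624
                    User   = "$(Get-EventData $_ 'TargetDomainName')\$(Get-EventData $_ 'TargetUserName')"
                    Source = Get-EventData $_ 'IpAddress'
                    Note   = "LogonType $type"
                }
            } else {
                [pscustomobject]@{
                    Time   = $_.TimeCreated; Log = 'Security'; Id = $_.Id
                    User   = "$(Get-EventData $_ 'AccountDomain')\$(Get-EventData $_ 'AccountName')"
                    Source = Get-EventData $_ 'ClientAddress'
                    Note   = "ClientName $(Get-EventData $_ 'ClientName')"
                }
            }
        }

    # The TerminalServices logs keep their fields in UserData/EventXML instead of EventData.
    $tsLogs = @{
        'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' = 1149
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'     = 21, 22, 25
    }
    foreach ($log in $tsLogs.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $tsLogs[$log]; StartTime = $Since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $u = ([xml]$_.ToXml()).Event.UserData.EventXML
                if ($_.Id -eq 1149) {
                    # Param1 = user, Param2 = domain, Param3 = source IP. 1149 fires when the RDP
                    # connection is established; pair it with 4624/21 before calling it a logon.
                    $user = "$($u.Param2)\$($u.Param1)"; $src = $u.Param3; $note = 'connection established'
                } else {
                    # User is already DOMAIN\name; Address is "LOCAL" for console sessions.
                    $user = $u.User; $src = $u.Address; $note = "Session $($u.SessionID)"
                }
                [pscustomobject]@{ Time = $_.TimeCreated; Log = $log.Split('-')[-1]; Id = $_.Id
                                   User = $user; Source = $src; Note = $note }
            }
    }
}

Get-RdpVictimTimeline | Sort-Object Time | Format-Table -AutoSize
```

Read the output as a sequence per source IP: 131/1149 (connection reached the host), then 4624 type 10 and 21 (logon and session), 22 (shell started), and 24/25 pairs for disconnects and reconnects. A 1149 with no matching 4624/21 from the same source is a connection attempt, not a confirmed logon.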
(Map Network Shares) - Which two event logs would you investigate further on the attacker computer?
1.) Security.evtx - 4648 (logon with explicit credentials; the target server name is the host whose share was mapped)
2.) Microsoft-Windows-SmbClient%4Security.evtx - 31001 failed logon to destination
(Map Network Shares) - Which five registry artifacts would you investigate further on the attacker computer?
1.) MountPoints2 (NTUSER.DAT - Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2; remote shares appear as ##server#share subkeys)
2.) Shellbags (USRCLASS.DAT) - remote folders the attacker browsed via Explorer inside an interactive session
3.) ShimCache - SYSTEM, net.exe and net1.exe
4.) BAM/DAM - SYSTEM hive (not NTUSER.DAT), net.exe and net1.exe
5.) AmCache.hve - net.exe and net1.exe
(Map Network Shares) - Which two file system artifacts would you investigate further on the attacker computer?
1.) Prefetch (C:\Windows\Prefetch\NET.EXE-<hash>.pf and NET1.EXE-<hash>.pf)
2.) User profile artifacts (shortcut (LNK) files, jump lists) that reference remote paths
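Added example, not part of the original flashcards, covering both the RDP cards and the share-mapping cards for the attacker (source) computer: the event logs, registry keys and Prefetch files named above collected by one PowerShell triage script. The time window, the function names and the HKCU: registry paths (which only cover the currently logged-on user) are assumptions for the demo.

```powershell
# Added example, not from the original flashcards: source-host (attacker side) triage for the
# RDP and network-share-mapping artifacts. Run in an elevated PowerShell on the suspected
# source host; $Since is an assumed triage window. HKCU: covers only the logged-on user, so for
# another profile load its hive first (reg load HKU\Suspect <path>\NTUSER.DAT) and adjust paths.
$Since = (Get-Date).AddDays(-7)

function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Security 4648: who ran what, with which alternate credentials, against which server.
function Get-ExplicitCredentialLogons {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                By      = "$(Get-EventData $_ 'SubjectDomainName')\$(Get-EventData $_ 'SubjectUserName')"
                AsUser  = "$(Get-EventData $_ 'TargetDomainName')\$(Get-EventData $_ 'TargetUserName')"
                Target  = Get-EventData $_ 'TargetServerName'
                Process = Get-EventData $_ 'ProcessName'      # e.g. ...\mstsc.exe or ...\net.exe
            }
        }
}

# RDPClient/Operational 1024 (destination host name) and 1102 (destination IP); the server is
# the first substitution parameter of both events.
function Get-RdpClientDestinations {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'; Id = 1024, 1102; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Destination = $_.Properties[0].Value }
        }
}

# SmbClient/Security 31001: failed logons to a share destination.
function Get-SmbClientFailures {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SmbClient/Security'; Id = 31001; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Terminal Server Client\Servers (one subkey per RDP target, UsernameHint = account used) and
# MountPoints2 (remote shares stored as ##server#share). Key last-write times are not exposed
# by the registry provider; use an offline hive parser when you need them.
function Get-RemoteAccessRegistry {
    $servers = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'
    if (Test-Path $servers) {
        Get-ChildItem $servers | ForEach-Object {
            [pscustomobject]@{ Artifact = 'TSC\Servers'; Target = $_.PSChildName
                               Account = (Get-ItemProperty $_.PSPath).UsernameHint }
        }
    }
    $mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (Test-Path $mp2) {
        Get-ChildItem $mp2 | Where-Object { $_.PSChildName -like '##*' } | ForEach-Object {
            [pscustomobject]@{ Artifact = 'MountPoints2'; Target = $_.PSChildName.Replace('#', '\'); Account = $null }
        }
    }
}

# Prefetch for the client-side binaries: CreationTime ~ first run, LastWriteTime ~ last run.
# Prefetch is often disabled on server SKUs, so an empty result is not proof of non-execution.
function Get-RemoteAccessPrefetch {
    Get-ChildItem 'C:\Windows\Prefetch' -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(MSTSC|NET|NET1)\.EXE-' } |
        Select-Object Name, CreationTime, LastWriteTime
}

Get-ExplicitCredentialLogons | Format-Table -AutoSize
Get-RdpClientDestinations    | Format-Table -AutoSize
Get-SmbClientFailures        | Format-List
Get-RemoteAccessRegistry     | Format-Table -AutoSize
Get-RemoteAccessPrefetch     | Format-Table -AutoSize
```

The 4648 Process column is what ties the two cards together: mstsc.exe with a TargetServerName points at RDP, net.exe at a mapped share, and the same TargetUserName across both is the credential the attacker was reusing.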
(Map Network Shares) - Which event log would you investigate further on the victim computer?
1.) Security.evtx
a) 4624 - Logon Type 3 (network logon) with the source IP and account
b) 4672 - special privileges assigned at logon (administrative-level account)
c) 4776 - NTLM credential validation (logged where the account is validated: on the victim for local accounts, on the domain controller for domain accounts)
d) 4768 - Kerberos TGT requested (logged on the domain controller)
e) 4769 - Kerberos service ticket requested (logged on the domain controller)
f) 5140 - network share object accessed (share name and source IP; requires the "Audit File Share" subcategory)
g) 5145 - network share object checked for access (share, relative target name and access mask; requires "Audit Detailed File Share")
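Added example, not part of the original flashcards: PowerShell that pulls the share-access events above from the victim's Security log, decodes the 5145 access mask into file rights, and marks which network logons also raised 4672 by correlating on the logon ID (a step the card list does not spell out). The time window and function names are assumptions for the demo.

```powershell
# Added example, not from the original flashcards: destination-host triage for share access.
# Run in an elevated PowerShell on the host whose shares were reached; $Since is an assumed
# triage window. 5140/5145 are only written when "Audit File Share" / "Audit Detailed File
# Share" are enabled (not the default); 4768/4769 live on the domain controller, so they are
# not queried here.
$Since = (Get-Date).AddDays(-7)

function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Decode the hex AccessMask of a 5140/5145 into the standard ACCESS_MASK / file rights it sets.
function Get-AccessRights {
    param([string]$Mask)
    if (-not $Mask) { return '' }
    $value  = [Convert]::ToInt64(($Mask -replace '^0x', ''), 16)
    $rights = [ordered]@{
        0x1      = 'ReadData/ListDirectory'; 0x2     = 'WriteData/AddFile'; 0x4     = 'AppendData/AddSubdirectory'
        0x20     = 'Execute/Traverse';       0x40    = 'DeleteChild';       0x10000 = 'DELETE'
        0x20000  = 'READ_CONTROL';           0x40000 = 'WRITE_DAC';         0x80000 = 'WRITE_OWNER'
        0x100000 = 'SYNCHRONIZE'
    }
    ($rights.Keys | Where-Object { $value -band $_ } | ForEach-Object { $rights[$_] }) -join ','
}

function Get-ShareAccessEvents {
    # 4672 is high volume; collect its SubjectLogonId values once and use them to flag the
    # 4624 type 3 logons (TargetLogonId) that came in with administrative privileges.
    $privileged = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { $privileged[(Get-EventData $_ 'SubjectLogonId')] = $true }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 5140, 5145; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_
            if ($e.Id -eq 4624) {
                # Type 3 = network logon, which is what SMB produces (RDP is type 10).
                if ((Get-EventData $e 'LogonType') -ne '3') { return }
                $priv = if ($privileged.ContainsKey((Get-EventData $e 'TargetLogonId'))) { ', privileged (4672)' } else { '' }
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4624
                    User   = "$(Get-EventData $e 'TargetDomainName')\$(Get-EventData $e 'TargetUserName')"
                    Source = Get-EventData $e 'IpAddress'; Share = ''; Object = ''
                    Detail = "LogonType 3 via $(Get-EventData $e 'AuthenticationPackageName')$priv" }
            } else {
                # 5140 = share connected; 5145 adds the file/folder (RelativeTargetName) and access mask.
                [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id
                    User   = "$(Get-EventData $e 'SubjectDomainName')\$(Get-EventData $e 'SubjectUserName')"
                    Source = Get-EventData $e 'IpAddress'
                    Share  = Get-EventData $e 'ShareName'
                    Object = Get-EventData $e 'RelativeTargetName'
                    Detail = Get-AccessRights (Get-EventData $e 'AccessMask') }
            }
        }
}

$events = Get-ShareAccessEvents
$events | Sort-Object Time | Format-Table -AutoSize

# Administrative shares (\\*\ADMIN$, \\*\C$, \\*\IPC$) reached from another host are the classic
# lateral-movement pattern; summarise who hit them from where.
$events | Where-Object { $_.Share -match '\$$' } |
    Group-Object Source, User | Select-Object Count, Name | Sort-Object Count -Descending
```

A 5145 against \\*\ADMIN$ whose Detail includes WriteData/AddFile is the write that the file-creation card below is looking for; the Object column names the dropped file, and the matching privileged 4624 from the same Source gives the account used.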
(Map Network Shares) - Which registry artifacts would you investigate further on the victim computer?
None. There would be no evidence of network share access in the registry
(Map Network Shares) - Which file system artifacts would you investigate further on the victim computer?
1.) File creations (the attacker's files, e.g. malware, written to the share)