Lateral Movement - Remote Access Flashcards

Determine artifacts of lateral movement

1
Q

In which three domains would you look for evidence of remote access using Remote Desktop?

A
1.) Event Logs
2.) Registry
3.) File System
2
Q

(RDP) - Which two event logs would you investigate further on the attacker computer?

A

1.) Security.evtx - 4648 will show a logon specifying alternate credentials
2.) RDPClientOperational.evtx - 1024 will show the destination host name; 1102 will show the destination IP address

3
Q

(RDP) - Which six registry artifacts would you investigate further on the attacker computer?

A
1.) NTUSER\Software\Microsoft\Terminal Server Client\Servers
2.) SYSTEM mstsc.exe (shimcache)
3.) SYSTEM BAM/DAM mstsc.exe
4.) AmCache.hve mstsc.exe
5.) NTUSER.dat UserAssist mstsc.exe
6.) NTUSER.dat RecentApps mstsc.exe
4
Q

(RDP) - Which three file system artefacts would you investigate further on the attacker computer?

A
1.) Jumplists
2.) Prefetch
3.) Bitmap cache
5
Q

(RDP) - Which four event logs would you investigate further on the victim computer?

A
1.) Security.evtx - 4624 (Logon type 10) will show source IP / logon user name; 4778/4779 will show source IP / logon user name
2.) RDPCoreTSOperational.evtx - 131 connection attempts; 98 successful connections
3.) RemoteConnectionManagerOperational.evtx - 1149 will show source IP / logon user name
4.) LocalSessionManagerOperational.evtx - 21, 22, 25 will show source IP / logon user name
6
Q

(RDP) - Which two registry artefacts would you investigate further on the victim computer?

A
1.) SYSTEM rdpclip.exe (shimcache)
2.) AmCache.hve rdpclip.exe, tstheme.exe

7
Q

(RDP) - Which one file system artefact would you investigate further on the victim computer?

A

1.) Prefetch (C:\Windows\Prefetch\ entries for rdpclip.exe or tstheme.exe)

8
Q

(Map Network Shares) - Which two event logs would you investigate further on the attacker computer?

A
1.) Security.evtx - 4648
2.) SmbClientSecurity.evtx - 31001 failed logon to destination

9
Q

(Map Network Shares) - Which five registry artefacts would you investigate further on the attacker computer?

A
1.) MountPoints2 (Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2)
2.) Shellbags (USRCLASS.DAT) - remote folders accessed by the attacker inside an interactive session via Explorer
3.) Shimcache - SYSTEM net.exe, net1.exe
4.) BAM / DAM - NTUSER.DAT net.exe, net1.exe
5.) AmCache.hve net.exe, net1.exe
10
Q

(Map Network Shares) - Which two file system artefacts would you investigate further on the attacker computer?

A
1.) Prefetch (C:\Windows\Prefetch\ entries for net.exe, net1.exe)
2.) User Profile Artefacts (shortcut files, jump lists)

11
Q

(Map Network Shares) - Which event log would you investigate further on the victim computer?

A
1.) Security.evtx
    a) 4624
    b) 4672
    c) 4776
    d) 4768
    e) 4769
    f) 5140
    g) 5145
12
Q

(Map Network Shares) - Which registry artefacts would you investigate further on the victim computer?

A

None. There would be no evidence of network share access in the registry.

13
Q

(Map Network Shares) - Which file system artefacts would you investigate further on the victim computer?

A

1.) File creations (the attacker's files, e.g. malware)
