Lateral Movement - Remote Execution Flashcards

Learn where to look for remote execution

1
Q

(PsExec) Which event logs would you investigate further on an attacker computer?

A

1.) Security.evtx 4648

2
Q

(PsExec) Which registry hive and artefacts would you investigate further on the attacker computer?

A
1.) NTUSER.dat (Software\SysInternals\PsExec\EulaAccepted)
2.) Shimcache - SYSTEM psexec.exe
3.) BAM/DAM - SYSTEM psexec.exe
4.) AmCache.hve - psexec.exe
3
Q

(PsExec) Which file system artefacts would you investigate further on the attacker computer?

A

1.) Prefetch - C:\Windows\Prefetch\psexec.exe

4
Q

(PsExec) Which event logs would you investigate further on the victim computer?

A
1.) Security.evtx 4624 (Logon type 3), 4672, 5140
2.) System.evtx 7045

5
Q

(PsExec) Which registry artefacts would you investigate further on the victim computer?

A
1.) SYSTEM\CurrentControlSet\Services\PSEXESVC
2.) ShimCache - SYSTEM psexesvc.exe
3.) AmCache.hve - psexesvc.exe
6
Q

(PsExec) Which file system artefacts would you investigate further on the victim computer?

A

1.) Prefetch - C:\Windows\Prefetch\psexesvc.exe

7
Q

(Scheduled Tasks at.exe) Which event logs would you investigate further on the attacker computer?

A

1.) Security.evtx - 4648

8
Q

(Scheduled Tasks at.exe) Which registry artefacts would you investigate further on the attacker computer?

A
1.) ShimCache SYSTEM at.exe / schtasks.exe
2.) BAM/DAM SYSTEM at.exe / schtasks.exe
3.) AmCache.hve at.exe / schtasks.exe
9
Q

(Scheduled Tasks at.exe) Which file system artefacts would you investigate further on the attacker computer?

A

1.) Prefetch - C:\Windows\Prefetch\ at.exe, schtasks.exe

10
Q

(Scheduled Tasks at.exe) Which event logs would you investigate further on the victim computer?

A
1.) Security.evtx 4624 (logon type 3), 4672, 4698, 4702, 4699, 4700
2.) MicrosoftWindowsTaskSchedulerMaintenance.evtx 106, 140, 141, 200
11
Q

(Scheduled Tasks at.exe) Which registry artefacts would you investigate further on the victim computer?

A

1.) Software - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
2.) Shimcache SYSTEM evil.exe
3.) AmCache.hve evil.exe

12
Q

(Scheduled Tasks at.exe) Which file system artefacts would you investigate further on the victim computer?

A
1.) File Creation
2.) Job Files created C:\Windows\Tasks
3.) Prefetch C:\Windows\Prefetch\evil.exe
13
Q

(Services sc.exe) Which event logs would you investigate further on the attacker computer?

A

None

14
Q

(Services sc.exe) Which registry artefacts would you investigate further on the attacker computer?

A
1.) ShimCache SYSTEM sc.exe
2.) BAM/DAM SYSTEM sc.exe
3.) AmCache.hve sc.exe
15
Q

(Services sc.exe) Which file system artefacts would you investigate further on the attacker computer?

A

1.) Prefetch - C:\Windows\Prefetch\sc.exe

16
Q

(Services sc.exe) Which event logs would you investigate further on the victim computer?

A
1.) Security.evtx 4624 (Logon type 3), 4697
2.) System.evtx 7034, 7035, 7036, 7040, 7045

17
Q

(Services sc.exe) Which registry artefacts would you investigate further on the victim computer?

A
1.) SYSTEM\CurrentControlSet\Services\
2.) ShimCache SYSTEM evil.exe
3.) AmCache.hve evil.exe
18
Q

(Services sc.exe) Which file system artefacts would you investigate further on the victim computer?

A
1.) File creation of evil.exe or evil.dll
2.) Prefetch - C:\Windows\Prefetch

19
Q

(WMI/WMIC) Which event logs would you investigate further on the attacker computer?

A

1.) Security.evtx 4648

20
Q

(WMI/WMIC) Which registry artefacts would you investigate further on the attacker computer?

A
1.) Shimcache SYSTEM wmic.exe
2.) BAM/DAM SYSTEM wmic.exe
3.) AmCache.hve wmic.exe
21
Q

(WMI/WMIC) Which file system artefacts would you investigate further on the attacker computer?

A

1.) Prefetch C:\Windows\Prefetch\wmic.exe

22
Q

(WMI/WMIC) Which event logs would you investigate further on the victim computer?

A
1.) Security.evtx 4624, 4672
2.) WMIActivityOperational.evtx 5857, 5860, 5861

23
Q

(WMI/WMIC) Which registry artefacts would you investigate further on the victim computer?

A
1.) Shimcache SYSTEM wmiprvse.exe, evil.exe
2.) AmCache.hve wmiprvse.exe, evil.exe, mofcomp.exe

24
Q

(WMI/WMIC) Which file system artefacts would you investigate further on the victim computer?

A
1.) File Creation evil.exe, evil.mof
2.) Prefetch C:\Windows\Prefetch\ evil.exe, wmiprvse.exe, mofcomp.exe
3.) Unauthorised changes to the WMI repository C:\Windows\System32\wbem\Repository
25
Q

(PowerShell Remoting) Which event logs would you investigate further on the attacker computer?

A
1.) Security.evtx 4648
2.) WinRMOperational.evtx
3.) PowershellOperational.evtx
26
Q

(PowerShell Remoting) Which registry artefacts would you investigate further on the attacker computer?

A
1.) Shimcache SYSTEM powershell.exe
2.) BAM/DAM SYSTEM
3.) AmCache.hve powershell.exe
27
Q

(PowerShell Remoting) Which file system artefacts would you investigate further on the attacker computer?

A
1.) Prefetch C:\Windows\Prefetch\ powershell.exe
2.) Command History: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_History.txt

28
Q

(PowerShell Remoting) Which event logs would you investigate further on the victim computer?

A
1.) Security.evtx 4624 (logon type 3)
2.) PowershellOperational.evtx
3.) Windows Powershell.evtx
4.) WinRMOperational.evtx
29
Q

(PowerShell Remoting) Which registry artefacts would you investigate further on the victim computer?

A
1.) ShimCache SYSTEM wsmprovhost.exe, evil.exe
2.) SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy
3.) AmCache.hve wsmprovhost.exe, evil.exe
30
Q

(PowerShell Remoting) Which file system artefacts would you investigate further on the victim computer?

A
1.) File creation evil.exe
2.) Prefetch C:\Windows\Prefetch\ evil.exe, wsmprovhost.exe