Session 3 Resources

3 Mar 2021

Thanks Kris for a great session today!

Kris used quite a few queries which are listed below for you to test out and use on your network:

RDP Status- https://community.sophos.com/intercept-x-endpoint/i/device/simple-query-to-audit-microsoft-rdp-enablement-status-from-registry
Generic Search- https://community.sophos.com/intercept-x-endpoint/i/anomalies/generic-search
Some MITRE TTPs- https://community.sophos.com/intercept-x-endpoint/i/att-ck/mitre-att-ck-generic-detector-for-some-ttps
Sysinternals Installed- https://community.sophos.com/intercept-x-endpoint/i/processes/live-discover-query---sysinternals
New Admin Accounts- https://community.sophos.com/intercept-x-endpoint/i/user/live-discovery-query-identify-new-admin-accounts

And he also referenced using CTF events or other online resources to learn attacker tactics, so that you can better defend against those attacks in your environments. Here's a few sites that he personally recommends:

Windows 10 Privilege Escalation- https://tryhackme.com/room/windows10privesc
Linux Privilege Escalation- https://tryhackme.com/room/linuxprivesc
Brute Forcing- https://academy.hackthebox.eu/course/preview/login-brute-forcing
Hashcat- https://academy.hackthebox.eu/course/preview/cracking-passwords-with-hashcat
Hack The Box- https://www.hackthebox.eu/
VulnHub - https://www.vulnhub.com/

I hope those are all useful to you - let me know in the comments if you have anything else that others might benefit from!

Great seeing all of you on the sessions this week - see you Tuesday for session 4.

Parents

Mark Shorts1 over 3 years ago

Hello, I am looking for the Logon Events Across Estate Query?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Justin Weis over 3 years ago in reply to Mark Shorts1

I copied it from the screen when they showed it. When I run it the Where event IN (4672, 4624,4625) only shows events for 4624, when I remove 4672 and 4624 and leave only 4625, my 4625 results are shown.. Not sure why the loop does not run all the way through.

SELECT DISTINCT
eventid,
datetime(time, 'unixepoch') Date_Time,
Count(task_message) Logon_Count,
JSON_EXTRACT(swe.data, '$.EventData.LogonType') LogonType,
JSON_EXTRACT(swe.data, '$.EventData.IpAddress') IP_Address,
JSON_EXTRACT(swe.data, '$.EventData.TargetUserName') TargetUserName,
data
FROM sophos_windows_events swe
WHERE eventID IN (4625) AND time > strftime('%s','NOW','-90 DAYS') AND TargetUserName LIKE '%$$UserName$$%'
Group BY LogonType;
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Comment

Justin Weis over 3 years ago in reply to Mark Shorts1

I copied it from the screen when they showed it. When I run it the Where event IN (4672, 4624,4625) only shows events for 4624, when I remove 4672 and 4624 and leave only 4625, my 4625 results are shown.. Not sure why the loop does not run all the way through.

SELECT DISTINCT
eventid,
datetime(time, 'unixepoch') Date_Time,
Count(task_message) Logon_Count,
JSON_EXTRACT(swe.data, '$.EventData.LogonType') LogonType,
JSON_EXTRACT(swe.data, '$.EventData.IpAddress') IP_Address,
JSON_EXTRACT(swe.data, '$.EventData.TargetUserName') TargetUserName,
data
FROM sophos_windows_events swe
WHERE eventID IN (4625) AND time > strftime('%s','NOW','-90 DAYS') AND TargetUserName LIKE '%$$UserName$$%'
Group BY LogonType;
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Children

No Data