During the post-exploitation form, attackers ofttimes use tools such as PowerShell and Mimikatz on compromised machines in prescribe to turn a large accomplishment on the victim’s organisation and mesh, and open continual right.
Attackers give want to learn radical grouping entropy for the organization they are on, what somebody circumstance they are spouting low, processes that are flying, services on the scheme, and other fabric principle to read near the machine and capabilities they
Windows PowerShell is a task automation and design direction support from Microsoft, consisting of a command-line take and associated scripting module stacked on the .NET Frame. PowerShell is a real ruling scripting communication included with Windows 7 and after versions of Windows. Some IT organizations use PowerShell to automate and deepen Windows direction tasks. PowerShell can be used to download files from the Internet, to locomote files between systems, institute cloth listeners for tunneling, distil event log accumulation from distant machines, and far solon tasks expedient for administrators, attackers, and defenders.
PowerShell is typically whitelisted and its spiteful scripts are ofttimes not caught by anti-virus software. The characteristics of PowerShell countenance the succeeding:
PowerShell can run from retention (no poverty to compose file to plow)
PowerShell can run on device machine (if aggressor knows the credentials of aim organization)
PowerShell scripts can be obfuscated by fragmentation and encoding with base64 to avoid detection, and these scripts are interpreted by PowerShell.
PowerShell policies on machines to not run unsigned scripts can be bypassed by multiple commands such as -ExecutionPolicy Avoid or by piping commands together in bound sequences.
Unless PowerShell overlook auditing is explicitly enabled on a group, there is no shadow of the types of scripts or different actions that are expropriated by an assailant using PowerShell to aid investigative efforts.
Metasploit is a joint onset investigation software agency. One of the features of Metasploit is its slave armament for spot victimization activities. Meterpreter has been matured within Metasploit for making the station exercise activities faster and easier. Meterpreter is an innovative multi-function load that can be victimised to leverage the Metasploit capabilities dynamically at run clip in a remote grouping where the attackers don’t tally their crime tools there. Meterpreter is a explosive within the Metasploit Support that provides check over an used spot legion. Meterpreter resides completely in the retention of the used army and leaves no traces on the horny propulsion, making it really awkward. Mimikatz is a post-exploitation slave that was typewritten by Benjamin Delpy. Mimikatz is one of the tools to collecting credential information from Windows systems. Mimikatz It’s now easily noted to choose plaintext parole, hash, PIN write, and kerberos tickets from retention. Mimikatz supports 32-bit and 64-bit Windows architectures. Mimikatz can be compiled as a standalone possible, or can be run as a power wrong PowerShell.
Some of the initial commands that are often run by an attacker who gains access to a machine are built-in operating system tools that are used for system administration, and are not unique to malicious activity:
whoami: show the user account and domain information as applicable.
ipconfig: show the network configuration, gateway, DHCP, and DNS server information.
netstat –anop: show all active, listening, and closed network connections.
quser: list the users who are logged on to system.
tasklist: list all the running processes.
schtasks: show all the tasks set to run on the system at certain intervals.
sc: list all the services set to run on the system.
net start: Start services to run on a system.
powershell.exe command can be used to start a Windows PowerShell session from the Windows command line as shown below.
The example below shows using the native Mimikatz command from the Metasploit meterpreter to extract the passwords hashes from the compromised machine.