Interact with remote machine
Set up connection
Enable Powershell remoting:
PSExec:
Enable PS Remoting using PsExec
Setup logging for IR
Note: If you enter a PSSession, the logging won’t persist, so you will need to enable it on the remote host and pull the file back afterwards. Otherwise refer to PowerShell ♥ the Blue Team mentioned above.
Establish Remote Session
Enter or exit remote session
Issuing remote command/shell
Retrieving/downloading files
Credentials and Exposure
When investigating a compromised asset, it’s important to know what remote triage methods leave your credentials on the infected endpoint, and what ones don’t. Reference can be found on Microsoft Documentation
Connection Method | Logon Type | Reusable credentials on destination | Notes |
---|---|---|---|
Logon via console | Interactive | Y | Includes hardware remote access/network KVM/lights-out cards |
RUNAS | Interactive | Y | Nil |
RUNAS/NETWORK | NewCredentials | Y | Clones LSA session, but uses new creds when connecting to network resources. |
Remote Desktop | RemoteInteractive | Y | Nil |
Remote Desktop Failure | RemoteInteractive | N | Only stored briefly |
Net Use * \SERVER | Network | N | Nil |
Net Use * \ SERVER /user | Network | N | Nil |
MMC snap-ins to remote computer | Network | N | Nil |
PowerShell WinRM | Network | N | e.g. Enter-PSSession SERVER |
PowerShell WinRM with CredSSP | NetworkClearText | Y | e.g. New-PSSession SERVER -Authentication Credssp -Credential PWD |
PsExec without explicit creds | Network | N | e.g. PsExec \SERVER cmd |
PsExec with explicit creds | Network&Interactive | Y | PsExec \SERVER -u USER -p PWD cmd |
Remote Registry | Network | N | Nil |
Remote Desktop Gateway | Network | N | Authenticating to Remote Desktop Gateway |
Scheduled Task | Batch | Y | Also saved as LSA secret on disk |
Tools as Service | Service | Y | Also saved as LSA secret on disk |
Vuln Scanners | Network | N | Most use Network logons; however, those that don’t have the risk of creds on destination. |
IIS “Basic Authentication” | NetworkCleartext | Y | Nil |
IIS “Integrated Windows Authentication” | Network | N | NTLM/Kerberos Providers |
Kerberos Tickets and Exposure
Special thanks to Cert EU for this. When comparing Pass-the-Hash to Pass-the-Ticket attacks, the following key differences apply:
Administrative privileges are required to steal credentials, but NOT to use an obtained Kerberos ticket.
A password change does NOT make Kerberos tickets invalid. By default Kerberos has a max lifetime of 10hrs before the ticket must be renewed, and a max renewal time of 7 days after being granted.
Due to this disabling accounts may not be enough to prevent ongoing compromise, and you may have to purge the users kerberos ticket. Locate the user in question using ‘sessions’ and purge by specifying the user session prior to logging them off.
Last updated