Interact with remote machine

Set up connection

Enable Powershell remoting:

wmic /node:[IP] process call create "powershell enable-psremoting -force"

Powershell:

Enter-PSSession -ComputerName [IP]

PSExec:

PsExec: psexec \\IP -c cmd.exe

Enable PS Remoting using PsExec

psexec.exe \\TARGET -s powershell Enable-PSRemoting -Force;

Setup logging for IR

Note: If you enter a PSSession, the logging won’t persist, so you will need to enable it on the remote host and pull the file back afterwards. Otherwise refer to PowerShell ♥ the Blue Team mentioned above.

Start-Transcript -Path "C:\[location]\investigation-1.log" -NoClobber

Thanks Barnaby Skeggs

Establish Remote Session

$s1 = New-PSsession -ComputerName remotehost -SessionOption (New-PSSessionOption -NoMachineProfile) -ErrorAction Stop

Enter or exit remote session

Enter-PSSession -Session $s1
Exit-PSSEssion

Issuing remote command/shell

Invoke-Command -ScriptBlock {whoami} -Session $s1
Invoke-Command -file file.ps1 -Session $s1

Retrieving/downloading files

Copy-Item -Path "[RemoteHostFilePath]" -Destination "[LocalDestination]" -FromSession $s1

Credentials and Exposure

When investigating a compromised asset, it’s important to know what remote triage methods leave your credentials on the infected endpoint, and what ones don’t. Reference can be found on Microsoft Documentation

Connection MethodLogon TypeReusable credentials on destinationNotes

Logon via console

Interactive

Y

Includes hardware remote access/network KVM/lights-out cards

RUNAS

Interactive

Y

Nil

RUNAS/NETWORK

NewCredentials

Y

Clones LSA session, but uses new creds when connecting to network resources.

Remote Desktop

RemoteInteractive

Y

Nil

Remote Desktop Failure

RemoteInteractive

N

Only stored briefly

Net Use * \SERVER

Network

N

Nil

Net Use * \ SERVER /user

Network

N

Nil

MMC snap-ins to remote computer

Network

N

Nil

PowerShell WinRM

Network

N

e.g. Enter-PSSession SERVER

PowerShell WinRM with CredSSP

NetworkClearText

Y

e.g. New-PSSession SERVER -Authentication Credssp -Credential PWD

PsExec without explicit creds

Network

N

e.g. PsExec \SERVER cmd

PsExec with explicit creds

Network&Interactive

Y

PsExec \SERVER -u USER -p PWD cmd

Remote Registry

Network

N

Nil

Remote Desktop Gateway

Network

N

Authenticating to Remote Desktop Gateway

Scheduled Task

Batch

Y

Also saved as LSA secret on disk

Tools as Service

Service

Y

Also saved as LSA secret on disk

Vuln Scanners

Network

N

Most use Network logons; however, those that don’t have the risk of creds on destination.

IIS “Basic Authentication”

NetworkCleartext

Y

Nil

IIS “Integrated Windows Authentication”

Network

N

NTLM/Kerberos Providers

Kerberos Tickets and Exposure

Special thanks to Cert EU for this. When comparing Pass-the-Hash to Pass-the-Ticket attacks, the following key differences apply:

  • Administrative privileges are required to steal credentials, but NOT to use an obtained Kerberos ticket.

  • A password change does NOT make Kerberos tickets invalid. By default Kerberos has a max lifetime of 10hrs before the ticket must be renewed, and a max renewal time of 7 days after being granted.

Due to this disabling accounts may not be enough to prevent ongoing compromise, and you may have to purge the users kerberos ticket. Locate the user in question using ‘sessions’ and purge by specifying the user session prior to logging them off.

klist.exe sessions
klist purge –li 0x2e079217 
query user
logoff <session id>

Last updated