The Lay of the Land
TryHackMe Room - Red Team Learning Path Update: 2022
When we get our first foothold in a network, the first goal is to get a better view of our environment in terms of architecture, services and the security solutions implemented. Indeed, we want to identify any security solutions and hardening that could be an obstacle to our goal and to our "malicious" activities. Identifying the exact security solutions on a host or network also helps the Red Team stay stealthy and choose the proper tools.
Questions to ask yourself
What is the architecture of the network?
Who are the high-privilege users?
What are the applications and services running or installed on the hosts?
Where are the shares, files and printers on the network?
What host-based security solutions are present on the hosts of the network?
What are the security solutions implemented to defend the network?
Host-based Security Solutions
Antivirus
Once we get our first foothold on a system, we need to know whether any antivirus solution exists on that system.
Here are the different methods AV solutions use to detect threats on a system:
Signature-based detection: The AV solution scans the file to determine whether its signature matches a known virus or threat held in a large database.
Heuristic-based detection: The decision whether the file is a threat is based on machine-learning algorithms that perform static analysis of the file. The algorithm may check for suspicious pieces of code in the file or for calls to unusual Windows APIs.
Behaviour-based detection: The decision is based on the behaviour and abnormal activity observed on the victim system while the file is executing.
On Windows workstations (not Windows Server), we can use these commands to enumerate the AV solutions present on the system.
Windows Defender
On Windows systems, Windows Defender is the AV solution implemented by default. Windows Defender can run in active mode (WD is the standalone AV on the system), in passive mode (WD runs alongside another AV solution on the system), or it can be disabled.
It is possible to check whether Windows Defender is running with the following command:
It is possible to list the threats identified by Microsoft Defender using this command:
Firewalls
Firewalls are network security solutions that allow or deny specific types of traffic over the network. Firewalls can block attackers from gaining access to some parts of the network. Red Teamers should always keep in mind that firewalls are very often implemented and can be an obstacle to conducting some attacks.
Check if the firewall is enabled:
Check the firewall rules:
Being admin on a system, we can disable the firewall:
Sysmon
Sysmon is a Windows monitoring solution and is part of the Microsoft Sysinternals suite. It can monitor activity on a system and trigger alerts based on different criteria. The PowerShell commands below can be used to determine whether Sysmon is installed on a host.
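The checks described in the Antivirus, Windows Defender, Firewalls and Sysmon sections can be gathered into a single host-posture report. The script below is an added example written from an administrator's auditing perspective, not part of the original room notes; it relies only on built-in cmdlets (Defender and NetSecurity modules, Get-Service, CIM), and the function name Get-HostSecurityPosture is an arbitrary choice.

```powershell
# Added example (not from the room): summarise host-based security controls on a Windows host.
# Uses only built-in cmdlets from the Defender and NetSecurity modules plus Get-Service and CIM.
# The function name Get-HostSecurityPosture is an arbitrary choice for this example.
function Get-HostSecurityPosture {
    $report = [ordered]@{}
    $gaps   = @()

    # Registered AV products: root\SecurityCenter2 exists on workstations, not on Windows Server
    $av = @()
    try { $av = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop) } catch {}
    $report.AntivirusProducts = if ($av) { ($av.displayName) -join ', ' } else { 'none registered / namespace unavailable' }
    $thirdPartyAv = @($av | Where-Object { $_.displayName -notlike 'Windows Defender*' }).Count -gt 0

    # Windows Defender: active ("Normal"), passive (second AV present) or not running
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $report.DefenderAntivirusEnabled   = $mp.AntivirusEnabled
        $report.DefenderRealTimeProtection = $mp.RealTimeProtectionEnabled
        $report.DefenderRunningMode        = $mp.AMRunningMode
        $report.DefenderThreatDetections   = @(Get-MpThreatDetection -ErrorAction SilentlyContinue).Count
    } catch {
        $report.DefenderRunningMode = 'Defender cmdlets unavailable'
    }
    if ($report.DefenderRunningMode -ne 'Normal' -and -not $thirdPartyAv) { $gaps += 'no active antivirus found' }

    # Windows Firewall: one enabled flag per profile (Domain, Private, Public)
    foreach ($p in @(Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
        $enabled = ($p.Enabled -eq 'True')
        $report["Firewall_$($p.Name)"] = $enabled
        if (-not $enabled) { $gaps += "firewall profile $($p.Name) disabled" }
    }
    $report.FirewallInboundAllowRules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue).Count

    # Sysmon: service (Sysmon or Sysmon64) and its operational event log
    $svc = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Select-Object -First 1
    $report.SysmonService    = if ($svc) { "$($svc.Name) ($($svc.Status))" } else { 'not installed' }
    $report.SysmonLogPresent = [bool](Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue)
    if (-not $svc) { $gaps += 'Sysmon not installed' }

    $report.Gaps = if ($gaps) { $gaps -join '; ' } else { 'none' }
    [pscustomobject]$report
}

Get-HostSecurityPosture | Format-List
```

Run it from an elevated PowerShell session so the Defender and firewall cmdlets can read their state; the Gaps field lists the controls a defender would want to enable first.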
Other host-based security solutions
In a Red Team engagement, we are also likely to encounter other monitoring and prevention tools on the targeted systems. For example, HIDS/HIPS (Host-based Intrusion Detection/Prevention Systems) and EDR (Endpoint Detection and Response) systems are common. Very briefly, these systems record malicious activity on a host and keep track of it in a database for further analysis. Depending on the product, host-based security solutions can help defend the systems against different types of malware and trigger alerts when certain types of activity are detected.
Network based security solutions
Firewalls
IDS/IPS
SIEM
Among the network security solutions that Red Teamers are most likely to encounter are network firewalls, IDS/IPS and SIEM. While firewalls block inbound and outbound traffic based on rules and criteria, a SIEM (Security Information and Event Management) can log, monitor and analyze data related to activity on the network in real time. The most sophisticated SIEMs can leverage AI to find patterns of malicious activity and new threats.
Moreover, some organizations might have implemented an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System). Again, these technologies defend the network by aggregating data on the behaviours and signatures found in different network activities, sniffing packets as they transit the network. Both technologies compare the gathered data against a pre-loaded database of known threats and their signatures.
Applications and Services
It is always useful to list all software installed on a host. The wmic command can help us do that.
In addition to listing software, it is imperative to be able to list services and running processes to get a better overview of what the system can offer. To list processes on a host, we can use the net command.