Windows Confidential The Known DLLs Balancing Act
A place to share links and articles that I have found helpful. This blog tends to be more offensive security minded. Basically it is a collection of notes that I will update periodically. None of this is set in stone, and I could very well be wrong on most of it. Just saying.
Splunk Notes
The bucket command slices the Splunk timeline of events into discrete buckets of time of a size chosen by the user. The search syntax below buckets a Splunk timeline into discrete five-minute chunks, regardless of the length of the timeline:
bucket _time span=5min
The second method is provided by the Splunk search command "stats." The stats command does many things, but one of the things it does best is grouping the values of one field by the values of another. The following search syntax will list every distinct DNS query made by each host in the Splunk timeline, regardless of the length of the timeline:
stats values(dns_query) by source_host
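To make the two searches concrete, here is an added example (not from this blog) that reproduces both behaviours in plain Python over a handful of constructed DNS log lines: bucket_time floors a timestamp to its five-minute span like bucket _time span=5min, and values_by_host collects the distinct dns_query values per source_host like stats values(dns_query) by source_host. The event format, host names and domains are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "timestamp source_host dns_query"
SAMPLE_EVENTS = """\
2024-01-01T10:01:12 ws01 login.example.com
2024-01-01T10:03:40 ws01 updates.example.net
2024-01-01T10:04:59 ws02 login.example.com
2024-01-01T10:05:00 ws02 cdn.example.org
2024-01-01T10:12:30 ws01 login.example.com
2024-01-01T10:13:05 ws03 a1b2c3d4.example-dyn.xyz
"""

SPAN = timedelta(minutes=5)  # same span as `bucket _time span=5min`


def parse_events(text):
    """Parse the constructed lines into (datetime, source_host, dns_query) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, query = line.split()
            events.append((datetime.fromisoformat(ts), host, query))
    return events


def bucket_time(ts, span=SPAN):
    """Floor a timestamp to the start of its span (what `bucket _time span=5min` does)."""
    since_epoch = ts - datetime(1970, 1, 1)
    return ts - (since_epoch % span)


def values_by_host(events):
    """Distinct queries per host, sorted (what `stats values(dns_query) by source_host` does)."""
    grouped = defaultdict(set)
    for _, host, query in events:
        grouped[host].add(query)
    return {host: sorted(queries) for host, queries in grouped.items()}


def values_by_bucket_and_host(events, span=SPAN):
    """Both commands chained: distinct queries per (5-minute bucket start, source_host)."""
    grouped = defaultdict(set)
    for ts, host, query in events:
        grouped[(bucket_time(ts, span).isoformat(), host)].add(query)
    return {key: sorted(queries) for key, queries in sorted(grouped.items())}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, queries in values_by_host(evs).items():
        print(host, queries)
    for (start, host), queries in values_by_bucket_and_host(evs).items():
        print(start, host, queries)
```

Note the 10:04:59 and 10:05:00 events fall into different buckets, which is exactly the boundary behaviour to keep in mind when reading a span-bucketed timeline.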
Koadic
Choose your stager.
regsrvr and mshta seem to work well.
After you have a zombie, run the other toys:
implant/elevate/bypassuac_
set payload to 0 on this
Once you have an admin session you can dump the hashes:
implant/gather/hashdump_sam
You can scan the internal network:
implant/scan/tcp
Mimikatz works well for me, as long as you have an admin session. You can tell that by running zombies by itself. Under the ID column, if it has an asterisk (*) that means admin session.
Binary files are stored here: /pentest/post-exploitation/koadic/data/bin
Note: I installed my version through the PTF tool by Dave K.