For example the system utilities within the Sysinternals suite. To collect detailed information, there is more advanced tooling available. The Windows task manager for example, provides us basic information about all the processes running within the system, but what if we need more detailed information like the object handles, network connections or loaded modules within a particular process? Although most of these tools would fit the purpose of basic system administration, some lack the functionality we need for more advanced troubleshooting and monitoring. The Windows Operating System is equipped with many out-of-the-box utilities to administer the system. We can then learn how these utilities collect such information, so that we can subsequently leverage these techniques in our red teaming tools. We will first explore which utilities are available for harvesting process information from a Windows computer. The tools (including source) can be found here: To be able to collect detailed process data from compromised end-points we wrote a collection of process tools which brings the power of these advanced process utilities to C2 frameworks (such as Cobalt Strike). Moreover, periodically polling process data allows us to react on changes within the environment or provide triggers when an investigation is taking place. Collecting and analysing data of running processes from compromised systems gives us a wealth of information and helps us to better understand how the IT landscape from a target organisation is setup. Having a good technical understanding of the systems we land on during an engagement is a key condition for deciding what is going to be the next step within an operation. In this blog post we are going to explore the power of well-known process monitoring utilities and demonstrate how the technology behind these tools can be used by Red Teams within offensive operations.
0 Comments
Leave a Reply. |