12/13/2023 0 Comments Sysinternals memory monitor![]() Now we have looked at some interesting process information we can gather using Process Explorer, you might wonder how we can get access to the same information available from user-mode within our favourite C2 frameworks. An incoming PowerShell remoting session or RDP session might indicate that an investigation is started. From an offensive perspective this can be useful to detect when connections are made from a system under our control. This will show all the network connection related to the process. As a Red Team operator with a long background in network and system administration I have always been a big fan of the Sysinternals tools.Īnother interesting tab in Process Explorer is the TCP/IP tab. For example the system utilities within the Sysinternals suite. To collect detailed information, there is more advanced tooling available. The Windows task manager for example, provides us basic information about all the processes running within the system, but what if we need more detailed information like the object handles, network connections or loaded modules within a particular process? Although most of these tools would fit the purpose of basic system administration, some lack the functionality we need for more advanced troubleshooting and monitoring. The Windows Operating System is equipped with many out-of-the-box utilities to administer the system. We can then learn how these utilities collect such information, so that we can subsequently leverage these techniques in our red teaming tools. We will first explore which utilities are available for harvesting process information from a Windows computer. The tools (including source) can be found here: To be able to collect detailed process data from compromised end-points we wrote a collection of process tools which brings the power of these advanced process utilities to C2 frameworks (such as Cobalt Strike). Moreover, periodically polling process data allows us to react on changes within the environment or provide triggers when an investigation is taking place. Collecting and analysing data of running processes from compromised systems gives us a wealth of information and helps us to better understand how the IT landscape from a target organisation is setup. Having a good technical understanding of the systems we land on during an engagement is a key condition for deciding what is going to be the next step within an operation. In this blog post we are going to explore the power of well-known process monitoring utilities and demonstrate how the technology behind these tools can be used by Red Teams within offensive operations.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |