GLITCH
  • Who Am I ?
  • WRITEUPS
    • CyberDefenders Labs
      • PhishStrike Write-up
      • OpenWire Write-up
      • BlueSky Ransomware Write-up
      • PsExec Hunt Write-up
      • Red Stealer Write-up
      • Amadey Write-up
      • GrabThePhisher Write-up
      • BlackEnergy Write-up
  • SUMMARIEs
    • Phishing
    • Kerberos_AD
    • Bug Hunting
    • MITRE
  • OSEP
  • GLITCH HUB
    • Books
    • Courses
      • Youtube
    • Githubs
    • Tools
    • Bookmarks
  • Projects
    • Youtube Downloader
  • Malware Analysis
    • SOON!
Powered by GitBook
On this page
  • Scenario:
  • Tools:
  • Questions:
  • 1. In order to effectively trace the attacker’s activities within our network, can you determine the IP address of the machine where the attacker initially gained access?
  • 2. To fully comprehend the extent of the breach, can you determine the machine’s hostname to which the attacker first pivoted?
  • 3. After identifying the initial entry point, it’s crucial to understand how far the attacker has moved laterally within our network. Knowing the username of the account the attacker used for authentication will give us insights into the extent of the breach. What is the username utilized by the attacker for authentication?
  • 4. After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What’s the name of the service executable the attacker set up on the target?
  • 5. We need to know how the attacker installed the service on the compromised machine to understand the attacker’s lateral movement tactics. This can help identify other affected systems. Which network share was used by PsExec to install the service on the target machine?
  • 6. We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?
  • 7. Now that we have a clearer picture of the attacker’s activities on the compromised machine, it’s important to identify any further lateral movement. What is the machine’s hostname to which the attacker attempted to pivot within our network?
  • You Can Find me Here!
  1. WRITEUPS
  2. CyberDefenders Labs

PsExec Hunt Write-up

PreviousBlueSky Ransomware Write-upNextRed Stealer Write-up

Last updated 6 months ago

Scenario:

Our Intrusion Detection System (IDS) has raised an alert, indicating suspicious lateral movement activity involving the use of PsExec. To effectively respond to this incident, your role as a SOC Analyst is to analyze the captured network traffic stored in a PCAP file.

Tools:

  • Wireshark

Link: (pass: )

Medium:

Questions:

1. In order to effectively trace the attacker’s activities within our network, can you determine the IP address of the machine where the attacker initially gained access?

Answer: 10.0.0.130

2. To fully comprehend the extent of the breach, can you determine the machine’s hostname to which the attacker first pivoted?

Answer: sales-pc

3. After identifying the initial entry point, it’s crucial to understand how far the attacker has moved laterally within our network. Knowing the username of the account the attacker used for authentication will give us insights into the extent of the breach. What is the username utilized by the attacker for authentication?

Answer: ssales

4. After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What’s the name of the service executable the attacker set up on the target?

Answer: PSEXESVC.exe

5. We need to know how the attacker installed the service on the compromised machine to understand the attacker’s lateral movement tactics. This can help identify other affected systems. Which network share was used by PsExec to install the service on the target machine?

Answer: ADMIN$

6. We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?

Answer: IPC$

7. Now that we have a clearer picture of the attacker’s activities on the compromised machine, it’s important to identify any further lateral movement. What is the machine’s hostname to which the attacker attempted to pivot within our network?

Answer: Marketing-PC

You Can Find me Here!

Blog:

Linkedin:

Facebook:

Tryhackme:

https://g1it0h.gitbook.io/glitch/
https://www.linkedin.com/in/glitchgc/
https://www.facebook.com/GLITC.GC/
https://tryhackme.com/p/GLITCH1GC
https://cyberdefenders.org/blueteam-ctf-challenges/psexec-hunt/
cyberdefenders.org
https://medium.com/@GLITCHGC/psexec-hunt-write-up-985e9418950c