PSExec Hunt Lab Cyberdefenders
FULL TRANSCRIPT
Hello everyone. Today we will do a quick lab by CyberDefenders called the PsExec Hunt lab. I already did it, but let's do it together. Let's start by reading the scenario.

The scenario says: an alert from the intrusion detection system flagged suspicious lateral movement activity involving PsExec. This indicates potential unauthorized access and movement across the network. As the SOC analyst, your task is to investigate the provided pcap file to trace the attack activities, identify the entry point, the machines targeted, the extent of the breach, and critical indicators that reveal the tactics and objectives within the compromised environment. So here we have seven questions; let's start by answering them all.

Of course, after you download the files (here we have the password), you will have the pcap file. Just for your understanding, for those who don't know, PsExec is basically a command-line tool that allows users to run programs on remote systems. This can be used by you, and at the same time it can also be abused by attackers if they were successful in compromising you. So let's start.

Question number one says: to effectively trace the attack activities within our network, can you identify the IP address of the machine from which the attacker initially gained access? Here we have the pcap file, so let's have a look at Statistics > Conversations > IPv4. As you can see, this IP is a bit suspicious because the number of packets here is huge: 8,284. So this might be the IP address. To double check, for those who don't know, PsExec uses the SMB protocol for lateral movement, so if you search for smb2 and look at Statistics > Conversations > IPv4, you can indeed see that the source IP is actually 10.0.0.130, and it's trying to access .131 and .133. So indeed the initial compromise was started by this IP address, 10.0.0.130. Here it is: 130.

Question number two: to fully understand the extent of the breach, can you determine the hostname of the machine to which the attacker first pivoted? Coming back to our packet capture, filter on smb2. As you can see here, we have 130 sending a Negotiate Protocol Request, Negotiate Protocol Response, Session Setup with NTLM negotiate, status "more processing required". So we can assume that it first started to compromise this machine, 10.0.0.133. There will be a Session Setup Request, and then it's authenticated using the user ssales. We can follow the TCP stream. What was the question asking? The hostname. We can easily draw the hostname from here: the hostname is indeed Sales-PC. Sorry, this one: Sales-PC is the hostname of the machine that was initially compromised. So yes, the answer is indeed Sales-PC.

Question number three: knowing the username of the account the attacker used for authentication will give us insights into the extent of the breach. What's the username utilized by the attacker for the authentication? As we have seen, the username that has been used to compromise this host, or used for authentication, is ssales, this one. This is the username that has been utilized. We can check here: host Sales-PC, account ssales. So yes, this is the username, ssales. Indeed, ssales.

Question number four: after figuring out how the attackers moved within our network, we need to know what they did on the target machine. What's the name of the service executable the attacker set up on the target? As you can see, there is the inter-process communication share, and then he got admin access, and then, as you can see, he created a Tree Connect, then a Create Request for the file PSEXESVC.exe, and got a response, successfully. So we can assume that the file he tried to upload or set up is PSEXESVC.exe. We can also double check by going to File > Export Objects > SMB, and as you can see here, the file name is PSEXESVC.exe. So yes, this is the answer; PSEXESVC.exe is indeed the answer. Correct.

Question number five: we need to know how the attacker installed the service on the compromised machine to understand the attacker's lateral movement tactics; this can help identify all affected systems. Which network share was used by PsExec to install the service on the target machine? Normally, to install services you need some kind of admin access, right? If we look at this file, if you click here on PSEXESVC.exe and look down here, we can see at the Tree ID we have \\10.0.0.133\ADMIN$. This is the network share that has been used by the user, ADMIN$ (admin dollar sign), and it's actually here, this one. This is the network share that was utilized by the attacker. So yes, it's ADMIN$.

Question number six says we must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication? Of course, this is the inter-process communication share, IPC$. You can check this by going down; we have it here already, IPC$. But also, to double check, we can look for the stdin pipe. Go down, down, down, maybe this one. Yes, this one, stdin. If you look at the Tree ID here, we can see that the inter-process communication share is set. So this is the network share that was used for communication.

Question number seven says: now that we have a clearer picture of the attack activities on the compromised machine, it's important to identify any further lateral movement. What's the hostname of the second machine the attacker targeted and pivoted to within our network? As we pointed out in the first part, when you look at the Conversations we have here two IP addresses: the first one, which was the initial compromise, was this IP address, and the second one is actually this one, .131. But to double check, let's apply this as a filter and select it. So we can have it here, this one, 130 to 131. Let's follow the TCP stream to know what the hostname is. As you can see here, the hostname is Marketing-PC. Yes, Marketing-PC; this is the name of the second machine that was compromised or, you know, underwent lateral movement. So this is the name of the second machine.

So yes, I hope you enjoyed this lab. It was a quick lab and informative. See you in the next one.
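The indicators walked through above (SMB session setup with the user and target hostname, a Tree Connect to ADMIN$ followed by a write of the service executable, then PSEXESVC named pipes over IPC$) can be turned into a small detection that pulls the attacker IP, the first target, the user, the service executable and both shares out of a stream of SMB2 events. This is an added example, not code from the video or from CyberDefenders; the event records and their field names are my own construction, modelled on fields one could extract from a pcap, and the sample values are not the lab's pcap.

```python
from collections import defaultdict

# Constructed sample modelled on the lab's indicators (ADMIN$ + PSEXESVC.exe +
# IPC$ pipes); field names are my own, not tshark's, and this is not the lab pcap.
SAMPLE_EVENTS = [
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "session_setup", "user": "ssales", "host": "Sales-PC"},
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "tree_connect", "tree": 1, "share": r"\\10.0.0.133\ADMIN$"},
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "create", "tree": 1, "name": "PSEXESVC.exe"},
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "tree_connect", "tree": 2, "share": r"\\10.0.0.133\IPC$"},
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "create", "tree": 2, "name": "PSEXESVC-CLIENT-1234-stdin"},
    # benign file-share traffic from another host: must not be flagged
    {"src": "10.0.0.131", "dst": "10.0.0.133", "cmd": "session_setup", "user": "jdoe", "host": "Sales-PC"},
    {"src": "10.0.0.131", "dst": "10.0.0.133", "cmd": "tree_connect", "tree": 1, "share": r"\\10.0.0.133\Public"},
    {"src": "10.0.0.131", "dst": "10.0.0.133", "cmd": "create", "tree": 1, "name": "report.docx"},
    # second pivot from the same source
    {"src": "10.0.0.130", "dst": "10.0.0.131", "cmd": "session_setup", "user": "ssales", "host": "Marketing-PC"},
    {"src": "10.0.0.130", "dst": "10.0.0.131", "cmd": "tree_connect", "tree": 1, "share": r"\\10.0.0.131\ADMIN$"},
    {"src": "10.0.0.130", "dst": "10.0.0.131", "cmd": "create", "tree": 1, "name": "PSEXESVC.exe"},
    {"src": "10.0.0.130", "dst": "10.0.0.131", "cmd": "tree_connect", "tree": 2, "share": r"\\10.0.0.131\IPC$"},
    {"src": "10.0.0.130", "dst": "10.0.0.131", "cmd": "create", "tree": 2, "name": "PSEXESVC-CLIENT-5678-stdin"},
]

def find_psexec_chains(events):
    """One hit per (src, dst) pair that writes a service .exe over ADMIN$ and
    then opens PSEXESVC* named pipes over IPC$, i.e. the PsExec install pattern."""
    sessions = defaultdict(lambda: {"user": None, "host": None, "trees": {},
                                    "service_exe": None, "pipes": []})
    for ev in events:
        s = sessions[(ev["src"], ev["dst"])]
        if ev["cmd"] == "session_setup":
            s["user"], s["host"] = ev["user"], ev["host"]
        elif ev["cmd"] == "tree_connect":          # map tree id -> share name (ADMIN$, IPC$, ...)
            s["trees"][ev["tree"]] = ev["share"].rsplit("\\", 1)[-1].upper()
        elif ev["cmd"] == "create":
            share = s["trees"].get(ev["tree"])
            if share == "ADMIN$" and ev["name"].lower().endswith(".exe"):
                s["service_exe"] = ev["name"]
            elif share == "IPC$" and ev["name"].upper().startswith("PSEXESVC"):
                s["pipes"].append(ev["name"])
    return [{"attacker": src, "target": dst, "target_host": s["host"], "user": s["user"],
             "service_exe": s["service_exe"], "install_share": "ADMIN$", "comms_share": "IPC$"}
            for (src, dst), s in sessions.items() if s["service_exe"] and s["pipes"]]

def lateral_path(hits):
    """Attacker IP and the ordered list of hostnames it pivoted to (first target first)."""
    return hits[0]["attacker"], [h["target_host"] for h in hits]
```

Hits keep event order, so the first entry is the initial target and the rest are the further pivots; the benign Public-share session produces no hit because it never touches ADMIN$ or PSEXESVC pipes.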