Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Windows Event IDs and Others for Situational Awareness
Enumerating COM Objects and their Methods
Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
Dump GAL from OWA
Application Window Discovery
Account Discovery & Enumeration
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Detecting Sysmon on the Victim Host
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Account Discovery & Enumeration
Discovery

Let's run some of the popular enumeration commands on the victim system:
[email protected]
net user
net user administrator
whoami /user
whoami /all
...

Having command line logging can help in identifying a cluster of enumeration commands executed in a relatively short span of time on a compromised host .
For this lab, I exported 8600+ command lines from various processes and wrote a dirty powershell script that ingests those command lines and inspects them for a couple of classic windows enumeration commands that are executed in the span of 2 minutes and spits them out:
hunt.ps1
function hunt() {
[CmdletBinding()]Param()
$commandlines = Import-Csv C:\Users\mantvydas\Downloads\cmd-test.csv
$watch = 'whoami|net1 user|hostname|netstat|net localgroup|cmd /c'
$matchedCommandlines = $commandlines| where-object { $_."event_data.CommandLine" -match $watch}
​
$matchedCommandlines| foreach-Object {
[datetime]$eventTime = $_."@timestamp"
[datetime]$low = $eventTime.AddSeconds(-60)
[datetime]$high = $eventTime.AddSeconds(60)
$clusteredCommandlines = $commandlines | Where-Object { [datetime]$_."@timestamp" -ge $low -and [datetime]$_."@timestamp" -le $high -and $_."event_data.CommandLine" -match $watch}
if ($clusteredCommandlines.length -ge 4) {
Write-Verbose "Possible enumeration around time: $low - $high ($eventTime)"
$clusteredCommandlines
}
}
}
Invoking the script to start the hunt:
. \hunt.ps1; hunt -verbose
Below are some of the findings which may warrant further investigation of the suspect host:

Account Discovery, Technique T1087 - Enterprise | MITRE ATT&CK®
Previous
Application Window Discovery
Next
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Last modified 3yr ago
Copy link
On this page
Execution
Hunting and Observations
References