Roberto Rodriguez

Results 214 comments of Roberto Rodriguez

# 4.C.4 System Network Configuration Discovery

Procedure: Enumerated the current domain name using PowerShell. Criteria: powershell.exe executing `$env:USERDOMAIN`. Same as before but looking for `LIKE "%$env:userdomain%"`.

# 4.C.5 Process Discovery

Procedure: Enumerated the current process ID using PowerShell. Criteria: powershell.exe executing `$PID`. Same as before but looking for `LIKE "%$pid%"`.

# 4.C.6 System Information Discovery

Procedure: Enumerated the OS version using PowerShell. Criteria: powershell.exe executing `Gwmi Win32_OperatingSystem`. Same as before but looking for `"%gwmi win32_operatingsystem%"`.

# 4.C.7 Security Software Discovery

Procedure: Enumerated anti-virus software using PowerShell. Criteria: powershell.exe executing `Get-WmiObject ... -Class AntiVirusProduct`. Same as before but looking for `"%-class antivirusproduct%"`.

# 4.C.8 Security Software Discovery

Procedure: Enumerated firewall software using PowerShell. Criteria: powershell.exe executing `Get-WmiObject ... -Class FireWallProduct`. Same as before but looking for `"%-class firewallproduct%"`.

# 4.C.9 Permission Groups Discovery

Procedure: Enumerated user's domain group membership via the NetUserGetGroups API. Criteria: powershell.exe executing the NetUserGetGroups API. One could look for the `Invoke-NetUserGetGroups` script name in...

# 4.C.10 Execution through API

Procedure: Executed API call by reflectively loading Netapi32.dll. Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll. Correlating the netapi32.dll load with the previous...

# 4.C.11 Permission Groups Discovery

Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API. Criteria: powershell.exe executing the NetUserGetLocalGroups API. One could look for the `Invoke-NetUserGetLocalGroups` script name in...

# 4.C.12 Execution through API

Procedure: Executed API call by reflectively loading Netapi32.dll. Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll. Correlating the netapi32.dll load with the previous...

Hey @0xtf Did you get any Security 4697s for that?