Tracks or Hunting Artifacts


Last updated 2 years ago


Knowing your Environment

How they move is very important. Understanding how they leave trails and tracks is essential for effective hunting. Most prey you hunt share one goal: reach the Domain Controller or steal your crown-jewel assets -> knowing your environment makes you a better predator.

No matter how they move, they always leave something.

Which path leads to Domain Controller?

There is a tool called BloodHound. How can you hunt your prey when you don't know which path they will typically take? Use this tool and you can answer that question.

Where should I run this tool, you might ask, and will it affect my network traffic? You can run it anywhere you want.
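The question BloodHound answers is "which principals can reach Domain Admins, and over which edges". The following is an added example, not code from the original page and not BloodHound's own code: a plain breadth-first search over a small hand-constructed graph whose edge kinds (MemberOf, AdminTo, HasSession) mirror the relation types BloodHound collects. Every node name and edge in SAMPLE_EDGES is invented sample data; the busiest_edge() helper is an assumed defender-side addition that picks the single edge appearing in the most shortest paths, which is the first candidate to look at when you want to cut paths rather than just list them.

```python
"""Attack-path analysis over a small constructed AD graph (added example).

Shows, in plain Python, the kind of question BloodHound answers: which
principals have a path to the Domain Admins group, through which edges,
and which edge would cut the most of those paths. The graph below is
invented sample data; only the edge kinds mirror what BloodHound collects.
"""
from collections import deque

# Constructed sample: (source, edge_kind, target)
#   MemberOf   : principal is a member of a group
#   AdminTo    : principal has local admin rights on a computer
#   HasSession : a user's logon session (and credentials) lives on a computer
SAMPLE_EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "SERVER ADMINS@corp.local"),
    ("SERVER ADMINS@corp.local", "AdminTo", "SRV01.corp.local"),
    ("SRV01.corp.local", "HasSession", "da_admin@corp.local"),
    ("da_admin@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    ("carol@corp.local", "MemberOf", "FINANCE@corp.local"),
    ("FINANCE@corp.local", "AdminTo", "FS01.corp.local"),
]

DOMAIN_ADMINS = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency list: node -> list of (edge_kind, neighbour)."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """BFS from start to target.

    Returns an alternating list [node, edge_kind, node, ..., node] or None
    when no path exists.
    """
    if start == target:
        return [start]
    queue = deque([start])
    parent = {start: None}  # node -> (previous node, edge kind used)
    while queue:
        node = queue.popleft()
        for kind, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, kind)
            if nxt == target:
                # Walk the parent pointers back to reconstruct the path.
                path, cur = [nxt], nxt
                while parent[cur] is not None:
                    prev, used = parent[cur]
                    path.append(used)
                    path.append(prev)
                    cur = prev
                path.reverse()
                return path
            queue.append(nxt)
    return None


def paths_to_domain_admins(edges, target=DOMAIN_ADMINS):
    """Map every node that can reach the target group to its shortest path."""
    graph = build_graph(edges)
    paths = {}
    for node in graph:
        if node == target:
            continue
        path = shortest_path(graph, node, target)
        if path is not None:
            paths[node] = path
    return paths


def hops(path):
    """Number of edges in a path returned by shortest_path()."""
    return (len(path) - 1) // 2


def busiest_edge(paths):
    """The (src, kind, dst) edge occurring in the most shortest paths.

    Removing that edge cuts the most paths at once, so it is the first
    remediation candidate a defender would look at.
    """
    counts = {}
    for path in paths.values():
        for i in range(0, len(path) - 2, 2):
            edge = (path[i], path[i + 1], path[i + 2])
            counts[edge] = counts.get(edge, 0) + 1
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    found = paths_to_domain_admins(SAMPLE_EDGES)
    for node, path in sorted(found.items(), key=lambda kv: hops(kv[1])):
        print(f"{hops(path)} hop(s): {' -> '.join(path)}")
    print("busiest edge:", busiest_edge(found))
```

In this sample alice reaches Domain Admins in 7 hops via a helpdesk session on WS01, carol never does, and the busiest edge is the da_admin membership itself. The real collector reaches the same answer by enumerating group membership over LDAP and sessions over SMB, which is why collection runs are themselves worth watching for in your own logs.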

Which is the easiest path?

When the prey finds a hole to hide in, they have plenty of time to plan their next move: they gather as much information as they can and look for the easiest, most effective, and stealthiest move.

Pass the hash

Activity: Dump lsass.exe for credentials

Tools: Mimikatz, Impacket, ... and many other tools and techniques can perform this type of move

Look for:

  • Windows Error Reporting (WER) fault process -> can be abused to dump LSASS memory for hashes (application crashes are recorded in the Windows Application event log under Event ID 1000 and 1001)
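One way to hunt for the WER trail above, as an added example that is not part of the original page: scan Application-log records for Event ID 1000 (Application Error) and 1001 (Windows Error Reporting) whose faulting application is lsass.exe. The records in SAMPLE_EVENTS are constructed in the shape of the real event messages (the "Faulting application name:" field of 1000 and the "P1:" problem-signature field of 1001); in practice you would feed the same function events exported with wevtutil or Get-WinEvent, or rows from your SIEM.

```python
"""Hunt for WER crash events where the faulting application is lsass.exe.

Added example (not from the original page). Event ID 1000 (Application
Error) and 1001 (Windows Error Reporting) in the Application log both
carry the crashing process name; this scanner extracts it from either
layout and flags records that name a watched process.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "record_id time_created event_id provider computer message")

# Constructed sample records (not real telemetry); message bodies follow the
# field layout of the real 1000 / 1001 events.
SAMPLE_EVENTS = [
    Event(101, "2024-01-10T08:01:12Z", 1000, "Application Error", "WS01",
          "Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x1a2b3c4d\n"
          "Faulting module name: ntdll.dll, version: 10.0.19041.1, time stamp: 0x5e6f7a8b\n"
          "Exception code: 0xc0000005\nFaulting process id: 0x1234"),
    Event(102, "2024-01-10T09:15:40Z", 1000, "Application Error", "SRV01",
          "Faulting application name: lsass.exe, version: 10.0.19041.1, time stamp: 0x1a2b3c4d\n"
          "Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000\n"
          "Exception code: 0xc0000005\nFaulting process id: 0x2a8"),
    Event(103, "2024-01-10T09:15:41Z", 1001, "Windows Error Reporting", "SRV01",
          "Fault bucket 0, type 0\nEvent Name: APPCRASH\nResponse: Not available\n"
          "Cab Id: 0\n\nProblem signature:\nP1: lsass.exe\nP2: 10.0.19041.1\n"
          "P3: 1a2b3c4d\nP4: unknown"),
    Event(104, "2024-01-10T11:02:05Z", 1001, "Windows Error Reporting", "WS02",
          "Fault bucket 0, type 0\nEvent Name: APPCRASH\nResponse: Not available\n"
          "Cab Id: 0\n\nProblem signature:\nP1: chrome.exe\nP2: 120.0.0.0"),
]

# 1000: "Faulting application name: <exe>, version: ..."
RE_1000 = re.compile(r"Faulting application name:\s*([^,\n]+)")
# 1001: problem signature line "P1: <exe>"
RE_1001 = re.compile(r"^P1:\s*(.+?)\s*$", re.MULTILINE)

WATCHED = ("lsass.exe",)  # extend with other credential-bearing processes


def faulting_application(event):
    """Return the crashing executable's base name (lower-case) or None."""
    if event.event_id == 1000:
        match = RE_1000.search(event.message)
    elif event.event_id == 1001:
        match = RE_1001.search(event.message)
    else:
        return None
    if not match:
        return None
    # Defensive: strip any path component, compare case-insensitively.
    return match.group(1).strip().rsplit("\\", 1)[-1].lower()


def hunt_lsass_crashes(events, watched=WATCHED):
    """Return one finding per record whose faulting application is watched."""
    findings = []
    for ev in events:
        app = faulting_application(ev)
        if app in watched:
            findings.append({
                "record_id": ev.record_id,
                "time": ev.time_created,
                "event_id": ev.event_id,
                "computer": ev.computer,
                "app": app,
            })
    return findings


def by_computer(findings):
    """Count hits per host so repeated crashes on one box stand out."""
    counts = {}
    for f in findings:
        counts[f["computer"]] = counts.get(f["computer"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = hunt_lsass_crashes(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['time']} {h['computer']} EID {h['event_id']} record {h['record_id']}: {h['app']}")
    print("per host:", by_computer(hits))
```

A genuine LSASS crash produces the same two events, so treat a hit as a lead rather than proof: pivot to what launched WerFault.exe on that host and whether a dump file was written, and expect a 1000/1001 pair within a second or two of each other as in the SRV01 sample.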

Refs:

  • BloodHound
  • https://blog.zsec.uk/path2da-pt3/

(Talk about how to defend against it, will take a look at how it leaves trails)