How to check if the system was accessed remotely? What sort of remote connections is the attacker likely to be using?
The number or applications installed or present on a device can sometimes be frightening. Not all of them are installed with the user’s consent. Some of them might be malicious. How does one spot these little pesky rodents?
Admins on payroll and those “magnanimous volunteers” often tread the very same path, albeit guided by different compasses of motivation. Once our cunning adversary ascends to the lofty heights of respect usually reserved for the admin on payroll, the misuse of these management tools becomes bound only by the limits of their mischievous imagination.
Think of the terminal as a magic wand 🪄 of the attacker. The beauty for them is that they can do all sorts of nasty things remotely, but their beauty also lies with their forensics perks: one can review the history of this activity.
Windows ❗️These techniques require admin or higher privileges. ❗️Common with ransomware When the Security trail is deleted, 1102 is usually created afterwards.
Windows Tasks Event logs Two trails are of use are Microsoft-Windows-TaskScheduler/Operational 🍇 (disabled by default on the newer systems) and Security 🛡️.
Windows Event logs Monitoring for these events will cause a lot of noise and false positives.
Windows You can use Prefetch which is the most reliable source. However, if the program is NOT there, it doesn’t mean it wasn’t executed.
Windows Registry, of course. AmCache, Registry 🗄️ You can see firmware, hardware and OS info there.
Windows Event logs It starts with the event 4720 (account created) and multiple 4732 events (member added to some security-enabled group).
Windows Event Logs There is a fine line between logon and account logon events, and that line is not just one word.
Windows Event logs There will be no shortage of 4625 events (unsuccessful login) showing up in the logs.
Windows Sysmon logs, 25. References Expand… Something here