Kittens at Play - Reference

Reference Material for Kittens at Play Presentation at BSides San Antonio 2022

Discovery Commands

net user

net user win001

netstat -nao

quser

Persistence

Create User

net.exe user /add new.admin Password1!

Add user to local administrators

net.exe localgroup /add administrators new.admin

Jump Lists

Provide input for mini start menus

%AppData%\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

https://forensicswiki.xyz/wiki/index.php?title=List_of_Jump_List_IDs

LNK Files

Populate “Recent Items” directory

%AppData%\Roaming\Microsoft\Windows\Recent\OutlookCN.aspx.lnk
%AppData%\Roaming\Microsoft\Windows\Recent\logon.aspx.lnk

Lateral Movement

Remote Web Shell Creation

notepad.exe \\10.0.0.2\c$\inetpub\wwwroot\1.aspx
notepad.exe \\10.0.0.2\e$\webapps\PRD_PMO_JiraPM\1.aspx
notepad.exe \\CORPCOMP\d$\Microsoft\Exchange\FrontEnd\HttpProxy\owa\auth\logon.aspx
notepad.exe \\CORPCOMP\d$\Microsoft\Exchange\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx

Remote Task Creation

schtasks /Create /TN "\Microsoft\Windows\Server Managements" /sc ONCE /tr "cmd.exe /c 'iisreset /restart'" /S 10.0.0.2 /u local\admin /p "Password1!" /ru system /st 06:00

Remote Task Run

schtasks /Run /TN "\Microsoft\Windows\Server Managements" /S 10.0.0.2 /u local\admin /p "Password1!"

Remote Task Deletion

schtasks /delete /TN "\Microsoft\Windows\Server Managements" /S 10.0.0.2 /u local\admin /p "Password1!"

Defense Evasion

Disable Remote Desktop Prompt

reg.exe add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /V Shadow /T REG_DWORD /D 2 /F
  • 0: Deny remote control.
  • 1: Obtain user permission and interact with the session.
  • 2: Do not obtain user permission and interact with the session.
  • 3: Obtain user permission and display session.
  • 4: Do not obtain user permission and display session.

Clear RDP History

reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f

reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f

WDigest Cleartext Password Storage

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest | findstr UseLogonCredential

Before

After

Recommendations

Data Sources - Windows Event IDs

  • 4720 – Account Creations
  • 4698 – Task Created
  • 4699 – Task Deleted
  • 4700 – Task Enabled
  • 4701 – Task Disabled
  • 4701 – Task Updated
  • 4688 – Process Started (CMD Line Auditing Enabled)

Account Creations

Discovery Commands

  • Build rules to look for variety of Discovery commands
  • Investigate hosts with multiple hits over period of time
  • Adversaries have to learn about the environment they have landed in

Examples of Discovery Commands:

whoami
net user
net group
ipconfig
nltest
ps -aux
cat /etc/passwd
uname
arp
netstat
findstr
hostname
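To turn the Discovery Commands recommendation above into a concrete rule, here is an added Python example (not from the presentation) that applies the "multiple hits per host over a period of time" logic to constructed Event ID 4688 command-line records. The host names, timestamps, 30-minute window and three-command threshold are assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows discovery commands taken from the reference list above,
# matched against the normalized start of the 4688 command line.
DISCOVERY_CMDS = {"whoami", "net user", "net group", "ipconfig", "nltest",
                  "arp", "netstat", "hostname", "quser"}

# Constructed 4688 records (host, time, process command line), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WKSTN01", "time": "2022-06-01T09:00:00", "cmdline": "whoami /all"},
    {"host": "WKSTN01", "time": "2022-06-01T09:03:00",
     "cmdline": "C:\\Windows\\System32\\net1.exe user win001"},
    {"host": "WKSTN01", "time": "2022-06-01T09:05:00", "cmdline": "quser"},
    {"host": "WKSTN01", "time": "2022-06-01T09:07:00", "cmdline": "netstat -nao"},
    {"host": "SRV02",   "time": "2022-06-01T09:00:00", "cmdline": "ipconfig /all"},
    {"host": "SRV02",   "time": "2022-06-01T09:01:00", "cmdline": "notepad.exe report.txt"},
    {"host": "WKSTN03", "time": "2022-06-01T08:00:00", "cmdline": "net user"},
    {"host": "WKSTN03", "time": "2022-06-01T12:00:00", "cmdline": "whoami"},
    {"host": "WKSTN03", "time": "2022-06-01T16:00:00", "cmdline": "hostname"},
]

def normalize(cmdline):
    """Lowercase, drop quotes and path, strip .exe, fold net1 into net."""
    tokens = cmdline.lower().replace('"', "").split()
    if not tokens:
        return ""
    exe = tokens[0].rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe
    exe = "net" if exe == "net1" else exe
    return " ".join([exe] + tokens[1:])

def discovery_hits(events, window_minutes=30, threshold=3):
    """Return {host: sorted distinct discovery commands} for every host that ran
    at least `threshold` distinct discovery commands within `window_minutes`."""
    per_host = defaultdict(list)
    for ev in events:
        norm = normalize(ev["cmdline"])
        for cmd in DISCOVERY_CMDS:
            if norm == cmd or norm.startswith(cmd + " "):
                per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), cmd))
                break
    window, flagged = timedelta(minutes=window_minutes), {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide the window over each hit
            seen = {c for t, c in hits[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                flagged[host] = sorted(seen)
                break
    return flagged
```

A single ipconfig on SRV02 or three commands spread over a workday on WKSTN03 stay below the threshold; WKSTN01, which ran four different discovery commands in seven minutes, is the host to investigate.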

Scheduled Tasks

Establish Baseline

  • Query existing scheduled tasks across environment hosts
  • Use long tail analysis to find outliers

Ongoing Monitoring

  • Monitor instances of scheduled tasks, especially those created from command line tools (schtasks.exe)

Registry Modifications

Historical

  • Query the existing environment for registry keys known to be used by adversaries

Ongoing Monitoring

  • Legitimate registry modifications are rarely performed manually (reg.exe, powershell, regedit)
  • Registry telemetry is noisy but can be useful for investigations of GUI registry changes