An SEOs Guide To W3C Log Files
Most network activity monitoring tools don’t store actual packets, but rather just log metadata about those packets (minimally: source, destination, protocol).
Protocol Analyzer = Packet Sniffer
Now we’re talking about actual packet capture!
A.k.a. “NetFlow” (originally a Cisco thing, but since genericized). Despite sitting next to packet capture in most syllabi, this is not packet capture: the router or switch summarizes traffic it forwards into flow records (the 5-tuple of source/destination address, ports and protocol, plus packet and byte counters and first/last-seen timestamps) and exports those records to a collector; payload is never kept. NetFlow (and related tools like sFlow, which samples 1-in-N packets instead of tracking every flow) are oriented towards understanding network usage rather than the behavior of individual machines/connections.
NetFlow v5 and v9 have their own Cisco export formats; IPFIX (Internet Protocol Flow Information Export) is the standardized successor to NetFlow v9 and is the export format most non-Cisco exporters and collectors speak.
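As an added example (not from the original notes or any vendor's code), here is what a flow exporter does with packets, in Python: it keeps per-5-tuple counters, exports a record when the same 5-tuple goes quiet for longer than an inactive timeout (the 15 s value is assumed; real exporters make it configurable), and what comes out is usage data with no payload. The packet metadata is constructed inline.

```python
from collections import namedtuple
from dataclasses import dataclass

# One captured packet's metadata; no payload is kept, which is all a flow
# exporter ever looks at. (Constructed sample data, not real traffic.)
Packet = namedtuple("Packet", "ts src dst proto sport dport length")

SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", "93.184.216.34", "tcp", 51000, 80, 74),    # SYN
    Packet(0.10, "93.184.216.34", "10.0.0.5", "tcp", 80, 51000, 74),    # SYN/ACK
    Packet(0.20, "10.0.0.5", "93.184.216.34", "tcp", 51000, 80, 420),   # HTTP request
    Packet(0.30, "93.184.216.34", "10.0.0.5", "tcp", 80, 51000, 1500),  # HTTP response
    Packet(0.40, "10.0.0.5", "1.1.1.1", "udp", 40000, 53, 70),          # DNS query
    Packet(0.45, "1.1.1.1", "10.0.0.5", "udp", 53, 40000, 120),         # DNS answer
    Packet(60.0, "10.0.0.5", "93.184.216.34", "tcp", 51000, 80, 74),    # same 5-tuple after a long idle gap
]

INACTIVE_TIMEOUT = 15.0  # seconds; assumed value for this example


@dataclass
class FlowRecord:
    """A unidirectional flow record: the 5-tuple plus counters and timestamps."""
    key: tuple          # (src, dst, proto, sport, dport)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


def build_flows(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """Aggregate packet metadata into flow records, NetFlow style.

    A flow is identified by its 5-tuple. If that 5-tuple reappears after more
    than `inactive_timeout` seconds of silence, the old record is exported and
    a new one started, which is why one long TCP session can yield several records.
    """
    active = {}
    exported = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        rec = active.get(key)
        if rec is not None and p.ts - rec.last_seen > inactive_timeout:
            exported.append(active.pop(key))   # idle timeout: export and start fresh
            rec = None
        if rec is None:
            rec = active[key] = FlowRecord(key, p.ts, p.ts)
        rec.last_seen = p.ts
        rec.packets += 1
        rec.octets += p.length
    exported.extend(active.values())           # flush whatever is still open at end of capture
    return exported


def top_talkers(flows):
    """The usage view a collector gives you: octets sent per source address, largest first."""
    totals = {}
    for f in flows:
        totals[f.key[0]] = totals.get(f.key[0], 0) + f.octets
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    for f in flows:
        print(f"{f.key[0]}:{f.key[3]} -> {f.key[1]}:{f.key[4]} {f.key[2]} "
              f"pkts={f.packets} octets={f.octets} {f.first_seen:.2f}-{f.last_seen:.2f}")
    print(top_talkers(flows))
```

Note that the HTTP conversation shows up as two records (one per direction) plus a third when the client comes back after the idle gap; reassembling a "session" out of flow records is the collector's job, and the request body that went over port 80 is simply not there to inspect.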
SIEM = Your 10,000 ft view
The SIEM correlation engine is essentially a rule set: vendor-supplied and user-defined sequences of events (usually from several sources, matched within a time window) that are worth raising an alert on.
IPFIX is an IETF standard (RFC 7011).
Wireshark has some statistical packet-analysis capabilities under its Statistics menu (Conversations, Endpoints, Protocol Hierarchy, I/O Graphs).
General log analysis flow: filter down to warnings/errors, locate an event of interest, then expand your search around that timeframe to include lower-priority (INFO/debug) events, which carry the context the warning alone lacks.
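As an added example (not from the original notes), the two ideas above in Python over a constructed syslog-style sample: a correlation rule expressed as a sequence of events of interest (N failed logons from one source followed by a success, inside a window), and the filter-then-expand triage loop around the event it finds. The log format, the rule and its thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from a real system), one event per line:
#   <ISO timestamp> <host> <program> <level> <message>
SAMPLE_LOG = """\
2024-05-01T10:00:01 srv1 sshd INFO Connection from 203.0.113.9 port 50122
2024-05-01T10:00:02 srv1 sshd WARNING Failed password for root from 203.0.113.9 port 50122
2024-05-01T10:00:04 srv1 sshd WARNING Failed password for root from 203.0.113.9 port 50123
2024-05-01T10:00:06 srv1 sshd WARNING Failed password for admin from 203.0.113.9 port 50124
2024-05-01T10:00:08 srv1 sshd INFO Accepted password for admin from 203.0.113.9 port 50125
2024-05-01T10:00:09 srv1 sudo INFO admin : TTY=pts/0 ; COMMAND=/bin/bash
2024-05-01T10:00:15 srv1 sshd WARNING Failed password for bob from 198.51.100.7 port 40001
2024-05-01T10:05:00 srv1 cron INFO (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T10:20:00 srv1 sshd INFO Accepted publickey for alice from 198.51.100.7 port 40002
"""


@dataclass
class Event:
    ts: datetime
    host: str
    program: str
    level: str
    msg: str


def parse_log(text):
    """Parse the assumed line format into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, program, level, msg = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), host, program, level, msg))
    return sorted(events, key=lambda e: e.ts)


def filter_level(events, levels=("WARNING", "ERROR")):
    """Step 1 of triage: only the noisy-but-interesting severities."""
    return [e for e in events if e.level in levels]


# Matches OpenSSH's auth outcome lines; 'invalid user' is optional.
AUTH_RE = re.compile(
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failed sshd logons from one source IP,
    then a successful logon from that IP, all within `window` of the first failure.
    Failures older than the window are forgotten, so a lone failure long before
    a legitimate login does not trigger."""
    failures = defaultdict(deque)   # src ip -> timestamps of recent failures
    alerts = []
    for e in events:
        if e.program != "sshd":
            continue
        m = AUTH_RE.search(e.msg)
        if not m:
            continue
        outcome, user, ip = m.groups()
        recent = failures[ip]
        while recent and e.ts - recent[0] > window:
            recent.popleft()
        if outcome == "Failed":
            recent.append(e.ts)
        elif len(recent) >= threshold:
            alerts.append({"src": ip, "user": user, "failures": len(recent),
                           "first_failure": recent[0], "success": e.ts})
            recent.clear()
    return alerts


def pivot_window(events, pivot, before=timedelta(seconds=30), after=timedelta(seconds=30)):
    """Step 3 of triage: everything (all levels) around the event of interest."""
    return [e for e in events if pivot - before <= e.ts <= pivot + after]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("warnings/errors:", len(filter_level(events)), "of", len(events))
    for a in correlate_bruteforce(events):
        print("ALERT", a)
        for e in pivot_window(events, a["success"], timedelta(seconds=10), timedelta(seconds=10)):
            print("  ", e.ts.time(), e.program, e.level, e.msg)
```

The sudo line is INFO and would never appear in the warnings-only view, yet it is the line that tells you what the attacker did after getting in; the pivot window is where it surfaces.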
Call out to WinDbg Preview, a free Windows dump file analyzer in the Microsoft Store. Windows typically stores crash dumps under C:\Windows (MEMORY.DMP for full/kernel dumps, the Minidump subfolder for minidumps); they are readable only by administrators, so you'll need to copy the file out to analyze it.
Meterpreter lives in memory (on Windows it is delivered by reflective DLL injection) rather than as a file on disk, and can migrate into other processes so it appears under an innocuous process name. Its command channel back to Metasploit is encrypted at the Meterpreter packet level, independent of which transport is used.
However, most modern antivirus/EDR products will still recognize a stock Meterpreter payload.
Meterpreter supports a wide range of operating systems; there are even variants designed to live inside of common server-side interpreters (Java, Python, and PHP). Payloads come in staged form (e.g. windows/meterpreter/reverse_tcp, where a small stager fetches the full Meterpreter over the connection) and stageless/inline form (e.g. windows/meterpreter_reverse_tcp, everything in one payload).
Most variants support communication over HTTP, HTTPS, or raw TCP. HTTPS additionally wraps the channel in TLS so it blends in with web traffic; over HTTP and raw TCP, Meterpreter's own packet encryption is the only protection on the wire. IPv6 (which is often poorly monitored where it is allowed) is also an option.
As always, be aware that some exploits may limit the available Meterpreter payloads.
Meterpreter’s commands vary depending on host OS. Some notable commands:
background - Background the current session (return to msfconsole)
clearev - Clear the Windows event logs (Application, System, Security)
download - Transfer a file from the target to the attacker
edit - Edit a file on the target (vi-style editor)
execute - Execute a program on the host
getpid - Get the PID of the process Meterpreter currently lives in
getsystem - Attempt to elevate to SYSTEM using local privilege-escalation techniques (Windows)
getuid - Get the user Meterpreter's process is running as
guid - Get the session GUID
hashdump - Dump local account NTLM hashes from the SAM (Windows)
ifconfig - Display host network interface information
info - Show information about a post module
load - Load a Meterpreter extension (e.g. kiwi, incognito)
migrate - Migrate Meterpreter into another process
netstat - Display host network connections
portfwd - Forward a port on the attacker's machine through the session to a host/port reachable from the target
route - View and modify the target host's routing table (not msfconsole's route, which adds pivot routes through a session)
run - Run a Meterpreter script or post module
search - Search for files on the target
sessions - Switch to another (Metasploit) session
shell - Drop to a system shell on the target
sysinfo - Pull remote system information
upload - Transfer a file from the attacker to the target
Migrating Meterpreter to another process sometimes makes new commands usable; for example, keystroke capture (keyscan_start) only sees input delivered to the desktop your process is attached to, so the usual move is to migrate into explorer.exe (what the logged-on user types) or winlogon.exe (credentials typed at the logon screen).
Note that Meterpreter will happily let you migrate from a privileged to an unprivileged process - and you generally can't migrate back up, so you may lose control of the target system!
You can background system shells launched from Meterpreter with Ctrl + Z to return to the parent (Meterpreter) process.
It’s always good to look at help in Meterpreter after loading a new module.
load kiwi will pull in a Meterpreter-specific version of Mimikatz!
Run net share on Windows (via shell or execute) to list all current shares. The Metasploit post/windows/gather/enum_shares module provides cleaner output (requires backgrounding Meterpreter and running the module from msfconsole against the session).
hashdump you will need to be connected to the
Note that migrating Meterpreter will change its current working directory to that of the process it’s attaching to.