For this livestream we are going to talk about commands to run on a host box to find a malicious actor. If you have a few you prefer, let me know what those are and I’ll see about adding them to the list. We’ll also talk a little about automating these checks using auto-typing USB options.
Live Stream Link: https://youtu.be/9kciKi4s3VA
April 7, 2020 at 10:00 Central Time
Instructions for this livestream:
- Send me your commands. I’m sure my list isn’t exhaustive. If you have some you like to run, let me know.
- If you have a USB Rubber Ducky and/or a micro-controller called a Teensy, go ahead and dig those out. We will spend a little time using them to automate our commands. If you have one, do the following.
- If you have a Teensy microcontroller, download and install the Arduino programming software (https://www.arduino.cc/en/main/software) and the Teensyduino software (https://www.pjrc.com/teensy/td_download.html).
- Download the following library: http://www.irongeek.com/downloads/phukdlib0.4.zip
- If you have a USB Rubber Ducky, grab one of the Ducky Encoders or just bookmark this page: https://shop.hak5.org/pages/ducky-encoder
Resources:
- Ducky Script – https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript
- Online Ducky Encoder – https://shop.hak5.org/pages/ducky-encoder
- Standalone Ducky Encoder – https://downloads.hak5.org/ducky
- Teensy Keyboard Emulation – http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
Command Line:
- systeminfo
- wmic qfe list
- wmic diskdrive list brief
- wmic logicaldisk list brief
- ipconfig -all
- netstat -ano
- arp -a
- tasklist /v
- net share
- net user
- query user
Powershell:
- get-pnpdevice | select caption, manufacturer, description, present, deviceid, status
- get-process
- get-nettcpconnection
- get-netudpendpoint
- get-netneighbor
- get-localuser
Porting wmic commands to ASCII
- wmic <rest of the command> |more >> example.txt
Porting Powershell to ASCII
- <powershell command> | Out-file -FilePath example.txt -Append -Encoding ascii
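As an added example (my script, not something from the livestream), here is a PowerShell collector that runs every command on the two lists above and appends each result, with a labelled header, to one ASCII report; the wmic calls go through cmd.exe with the "| more" trick described in the wmic note. The report location and the columns picked for the cmdlets are my choices.

```powershell
# Added example, not from the livestream: run the triage commands listed above and
# append every result to one ASCII report. Report location is an assumption.
$Report = Join-Path $env:USERPROFILE ("triage_{0}_{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))

function Write-Section {
    # Append a labelled header plus the command's output (stderr included) as ASCII.
    param([string]$Title, [scriptblock]$Command)
    "==== $Title  ($(Get-Date -Format o)) ====" | Out-File -FilePath $Report -Append -Encoding ascii
    try {
        & $Command 2>&1 | Out-String -Width 4096 | Out-File -FilePath $Report -Append -Encoding ascii
    } catch {
        "ERROR running '$Title': $_" | Out-File -FilePath $Report -Append -Encoding ascii
    }
}

# Classic command-line tools. wmic emits UTF-16 when redirected, so each wmic call
# is run through cmd.exe with the "| more" trick described above to get plain text.
Write-Section 'systeminfo'                  { systeminfo }
Write-Section 'wmic qfe list'               { cmd.exe /c 'wmic qfe list | more' }
Write-Section 'wmic diskdrive list brief'   { cmd.exe /c 'wmic diskdrive list brief | more' }
Write-Section 'wmic logicaldisk list brief' { cmd.exe /c 'wmic logicaldisk list brief | more' }
Write-Section 'ipconfig /all'               { ipconfig /all }
Write-Section 'netstat -ano'                { netstat -ano }
Write-Section 'arp -a'                      { arp -a }
Write-Section 'tasklist /v'                 { tasklist /v }
Write-Section 'net share'                   { net share }
Write-Section 'net user'                    { net user }
Write-Section 'query user'                  { query user }

# PowerShell equivalents from the list. Format-Table -AutoSize keeps the columns
# aligned; Out-String -Width in Write-Section stops long paths being truncated.
Write-Section 'Get-PnpDevice' {
    Get-PnpDevice | Select-Object Caption, Manufacturer, Description, Present, DeviceID, Status |
        Format-Table -AutoSize
}
Write-Section 'Get-Process' {
    Get-Process | Sort-Object Id | Format-Table Id, ProcessName, Path -AutoSize
}
Write-Section 'Get-NetTCPConnection' {
    Get-NetTCPConnection | Sort-Object State, LocalPort |
        Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess -AutoSize
}
Write-Section 'Get-NetUDPEndpoint' { Get-NetUDPEndpoint | Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize }
Write-Section 'Get-NetNeighbor'    { Get-NetNeighbor | Format-Table ifIndex, IPAddress, LinkLayerAddress, State -AutoSize }
Write-Section 'Get-LocalUser'      { Get-LocalUser | Format-Table Name, Enabled, LastLogon, PasswordLastSet, Description -AutoSize }

Write-Output "Triage report written to $Report"
```

Run it from an elevated PowerShell window so netstat -ano, tasklist /v and the Net* cmdlets return owning process details; the timestamped file name lets you collect a second snapshot later and diff the two.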