
Active Directory - Surveillance / Real-time Monitoring

Following a recent intrusion into one of our clients' domains, a relatively benign attacker left a quick note on the domain controller before leaving, announcing his presence.

The attacker was relatively inexperienced and showed no sign of serious ill intent towards the client: he managed to acquire admin privileges on the domain but did not disrupt the site's activity in any meaningful way.

Instead he preferred to leave .txt files in which he boasted about the breach, which he was seemingly very proud to have pulled off.

This led us to strongly suspect an internal breach by a relatively young individual, possibly with direct or indirect help from other insiders, since he showed no intent to seriously harm the network beyond toying with the administrators.

Given the circumstances of this case, I had less than 24 hours to come up with a quick solution to trap, monitor and eventually catch the attacker whenever he came back.

Ideally, the best course of action would have been to set up a full honeypot impersonating the original server, but that would have taken far more than half a day.

So, my practical solution to this problem was the following:

  • Dump all of the server's network traffic (ingress + egress) to a separate location
  • Set up a quick and dirty shadowing script to monitor, in real time, every action of any intruder on the server

The first requirement depends very much on the infrastructure you have to work with. In this case everything was virtualised under VMware ESXi, but it would be equally doable under Hyper-V.

If the infrastructure were physical, I would think about port mirroring if you have access to the L2 network, but that can definitely be tedious and costly to set up depending on the situation; the cheap alternative would be to spin up a new machine that remotely runs a tcpdump-style capture on the server.

The only problem with the latter solution is that you would need to hide the capture process from the attacker. That is very much possible, but it requires some extra time if you don't already have a ready-made way to do it. Capturing at the hypervisor's virtual switch, as below, sidesteps the problem entirely: nothing runs inside the guest, so there is nothing for the attacker to find.

Set up ESXi traffic dump

In order to do this, you first need to enable SSH access to the ESXi host (Host > Manage > Services > TSM-SSH in the host client), then the process is the following:

List all vSwitch port numbers together with the MAC address and the VM attached to each port, to find the port ID of the DC's vNIC: net-stats -l

Dump the egress traffic of the DC's switch port to a temporary pcap file (the default direction, --dir 0, is traffic entering the vSwitch from the VM, i.e. what the DC sends): pktcap-uw --switchport XXXX -o /tmp/dc-out.pcap

Dump the ingress traffic of the DC's switch port to a temporary pcap file (--dir 1 is traffic leaving the vSwitch towards the VM, i.e. what the DC receives): pktcap-uw --switchport XXXX --dir 1 -o /tmp/dc-in.pcap

Two caveats a practitioner should keep in mind: each pktcap-uw runs until you stop it with Ctrl+C (or kill the process), and /tmp on ESXi is a small RAM disk, so for a capture that has to run for hours write the pcap to a datastore path under /vmfs/volumes/ instead, and copy the files off the host regularly with scp. The two pcaps can then be merged and inspected on the analysis machine with Wireshark or mergecap.

Shadowing script

In addition, I created this little script to automate the following:

  • Monitor every session currently open on the server (5 second refresh time, but of course it can be changed)
  • Create a shadow RDP session on every newly opened session

The script is available in my github.

There are two versions of it: attended and unattended.

The attended version plays a little sound every time a new session is opened, and expects a physical person to execute the shadow RDP command on the target session.

The unattended version is autonomous and can be left to run on its own: it automatically opens a shadow RDP session on every newly created session, so that a recording program on the physical or virtual machine from which the SecOps team is running the surveillance can capture everything. You still need to run the recording program yourself, but this spares you the hassle of having to be present.

This does however require enabling the Group Policy settings for Remote Desktop session shadowing on the server, so that a shadow session can be taken with full control and without the user being prompted for consent (otherwise the intruder would see the prompt).
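As an added example (this is not the author's script from his GitHub), the following PowerShell monitor implements both behaviours described above: it polls `query session` on the domain controller, beeps and prints the shadow command in attended mode, and launches `mstsc /shadow` itself in unattended mode. It assumes it runs on the SecOps workstation, that the DC name is passed in `-Server` (the name `DC01` in the usage line is hypothetical), and that the DC's policy "Set rules for remote control of Remote Desktop Services user sessions" (registry value `Shadow` = 2 under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`) is set to "Full Control without user's permission", which is what makes `/noConsentPrompt` work. The sample `query session` row in the comment is constructed.

```powershell
<#
  Added example, not the original post's script. Usage (hypothetical names):
    .\Watch-Sessions.ps1 -Server DC01               # attended: beep + print command
    .\Watch-Sessions.ps1 -Server DC01 -Unattended   # unattended: auto-shadow
#>
param(
    [Parameter(Mandatory)][string]$Server,   # domain controller to watch (assumption: reachable by name)
    [int]$IntervalSeconds = 5,               # refresh time, as in the original script
    [switch]$Unattended                      # launch mstsc automatically instead of alerting an operator
)

# Parse `query session /server:<name>` output into objects.
# A constructed sample row: "rdp-tcp#3         jdoe                      2  Active  rdpwd"
# USERNAME is blank for the services, console and listener rows, which the
# regex tolerates because (?<user>\S*) may match nothing.
function ConvertFrom-QuerySession {
    param([string[]]$Lines)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -match '^\s*>?(?<name>\S*)\s+(?<user>\S*)\s+(?<id>\d+)\s+(?<state>\w+)') {
            [pscustomobject]@{
                Name  = $Matches.name
                User  = $Matches.user
                Id    = [int]$Matches.id
                State = $Matches.state
            }
        }
    }
}

# Only logged-on, active user sessions are worth shadowing.
function Get-InteractiveSessions {
    param([string]$Server)
    $raw = & query session /server:$Server 2>$null
    ConvertFrom-QuerySession -Lines $raw |
        Where-Object { $_.User -and $_.State -eq 'Active' }
}

# Sessions already handled; seeded with what is open at start so that only
# new logons trigger a shadow.
$seen = @{}
Get-InteractiveSessions -Server $Server | ForEach-Object { $seen[$_.Id] = $true }
Write-Host "Watching $Server every $IntervalSeconds s. Sessions present at start: $($seen.Keys -join ', ')"

while ($true) {
    $current = @(Get-InteractiveSessions -Server $Server)

    # Session IDs are reused after logoff, so forget IDs that are gone;
    # a later logon that lands on the same ID will be shadowed again.
    $live = @{}
    $current | ForEach-Object { $live[$_.Id] = $true }
    foreach ($id in @($seen.Keys)) { if (-not $live.ContainsKey($id)) { $seen.Remove($id) } }

    foreach ($s in $current) {
        if ($seen.ContainsKey($s.Id)) { continue }
        $seen[$s.Id] = $true
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        Write-Host "[$stamp] New session $($s.Id) ($($s.Name)) for user $($s.User)"

        # /noConsentPrompt only succeeds when the shadow GPO allows control
        # without the user's permission; otherwise the intruder gets a prompt.
        $mstscArgs = "/v:$Server /shadow:$($s.Id) /control /noConsentPrompt"
        if ($Unattended) {
            Start-Process -FilePath 'mstsc.exe' -ArgumentList $mstscArgs
        } else {
            [console]::Beep(1000, 500)        # attended mode: alert the operator
            Write-Host "  Run: mstsc.exe $mstscArgs"
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Before relying on the unattended mode, take a shadow session by hand once with the same command: it confirms that the policy is applied, that the "Remote Desktop" firewall rule group (including its shadow rule) is enabled on the DC, and that the account running the monitor has the right to shadow. Run the screen recorder on the monitoring workstation, not on the DC, so that nothing new appears on the server for the intruder to notice.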