Post Compromise

Internal Networks

A Demilitarized Zone (DMZ)

A DMZ Network is an edge network that protects and adds an extra security layer to a corporation's internal local-area network from untrusted traffic. A common design for DMZ is a subnetwork that sits between the public internet and internal networks.

Designing a network within the company depends on its requirements and need. For example, suppose a company provides public services such as a website, DNS, FTP, Proxy, VPN, etc. In that case, they may design a DMZ network to isolate and enable access control on the public network traffic, untrusted traffic

Network Enumeration

netstat -na

What is the Active Directory (AD) environment?

More details here :

The following is a list of Active Directory components that we need to be familiar with:

Domain Controllers
Organizational Units
AD objects
AD Domains
Forest
AD Service Accounts: Built-in local users, Domain users, Managed service accounts
Domain Administrators

AD domains are a collection of Microsoft components within an AD network.

AD Forest

Host Security Solution

It is a set of software applications used to monitor and detect abnormal and malicious activities within the host, including:

Antivirus software
Microsoft Windows Defender
Host-based Firewall
Security Event Logging and Monitoring
Host-based Intrusion Detection System (HIDS)/ Host-based Intrusion Prevention System (HIPS)
Endpoint Detection and Response (EDR)

Antivirus Software (AV)

There are various detection techniques that the antivirus uses, including

Signature-based detection
Heuristic-based detection

Heuristic VS Signature

Behavior-based detection

Microsoft Windows Defender

We can use the following PowerShell command to check the service state of Windows Defender:

Get-Service WinDefend

 Get-MpComputerStatus | select RealTimeProtectionEnabled

Host-based Firewall:

Get-NetFirewallProfile | Format-Table Name, Enabled

Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
Get-NetFirewallProfile | Format-Table Name, Enabled

We can also learn and check the current Firewall rules, whether allowing or denying by the firewall.

Get-NetFirewallRule | select DisplayName, Enabled, Description

Test-NetConnection -ComputerName 127.0.0.1 -Port 80
(New-Object System.Net.Sockets.TcpClient("127.0.0.1", "80")).Connected

threat details

Get-MpThreat

Get Firewall Rules connection

 Get-NetFirewallRule | findstr "THM-Connection"

Security Event Logging and Monitoring

Event logs in Windows

Get-eventlog -list

Last updated 1 year ago

hashtagInternal Networks

hashtagA Demilitarized Zone (DMZ)

hashtagNetwork Enumeration

hashtagWhat is the Active Directory (AD) environment?

hashtagAD Forest

hashtagHost Security Solution

hashtagAntivirus Software (AV)

hashtagHeuristic VS Signature

hashtagMicrosoft Windows Defender

hashtagSecurity Event Logging and Monitoring