Article Excerpt
| property | value |
|---|---|
| tags | cyber-deception, defensive-tradecraft, tactic-session-enum, tradecraft-tool |
| url | |
| original_word_count | 502 |
Long Summary
This article provides an overview of a utility program that can be compiled with Visual Studio 2019 (or newer) to create a fake SMB session. Its primary purpose is to lure attackers into accessing a honey-device. The program requires slight modifications to the code, such as changing the default username and domain values, and must then be installed as a service. To verify that the program is functioning correctly, users can check the sessions on the system with the command 'net sessions'.
The theory is that when an adversary runs SharpHound and collects sessions, they will see what appears to be a highly privileged user signed in on Tier-2 infrastructure (workstations), a host they would then access and dump credentials from to gain Domain Admin access. To monitor for this, it is important to alert on any logon to the honey-device and to have email, SMS, and other alerts set up so incidents can be triaged quickly.
Overall, this program is a useful tool for luring attackers into accessing a honey-device, and it is important to configure monitoring to ensure that incidents involving this machine are triaged as quickly as possible. With the right implementation and monitoring, this program can be a powerful tool for security teams.
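As an added example, not code from the original article or from the Sq00ky tool, the check below works over the session listing the summary says to verify with 'net sessions': it parses constructed `net session` output, confirms that the decoy session is present (the lure is live), and reports any other session, which on a honey-device is exactly the event the monitoring should page on. The decoy username, client addresses and the sample output are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of a `net session` listing on the honey-device (not real output).
# Row 1 is the spoofed decoy session; row 2 is an unexpected connection to triage.
SAMPLE_NET_SESSION = """\
Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\\\192.168.10.25       decoyadmin           Windows 10        0     00:00:15
\\\\192.168.10.77       jdoe                 Windows Server 2019 2   00:03:41
The command completed successfully.
"""

@dataclass
class Session:
    client: str       # \\host or \\ip of the connecting client
    user: str         # account the session was established as
    client_type: str  # may contain spaces, e.g. "Windows Server 2019"
    opens: int        # open files/pipes in this session
    idle: str         # HH:MM:SS idle time, kept as text

def parse_net_session(text: str) -> List[Session]:
    """Parse the table rows of `net session` output.

    Only rows starting with \\\\ are sessions; the header, rule and
    trailer lines are skipped.  Because the client type can contain
    spaces, fixed fields are taken from both ends of the split line.
    """
    sessions = []
    for line in text.splitlines():
        if not line.startswith("\\\\"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        client, user = parts[0], parts[1]
        opens, idle = int(parts[-2]), parts[-1]
        sessions.append(Session(client, user, " ".join(parts[2:-2]), opens, idle))
    return sessions

def check_honey_sessions(text: str, decoy_user: str) -> Tuple[bool, List[Session]]:
    """Return (decoy_present, unexpected_sessions).

    decoy_present is True when the spoofed session for decoy_user exists
    (an assumed name; the real one is whatever was compiled in).  Every
    other session on a honey-device is unexpected and should raise an alert.
    """
    sessions = parse_net_session(text)
    is_decoy = lambda s: s.user.lower() == decoy_user.lower()
    return any(is_decoy(s) for s in sessions), [s for s in sessions if not is_decoy(s)]
```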
Short Summary
Sq00ky/SMB-Session-Spoofing
- Overview of a utility program that creates a fake SMB session
- Purpose is to lure attackers into accessing a honey-device
- Program requires modification and installation as a service
- Verification by checking sessions with the 'net sessions' command
- SharpHound collects sessions to identify highly privileged users on Tier-2 infrastructure
- Access to Tier-2 infrastructure can lead to dumping credentials and gaining Domain Admin access
- Logging and alerting are important to quickly triage incidents
- Program can be a powerful tool for security teams
- Implementation and monitoring are key to success
- Overall, useful for luring attackers and ensuring incident response is efficient
source link: https://github.com/Sq00ky/SMB-Session-Spoofing
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/sq00ky-smb-sessionspoofing
#UtilityProgram #HoneyDevice #SMBSession #SharpHound #SecurityTeams