How to discover traces of a compromised system

Viewing 6 reply threads
  • Author
    • #6090

      He folks,

      I was wondering about this scenario. You are hired to do pentest and while doing your pentest, you have to successfully compromise the target system (Windows or Linux). You started to look around for Windows, you run sc or sc query commands, net and etc sommands.
      How would you know that the target system(s) had been compromised so that you can turn the pentest into investigation/forensic phase, given that fact that you are a pentester pro. not incident handler or forensic invetigator?
      Are there specific skills that you need to have being a pentester in order to find traces of a compromised systems?

      Your turn, any idea/suggestions?

    • #38055

      I’m just a college student so I’m not in a position to give any professional advice, but I do remember these SANS intrusion discovery cheatsheets. Lots of good stuff there 🙂

      Intrusion Discovery Cheat Sheet v1.4 for Linux

      Intrusion Discovery Cheat Sheet v1.4 for Windows

    • #38056
    • #38057

      Thanks to everyone who has responded to this and your links to other sites.
      However, I am thinking here purely on the prospective of a pentester doing his job without any knowledge of a breached on the network.

      Also, when looking around after he compromised the target system, he is looking to further escalate privileges, delve deeper into the system but before doing all of these, he wanted to make sure that he is not contaminating any previous compromised by the real bad guy.

      Is there any commands for him to run to verify previous breach? If rules of engagment allow, what tools could he utilize to determine any previous compromised?

      Does this little explanation help in understanding what I am saying?

      Any idea/suggestions would be appreciated.

    • #38058

      There is nothing that I know of that when you double click it will shout at you that “this system has been compromised.” Your client antivirus would be the closest I can think of. You’re in the realm of investigation here.

      I would start with the basic stuff…. Do a netstat and see what connections there are, do any of them look goofy? IE Do you see an https connection from the domain controller out to an IP in China? Use FPORT to see what processes are making what connections. Do you see any weird processes in taskmanager? Do you see imstealingallyourstuff.exe in taskmgr? Things like this would be a good place to start. Other than that you would have to look at an IDS, packet capture etc. Those links above are really what you want to look at….

      If the system has been compromised well enough……you wont ever know…. muuuahhhaa.

    • #38059

      Check out the paper at the link below. This maybe an interesting read for you

    • #38060

      My thought is that as a pentester, you do not have the knowledge of the system to make a determination as to whether its been compromised and your efforts are better suited to other pursuits.

      Unless someone has left a text file on the Desktop saying “You’ve been pwned.”, I’d say its not in your lane. However, in the rare case that you do come across a system that has obviously been pwned, I’d immediately alert my POC and move on.

      Besides….if you’re on the console of the machine, haven’t you already given proof that the machine has likely been compromised? That’s kinda’ the point of the pentest – to find and exploit vulnerabilities…

Viewing 6 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?