Noirchapeau's Gitbook
Noirchapeau
NoirchapeauEsau
Noirchapeau
NoirchapeauEsau
  • Welcome to NoirChapeau Gitbook
  • Network Mapping and Security Auditing Tool
  • Footprinting - Enumeration and Information Gathering Notes
    • FTP Pentesting Notes
    • SMB Pentesting Notes
    • SSH Pentesting Notes
    • IPMI Pentesting Notes
    • Oracle TNS Pentesting Notes
    • MSSQL Pentesting Notes
    • MySQL Pentesting Notes
    • SNMP Pentesting Notes
    • IMAP/POP3 Pentesting Notes
    • SMTP Pentesting Notes
    • DNS Pentesting Notes
    • NFS Pentesting Notes
  • Web Reconnaissance Notes
  • Vulnerability Assessment Notes
    • Nessus Vulnerability Scanner Notes
    • OpenVAS (GVM) Vulnerability Scanner Notes
  • File Transfer Techniques for Pentesting
    • Advanced File Transfer Techniques
    • File Transfer Detection & Evasion Techniques
  • Shells & Payloads: Shell Overview
    • Shells & Payloads: Payloads Overview
    • Shells & Payloads: Web Shells Overview
    • Shells & Payloads: Detection & Prevention
  • Metasploit
    • Working with Metasploit Modules
    • Targets and Payloads
    • Encoders & Msfvenom: Advanced Exploitation Techniques
    • Database Management in Metasploit
    • Sessions and Jobs
    • Writing and Importing Custom Modules into Metasploit
    • Firewall and IDS/IPS Evasion
  • Password Attacks
    • Remote Password Attacks
    • Windows Local Password Attacks
    • Linux Local Password Attacks
    • Windows Lateral Movement
    • Files & Archives Cracking
    • Password Management
  • Interacting with Common Services
    • Protocol Specific Attacks
Powered by GitBook
On this page
  • Monitoring Active Shells
  • Establishing Network Visibility
  • End Device Protection
  • Mitigation Strategies
  1. Shells & Payloads: Shell Overview

Shells & Payloads: Detection & Prevention

Monitoring Active Shells

  • Utilize the MITRE ATT&CK Framework to identify tactics and techniques:

    • Initial Access: Exploiting public-facing services (e.g., web apps, SMB).

    • Execution: Executing commands on the victim system via exploits, shells, or payloads.

    • Command & Control (C2): Maintaining interactive access, often over encrypted channels.

  • Events to Monitor:

    • File uploads: Logs can reveal malicious file uploads; pair with AV/firewall for detection.

    • User anomalies: Look for unexpected CLI usage (e.g., whoami, SMB access).

    • Network traffic: Unusual patterns (e.g., port 4444, new sites, bulk requests). Use tools like SIEMs and NetFlow.

Establishing Network Visibility

  • Maintain updated network topology diagrams using tools like NetBrain.

  • Leverage Layer 7 firewalls for application-level traffic monitoring.

  • Establish traffic baselines to spot deviations quickly.

  • Use deep packet inspection to analyze cleartext and encrypted traffic.

End Device Protection

  • Key Devices: Workstations, servers, printers, NAS, IoT devices.

  • Ensure anti-virus and Windows Defender are active with firewalls enabled.

  • Implement patch management to secure devices against exploits.

Mitigation Strategies

  • Application Sandboxing: Limit damage from compromised apps.

  • Least Privilege Access: Grant minimum permissions needed for tasks.

  • Host Segmentation & Hardening: Place exposed systems (e.g., web servers) in a DMZ.

  • Firewall Policies: Block unauthorized ports and traffic; enforce NAT to disrupt reverse shells.

  • A defense-in-depth strategy incorporating monitoring, mitigation, and visibility strengthens security posture.

PreviousShells & Payloads: Web Shells OverviewNextMetasploit