akde/infosec

Information security is ultimately about managing risk


This site contains links to tools / techniques which can run in the background during an engagement.

Linux

  • Pspy — Shows the activity on a system.

Windows

  • Responder — Waits for other Windows systems to connect to third-party systems and says “YES, I am this system!”. The Windows systems then reveal credentials of the user who started the query. Supports SMB, HTTP, DNS, LLMNR, FTP, IMAP, POP3, SMTP, LDAP, RDP, WPAD, Kerberos, …
  • When a user and an RDP connection are available, the Sysmon tools can be used to analyse the behaviour of the system.
    • Download Sysmon from Microsoft
    • Download Sysmon config
    • Adapt the config if necessary (e.g. for domain controllers, there are some comments on things that could be activated)
    • Upload both files to the victim
    • On the victim, in a terminal, start Sysmon with
      Sysmon64.exe -i
    • Apply the config with
      Sysmon64.exe -c sysmonconfig-export.xml
    • The logs can be seen in the log viewer under Console Root > Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
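
The same Sysmon log can also be read from a PowerShell prompt instead of the Event Viewer GUI. The following is an added example, not part of the original page; the helper name Convert-SysmonEvent and the event counts are assumptions, and it needs an elevated prompt on a system where Sysmon is already installed.

```powershell
# Added example: query the Sysmon channel shown in the Event Viewer path above.
$logName = 'Microsoft-Windows-Sysmon/Operational'

# Hypothetical helper: flatten one Sysmon event record into an object whose
# properties are the <Data Name="..."> fields stored under EventData.
function Convert-SysmonEvent {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $row = [ordered]@{
            TimeCreated = $Record.TimeCreated
            EventId     = $Record.Id
        }
        foreach ($field in $xml.Event.EventData.Data) {
            $row[$field.Name] = $field.'#text'
        }
        [pscustomobject]$row
    }
}

# Event ID 1 = process creation: who started what, and from which parent.
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Convert-SysmonEvent |
    Select-Object TimeCreated, User, Image, CommandLine, ParentImage |
    Format-Table -AutoSize -Wrap

# Event ID 3 = network connection (only logged if the config enables it):
# count connections per binary and destination to see what talks where.
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 3 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Convert-SysmonEvent |
    Group-Object Image, DestinationIp, DestinationPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```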


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
