8.C) Windows Admin Shares, Service Execution, Valid Accounts #20

Open

Cyb3rWard0g opened this issue May 2, 2020 · 9 comments
Comments

@Cyb3rWard0g (Contributor)

Description

This new payload is executed on the secondary victim via the PSExec utility (T1077, T1035) using the previously stolen credentials (T1078).

@Cyb3rWard0g (Contributor, Author)

This logic seems to catch, or at least give you visibility over, services being created over the network:

SELECT o.`@timestamp`, o.LogonType, o.TargetLogonId, o.TargetUserName, a.ServiceFileName
FROM apt29Table o
INNER JOIN (
    SELECT SubjectLogonId, ServiceFileName
    FROM apt29Table
    WHERE Channel = "Security"
        AND EventID = 4697
    ) a
ON o.TargetLogonId = a.SubjectLogonId
WHERE Channel = "Security"
        AND EventID = 4624

Results

 @timestamp      | 2020-05-02T03:11:20.086Z  
 LogonType       | 3                         
 TargetLogonId   | 0x866b2c                  
 TargetUserName  | pbeesly                   
 ServiceFileName | %SystemRoot%\PSEXESVC.exe 
-RECORD 1------------------------------------
 @timestamp      | 2020-05-02T03:12:26.674Z  
 LogonType       | 3                         
 TargetLogonId   | 0x86a8df                  
 TargetUserName  | pbeesly                   
 ServiceFileName | %SystemRoot%\PSEXESVC.exe 
-RECORD 2------------------------------------
 @timestamp      | 2020-05-02T03:13:30.158Z  
 LogonType       | 3                         
 TargetLogonId   | 0x86d84f                  
 TargetUserName  | pbeesly                   
 ServiceFileName | %SystemRoot%\PSEXESVC.exe 
-RECORD 3------------------------------------
 @timestamp      | 2020-05-02T03:14:44.395Z  
 LogonType       | 3                         
 TargetLogonId   | 0x890aef                  
 TargetUserName  | pbeesly                   
 ServiceFileName | %SystemRoot%\PSEXESVC.exe 

@sevickson

Working on a translation to OSQuery query based on Windows event logs like above.

@DarthRaki (Contributor)

All of my analytics are using this tool set (https://github.com/idaholab/Malcolm).

The first query I used was SMB.FN (SMB filename) == EXISTS!. This shows me all sessions that contain SMB files. (With a small data set like this it's a quick way to ID things that stand out.)

[image: SMB FILENAMES]

We notice a few stand-out items rather quickly; using the unique with counts we can see any we may have missed.

[image: UNQI-Count-FN]

Opening up the /temp/python session we can see the share they are using (newer Moloch parses the share being used better).

[image: Python ADMIN$]

We can also see the same type of behavior with the PSEXE into admin$.

[image: PSEXE ADMIN$]

@Cyb3rWard0g (Contributor, Author)

I love that @DarthRaki! I have never used that tool. Looks great!

Do you think that it would be possible to translate that to a rule following some of the examples from @neu5ron and @patrickjohn?

  1. 20.B) Pass the Ticket, Windows Remote Management, Create Account #48
  2. 16.A) Remote System Discovery #37

Thank you in advance!!

@Cyb3rWard0g (Contributor, Author)

8.C.1 Valid Accounts

Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)

Security Event Logs

SELECT Hostname, a.Message
FROM apt29Host b
INNER JOIN (
    SELECT TargetLogonId, Message
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4624
        AND LogonType = 3
        AND TargetUserName NOT LIKE '%$'
) a
ON b.SubjectLogonId = a.TargetLogonId
WHERE LOWER(b.Channel) = "security"
  AND b.EventID = 5145
  AND b.RelativeTargetName LIKE '%python.exe'

Results

 Hostname | NASHUA.dmevals.local
 Message  | An account was successfully logged on.

Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS.LOCAL
	Logon ID:		0x861A79
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{d2e3bf90-d0c7-9b80-942b-c7b9cbec384a}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	10.0.1.4
	Source Port:		59967

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

@Cyb3rWard0g (Contributor, Author)

8.C.2 Windows Admin Shares

Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share

@Cyb3rWard0g (Contributor, Author)

Security Logs

SELECT EventTime, Hostname, ShareName, RelativeTargetName, SubjectUserName
FROM apt29Host
WHERE LOWER(Channel) = "security"
  AND EventID = 5145
  AND ShareName LIKE '%IPC%'
  AND RelativeTargetName LIKE '%PSEXESVC%'

Results

-RECORD 0-------------------------------------------
 EventTime          | 2020-05-01 23:11:40           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC                      
 SubjectUserName    | pbeesly                       
-RECORD 1-------------------------------------------
 EventTime          | 2020-05-01 23:11:40           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-2668-stdin  
 SubjectUserName    | pbeesly                       
-RECORD 2-------------------------------------------
 EventTime          | 2020-05-01 23:11:40           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-2668-stdout 
 SubjectUserName    | pbeesly                       
-RECORD 3-------------------------------------------
 EventTime          | 2020-05-01 23:11:40           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-2668-stderr 
 SubjectUserName    | pbeesly                       
-RECORD 4-------------------------------------------
 EventTime          | 2020-05-01 23:12:46           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC                      
 SubjectUserName    | pbeesly                       
-RECORD 5-------------------------------------------
 EventTime          | 2020-05-01 23:12:46           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-5924-stdin  
 SubjectUserName    | pbeesly                       
-RECORD 6-------------------------------------------
 EventTime          | 2020-05-01 23:12:46           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-5924-stdout 
 SubjectUserName    | pbeesly                       
-RECORD 7-------------------------------------------
 EventTime          | 2020-05-01 23:12:46           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-5924-stderr 
 SubjectUserName    | pbeesly                       
-RECORD 8-------------------------------------------
 EventTime          | 2020-05-01 23:13:49           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC                      
 SubjectUserName    | pbeesly                       
-RECORD 9-------------------------------------------
 EventTime          | 2020-05-01 23:13:49           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-1412-stdin  
 SubjectUserName    | pbeesly                       
-RECORD 10------------------------------------------
 EventTime          | 2020-05-01 23:13:49           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-1412-stdout 
 SubjectUserName    | pbeesly                       
-RECORD 11------------------------------------------
 EventTime          | 2020-05-01 23:13:49           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-1412-stderr 
 SubjectUserName    | pbeesly                       
-RECORD 12------------------------------------------
 EventTime          | 2020-05-01 23:15:03           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC                      
 SubjectUserName    | pbeesly                       
-RECORD 13------------------------------------------
 EventTime          | 2020-05-01 23:15:03           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-8928-stdin  
 SubjectUserName    | pbeesly                       
-RECORD 14------------------------------------------
 EventTime          | 2020-05-01 23:15:03           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-8928-stdout 
 SubjectUserName    | pbeesly                       
-RECORD 15------------------------------------------
 EventTime          | 2020-05-01 23:15:03           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-8928-stderr 
 SubjectUserName    | pbeesly 

@Cyb3rWard0g (Contributor, Author)

8.C.3 Service Execution

Procedure: Executed python.exe using PSExec
Criteria: python.exe spawned by PSEXESVC.exe

Security Logs

SELECT Message
FROM apt29Host b
INNER JOIN (
    SELECT NewProcessId
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4688
        AND ParentProcessName LIKE '%services.exe'
) a
ON b.ProcessId = a.NewProcessId
WHERE LOWER(Channel) = "security"
    AND NewProcessName LIKE '%python.exe'

Results

A new process has been created.

Creator Subject:
	Security ID:		S-1-5-18
	Account Name:		NASHUA$
	Account Domain:		DMEVALS
	Logon ID:		0x3E7

Target Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x867825

Process Information:
	New Process ID:		0xae8
	New Process Name:	C:\Windows\Temp\python.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		S-1-16-8192
	Creator Process ID:	0x23f4
	Creator Process Name:	C:\Windows\PSEXESVC.exe
	Process Command Line:	"C:\Windows\Temp\python.exe" 

@Cyb3rWard0g (Contributor, Author)

Sysmon

SELECT Message
FROM apt29Host b
INNER JOIN (
    SELECT ProcessGuid
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
        AND ParentImage LIKE '%services.exe'
) a
ON b.ParentProcessGuid = a.ProcessGuid
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND Image LIKE '%python.exe'

Results

Process Create:
RuleName: -
UtcTime: 2020-05-02 03:11:40.213
ProcessGuid: {5aa8ec29-e4ec-5eac-6803-000000000400}
ProcessId: 2792
Image: C:\Windows\Temp\python.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: "C:\Windows\Temp\python.exe" 
CurrentDirectory: C:\windows\system32\
User: DMEVALS\pbeesly
LogonGuid: {5aa8ec29-e4ec-5eac-2578-860000000000}
LogonId: 0x867825
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=585EB59D12A111E9291518C5CF5D3FD296C2B581,MD5=57292CE8714E2D221D9D97C9D061D332,SHA256=43782EC4337D8F3DDB7EA0C451B3BC4F212F84C8D5571BD0A842001C859A02AE,IMPHASH=00000000000000000000000000000000
ParentProcessGuid: {5aa8ec29-e4eb-5eac-6703-000000000400}
ParentProcessId: 9204
ParentImage: C:\Windows\PSEXESVC.exe
ParentCommandLine: C:\windows\PSEXESVC.exe
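The correlation the Spark SQL queries in this thread perform (a network logon, 4624 with LogonType 3, joined on its LogonId to a 4697 service install and to 5145 IPC$ named-pipe access naming PSEXESVC), written as an added Python example that is not part of this thread or the project's code. The sample events are constructed, and the 4624 `IpAddress` field name is assumed from the "Source Network Address" line in the event text.

```python
"""Correlate Security events the way the thread's queries do: 4624 (network
logon) INNER JOIN 4697 (service install) on LogonId, with IPC$ 5145 pipe
access attached. Events below are constructed samples, not real telemetry."""
from collections import defaultdict

EVENTS = [  # constructed; LogonIds and addresses are illustrative
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x866b2c",
     "TargetUserName": "pbeesly", "IpAddress": "10.0.1.4"},
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x1234",
     "TargetUserName": "NASHUA$", "IpAddress": "10.0.1.5"},   # machine account
    {"EventID": 4624, "LogonType": 2, "TargetLogonId": "0x999",
     "TargetUserName": "mscott", "IpAddress": "-"},           # interactive
    {"EventID": 4697, "SubjectLogonId": "0x866b2c",
     "ServiceName": "PSEXESVC", "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 5145, "SubjectLogonId": "0x866b2c", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PSEXESVC-SCRANTON-2668-stdin"},
    {"EventID": 5145, "SubjectLogonId": "0x866b2c", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "srvsvc"},                         # benign pipe
    {"EventID": 5145, "SubjectLogonId": "0x999", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PSEXESVC"},                       # no type-3 logon
]

def remote_service_executions(events):
    """Return {TargetLogonId: summary} for non-machine network logons whose
    LogonId also installed a service; matching IPC$ pipe names are attached."""
    logons = {e["TargetLogonId"]: e for e in events
              if e["EventID"] == 4624 and e["LogonType"] == 3
              and not e["TargetUserName"].endswith("$")}  # TargetUserName NOT LIKE '%$'
    services, pipes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventID"] == 4697:
            services[e["SubjectLogonId"]].append(e["ServiceFileName"])
        elif (e["EventID"] == 5145 and "IPC$" in e["ShareName"]
              and "PSEXESVC" in e["RelativeTargetName"].upper()):
            pipes[e["SubjectLogonId"]].append(e["RelativeTargetName"])
    hits = {}
    for logon_id, lg in logons.items():
        if logon_id in services:  # the INNER JOIN: logon must have a 4697
            hits[logon_id] = {"user": lg["TargetUserName"],
                              "source": lg["IpAddress"],
                              "services": services[logon_id],
                              "pipes": pipes.get(logon_id, [])}
    return hits

if __name__ == "__main__":
    for logon_id, hit in remote_service_executions(EVENTS).items():
        print(logon_id, hit)
```

The interactive logon that touches a PSEXESVC pipe is not reported, which mirrors the SQL: the 5145 evidence alone is not enough without the type-3 logon and service install on the same LogonId.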
