Windows PowerShell Event IDs



Digital Forensic Examiner at Singapore Police Force

To enhance incident response capabilities, it is essential to understand and analyze PowerShell related Event IDs.

For PowerShell-related activities, monitoring specific Event IDs can provide valuable information for incident responders. Here are some key Event IDs associated with PowerShell:

Event ID 400: Engine Lifecycle State Change

  • Indicates a change in the PowerShell engine's lifecycle state.

Event ID 600: Module Logging

  • Captures information about the loading and unloading of PowerShell modules.

Event ID 4100: Engine Error

  • Logs an error related to the PowerShell engine.

Event ID 4103: Module Logging

  • Captures information about the loading and unloading of PowerShell modules.

Event ID 40961 and 40962: PowerShell Console is starting

  • Records the start time of the PowerShell console session.

Event ID 800: Remote PowerShell Session Establishment

  • Indicates the establishment of a remote PowerShell session.

Understanding PowerShell-related Event IDs and analyzing the corresponding event log files is pivotal for effective incident response.


Approach

The aim here is to provide basic information on the kinds of logs and other artefacts that Cobalt Strike can generate on a default Windows 10 host. For better context and understanding, we enabled Sysmon on the victim workstation in order to obtain a baseline against which the native artefacts can be compared.

Each command was executed twice to avoid false positives, and the investigations were conducted on one of these two executions. This short analysis can later be used as a reference for building rules that detect Cobalt Strike lateral movement during a forensic incident response, even when neither Sysmon nor advanced audit policies were enabled on the host.

The lab environment consists of:

  • Windows 10 workstations with Sysmon installed,
  • Windows Server 2016 Domain Controller.

The different steps and tools used to extract and analyze the artefacts post compromise are:

  1. Run DFIR-Orc to extract artefacts on the Windows 10 machine;
  2. Run log2timeline/plaso on the extracted data to build a clear timeline;
  3. Analyze data using Splunk or Kibana (ELK fullstack with custom Logstash configuration).

By using DFIR-Orc and Plaso, we were able to process the most important artefacts:

  • Event logs (*.evtx), including PowerShell command history;
  • Prefetch files among other execution evidence;
  • NTFS artefacts, such as USNjrnl and MFT;
  • User and System hives (userassist, appcompatcache, etc.).

Findings Summary

Cobalt Strike Command | Time | Description
jump psexec64 | 13:33:05.767 | [fs/usnjrnl] File \Windows\4542843.exe USN_REASON_FILE_CREATE
jump psexec64 | 13:33:05.769 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x000000000051bce7) with ‘-‘
jump psexec64 | 13:33:05.803 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x000000000051bd0a) with ‘-‘
jump psexec64 | 13:33:05.829 | [evtx/sys/scm/7045] Service ‘4542843’ (\\DESKTOP-RI5FIO5\ADMIN$\4542843.exe) was installed by user ‘LocalSystem’ (type: user mode service, start: demand start)
jump psexec64 | 13:33:05.877 | [prefetch] Prefetch [4542843.EXE] was executed – run count 1 path hints: [] hash: 0xB39DA9E6 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
jump psexec64 | 13:33:06.954 | [prefetch] Prefetch [RUNDLL32.EXE] was executed – run count 2 path hints: \WINDOWS\SYSTEM32\RUNDLL32.EXE hash: 0x64292FC9 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
jump psexec64 | 13:33:07.000 | [evtx/sys/scm/7034] Service ‘4542843’ terminated unexpectedly (1 times)
jump psexec64 | 13:33:07.000 | [fs/mft][macb] File \Windows\Prefetch\4542843.EXE-B39DA9E6.pf ($FILE_NAME), MFT:98397-10, PARENT: 93711-2
jump psexec64 | 13:33:07.000 | [fs/usnjrnl] File \Windows\Prefetch\4542843.EXE-B39DA9E6.pf USN_REASON_FILE_CREATE
jump psexec64 | 13:33:07.939 | [fs/usnjrnl] File \Windows\4542843.exe USN_REASON_CLOSE USN_REASON_FILE_DELETE
jump psexec64 | 13:33:17.063 | [fs/mft][macb] File \Windows\Prefetch\RUNDLL32.EXE-64292FC9.pf ($FILE_NAME), MFT:98393-10, PARENT: 93711-2
jump psexec64 | 13:33:17.063 | [fs/usnjrnl] File \Windows\Prefetch\RUNDLL32.EXE-64292FC9.pf USN_REASON_FILE_CREATE
jump winrm64 | 13:38:10.193 | [prefetch] Prefetch [WSMPROVHOST.EXE] was executed – run count 2 path hints: \WINDOWS\SYSTEM32\WSMPROVHOST.EXE hash: 0xEF06207C volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
jump winrm64 | 13:38:10.650 | [evtx/winrm/91] Creating WSMan shell on server with ResourceURI: ‘http://schemas.microsoft.com/powershell/Microsoft.PowerShell
jump winrm64 | 13:38:11.036 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x00000000005eb099) with ‘-‘
jump winrm64 | 13:38:11.614 | [fs/usnjrnl] File ¨C10C USN_REASON_FILE_CREATE
jump winrm64 | 13:38:11.631 | [fs/usnjrnl] File ¨C11C USN_REASON_FILE_CREATE
jump winrm64 | 13:38:11.964 | [evtx/powershell/53504] Windows PowerShell has started an IPC listening thread on process ‘9724’ in AppDomain ‘DefaultAppDomain’
jump winrm64 | 13:38:13.099 | [evtx/powershell/400] The PowerShell engine state hosted by application ¨C12C is changed from ‘None’ to ‘Available’.
jump winrm64 | 13:38:13.705 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x00000000005edc9b) with ‘-‘
jump winrm64 | 13:38:13.828 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x00000000005edd18) with ‘-‘
jump winrm64 | 13:38:14.362 | [evtx/powershell/4104] The remote PowerShell scriptblock named ‘¨C13C’ is executed (29 blocks)
jump winrm64 | 13:38:19.168 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x00000000005f30a3) with ‘-‘
jump winrm64 | 13:38:20.349 | [fs/mft][macb] File ‘\Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf’ ($FILE_NAME), MFT:106956-3, PARENT: 93711-2
jump winrm64 | 13:38:20.349 | [fs/usnjrnl] File ¨C14C USN_REASON_FILE_CREATE
jump psexec_psh | 13:45:07.732 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x00000000008629e3) with ‘-‘
jump psexec_psh | 13:45:07.755 | [evtx/sys/scm/7045] Service ‘4b3d5bc’ (¨C15C) was installed by user ‘LocalSystem’ (type: user mode service, start: demand start)
jump psexec_psh | 13:45:07.755 | [fs/mft][.a..] File ¨C16C ($STANDARD_INFORMATION), MFT:53610-1
jump psexec_psh | 13:45:07.771 | [prefetch] Prefetch [CMD.EXE] was executed – run count 2 path hints: ¨C17C hash: 0xAC113AA8 volume: 1 [serial number: 0x228095FD device path: ¨C18C]
jump psexec_psh | 13:45:07.803 | [prefetch] Prefetch [POWERSHELL.EXE] was executed – run count 5 path hints: ¨C19C hash: 0x767FB1AE volume: 1 [serial number: 0x228095FD device path: ¨C20C]
jump psexec_psh | 13:45:07.833 | [fs/mft][macb] File ¨C21C ($FILE_NAME), MFT:110491-2, PARENT: 93711-2
jump psexec_psh | 13:45:07.833 | [fs/usnjrnl] File ¨C22C USN_REASON_FILE_CREATE
jump psexec_psh | 13:45:07.904 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x0000000000862fb5) with ‘-‘
jump psexec_psh | 13:45:08.192 | [fs/mft][..c.] File ¨C23C ($STANDARD_INFORMATION), MFT:56216-1
jump psexec_psh | 13:45:09.308 | [evtx/powershell/40961] A new PowerShell runspace have been created
jump psexec_psh | 13:45:09.508 | [fs/usnjrnl] File ¨C24C USN_REASON_FILE_CREATE
jump psexec_psh | 13:45:09.520 | [fs/usnjrnl] File ¨C25C USN_REASON_FILE_CREATE
jump psexec_psh | 13:45:09.834 | [evtx/powershell/53504] Windows PowerShell has started an IPC listening thread on process ‘6920’ in AppDomain ‘DefaultAppDomain’
jump psexec_psh | 13:45:10.348 | [evtx/powershell/400] The PowerShell engine state hosted by application ¨C26C is changed from ‘None’ to ‘Available’.
jump psexec_psh | 13:45:10.387 | [evtx/powershell/40962] A PowerShell runspace have been closed
jump psexec_psh | 13:45:10.681 | [evtx/powershell/4104] The remote PowerShell scriptblock named ‘¨C27C’ is executed (1 block)
jump psexec_psh | 13:45:11.213 | [evtx/powershell/4104] The remote PowerShell scriptblock named ‘¨C28C’ is executed (1 block)
jump psexec_psh | 13:45:11.246 | [evtx/powershell/4104] The remote PowerShell scriptblock named ‘¨C29C’ is executed (1 block)
jump psexec_psh | 13:45:17.990 | [fs/usnjrnl] File ¨C30C USN_REASON_DATA_TRUNCATION

Cobalt Strike « jump psexec64 »

The Cobalt Strike jump psexec64 command allows the attacker to use the PsExec utility to execute a command or payload on a remote Windows system. When the jump psexec64 command is executed, it will use the active beacon to establish a connection to the specified Windows system, and then use the PsExec utility to run the malicious payload on the remote system. The command uses the psexec64 executable that is included in the Cobalt Strike package to run the command on x64 architectures. The Beacon type used for this test is smb.

Microsoft-Windows-Sysmon

As explained earlier, System Monitor (Sysmon) was installed on the Windows 10 workstation to have reference events on which to base our analyses. We therefore first reviewed the events recorded by Sysmon to get a baseline to compare with the extracted artefacts. The Sysmon events below have been filtered to keep the most useful ones.


Event ID 1 – Process Create

The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.

Time | Description
13:33:05.883 | [evtx/sysmon/1] Process created with command \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid: 9612) by user ‘NT AUTHORITY\SYSTEM’ via C:\Windows\System32\services.exe (pid: 596)
13:33:06.960 | [evtx/sysmon/1] Process created with command C:\Windows\System32\rundll32.exe (pid: 4648) by user ‘NT AUTHORITY\SYSTEM’ via \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid: 9612)

Event ID 3 – Network Connection Detected

The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status.

In both of our tests, three IPv4 connections are made to the victim: the first one on port 445, the second one on port 135 and the last one to a random high port. Then, two IPv6 connections are recorded to port 445.

Time | Description
13:33:06.881 | [evtx/sysmon/3] Tcp network connection from host – (192.168.56.119:54055) to host – (192.168.56.117:445) (pid=4)
13:33:06.884 | [evtx/sysmon/3] Tcp network connection from host – (192.168.56.119:54056) to host – (192.168.56.117:135) (pid=832)
13:33:06.885 | [evtx/sysmon/3] Tcp network connection from host – (192.168.56.119:54057) to host – (192.168.56.117:49692) (pid=596)
13:33:06.885 | [evtx/sysmon/3] Tcp network connection from host – (fe80:0:0:0:d4bc:701f:e0a6:897d:49800) to host – (fe80:0:0:0:d4bc:701f:e0a6:897d:445) (pid=4)
13:33:06.885 | [evtx/sysmon/3] Tcp network connection from host – (fe80:0:0:0:d4bc:701f:e0a6:897d:49800) to host – (fe80:0:0:0:d4bc:701f:e0a6:897d:445) (pid=4)

Event ID 7 – Image Loaded

The image loaded event logs when a module is loaded in a specific process. It indicates the process in which the module is loaded, hashes and signature information.

The libraries loaded by the Beacon are unremarkable (standard system DLLs). Without Sysmon installed on the victim workstation, this information is not available from any other artefact.

Time | Description
13:33:05.896 | [evtx/sysmon/7] Image C:\Windows\System32\ntdll.dll loaded from process \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid=9612) with user NT AUTHORITY\SYSTEM
13:33:05.897 | [evtx/sysmon/7] Image C:\Windows\System32\kernel32.dll loaded from process \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid=9612) with user NT AUTHORITY\SYSTEM
13:33:05.899 | [evtx/sysmon/7] Image C:\Windows\System32\KernelBase.dll loaded from process \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid=9612) with user NT AUTHORITY\SYSTEM
13:33:05.902 | [evtx/sysmon/7] Image C:\Windows\System32\apphelp.dll loaded from process \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid=9612) with user NT AUTHORITY\SYSTEM
13:33:05.915 | [evtx/sysmon/7] Image C:\Windows\System32\advapi32.dll loaded from process ¨C53C (pid=9612) with user NT AUTHORITY\SYSTEM
13:33:05.916 | [evtx/sysmon/7] Image ¨C54C loaded from process ¨C55C (pid=9612) with user NT AUTHORITY\SYSTEM
13:33:05.917 | [evtx/sysmon/7] Image ¨C56C loaded from process ¨C57C (pid=9612) with user NT AUTHORITY\SYSTEM
13:33:05.918 | [evtx/sysmon/7] Image ¨C58C loaded from process ¨C59C (pid=9612) with user NT AUTHORITY\SYSTEM
13:33:05.929 | [evtx/sysmon/7] Image ¨C60C loaded from process ¨C61C (pid=9612) with user NT AUTHORITY\SYSTEM

Event ID 11 – File Create

A Beacon executable with a random name was created in the C:\Windows directory by the System process. The two Prefetch files subsequently created for rundll32.exe and for the Beacon are useful for identifying Cobalt Strike execution.

Time | Description
13:33:05.772 | [evtx/sysmon/11] Process System (pid=4) created file C:\Windows\4542843.exe with user NT AUTHORITY\SYSTEM
13:33:07.009 | [evtx/sysmon/11] Process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\4542843.EXE-B39DA9E6.pf with user NT AUTHORITY\SYSTEM
13:33:17.065 | [evtx/sysmon/11] Process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\RUNDLL32.EXE-64292FC9.pf with user NT AUTHORITY\SYSTEM

Event ID 13 – Registry Value Set

Registry value modifications (SetValue operations, as shown below) map to this event type.

Cobalt Strike creates a service to run the Beacon as SYSTEM, so a registry key with a random name is created under HKLM\System\CurrentControlSet\Services\4542843 by services.exe, and its ImagePath value is set to the Beacon path.

Time | Description
13:33:05.866 | [evtx/sysmon/13] Registry event : user NT AUTHORITY\SYSTEM process C:\Windows\system32\services.exe (pid 596) has SetValue HKLM\System\CurrentControlSet\Services\4542843\ObjectName value to LocalSystem
13:33:05.866 | [evtx/sysmon/13] Registry event : user NT AUTHORITY\SYSTEM process C:\Windows\system32\services.exe (pid 596) has SetValue HKLM\System\CurrentControlSet\Services\4542843\ImagePath value to \DESKTOP-RI5FIO5\ADMIN$\4542843.exe
13:33:05.866 | [evtx/sysmon/13] Registry event : user NT AUTHORITY\SYSTEM process C:\Windows\system32\services.exe (pid 596) has SetValue HKLM\System\CurrentControlSet\Services\4542843\ErrorControl value to DWORD (0x00000000)
13:33:05.866 | [evtx/sysmon/13] Registry event : user NT AUTHORITY\SYSTEM process C:\Windows\system32\services.exe (pid 596) has SetValue HKLM\System\CurrentControlSet\Services\4542843\Start value to DWORD (0x00000003)
13:33:05.866 | [evtx/sysmon/13] Registry event : user NT AUTHORITY\SYSTEM process C:\Windows\system32\services.exe (pid 596) has SetValue ¨C82C value to DWORD (0x00000010)
13:33:07.941 | [evtx/sysmon/13] Registry event : user NT AUTHORITY\SYSTEM process ¨C83C (pid 596) has SetValue ¨C84C value to DWORD (0x00000004)
13:33:07.941 | [evtx/sysmon/13] Registry event : user NT AUTHORITY\SYSTEM process ¨C85C (pid 596) has SetValue ¨C86C value to DWORD (0x00000001)

Event ID 17 / 18 – Pipe Created or Connected

Named pipe creation (event ID 17) and connection (event ID 18) operations map to these event types.

Time | Description
13:33:05.926 | [evtx/sysmon/17] Process \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid=9612) created pipe \MSSE-2716-server with user NT AUTHORITY\SYSTEM
13:33:06.988 | [evtx/sysmon/17] Process C:\Windows\System32\rundll32.exe (pid=4648) created pipe \msagent_bd with user NT AUTHORITY\SYSTEM
13:33:06.955 | [evtx/sysmon/18] Process \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid=9612) connected pipe \MSSE-2716-server
13:33:08.961 | [evtx/sysmon/18] Process System (pid=4) connected pipe \msagent_bd

Event ID 25 – Process Tampering

Since Sysmon version 13, a new type of event is recorded, called process tampering. This event is generated when a process uses image-hiding techniques such as process hollowing or process herpaderping. The Cobalt Strike injection was successfully detected by Sysmon:

Time | Description
13:33:05.889 | [evtx/sysmon/25] Process tampering detected for images \\DESKTOP-RI5FIO5\ADMIN$\4542843.exe (pid=9612) with user ‘NT AUTHORITY\SYSTEM’

Findings

Now that we have seen the events and other artefacts generated by the execution of the jump psexec64 command, let us focus on the evidence present natively on an out-of-the-box Windows 10 system.

Winevtx – Microsoft-Windows-Security-Auditing

Without advanced audit policies enabled, few events are generated. Only two successful logons (event ID 4624) are recorded, with logon type 3 (Network), for the compromised account « CORP\alice », each followed by a special-privileges assignment (event ID 4672) and later by a logoff (event ID 4634). When correlated with other artefacts, this behaviour can support a hypothesis during the investigation. The source hostname is not always recorded, nor is the logon process name.

Time | Description
13:33:05.769 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x000000000051bce7) with ‘-‘
13:33:05.769 | [evtx/sec/4672] Special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x000000000051bce7): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
13:33:05.803 | [evtx/sec/4624] User ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x000000000051bd0a) with ‘-‘
13:33:05.802 | [evtx/sec/4672] Special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x000000000051bd0a): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege

Time | Description
13:34:46.386 | [evtx/sec/4634] User logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x000000000051bd0a) from logon type=3
13:35:06.877 | [evtx/sec/4634] User logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x000000000051bce7) from logon type=3

Winevtx – Service Control Manager

Time | Description
13:33:05.829 | [evtx/sys/scm/7045] Service ‘4542843’ (\\DESKTOP-RI5FIO5\ADMIN$\4542843.exe) was installed by user ‘LocalSystem’ (type: user mode service, start: demand start)
13:33:07.000 | [evtx/sys/scm/7034] Service ‘4542843’ terminated unexpectedly (1 times)

Prefetch – Program execution

Time | Description
13:33:05.877 | [prefetch] Prefetch [4542843.EXE] was executed – run count 1 path hints: [] hash: 0xB39DA9E6 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
13:33:06.954 | [prefetch] Prefetch [RUNDLL32.EXE] was executed – run count 2 path hints: \WINDOWS\SYSTEM32\RUNDLL32.EXE hash: 0x64292FC9 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]

File System – MFT

Time | Description
13:33:07.000 | [fs/mft][m.cb] File \Windows\Prefetch\4542843.EXE-B39DA9E6.pf ($STANDARD_INFORMATION), MFT:98397-10
13:33:07.000 | [fs/mft][macb] File \Windows\Prefetch\4542843.EXE-B39DA9E6.pf ($FILE_NAME), MFT:98397-10, PARENT: 93711-2
13:33:17.063 | [fs/mft][...b] File \Windows\Prefetch\RUNDLL32.EXE-64292FC9.pf ($STANDARD_INFORMATION), MFT:98393-10
13:33:17.063 | [fs/mft][macb] File \Windows\Prefetch\RUNDLL32.EXE-64292FC9.pf ($FILE_NAME), MFT:98393-10, PARENT: 93711-2

In our case, since the system has been freshly installed, rundll32.exe has run for the first time and the birth of the Prefetch file can be observed in the MFT (here in both $FILE_NAME and $STANDARD_INFORMATION of the RUNDLL32.EXE-64292FC9.pf file), otherwise only its modification would be visible.

File System – USN journal

Just like the MFT, and consistent with the Sysmon logs (event ID 11), the USN journal records the creation of the malicious executable and of its Prefetch file. The location of the Beacon in the C:\Windows directory makes it easy to spot. The activity of the rundll32.exe Prefetch file is also recorded. Note that the C:\Windows\4542843.exe binary is deleted immediately after its execution, so the USN journal may be the only file system record of its existence.

Time | Description
13:33:05.767 | [fs/usnjrnl] File \Windows\4542843.exe USN_REASON_FILE_CREATE
13:33:05.767 | [fs/usnjrnl] File \Windows\4542843.exe USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE
13:33:05.767 | [fs/usnjrnl] File \Windows\4542843.exe USN_REASON_CLOSE USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE
13:33:07.000 | [fs/usnjrnl] File \Windows\Prefetch\4542843.EXE-B39DA9E6.pf USN_REASON_FILE_CREATE
13:33:07.000 | [fs/usnjrnl] File \Windows\Prefetch\4542843.EXE-B39DA9E6.pf USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE
13:33:07.000 | [fs/usnjrnl] File \Windows\Prefetch\4542843.EXE-B39DA9E6.pf USN_REASON_CLOSE USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE
13:33:07.939 | [fs/usnjrnl] File \Windows\4542843.exe USN_REASON_CLOSE USN_REASON_FILE_DELETE
13:33:17.063 | [fs/usnjrnl] File \Windows\Prefetch\RUNDLL32.EXE-64292FC9.pf USN_REASON_FILE_CREATE
13:33:17.063 | [fs/usnjrnl] File \Windows\Prefetch\RUNDLL32.EXE-64292FC9.pf USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE
13:33:17.063 | [fs/usnjrnl] File ¨C129C USN_REASON_CLOSE USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE

Conclusion

The default Cobalt Strike jump psexec64 command is fairly easy to detect because it creates a service with a random name and uses the rundll32.exe program without any arguments to host the payload. Even though the malicious binary is deleted immediately after its execution, the location of the Beacon in the C:\Windows directory makes it even easier to spot.

Detection Rule Example

The timeline is processed using plaso (https://plaso.readthedocs.io/) on data collected with DFIR-Orc (https://dfir-orc.github.io/). The available fields and their names may vary depending on how you use log2timeline and psort.

Kibana

The various KQL queries correspond to each aspect of the conclusion stated above and can of course be grouped together. The most important is the SCM record (event ID 7045). Note that all these events occur in a short period of time. The name of the beacon can be spotted with the SCM record (event ID 7045) and then used to improve the queries on the MFT and USN journal events.

parser : "winevtx" and source_name : "Service Control Manager" and eid : 7045
parser : "winevtx" and source_name : "Microsoft-Windows-Security-Auditing" and eid : (4624 or 4672 or 4634)
parser : "usnjrnl" and message : \\Windows\\*.exe
parser : ( "prefetch" or "mft" ) and message : *RUNDLL32.EXE*

Splunk

host="*" index="*" parser=winevtx eid=7045 service_path="*ADMIN$*"
| table _time host message
| sort _time

Sigma

A Sigma rule already exists for this event (sigma/win_cobaltstrike_service_installs.yml at master · SigmaHQ/sigma).

sigma-cli >>> sigma convert -t splunk -p sysmon ../sigma/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
Parsing Sigma rules  [####################################]  100%
Provider_Name="Service Control Manager" EventID=7045 (ImagePath="*ADMIN$*" ImagePath="*.exe*" OR ImagePath="*%COMSPEC%*" ImagePath="*start*" ImagePath="*powershell*" OR ImagePath="*powershell -nop -w hidden -encodedcommand*" OR ImagePath="*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*" OR ImagePath="*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*" OR ImagePath="*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*")
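The correlation described in the Kibana section (pivot on the SCM 7045 record, then pull the USN journal, Prefetch, 7034 and 4624 records for that service name within a short time window) as a small Python script; this is an added example, not code from the original write-up. The input format mirrors the timeline rows shown above, the ADMIN$ pivot comes from the Sigma rule output, and the seven-hex-character service-name check is an assumption drawn from the two names seen in this test ('4542843', '4b3d5bc').

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample timeline, adapted from the rows in the write-up above
# (a benign service install is added as a control that must not be flagged).
# Row format mirrors the tables: <HH:MM:SS.mmm>[<source>] <message>
SAMPLE_TIMELINE = r"""
13:33:05.767[fs/usnjrnl] File \Windows\4542843.exe USN_REASON_FILE_CREATE
13:33:05.769[evtx/sec/4624] User 'CORP.LOCAL\alice' successfully logon (type=3) from '192.168.56.119'
13:33:05.829[evtx/sys/scm/7045] Service '4542843' (\\DESKTOP-RI5FIO5\ADMIN$\4542843.exe) was installed by user 'LocalSystem' (type: user mode service, start: demand start)
13:33:05.877[prefetch] Prefetch [4542843.EXE] was executed - run count 1 path hints: [] hash: 0xB39DA9E6
13:33:06.954[prefetch] Prefetch [RUNDLL32.EXE] was executed - run count 2 path hints: \WINDOWS\SYSTEM32\RUNDLL32.EXE hash: 0x64292FC9
13:33:07.000[evtx/sys/scm/7034] Service '4542843' terminated unexpectedly (1 times)
13:33:07.939[fs/usnjrnl] File \Windows\4542843.exe USN_REASON_CLOSE USN_REASON_FILE_DELETE
14:02:11.000[evtx/sys/scm/7045] Service 'Spooler' (C:\Windows\System32\spoolsv.exe) was installed by user 'LocalSystem' (type: user mode service, start: auto start)
"""

ROW_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\[([^\]]+)\] ?(.*)$")
SERVICE_INSTALL_RE = re.compile(r"Service '([^']+)' \((.+?)\) was installed by user")
# Assumed heuristic for Cobalt Strike's default service names: 7 hex-like
# characters, as with '4542843' and '4b3d5bc' in the write-up. Not a hard rule.
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{7}$")


@dataclass
class Event:
    time: datetime
    source: str
    message: str


def parse_timeline(text: str) -> list:
    """Parse timeline rows into Event objects (only time deltas matter, so the date is ignored)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable timeline row: {line!r}")
        events.append(Event(datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2), m.group(3)))
    return events


def correlate_psexec(events: list, window: timedelta = timedelta(seconds=30)) -> list:
    """Pivot on SCM 7045 records whose image path points at ADMIN$ (the Sigma
    rule's core indicator) and collect the supporting artefacts listed above."""
    findings = []
    for ev in events:
        if ev.source != "evtx/sys/scm/7045":
            continue
        m = SERVICE_INSTALL_RE.search(ev.message)
        if not m or "ADMIN$" not in m.group(2).upper():
            continue  # benign installs such as the Spooler control row stop here
        name, path = m.group(1), m.group(2)
        exe = path.rsplit("\\", 1)[-1].lower()  # e.g. "4542843.exe"
        evidence = {"scm_7045_admin_share"}
        if RANDOM_NAME_RE.match(name):
            evidence.add("random_service_name")
        for e in events:
            if not (ev.time - window <= e.time <= ev.time + window):
                continue
            msg = e.message.lower()
            if e.source == "fs/usnjrnl" and "\\windows\\" + exe in msg:
                if "usn_reason_file_create" in msg:
                    evidence.add("usn_create_in_windows_dir")
                if "usn_reason_file_delete" in msg:
                    evidence.add("usn_delete_after_execution")
            elif e.source == "prefetch":
                if "[" + exe + "]" in msg:
                    evidence.add("prefetch_beacon")
                if "[rundll32.exe]" in msg:
                    evidence.add("prefetch_rundll32")
            elif e.source == "evtx/sys/scm/7034" and f"service '{name.lower()}'" in msg:
                evidence.add("scm_7034_service_crashed")
            elif e.source == "evtx/sec/4624" and "(type=3)" in msg:
                evidence.add("network_logon_4624")
        findings.append({"service": name, "path": path,
                         "time": ev.time.strftime("%H:%M:%S.%f")[:-3],
                         "evidence": sorted(evidence)})
    return findings


if __name__ == "__main__":
    for f in correlate_psexec(parse_timeline(SAMPLE_TIMELINE)):
        print(f"{f['time']} service {f['service']} ({f['path']}): {len(f['evidence'])} indicators")
        for indicator in f["evidence"]:
            print("   -", indicator)
```

On a real psort export the three fields would be read from the parser, timestamp and message columns instead of the bracketed row format, but the pivot-and-window logic stays the same.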

Cobalt Strike « jump winrm64 »

The Cobalt Strike jump winrm64 command allows using the Windows Remote Management (WinRM) service to execute a command or payload on a remote Windows system. When the jump winrm64 command is executed, it will use the active beacon to establish a connection to the specified Windows system and then use the WinRM service to run the malicious payload on the remote system. The Beacon type used for this test is smb.

Microsoft-Windows-Sysmon

Event ID 1 – Process Create

The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file with the algorithms in the HashType field.

During the period in which the jump winrm64 command is executed, one of the processes created is wsmprovhost.exe, spawned by svchost.exe. Since the jump winrm64 command relies on the Windows Remote Management (WinRM) service, the wsmprovhost.exe process is started to handle the incoming connection and execute the command or payload.

Time | Description
13:38:10.192 | [evtx/sysmon/1] Process created with command C:\Windows\system32\wsmprovhost.exe -Embedding (pid: 9724) by user ‘CORP\alice’ via C:\Windows\System32\svchost.exe -k DcomLaunch -p (pid: 728)

Event ID 3 – Network Connection Detected

The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status.

Sysmon recorded four network connections to the victim workstation on port TCP/5985 (the default WinRM HTTP port) and, since the Beacon type used for this test is smb, one more on TCP/445 (SMB).

Time | Description
13:38:12.005 | [evtx/sysmon/3] An unknown process (pid: 4) created a TCP network connection from ‘192.168.56.119:54176’ to ‘192.168.56.117:5985’
13:38:12.907 | [evtx/sysmon/3] An unknown process (pid: 4) created a TCP network connection from ‘192.168.56.119:54177’ to ‘192.168.56.117:5985’
13:38:15.662 | [evtx/sysmon/3] An unknown process (pid: 4) created a TCP network connection from ‘192.168.56.119:54179’ to ‘192.168.56.117:5985’
13:38:15.935 | [evtx/sysmon/3] An unknown process (pid: 4) created a TCP network connection from ‘192.168.56.119:54180’ to ‘192.168.56.117:5985’
13:38:20.995 | [evtx/sysmon/3] An unknown process (pid: 4) created a TCP network connection from ‘192.168.56.119:54181’ to ‘192.168.56.117:445’

Event ID 7 – Image Loaded

The image loaded event logs when a module is loaded in a specific process. It indicates the process in which the module is loaded, hashes and signature information.

This event records the libraries loaded by a process during its execution. Without Sysmon installed on the victim workstation, it is hard to obtain the same information from other artefacts. However, because in this particular case the MFT yielded closely related information, the event is shown here. The wsmprovhost.exe process (PID 9724) loads 88 DLLs, and we chose to list only the two that also have records in the MFT (see below).

Time | Description
13:38:10.177 | [evtx/sysmon/7] Process C:\Windows\System32\wsmprovhost.exe (pid: 9724) executed by ‘CORP\alice’ loaded module C:\Windows\System32\wsmprovhost.exe
13:38:10.333 | [evtx/sysmon/7] Process C:\Windows\System32\wsmprovhost.exe (pid: 9724) executed by ‘CORP\alice’ loaded module C:\Windows\System32\WsmSvc.dll
13:38:10.523 | [evtx/sysmon/7] Process C:\Windows\System32\wsmprovhost.exe (pid: 9724) executed by ‘CORP\alice’ loaded module C:\Windows\System32\wsmplpxy.dll
13:38:10.600 | [evtx/sysmon/7] Process C:\Windows\System32\wsmprovhost.exe (pid: 9724) executed by ‘CORP\alice’ loaded module C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll
13:38:10.600 | [evtx/sysmon/7] Process C:\Windows\System32\wsmprovhost.exe (pid: 9724) executed by ‘CORP\alice’ loaded module ¨C159C
13:38:10.600 | [evtx/sysmon/7] Process ¨C160C (pid: 9724) executed by ‘CORP\alice’ loaded module ¨C161C
13:38:10.600 | [evtx/sysmon/7] Process ¨C162C (pid: 9724) executed by ‘CORP\alice’ loaded module ¨C163C
13:38:10.618 | [evtx/sysmon/7] Process ¨C164C (pid: 9724) executed by ‘CORP\alice’ loaded module ¨C165C
13:38:10.662 | [evtx/sysmon/7] Process ¨C166C (pid: 9724) executed by ‘CORP\alice’ loaded module ¨C167C
13:38:10.662 | [evtx/sysmon/7] Process ¨C168C (pid: 9724) executed by ‘CORP\alice’ loaded module ¨C169C

Event ID 11 – File Create

Our malicious wsmprovhost.exe process has PID 9724. The Cobalt Strike Beacon runs in the context of PowerShell, which is why two __PSScriptPolicyTest script files are generated (by PowerShell itself) to test against AppLocker. If the test file executes, PowerShell assumes that AppLocker is not enforcing script restrictions.

Time | Description
13:38:11.653 | [evtx/sysmon/11] Process C:\Windows\system32\wsmprovhost.exe (pid=9724) created file C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_amxqtozh.ie2.psm1 run by user ‘CORP\alice’
13:38:11.653 | [evtx/sysmon/11] Process C:\Windows\system32\wsmprovhost.exe (pid=9724) created file C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_psmlbjet.gus.ps1 run by user ‘CORP\alice’
13:38:29.313 | [evtx/sysmon/11] Process C:\Windows\system32\wsmprovhost.exe (pid=9724) created file C:\Users\alice\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache run by user ‘CORP\alice’
13:38:29.313 | [evtx/sysmon/11] Process C:\Windows\system32\wsmprovhost.exe (pid=9724) created file C:\Users\alice\AppData\Local\Microsoft\Windows\PowerShell run by user ‘CORP\alice’

Event ID 17 / 18 – Pipe Created or Accessed

Event ID 17 is recorded when a named pipe is created, and event ID 18 when a named pipe is connected to (accessed).

The previously spotted processes with PIDs 4 and 9724 used several named pipes. The \msagent_bd pipe is created by the SMB Beacon (its default pipe name) for communication with the C2.

Time | Description
13:38:11.959 | [evtx/sysmon/17] User ‘CORP\alice’ used the process C:\Windows\system32\wsmprovhost.exe (pid: 9724) to create named pipe \PSHost.132924298901870926.9724.DefaultAppDomain.wsmprovhost
13:38:17.148 | [evtx/sysmon/17] User ‘CORP\alice’ used the process C:\Windows\system32\wsmprovhost.exe (pid: 9724) to create named pipe \msagent_bd
13:38:10.558 | [evtx/sysmon/18] User ‘CORP\alice’ used the process C:\Windows\system32\wsmprovhost.exe (pid: 9724) to connect named pipe \lsass
13:38:19.169 | [evtx/sysmon/18] User ‘NT AUTHORITY\SYSTEM’ used the process System (pid: 4) to connect named pipe \msagent_bd
