OTRF / detection-hackathon-apt29

Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
GNU General Public License v3.0

8.C) Windows Admin Shares, Service Execution, Valid Accounts #20

Open Cyb3rWard0g opened 4 years ago

Cyb3rWard0g commented 4 years ago

Description

This new payload is executed on the secondary victim via the PSExec utility (T1077, T1035) using the previously stolen credentials (T1078).

Cyb3rWard0g commented 4 years ago

This logic seems to catch, or give you visibility over, services being created over the network:

SELECT o.`@timestamp`, o.LogonType, o.TargetLogonId, o.TargetUserName, a.ServiceFileName
FROM apt29Table o
INNER JOIN (
    SELECT SubjectLogonId, ServiceFileName
    FROM apt29Table
    WHERE Channel = "Security"
        AND EventID = 4697
    ) a
ON o.TargetLogonId = a.SubjectLogonId
WHERE Channel = "Security"
        AND EventID = 4624

Results

 @timestamp      | 2020-05-02T03:11:20.086Z  
 LogonType       | 3                         
 TargetLogonId   | 0x866b2c                  
 TargetUserName  | pbeesly                   
 ServiceFileName | %SystemRoot%\PSEXESVC.exe 
-RECORD 1------------------------------------
 @timestamp      | 2020-05-02T03:12:26.674Z  
 LogonType       | 3                         
 TargetLogonId   | 0x86a8df                  
 TargetUserName  | pbeesly                   
 ServiceFileName | %SystemRoot%\PSEXESVC.exe 
-RECORD 2------------------------------------
 @timestamp      | 2020-05-02T03:13:30.158Z  
 LogonType       | 3                         
 TargetLogonId   | 0x86d84f                  
 TargetUserName  | pbeesly                   
 ServiceFileName | %SystemRoot%\PSEXESVC.exe 
-RECORD 3------------------------------------
 @timestamp      | 2020-05-02T03:14:44.395Z  
 LogonType       | 3                         
 TargetLogonId   | 0x890aef                  
 TargetUserName  | pbeesly                   
 ServiceFileName | %SystemRoot%\PSEXESVC.exe 
sevickson commented 4 years ago

Working on a translation to OSQuery query based on Windows event logs like above.

DarthRaki commented 4 years ago

All of my analytics are using this tool set (https://github.com/idaholab/Malcolm)

The first query I used was SMB.FN (SMB filename) == EXISTS!. This shows me all sessions that contain SMB files (with a small data set like this, it's a quick way to ID things that stand out).

SMB FILENAMES

We notice a few stand-out items rather quickly; using the unique with counts we can see any we may have missed.

UNQI-Count-FN

Opening up the /temp/python session we can see the share they are using (newer Moloch parses the share being used better).

Python ADMIN$

We can also see the same type of behavior with the PSEXE into admin$ PSEXE ADMIN$

Cyb3rWard0g commented 4 years ago

I love that @DarthRaki! I have never used that tool. Looks great!

Do you think that it would be possible to translate that to a rule following some of the examples from @neu5ron and @patrickjohn?

1) https://github.com/OTRF/detection-hackathon-apt29/issues/48
2) https://github.com/OTRF/detection-hackathon-apt29/issues/37

Thank you in advance!!

Cyb3rWard0g commented 4 years ago

8.C.1 Valid Accounts

Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)

Security Event Logs

SELECT Hostname, a.Message
FROM apt29Host b
INNER JOIN (
    SELECT TargetLogonId, Message
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4624
        AND LogonType = 3
        AND TargetUserName NOT LIKE '%$'
) a
ON b.SubjectLogonId = a.TargetLogonId
WHERE LOWER(b.Channel) = "security"
  AND b.EventID = 5145
  AND b.RelativeTargetName LIKE '%python.exe'

Results

 Hostname | NASHUA.dmevals.local
 Message  | An account was successfully logged on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Information:
    Logon Type:     3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:        S-1-5-21-1830255721-3727074217-2423397540-1107
    Account Name:       pbeesly
    Account Domain:     DMEVALS.LOCAL
    Logon ID:       0x861A79
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     {d2e3bf90-d0c7-9b80-942b-c7b9cbec384a}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   -
    Source Network Address: 10.0.1.4
    Source Port:        59967

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
Cyb3rWard0g commented 4 years ago

8.C.2 Windows Admin Shares

Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share

Cyb3rWard0g commented 4 years ago

Security Logs

SELECT EventTime, Hostname, ShareName, RelativeTargetName, SubjectUserName
FROM apt29Host
WHERE LOWER(Channel) = "security"
  AND EventID = 5145
  AND ShareName LIKE '%IPC%'
  AND RelativeTargetName LIKE '%PSEXESVC%'

Results

-RECORD 0-------------------------------------------
 EventTime          | 2020-05-01 23:11:40           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC                      
 SubjectUserName    | pbeesly                       
-RECORD 1-------------------------------------------
 EventTime          | 2020-05-01 23:11:40           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-2668-stdin  
 SubjectUserName    | pbeesly                       
-RECORD 2-------------------------------------------
 EventTime          | 2020-05-01 23:11:40           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-2668-stdout 
 SubjectUserName    | pbeesly                       
-RECORD 3-------------------------------------------
 EventTime          | 2020-05-01 23:11:40           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-2668-stderr 
 SubjectUserName    | pbeesly                       
-RECORD 4-------------------------------------------
 EventTime          | 2020-05-01 23:12:46           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC                      
 SubjectUserName    | pbeesly                       
-RECORD 5-------------------------------------------
 EventTime          | 2020-05-01 23:12:46           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-5924-stdin  
 SubjectUserName    | pbeesly                       
-RECORD 6-------------------------------------------
 EventTime          | 2020-05-01 23:12:46           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-5924-stdout 
 SubjectUserName    | pbeesly                       
-RECORD 7-------------------------------------------
 EventTime          | 2020-05-01 23:12:46           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-5924-stderr 
 SubjectUserName    | pbeesly                       
-RECORD 8-------------------------------------------
 EventTime          | 2020-05-01 23:13:49           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC                      
 SubjectUserName    | pbeesly                       
-RECORD 9-------------------------------------------
 EventTime          | 2020-05-01 23:13:49           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-1412-stdin  
 SubjectUserName    | pbeesly                       
-RECORD 10------------------------------------------
 EventTime          | 2020-05-01 23:13:49           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-1412-stdout 
 SubjectUserName    | pbeesly                       
-RECORD 11------------------------------------------
 EventTime          | 2020-05-01 23:13:49           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-1412-stderr 
 SubjectUserName    | pbeesly                       
-RECORD 12------------------------------------------
 EventTime          | 2020-05-01 23:15:03           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC                      
 SubjectUserName    | pbeesly                       
-RECORD 13------------------------------------------
 EventTime          | 2020-05-01 23:15:03           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-8928-stdin  
 SubjectUserName    | pbeesly                       
-RECORD 14------------------------------------------
 EventTime          | 2020-05-01 23:15:03           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-8928-stdout 
 SubjectUserName    | pbeesly                       
-RECORD 15------------------------------------------
 EventTime          | 2020-05-01 23:15:03           
 Hostname           | NASHUA.dmevals.local          
 ShareName          | \\*\IPC$                      
 RelativeTargetName | PSEXESVC-SCRANTON-8928-stderr 
 SubjectUserName    | pbeesly 
Cyb3rWard0g commented 4 years ago

8.C.3 Service Execution

Procedure: Executed python.exe using PSExec
Criteria: python.exe spawned by PSEXESVC.exe

Security Logs

SELECT Message
FROM apt29Host b
INNER JOIN (
    SELECT NewProcessId
    FROM apt29Host
    WHERE LOWER(Channel) = "security"
        AND EventID = 4688
        AND ParentProcessName LIKE '%services.exe'
) a
ON b.ProcessId = a.NewProcessId
WHERE LOWER(Channel) = "security"
    AND NewProcessName LIKE '%python.exe'

Results

A new process has been created.

Creator Subject:
    Security ID:        S-1-5-18
    Account Name:       NASHUA$
    Account Domain:     DMEVALS
    Logon ID:       0x3E7

Target Subject:
    Security ID:        S-1-5-21-1830255721-3727074217-2423397540-1107
    Account Name:       pbeesly
    Account Domain:     DMEVALS
    Logon ID:       0x867825

Process Information:
    New Process ID:     0xae8
    New Process Name:   C:\Windows\Temp\python.exe
    Token Elevation Type:   %%1938
    Mandatory Label:        S-1-16-8192
    Creator Process ID: 0x23f4
    Creator Process Name:   C:\Windows\PSEXESVC.exe
    Process Command Line:   "C:\Windows\Temp\python.exe" 
Cyb3rWard0g commented 4 years ago

Sysmon

SELECT Message
FROM apt29Host b
INNER JOIN (
    SELECT ProcessGuid
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
        AND ParentImage LIKE '%services.exe'
) a
ON b.ParentProcessGuid = a.ProcessGuid
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND Image LIKE '%python.exe'

Results

Process Create:
RuleName: -
UtcTime: 2020-05-02 03:11:40.213
ProcessGuid: {5aa8ec29-e4ec-5eac-6803-000000000400}
ProcessId: 2792
Image: C:\Windows\Temp\python.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: "C:\Windows\Temp\python.exe" 
CurrentDirectory: C:\windows\system32\
User: DMEVALS\pbeesly
LogonGuid: {5aa8ec29-e4ec-5eac-2578-860000000000}
LogonId: 0x867825
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=585EB59D12A111E9291518C5CF5D3FD296C2B581,MD5=57292CE8714E2D221D9D97C9D061D332,SHA256=43782EC4337D8F3DDB7EA0C451B3BC4F212F84C8D5571BD0A842001C859A02AE,IMPHASH=00000000000000000000000000000000
ParentProcessGuid: {5aa8ec29-e4eb-5eac-6703-000000000400}
ParentProcessId: 9204
ParentImage: C:\Windows\PSEXESVC.exe
ParentCommandLine: C:\windows\PSEXESVC.exe
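The three Security-log joins in this thread (the 4624-to-4697 logon/service-install join in the first comment, the 5145 IPC$ PSEXESVC pipe query in 8.C.2, and the 4688 services.exe-to-PSEXESVC-to-python.exe self-join in 8.C.3) expressed as plain Python over an in-memory event list. This is an added illustration, not code from the hackathon repository; the events are constructed samples that reuse the field names and values shown in the results above, not rows from the Mordor dataset.

```python
from collections import defaultdict

# Constructed sample events (not from the Mordor dataset); field names follow the queries above.
EVENTS = [
    {"EventID": 4624, "Channel": "Security", "LogonType": 3, "TargetLogonId": "0x866b2c",
     "TargetUserName": "pbeesly"},
    {"EventID": 4697, "Channel": "Security", "SubjectLogonId": "0x866b2c",
     "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 5145, "Channel": "Security", "SubjectUserName": "pbeesly",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC-SCRANTON-2668-stdin"},
    {"EventID": 4688, "Channel": "Security", "NewProcessId": "0x23f4",
     "NewProcessName": r"C:\Windows\PSEXESVC.exe", "ParentProcessName": r"C:\Windows\System32\services.exe"},
    {"EventID": 4688, "Channel": "Security", "ProcessId": "0x23f4", "NewProcessId": "0xae8",
     "NewProcessName": r"C:\Windows\Temp\python.exe", "ParentProcessName": r"C:\Windows\PSEXESVC.exe"},
    # Noise: a machine-account network logon with no service install tied to its session.
    {"EventID": 4624, "Channel": "Security", "LogonType": 3, "TargetLogonId": "0x1234",
     "TargetUserName": "NASHUA$"},
]

def security(events, event_id):
    """Rows from the Security channel with the given EventID."""
    return [e for e in events if e.get("Channel") == "Security" and e.get("EventID") == event_id]

def remote_service_installs(events):
    """Join 4624 network logons to 4697 service installs on the same logon session
    (TargetLogonId = SubjectLogonId), as in the first query of the thread."""
    installs = defaultdict(list)
    for e in security(events, 4697):
        installs[e["SubjectLogonId"]].append(e["ServiceFileName"])
    return [(e["TargetUserName"], e["TargetLogonId"], svc)
            for e in security(events, 4624) if e.get("LogonType") == 3
            for svc in installs.get(e["TargetLogonId"], [])]

def psexec_pipe_access(events):
    """5145 accesses to PSEXESVC* named pipes on the IPC$ share (8.C.2)."""
    return [(e["SubjectUserName"], e["RelativeTargetName"]) for e in security(events, 5145)
            if "IPC$" in e["ShareName"] and "PSEXESVC" in e["RelativeTargetName"]]

def service_spawned_process(events, image_suffix="python.exe"):
    """4688 self-join: a process whose creator (ProcessId) was itself started by
    services.exe, i.e. a child of the PSEXESVC service (8.C.3)."""
    service_children = {e["NewProcessId"] for e in security(events, 4688)
                        if e["ParentProcessName"].lower().endswith("services.exe")}
    return [e["NewProcessName"] for e in security(events, 4688)
            if e.get("ProcessId") in service_children
            and e["NewProcessName"].lower().endswith(image_suffix)]
```

The same logon-session and process-id keys that the Spark SQL joins use are the dictionary keys here, so the noise logon with no matching 4697 drops out exactly as it does in the queries.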