Admins on payroll and those “magnanimous volunteers” often tread the very same path, albeit guided by different compasses of motivation. Once our cunning adversary ascends to the lofty heights of respect usually reserved for the admin on payroll, the misuse of these management tools becomes bound only by the limits of their mischievous imagination.
Windows

Services

Doesn't require admin privileges to pull off.

```cmd
sc \\host create service_name binpath= "C:\path\to\service.exe"
```

Note the space after `binpath=`: sc.exe's argument parser requires it.

| Artefact | Source | Target |
|---|---|---|
| Registry | ShimCache, BAM/DAM and AmCache for sc.exe traces | SYSTEM\CurrentControlSet\Services, ShimCache and AmCache |
| File system | Prefetch | Image file of the exe, Prefetch |
| Event logs | | Security: 4624 type 3 (sIP, sname), 4697 (service installed). System: 7034 (service terminated unexpectedly), 7035 (start/stop request sent), 7036 (service started/stopped), 7040 (start type changed), 7045 (service installed) |
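The source/target split in the table above is what the following example works with. It is added here and is not part of the original page: it joins each System 7045 record with the latest Security 4624 logon-type-3 record that preceded it on the target, so the installing user, source IP and source host can be read off the result, and it flags image paths that sit outside the usual trusted directories. The records, their field names, the trusted-prefix list and the 60-second window are all constructed assumptions, not the EVTX schema.

```python
"""Attribute a service installation to the remote logon that preceded it.

Added example, not part of the original page: it joins System 7045 (service
installed) records with the nearest preceding Security 4624 logon-type-3
record on the same target, and flags image paths outside the usual trusted
directories. All records below are constructed; field names are this
example's own, not the EVTX schema.
"""
from datetime import datetime

# Constructed sample records (a real pipeline would fill these from exported EVTX/CSV).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "log": "Security", "id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.0.0.5", "src_host": "WS01"},
    {"ts": "2024-05-01T10:00:04", "log": "System", "id": 7045,
     "service": "updsvc", "image": "C:\\Users\\Public\\upd.exe", "account": "LocalSystem"},
    {"ts": "2024-05-01T11:30:00", "log": "Security", "id": 4624, "logon_type": 2,
     "user": "CORP\\admin", "src_ip": "-", "src_host": "-"},
    {"ts": "2024-05-01T11:30:10", "log": "System", "id": 7045,
     "service": "Sense", "image": "\"C:\\Windows\\System32\\svchost.exe\" -k x", "account": "LocalSystem"},
]

# Assumed trusted locations; tune to the estate being investigated.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_untrusted_path(image):
    """True when the service image (a leading quote is tolerated) lives outside the trusted directories."""
    path = image.strip().lstrip('"').lower()
    return not path.startswith(TRUSTED_PREFIXES)


def correlate_service_installs(events, window_s=60):
    """One result per 7045, naming the latest type-3 logon within window_s seconds before it."""
    logons = [e for e in events
              if e["log"] == "Security" and e["id"] == 4624 and e["logon_type"] == 3]
    results = []
    for e in events:
        if not (e["log"] == "System" and e["id"] == 7045):
            continue
        t = datetime.fromisoformat(e["ts"])
        recent = [l for l in logons
                  if 0 <= (t - datetime.fromisoformat(l["ts"])).total_seconds() <= window_s]
        # ISO timestamps of equal length sort correctly as strings
        origin = max(recent, key=lambda l: l["ts"], default=None)
        results.append({
            "service": e["service"],
            "image": e["image"],
            "untrusted_path": is_untrusted_path(e["image"]),
            # None means no network logon preceded the install: likely local/console activity
            "remote_origin": (origin["user"], origin["src_ip"], origin["src_host"]) if origin else None,
        })
    return results


if __name__ == "__main__":
    for row in correlate_service_installs(SAMPLE_EVENTS):
        print(row)
```

The window is deliberately short: a 7045 on the target a few seconds after a type-3 logon from the same source is the pattern the table's source/target columns describe, and widening it only adds unrelated logons to the candidate list.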
Tasks

```cmd
at \\host 15:00 "C:\path\to\exe"
schtasks /CREATE /TN taskname /TR C:\path\to\evil.exe /SC once /RU "SYSTEM" /ST 15:00 /S host /u uname
REM RU - run as user
REM TR - what to do
REM S  - remote system to connect to
```

For the artefacts below, watch out for at.exe and schtasks.exe.

Logs: Security and Microsoft-Windows-TaskScheduler/Operational.

| Artefact | Source | Target |
|---|---|---|
| Event logs | Security: 4648 (alternate creds) | Security: 4698 (created), 4702 (updated), 4699 (deleted), 4700 (enabled), 4701 (disabled). TaskScheduler: 106 (created), 140 (updated), 141 (deleted), 200 (executed), 201 (completed) |
| Registry | ShimCache, BAM/DAM | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks, ShimCache, AmCache |
| File system | Prefetch | Prefetch, C:\Windows\System32\Tasks (newer) and C:\Windows\Tasks containing .job (binary) or .xml files |
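As an added example that is not from the original page, the following parses the Task Content XML carried in Security 4698 records (the target-side event in the table above) to recover the command, its arguments and the principal the task runs as, then flags tasks that run as SYSTEM, request HighestAvailable, launch a script host, or execute from outside trusted directories. The two 4698 messages, the task names, the script-host list and the trusted-prefix list are constructed assumptions; the XML namespace is the public Task Scheduler schema.

```python
"""Pull the action and principal out of a Security 4698 (scheduled task created) record.

Added example, not from the original page: the "Task Content" field of 4698
carries the task's XML, which names the command, its arguments and the account
the task runs as. Both records below are constructed; the XML follows the
public Task Scheduler schema namespace.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed trusted locations and script hosts; tune to the estate being investigated.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def make_4698(name, command, user_id, run_level, args=""):
    """Build a constructed 4698 message body in the shape the Security log uses."""
    return (
        "A scheduled task was created.\n"
        "Subject:\n    Account Name:   jdoe\n"
        "Task Information:\n"
        f"    Task Name:      \\{name}\n"
        '    Task Content:   <?xml version="1.0" encoding="UTF-16"?>\n'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n'
        "  <Triggers><TimeTrigger><StartBoundary>2024-05-01T15:00:00</StartBoundary></TimeTrigger></Triggers>\n"
        f"  <Principals><Principal id=\"Author\"><UserId>{user_id}</UserId><RunLevel>{run_level}</RunLevel></Principal></Principals>\n"
        f"  <Actions Context=\"Author\"><Exec><Command>{command}</Command><Arguments>{args}</Arguments></Exec></Actions>\n"
        "</Task>\n"
    )


# Constructed samples: one task worth a second look, one ordinary maintenance task.
SAMPLE_MESSAGES = [
    make_4698("updater", "C:\\Users\\Public\\evil.exe", "S-1-5-18", "HighestAvailable", "/silent"),
    make_4698("Cleanup", "C:\\Windows\\System32\\cleanmgr.exe", "CORP\\jdoe", "LeastPrivilege"),
]


def extract_task_xml(message):
    """Slice the <Task>...</Task> document out of a 4698 message (declaration excluded)."""
    m = re.search(r"<Task\b.*?</Task>", message, re.S)
    return m.group(0) if m else None


def parse_task_content(xml_text):
    """Return actions [(command, arguments)], the principal's UserId and RunLevel."""
    # A UTF-16 declaration on a str input confuses the parser, so drop it if present.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    actions = [(ex.findtext("t:Command", default="", namespaces=NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=NS).strip())
               for ex in root.findall(".//t:Actions/t:Exec", NS)]
    principal = root.find(".//t:Principals/t:Principal", NS)
    user_id = principal.findtext("t:UserId", default="", namespaces=NS) if principal is not None else ""
    run_level = principal.findtext("t:RunLevel", default="", namespaces=NS) if principal is not None else ""
    return {"actions": actions, "user_id": user_id.strip(), "run_level": run_level.strip()}


def triage_4698(message):
    """Parse one 4698 message and list the reasons it deserves review (empty = looks benign)."""
    info = parse_task_content(extract_task_xml(message))
    name = re.search(r"Task Name:\s*(\S+)", message)
    reasons = []
    for command, _args in info["actions"]:
        exe = command.strip('"').rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        if not command.strip('"').lower().startswith(TRUSTED_PREFIXES):
            reasons.append(f"action outside trusted directories: {command}")
    if info["user_id"] in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    if info["run_level"] == "HighestAvailable":
        reasons.append("requests highest available privileges")
    return {"task_name": name.group(1) if name else "", **info, "reasons": reasons}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage_4698(msg))
```

The same parser applies unchanged to the .xml files under C:\Windows\System32\Tasks listed in the table, since 4698 embeds exactly that document; only the extraction step differs.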
WMI

T1047 (MITRE ATT&CK).

Whitelisted event consumers: SCM Event Log, RmAssistEventFilter, WSCEAA.exe, BVTFilter, TsLogonEvent.vbs, TsLogonFilter, RAevent.vbs, RmAssistEventFilter, NTEventLogConsumer and KernCap.vbs (?)

This tool's artefacts usually reside mostly in RAM. It also uses the WBEM protocol, so eavesdropping on this connection is tricky. If WinRM isn't in use, network forensics is an option.

CIM - Common Information Model, shows object-relationship information.

```cmd
wmic /node:host /user:uname process call create "C:\path\to\exe"
```

Reconnaissance with WMI:

```cmd
wmic useraccount list full
wmic group list full
wmic netuse list full
wmic qfe get Caption, Description, HotFixID, InstalledOn
wmic startup get Caption, Command, Location, User
```

Escalation with WMI. Show services that are set to autostart, have no quotes in the path and are NOT in the Windows folder:

```cmd
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
```

Get the owners of the running processes in order to spot a high-privileged user, then list the services whose path is unquoted:

```powershell
$Owners = @{}
Get-WmiObject -Class Win32_Process | Where-Object { $_ } | ForEach-Object { $Owners[$_.Handle] = $_.GetOwner().User }
$VulnerableServices = Get-WmiObject -Class Win32_Service |
    Where-Object { $_ } |
    Where-Object { ($_.PathName -ne $null) -and ($_.PathName.Trim() -ne "") } |
    Where-Object { -not $_.PathName.StartsWith('"') } |
    Where-Object { -not $_.PathName.StartsWith(" ") }
```

Lateral movement:

```cmd
wmic process call create "C:\path\to\rundll32.exe C:\path\to\dll, #ordinal"
```

An alternative to wmic is good old PowerShell, Invoke-WmiMethod and Get-WmiObject:

```powershell
Invoke-WmiMethod -ComputerName host -Class Win32_Process -Name Create -ArgumentList "C:\better\be\a\good\argument.exe"
```

Look out for the following executables being invoked: wmic (on the source), along with scrcons, mofcomp, wmiprvse and some custom names limited to the attacker's quirky whims (on the target).

Logs: Security, Microsoft-Windows-WMI-Activity%4Operational (Win10+ enabled by default), Sysmon (Microsoft-Windows-Sysmon/Operational).

| Artefact | Source | Target |
|---|---|---|
| Event logs | Security: 4648 (alternate creds) | Security: 4624 type 3, 4672 (admin), 4688; Sysmon and EDR can help track the processes created. WMI-Activity: 5857 (start or stop, path to provider DLL), 5860/5861 (temporary/permanent event consumer created), 5857-5861 (filter and consumer), 5858 (query error or insufficient permissions; host and uname), 5859 (find the corresponding filter). Sysmon: 1 (mof compiled), 20 (consumer added) |
| Registry | ShimCache, BAM/DAM, AmCache | ShimCache, AmCache |
| File system | Prefetch | Prefetch, .mof files, unauthorised changes to C:\Windows\System32\wbem\Repository |

Suspicious strings: ps1, eval, vbs, ActiveXObject (when the scrcons process is run).
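The whitelist of event consumers near the top of this section and the suspicious strings just listed combine naturally into a check on WMI-Activity 5861 records. The following is an added example, not the page's own tooling: the two 5861 messages and the UpdFilter/UpdConsumer names in them are constructed, the regular expressions assume the message layout WMI-Activity writes (`Eventfilter = ...`, `Consumer = Class="Name"`, an `instance of` block carrying `CommandLineTemplate` or `ScriptText`), and the SCM consumer and its filter are written out in full rather than as the page abbreviates them.

```python
"""Triage WMI-Activity 5861 (permanent event consumer bound) records.

Added example, not from the original page: it parses the filter name,
consumer class and name, and the consumer's command or script text out of a
5861 message, then checks them against the page's known-good names and
suspicious strings. The two messages below are constructed to match the
shape of real 5861 records; the UpdFilter/UpdConsumer names are hypothetical.
"""
import re

# Known-good names from the page's list, with the SCM consumer and its filter written out in full.
KNOWN_GOOD = {
    "SCM Event Log Consumer", "SCM Event Log Filter", "RmAssistEventFilter", "WSCEAA.exe",
    "BVTFilter", "TsLogonEvent.vbs", "TsLogonFilter", "RAevent.vbs", "NTEventLogConsumer",
    "KernCap.vbs",
}
# Strings the page lists as suspicious in consumer payloads.
SUSPICIOUS = ("ps1", "eval", "vbs", "ActiveXObject")
# Consumer classes that execute something when the filter fires.
EXECUTING_CLASSES = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

SAMPLE_5861 = [
    # Constructed: a CommandLineEventConsumer that launches a script from a user-writable path.
    'Namespace = //./root/subscription; Eventfilter = UpdFilter (refer to its activate eventid:5859); '
    'Consumer = CommandLineEventConsumer="UpdConsumer"; PossibleCause = Binding EventFilter: \n'
    'instance of __EventFilter\n{\n Name = "UpdFilter";\n'
    ' Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA \'Win32_PerfFormattedData_PerfOS_System\'";\n'
    ' QueryLanguage = "WQL";\n};\nPerm. Consumer: \ninstance of CommandLineEventConsumer\n{\n'
    ' CommandLineTemplate = "powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\Public\\\\update.ps1";\n'
    ' Name = "UpdConsumer";\n};',
    # Constructed: the default SCM event log binding that ships with Windows.
    'Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter (refer to its activate eventid:5859); '
    'Consumer = NTEventLogEventConsumer="SCM Event Log Consumer"; PossibleCause = Binding EventFilter: \n'
    'instance of __EventFilter\n{\n Name = "SCM Event Log Filter";\n'
    ' Query = "select * from MSFT_SCMEventLogEvent";\n QueryLanguage = "WQL";\n};\n'
    'Perm. Consumer: \ninstance of NTEventLogEventConsumer\n{\n Name = "SCM Event Log Consumer";\n};',
]

_QUOTED = r'"((?:[^"\\]|\\.)*)"'  # a double-quoted value, backslash escapes allowed


def parse_5861(message):
    """Extract the fields worth triaging from a 5861 message."""
    filt = re.search(r"Eventfilter = (.+?) \(refer", message)
    consumer = re.search(r"Consumer = (\w+)=" + _QUOTED, message)
    payload = re.search(r"(?:CommandLineTemplate|ScriptText) = " + _QUOTED, message)
    query = re.search(r"Query = " + _QUOTED, message)
    return {
        "filter": filt.group(1) if filt else "",
        "consumer_class": consumer.group(1) if consumer else "",
        "consumer_name": consumer.group(2) if consumer else "",
        # WMI doubles backslashes inside the MOF text; undo that for readability
        "payload": payload.group(1).replace("\\\\", "\\") if payload else "",
        "query": query.group(1) if query else "",
    }


def triage_5861(message):
    """Return the parsed record plus the reasons it deserves review (empty = looks benign)."""
    rec = parse_5861(message)
    reasons = []
    if rec["consumer_name"] not in KNOWN_GOOD:
        reasons.append(f"consumer not in known-good list: {rec['consumer_name']}")
    if rec["filter"] not in KNOWN_GOOD:
        reasons.append(f"filter not in known-good list: {rec['filter']}")
    if rec["consumer_class"] in EXECUTING_CLASSES:
        reasons.append(f"{rec['consumer_class']} executes a payload when the filter fires")
    hits = [s for s in SUSPICIOUS if s.lower() in rec["payload"].lower()]
    if hits:
        reasons.append("suspicious strings in payload: " + ", ".join(hits))
    return {**rec, "reasons": reasons}


if __name__ == "__main__":
    for msg in SAMPLE_5861:
        print(triage_5861(msg))
```

The substring match is deliberately crude and will also fire on benign .vbs helpers, which is why the name check against the known-good list runs first: a payload hit on a consumer that is on the list is far less interesting than any consumer that is not.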
PowerShell Remote

Close to SSH; traffic is also encrypted.

WSMan stands for "Web Services for Management". It is the term for Microsoft's implementation of the WS-Management protocol, a standard SOAP-based, firewall-friendly protocol that allows hardware and operating systems from different vendors to interoperate. WSMan provides a common way for systems to access and exchange management information across an IT infrastructure, and lets administrators remotely manage the system settings of devices that support WS-Management, which can include desktops, servers, or any other devices with embedded systems. In the context of PowerShell, the WS-Management service is used by the WinRM (Windows Remote Management) service to provide remote management capabilities: PowerShell uses WinRM and WS-Management to let administrators run shell commands and scripts on remote computers. For example, the Enter-PSSession cmdlet starts an interactive session with a remote computer, and the Invoke-Command cmdlet runs a command on a remote computer; both are facilitated by WinRM and WS-Management. Remember, like any remote management tool, WinRM and WS-Management should be used securely to prevent unauthorized access or other security risks. Always follow best practices for authentication and encryption when using these tools.

```powershell
Enter-PSSession -ComputerName host -Credential uname
Invoke-Command -ComputerName host -ScriptBlock { Start-Process C:\path\to\process.exe }
```

Logs: Security, Microsoft-Windows-PowerShell%4Operational, Windows PowerShell.evtx and Microsoft-Windows-WinRM%4Operational.

Processes: powershell.exe (source, dest), wsmprovhost.exe (dest).

| Artefact | Source | Target |
|---|---|---|
| Event logs | Security: 4648. WinRM: 6 (WSMan session init: dhost, dIP, c_user, timestamp), 8, 15, 16, 33 (deinit). PowerShell Operational: 40691, 40692 (record the local initiation of powershell.exe and the associated user account), 8193, 8194 (session created), 8197 (session closed) | Security: 4624 type 3, 4672. PowerShell Operational: 4103 & 4104 (script block logging, suspicious or all), 53504 (the authenticating user). Windows PowerShell: 400/403 (start/end of remote session), 800 (contains partial script). WinRM: 91 (session created), 168 (authenticating user) |
| Registry | ShimCache, BAM/DAM, AmCache | ShimCache, SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy set to Bypass or less permissive |
| File system | Prefetch (will also show *.ps1 files accessed during the first 10 seconds), command history at C:\Users\uname\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Files moved, Prefetch, user profile |

EID 4096 is referenced in the poster, but there is no information on the Internet.
Registry

Requires authentication.

```cmd
reg add \\host\HKLM\path\to\key /v data /t REG_SZ /d "C:\path\to\whatever"
```
winrs

```cmd
winrs -r:host -u:user command_to_run
```

| Artefact | Source | Target |
|---|---|---|
| RAM | | winrshost.exe |