🤔 How Do I Audit Management Tools?

Created: 26.06.2023

Admins on payroll and those “magnanimous volunteers” often tread the very same path, albeit guided by different compasses of motivation. Once our cunning adversary ascends to the lofty heights of respect usually reserved for the admin on payroll, the misuse of these management tools becomes bound only by the limits of their mischievous imagination.

Windows

Services

❗️ Doesn’t require admin privileges to pull off.

📕 sc \\host create service_name binpath="path\to\service"

| 🏺 Artefact | 🚰 Source | 🎯 Target |
|---|---|---|
| 🗄️ Registry | ShimCache, BAM/DAM and AmCache for sc.exe traces | 🔑 CurrentControlSet\Services, ShimCache and AmCache |
| 📑 File system | Prefetch | Image file of the exe, Prefetch |
| 🪵 Event logs | | 🛡️ 4624 type 3 (sIP, sname), 4697 (service installed); ⚙️ 7034 (service terminated unexpectedly), 7035 (start/stop request sent), 7036 (service started/stopped), 7040 (start type changed), 7045 (service installed) |
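An added example (my own, not from the original page or the SANS poster) that turns the table above into a query: it pulls System 7045 and Security 4697 for the last N days, joins each 4697 back to the 4624 type-3 logon that performed it through SubjectLogonId/TargetLogonId (which is where the source IP and workstation name come from), and flags image paths that do not live under the Windows directory. It assumes admin rights on the target for the Security log; the path heuristics are my own triage rules.

```powershell
# Added example, not from the original page: service installs from System 7045 and Security 4697,
# attributed to the remote logon (4624 type 3) that performed them, with path-based triage.
# Assumptions: run as admin on the target; the regexes below are my own heuristics.
$Days = 30

function Get-EventDataMap([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record) {
    # <EventData><Data Name="x">v</Data>... -> @{ x = v }
    $m = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { if ($d.Name) { $m[$d.Name] = $d.'#text' } }
    return $m
}

function Get-Events([string]$Log, [int]$Id, [datetime]$Since) {
    # Get-WinEvent emits a non-terminating error when nothing matches; treat that as an empty set.
    @(Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue)
}

$since = (Get-Date).AddDays(-$Days)
$rows  = New-Object System.Collections.Generic.List[object]

# System 7045: the Service Control Manager's own record of a new service (no installing user).
foreach ($e in (Get-Events 'System' 7045 $since)) {
    $d = Get-EventDataMap $e
    $rows.Add([pscustomobject]@{
        Time = $e.TimeCreated; EID = 7045; Service = $d['ServiceName']; ImagePath = $d['ImagePath']
        StartType = $d['StartType']; RunAs = $d['AccountName']; Installer = ''; SourceIP = ''; SourceHost = ''
    })
}

# 4624 type 3 index: logon id -> where the network session came from.
$logons = @{}
foreach ($e in (Get-Events 'Security' 4624 $since)) {
    $d = Get-EventDataMap $e
    if ($d['LogonType'] -eq '3' -and $d['TargetLogonId']) {
        $logons[$d['TargetLogonId']] = @{ IP = $d['IpAddress']; Host = $d['WorkstationName'] }
    }
}

# Security 4697: the same installation seen by audit policy, carrying the subject and its logon id.
foreach ($e in (Get-Events 'Security' 4697 $since)) {
    $d   = Get-EventDataMap $e
    $lid = $d['SubjectLogonId']
    $src = if ($lid -and $logons.ContainsKey($lid)) { $logons[$lid] } else { @{ IP = ''; Host = '' } }
    $rows.Add([pscustomobject]@{
        Time = $e.TimeCreated; EID = 4697; Service = $d['ServiceName']; ImagePath = $d['ServiceFileName']
        StartType = $d['ServiceStartType']; RunAs = $d['ServiceAccount']
        Installer = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"; SourceIP = $src.IP; SourceHost = $src.Host
    })
}

# Triage heuristics (hints, not verdicts): binary outside the Windows directory (drivers legitimately
# use relative, %SystemRoot% or \??\ forms, hence the alternatives), in a user-writable tree, or a
# script/LOLBin host wrapping the real payload.
$windowsPath = '(?i)^"?(%SystemRoot%|%windir%|\\SystemRoot|\\\?\?\\[a-z]:\\windows|[a-z]:\\windows|system32)\\'
$flagged = $rows | Where-Object {
    $p = $_.ImagePath
    $p -and ( ($p -notmatch $windowsPath) -or
              ($p -match '(?i)\\(users|temp|programdata)\\') -or
              ($p -match '(?i)(cmd\.exe|powershell|rundll32|regsvr32|mshta)') )
}
$flagged | Sort-Object Time | Format-Table Time, EID, Service, Installer, SourceIP, SourceHost, ImagePath -AutoSize
```

The join on logon id is the important part: 4697 alone tells you which account installed the service, but only the matching 4624 tells you that the account arrived over the network and from which host, which is exactly the sc \\host case this section describes.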

Tasks

📕 at \\host time "path\to\exe"
📕 schtasks /CREATE /TN taskname /TR C:\path\to\evil.exe /SC once /RU "SYSTEM" /ST 15:00 /S host /u uname

# RU - run as user
# TR - what to do
# S - remote system to connect to

For the artefacts below, watch out for at.exe and schtasks.exe.

πŸ›‘οΈSecurity and πŸ₯€ Task logs

🏺 Artefact 🚰 Source 🎯 Target
πŸͺ΅ Event logs 4648 (alternate creds) πŸ›‘οΈ 4698 (created), 4702 (updated), 4699 (deleted), 4700 (enabled), 4701 (disabled), πŸ₯€ 106 (created), 140 (updated), 141 (deleted), 200 (executed), 201 (completed)
πŸ—„οΈ Registry ShimCache, BAM/DAM πŸ”‘ Microsoft\Windows NT\CurrentVersion\Schedule\TasksCache\TasksShimCache, AmCache
πŸ“‘ File System Prefetch PrefetchπŸ“‚ C:\Windows\System32\Tasks (newer) and πŸ“‚ C:\Windows\Tasks containing .job (binary) or .xml files
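An added example, my own rather than the page's, that inventories scheduled tasks from the two places the table names: the XML definitions under C:\Windows\System32\Tasks and Security 4698, whose TaskContent field carries the same task XML, so the creator recorded by the event can be put next to the command the task actually runs. Legacy .job files in C:\Windows\Tasks are binary and are only listed. It assumes admin rights for the Security log; the flagging regexes are my own.

```powershell
# Added example, not from the original page: scheduled-task inventory from on-disk XML and from
# Security 4698 (TaskContent), flagging script hosts, user-writable paths and SYSTEM tasks that run
# from outside the Windows directory. Assumptions: admin on the target; regexes are my own.
function ConvertFrom-TaskXml {
    # Reduce a Task Scheduler XML definition to the fields a reviewer cares about.
    param([string]$Xml, [string]$Origin)
    try { $doc = [xml]$Xml } catch { return $null }   # binary .job files and junk are not XML
    $t = $doc.Task
    if (-not $t) { return $null }
    $actions = foreach ($x in @($t.Actions.Exec)) { if ($x) { ("{0} {1}" -f $x.Command, $x.Arguments).Trim() } }
    $p = @($t.Principals.Principal)[0]
    [pscustomobject]@{
        Origin   = $Origin
        Author   = $t.RegistrationInfo.Author
        RunAs    = if ($p) { "$($p.UserId)$($p.GroupId) [$($p.RunLevel)]" } else { '' }
        Triggers = (@($t.Triggers.ChildNodes) | ForEach-Object { $_.LocalName }) -join ','
        Actions  = ($actions -join ' ; ')
        Creator  = ''
        Time     = $null
    }
}

$rows = New-Object System.Collections.Generic.List[object]

# 1) On-disk definitions (the newer XML store). Files are UTF-16 with BOM; -Raw handles that.
Get-ChildItem 'C:\Windows\System32\Tasks' -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $r = ConvertFrom-TaskXml -Xml (Get-Content $_.FullName -Raw) -Origin $_.FullName
    if ($r) { $r.Time = $_.LastWriteTime; $rows.Add($r) }
}
$legacyJobs = Get-ChildItem 'C:\Windows\Tasks' -Filter *.job -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# 2) Security 4698: who created which task; TaskContent is the same XML as on disk.
foreach ($e in @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue)) {
    $d = @{}
    foreach ($i in ([xml]$e.ToXml()).Event.EventData.Data) { if ($i.Name) { $d[$i.Name] = $i.'#text' } }
    $r = ConvertFrom-TaskXml -Xml $d['TaskContent'] -Origin ("4698:" + $d['TaskName'])
    if ($r) {
        $r.Creator = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        $r.Time    = $e.TimeCreated
        $rows.Add($r)
    }
}

# 3) Triage: script hosts, user-writable locations, or SYSTEM running something from outside C:\Windows.
$suspicious = $rows | Where-Object {
    $a = $_.Actions
    ($a -match '(?i)(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)') -or
    ($a -match '(?i)\\(users|temp|programdata|appdata)\\') -or
    ($_.RunAs -match 'S-1-5-18|SYSTEM' -and $a -and $a -notmatch '(?i)^"?(%SystemRoot%|%windir%|[a-z]:\\windows)\\')
}
$suspicious | Sort-Object Time -Descending | Format-Table Time, Origin, Creator, RunAs, Actions -AutoSize
if ($legacyJobs) { "Legacy .job files (binary, review separately):"; $legacyJobs }
```

Comparing the two sources is itself a check: a task present on disk with no 4698 in the retained log window is either older than the log or was created while auditing was off, and a 4698 with no matching file under System32\Tasks points at a task that has since been deleted (look for 4699).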

WMI

✍🏻 MITRE ATT&CK T1047

✍🏻 Whitelisted event consumers: SCM Event Log, RmAssistEventFilter, WSCEAA.exe, BVTFilter, TsLogonEvent.vbs, TsLogonFilter, RAevent.vbs, NTEventLogConsumer and KernCap.vbs (?)

Most of this tool’s artefacts reside in RAM. It also uses the WBEM protocol, which makes the connection tricky to eavesdrop on; where WinRM is not in play, network forensics is still an option.

✍🏻 CIM (Common Information Model) describes managed objects and the relationships between them.

📕 wmic /node:host /user:uname process call create "path\to\exe"

# Reconnaissance with WMI
📕 wmic useraccount list full
📕 wmic group list full
📕 wmic netuse list full
📕 wmic qfe get Caption, Description, HotFixID, InstalledOn
📕 wmic startup get Caption, Command, Location, User

# Escalation with WMI
# Show services that are set to autostart, have no quotes in the path and are NOT in the Windows folder
📕 wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Get the owners of the running processes in order to spot a high-privileged user
📕 $Owners = @{}
Get-WmiObject -Class Win32_Process | Where-Object { $_ } | ForEach-Object { $Owners[$_.Handle] = $_.GetOwner().User }

# Services whose binary path is neither empty nor quoted (with double or single quotes)
📕 $VulnerableServices = Get-WmiObject -Class Win32_Service | Where-Object { $_ } |
    Where-Object { ($_.PathName -ne $null) -and ($_.PathName.Trim() -ne "") } |
    Where-Object { -not $_.PathName.StartsWith('"') } |
    Where-Object { -not $_.PathName.StartsWith("'") }

# Lateral Movement
📕 wmic process call create "path\to\rundll32.exe path\to\dll,#ordinal"
# The alternative to wmic is good old PowerShell: Invoke-WmiMethod and Get-WmiObject
📕 Invoke-WmiMethod -ComputerName host -Class Win32_Process -Name Create -ArgumentList "better\be\a\good\argument.exe"

Look out for wmic.exe being invoked (on the source), along with scrcons.exe, mofcomp.exe, wmiprvse.exe and any custom names limited only to the attacker’s quirky whims (on the target).

Logs: 🛡️ Security, 🐉 Microsoft-Windows-WMI-Activity%4Operational (Win10+, enabled by default), 🐇 Sysmon (📑 Microsoft-Windows-Sysmon/Operational)

| 🏺 Artefact | 🚰 Source | 🎯 Target |
|---|---|---|
| 🪵 Event logs | 🛡️ 4648 (alternate creds) | 🛡️ 4624 type 3, 4672 (admin), 4688 (Sysmon and EDR can help track the processes created); 🐉 5857 (start or stop, path to provider DLL), 5860/5861 (temporary/permanent event consumer created), 5857-5861 (filter and consumer), 5858 (query error or insufficient permissions; host and uname), 5859 (find the corresponding filter); 🐇 1 (mof compiled), 20 (consumer added) |
| 🗄️ Registry | ShimCache, BAM/DAM, AmCache | ShimCache, AmCache |
| 📑 File system | Prefetch | Prefetch, .mof files, unauthorised changes to C:\Windows\System32\wbem\Repository |

✍️ Suspicious strings: ps1, eval, vbs, ActiveXObject (when the scrcons.exe process is running)
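An added example of my own (not the page's or the poster's code) that audits the persistence side of WMI: it walks the __FilterToConsumerBinding instances in root\subscription, resolves each binding's filter query and consumer payload, marks names that are not on the whitelist given above, marks payloads containing the suspicious strings just listed, and finishes with the 5861 entries from the WMI-Activity log. The whitelist is the page's; the extra "powershell" and "-enc" terms in the regex are mine.

```powershell
# Added example, not from the original page: permanent WMI subscription review.
# Whitelist names are the page's; regex additions beyond its ps1/eval/vbs/ActiveXObject are mine.
$whitelist = @('SCM Event Log', 'RmAssistEventFilter', 'WSCEAA.exe', 'BVTFilter', 'TsLogonEvent.vbs',
               'TsLogonFilter', 'RAevent.vbs', 'NTEventLogConsumer', 'KernCap.vbs')
$suspect   = '(?i)\.ps1|eval\(|\.vbs|ActiveXObject|powershell|-enc\b'
$ns        = 'root\subscription'

function Get-ConsumerPayload($c) {
    # The field that matters depends on the consumer class.
    switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { "script file: $($c.ScriptFileName)" } }
        'LogFileEventConsumer'      { "log file: $($c.Filename)" }
        'NTEventLogEventConsumer'   { "event log entry (source $($c.SourceName))" }
        'SMTPEventConsumer'         { "mail to $($c.ToLine)" }
        default                     { $c.__CLASS }
    }
}

function Get-RefName([string]$ref) {
    # Binding references look like __EventFilter.Name="Foo"; pull out Foo.
    if ($ref -match 'Name="([^"]*)"') { $Matches[1] } else { $ref }
}

$filters = @{}
foreach ($f in @(Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)) { if ($f) { $filters[$f.Name] = $f } }
$consumers = @{}
# Querying the base class returns every derived consumer type (CommandLine, ActiveScript, ...).
foreach ($c in @(Get-WmiObject -Namespace $ns -Class __EventConsumer -ErrorAction SilentlyContinue)) { if ($c) { $consumers[$c.Name] = $c } }

$report = foreach ($b in @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
    if (-not $b) { continue }
    $fn = Get-RefName $b.Filter
    $cn = Get-RefName $b.Consumer
    $f  = $filters[$fn]
    $c  = $consumers[$cn]
    $payload = if ($c) { Get-ConsumerPayload $c } else { '<consumer missing>' }
    $known   = [bool]($whitelist | Where-Object { $fn -like "*$_*" -or $cn -like "*$_*" })
    $flags = @()
    if (-not $known)               { $flags += 'not whitelisted' }
    if ($payload -match $suspect)  { $flags += 'suspicious string' }
    [pscustomobject]@{
        Filter   = $fn
        Query    = if ($f) { $f.Query } else { '<filter missing>' }
        Consumer = "$cn ($(if ($c) { $c.__CLASS } else { '?' }))"
        Payload  = $payload
        Flag     = ($flags -join ', ')
    }
}
$report | Format-Table -Wrap -AutoSize

"--- Microsoft-Windows-WMI-Activity/Operational EID 5861 (permanent consumer registered) ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $m = $_.Message -replace '\s+', ' '; $m.Substring(0, [Math]::Min(200, $m.Length)) } } |
    Format-Table -AutoSize
```

A binding whose filter or consumer is reported missing is worth a second look as well: a consumer can be deleted while its binding survives, or the other way round, and either leftover is a trace of something having been registered.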

PowerShell Remote

✍️ Close to SSH; the traffic is encrypted as well.

✍️ WSMan stands for “Web Services for Management”, Microsoft’s implementation of the WS-Management protocol: a standard SOAP-based, firewall-friendly protocol that lets hardware and operating systems from different vendors exchange management information across an IT infrastructure, so administrators can remotely manage the settings of any device that supports it (desktops, servers or embedded systems). In PowerShell, the WS-Management service is used by WinRM (Windows Remote Management) to provide remote management: Enter-PSSession starts an interactive session with a remote computer, Invoke-Command runs a command on one, and both ride on WinRM and WS-Management. Like any remote management tool, WinRM and WS-Management should be used securely; follow best practices for authentication and encryption.

📕 Enter-PSSession -ComputerName host -Credential uname
📕 Invoke-Command -ComputerName host -ScriptBlock { Start-Process \path\to\process }

🪵 Logs: 🛡️ Security, 🍌 Microsoft-Windows-PowerShell%4Operational, 🐒 Windows-PowerShell.evtx and 🐥 Microsoft-Windows-WinRM.

⚙️ Processes: powershell.exe (source, dest), wsmprovhost.exe (dest)

| 🏺 Artefact | 🚰 Source | 🎯 Target |
|---|---|---|
| 🪵 Event logs | 🛡️ 4648; 🐥 6 (WSMan session init: dhost, dIP, c_user, timestamp), 8, 15, 16, 33 (deinit); 🍌 40691, 40692 (record the local initiation of powershell.exe and the associated user account), 8193, 8194 (session created), 8197 (session closed) | 🛡️ 4624 type 3, 4672; 🍌 4103 and 4104 (script block logging, suspicious or all), 53504 (the authenticating user); 🐒 400/403 (start/end of remote session), 800 (contains partial script); 🐥 91 (session created), 168 (authenticating user) |
| 🗄️ Registry | ShimCache, BAM/DAM, AmCache | ShimCache; SOFTWARE (🔑 Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy set to Bypass or less permissive) |
| 📑 File system | Prefetch (will also show *.ps1 files accessed during the first 10 seconds); command history at C:\Users\uname\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Files moved, Prefetch, user profile |

❓ EID 4096 is referenced in the poster, but there is no information about it on the Internet.
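An added example, my own and not part of the original page, covering the PowerShell Remoting artefacts in the table: on the target it reassembles 4104 script blocks (long scripts are logged as several fragments sharing one ScriptBlockId, so a keyword search over single events misses text that straddles a boundary) and lists inbound WinRM 91 sessions; on either side it reads the ExecutionPolicy registry value and greps every profile's PSReadLine history for remoting cmdlets. It assumes admin rights for the event logs; the keyword regex is my own.

```powershell
# Added example, not from the original page: 4104 reassembly, WinRM 91 listing, ExecutionPolicy
# registry check and PSReadLine history grep. Assumptions: admin; keyword regex is my own.
$psLog    = 'Microsoft-Windows-PowerShell/Operational'
$winrmLog = 'Microsoft-Windows-WinRM/Operational'
$since    = (Get-Date).AddDays(-7)
$keywords = '(?i)Invoke-Expression|\bIEX\b|FromBase64String|DownloadString|-EncodedCommand|-enc\b'

function Get-EventDataMap([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record) {
    $m = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { if ($d.Name) { $m[$d.Name] = $d.'#text' } }
    return $m
}

# 1) 4104: group fragments by ScriptBlockId, order by MessageNumber, and note blocks with parts
#    missing (log rollover), since those are the ones a per-event search silently truncates.
$blocks = @{}
foreach ($e in @(Get-WinEvent -FilterHashtable @{ LogName = $psLog; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue)) {
    $d  = Get-EventDataMap $e
    $id = $d['ScriptBlockId']
    if (-not $id) { continue }
    if (-not $blocks.ContainsKey($id)) {
        $blocks[$id] = @{ Time = $e.TimeCreated; Path = $d['Path']; Total = [int]$d['MessageTotal']; Parts = @{} }
    }
    $blocks[$id].Parts[[int]$d['MessageNumber']] = $d['ScriptBlockText']
}
$scripts = foreach ($id in $blocks.Keys) {
    $b    = $blocks[$id]
    $text = ($b.Parts.Keys | Sort-Object | ForEach-Object { $b.Parts[$_] }) -join ''
    $flat = $text -replace '\s+', ' '
    [pscustomobject]@{
        Time = $b.Time; ScriptBlockId = $id; Path = $b.Path
        Complete = ($b.Parts.Count -eq $b.Total)
        Flagged  = [bool]($text -match $keywords)
        Preview  = $flat.Substring(0, [Math]::Min(80, $flat.Length))
    }
}
"--- 4104 script blocks matching keywords (Complete=False means fragments are missing) ---"
$scripts | Where-Object Flagged | Sort-Object Time | Format-Table Time, Complete, Path, Preview -AutoSize

# 2) WinRM 91: a shell was created on this host; UserId is the SID of the remote caller.
"--- inbound WinRM sessions (EID 91) ---"
Get-WinEvent -FilterHashtable @{ LogName = $winrmLog; Id = 91; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'User';    e = { try { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { "$($_.UserId)" } } },
        @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize

# 3) ExecutionPolicy as stored in the registry: the page's HKLM key plus the per-user copy.
"--- ExecutionPolicy ---"
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell"
    $pol = (Get-ItemProperty -Path $key -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy
    if ($pol) { "{0}: {1}{2}" -f $hive, $pol, $(if ($pol -in 'Bypass', 'Unrestricted') { '   <- permissive' } else { '' }) }
}

# 4) Source side: PSReadLine history of every profile, grepped for remoting cmdlets.
"--- remoting cmdlets in PSReadLine history ---"
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'Enter-PSSession|Invoke-Command|New-PSSession|-ComputerName' |
    Select-Object Path, LineNumber, Line | Format-Table -AutoSize
```

Note that PSReadLine only records interactive console input, so commands run through Invoke-Command on the source or through wsmprovhost.exe on the target never appear in ConsoleHost_history.txt; for those, the 4103/4104 entries on the target are the record.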

Registry

❗️ Requires authentication.

📕 reg add \\host\HKLM\some\reg\key /v data /t REG_SZ /d "path\to\whatever"

winrs

📕 winrs -r:host -u:user command_to_run

| 🏺 Artefact | 🚰 Source | 🎯 Target |
|---|---|---|
| 💭 RAM | | winrshost.exe |

References

https://share.ialab.dsu.edu/CAE_Workshops/2019/Incident%20Response/Supplementary%20Material/SANS_Poster_2018_Hunt_Evil_FINAL.pdf