- Introduction
- Approach
- Findings Summary
- Cobalt Strike remote-exec winrm
- 4.1. Sysmon Events
- 4.2. Findings
- 4.3. Conclusion
- 4.4. Detection Rule Example
- Cobalt Strike remote-exec wmi
- 5.1. Sysmon Events
- 5.2. Findings
- 5.3. Conclusion
- 5.4. Detection Rule Example
- Cobalt Strike remote-exec psexec
- 6.1. Sysmon Events
- 6.2. Findings
- 6.3. Conclusion
- 6.4. Detection Rule Example
- Part 1 – Conclusion
Introduction
Although it was not originally designed for this use, Cobalt Strike has become one of the most frequently used tools for lateral movements and it is not uncommon to observe traces of its use during digital forensic.
This article aims to analyze the different Cobalt Strike commands to find evidence that the tools could drop behind him. Several blogs have already explained how to detect Cobalt Strike, but for this analysis we choose to let the Windows log levels by default without activating special « Windows Audit Policies » and we used post-compromising tools to extract artifacts.
In this first part, we will focus on the Cobalt Strike built-in remote-exec command and its different methods of remote code execution:
A second blogpost will focus on the persistent Cobalt Strike session using Beacon and the built-in jump commands with different methods such as « psexec64 », « winrm64 » or « psexec_psh ».
Approach
The aim here is to provide basic information on what kinds of logs and other artefacts could be generated from Cobalt Strike on a default Windows 10 host. To get a better context and understanding, we enabled Sysmon on the victim Workstation, so that we get a based line to compare with.
The tests have been done with Cobalt Strike version 4.4 with the default configuration without any kind of customization. It’is important to note that Cobalt Strike allow users to change various settings (pipes names, service name, default temporary process, etc.) to customize its footprint. Depending on Cobalt Strike settings used by the attackers, the events generated may be slightly different and detection rule may fail.
Each command has been executed twice to avoid false positive. This short analysis can be later on used as a reference to build rules to detect Cobalt Strike movements during a forensics incident response (without Sysmon or Audit Policies).
The Lab is composed of the following elements:
- Windows 10 workstations with Sysmon installed;
- Windows Server 2016 Domain Controller.
The different steps and tools used to extract and analyze the artifacts post compromise are:
- Run DFIR_ORC to extract artifacts on the Windows 10 machine
- Run log2timeline/plaso combined with Logstash on the extracted data to build a clear timeline
- Analyze data using Splunk
By using DFIR_Orc and Plaso, we were able to process the most important artifacts:
- Event log (
*.evtx), including PowerShell command history; - Prefetch files;
- USNjrnl;
- MFT;
- User and System hives (userassist, appcompatcache, etc.).
Findings Summary
A summary of the most important findings (excluding Sysmon events) is available on the timeline below:
| Cobalt Strike Commands | Description |
|---|---|
| remote-exec winrm | [prefetch] Prefetch [WSMPROVHOST.EXE] was executed – run count 2 path hints: \WINDOWS\SYSTEM32\WSMPROVHOST.EXE hash: 0xEF06207C volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
| remote-exec winrm | [evtx/winrm/91] Creating WSMan shell on server with ResourceURI: ‘http://schemas.microsoft.com/powershell/Microsoft.PowerShell‘ |
| remote-exec winrm | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x0000000000483901) with ‘-‘ |
| remote-exec winrm | [evtx/powershell/400] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line ‘-‘ is changed from ‘None’ to ‘Available’. |
| remote-exec winrm | [evtx/powershell/403] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line ‘-‘ is changed from ‘Available’ to ‘Stopped’. |
| remote-exec winrm | [evtx/powershell/600] the PowerShell provider ‘Alias’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line ‘-‘ is Started. |
| remote-exec winrm | [evtx/powershell/600] the PowerShell provider ‘Environment’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line ‘-‘ is Started. |
| remote-exec winrm | [evtx/powershell/600] the PowerShell provider ‘FileSystem’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line ‘-‘ is Started. |
| remote-exec winrm | [evtx/powershell/600] the PowerShell provider ‘Function’ hosted by application ¨C12C with command line ‘-‘ is Started. |
| remote-exec winrm | [evtx/powershell/600] the PowerShell provider ‘Registry’ hosted by application ¨C13C with command line ‘-‘ is Started. |
| remote-exec winrm | [evtx/powershell/600] the PowerShell provider ‘Variable’ hosted by application ¨C14C with command line ‘-‘ is Started. |
| …. | |
| remote-exec wmi | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x00000000004d811f) with ‘-‘ |
| remote-exec wmi | [evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable |
| remote-exec wmi | [prefetch] Prefetch [OPENWITH.EXE] was executed – run count 3 path hints: ¨C15C hash: ¨C16C volume: 1 [serial number: ¨C17C device path: ¨C18C] |
| …. | |
| remote-exec psexec | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x00000000005eda88) with ‘-‘ |
| remote-exec psexec | [evtx/sys/scm/7045] service ‘d8041e9’ (notepad.exe) was installed by user ‘LocalSystem’ (type: user mode service, start: demand start) |
Cobalt Strike remote-exec winrm
The Cobalt Strike remote-exec winrm command allows the user to execute a command using WinRM on the remote host without creating a persistent session with a Beacon. For this example, the executed command is ipconfig.
Sysmon Events
As explained earlier, System Monitor (Sysmon) was installed on the Windows 10 workstation to have reference events on which to base our analyses. We therefore first reviewed the events recorded by Sysmon to get a based line to compare with extracted artifacts. The Sysmon events below has been filtered to the most useful.
Event ID 1 – Process Creation
The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.
The process chain created by the remote-exec winrm commands on the victim workstation is svchost.exe -> wsmprovhost.exe -> ipconfig.exe.
| Time | Description |
|---|---|
| 14:24:01.884 | [evtx/sysmon/1] process created with command C:\Windows\system32\wsmprovhost.exe -Embedding (id 9040) by user ‘CORP\alice’ via C:\Windows\System32\svchost.exe (id 728) |
| 14:24:05.631 | [evtx/sysmon/1] process created with command "C:\Windows\system32\ipconfig.exe" (id 9384) by user ‘CORP\alice’ via C:\Windows\System32\wsmprovhost.exe (id 9040) |
| 14:24:05.653 | [evtx/sysmon/1] process created with command \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (id 8268) by user ‘CORP\alice’ via C:\Windows\System32\ipconfig.exe (id 9384) |
Event ID 3 – Network Connection Detected
The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.
The execution of the remote-exec winrm commands leads to the creation of 3 network connections made to the victim workstation on the port 5985. The ports 5985 (HTTP) and 5986 (HTTPS) are the default TCP ports used by WinRM:
| Time | Description |
|---|---|
| 14:24:04.015 | [evtx/sysmon/3] tcp network connection from host ‘-‘ (192.168.56.119:54074) to host ‘-‘ (192.168.56.117:5985) (pid=4) |
| 14:24:05.430 | [evtx/sysmon/3] tcp network connection from host ‘-‘ (192.168.56.119:54075) to host ‘-‘ (192.168.56.117:5985) (pid=4) |
| 14:24:06.461 | [evtx/sysmon/3] tcp network connection from host ‘-‘ (192.168.56.119:54076) to host ‘-‘ (192.168.56.117:5985) (pid=4) |
Event ID 7 – Image Loaded
The image loaded event logs when a module is loaded in a specific process. It indicates the process in which the module is loaded, hashes and signature information.
Without Sysmon installed on the victim workstation, it is hard to get the same information from other artifacts. Nevertheless, and this will be discussed later in the article, MFT provides similar evidence and this is why we have chosen to include these events.
| Time | Description |
|---|---|
| 14:24:01.896 | [evtx/sysmon/7] image C:\Windows\System32\wsmprovhost.exe loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user ‘CORP\alice’ |
| 14:24:01.976 | [evtx/sysmon/7] image C:\Windows\System32\WsmSvc.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user ‘CORP\alice’ |
| 14:24:02.023 | [evtx/sysmon/7] image C:\Windows\System32\wsmplpxy.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user ‘CORP\alice’ |
| 14:24:04.425 | [evtx/sysmon/7] image C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user ‘CORP\alice’ |
| … | … |
Event ID 11 – File created
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
On the disk, two PowerShell scripts, generated by Microsoft, are created (__PSScriptPolicyTest_<random_number>.ps1) to test against AppLocker. If the test file executes, then it assumed that AppLocker is disabled. Two Prefetch files for ipconfig, and wsmprovhost.exe binaries are also created, as well as a log file.
| Time | Description |
|---|---|
| 14:24:03.978 | [evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_3yycbqb2.1vu.psm1 with user ‘CORP\alice’ |
| 14:24:03.978 | [evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_jcfqwafa.032.ps1 with user ‘CORP\alice’ |
| 14:24:05.722 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\IPCONFIG.EXE-912F3D5B.pf with user ‘NT AUTHORITY\SYSTEM’ |
| 14:24:05.724 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf with user ‘NT AUTHORITY\SYSTEM’ |
| 14:24:06.872 | [evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file ¨C50C with user ‘CORP\alice’ |
| 14:24:06.947 | [evtx/sysmon/11] process ¨C51C (pid=1860) created file ¨C52C with user ‘NT AUTHORITY\SYSTEM’ |
Findings
Now that we have seen the events and other artifacts generated by the execution of the remote-exec winrm commands, let’s dwell on the evidence present natively on a Windows 10 system out of the box.
Winevtx – Microsoft-Windows-Security-Auditing
Without the audit policies enabled, there are not much events generated. However, in both tests, Windows recorded 5 successful logons (event ID 4624) with the logon type ‘3’ (Network) from the compromised account « CORP.LOCAL\alice ». If correlated, this behavior may help during the investigation to support a hypothesis.
| Time | Description |
|---|---|
| 14:24:01.836 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000483901): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:24:01.836 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x0000000000483901) with ‘-‘ |
| 14:24:03.395 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000485580): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:24:03.395 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x0000000000485580) with ‘-‘ |
| 14:24:05.436 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000487c94): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:24:05.436 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x0000000000487c94) with ‘-‘ |
| 14:24:06.843 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000487c94) from logon type=3 |
| 14:24:06.844 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891b0): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:24:06.844 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x00000000004891b0) with ‘-‘ |
| 14:24:06.868 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000485580) from logon type=3 |
| 14:24:06.869 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891fe): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:24:06.869 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘-‘ (‘-‘) (logon_id=0x00000000004891fe) with ‘-‘ |
| 14:24:06.871 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891b0) from logon type=3 |
| 14:24:06.905 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891fe) from logon type=3 |
Winevtx – Microsoft Windows WinRM
When executed, a successful remote WinRM connection will log an event ID 91 (Creating WSMan shell on servers) within the WinRM event log on the targeted host. Another good indicator to detect WinRM lateral movements is the event ID 6 on the source host:
| Time | Description |
|---|---|
| 14:24:02.586 | [evtx/winrm/91] Creating WSMan shell on server with ResourceURI: ‘http://schemas.microsoft.com/powershell/Microsoft.PowerShell‘ |
Winevtx – Microsoft Windows Powershell
Cobalt Strike WinRM cmdlets run over PowerShell script, so the PowerShell events ID 600, 400 and 403 are recorded and display the hosted application (C:\Windows\system32\wsmprovhost.exe -Embedding).
| time | Description |
|---|---|
| 14:24:04.560 | [evtx/powershell/53504] Windows PowerShell has started an IPC listening thread on process: 9040 in AppDomain: ‘DefaultAppDomain |
| 14:24:05.124 | [evtx/powershell/600] the PowerShell provider ‘Environment’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line » is Started. |
| 14:24:05.124 | [evtx/powershell/600] the PowerShell provider ‘Alias’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line » is Started. |
| 14:24:05.124 | [evtx/powershell/600] the PowerShell provider ‘Registry’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line » is Started. |
| 14:24:05.186 | [evtx/powershell/600] the PowerShell provider ‘Variable’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line » is Started. |
| 14:24:05.186 | [evtx/powershell/600] the PowerShell provider ‘Function’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line » is Started. |
| 14:24:05.186 | [evtx/powershell/600] the PowerShell provider ‘FileSystem’ hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line » is Started. |
| 14:24:05.249 | [evtx/powershell/400] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line » is changed from ‘None’ to ‘Available’. |
| 14:24:06.827 | [evtx/powershell/403] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line » is changed from ‘Available’ to ‘Stopped’. |
Prefetch
Prefetch files allow to recover the process chain created and find out that wsrmprovhost has executed the ipconfig programs.
| Time | Description |
|---|---|
| 14:24:01.877 | [prefetch] Prefetch [WSMPROVHOST.EXE] was executed – run count 2 path hints: \WINDOWS\SYSTEM32\WSMPROVHOST.EXE hash: 0xEF06207C volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
| 14:24:05.624 | [prefetch] Prefetch [IPCONFIG.EXE] was executed – run count 8 path hints: \WINDOWS\SYSTEM32\IPCONFIG.EXE hash: 0x912F3D5B volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
USN journal
As with Sysmon which showed the creation of Prefetch files (event ID 11 – File Create), the USN journal gives a good overview of what’s happened, from the wsmprovhost.exe execution to the final commands (ipconfig) and the PowerShell execution.
| Time | Description |
|---|---|
| 14:24:03.968 | [fs/usnjrnl] file \Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_3yycbqb2.1vu.psm1 CLOSE/DATA_EXTEND/FILE_CREATE |
| 14:24:03.968 | [fs/usnjrnl] file \Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_jcfqwafa.032.ps1 CLOSE/DATA_EXTEND/FILE_CREATE |
| 14:24:04.249 | [fs/usnjrnl] file \Archive\6AB83620379FC69F80C0242105DDFFD7D98D5D9DD17FE0A3F47BE24A6453E9EF58C9464196AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF700000000000000000000000000000000.ps1 CLOSE/RENAME_NEW_NAME |
| 14:24:04.281 | [fs/usnjrnl] file \Archive\6AB83620379FC69F80C0242105DDFFD7D98D5D9DD17FE0A3F47BE24A6453E9EF58C9464196AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF700000000000000000000000000000000.psm1 CLOSE/RENAME_NEW_NAME |
| 14:24:05.718 | [fs/usnjrnl] file \Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION |
| 14:24:05.718 | [fs/usnjrnl] file \Windows\Prefetch\IPCONFIG.EXE-912F3D5B.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION |
| 14:24:06.843 | [fs/usnjrnl] file \Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wsmprovhost.exe.log CLOSE/DATA_EXTEND/FILE_CREATE |
| 14:24:06.938 | [fs/usnjrnl] file \Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf CLOSE/DATA_EXTEND/FILE_CREATE |
MFT
As we saw earlier with Sysmon (event ID 7 – Image Loaded), in that case the MFT can be used to get information on the image loaded by the wsmprovhost.exe program. Indeed, the collection of evidence having been carried out very shortly after the execution, the DLLs accessed by the wsmprovhost.exe program have not (yet) been accessed by other programs, and the timestamps present in the MFT coincide with the binary access.
| Time | Description |
|---|---|
| 14:24:01.859 | [fs/mft][.a..] file \Windows\SysWOW64\wsmprovhost.exe |
| 14:24:01.921 | [fs/mft][.a..] file \Windows\System32\WsmSvc.dll |
| 14:24:01.999 | [fs/mft][.a..] file \Windows\System32\wsmplpxy.dll |
| 14:24:04.201 | [fs/mft][.a..] file \Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll |
| 14:24:06.843 | [fs/mft][..c.] file wsmprovhost.exe.log |
| 14:24:06.938 | [fs/mft][.a..] file \Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf |
Conclusion
Reliable artifacts can lead us to the conclusion that WinRM has been used to execute remote commands using Cobalt Strike on the victim workstation:
- A PowerShell execution (Microsoft Windows Powershell, event ID 600, 400, 403) host by the application
C:\Windows\system32\wsmprovhost.exe -Embedding; - A WinRM connection received (Microsoft Windows WinRM, event ID 91);
- Execution traces of the
\Windows\SysWOW64\wsmprovhost.exebinary, visible in the MFT, the USN journal or even the Prefetch files.
These events can be accompanied by network authentication as we have seen with the logon type 3 of the user « CORP\alice », as well as other events related to actions performed using WinRM. In our case, the execution of the ipconfig.exe command generated openings of TCP connections as well as the creation/modifications of the Prefetch files.
Detection Rule Example
Splunk queries
To make the detection rule query, for each span time of 15 seconds, we can:
- Search for the events ID 91 and event ID 400 where the PowerShell host application name contains the strings
wsmprovhost.exe. - Count distinctly the number of event ID (this avoid to trigger the rule if two events with the same « eid » occur).
host="*" index="*" parser=winevtx eid=91 OR (eid=400 AND host_application="*wsmprovhost.exe*")
| bin span=15s _time
| eventstats distinct_count(eid) as dis_count by _time
| where dis_count==2
| table _time eid report_desc dis_count
Both tests are displayed successfully by this requests:
| _time | report_desc | dis_count |
| 14:24:00 | **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\Windows\system32\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2 |
| 14:24:00 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell' | 2 |
| 14:26:00 | **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\Windows\system32\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2 |
| 14:26:00 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell' | 2 |
Another way to do it, is by using the Splunk transaction command. This command allow to find transaction that meet various constraints. In our example, the first event transaction must contains the event ID 91, the last event must contains the event ID 400 and the events in the transaction must span less than 5 seconds.
host="*" index="*" sourcetype="lexhunt_json" eid=91 OR (eid=400 AND host_application="*wsmprovhost.exe*")
| transaction parser startswith=eid=91 endswith=eid=400 maxspan=5s
| table _time report_desc duration
| sort _time
| _time | report_desc | duration |
| ---- | ----- | ------ |
| 14:24:02.586 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'. **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\\Windows\\system32\\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2.663 |
| 14:26:02.828 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'. **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\\Windows\\system32\\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 1.234 |
Sigma rules
A Sigma rule already exists for this event (sigma/posh_pc_remote_powershell_session.yml at master · SigmaHQ/sigma).
sigma-cli >>> sigma convert -t splunk -p sysmon ../sigma/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
Parsing Sigma rules [####################################] 100%
HostName="ServerRemoteHost" HostApplication="*wsmprovhost.exe*"
Cobalt Strike remote-exec wmi
The Cobalt Strike remote-exec wmi command allows the user to execute a command using WMI on the remote host without creating a persistent session with a Beacon. For this test, the command executed is calc.exe.
Sysmon Events
Just like in the case above, we start by observing what Sysmon logs so that we can later compare with extracted artifacts. The Sysmon events below have been filtered to the most useful.
Event ID 1 – Process Create
The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.
The process chain created by the remote-exec wmi commands is WmiPrvSE.exe -> <cmd>. In both of our tests, the program OpenWith.exe is also triggered a moment after by the parent process svchost.exe.
| Time | Description |
|---|---|
| 14:28:02.523 | [evtx/sysmon/1] process created with command calc.exe (id 8180) by user ‘CORP\alice’ via C:\Windows\System32\wbem\WmiPrvSE.exe (id 10652) |
| 14:28:03.017 | [evtx/sysmon/1] process created with command C:\Windows\system32\OpenWith.exe -Embedding (id 8624) by user ‘CORP\alice’ via C:\Windows\System32\svchost.exe (id 728) |
Event ID 3 – Network Connection Detected
The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.
By default, WMI uses a randomly selected dynamic port range for TCP between 49152 and 65535.
| Time | Description |
|---|---|
| 14:28:03.331 | [evtx/sysmon/3] tcp network connection from host ‘-‘ (192.168.56.119:54136) to host ‘-‘ (192.168.56.117:135) (pid=832) |
| 14:28:03.332 | [evtx/sysmon/3] tcp network connection from host ‘-‘ (192.168.56.119:54138) to host ‘-‘ (192.168.56.117:49799) (pid=1760) |
| 14:28:03.583 | [evtx/sysmon/3] tcp network connection from host ‘-‘ (192.168.56.117:49800) to host ‘-‘ (192.168.56.119:135) (pid=604) |
Event ID 11 – File Create
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
The only interesting files created on the file system are the Preftech files.
| Time | Description |
|---|---|
| 14:28:03.430 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\CALC.EXE-77FDF17F.pf with user ‘NT AUTHORITY\SYSTEM’ |
| 14:28:03.435 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\OPENWITH.EXE-5C93E816.pf with user ‘NT AUTHORITY\SYSTEM’ |
Findings
Winevtx – Microsoft-Windows-Security-Auditing
Without the audit policies enabled, there are not much events generated. However, in both tests, Windows recorded 4 short connections (event ID 4624) with the logon type ‘3’ (Network) from the compromised account « CORP.LOCAL\alice ». If correlated, this behavior may help during the investigation to support a hypothesis.
| Time | Description |
|---|---|
| 14:28:02.083 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d811f): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:28:02.084 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x00000000004d811f) with ‘-‘ |
| 14:28:02.232 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8957): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:28:02.233 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x00000000004d8957) with ‘-‘ |
| 14:28:02.244 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d89bb): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:28:02.248 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x00000000004d89bb) with ‘-‘ |
| 14:28:02.481 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8bb6): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:28:02.481 | [evtx/sec/4624] user ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘DC01’) (logon_id=0x00000000004d8bb6) with ‘-‘ |
| 14:28:17.079 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d811f) from logon type=3 |
| 14:28:41.727 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8957) from logon type=3 |
| 14:28:41.728 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8bb6) from logon type=3 |
| 14:28:41.728 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d89bb) from logon type=3 |
Winevtx – DCOM
Because WMI uses DCOM to handle remote calls, related events may be generated. In our case we get an error about the permission for the COM server with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} (ShellServiceHostBrokerProvider). This error may be specific to the labs, even if the configuration is almost by default.
| time | Description |
|---|---|
| 14:28:02.595 | [evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable |
| 14:28:03.342 | [evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable |
| 14:28:03.359 | [evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable |
Prefetch files, USNjrnl and MFT
The Prefetch, USNjrnl and MFT artifacts shows that the calc.exe and openwith.exe programs have been executed.
| Time | Description |
|---|---|
| 14:28:02.530 | [prefetch] Prefetch [CALC.EXE] was executed – run count 2 path hints: \WINDOWS\SYSTEM32\CALC.EXE hash: 0x77FDF17F volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
| 14:28:03.013 | [prefetch] Prefetch [OPENWITH.EXE] was executed – run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
| 14:28:03.326 | [fs/mft][.a..] file \Windows\System32\en-US\OpenWith.exe.mui ($STANDARD_INFORMATION), MFT:46904-1, PARENT: |
| 14:28:03.373 | [fs/mft][…b] file \Windows\Prefetch\CALC.EXE-77FDF17F.pf ($STANDARD_INFORMATION), MFT:108924-1, PARENT: |
| 14:28:03.373 | [fs/mft][..c.] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2 |
| 14:28:03.373 | [fs/mft][m…] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2 |
| 14:28:03.373 | [fs/mft][…b] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2 |
| 14:28:03.373 | [fs/mft][.a..] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2 |
| 14:28:03.423 | [fs/usnjrnl] file \Windows\Prefetch\CALC.EXE-77FDF17F.pf FILE_CREATE |
| 14:28:03.434 | [fs/usnjrnl] file ¨C119C CLOSE/DATA_EXTEND/DATA_TRUNCATION |
Conclusion
This is probably the hardest Cobalt Strike command to detect because not many events are generated. The most accurate artifacts to know that the command remote-exec wmi has been executed are:
- The
openwith.exeobservable among Prefetch files; - Many short successful logons (Microsoft Windows Security Auditing, event ID 4624) with logon type ‘3’ (Network);
- Some DCOM events, such as warnings (DCOM, event ID 10016).
Detection Rule Example
Splunk queries
To make the detection rule query, for each span time of 10 seconds, we can:
- Search 1 event where the Prefetch executable name is
openwith.exe - Search 4 logon connection (with logon type 3).
We cannot reuse the previous query because Prefetch events has no field « eid ». The first attempt was this query:
host="*" index="*" (parser=prefetch AND executable="OPENWITH.EXE") OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=10s _time
| eventstats count by _time
| where count>=5
| table _time parser report_desc count
| sort _time
But it generates multiple false positives because 5 events with eid 4624 may occur in 10 seconds without the needed Prefetch events:
| _time | parser | report_desc | count |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ae65c) with '-' | 5 |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ae638) with '-' | 5 |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ad37e) with '-' | 5 |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004acafc) with '-' | 5 |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004abf4b) with '-' | 5 |
| 14:28:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] | 5 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x00000000004d8bb6) with '-' | 5 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d89bb) with '-' | 5 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d8957) with '-' | 5 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-' | 5 |
So, we need to count distinctly by parser as well:
host="*" index="*" (parser=prefetch AND executable="OPENWITH.EXE") OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=10s _time
| eventstats count by _time
| eventstats distinct_count(parser) as parser_dis_count by _time
| where parser_dis_count > 1 AND count >= 4
| table _time parser report_desc count parser_dis_count
| sort _time
The results:
| _time | parser | report_desc | count | parser_dis_count |
| 14:28:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] | 5 | 2 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x00000000004d8bb6) with '-' | 5 | 2 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d89bb) with '-' | 5 | 2 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d8957) with '-' | 5 | 2 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-' | 5 | 2 |
| 14:30:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] | 5 | 2 |
| 14:30:00 | winevtx | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x0000000000598fa4) with '-' | 5 | 2 |
| 14:30:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598ee4) with '-' | 5 | 2 |
| 14:30:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598ed0) with '-' | 5 | 2 |
| 14:30:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598e96) with '-' | 5 | 2 |
Other rules can be created by adding the DCOM events.
Cobalt Strike remote-exec psexec
The Cobalt Strike remote-exec psexec command allows the user to execute a command using PsExec on the remote host without creating a persistent session with a Beacon. It creates and start a service remotely with random Service Name1 and then passed on command as Service File Name. For this test, the command executed is notepad.exe.
Sysmon Events
One last time, as in the two previous cases, the Sysmon events are recorded in order to serve as elements of comparison with the other artifacts collected on the workstation. The Sysmon events below has been filtered to the most useful.
Event ID 1 – Process Creation
The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.
Cobalt Strike creates a service to run the arbitrary command with the SYSTEM rights so the process chain is services.exe -> notepad.exe.
| Time | Description |
|---|---|
| 14:32:05.936 | [evtx/sysmon/1] process created with command notepad.exe (id 8516) by user ‘NT AUTHORITY\SYSTEM’ via C:\Windows\System32\services.exe (id 596) |
Event ID 3 – Network Connection Detected
The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.
Two connections are recorded, one to the TCP port 135 and the second to a random TCP port.
| Time | Description |
|---|---|
| 14:32:06.749 | [evtx/sysmon/3] tcp network connection from host ‘-‘ (192.168.56.119:54206) to host ‘-‘ (192.168.56.117:135) (pid=832) |
| 14:32:06.750 | [evtx/sysmon/3] tcp network connection from host ‘-‘ (192.168.56.119:54207) to host ‘-‘ (192.168.56.117:49692) (pid=596) |
Event ID 11 – File Create
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
Because the process services.exe is already running, only one Prefetch file is generated.
| Time | Description |
|---|---|
| 14:32:16.064 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf with user ‘NT AUTHORITY\SYSTEM’ |
Event ID 13 – Registry Value Set
Registry key and value create and delete operations map to this event type.
Cobalt Strike creates a service to run the arbitrary command, so a registry key with a random name is created under HKLM\System\CurrentControlSet\Services\d8041e9 by the Services.exe process and the ImagePath is set to the arbitrary commands to execute.
| Time | Description |
|---|---|
| 14:32:05.923 | [evtx/sysmon/13] registry event : user ‘NT AUTHORITY\SYSTEM’ process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\ErrorControl value to DWORD (0x00000000) |
| 14:32:05.923 | [evtx/sysmon/13] registry event : user ‘NT AUTHORITY\SYSTEM’ process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\Start value to DWORD (0x00000003) |
| 14:32:05.923 | [evtx/sysmon/13] registry event : user ‘NT AUTHORITY\SYSTEM’ process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\Type value to DWORD (0x00000010) |
| 14:32:05.925 | [evtx/sysmon/13] registry event : user ‘NT AUTHORITY\SYSTEM’ process ¨C147C (pid 596) has set ¨C148C value to ¨C149C |
| 14:32:05.925 | [evtx/sysmon/13] registry event : user ‘NT AUTHORITY\SYSTEM’ process ¨C150C (pid 596) has set ¨C151C value to ¨C152C |
Findings
Winevtx – Microsoft Windows Security Auditing
Without the audit policies enabled, there are not much events generated. Only one successful logons (event ID 4624) is recorded, with the logon type ‘3’ (Network) from the compromised account « CORP.LOCAL\alice ». If correlate, this behavior may help during the investigation to support an hypothesis.
| Time | Description |
|---|---|
| 14:32:05.736 | [evtx/sec/4672] special privileges assigned to ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000005eda88): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
| 14:32:05.819 | [evtx/sec/4624] user ‘CORP.LOCAL\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from ‘192.168.56.119’ (‘-‘) (logon_id=0x00000000005eda88) with ‘-‘ |
| 14:36:11.728 | [evtx/sec/4634] user logged off ‘CORP\alice’ (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000005eda88) from logon type=3 |
Winevtx – Service Control Manager
In that particular case, the most useful Windows logs generated is the event ID 7045 (a service randomly named was installed by user ‘LocalSystem’). In this case, we choose to run notpad.exe, but it would be interesting to monitor services.exe child process for malicious behavior like spawning system shells using cmd.exe and powershell.exe or some discovery behavior like whoami.exe, systeminfo.exe, net.exe, etc.
| Time | Description |
|---|---|
| 14:32:05.920 | [evtx/sys/scm/7045] service ‘d8041e9’ (notepad.exe) was installed by user ‘LocalSystem’ (type: user mode service, start: demand start) |
Prefetch and USNjrnl
The Prefetch files shows only the binary called by services.exe, and the only activity recorded by the USN journal is access to the Prefetch file.
| Time | Description |
|---|---|
| 14:32:05.950 | [prefetch] Prefetch [NOTEPAD.EXE] was executed – run count 4 path hints: \WINDOWS\SYSTEM32\NOTEPAD.EXE hash: 0xD8414F97 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
| 14:32:16.061 | [fs/usnjrnl] file \Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION |
Conclusion
The use of remote-exec psexec causes the installation of a randomly named service on the targeted host, which is particularly visible in the logs of the Service Control Manager: the 7045 event records the creation of the service as well as the name of the child process which is executed. Other artifacts may be correlated with the creation of this service, in particular the creation of Prefetch files associated with the child process, or the successful logon (event ID 4624) of the account used to create the malicious service.
Detection Rule Example
Splunk queries
In a forensics context, a simple query enumerating the services installed (Service Control Manager, event ID 7045) should be enough, the randomness of the service name and the child process visually identifying illegitimate services. However, you can also add to the query the successful logons (event ID 4624):
host="*" index="*" (parser=winevtx AND eid=7045) OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=1m _time
| eventstats distinct_count(eid) as dis_count by _time
| where dis_count==2
| table _time eid report_desc dis_count
| sort _time
| _time | eid | report_desc | dis_count |
| 14:32:00 | 7045 | **[evtx/sys/scm/7045]** service 'd8041e9' (notepad.exe) was installed by user 'LocalSystem' (type: user mode service, start: demand start) | 2 |
| 14:32:00 | 4624 | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000005eda88) with '-' | 2 |
Or you can select only the events where the service name is only 7 characters long:
host="*" index="blog" sourcetype="lexhunt_json" eid=7045
| eval service_name_len=len(service_name)
| where service_name_len==7
| table _time service_name
| sort _time
| _time | service_name |
| 14:32:05.920 | d8041e9 |
| 14:34:07.311 | 8f0c55c |
Part 1 – Conclusion
The hardest Cobalt Strike command to detect is probably the remote-exec wmi because it does not create a service like remote-exec psexec or use PowerShell like remote-exec winrm. We can notice that each remote-exec commands generated a specific number of successful logons to the victim (event id 4624). As a reminder, remote-exec commands can be triggered detecting the following behavior:
remote-exec winrm- A PowerShell execution (Microsoft Windows Powershell, event ID 600, 400, 403) host by the application
C:\Windows\system32\wsmprovhost.exe -Embedding; - A WinRM connection received (Microsoft Windows WinRM, event ID 91);
- Execution traces of the
\Windows\SysWOW64\wsmprovhost.exebinary, visible in the MFT, the USN journal or even the Prefetch files; - Many successful logons (Microsoft Windows Security Auditing, event ID 4624) with logon type ‘3’ (Network).
remote-exec wmi- The
openwith.exeobservable among Prefetch files; - Many short successful logons (Microsoft Windows Security Auditing, event ID 4624) with logon type ‘3’ (Network);
- Some DCOM events, such as warnings (DCOM, event ID 10016).
remote-exec psexec- The installation of a randomly named service (Service Control Manager, event ID 7045) running suspicious binaries;
- One successful logon (Microsoft Windows Security Auditing, event ID 4624) with logon type ‘3’ (Network).
To detect lateral movements more efficiently, we advise installing Sysmon with a custom configuration and/or to activate more audit policies.
References:
- Detecting CONTI Cobalt Strike Lateral Movement Techniques – Part 1 – CYB3RSN0RLAX
- Tool Analysis Result Sheet
- SigmaHQ/sigma: Generic Signature Format for SIEM Systems
- SigmaHQ/sigma-cli: The Sigma command line interface based on pySigma
- Detecting Lateral Movement via WinRM Using KQL – In.Security – Cyber Security Technical Services & Training
- Sysmon – Windows Sysinternals | Microsoft Docs
- By default the command elevate svc-exe, jump psexec, jump psexec64, jump psexec_psh and remote-exec psexec use a service name that consists of random letters and numbers. The Cobalt Strike Aggressor Script PSEXEC_SERVICE hook allows you to change this behavior. ↩
