Although it was not originally designed for this use, Cobalt Strike has become one of the most frequently used tools for lateral movements and it is not uncommon to observe traces of its use during digital forensic.
This article aims to analyze the different Cobalt Strike commands to find evidence that the tools could drop behind him. Several blogs have already explained how to detect Cobalt Strike, but for this analysis we choose to let the Windows log levels by default without activating special "Windows Audit Policies" and we used post-compromising tools to extract artifacts.
In this first part, we will focus on the Cobalt Strike built-in remote-exec
command and its different methods of remote code execution:
A second blogpost will focus on the persistent Cobalt Strike session using Beacon and the built-in jump
commands with different methods such as "psexec64", "winrm64" or "psexec_psh".
The aim here is to provide basic information on what kinds of logs and other artefacts could be generated from Cobalt Strike on a default Windows 10 host. To get a better context and understanding, we enabled Sysmon on the victim Workstation, so that we get a based line to compare with.
The tests have been done with Cobalt Strike version 4.4 with the default configuration without any kind of customization. It'is important to note that Cobalt Strike allow users to change various settings (pipes names, service name, default temporary process, etc.) to customize its footprint. Depending on Cobalt Strike settings used by the attackers, the events generated may be slightly different and detection rule may fail.
Each command has been executed twice to avoid false positive. This short analysis can be later on used as a reference to build rules to detect Cobalt Strike movements during a forensics incident response (without Sysmon or Audit Policies).
The Lab is composed of the following elements:
The different steps and tools used to extract and analyze the artifacts post compromise are:
By using DFIR_Orc and Plaso, we were able to process the most important artifacts:
*.evtx
), including PowerShell command history;A summary of the most important findings (excluding Sysmon events) is available on the timeline below:
Cobalt Strike Commands | Description |
---|---|
remote-exec winrm | [prefetch] Prefetch [WSMPROVHOST.EXE] was executed - run count 2 path hints: \WINDOWS\SYSTEM32\WSMPROVHOST.EXE hash: 0xEF06207C volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd} ] |
remote-exec winrm | [evtx/winrm/91] Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell' |
remote-exec winrm | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x0000000000483901) with '-' |
remote-exec winrm | [evtx/powershell/400] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is changed from 'None' to 'Available'. |
remote-exec winrm | [evtx/powershell/403] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is changed from 'Available' to 'Stopped'. |
remote-exec winrm | [evtx/powershell/600] the PowerShell provider 'Alias' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started. |
remote-exec winrm | [evtx/powershell/600] the PowerShell provider 'Environment' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started. |
remote-exec winrm | [evtx/powershell/600] the PowerShell provider 'FileSystem' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started. |
remote-exec winrm | [evtx/powershell/600] the PowerShell provider 'Function' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started. |
remote-exec winrm | [evtx/powershell/600] the PowerShell provider 'Registry' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started. |
remote-exec winrm | [evtx/powershell/600] the PowerShell provider 'Variable' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started. |
.... | |
remote-exec wmi | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-' |
remote-exec wmi | [evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable |
remote-exec wmi | [prefetch] Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd} ] |
.... | |
remote-exec psexec | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000005eda88) with '-' |
remote-exec psexec | [evtx/sys/scm/7045] service 'd8041e9' (notepad.exe) was installed by user 'LocalSystem' (type: user mode service, start: demand start) |
The Cobalt Strike remote-exec winrm
command allows the user to execute a command using WinRM on the remote host without creating a persistent session with a Beacon. For this example, the executed command is ipconfig
.
As explained earlier, System Monitor (Sysmon) was installed on the Windows 10 workstation to have reference events on which to base our analyses. We therefore first reviewed the events recorded by Sysmon to get a based line to compare with extracted artifacts. The Sysmon events below has been filtered to the most useful.
The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.
The process chain created by the remote-exec winrm
commands on the victim workstation is svchost.exe -> wsmprovhost.exe -> ipconfig.exe
.
Time | Description |
---|---|
14:24:01.884 | [evtx/sysmon/1] process created with command C:\Windows\system32\wsmprovhost.exe -Embedding (id 9040) by user 'CORP\alice' via C:\Windows\System32\svchost.exe (id 728) |
14:24:05.631 | [evtx/sysmon/1] process created with command "C:\Windows\system32\ipconfig.exe" (id 9384) by user 'CORP\alice' via C:\Windows\System32\wsmprovhost.exe (id 9040) |
14:24:05.653 | [evtx/sysmon/1] process created with command \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (id 8268) by user 'CORP\alice' via C:\Windows\System32\ipconfig.exe (id 9384) |
The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.
The execution of the remote-exec winrm
commands leads to the creation of 3 network connections made to the victim workstation on the port 5985. The ports 5985 (HTTP) and 5986 (HTTPS) are the default TCP ports used by WinRM:
Time | Description |
---|---|
14:24:04.015 | [evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54074) to host '-' (192.168.56.117:5985) (pid=4) |
14:24:05.430 | [evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54075) to host '-' (192.168.56.117:5985) (pid=4) |
14:24:06.461 | [evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54076) to host '-' (192.168.56.117:5985) (pid=4) |
The image loaded event logs when a module is loaded in a specific process. It indicates the process in which the module is loaded, hashes and signature information.
Without Sysmon installed on the victim workstation, it is hard to get the same information from other artifacts. Nevertheless, and this will be discussed later in the article, MFT provides similar evidence and this is why we have chosen to include these events.
Time | Description |
---|---|
14:24:01.896 | [evtx/sysmon/7] image C:\Windows\System32\wsmprovhost.exe loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user 'CORP\alice' |
14:24:01.976 | [evtx/sysmon/7] image C:\Windows\System32\WsmSvc.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user 'CORP\alice' |
14:24:02.023 | [evtx/sysmon/7] image C:\Windows\System32\wsmplpxy.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user 'CORP\alice' |
14:24:04.425 | [evtx/sysmon/7] image C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user 'CORP\alice' |
... | ... |
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
On the disk, two PowerShell scripts, generated by Microsoft, are created (__PSScriptPolicyTest_<random_number>.ps1
) to test against AppLocker. If the test file executes, then it assumed that AppLocker is disabled. Two Prefetch files for ipconfig
, and wsmprovhost.exe
binaries are also created, as well as a log file.
Time | Description |
---|---|
14:24:03.978 | [evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_3yycbqb2.1vu.psm1 with user 'CORP\alice' |
14:24:03.978 | [evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_jcfqwafa.032.ps1 with user 'CORP\alice' |
14:24:05.722 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\IPCONFIG.EXE-912F3D5B.pf with user 'NT AUTHORITY\SYSTEM' |
14:24:05.724 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf with user 'NT AUTHORITY\SYSTEM' |
14:24:06.872 | [evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wsmprovhost.exe.log with user 'CORP\alice' |
14:24:06.947 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf with user 'NT AUTHORITY\SYSTEM' |
Now that we have seen the events and other artifacts generated by the execution of the remote-exec winrm
commands, let's dwell on the evidence present natively on a Windows 10 system out of the box.
Without the audit policies enabled, there are not much events generated. However, in both tests, Windows recorded 5 successful logons (event ID 4624) with the logon type '3' (Network) from the compromised account "CORP.LOCAL\alice". If correlated, this behavior may help during the investigation to support a hypothesis.
Time | Description |
---|---|
14:24:01.836 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000483901): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:24:01.836 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x0000000000483901) with '-' |
14:24:03.395 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000485580): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:24:03.395 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x0000000000485580) with '-' |
14:24:05.436 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000487c94): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:24:05.436 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x0000000000487c94) with '-' |
14:24:06.843 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000487c94) from logon type=3 |
14:24:06.844 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891b0): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:24:06.844 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004891b0) with '-' |
14:24:06.868 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000485580) from logon type=3 |
14:24:06.869 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891fe): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:24:06.869 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004891fe) with '-' |
14:24:06.871 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891b0) from logon type=3 |
14:24:06.905 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891fe) from logon type=3 |
When executed, a successful remote WinRM connection will log an event ID 91 (Creating WSMan shell on servers) within the WinRM event log on the targeted host. Another good indicator to detect WinRM lateral movements is the event ID 6 on the source host:
Time | Description |
---|---|
14:24:02.586 | [evtx/winrm/91] Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell' |
Cobalt Strike WinRM cmdlets run over PowerShell script, so the PowerShell events ID 600, 400 and 403 are recorded and display the hosted application (C:\Windows\system32\wsmprovhost.exe -Embedding
).
time | Description |
---|---|
14:24:04.560 | [evtx/powershell/53504] Windows PowerShell has started an IPC listening thread on process: 9040 in AppDomain: 'DefaultAppDomain |
14:24:05.124 | [evtx/powershell/600] the PowerShell provider 'Environment' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started. |
14:24:05.124 | [evtx/powershell/600] the PowerShell provider 'Alias' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started. |
14:24:05.124 | [evtx/powershell/600] the PowerShell provider 'Registry' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started. |
14:24:05.186 | [evtx/powershell/600] the PowerShell provider 'Variable' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started. |
14:24:05.186 | [evtx/powershell/600] the PowerShell provider 'Function' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started. |
14:24:05.186 | [evtx/powershell/600] the PowerShell provider 'FileSystem' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started. |
14:24:05.249 | [evtx/powershell/400] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is changed from 'None' to 'Available'. |
14:24:06.827 | [evtx/powershell/403] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is changed from 'Available' to 'Stopped'. |
Prefetch files allow to recover the process chain created and find out that wsrmprovhost
has executed the ipconfig
programs.
Time | Description |
---|---|
14:24:01.877 | [prefetch] Prefetch [WSMPROVHOST.EXE] was executed - run count 2 path hints: \WINDOWS\SYSTEM32\WSMPROVHOST.EXE hash: 0xEF06207C volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
14:24:05.624 | [prefetch] Prefetch [IPCONFIG.EXE] was executed - run count 8 path hints: \WINDOWS\SYSTEM32\IPCONFIG.EXE hash: 0x912F3D5B volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
As with Sysmon which showed the creation of Prefetch files (event ID 11 - File Create), the USN journal gives a good overview of what’s happened, from the wsmprovhost.exe
execution to the final commands (ipconfig
) and the PowerShell execution.
Time | Description |
---|---|
14:24:03.968 | [fs/usnjrnl] file \Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_3yycbqb2.1vu.psm1 CLOSE/DATA_EXTEND/FILE_CREATE |
14:24:03.968 | [fs/usnjrnl] file \Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_jcfqwafa.032.ps1 CLOSE/DATA_EXTEND/FILE_CREATE |
14:24:04.249 | [fs/usnjrnl] file \Archive\6AB83620379FC69F80C0242105DDFFD7D98D5D9DD17FE0A3F47BE24A6453E9EF58C9464196AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF700000000000000000000000000000000.ps1 CLOSE/RENAME_NEW_NAME |
14:24:04.281 | [fs/usnjrnl] file \Archive\6AB83620379FC69F80C0242105DDFFD7D98D5D9DD17FE0A3F47BE24A6453E9EF58C9464196AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF700000000000000000000000000000000.psm1 CLOSE/RENAME_NEW_NAME |
14:24:05.718 | [fs/usnjrnl] file \Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION |
14:24:05.718 | [fs/usnjrnl] file \Windows\Prefetch\IPCONFIG.EXE-912F3D5B.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION |
14:24:06.843 | [fs/usnjrnl] file \Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wsmprovhost.exe.log CLOSE/DATA_EXTEND/FILE_CREATE |
14:24:06.938 | [fs/usnjrnl] file \Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf CLOSE/DATA_EXTEND/FILE_CREATE |
As we saw earlier with Sysmon (event ID 7 - Image Loaded), in that case the MFT can be used to get information on the image loaded by the wsmprovhost.exe
program. Indeed, the collection of evidence having been carried out very shortly after the execution, the DLLs accessed by the wsmprovhost.exe
program have not (yet) been accessed by other programs, and the timestamps present in the MFT coincide with the binary access.
Time | Description |
---|---|
14:24:01.859 | [fs/mft][.a..] file \Windows\SysWOW64\wsmprovhost.exe |
14:24:01.921 | [fs/mft][.a..] file \Windows\System32\WsmSvc.dll |
14:24:01.999 | [fs/mft][.a..] file \Windows\System32\wsmplpxy.dll |
14:24:04.201 | [fs/mft][.a..] file \Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll |
14:24:06.843 | [fs/mft][..c.] file wsmprovhost.exe.log |
14:24:06.938 | [fs/mft][.a..] file \Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf |
Reliable artifacts can lead us to the conclusion that WinRM has been used to execute remote commands using Cobalt Strike on the victim workstation:
C:\Windows\system32\wsmprovhost.exe -Embedding
;\Windows\SysWOW64\wsmprovhost.exe
binary, visible in the MFT, the USN journal or even the Prefetch files.These events can be accompanied by network authentication as we have seen with the logon type 3 of the user "CORP\alice", as well as other events related to actions performed using WinRM. In our case, the execution of the ipconfig.exe
command generated openings of TCP connections as well as the creation/modifications of the Prefetch files.
To make the detection rule query, for each span time of 15 seconds, we can:
wsmprovhost.exe
.host="*" index="*" parser=winevtx eid=91 OR (eid=400 AND host_application="*wsmprovhost.exe*")
| bin span=15s _time
| eventstats distinct_count(eid) as dis_count by _time
| where dis_count==2
| table _time eid report_desc dis_count
Both tests are displayed successfully by this requests:
| _time | report_desc | dis_count |
| 14:24:00 | **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\Windows\system32\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2 |
| 14:24:00 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell' | 2 |
| 14:26:00 | **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\Windows\system32\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2 |
| 14:26:00 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell' | 2 |
Another way to do it, is by using the Splunk transaction command. This command allow to find transaction that meet various constraints. In our example, the first event transaction must contains the event ID 91, the last event must contains the event ID 400 and the events in the transaction must span less than 5 seconds.
host="*" index="*" sourcetype="lexhunt_json" eid=91 OR (eid=400 AND host_application="*wsmprovhost.exe*")
| transaction parser startswith=eid=91 endswith=eid=400 maxspan=5s
| table _time report_desc duration
| sort _time
| _time | report_desc | duration |
| ---- | ----- | ------ |
| 14:24:02.586 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'. **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\\Windows\\system32\\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2.663 |
| 14:26:02.828 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'. **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\\Windows\\system32\\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 1.234 |
A Sigma rule already exists for this event (sigma/posh_pc_remote_powershell_session.yml at master · SigmaHQ/sigma).
sigma-cli >>> sigma convert -t splunk -p sysmon ../sigma/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
Parsing Sigma rules [####################################] 100%
HostName="ServerRemoteHost" HostApplication="*wsmprovhost.exe*"
The Cobalt Strike remote-exec wmi
command allows the user to execute a command using WMI on the remote host without creating a persistent session with a Beacon. For this test, the command executed is calc.exe
.
Just like in the case above, we start by observing what Sysmon logs so that we can later compare with extracted artifacts. The Sysmon events below have been filtered to the most useful.
The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.
The process chain created by the remote-exec wmi
commands is WmiPrvSE.exe -> <cmd>
. In both of our tests, the program OpenWith.exe
is also triggered a moment after by the parent process svchost.exe
.
Time | Description |
---|---|
14:28:02.523 | [evtx/sysmon/1] process created with command calc.exe (id 8180) by user 'CORP\alice' via C:\Windows\System32\wbem\WmiPrvSE.exe (id 10652) |
14:28:03.017 | [evtx/sysmon/1] process created with command C:\Windows\system32\OpenWith.exe -Embedding (id 8624) by user 'CORP\alice' via C:\Windows\System32\svchost.exe (id 728) |
The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.
By default, WMI uses a randomly selected dynamic port range for TCP between 49152 and 65535.
Time | Description |
---|---|
14:28:03.331 | [evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54136) to host '-' (192.168.56.117:135) (pid=832) |
14:28:03.332 | [evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54138) to host '-' (192.168.56.117:49799) (pid=1760) |
14:28:03.583 | [evtx/sysmon/3] tcp network connection from host '-' (192.168.56.117:49800) to host '-' (192.168.56.119:135) (pid=604) |
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
The only interesting files created on the file system are the Preftech files.
Time | Description |
---|---|
14:28:03.430 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\CALC.EXE-77FDF17F.pf with user 'NT AUTHORITY\SYSTEM' |
14:28:03.435 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\OPENWITH.EXE-5C93E816.pf with user 'NT AUTHORITY\SYSTEM' |
Without the audit policies enabled, there are not much events generated. However, in both tests, Windows recorded 4 short connections (event ID 4624) with the logon type '3' (Network) from the compromised account "CORP.LOCAL\alice". If correlated, this behavior may help during the investigation to support a hypothesis.
Time | Description |
---|---|
14:28:02.083 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d811f): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:28:02.084 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-' |
14:28:02.232 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8957): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:28:02.233 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d8957) with '-' |
14:28:02.244 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d89bb): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:28:02.248 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d89bb) with '-' |
14:28:02.481 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8bb6): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:28:02.481 | [evtx/sec/4624] user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x00000000004d8bb6) with '-' |
14:28:17.079 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d811f) from logon type=3 |
14:28:41.727 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8957) from logon type=3 |
14:28:41.728 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8bb6) from logon type=3 |
14:28:41.728 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d89bb) from logon type=3 |
Because WMI uses DCOM to handle remote calls, related events may be generated. In our case we get an error about the permission for the COM server with CLSID {3480A401-BDE9-4407-BC02-798A866AC051}
(ShellServiceHostBrokerProvider). This error may be specific to the labs, even if the configuration is almost by default.
time | Description |
---|---|
14:28:02.595 | [evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable |
14:28:03.342 | [evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable |
14:28:03.359 | [evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable |
The Prefetch, USNjrnl and MFT artifacts shows that the calc.exe
and openwith.exe
programs have been executed.
Time | Description |
---|---|
14:28:02.530 | [prefetch] Prefetch [CALC.EXE] was executed - run count 2 path hints: \WINDOWS\SYSTEM32\CALC.EXE hash: 0x77FDF17F volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
14:28:03.013 | [prefetch] Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] |
14:28:03.326 | [fs/mft][.a..] file \Windows\System32\en-US\OpenWith.exe.mui ($STANDARD_INFORMATION), MFT:46904-1, PARENT: |
14:28:03.373 | [fs/mft][...b] file \Windows\Prefetch\CALC.EXE-77FDF17F.pf ($STANDARD_INFORMATION), MFT:108924-1, PARENT: |
14:28:03.373 | [fs/mft][..c.] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2 |
14:28:03.373 | [fs/mft][m...] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2 |
14:28:03.373 | [fs/mft][...b] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2 |
14:28:03.373 | [fs/mft][.a..] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2 |
14:28:03.423 | [fs/usnjrnl] file \Windows\Prefetch\CALC.EXE-77FDF17F.pf FILE_CREATE |
14:28:03.434 | [fs/usnjrnl] file \Windows\Prefetch\OPENWITH.EXE-5C93E816.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION |
This is probably the hardest Cobalt Strike command to detect because not many events are generated. The most accurate artifacts to know that the command remote-exec wmi
has been executed are:
openwith.exe
observable among Prefetch files;To make the detection rule query, for each span time of 10 seconds, we can:
openwith.exe
We cannot reuse the previous query because Prefetch events has no field "eid". The first attempt was this query:
host="*" index="*" (parser=prefetch AND executable="OPENWITH.EXE") OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=10s _time
| eventstats count by _time
| where count>=5
| table _time parser report_desc count
| sort _time
But it generates multiple false positives because 5 events with eid 4624 may occur in 10 seconds without the needed Prefetch events:
| _time | parser | report_desc | count |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ae65c) with '-' | 5 |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ae638) with '-' | 5 |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ad37e) with '-' | 5 |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004acafc) with '-' | 5 |
| 14:26:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004abf4b) with '-' | 5 |
| 14:28:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] | 5 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x00000000004d8bb6) with '-' | 5 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d89bb) with '-' | 5 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d8957) with '-' | 5 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-' | 5 |
So, we need to count distinctly by parser as well:
host="*" index="*" (parser=prefetch AND executable="OPENWITH.EXE") OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=10s _time
| eventstats count by _time
| eventstats distinct_count(parser) as parser_dis_count by _time
| where parser_dis_count > 1 AND count >= 4
| table _time parser report_desc count parser_dis_count
| sort _time
The results:
| _time | parser | report_desc | count | parser_dis_count |
| 14:28:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] | 5 | 2 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x00000000004d8bb6) with '-' | 5 | 2 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d89bb) with '-' | 5 | 2 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d8957) with '-' | 5 | 2 |
| 14:28:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-' | 5 | 2 |
| 14:30:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}] | 5 | 2 |
| 14:30:00 | winevtx | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x0000000000598fa4) with '-' | 5 | 2 |
| 14:30:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598ee4) with '-' | 5 | 2 |
| 14:30:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598ed0) with '-' | 5 | 2 |
| 14:30:00 | winevtx | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598e96) with '-' | 5 | 2 |
Other rules can be created by adding the DCOM events.
The Cobalt Strike remote-exec psexec
command allows the user to execute a command using PsExec on the remote host without creating a persistent session with a Beacon. It creates and start a service remotely with random Service Name1 and then passed on command as Service File Name. For this test, the command executed is notepad.exe
.
One last time, as in the two previous cases, the Sysmon events are recorded in order to serve as elements of comparison with the other artifacts collected on the workstation. The Sysmon events below has been filtered to the most useful.
The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.
Cobalt Strike creates a service to run the arbitrary command with the SYSTEM rights so the process chain is services.exe -> notepad.exe
.
Time | Description |
---|---|
14:32:05.936 | [evtx/sysmon/1] process created with command notepad.exe (id 8516) by user 'NT AUTHORITY\SYSTEM' via C:\Windows\System32\services.exe (id 596) |
The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.
Two connections are recorded, one to the TCP port 135 and the second to a random TCP port.
Time | Description |
---|---|
14:32:06.749 | [evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54206) to host '-' (192.168.56.117:135) (pid=832) |
14:32:06.750 | [evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54207) to host '-' (192.168.56.117:49692) (pid=596) |
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
Because the process services.exe
is already running, only one Prefetch file is generated.
Time | Description |
---|---|
14:32:16.064 | [evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf with user 'NT AUTHORITY\SYSTEM' |
Registry key and value create and delete operations map to this event type.
Cobalt Strike creates a service to run the arbitrary command, so a registry key with a random name is created under HKLM\System\CurrentControlSet\Services\d8041e9
by the Services.exe
process and the ImagePath
is set to the arbitrary commands to execute.
Time | Description |
---|---|
14:32:05.923 | [evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\ErrorControl value to DWORD (0x00000000) |
14:32:05.923 | [evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\Start value to DWORD (0x00000003) |
14:32:05.923 | [evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\Type value to DWORD (0x00000010) |
14:32:05.925 | [evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\ObjectName value to LocalSystem |
14:32:05.925 | [evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\ImagePath value to notepad.exe |
Without the audit policies enabled, there are not much events generated. Only one successful logons (event ID 4624) is recorded, with the logon type '3' (Network) from the compromised account "CORP.LOCAL\alice". If correlate, this behavior may help during the investigation to support an hypothesis.
Time | Description |
---|---|
14:32:05.736 | [evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000005eda88): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege |
14:32:05.819 | [evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000005eda88) with '-' |
14:36:11.728 | [evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000005eda88) from logon type=3 |
In that particular case, the most useful Windows logs generated is the event ID 7045 (a service randomly named was installed by user 'LocalSystem'). In this case, we choose to run notpad.exe
, but it would be interesting to monitor services.exe
child process for malicious behavior like spawning system shells using cmd.exe
and powershell.exe
or some discovery behavior like whoami.exe
, systeminfo.exe
, net.exe
, etc.
Time | Description |
---|---|
14:32:05.920 | [evtx/sys/scm/7045] service 'd8041e9' (notepad.exe ) was installed by user 'LocalSystem' (type: user mode service, start: demand start) |
The Prefetch files shows only the binary called by services.exe
, and the only activity recorded by the USN journal is access to the Prefetch file.
Time | Description |
---|---|
14:32:05.950 | [prefetch] Prefetch [NOTEPAD.EXE] was executed - run count 4 path hints: \WINDOWS\SYSTEM32\NOTEPAD.EXE hash: 0xD8414F97 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd} ] |
14:32:16.061 | [fs/usnjrnl] file \Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION |
The use of remote-exec psexec
causes the installation of a randomly named service on the targeted host, which is particularly visible in the logs of the Service Control Manager: the 7045 event records the creation of the service as well as the name of the child process which is executed. Other artifacts may be correlated with the creation of this service, in particular the creation of Prefetch files associated with the child process, or the successful logon (event ID 4624) of the account used to create the malicious service.
In a forensics context, a simple query enumerating the services installed (Service Control Manager, event ID 7045) should be enough, the randomness of the service name and the child process visually identifying illegitimate services. However, you can also add to the query the successful logons (event ID 4624):
host="*" index="*" (parser=winevtx AND eid=7045) OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=1m _time
| eventstats distinct_count(eid) as dis_count by _time
| where dis_count==2
| table _time eid report_desc dis_count
| sort _time
| _time | eid | report_desc | dis_count |
| 14:32:00 | 7045 | **[evtx/sys/scm/7045]** service 'd8041e9' (notepad.exe) was installed by user 'LocalSystem' (type: user mode service, start: demand start) | 2 |
| 14:32:00 | 4624 | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000005eda88) with '-' | 2 |
Or you can select only the events where the service name is only 7 characters long:
host="*" index="blog" sourcetype="lexhunt_json" eid=7045
| eval service_name_len=len(service_name)
| where service_name_len==7
| table _time service_name
| sort _time
| _time | service_name |
| 14:32:05.920 | d8041e9 |
| 14:34:07.311 | 8f0c55c |
The hardest Cobalt Strike command to detect is probably the remote-exec wmi
because it does not create a service like remote-exec psexec
or use PowerShell like remote-exec winrm
. We can notice that each remote-exec
commands generated a specific number of successful logons to the victim (event id 4624). As a reminder, remote-exec
commands can be triggered detecting the following behavior:
remote-exec winrm
C:\Windows\system32\wsmprovhost.exe -Embedding
;\Windows\SysWOW64\wsmprovhost.exe
binary, visible in the MFT, the USN journal or even the Prefetch files;remote-exec wmi
openwith.exe
observable among Prefetch files;remote-exec psexec
To detect lateral movements more efficiently, we advise installing Sysmon with a custom configuration and/or to activate more audit policies.
References:
- Detecting CONTI Cobalt Strike Lateral Movement Techniques - Part 1 - CYB3RSN0RLAX
- Tool Analysis Result Sheet
- SigmaHQ/sigma: Generic Signature Format for SIEM Systems
- SigmaHQ/sigma-cli: The Sigma command line interface based on pySigma
- Detecting Lateral Movement via WinRM Using KQL - In.Security - Cyber Security Technical Services & Training
- Sysmon - Windows Sysinternals | Microsoft Docs