I see the Quiz is not easy for many, so let's look at particular events together and learn a little bit.
Let's try to think like an analysts! 1. "Medim" IL powershell.exe spawns "Medium" IL Wusa.exe, UAC is enabled on machine, so this is an expected behaviour:
1.1 As we know, Wusa.exe has "autoElevate" = TRUE in its manifest, that means it will be automatically elevated by UAC without consent prompt (except "AlwaysNotify" mode). So, svchost.exe spawns consent.exe:
1.2 The next part is very interesting. You say - powershell.exe spawns "High" IL wusa.exe. Of course it's not! The real parent of wusa is "System" IL svchost.exe which then replaces the parent process with powershell.exe (as initiator). Look at the event below:
1.3 And the last event we have in this magic attack - "Medium" IL powershell.exe spawns "High" IL cmd.exe. Is cmd.exe "autoelevated" binary? No, it's not. But how it is possible at all, where is the normal UAC events - consent.exe etc?
1.4 That's all events we have. There're no other events. And now, having all this information, think again and find the 1st answer, find the right technique used by an attacker. The rest should be easier😉
• • •
Missing some Tweet in this thread? You can try to
force a refresh
I've recently consulted one company about #NTLM-family protocols. They had various monitoring & hardening questions.
So, I decided to post some of their questions with the answers: 1. LM protocol is old and weak - how can we monitor its usage?
1. In general, you can monitor it using "Package Name" field of 4624/4625 events. But, keep in mind that LM is disabled by default starting with Win7/WS2008R2.
So, if you still have some old machines using it, LM is definitely not the biggest problem for you😵
2. Can we block NTLM protocols on our Firewall?
No. NTLM-family don't have default transport protocol, so there is no default associated ports with these protocols. Most common transports are SMB, HTTP and SMTP.
Other mechanisms exist for disabling them, see below.