Thanks to everyone for participating in the 5th detection Quiz!
I'd like to mention @Cyb3rSn0rlax @Antonlovesdnb and @atn1ght1 - great answers, folks👏
I'm starting to post the answers. If you want to participate, don't look at the answers and go straight to the tweet below:
1. The detailed event sequence was published here:
1. Looking at the event sequence we see that "Medium" IL powershell.exe spawns "Medium" IL wusa.exe, then consent.exe starts and a "High" IL wusa.exe appears. Finally the strangest event of all: the "Medium" IL powershell.exe starts a "High" IL cmd.exe🤔 What's happening here?
1. Many of you spotted consent.exe and guessed that the activity is connected with a UAC bypass. Yes, you were right. Next, what do we know about wusa.exe? Its embedded manifest has autoElevate set to true, so UAC elevates it without a consent prompt under the default UAC setting, and that is why it is often abused in various UAC bypass techniques.
1. There are currently about 70 UAC bypasses; you can find them here (for example):
github.com/hfiref0x/UACME
You may ask: how do we find the one used in the quiz?
1. The event sequence was specially prepared for you to rule out other possible bypasses. So we have powershell + wusa + some tricky UAC bypass which led to a "High" IL process being created by a "Medium" IL parent. It turns out only the "Token Manipulations" bypass generates such events.
1. The purpose of spawning wusa.exe was to duplicate its "High" IL access token (DuplicateTokenEx), lower the copy to "Medium" IL (NtSetInformationToken with TokenIntegrityLevel), derive a LUA-filtered token from it (NtFilterToken), impersonate it (ImpersonateLoggedOnUser) and finally spawn the new "High" IL process under that impersonation context (CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY in the PoC).
1. The technique is also known as "Token Magic"; you can find the PowerShell script I used here:
gist.github.com/Cr4sh/f1bebaa4…
2. Considering the 1st answer, we should map our activity to these @MITREattack techniques:
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - Access Token Manipulation: Create Process with Token
and as PowerShell was used:
T1059.001 - Command and Scripting Interpreter: PowerShell
3. As I've already said, the tool was UAC-TokenMagic:
gist.github.com/Cr4sh/f1bebaa4…
4.1 Monitor PowerShell script block logging, EID 4104 (Microsoft-Windows-PowerShell/Operational): all this token manipulation stuff will be there, logged at Warning level, because API names such as DuplicateTokenEx and ImpersonateLoggedOnUser are on PowerShell's built-in suspicious-content list and get recorded even if script block logging is not explicitly enabled. The technique is easily detectable when PowerShell is used.
4.2 And what if an attacker used a PE binary instead of PowerShell?
First, if you have EDR, you can look in user mode for the API calls specific to this attack (DuplicateTokenEx, NtSetInformationToken, NtFilterToken, ImpersonateLoggedOnUser in that order, from a "Medium" IL process).
Second, again EDR, because there is no "parent process IL" field in EID 4688 nor in Sysmon EID 1, unfortunately☹️ Both only carry the child's integrity level (Mandatory Label / IntegrityLevel), so in a SIEM the parent's IL has to be recovered by joining the child event to the parent's own process creation event (Creator Process ID / ParentProcessGuid).
4.3 Look for "High" IL powershell/cmd/LOLBins/cscript/wscript process creation by a "Medium" IL parent powershell/cmd/script host. This pattern works, I've checked it in real envs, but you need to profile your particular env to eliminate possible FPs.
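Added example (mine, not code from the thread or from the UAC-TokenMagic gist): the two detection ideas above run over constructed Sysmon EID 1 and PowerShell EID 4104 samples. It assumes Sysmon field names (ProcessGuid, ParentProcessGuid, Image, IntegrityLevel) and recovers the parent IL by joining the child's ParentProcessGuid to the parent's own EID 1 record, since neither EID 4688 nor Sysmon EID 1 logs a parent IL. All GUIDs, timestamps and script text are made up for illustration.

```python
"""Added example, not code from the thread or from UAC-TokenMagic.

1. Sysmon EID 1 records the child's IntegrityLevel but not the parent's, so the
   parent IL is recovered by joining the child's ParentProcessGuid to the parent's
   own EID 1 record. A "High" IL child spawned by a "Medium"/"Low" IL parent, where
   both images are on a scripting/LOLBin watchlist, is flagged. Auto-elevating
   binaries such as wusa.exe are deliberately kept off the child watchlist: a High
   wusa.exe under a Medium parent is what normal UAC auto-elevation looks like.
2. PowerShell EID 4104 ScriptBlockText is scored against the token API names the
   thread lists; three or more in one block is treated as Token-Magic-like.

GUIDs, timestamps and script text below are constructed, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

SYS32 = r"C:\Windows\System32"
POWERSHELL = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"


def ev(t, guid, image, il, pguid, pimage):
    """Build a minimal Sysmon EID 1 record (field names as Sysmon logs them)."""
    return {"UtcTime": t, "ProcessGuid": guid, "Image": image, "IntegrityLevel": il,
            "ParentProcessGuid": pguid, "ParentImage": pimage}


# Constructed sequence mirroring the quiz: consent.exe appears, a High wusa.exe is
# re-parented to powershell.exe by the AppInfo service, then a High cmd.exe appears
# under the same Medium powershell.exe. {H} has a parent that never logged an EID 1.
SYSMON_EID1 = [
    ev("10:00:01", "{A}", r"C:\Windows\explorer.exe", "Medium", "{ROOT}", SYS32 + r"\userinit.exe"),
    ev("10:00:05", "{B}", POWERSHELL, "Medium", "{A}", r"C:\Windows\explorer.exe"),
    ev("10:00:09", "{C}", SYS32 + r"\wusa.exe", "Medium", "{B}", POWERSHELL),
    ev("10:00:10", "{D}", SYS32 + r"\consent.exe", "System", "{SVC}", SYS32 + r"\svchost.exe"),
    ev("10:00:11", "{E}", SYS32 + r"\wusa.exe", "High", "{B}", POWERSHELL),   # expected auto-elevation
    ev("10:00:12", "{F}", SYS32 + r"\cmd.exe", "High", "{B}", POWERSHELL),    # the anomaly
    ev("10:00:20", "{G}", SYS32 + r"\cmd.exe", "Medium", "{B}", POWERSHELL),  # benign child
    ev("10:01:00", "{H}", POWERSHELL, "High", "{I}", r"C:\Windows\explorer.exe"),  # parent unknown
]

# Images worth alerting on as both parent and child. No autoElevate binaries here.
WATCHLIST = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe",
             "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(image):
    return PureWindowsPath(image).name.lower()


def medium_to_high_spawns(events, watchlist=WATCHLIST):
    """Return (alerts, unresolved): High-IL watchlist children whose parent, looked up
    by ParentProcessGuid, ran at Medium/Low IL and is also on the watchlist.
    Children whose parent has no EID 1 in the data set are reported separately so a
    failed join is visible instead of silently dropped."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts, unresolved = [], []
    for e in events:
        if e["IntegrityLevel"] != "High" or basename(e["Image"]) not in watchlist:
            continue
        parent = by_guid.get(e["ParentProcessGuid"])
        if parent is None:
            unresolved.append(e["ProcessGuid"])
            continue
        if parent["IntegrityLevel"] in ("Medium", "Low") and basename(parent["Image"]) in watchlist:
            alerts.append({"time": e["UtcTime"], "child": basename(e["Image"]),
                           "child_guid": e["ProcessGuid"], "parent": basename(parent["Image"]),
                           "parent_il": parent["IntegrityLevel"]})
    return alerts, unresolved


# EID 4104: the thread's token-manipulation API names, as they appear in P/Invoke code.
TOKEN_APIS = ("DuplicateTokenEx", "NtSetInformationToken", "NtFilterToken",
              "ImpersonateLoggedOnUser", "CreateProcessWithLogonW")


def token_api_hits(script_block_text):
    """Which of TOKEN_APIS occur as whole words in a 4104 ScriptBlockText."""
    return [api for api in TOKEN_APIS if re.search(rf"\b{api}\b", script_block_text)]


def is_token_magic_like(script_block_text, threshold=3):
    return len(token_api_hits(script_block_text)) >= threshold


# Constructed 4104 texts with placeholder arguments (not the real PoC).
SAMPLE_4104 = """
[Win32]::DuplicateTokenEx($wusaToken, ...)       # copy the elevated token
[Ntdll]::NtSetInformationToken($dup, ...)        # drop its IL to Medium
[Ntdll]::NtFilterToken($dup, ...)                # LUA-filtered copy
[Win32]::ImpersonateLoggedOnUser($filtered)
[Win32]::CreateProcessWithLogonW(..., "cmd.exe", ...)
"""
BENIGN_4104 = "[Win32]::OpenProcessToken($h, 8, [ref]$t); [Win32]::GetTokenInformation($t, ...)"

if __name__ == "__main__":
    found, missing = medium_to_high_spawns(SYSMON_EID1)
    for a in found:
        print(f"{a['time']} High {a['child']} ({a['child_guid']}) from {a['parent_il']} {a['parent']}")
    print("parent EID 1 not found for:", missing)
    print("4104 hits:", token_api_hits(SAMPLE_4104), "| benign:", token_api_hits(BENIGN_4104))
```

Run as a script it prints the single alert (High cmd.exe {F} from Medium powershell.exe), the child whose parent never logged an EID 1 ({H}), and the 4104 hits. The High wusa.exe under the same Medium powershell.exe is intentionally not flagged: that is ordinary auto-elevation, and putting autoElevate binaries on the child watchlist is the main FP source to watch for when profiling an environment.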
I wish you Good hunting!🎯🕸️

More from @BlackMatter23

15 Jul
I recently consulted for a company about the #NTLM family of protocols. They had various monitoring & hardening questions.
So, I decided to post some of their questions with the answers:
1. LM protocol is old and weak - how can we monitor its usage?
1. In general, you can monitor it using the "Package Name" field of 4624/4625 events. But keep in mind that LM is disabled by default starting with Win7/WS2008R2.
So, if you still have some old machines using it, LM is definitely not your biggest problem😵
2. Can we block NTLM protocols on our Firewall?
No. The NTLM family has no default transport protocol, so there are no default ports associated with these protocols. The most common transports are SMB, HTTP and SMTP.
Other mechanisms exist for disabling them, see below.
14 Jul
I see the quiz is not easy for many, so let's look at the particular events together and learn a little bit.
Let's try to think like analysts!
1. "Medium" IL powershell.exe spawns "Medium" IL wusa.exe. UAC is enabled on the machine, so this is expected behaviour: Image
1.1 As we know, wusa.exe has autoElevate = true in its manifest, which means UAC elevates it automatically without a consent prompt (except in "Always notify" mode). So svchost.exe (the AppInfo service) spawns consent.exe: Image
1.2 The next part is very interesting. You say: powershell.exe spawns "High" IL wusa.exe. Of course it doesn't! The real parent of wusa.exe is the "System" IL svchost.exe (AppInfo), which creates the elevated process and sets powershell.exe (the initiator) as its parent via the parent-process attribute, so the event shows powershell.exe as the parent. Look at the event below: Image
13 Jul
Detection Quiz!💡
Look at the process creation events depicted below:
1. Can you recognise the technique?
2. Map it to the @MITREattack
3. Which tool was most likely used?
4. Detection ideas?

#ThreatHunting Image
Columns: Time, Parent, ParentIntegrityLevel, Child, ChildIntegrityLevel
Please provide your answers in the form 1..2..3..4..
