4. Windows Log Analysis: Determine Attacker Technique¶
Difficulty: 🎄🎄
Determine Attacker Technique
Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process.
For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.
⚡️ Solution¶
After completing Linux Path Challenge and talk to SugarPlum Mary, He will give you hints which will help you with this objective.
Ross Wolf's work on EQL
Check out some of Ross Wolf's work on EQL.
Sysmon
Event Query Language
EQL Threat Hunting
Look closer the solution is posted in this article by Joshua Wright !
Given the hints, We will eqllib tool to analysis the logs file:
-
Getting the tool ready:
- Make sure you have python installed on your device or follow this guide to Install python,
then install
eqllibpackage for python.pip3 install eql
-
Or You can download and run Slingshot Linux, where EQL is already installed and ready to go!
-
Install
jqto pretty-print the output data.
- Make sure you have python installed on your device or follow this guide to Install python,
then install
-
To identify the tool the attacker used to retrieve domain password hashes from the
lsass.exeprocess, We need to understand how this attack work:
Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights.The Active Directory domain database is stored in the
NTDS.ditfile. By default the NTDS file will be located in%SystemRoot%\NTDS\Ntds.ditof a domain controller.1The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes:
- Volume Shadow Copy
- secretsdump.py
- Using the in-built Windows tool, ntdsutil.exe
- Invoke-NinjaCopy
-
Let's try to find unexpected processes interacting with
lsass.exeas parent process:eql query -f sysmon-data.json "process where parent_process_name = 'LSASS.exe'" | jq
{ "command_line": "C:\\Windows\\system32\\cmd.exe", "event_type": "process", "logon_id": 999, "parent_process_name": "lsass.exe", "parent_process_path": "C:\\Windows\\System32\\lsass.exe", "pid": 3440, "ppid": 632, "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "subtype": "create", "timestamp": 132186398356220000, "unique_pid": "{7431d376-dedb-5dd3-0000-001027be4f00}", "unique_ppid": "{7431d376-cd7f-5dd3-0000-001013920000}", "user": "NT AUTHORITY\\SYSTEM", "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }
-
Search by unique process id as unique parent process id to see other processes started by this process:
eql query -f sysmon-data.json 'process where ppid == 3440' | jq
{ "command_line": "ntdsutil.exe \"ac i ntds\" ifm \"create full c:\\hive\" q q", "event_type": "process", "logon_id": 999, "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "pid": 3556, "ppid": 3440, "process_name": "ntdsutil.exe", "process_path": "C:\\Windows\\System32\\ntdsutil.exe", "subtype": "create", "timestamp": 132186398470300000, "unique_pid": "{7431d376-dee7-5dd3-0000-0010f0c44f00}", "unique_ppid": "{7431d376-dedb-5dd3-0000-001027be4f00}", "user": "NT AUTHORITY\\SYSTEM", "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }
The attacker used
ntdsutilto create an accessible backup of the domain password hashes, and we can confirm it further by thecreateandifmcommands.
The answer:
ntdsutil
Congratulations! You have completed the Windows Log Analysis: Determine Attacker Technique challenge! 🎉
🎓 What you've learned¶
- Event Query Language (EQL).
- Threat Hunting using EQL.
- Credential Dumping techniques & tools.
-
Credential dumping techniques, tools & detection:
https://attack.mitre.org/techniques/T1003/
https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md ↩