Section 2.4: Intrusion Analysis: Command Line, Powershell, and WMI Analysis

Question 1

It’s not always than an enterprise will enable process tracking in the Security log. What alternative log can analysts use to search it?

Answer 1

System logs. They can trigger Critical, Warning, and Error events for system, reboots and process crashing if malware fails.

Question 2

What are the Application Event log IDs

Answer 2

1000- application errors
1001- Windows Error Reports (WER)(Report.wer)
1002- hangs

Question 3

Where can I find WER files? What can I find inside the files?

Answer 3

C:\Program Data\Microsoft\Windows\WER. Application name, SHA1, and the modules running.

Question 4

Why is process tracking important?

Answer 4

It can track potential malware execution and record the full command line used to launch the process (includes cmd.exe and powershell.exe). It is usually off because it records alot.

Question 5

Process tracking event log IDs

Answer 5

4688- New process created (includes path)
4689- Process exit

Question 6

How do I enable process tracking?

Answer 6

Group Policy Management -> Computer Configuration -> Policies -> Administrative Templates -> System -> Audit Process Creation

Question 7

WMI commands that can be used for Recon

Answer 7

[wmic process get][wmic (useraccount, group, or netuse) list full][wmic qfe get][wmic startup get]

Question 8

How can adversaries do priviledge escalation using WMI?

Answer 8

By using scripts like PowerUp.ps1. The script looks for unquoted paths set to autostart with service binary not present under windows folder. It can also find high privileged processes for attack. Finally, it finds all service paths that aren’t quoted.

Question 9

WMI commands to find and spread to remote shares.

Answer 9

NetEnum & NetAdd

Question 10

What does WMI “Process Call Create” do?

Answer 10

It runs a legitimate process to run code from a different location that benefits the adversary.

Question 11

How can I track WMI commands?

Answer 11

By turning on process tracking 4688 and enabling command line auditing. Download Sysmon as an alternative.

Question 12

WMI persistence event log IDs

Answer 12

[WMI-Activity/Operational log]
5858- query errors on host & username
5857-5860- filter/consumer activity
5861- new permanent event consumer
*Look for commandlineventconsumer or vbseventconsumer if 5861 is logged.

Question 13

Uncommon keywords to identify anomalies inside the WMI%4Operational file

Answer 13

eval, ps1, vbs, scrcons, ActiveScript, ActiveXObject, powershell, CommandLine, and wbemcons.

Question 14

Powershell event log IDs

Answer 14

4103- module logging and pipeline output
4104- script block logging
4105/4106- script start/stop (avoid)

Question 15

Is it possible for adversaries to avoid Powershell logging?

Answer 15

Yes, by downgrading Powershell to v2. Find it in the Windows Powershell.evtx under ID 400 and look at the host/engine versions.

Question 16

What other log should be enabled for Powershell logging?

Answer 16

Transcription logs

Question 17

Where can I enable Powershell logging?

Answer 17

Group Policy Management -> Computer Configuration -> Policies -> Administrative Template -> Windows Components -> Windows Powershell

Question 18

Where can I enable Powershell logging?

Answer 18

Group Policy Management -> Computer Configuration -> Policies -> Administrative Template -> Windows Components -> Windows Powershell. To add all modules, use (*).

Question 19

In log ID 4104, what should analyst do?

Answer 19

Search for words in the command that describe certain actions that are suspicious. Ex: “key.log”.

Question 20

Keywords to search inside Powershell/Operational log

Answer 20

download, IEX, rundll32, http, Start-Process, Invoke-Expression, Invoke-Command, syswow64, FromBase64String, WebClient, bitstransfer, Reflection, powershell -version, Invoke-WmiMethod, and Invoke-CimMethod

Question 21

For what purpose do adversaries obfuscate keywords in Powershell? What tools can be used to counter this?

Answer 21

So that security won’t trigger alarms when certain keywords were used to run a script. Tools to counter obfuscation are: Invoke-Obfuscation & Revoke-Obfuscation

Question 22

Besides Invoke/Revoke-Obfuscation tools, what other alternative tools are there?

Answer 22

CyperChef and PSDecode for decoding scripts.

Question 23

How do I turn on Powershell Transcription logs? Where are the files saved?

Answer 23

Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Powershell -> Turn on Transcription. Files saved at: \Users\ <acct>\Documents</acct>

Question 24

What is one thing to keep in mind when reviewing transcription logs?

Answer 24

The date is set in system local time so they need conversion to UTC to match native event log times.

Question 25

Where can I find ConsoleHost_history_txt?

Answer 25

User\Roaming\Microsoft\Windows\Powershell\PsReadline

Question 26

How are event logs collected and what tools are used in order to do so?

Answer 26

One option is using Event Viewer (right-click log of interest and save log in file extension of choosing. Another option is the PsLogList tool that can dump live logs to text or .csv files. Velociraptor and F-Response are two other options.

Question 27

What tools can be used to forward logs?

Answer 27

Window’s Event Forwarding (WEF) tool is frequently used. Another tool, that’s free, is Winlogbeat. It can send to Elasticsearch.

Question 28

How can I download evtx files from Powershell?

Answer 28

Use Get-WinEvent and use [-ComputerName][-Path][-Logname]. Also use export. Its recommended to use hashtable to be more specific.

Question 29

What is Sysmon by Microsoft?

Answer 29

Its a logging extension to the already set logs inside Windows. It can filter specific logs for investigations. It can scale and be forwarded to a SIEM. Think of it as a lightweight detection endpoint for free.