Section 2.4: Intrusion Analysis: Command Line, Powershell, and WMI Analysis Flashcards
It’s not always than an enterprise will enable process tracking in the Security log. What alternative log can analysts use to search it?
System logs. They can trigger Critical, Warning, and Error events for system, reboots and process crashing if malware fails.
What are the Application Event log IDs
1000- application errors
1001- Windows Error Reports (WER)(Report.wer)
1002- hangs
Where can I find WER files? What can I find inside the files?
C:\Program Data\Microsoft\Windows\WER. Application name, SHA1, and the modules running.
Why is process tracking important?
It can track potential malware execution and record the full command line used to launch the process (includes cmd.exe and powershell.exe). It is usually off because it records alot.
Process tracking event log IDs
4688- New process created (includes path)
4689- Process exit
How do I enable process tracking?
Group Policy Management -> Computer Configuration -> Policies -> Administrative Templates -> System -> Audit Process Creation
WMI commands that can be used for Recon
[wmic process get][wmic (useraccount, group, or netuse) list full][wmic qfe get][wmic startup get]
How can adversaries do priviledge escalation using WMI?
By using scripts like PowerUp.ps1. The script looks for unquoted paths set to autostart with service binary not present under windows folder. It can also find high privileged processes for attack. Finally, it finds all service paths that aren’t quoted.
WMI commands to find and spread to remote shares.
NetEnum & NetAdd
What does WMI “Process Call Create” do?
It runs a legitimate process to run code from a different location that benefits the adversary.
How can I track WMI commands?
By turning on process tracking 4688 and enabling command line auditing. Download Sysmon as an alternative.
WMI persistence event log IDs
[WMI-Activity/Operational log]
5858- query errors on host & username
5857-5860- filter/consumer activity
5861- new permanent event consumer
*Look for commandlineventconsumer or vbseventconsumer if 5861 is logged.
Uncommon keywords to identify anomalies inside the WMI%4Operational file
eval, ps1, vbs, scrcons, ActiveScript, ActiveXObject, powershell, CommandLine, and wbemcons.
Powershell event log IDs
4103- module logging and pipeline output
4104- script block logging
4105/4106- script start/stop (avoid)
Is it possible for adversaries to avoid Powershell logging?
Yes, by downgrading Powershell to v2. Find it in the Windows Powershell.evtx under ID 400 and look at the host/engine versions.
What other log should be enabled for Powershell logging?
Transcription logs
Where can I enable Powershell logging?
Group Policy Management -> Computer Configuration -> Policies -> Administrative Template -> Windows Components -> Windows Powershell
Where can I enable Powershell logging?
Group Policy Management -> Computer Configuration -> Policies -> Administrative Template -> Windows Components -> Windows Powershell. To add all modules, use (*).
In log ID 4104, what should analyst do?
Search for words in the command that describe certain actions that are suspicious. Ex: “key.log”.
Keywords to search inside Powershell/Operational log
download, IEX, rundll32, http, Start-Process, Invoke-Expression, Invoke-Command, syswow64, FromBase64String, WebClient, bitstransfer, Reflection, powershell -version, Invoke-WmiMethod, and Invoke-CimMethod
For what purpose do adversaries obfuscate keywords in Powershell? What tools can be used to counter this?
So that security won’t trigger alarms when certain keywords were used to run a script. Tools to counter obfuscation are: Invoke-Obfuscation & Revoke-Obfuscation
Besides Invoke/Revoke-Obfuscation tools, what other alternative tools are there?
CyperChef and PSDecode for decoding scripts.
How do I turn on Powershell Transcription logs? Where are the files saved?
Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Powershell -> Turn on Transcription. Files saved at: \Users\ <acct>\Documents</acct>
What is one thing to keep in mind when reviewing transcription logs?
The date is set in system local time so they need conversion to UTC to match native event log times.
Where can I find ConsoleHost_history_txt?
User\Roaming\Microsoft\Windows\Powershell\PsReadline
How are event logs collected and what tools are used in order to do so?
One option is using Event Viewer (right-click log of interest and save log in file extension of choosing. Another option is the PsLogList tool that can dump live logs to text or .csv files. Velociraptor and F-Response are two other options.
What tools can be used to forward logs?
Window’s Event Forwarding (WEF) tool is frequently used. Another tool, that’s free, is Winlogbeat. It can send to Elasticsearch.
How can I download evtx files from Powershell?
Use Get-WinEvent and use [-ComputerName][-Path][-Logname]. Also use export. Its recommended to use hashtable to be more specific.
What is Sysmon by Microsoft?
Its a logging extension to the already set logs inside Windows. It can filter specific logs for investigations. It can scale and be forwarded to a SIEM. Think of it as a lightweight detection endpoint for free.