The Digital Hunt: Tracking LOTL in Your Network - Part IV
Detection and Response
To detect and respond to such exploitation, it's crucial to understand the context of ntdsutil.exe activities and differentiate between legitimate administrative use and potential malicious exploitation. Key log sources and monitoring strategies include:
📌 Command-line and Process Creation Logs: Security logs (Event ID 4688) and Sysmon logs (Event ID 1) provide insights into the execution of ntdsutil.exe commands. Unusual or infrequent use of ntdsutil.exe for snapshot creation might indicate suspicious activity.
📌 File Creation and Access Logs: Monitoring file creation events (Sysmon’s Event ID 11) and attempts to access sensitive files like NTDS.dit (security logs with Event ID 4663) can offer additional context to the snapshot creation and access process.
📌 Privilege Use Logs: Event ID 4673 in security logs, indicating the use of privileged services, can signal potential misuse when correlated with the execution of ntdsutil.exe commands.
📌 Network Activity and Authentication Logs: These logs can provide context about concurrent remote connections or data transfers, potentially indicating data exfiltration attempts. Authentication logs are also crucial for identifying the executor of the ntdsutil.exe command and assessing whether the usage aligns with typical administrative behavior.
Comprehensive Analysis of PSExec.exe in LOTL Tactics
PSExec.exe, a component of the Microsoft PsTools suite, is a powerful utility for system administrators, offering the capability to remotely execute commands across networked systems, often with elevated SYSTEM privileges. Its versatility, however, also makes it a favored tool in Living Off the Land (LOTL) tactics employed by cyber threat actors.
The Role of PSExec.exe in Cyber Threats
PSExec.exe is commonly used for remote administration and for executing processes across systems, for example running one-off commands that change a system's configuration, such as removing a port proxy configuration on a remote host with a command like:
"C:\pstools\psexec.exe" {REDACTED} -s cmd /c "cmd.exe /c netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999"
Detection and Contextualization Strategies
To effectively counter the malicious use of PSExec.exe, network defenders must leverage a variety of logs that provide insights into the execution of commands and the broader context of the operation:
📌 Command-line and Process Creation Logs: Security logs (Event ID 4688) and Sysmon logs (Event ID 1) are invaluable for tracking the execution of PSExec.exe and associated commands. These logs detail the command line used, shedding light on the process's nature and intent.
📌 Privilege Use and Explicit Credential Logs: Security logs (Event ID 4672) document instances where special privileges are assigned to new logons, crucial when PSExec is executed with the -s switch for SYSTEM privileges. Event ID 4648 captures explicit credential use, indicating when PSExec is run with specific user credentials.
📌 Sysmon Logs for Network Connections and Registry Changes: Sysmon's Event ID 3 logs network connections, central to PSExec’s remote execution functionality. Event IDs 12, 13, and 14 track registry changes, including deletions (Event ID 14) of registry keys associated with the executed Netsh command, providing evidence of modifications to the system's configuration.
📌 Windows Registry Audit Logs: If enabled, these logs record modifications to registry keys, offering detailed information such as the timestamp of changes, the account under which changes were made (often the SYSTEM account due to PSExec's -s switch), and the specific registry values altered or deleted.
📌 Network and Firewall Logs: Analysis of network traffic, especially the SMB traffic characteristic of PSExec use, and firewall logs on the target system can reveal connections to administrative shares and changes to the system's network configuration. These logs can be correlated with the timing of command execution, providing further context.
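The log-source guidance for ntdsutil.exe and for PSExec.exe above comes down to one defender workflow: parse process-creation events, tag those matching known LOTL patterns, and correlate the tags per host over a short window. The following is an added example, not code from the original post or from Sysmon or PsTools; it runs over constructed sample records, and the field names (time, host, user, image, cmdline) are an assumption about how a SIEM normalises Sysmon Event ID 1 / Security 4688 events.

```python
# Added example (not from the original post): tag and correlate process-creation
# records shaped like Sysmon Event ID 1 / Security 4688. Schema is an assumption.
import re
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry; hosts, users and paths are made up.
EVENTS = [
    {"time": "2024-08-10T09:00:00", "host": "DC01", "user": "CORP\\adm.jane",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "activate instance ntds" snapshot create quit quit'},
    {"time": "2024-08-10T09:00:12", "host": "DC01", "user": "CORP\\adm.jane",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\temp\\"},
    {"time": "2024-08-10T11:30:00", "host": "WS17", "user": "CORP\\svc.deploy",
     "image": r"C:\pstools\psexec.exe",
     "cmdline": '"C:\\pstools\\psexec.exe" \\\\SRV02 -s cmd /c '
                '"netsh interface portproxy delete v4tov4 listenport=9999"'},
    {"time": "2024-08-10T14:00:00", "host": "WS03", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Rules mirror the guidance above: ntdsutil snapshot use, NTDS.dit access, PsExec -s, netsh portproxy.
RULES = [
    ("ntdsutil_snapshot", lambda e: "ntdsutil" in e["image"].lower() and "snapshot" in e["cmdline"].lower()),
    ("ntds_dit_access", lambda e: "ntds.dit" in e["cmdline"].lower()),
    ("psexec_system", lambda e: "psexec" in e["image"].lower() and re.search(r"(^|\s)-s(\s|$)", e["cmdline"])),
    ("netsh_portproxy", lambda e: re.search(r"netsh\s+interface\s+portproxy", e["cmdline"], re.I)),
]

def classify(event):
    """Return the names of every rule the event matches (empty list if none)."""
    return [name for name, pred in RULES if pred(event)]

def correlate(events, window_seconds=60):
    """Merge hits on one host within window_seconds of the previous hit into a single finding."""
    findings, open_by_host = [], {}
    for e in sorted(events, key=lambda x: x["time"]):
        hits = classify(e)
        if not hits:
            continue
        t = datetime.fromisoformat(e["time"])
        f = open_by_host.get(e["host"])
        if f and t - f["last"] <= timedelta(seconds=window_seconds):
            f["rules"].update(hits)  # snapshot + ntds.dit copy become one finding
            f["last"] = t
        else:
            f = {"host": e["host"], "user": e["user"], "first": t, "last": t, "rules": set(hits)}
            findings.append(f)
            open_by_host[e["host"]] = f
    return findings
```

A real deployment would feed the same rules the 4672/4648 and Sysmon Event ID 3 records the text lists, keyed on the same host and window, rather than process creation alone.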
10 August 2024