search menu S.O.S.
Top Categories
Spotlight

todayMay 10, 2021

Digital Forensics + Malware Analysis Ahmed Elmayyah

Catch the IEX if You Can: PowerShell De-Obfuscation

Introduction A lot of the time when working with malware or when investigating an incident, you may encounter PowerShell executing obfuscated commands which may look like gibberish. These commands are usually obfuscated to make it harder for the analyst to understand, as well as making it harder for detection solutions [...]

Week News
Top Voted

Event Log service – Between Offensive and defensive

Digital Forensics Kareem Ali todayOctober 1, 2020 490

Background
share close

Event Log Service

Event viewer is the preinstalled application in windows to view windows logs, it depends on a event log service to function

 

EventLog Service

Service configuration:

  • STOPPABLE, AcceptPause, AcceptStop

  • Binary path : svchost.exe -k LocalServiceNetworkRestricted -p

  • ProcessId: 1732

 

Anti-Forensics

One of the primary anti forensics techniques is clearing logs, and disable logging, attacker can approach this by many methods

 

Clearing Logs: I just need to say that only security and system logs that have an event for event clear

  •  1102 for clearing security logs
  • 104 for clearing system logs

 

To Test:

1- run the following command to clear all events

for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

2- check what logs have more than 0 log

Get-WinEvent -ListLog *

All methods require administration privileges

Method 1 (Terminate Event log process)

as we say the process responsible for logging events is

svchost -k LocalServiceNetworkRestricted -p -s eventlog

if we suspend this process, the event viewer will be paused, also you will not be able to open new CMD or PowerShell, but you can use the shell you already open.

event viewer will be paused but logs will appear just after resuming the process, the same if you kill the process then start the services again

so if an attacker tried to stop logs like that, you just have to restart the service and everything will be there

Detection

  • Live analysis

    • Windows Event Log service is not running (service will be stopped automatically after killing the process )

    • Svchost -k LocalServiceNetworkRestricted -p -s eventlog is not running

  • Sysmon

    • Sysmon exit process doesn’t provide a command line. and monitoring for all svchost process exit will be noisy and not useful as we will not be able to distinguish between svchost processes

  • Killing the Process like this will pause the service of the event log but will not generate 6006 EID

 

Method 2 (Invoke-Phant0m)

This is PowerShell script that is used to kill thread of the svchost process that responsible for event logging

this technique is good for stopping a lot of security controls not just event viewer

 

Download: Invoke-Phat0m

Test Environment: Win 10 1909, build 18363.1016

of course any AV will detect Invoke-Phant0m as malware, so as attacker you have to find your way to bypass detection

. ./Invoke-Phant0m
Invoke-Phant0m

as you see in the above image: Invoke phant0m find the PID for svchost responsible for event logging

and killed its threads and this caused total of 20 events that we will rely on for detection

after killing the threads: No log entries are logged

Detection

  • PowerShell Logs (EID 4104 – Script Block log — not enabled by default)

    • manual: it’s very easy to recognize the code for Invoke-Phant0m if no obfuscation occurs

      • but of course attacker can also clear PowerShell logs

    • if we have SIEM then it would

    • Automatic: we will catch any of the strings of the code

      title: Detect Invoke-Phant0m
id: 1f44f2ab-20bc-7234-93cc-d8ffbc93eadf
status: experimental
description: Detects part of the code of Invoke-Phant0m
date: 2020/09/16
author: Karem Ali
references:
    - https://github.com/hlldz/Invoke-Phant0m
    - https://github.com/karemfaisal/SMUC/tree/master/eventvwr
tags:
    - attack.DefenseEvasion
    - attack.T1070.001
logsource:
    product: windows
    service: powershell
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
detection:
    selection:
        EventLog: powershell
        EventID: 4104
    keywords:
        Command:
            - "*$ContextRecord.ContextFlags = 0x10003B*"
            
    condition: selection and keywords 
falsepositives:
    - Penetration tests
level: high

  • Live Analysis

    • Process svchost with command line -k LocalServiceNetworkRestricted -p -s eventlog would have no threads related to eventlog service

Important notice about Invoke-Phant0m that although it will prevent any log from being created but clear logs (1102,104) will be created

 

Method 3 (Mimikatz event::drop)

Mimikatz is wide used tool for dumping credentials but it also have other usages like stopping the event logging in windows

you can check more details about mimikatz and credential dumping from here Mimikatz

 

this technique patch the service so it stops logging windows clear event (1102, 104)

Event Log service still logging all other logs.

THE following GIF shows that 1102 is no more generated but logs in PowerShell still be generated, the same as security events ..etc

Detection

First of all, if SIEM exists, then clearing logs is not important, we always can find the logs in the SIEM

  • Sysmon

    • Process Access

      • Mimikatz will access svchost

        • correlate PID of svchost with PID of process creation in SIEM if it’s svchost of event log then you know

    • Module Loading (Detect Mimikatz not necessary to be event::drop)

    • bcryptprimitives.dll

    • vaultsvc.dll

    • all DLLs for SSPs like [schannel.dll, credssp.dll, gpapi.dll, wdigest.dll, tspkg.dll, samsrv.dll]

    • If the process loaded all the modules in sysmon then it’s highly likely to be mimikatz, but if only one or two modules then it’s could be a regular process

      •   <Sysmon schemaversion="4.00">
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
    <EventFiltering>
        <ProcessAccess onmatch="include">
            <TargetImage condition="is">C:\Windows\System32\svchost.exe</TargetImage>
        </ProcessAccess>
        
        
        <ImageLoad onmatch="include"> 
              <ImageLoaded condition="contains">schannel.dll</ImageLoaded>
              <ImageLoaded condition="contains">credssp.dll</ImageLoaded>
              <ImageLoaded condition="contains">gpapi.dll</ImageLoaded>
              <ImageLoaded condition="contains">wdigest.dll</ImageLoaded>
              <ImageLoaded condition="contains">tspkg.dll</ImageLoaded>
              <ImageLoaded condition="contains">samsrv.dll</ImageLoaded>
        </ImageLoad>
        
        
    </EventFiltering>
  </Sysmon>

      • Process Access: x1438 which is

        • PROCESS_SUSPEND_RESUME (0x800) | PROCESS_SET_INFORMATION (0x200) | PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_WRITE (0x20) | PROCESS_VM_READ (0x10) | PROCESS_VM_OPERATION (0x8)

          Which is sufficient access to do the patching

         Patching svchost in on run time on disk, so restarting the service or computer will remove the effect of mimikatz

Written by: Kareem Ali

Rate it

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *

Cyber Castle Footer Logo
Company

Cyber Castle is an Egyptian cyber security company founded in 2020. specializes in the cyber security services & solutions with the aim to detect, protect and mitigate from sophisticated cyber threats in a timely manner.

Where We Are

92 Omar Ibn El-Khattab, Almazah, Heliopolis, Cairo Governorate

Phone

Mobile: (02) 01018233755

Email

info@cybercastle.io

Follow us