.ipynb .pdf

repository open issue suggest edit

Binder Colab Live Code

Contents

Remote Service creation

Metadata

collaborators	[‘@Cyb3rWard0g’, ‘@Cyb3rPandaH’]
creation date	2019/08/15
modification date	2020/09/20
playbook related	[‘WIN-190813181020’]

Hypothesis

Adversaries might be creating new services remotely to execute code and move laterally in my environment

Technical Context

None

Offensive Tradecraft

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by by adversaries creating a new service. Adversaries can create services remotely to execute code and move lateraly across the environment.

Mordor Test Data

metadata	https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-190518210652.html
link	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_psexec_dcerpc_tcp_svcctl.zip

Analytics

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor Dataset

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_psexec_dcerpc_tcp_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Analytic I

Look for new services being created in your environment under a network logon session (3). That is a sign that the service creation was performed from another endpoint in the environment

Data source	Event Provider	Relationship	Event
Service	Microsoft-Windows-Security-Auditing	User created Service	4697
Authentication log	Microsoft-Windows-Security-Auditing	User authenticated Host	4624

df = spark.sql(
'''
SELECT o.`@timestamp`, o.Hostname, o.SubjectUserName, o.SubjectUserName, o.ServiceName, a.IpAddress
FROM mordorTable o
INNER JOIN (
    SELECT Hostname,TargetUserName,TargetLogonId,IpAddress
    FROM mordorTable
    WHERE LOWER(Channel) = "security"
        AND EventID = 4624
        AND LogonType = 3            
        AND NOT TargetUserName LIKE "%$"
    ) a
ON o.SubjectLogonId = a.TargetLogonId
WHERE LOWER(o.Channel) = "security"
    AND o.EventID = 4697
'''
)
df.show(10,False)

+-----------------------+---------------------------+---------------+---------------+-----------+-----------+
|@timestamp             |Hostname                   |SubjectUserName|SubjectUserName|ServiceName|IpAddress  |
+-----------------------+---------------------------+---------------+---------------+-----------+-----------+
|2020-09-20 12:16:58.214|WORKSTATION6.theshire.local|pgustavo       |pgustavo       |Updater    |172.18.39.5|
+-----------------------+---------------------------+---------------+---------------+-----------+-----------+

Known Bypasses

Idea	Playbook

False Positives

None

Hunter Notes

• If there are a lot of unique services being created in your environment, try to categorize the data based on the bussiness unit.

• Identify the source of unique services being created everyday. I have seen Microsoft applications doing this.

• Stack the values of the service file name associated with the new service.

• Document what users create new services across your environment on a daily basis

Hunt Output

Type	Link

References

• https://www.powershellempire.com/?page_id=523

Execution WMI Win32_Process Class and Create Method for Remote Execution