Cobalt Strike Investigation Part 1

Cobalt Strike Investigation - Part 1

  1. Introduction
  2. Approach
  3. Findings Summary
  4. Cobalt Strike remote-exec winrm
  5. Cobalt Strike remote-exec wmi
  6. Cobalt Strike remote-exec psexec
  7. Part 1 - Conclusion

Introduction

Although it was not originally designed for this use, Cobalt Strike has become one of the most frequently used tools for lateral movements and it is not uncommon to observe traces of its use during digital forensic.

This article aims to analyze the different Cobalt Strike commands to find evidence that the tools could drop behind him. Several blogs have already explained how to detect Cobalt Strike, but for this analysis we choose to let the Windows log levels by default without activating special "Windows Audit Policies" and we used post-compromising tools to extract artifacts.

In this first part, we will focus on the Cobalt Strike built-in remote-exec command and its different methods of remote code execution:

A second blogpost will focus on the persistent Cobalt Strike session using Beacon and the built-in jump commands with different methods such as "psexec64", "winrm64" or "psexec_psh".

Approach

The aim here is to provide basic information on what kinds of logs and other artefacts could be generated from Cobalt Strike on a default Windows 10 host. To get a better context and understanding, we enabled Sysmon on the victim Workstation, so that we get a based line to compare with.

The tests have been done with Cobalt Strike version 4.4 with the default configuration without any kind of customization. It'is important to note that Cobalt Strike allow users to change various settings (pipes names, service name, default temporary process, etc.) to customize its footprint. Depending on Cobalt Strike settings used by the attackers, the events generated may be slightly different and detection rule may fail.

Each command has been executed twice to avoid false positive. This short analysis can be later on used as a reference to build rules to detect Cobalt Strike movements during a forensics incident response (without Sysmon or Audit Policies).

The Lab is composed of the following elements:

  • Windows 10 workstations with Sysmon installed;
  • Windows Server 2016 Domain Controller.

The different steps and tools used to extract and analyze the artifacts post compromise are:

  1. Run DFIR_ORC to extract artifacts on the Windows 10 machine
  2. Run log2timeline/plaso combined with Logstash on the extracted data to build a clear timeline
  3. Analyze data using Splunk

By using DFIR_Orc and Plaso, we were able to process the most important artifacts:

  • Event log (*.evtx), including PowerShell command history;
  • Prefetch files;
  • USNjrnl;
  • MFT;
  • User and System hives (userassist, appcompatcache, etc.).

Findings Summary

A summary of the most important findings (excluding Sysmon events) is available on the timeline below:

Cobalt Strike CommandsDescription
remote-exec winrm[prefetch] Prefetch [WSMPROVHOST.EXE] was executed - run count 2 path hints: \WINDOWS\SYSTEM32\WSMPROVHOST.EXE hash: 0xEF06207C volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
remote-exec winrm[evtx/winrm/91] Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'
remote-exec winrm[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x0000000000483901) with '-'
remote-exec winrm[evtx/powershell/400] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is changed from 'None' to 'Available'.
remote-exec winrm[evtx/powershell/403] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is changed from 'Available' to 'Stopped'.
remote-exec winrm[evtx/powershell/600] the PowerShell provider 'Alias' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started.
remote-exec winrm[evtx/powershell/600] the PowerShell provider 'Environment' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started.
remote-exec winrm[evtx/powershell/600] the PowerShell provider 'FileSystem' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started.
remote-exec winrm[evtx/powershell/600] the PowerShell provider 'Function' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started.
remote-exec winrm[evtx/powershell/600] the PowerShell provider 'Registry' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started.
remote-exec winrm[evtx/powershell/600] the PowerShell provider 'Variable' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '-' is Started.
....
remote-exec wmi[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-'
remote-exec wmi[evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable
remote-exec wmi[prefetch] Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
....
remote-exec psexec[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000005eda88) with '-'
remote-exec psexec[evtx/sys/scm/7045] service 'd8041e9' (notepad.exe) was installed by user 'LocalSystem' (type: user mode service, start: demand start)

Cobalt Strike remote-exec winrm

The Cobalt Strike remote-exec winrm command allows the user to execute a command using WinRM on the remote host without creating a persistent session with a Beacon. For this example, the executed command is ipconfig.

Sysmon Events

As explained earlier, System Monitor (Sysmon) was installed on the Windows 10 workstation to have reference events on which to base our analyses. We therefore first reviewed the events recorded by Sysmon to get a based line to compare with extracted artifacts. The Sysmon events below has been filtered to the most useful.

Event ID 1 - Process Creation

The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.

The process chain created by the remote-exec winrm commands on the victim workstation is svchost.exe -> wsmprovhost.exe -> ipconfig.exe.

TimeDescription
14:24:01.884[evtx/sysmon/1] process created with command C:\Windows\system32\wsmprovhost.exe -Embedding (id 9040) by user 'CORP\alice' via C:\Windows\System32\svchost.exe (id 728)
14:24:05.631[evtx/sysmon/1] process created with command "C:\Windows\system32\ipconfig.exe" (id 9384) by user 'CORP\alice' via C:\Windows\System32\wsmprovhost.exe (id 9040)
14:24:05.653[evtx/sysmon/1] process created with command \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (id 8268) by user 'CORP\alice' via C:\Windows\System32\ipconfig.exe (id 9384)

Event ID 3 - Network Connection Detected

The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.

The execution of the remote-exec winrm commands leads to the creation of 3 network connections made to the victim workstation on the port 5985. The ports 5985 (HTTP) and 5986 (HTTPS) are the default TCP ports used by WinRM:

TimeDescription
14:24:04.015[evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54074) to host '-' (192.168.56.117:5985) (pid=4)
14:24:05.430[evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54075) to host '-' (192.168.56.117:5985) (pid=4)
14:24:06.461[evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54076) to host '-' (192.168.56.117:5985) (pid=4)

Event ID 7 - Image Loaded

The image loaded event logs when a module is loaded in a specific process. It indicates the process in which the module is loaded, hashes and signature information.

Without Sysmon installed on the victim workstation, it is hard to get the same information from other artifacts. Nevertheless, and this will be discussed later in the article, MFT provides similar evidence and this is why we have chosen to include these events.

TimeDescription
14:24:01.896[evtx/sysmon/7] image C:\Windows\System32\wsmprovhost.exe loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user 'CORP\alice'
14:24:01.976[evtx/sysmon/7] image C:\Windows\System32\WsmSvc.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user 'CORP\alice'
14:24:02.023[evtx/sysmon/7] image C:\Windows\System32\wsmplpxy.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user 'CORP\alice'
14:24:04.425[evtx/sysmon/7] image C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll loaded from process C:\Windows\System32\wsmprovhost.exe (pid=9040) with user 'CORP\alice'
......

Event ID 11 - File created

File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.

On the disk, two PowerShell scripts, generated by Microsoft, are created (__PSScriptPolicyTest_<random_number>.ps1) to test against AppLocker. If the test file executes, then it assumed that AppLocker is disabled. Two Prefetch files for ipconfig, and wsmprovhost.exe binaries are also created, as well as a log file.

TimeDescription
14:24:03.978[evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_3yycbqb2.1vu.psm1 with user 'CORP\alice'
14:24:03.978[evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_jcfqwafa.032.ps1 with user 'CORP\alice'
14:24:05.722[evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\IPCONFIG.EXE-912F3D5B.pf with user 'NT AUTHORITY\SYSTEM'
14:24:05.724[evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf with user 'NT AUTHORITY\SYSTEM'
14:24:06.872[evtx/sysmon/11] process C:\Windows\system32\wsmprovhost.exe (pid=9040) created file C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wsmprovhost.exe.log with user 'CORP\alice'
14:24:06.947[evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf with user 'NT AUTHORITY\SYSTEM'

Findings

Now that we have seen the events and other artifacts generated by the execution of the remote-exec winrm commands, let's dwell on the evidence present natively on a Windows 10 system out of the box.

Winevtx - Microsoft-Windows-Security-Auditing

Without the audit policies enabled, there are not much events generated. However, in both tests, Windows recorded 5 successful logons (event ID 4624) with the logon type '3' (Network) from the compromised account "CORP.LOCAL\alice". If correlated, this behavior may help during the investigation to support a hypothesis.

TimeDescription
14:24:01.836[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000483901): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:24:01.836[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x0000000000483901) with '-'
14:24:03.395[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000485580): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:24:03.395[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x0000000000485580) with '-'
14:24:05.436[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000487c94): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:24:05.436[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x0000000000487c94) with '-'
14:24:06.843[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000487c94) from logon type=3
14:24:06.844[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891b0): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:24:06.844[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004891b0) with '-'
14:24:06.868[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x0000000000485580) from logon type=3
14:24:06.869[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891fe): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:24:06.869[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004891fe) with '-'
14:24:06.871[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891b0) from logon type=3
14:24:06.905[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004891fe) from logon type=3

Winevtx - Microsoft Windows WinRM

When executed, a successful remote WinRM connection will log an event ID 91 (Creating WSMan shell on servers) within the WinRM event log on the targeted host. Another good indicator to detect WinRM lateral movements is the event ID 6 on the source host:

TimeDescription
14:24:02.586[evtx/winrm/91] Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'

Winevtx - Microsoft Windows Powershell

Cobalt Strike WinRM cmdlets run over PowerShell script, so the PowerShell events ID 600, 400 and 403 are recorded and display the hosted application (C:\Windows\system32\wsmprovhost.exe -Embedding).

timeDescription
14:24:04.560[evtx/powershell/53504] Windows PowerShell has started an IPC listening thread on process: 9040 in AppDomain: 'DefaultAppDomain
14:24:05.124[evtx/powershell/600] the PowerShell provider 'Environment' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started.
14:24:05.124[evtx/powershell/600] the PowerShell provider 'Alias' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started.
14:24:05.124[evtx/powershell/600] the PowerShell provider 'Registry' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started.
14:24:05.186[evtx/powershell/600] the PowerShell provider 'Variable' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started.
14:24:05.186[evtx/powershell/600] the PowerShell provider 'Function' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started.
14:24:05.186[evtx/powershell/600] the PowerShell provider 'FileSystem' hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is Started.
14:24:05.249[evtx/powershell/400] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is changed from 'None' to 'Available'.
14:24:06.827[evtx/powershell/403] the PowerShell engine state hosted by application C:\Windows\system32\wsmprovhost.exe -Embedding with command line '' is changed from 'Available' to 'Stopped'.

Prefetch

Prefetch files allow to recover the process chain created and find out that wsrmprovhost has executed the ipconfig programs.

TimeDescription
14:24:01.877[prefetch] Prefetch [WSMPROVHOST.EXE] was executed - run count 2 path hints: \WINDOWS\SYSTEM32\WSMPROVHOST.EXE hash: 0xEF06207C volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
14:24:05.624[prefetch] Prefetch [IPCONFIG.EXE] was executed - run count 8 path hints: \WINDOWS\SYSTEM32\IPCONFIG.EXE hash: 0x912F3D5B volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]

USN journal

As with Sysmon which showed the creation of Prefetch files (event ID 11 - File Create), the USN journal gives a good overview of what’s happened, from the wsmprovhost.exe execution to the final commands (ipconfig) and the PowerShell execution.

TimeDescription
14:24:03.968[fs/usnjrnl] file \Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_3yycbqb2.1vu.psm1 CLOSE/DATA_EXTEND/FILE_CREATE
14:24:03.968[fs/usnjrnl] file \Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_jcfqwafa.032.ps1 CLOSE/DATA_EXTEND/FILE_CREATE
14:24:04.249[fs/usnjrnl] file \Archive\6AB83620379FC69F80C0242105DDFFD7D98D5D9DD17FE0A3F47BE24A6453E9EF58C9464196AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF700000000000000000000000000000000.ps1 CLOSE/RENAME_NEW_NAME
14:24:04.281[fs/usnjrnl] file \Archive\6AB83620379FC69F80C0242105DDFFD7D98D5D9DD17FE0A3F47BE24A6453E9EF58C9464196AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF700000000000000000000000000000000.psm1 CLOSE/RENAME_NEW_NAME
14:24:05.718[fs/usnjrnl] file \Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION
14:24:05.718[fs/usnjrnl] file \Windows\Prefetch\IPCONFIG.EXE-912F3D5B.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION
14:24:06.843[fs/usnjrnl] file \Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wsmprovhost.exe.log CLOSE/DATA_EXTEND/FILE_CREATE
14:24:06.938[fs/usnjrnl] file \Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf CLOSE/DATA_EXTEND/FILE_CREATE

MFT

As we saw earlier with Sysmon (event ID 7 - Image Loaded), in that case the MFT can be used to get information on the image loaded by the wsmprovhost.exe program. Indeed, the collection of evidence having been carried out very shortly after the execution, the DLLs accessed by the wsmprovhost.exe program have not (yet) been accessed by other programs, and the timestamps present in the MFT coincide with the binary access.

TimeDescription
14:24:01.859[fs/mft][.a..] file \Windows\SysWOW64\wsmprovhost.exe
14:24:01.921[fs/mft][.a..] file \Windows\System32\WsmSvc.dll
14:24:01.999[fs/mft][.a..] file \Windows\System32\wsmplpxy.dll
14:24:04.201[fs/mft][.a..] file \Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
14:24:06.843[fs/mft][..c.] file wsmprovhost.exe.log
14:24:06.938[fs/mft][.a..] file \Windows\Prefetch\WSMPROVHOST.EXE-EF06207C.pf

Conclusion

Reliable artifacts can lead us to the conclusion that WinRM has been used to execute remote commands using Cobalt Strike on the victim workstation:

  • A PowerShell execution (Microsoft Windows Powershell, event ID 600, 400, 403) host by the application C:\Windows\system32\wsmprovhost.exe -Embedding;
  • A WinRM connection received (Microsoft Windows WinRM, event ID 91);
  • Execution traces of the \Windows\SysWOW64\wsmprovhost.exe binary, visible in the MFT, the USN journal or even the Prefetch files.

These events can be accompanied by network authentication as we have seen with the logon type 3 of the user "CORP\alice", as well as other events related to actions performed using WinRM. In our case, the execution of the ipconfig.exe command generated openings of TCP connections as well as the creation/modifications of the Prefetch files.

Detection Rule Example

Splunk queries

To make the detection rule query, for each span time of 15 seconds, we can:

  • Search for the events ID 91 and event ID 400 where the PowerShell host application name contains the strings wsmprovhost.exe.
  • Count distinctly the number of event ID (this avoid to trigger the rule if two events with the same "eid" occur).
host="*" index="*" parser=winevtx eid=91 OR (eid=400 AND  host_application="*wsmprovhost.exe*")
| bin span=15s _time
| eventstats distinct_count(eid) as dis_count by _time
| where dis_count==2
| table _time eid report_desc dis_count

Both tests are displayed successfully by this requests:

| _time    | report_desc                                                                                                                                                                            | dis_count |
| 14:24:00 | **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\Windows\system32\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2         |
| 14:24:00 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'                                                        | 2         |
| 14:26:00 | **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\Windows\system32\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2         |
| 14:26:00 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'                                                        | 2         |

Another way to do it, is by using the Splunk transaction command. This command allow to find transaction that meet various constraints. In our example, the first event transaction must contains the event ID 91, the last event must contains the event ID 400 and the events in the transaction must span less than 5 seconds.

host="*" index="*" sourcetype="lexhunt_json" eid=91 OR (eid=400 AND  host_application="*wsmprovhost.exe*")
| transaction parser startswith=eid=91 endswith=eid=400 maxspan=5s
| table _time report_desc duration
| sort _time

| _time        | report_desc                                                                                                                                                                                                                                                                                                                      | duration |
| ----         | -----                                                                                                                                                                                                                                                                                                                            | ------   |
| 14:24:02.586 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'.  **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\\Windows\\system32\\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 2.663    |
| 14:26:02.828 | **[evtx/winrm/91]** Creating WSMan shell on server with ResourceURI: 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'.  **[evtx/powershell/400]** the PowerShell engine state hosted by application 'C:\\Windows\\system32\\wsmprovhost.exe -Embedding' with command line ''is changed from 'None' to 'Available'. | 1.234    |

Sigma rules

A Sigma rule already exists for this event (sigma/posh_pc_remote_powershell_session.yml at master · SigmaHQ/sigma).

sigma-cli >>> sigma convert -t splunk -p sysmon ../sigma/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
Parsing Sigma rules  [####################################]  100%
HostName="ServerRemoteHost" HostApplication="*wsmprovhost.exe*"

Cobalt Strike remote-exec wmi

The Cobalt Strike remote-exec wmi command allows the user to execute a command using WMI on the remote host without creating a persistent session with a Beacon. For this test, the command executed is calc.exe.

Sysmon Events

Just like in the case above, we start by observing what Sysmon logs so that we can later compare with extracted artifacts. The Sysmon events below have been filtered to the most useful.

Event ID 1 - Process Create

The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.

The process chain created by the remote-exec wmi commands is WmiPrvSE.exe -> <cmd>. In both of our tests, the program OpenWith.exe is also triggered a moment after by the parent process svchost.exe.

TimeDescription
14:28:02.523[evtx/sysmon/1] process created with command calc.exe (id 8180) by user 'CORP\alice' via C:\Windows\System32\wbem\WmiPrvSE.exe (id 10652)
14:28:03.017[evtx/sysmon/1] process created with command C:\Windows\system32\OpenWith.exe -Embedding (id 8624) by user 'CORP\alice' via C:\Windows\System32\svchost.exe (id 728)

Event ID 3 - Network Connection Detected

The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.

By default, WMI uses a randomly selected dynamic port range for TCP between 49152 and 65535.

TimeDescription
14:28:03.331[evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54136) to host '-' (192.168.56.117:135) (pid=832)
14:28:03.332[evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54138) to host '-' (192.168.56.117:49799) (pid=1760)
14:28:03.583[evtx/sysmon/3] tcp network connection from host '-' (192.168.56.117:49800) to host '-' (192.168.56.119:135) (pid=604)

Event ID 11 - File Create

File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.

The only interesting files created on the file system are the Preftech files.

TimeDescription
14:28:03.430[evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\CALC.EXE-77FDF17F.pf with user 'NT AUTHORITY\SYSTEM'
14:28:03.435[evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\OPENWITH.EXE-5C93E816.pf with user 'NT AUTHORITY\SYSTEM'

Findings

Winevtx - Microsoft-Windows-Security-Auditing

Without the audit policies enabled, there are not much events generated. However, in both tests, Windows recorded 4 short connections (event ID 4624) with the logon type '3' (Network) from the compromised account "CORP.LOCAL\alice". If correlated, this behavior may help during the investigation to support a hypothesis.

TimeDescription
14:28:02.083[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d811f): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:28:02.084[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-'
14:28:02.232[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8957): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:28:02.233[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d8957) with '-'
14:28:02.244[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d89bb): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:28:02.248[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d89bb) with '-'
14:28:02.481[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8bb6): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:28:02.481[evtx/sec/4624] user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x00000000004d8bb6) with '-'
14:28:17.079[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d811f) from logon type=3
14:28:41.727[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8957) from logon type=3
14:28:41.728[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d8bb6) from logon type=3
14:28:41.728[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000004d89bb) from logon type=3

Winevtx - DCOM

Because WMI uses DCOM to handle remote calls, related events may be generated. In our case we get an error about the permission for the COM server with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} (ShellServiceHostBrokerProvider). This error may be specific to the labs, even if the configuration is almost by default.

timeDescription
14:28:02.595[evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable
14:28:03.342[evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable
14:28:03.359[evtx/dcom/10016] the application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3480A401-BDE9-4407-BC02-798A866AC051} and APPID {30AD8C8E-AE85-42FA-B9E8-7E99E3DFBFC5} to the user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) from address LocalHost (Using LRPC) running in the application container Unavailable SID Unavailable

Prefetch files, USNjrnl and MFT

The Prefetch, USNjrnl and MFT artifacts shows that the calc.exe and openwith.exe programs have been executed.

TimeDescription
14:28:02.530[prefetch] Prefetch [CALC.EXE] was executed - run count 2 path hints: \WINDOWS\SYSTEM32\CALC.EXE hash: 0x77FDF17F volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
14:28:03.013[prefetch] Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
14:28:03.326[fs/mft][.a..] file \Windows\System32\en-US\OpenWith.exe.mui ($STANDARD_INFORMATION), MFT:46904-1, PARENT:
14:28:03.373[fs/mft][...b] file \Windows\Prefetch\CALC.EXE-77FDF17F.pf ($STANDARD_INFORMATION), MFT:108924-1, PARENT:
14:28:03.373[fs/mft][..c.] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2
14:28:03.373[fs/mft][m...] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2
14:28:03.373[fs/mft][...b] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2
14:28:03.373[fs/mft][.a..] file CALC.EXE-77FDF17F.pf ($FILE_NAME), MFT:108924-1, PARENT: 93711-2
14:28:03.423[fs/usnjrnl] file \Windows\Prefetch\CALC.EXE-77FDF17F.pf FILE_CREATE
14:28:03.434[fs/usnjrnl] file \Windows\Prefetch\OPENWITH.EXE-5C93E816.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION

Conclusion

This is probably the hardest Cobalt Strike command to detect because not many events are generated. The most accurate artifacts to know that the command remote-exec wmi has been executed are:

  • The openwith.exe observable among Prefetch files;
  • Many short successful logons (Microsoft Windows Security Auditing, event ID 4624) with logon type '3' (Network);
  • Some DCOM events, such as warnings (DCOM, event ID 10016).

Detection Rule Example

Splunk queries

To make the detection rule query, for each span time of 10 seconds, we can:

  • Search 1 event where the Prefetch executable name is openwith.exe
  • Search 4 logon connection (with logon type 3).

We cannot reuse the previous query because Prefetch events has no field "eid". The first attempt was this query:

host="*" index="*" (parser=prefetch AND executable="OPENWITH.EXE") OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=10s _time
| eventstats count by _time
| where count>=5
| table _time parser report_desc count
| sort _time

But it generates multiple false positives because 5 events with eid 4624 may occur in 10 seconds without the needed Prefetch events:

| _time    | parser   | report_desc                                                                                                                                                                                                      | count |
| 14:26:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ae65c) with '-'                                       | 5     |
| 14:26:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ae638) with '-'                                       | 5     |
| 14:26:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004ad37e) with '-'                                       | 5     |
| 14:26:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004acafc) with '-'                                       | 5     |
| 14:26:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '-' ('-') (logon_id=0x00000000004abf4b) with '-'                                       | 5     |
| 14:28:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD  device path: \VOLUME{01d80e8a80662822-228095fd}] | 5     |
| 14:28:00 | winevtx  | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x00000000004d8bb6) with '-'                             | 5     |
| 14:28:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d89bb) with '-'                          | 5     |
| 14:28:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d8957) with '-'                          | 5     |
| 14:28:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-'                          | 5     |

So, we need to count distinctly by parser as well:

host="*" index="*" (parser=prefetch AND executable="OPENWITH.EXE") OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=10s _time
| eventstats count by _time
| eventstats distinct_count(parser) as parser_dis_count by _time
| where parser_dis_count > 1 AND count >= 4
| table _time parser report_desc count parser_dis_count
| sort _time

The results:

| _time    | parser   | report_desc                                                                                                                                                                                                      | count | parser_dis_count |
| 14:28:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD  device path: \VOLUME{01d80e8a80662822-228095fd}] | 5     | 2                |
| 14:28:00 | winevtx  | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x00000000004d8bb6) with '-'                             | 5     | 2                |
| 14:28:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d89bb) with '-'                          | 5     | 2                |
| 14:28:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d8957) with '-'                          | 5     | 2                |
| 14:28:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000004d811f) with '-'                          | 5     | 2                |
| 14:30:00 | prefetch | **[prefetch]** Prefetch [OPENWITH.EXE] was executed - run count 3 path hints: \WINDOWS\SYSTEM32\OPENWITH.EXE hash: 0x5C93E816 volume: 1 [serial number: 0x228095FD  device path: \VOLUME{01d80e8a80662822-228095fd}] | 5     | 2                |
| 14:30:00 | winevtx  | **[evtx/sec/4624]** user 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('DC01') (logon_id=0x0000000000598fa4) with '-'                             | 5     | 2                |
| 14:30:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598ee4) with '-'                          | 5     | 2                |
| 14:30:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598ed0) with '-'                          | 5     | 2                |
| 14:30:00 | winevtx  | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x0000000000598e96) with '-'                          | 5     | 2                |

Other rules can be created by adding the DCOM events.

Cobalt Strike remote-exec psexec

The Cobalt Strike remote-exec psexec command allows the user to execute a command using PsExec on the remote host without creating a persistent session with a Beacon. It creates and start a service remotely with random Service Name1 and then passed on command as Service File Name. For this test, the command executed is notepad.exe.

Sysmon Events

One last time, as in the two previous cases, the Sysmon events are recorded in order to serve as elements of comparison with the other artifacts collected on the workstation. The Sysmon events below has been filtered to the most useful.

Event ID 1 - Process Creation

The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.

Cobalt Strike creates a service to run the arbitrary command with the SYSTEM rights so the process chain is services.exe -> notepad.exe.

TimeDescription
14:32:05.936[evtx/sysmon/1] process created with command notepad.exe (id 8516) by user 'NT AUTHORITY\SYSTEM' via C:\Windows\System32\services.exe (id 596)

Event ID 3 - Network Connection Detected

The network connection event logs TCP/UDP connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.

Two connections are recorded, one to the TCP port 135 and the second to a random TCP port.

TimeDescription
14:32:06.749[evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54206) to host '-' (192.168.56.117:135) (pid=832)
14:32:06.750[evtx/sysmon/3] tcp network connection from host '-' (192.168.56.119:54207) to host '-' (192.168.56.117:49692) (pid=596)

Event ID 11 - File Create

File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.

Because the process services.exe is already running, only one Prefetch file is generated.

TimeDescription
14:32:16.064[evtx/sysmon/11] process C:\Windows\system32\svchost.exe (pid=1860) created file C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf with user 'NT AUTHORITY\SYSTEM'

Event ID 13 - Registry Value Set

Registry key and value create and delete operations map to this event type.

Cobalt Strike creates a service to run the arbitrary command, so a registry key with a random name is created under HKLM\System\CurrentControlSet\Services\d8041e9 by the Services.exe process and the ImagePath is set to the arbitrary commands to execute.

TimeDescription
14:32:05.923[evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\ErrorControl value to DWORD (0x00000000)
14:32:05.923[evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\Start value to DWORD (0x00000003)
14:32:05.923[evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\Type value to DWORD (0x00000010)
14:32:05.925[evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\ObjectName value to LocalSystem
14:32:05.925[evtx/sysmon/13] registry event : user 'NT AUTHORITY\SYSTEM' process C:\Windows\system32\services.exe (pid 596) has set HKLM\System\CurrentControlSet\Services\d8041e9\ImagePath value to notepad.exe

Findings

Winevtx - Microsoft Windows Security Auditing

Without the audit policies enabled, there are not much events generated. Only one successful logons (event ID 4624) is recorded, with the logon type '3' (Network) from the compromised account "CORP.LOCAL\alice". If correlate, this behavior may help during the investigation to support an hypothesis.

TimeDescription
14:32:05.736[evtx/sec/4672] special privileges assigned to 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000005eda88): SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
14:32:05.819[evtx/sec/4624] user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000005eda88) with '-'
14:36:11.728[evtx/sec/4634] user logged off 'CORP\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) (logon_id=0x00000000005eda88) from logon type=3

Winevtx - Service Control Manager

In that particular case, the most useful Windows logs generated is the event ID 7045 (a service randomly named was installed by user 'LocalSystem'). In this case, we choose to run notpad.exe, but it would be interesting to monitor services.exe child process for malicious behavior like spawning system shells using cmd.exe and powershell.exe or some discovery behavior like whoami.exe, systeminfo.exe, net.exe, etc.

TimeDescription
14:32:05.920[evtx/sys/scm/7045] service 'd8041e9' (notepad.exe) was installed by user 'LocalSystem' (type: user mode service, start: demand start)

Prefetch and USNjrnl

The Prefetch files shows only the binary called by services.exe, and the only activity recorded by the USN journal is access to the Prefetch file.

TimeDescription
14:32:05.950[prefetch] Prefetch [NOTEPAD.EXE] was executed - run count 4 path hints: \WINDOWS\SYSTEM32\NOTEPAD.EXE hash: 0xD8414F97 volume: 1 [serial number: 0x228095FD device path: \VOLUME{01d80e8a80662822-228095fd}]
14:32:16.061[fs/usnjrnl] file \Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf CLOSE/DATA_EXTEND/DATA_TRUNCATION

Conclusion

The use of remote-exec psexec causes the installation of a randomly named service on the targeted host, which is particularly visible in the logs of the Service Control Manager: the 7045 event records the creation of the service as well as the name of the child process which is executed. Other artifacts may be correlated with the creation of this service, in particular the creation of Prefetch files associated with the child process, or the successful logon (event ID 4624) of the account used to create the malicious service.

Detection Rule Example

Splunk queries

In a forensics context, a simple query enumerating the services installed (Service Control Manager, event ID 7045) should be enough, the randomness of the service name and the child process visually identifying illegitimate services. However, you can also add to the query the successful logons (event ID 4624):

host="*" index="*" (parser=winevtx AND eid=7045) OR (parser=winevtx AND eid=4624 AND logon_type=3)
| bin span=1m _time
| eventstats distinct_count(eid) as dis_count by _time
| where dis_count==2
| table _time eid report_desc dis_count
| sort _time
| _time    | eid  | report_desc                                                                                                                                                                             | dis_count |
| 14:32:00 | 7045 | **[evtx/sys/scm/7045]** service 'd8041e9' (notepad.exe) was installed by user 'LocalSystem' (type: user mode service, start: demand start)                                                  | 2         |
| 14:32:00 | 4624 | **[evtx/sec/4624]** user 'CORP.LOCAL\alice' (S-1-5-21-1155457554-2149841727-2293290625-1108) successfully logon (type=3) from '192.168.56.119' ('-') (logon_id=0x00000000005eda88) with '-' | 2         |

Or you can select only the events where the service name is only 7 characters long:

host="*" index="blog" sourcetype="lexhunt_json" eid=7045
| eval service_name_len=len(service_name)
| where service_name_len==7
| table _time service_name
| sort _time
| _time        | service_name |
| 14:32:05.920 | d8041e9      |
| 14:34:07.311 | 8f0c55c      |

Part 1 - Conclusion

The hardest Cobalt Strike command to detect is probably the remote-exec wmi because it does not create a service like remote-exec psexec or use PowerShell like remote-exec winrm. We can notice that each remote-exec commands generated a specific number of successful logons to the victim (event id 4624). As a reminder, remote-exec commands can be triggered detecting the following behavior:

  • remote-exec winrm
  • A PowerShell execution (Microsoft Windows Powershell, event ID 600, 400, 403) host by the application C:\Windows\system32\wsmprovhost.exe -Embedding;
  • A WinRM connection received (Microsoft Windows WinRM, event ID 91);
  • Execution traces of the \Windows\SysWOW64\wsmprovhost.exe binary, visible in the MFT, the USN journal or even the Prefetch files;
  • Many successful logons (Microsoft Windows Security Auditing, event ID 4624) with logon type '3' (Network).
  • remote-exec wmi
  • The openwith.exe observable among Prefetch files;
  • Many short successful logons (Microsoft Windows Security Auditing, event ID 4624) with logon type '3' (Network);
  • Some DCOM events, such as warnings (DCOM, event ID 10016).
  • remote-exec psexec
  • The installation of a randomly named service (Service Control Manager, event ID 7045) running suspicious binaries;
  • One successful logon (Microsoft Windows Security Auditing, event ID 4624) with logon type '3' (Network).

To detect lateral movements more efficiently, we advise installing Sysmon with a custom configuration and/or to activate more audit policies.

References:


  1. By default the command elevate svc-exe, jump psexec, jump psexec64, jump psexec_psh and remote-exec psexec use a service name that consists of random letters and numbers. The Cobalt Strike Aggressor Script PSEXEC_SERVICE hook allows you to change this behavior.