The binary dropped on the file system depends on the tool used, but it can be changed to anything by the attacker. As a consequence, it may be interesting to seek for this entry on the Windows computer originating the compromise. For instance, this is the event ID 7045 content for the execution of the psexec.py command: ServiceName IcsJĮvery SysInternals tools require the user to accept the End-User License Agreement (EULA), and stores the acceptance in value EulaAccepted within the registry key HKCU\Software\Sysinternals\TOOLNAME where TOOLNAME is the name of the executed tool. The SysInternals PsExec starts a service that is named PsExeSvc by default 4 whereas Impacket’s psexec.py tool spawns a process with a randomly generated 4-characters name. Note that the MFT may not contain tracks of this file because the entry is reallocated x:\> DFIR-Orc.exe USNInfo /out=x:\usn.cvs /logfile=x:\usn.log c:\ The USN (Update Sequence Number) 3 journal contains entries for the executable that is dropped on the disk. ![]() As such, it is interesting to get the list of running processes and their arguments. However, depending on the closure of the tool, the service and/or the executable may be incorrectly removed. Please note that there is no event when the PsExec tool removes the service. Several other states can be recorded, and are listed in. Once the attack is completed (shell terminated), the same event with %2 valuing “stopped” is issued. The latest event is generally followed by the following event once the service has started: Provider When the service is created, the following event is generated : ProviderĬontains the Service Name, the executable name and account running the service User must have SC_MANAGER_CREATE_SERVICE or SC_MANAGER_ALL_ACCESS on SCM (Service Control Manager), which is the case by default for Administrators and SYSTEM accounts 2 The following events are generated at user logon: Provider Several artifacts are linked to the operation mode of the attack: ![]() Several tools implementing PsExec techniques exist and some specific artifacts can be retrieved, even with a default event log policy. All rights reserved.Ĭ:\Windows\system32 Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0 Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation These differences are explained in the next paragraph. There are slight differences between the two implementations hereafter.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |