10.B) Registry Run Keys / Startup Folder #25

Open
Cyb3rWard0g opened this issue May 2, 2020 · 3 comments
Comments

@Cyb3rWard0g (Contributor)

Description

The payload in the Startup folder executes a follow-on payload using a stolen token (T1106, T1134).

@Cyb3rWard0g (Contributor, Author)

10.B.1 Registry Run Keys / Startup Folder

Procedure: Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria: Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder

@Cyb3rWard0g (Contributor, Author) commented May 17, 2020

10.B.2 Execution through API

Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API

No evidence showing that specific API. However, we can see a few events around the Secondary Logon service.

```sql
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND LOWER(Message) LIKE '%seclogon%'
```

Results

```text
 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:19:49.376
ProcessGuid: {47ab858c-e6ad-5eac-0b00-000000000500}
ProcessId: 736
Image: C:\windows\system32\services.exe
TargetObject: HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\4\52C64B7E\@%SystemRoot%\system32\seclogon.dll,-7001
Details: Secondary Logon
---------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 03:21:27.646
ProcessGuid: {47ab858c-e737-5eac-fd00-000000000500}
ProcessId: 8552
Image: C:\Windows\System32\svchost.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: svchost.exe
CommandLine: C:\windows\system32\svchost.exe -k netsvcs -p -s seclogon
CurrentDirectory: C:\windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {47ab858c-e6ad-5eac-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
ParentProcessGuid: {47ab858c-e6ad-5eac-0b00-000000000500}
ParentProcessId: 736
ParentImage: C:\Windows\System32\services.exe
ParentCommandLine: C:\windows\system32\services.exe
---------
 Message | Image loaded:
RuleName: -
UtcTime: 2020-05-02 03:21:27.728
ProcessGuid: {47ab858c-e737-5eac-fd00-000000000500}
ProcessId: 8552
Image: C:\Windows\System32\svchost.exe
ImageLoaded: C:\Windows\System32\seclogon.dll
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Secondary Logon Service DLL
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: SECLOGON.EXE
Hashes: SHA1=727438B3F418A35750711DAE7E067F1281B7A2D5,MD5=512FD6039A256324A745DF4FA01D5D02,SHA256=5EDDB6B714C2D35085D09BFDA3FED3365385B949DD62C6A405EC161C9F9AC2EA,IMPHASH=B4CC945C4478763CC6A46E35E4598994
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
---------
 Message | Process accessed:
RuleName: -
UtcTime: 2020-05-02 03:21:27.837
SourceProcessGUID: {47ab858c-e737-5eac-fd00-000000000500}
SourceProcessId: 8552
SourceThreadId: 8580
SourceImage: C:\windows\system32\svchost.exe
TargetProcessGUID: {47ab858c-e737-5eac-fa00-000000000500}
TargetProcessId: 8452
TargetImage: C:\Windows\System32\hostui.exe
GrantedAccess: 0x14C0
CallTrace: C:\windows\SYSTEM32\ntdll.dll+9c584|C:\windows\System32\KERNELBASE.dll+2732e|c:\windows\system32\seclogon.dll+128f|c:\windows\system32\seclogon.dll+10a0|C:\windows\System32\RPCRT4.dll+76953|C:\windows\System32\RPCRT4.dll+da036|C:\windows\System32\RPCRT4.dll+37a4c|C:\windows\System32\RPCRT4.dll+548c8|C:\windows\System32\RPCRT4.dll+2c921|C:\windows\System32\RPCRT4.dll+2c1db|C:\windows\System32\RPCRT4.dll+1a86f|C:\windows\System32\RPCRT4.dll+19d1a|C:\windows\System32\RPCRT4.dll+19301|C:\windows\System32\RPCRT4.dll+18d6e|C:\windows\System32\RPCRT4.dll+169a5|C:\windows\SYSTEM32\ntdll.dll+3346d|C:\windows\SYSTEM32\ntdll.dll+341c2|C:\windows\System32\KERNEL32.DLL+17bd4|C:\windows\SYSTEM32\ntdll.dll+6ced1
---------
 Message | Process accessed:
RuleName: -
UtcTime: 2020-05-02 03:21:27.853
SourceProcessGUID: {47ab858c-e737-5eac-fd00-000000000500}
SourceProcessId: 8552
SourceThreadId: 8580
SourceImage: C:\windows\system32\svchost.exe
TargetProcessGUID: {47ab858c-e737-5eac-fe00-000000000500}
TargetProcessId: 8588
TargetImage: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\windows\SYSTEM32\ntdll.dll+9d934|C:\windows\System32\KERNELBASE.dll+5f42a|C:\windows\System32\KERNELBASE.dll+5b4d3|C:\windows\System32\KERNEL32.DLL+1c9af|c:\windows\system32\seclogon.dll+17fd|c:\windows\system32\seclogon.dll+10a0|C:\windows\System32\RPCRT4.dll+76953|C:\windows\System32\RPCRT4.dll+da036|C:\windows\System32\RPCRT4.dll+37a4c|C:\windows\System32\RPCRT4.dll+548c8|C:\windows\System32\RPCRT4.dll+2c921|C:\windows\System32\RPCRT4.dll+2c1db|C:\windows\System32\RPCRT4.dll+1a86f|C:\windows\System32\RPCRT4.dll+19d1a|C:\windows\System32\RPCRT4.dll+19301|C:\windows\System32\RPCRT4.dll+18d6e|C:\windows\System32\RPCRT4.dll+169a5|C:\windows\SYSTEM32\ntdll.dll+3346d|C:\windows\SYSTEM32\ntdll.dll+341c2|C:\windows\System32\KERNEL32.DLL+17bd4|C:\windows\SYSTEM32\ntdll.dll+6ced1
```

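The correlation the comment above reaches for (svchost.exe with seclogon.dll on its call stack opening hostui.exe with 0x14C0 and then powershell.exe with 0x1FFFFF on the same thread) can be reconstructed from the Sysmon Event ID 10 messages alone. The following Python is an added example, not code from the issue or from the dataset project: it parses Message blocks in the Key: Value layout shown and pairs the limited-rights open of the RPC client with the full-access open of the spawned process on the same service thread. The sample messages are constructed and shortened, and the window_s pairing window is an assumed tuning value.

```python
from datetime import datetime

# Constructed sample (not the page's data): two Sysmon "Process accessed" (Event ID 10)
# messages in the Key: Value layout shown above, with CallTrace values shortened.
SAMPLE = [
    "Process accessed:\nUtcTime: 2020-05-02 03:21:27.837\nSourceThreadId: 8580\n"
    "SourceImage: C:\\windows\\system32\\svchost.exe\n"
    "TargetImage: C:\\Windows\\System32\\hostui.exe\nGrantedAccess: 0x14C0\n"
    "CallTrace: ntdll.dll+9c584|seclogon.dll+128f|RPCRT4.dll+76953",
    "Process accessed:\nUtcTime: 2020-05-02 03:21:27.853\nSourceThreadId: 8580\n"
    "SourceImage: C:\\windows\\system32\\svchost.exe\n"
    "TargetImage: C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "GrantedAccess: 0x1FFFFF\nCallTrace: ntdll.dll+9d934|KERNEL32.DLL+1c9af|seclogon.dll+17fd",
]
PROCESS_ALL_ACCESS = 0x1FFFFF  # the GrantedAccess seen on the powershell.exe open above

def parse_message(msg):
    """Split a multi-line Sysmon Message into a dict; the first line is the event name."""
    head, *rest = msg.strip().splitlines()
    fields = {"EventName": head.rstrip(":")}
    for line in rest:
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields

def seclogon_launches(messages, window_s=2.0):
    """Return (client_image, spawned_image) pairs where the Secondary Logon service
    (svchost.exe with seclogon.dll on the stack) opened an RPC client with limited
    rights and then, on the same thread within window_s, a new process with all access."""
    events = [parse_message(m) for m in messages]
    relevant = sorted((e for e in events if e["EventName"] == "Process accessed"
                       and e["SourceImage"].lower().endswith("\\svchost.exe")
                       and "seclogon.dll" in e["CallTrace"].lower()),
                      key=lambda e: e["UtcTime"])
    launches, last_client = [], {}  # last_client: SourceThreadId -> limited-rights open
    for e in relevant:
        tid = e["SourceThreadId"]
        if e["GrantedAccess"] != PROCESS_ALL_ACCESS:
            last_client[tid] = e  # remember the caller opened with limited rights
            continue
        client = last_client.get(tid)
        if client and (e["UtcTime"] - client["UtcTime"]).total_seconds() <= window_s:
            launches.append((client["TargetImage"], e["TargetImage"]))
    return launches

if __name__ == "__main__":
    for client, spawned in seclogon_launches(SAMPLE):
        print(f"{client} -> {spawned} (spawned by the Secondary Logon service)")
```

On the full dataset the same function runs over every Message returned by the query above; a pair whose client is not a known elevation helper is the one worth triaging.
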
@Cyb3rWard0g (Contributor, Author)

10.B.3 Access Token Manipulation

Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
