DCsync | Network | Security | Pass The Hash | SIEM | Splunk
Scenario:
As a SOC analyst, you aim to investigate a security breach in an Active Directory network using the Splunk SIEM (Security Information and Event Management) solution to uncover the attacker’s steps and techniques while building a timeline of their activities. The investigation begins with network enumeration to identify potential vulnerabilities. Using a specialized privilege escalation tool, the attacker exploited an unquoted service path vulnerability in a specific process.
Once the attacker had elevated access, the attacker launched a DCsync attack to extract sensitive data from the Active Directory domain controller, compromising user accounts. The attacker employed evasion techniques to avoid detection and utilized a pass-the-hash (pth) attack to gain unauthorized access to user accounts. Pivoting through the network, the attacker explored different systems and established persistence.
Details:
Category: Threat Hunting
Difficulty: Medium
What is the name of the compromised account?
I used this query, which gave me the answer right away.
EventID=4625: “will search for failed logins”
Status=0x000006d: “This is either due to a bad username or incorrect authentication information”
host=client02: “Because there were many failed attempts against this host” (see next question)
What is the name of the compromised machine?
The query was explained in the previous question.
What tool did the attacker use to enumerate the environment?
I knew that Bloodhound (as it is common in Active Directory attacks) might be what we are looking for, so I searched for it in the logs, and I found it.
But if you are looking for the logical way, just search the PowerShell Operational log for event ID 4104 (script block logging, the ID for PowerShell execution), then look at the ScriptBlockText field, and boom, you will see Bloodhound with the Invoke command.
The attacker used an unquoted service path to escalate privileges. What is the name of the vulnerable service?
That question was enjoyable.
Let’s start using our brains. The question says the attacker used an unquoted service path to escalate his privileges. At first, I didn’t know what was meant by an unquoted service path. I looked it up, and it seems that if you have a service that by default executes a file in C:\Program Files\,
he can just create an executable like C:\programfiles.exe and the service will execute it with the high privileges it has, since the service runs as a high-privilege user.
For more details, check Privilege Escalation — Unquoted Service Path (Windows) | VK9 Security (vk9-sec.com).
Then, let’s look at the steps attackers go through to carry out such an attack.
They normally grant write permissions to the vulnerable directory. What I did was just search for the GRANT keyword,
and that command popped up, so we now know that the Basic Monitoring directory is the attacker’s target. Filtering for it, you’re going to get this handsome boy.
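To make the mechanism concrete, here is an added audit script (not from the original write-up) that flags services whose unquoted ImagePath contains spaces and lists the intermediate paths Windows tries first, which a defender should confirm are absent and not writable by standard users. The service list is constructed sample data standing in for what `sc qc` or the Services registry keys would report.

```python
"""Audit service ImagePath values for the unquoted-service-path weakness.

Added example, not from the write-up. The input is a constructed list of
(service, ImagePath) pairs standing in for what `sc qc` or the
HKLM\\SYSTEM\\CurrentControlSet\\Services registry keys would report.
"""
import re

# Constructed sample: a quoted path, a path without spaces, and a vulnerable one.
SERVICES = [
    ("VendorSvc", '"C:\\Program Files\\Vendor App\\svc.exe" -k netsvcs'),
    ("Spooler", "C:\\Windows\\System32\\spoolsv.exe"),
    ("BasicMon", "C:\\Program Files\\Basic Monitoring\\monitor.exe -svc"),
]


def unquoted_executable(image_path):
    """Return the executable path if it is unquoted and contains spaces, else None."""
    path = image_path.strip()
    if path.startswith('"'):
        return None  # a quoted path is resolved as a single token
    m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    exe = m.group(1) if m else path.split(" ")[0]
    return exe if " " in exe else None


def lookup_order(exe):
    """Paths CreateProcess tries before the intended binary: every space in an
    unquoted path is a possible end of the executable name."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit(services):
    """Map each vulnerable service to the paths that must be absent and
    non-writable for the service to be safe."""
    findings = {}
    for name, image_path in services:
        exe = unquoted_executable(image_path)
        if exe:
            findings[name] = lookup_order(exe)
    return findings


if __name__ == "__main__":
    for svc, paths in audit(SERVICES).items():
        print(svc, "->", paths)  # BasicMon -> ['C:\\Program.exe', 'C:\\Program Files\\Basic.exe']
```

The first candidate for the sample service is C:\Program.exe, which is exactly the file that shows up in the process logs later in this write-up.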
What is the SHA256 of the executable that escalates the attacker's privileges?
Filtering for the process, you will see the process running and also the process used to run C:\Program.exe, which seems malicious.
Submitting the hash of Program.exe, and it was right.
You can get the hashes from the hashes field or by expanding the record to see the details.
When did the attacker download fun.exe? (24H-UTC)
Just by searching for the file name, you will find that Windows Defender has caught the process for us, along with the creation time.
What is the command line used to launch the DCSync attack?
After searching for DCSync, you’ll find that it is a command run by fun.exe, LOL.
What is the original name of fun.exe?
Getting more details from the command line above, you will find this.
Note: if you know the Mimikatz commands, as soon as you see dcsync you will know that the fun process is actually Mimikatz, without needing more context.
Mimikatz provides a variety of ways to extract and manipulate credentials, but one of the most alarming is the DCSync command.
The attacker performed the Over-Pass-The-Hash technique. What is the AES256 hash of the account he attacked?
Searching with the hash name “aes256”, you will get this output:
You will notice that he passed the hash to get access to multiple accounts. I tried to submit the AES hash for Administrator, but it was wrong. Then I tried Mohamed’s AES hash, and it was the right one :"
I genuinely don’t know why Mohamed and not Administrator, maybe because of the time, idk but it is what it is 😃
What service did the attacker abuse to access the Client03 machine as an administrator?
In the same search result from above, you will notice this:
You will know that this is the service because of the answer template.
The Client03 machine spawned a new process when the attacker logged on remotely. What is the process name?
I spent so much time on this one because I didn’t understand the question.
So, he is asking for the process name, which you can find using this simple query:
host=client03 logged
whoami.exe
Easy, right? Well, that’s the naughty part: he meant the parent process of whoami, not whoami itself, which is
The attacker compromises the it-support account. What was the logon type?
I just did my research on logon types.
So it’s either a Service or a NewCredentials logon. I could just try both of them, but let’s try something better.
After searching for logon-type fields, you will find this guy.
Checking 9 and 5, you will notice that 9 is the closest to the answer.
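The hunt steps in this write-up (failed logons with status 0xC000006D on a host, 4104 script blocks invoking Bloodhound, the fun.exe DCSync command line, and the logon type of the it-support account) are easy to express as field checks over Windows events. The following is an added example, not the author’s Splunk searches: it runs those checks over constructed event records using the field names the Splunk Windows add-on extracts; every host, account and command line below is sample data.

```python
"""Triage constructed Windows Security / PowerShell events for the hunt steps above.

Added example, not the author's Splunk searches. Each record carries the fields
the Splunk Windows add-on extracts; all values are constructed sample data.
"""
from collections import Counter

EVENTS = [  # constructed sample telemetry, not from the original investigation
    {"EventCode": 4625, "host": "client02", "Account_Name": "user01", "Status": "0xC000006D"},
    {"EventCode": 4625, "host": "client02", "Account_Name": "user01", "Status": "0xC000006D"},
    {"EventCode": 4625, "host": "client02", "Account_Name": "user01", "Status": "0xC000006D"},
    {"EventCode": 4625, "host": "dc01", "Account_Name": "svc_backup", "Status": "0xC000006D"},
    {"EventCode": 4104, "host": "client02",
     "ScriptBlockText": "Invoke-BloodHound -CollectionMethod All"},
    {"EventCode": 4688, "host": "client02", "New_Process_Name": "C:\\Users\\Public\\fun.exe",
     "Process_Command_Line": 'fun.exe "lsadump::dcsync /domain:example.local /user:Administrator"',
     "Creator_Process_Name": "C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": 4624, "host": "client03", "Account_Name": "it-support", "Logon_Type": 9},
    {"EventCode": 4624, "host": "client03", "Account_Name": "it-support", "Logon_Type": 3},
]


def failed_logon_spray(events, status="0xC000006D", threshold=3):
    """(host, account) pairs with at least `threshold` 4625 failures carrying the
    given NTSTATUS; 0xC000006D is 'bad username or authentication information'."""
    counts = Counter((e["host"], e["Account_Name"]) for e in events
                     if e["EventCode"] == 4625 and e.get("Status") == status)
    return {k: n for k, n in counts.items() if n >= threshold}


def powershell_tooling(events, markers=("invoke-bloodhound", "sharphound")):
    """4104 script blocks that mention known AD enumeration tooling."""
    return [e["ScriptBlockText"] for e in events if e["EventCode"] == 4104
            and any(m in e["ScriptBlockText"].lower() for m in markers)]


def dcsync_commands(events):
    """4688 process creations whose command line carries a DCSync request,
    returned with the parent so the launching shell is visible too."""
    return [(e["New_Process_Name"], e["Creator_Process_Name"], e["Process_Command_Line"])
            for e in events if e["EventCode"] == 4688
            and "dcsync" in e["Process_Command_Line"].lower()]


def logon_types(events, account):
    """Distinct 4624 logon types seen for an account; 9 (NewCredentials) is the
    type a pass-the-hash style logon produces, 5 would be a Service logon."""
    return sorted({e["Logon_Type"] for e in events
                   if e["EventCode"] == 4624 and e["Account_Name"] == account})
```

Each function returns the records a SOC analyst would then pivot on in Splunk: the sprayed host and account, the enumeration script block, the DCSync process with its parent, and the NewCredentials logon for the abused account.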
What ticket name did the attacker generate to access the parent DC as Administrator?
Filter for Administrator and ticket, and you will get the sauce in the first result.
Anyway, Cya geeks