asked on
Eventlog example related malware attack
I'm looking for Windows Eventlog (in Active Directory DC) related "pass-the-ticket"(Golden/S
Where can I find out or get example evtx file ?
Where can I find out or get example evtx file ?
Windows Server 2016Windows OSSecurity* malware
Last Comment
Nobuo Miwa
Create a test domain in hyper-v.
This give the baseline and the differential without and with the pass the hash scenario.
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
You will see events 4648, 4624, and 4672 the same as if I was doing legitimate NTLM authentication. However, there are a few key differences.
First, the 4624 event will have a Logon Type of 9. This is a NewCredential logon type and a very useful way to identify that a pass-the-hash took place.
Logon Type 9 is very rare. However, I was able to generate some false positives running applications that use impersonation. The main difference to key off of is the Logon Process will always be “seclogo” for pass-the-hash (from my tests), so you can filter on that to reduce false positive rates.
With Sysmon in place when a pass-the-hash occurs you will see Event ID 10 showing access to the LSASS process from Mimikatz or your pass-the-hash tool of choice.
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
ASKER
Thank you btan, I've already checked out your blog.
I want to test my program to detect PTH with real evx file with noise (that I need not to detect).
My question is where to find out evtx file that includes PTH attack and other normal event(noise).
I want to test my program to detect PTH with real evx file with noise (that I need not to detect).
My question is where to find out evtx file that includes PTH attack and other normal event(noise).
The events of Windows event log are stored in .evtx files, and you can usually find them in C:\windows\system32\winevt\Logs . You can extract the events using FullEventLogView from .evtx files stored in your local system (As long as they are not locked and you have read permission) and from .evtx files stored on external drive.
Export all events stored in .evtx files with the specified Event IDs (like say 7000,7036,3005,4001,4002).
'/DataSource 3' requests to load events from a folder with .evtx files,
'/TimeFilter 0' requests to load without time filter, and
'/EventIDFilter 2' means - don't load the events with the Event IDs specified in /EventIDFilterStr e.g
FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*" /EventIDFilter 2 /EventIDFilterStr "7000,7036,3005,4001,4002"
Export all events stored in .evtx files with the specified Event IDs (like say 7000,7036,3005,4001,4002).
'/DataSource 3' requests to load events from a folder with .evtx files,
'/TimeFilter 0' requests to load without time filter, and
'/EventIDFilter 2' means - don't load the events with the Event IDs specified in /EventIDFilterStr e.g
FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*" /EventIDFilter 2 /EventIDFilterStr "7000,7036,3005,4001,4002"
ASKER
Thank you btan,
In you blog PtH and normal situation, PtH has only 4776 and normal has 4768,4769,4776.
So can I detect PTh 4776 without 4768,4769 ?
I will reproduce PTh with mimikatz though.
In you blog PtH and normal situation, PtH has only 4776 and normal has 4768,4769,4776.
So can I detect PTh 4776 without 4768,4769 ?
I will reproduce PTh with mimikatz though.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Nobuo, I will ask since you did not react to my suggestion: are you able to use a test domain? It would be best to do so in order to do live testing and detecting.
ASKER
Thanks Experts.
I built my own network with DC,WS and run mimikatz.
I could see several eventlog for test.
Thank you.
I built my own network with DC,WS and run mimikatz.
I could see several eventlog for test.
Thank you.