Nobuo Miwa
 asked on

Eventlog example related malware attack

I'm looking for Windows Event Log entries (from an Active Directory DC) related to "pass-the-ticket" (Golden/Silver Ticket) attacks, for testing my hunter script.
Where can I find or get an example .evtx file?
Tags: Windows Server 2016, Windows OS, Security, malware

Last comment: Nobuo Miwa, 8/22/2022 (Mon)
McKnife

Create a test domain in Hyper-V.
btan

This gives the baseline and the differential without and with the pass-the-hash scenario.

You will see events 4648, 4624, and 4672 the same as if I was doing legitimate NTLM authentication. However, there are a few key differences.

First, the 4624 event will have a Logon Type of 9. This is a NewCredentials logon type and a very useful way to identify that a pass-the-hash took place.

Logon Type 9 is very rare. However, I was able to generate some false positives running applications that use impersonation. The main difference to key off of is that the Logon Process will always be "seclogo" for pass-the-hash (from my tests), so you can filter on that to reduce false positive rates.

With Sysmon in place, when a pass-the-hash occurs you will see Event ID 10 showing access to the LSASS process from Mimikatz or your pass-the-hash tool of choice.

https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
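The indicators listed in the reply above (4624 with Logon Type 9, the "seclogo" logon process, and Sysmon Event ID 10 touching LSASS) can be turned into a small rule set. The following is an added example written for this page; it is not code from the original answer, from the linked blog, or from the asker's hunter script. It works on event records already parsed into Python dicts, using the Security log and Sysmon field names (LogonType, LogonProcessName, SourceImage, TargetImage); the RecordID and Channel keys and all sample events are constructed for the example.

```python
"""Toy detector for the pass-the-hash indicators described in the answer above.

Input records are dicts shaped like the EventData section of an exported .evtx
record. The sample data below is constructed for this example, not real logs.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

LSASS = "lsass.exe"


@dataclass
class Finding:
    record_id: int
    event_id: int
    reason: str
    confidence: str  # "high" or "low"


def check_event(ev: dict) -> Optional[Finding]:
    """Apply the indicators from the answer to one event record."""
    eid = ev["EventID"]

    if ev["Channel"] == "Security" and eid == 4624:
        # 4648 and 4672 also appear during legitimate NTLM logons, so only the
        # rare Logon Type 9 (NewCredentials) is treated as a signal here.
        if ev.get("LogonType") != "9":
            return None
        # Real 4624 records sometimes pad LogonProcessName with spaces.
        proc = ev.get("LogonProcessName", "").strip()
        if proc.lower() == "seclogo":
            return Finding(ev["RecordID"], eid,
                           "4624 Logon Type 9 via seclogo (pass-the-hash pattern)",
                           "high")
        # Type 9 from another logon process: possible impersonation false positive.
        return Finding(ev["RecordID"], eid,
                       f"4624 Logon Type 9 via {proc} (possible impersonation)",
                       "low")

    if ev["Channel"] == "Microsoft-Windows-Sysmon/Operational" and eid == 10:
        target = ev.get("TargetImage", "").lower()
        if target == LSASS or target.endswith("\\" + LSASS):
            return Finding(ev["RecordID"], eid,
                           f"Sysmon 10: {ev.get('SourceImage')} opened a handle to LSASS",
                           "high")

    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run check_event over a stream of records and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample: one normal network logon, one pass-the-hash sequence
# (4648 -> 4624 type 9/seclogo -> 4672), a Sysmon LSASS access, and an
# impersonation-style type 9 logon that should only rate "low".
SAMPLE_EVENTS = [
    {"RecordID": 1, "Channel": "Security", "EventID": 4624, "LogonType": "3",
     "LogonProcessName": "NtLmSsp ", "TargetUserName": "alice"},
    {"RecordID": 2, "Channel": "Security", "EventID": 4648, "TargetUserName": "admin"},
    {"RecordID": 3, "Channel": "Security", "EventID": 4624, "LogonType": "9",
     "LogonProcessName": "seclogo", "TargetUserName": "admin"},
    {"RecordID": 4, "Channel": "Security", "EventID": 4672, "SubjectUserName": "admin"},
    {"RecordID": 5, "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": "C:\\Tools\\example.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"RecordID": 6, "Channel": "Security", "EventID": 4624, "LogonType": "9",
     "LogonProcessName": "Advapi  ", "TargetUserName": "svc_app"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id} event {f.event_id} [{f.confidence}] {f.reason}")
```

On the sample above, records 3 and 5 come out as high-confidence hits and record 6 as a low-confidence one; record 1 (an ordinary type 3 logon) and the surrounding 4648/4672 records are deliberately ignored, which is the noise the asker wants a hunter script to stay quiet on. To run it against a real export, feed the output of an .evtx-to-XML or .evtx-to-CSV converter into dicts with the same keys.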
Nobuo Miwa

ASKER
Thank you btan, I've already checked out your blog.
I want to test my program for detecting PtH with a real .evtx file that contains noise (events I do not need to detect).
My question is where to find an .evtx file that includes a PtH attack along with other normal events (noise).
btan

The events of the Windows event log are stored in .evtx files, and you can usually find them in C:\windows\system32\winevt\Logs . You can extract the events using FullEventLogView from .evtx files stored on your local system (as long as they are not locked and you have read permission) and from .evtx files stored on an external drive.

Export all events stored in .evtx files with the specified Event IDs (say 7000, 7036, 3005, 4001, 4002):
 '/DataSource 3' requests to load events from a folder with .evtx files,
 '/TimeFilter 0' requests to load without a time filter, and
 '/EventIDFilter 2' means: don't load the events with the Event IDs specified in /EventIDFilterStr, e.g.

FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*" /EventIDFilter 2 /EventIDFilterStr "7000,7036,3005,4001,4002"
Nobuo Miwa

ASKER
Thank you btan,
In your blog's PtH and normal scenarios, PtH has only 4776 while normal has 4768, 4769, 4776.
So can I detect PtH by 4776 without 4768 and 4769?
I will reproduce PtH with mimikatz though.
ASKER CERTIFIED SOLUTION
btan

McKnife

Nobuo, I will ask since you did not react to my suggestion: are you able to use a test domain? It would be best to do so for live testing and detection.
Nobuo Miwa

ASKER
Thanks Experts.

I built my own network with a DC and a workstation and ran mimikatz.
I could see several event log entries for testing.

Thank you.