Link to home
Create AccountLog in
Avatar of Nobuo Miwa
Nobuo Miwa

asked on

Eventlog example related malware attack

I'm looking for Windows Eventlog (in Active Directory DC) related "pass-the-ticket"(Golden/Silver Ticket) for testing my hunter script.
Where can I find out or get example evtx file ?
Avatar of McKnife
McKnife
Flag of Germany image

Create a test domain in hyper-v.
Avatar of btan
btan

This give the baseline and the differential without and with the pass the hash scenario.

You will see events 4648, 4624, and 4672 the same as if I was doing legitimate NTLM authentication.  However, there are a few key differences. 

First, the 4624 event will have a Logon Type of 9.  This is a NewCredential logon type and a very useful way to identify that a pass-the-hash took place. 

 Logon Type 9 is very rare.  However, I was able to generate some false positives running applications that use impersonation.  The main difference to key off of is the Logon Process will always be “seclogo” for pass-the-hash (from my tests), so you can filter on that to reduce false positive rates.  

With Sysmon in place when a pass-the-hash occurs you will see Event ID 10 showing access to the LSASS process from Mimikatz or your pass-the-hash tool of choice.

https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
Avatar of Nobuo Miwa

ASKER

Thank you btan, I've already checked out your blog.
I want to test my program to detect PTH with real evx file with noise (that I need not to detect).
My question is where to find out evtx file that includes PTH attack and other normal event(noise).
The events of Windows event log are stored in .evtx files, and you can usually find them in C:\windows\system32\winevt\Logs . You can extract the events using FullEventLogView from .evtx files stored in your local system (As long as they are not locked and you have read permission) and from .evtx files stored on external drive.

Export all events stored in .evtx files with the specified Event IDs (like say 7000,7036,3005,4001,4002).
 '/DataSource 3' requests to load events from a folder with .evtx files,
 '/TimeFilter 0' requests to load without time filter, and 
'/EventIDFilter 2' means - don't load the events with the Event IDs specified in /EventIDFilterStr e.g  

FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*" /EventIDFilter 2 /EventIDFilterStr "7000,7036,3005,4001,4002"
Thank you btan,
In you blog PtH and normal situation, PtH has only 4776 and normal has 4768,4769,4776.
So can I detect PTh 4776 without 4768,4769 ?
I will reproduce PTh with mimikatz though.
ASKER CERTIFIED SOLUTION
Avatar of btan
btan

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Nobuo, I will ask since you did not react to my suggestion: are you able to use a test domain? It would be best to do so in order to do live testing and detecting.
Thanks Experts.

I built my own network with DC,WS and run mimikatz.
I could see several eventlog for test.

Thank you.