
Event log example related to a malware attack

I'm looking for Windows event logs (from an Active Directory DC) related to "pass-the-ticket" (Golden/Silver Ticket) for testing my hunter script.
Where can I find or get an example evtx file?


Commented:
Create a test domain in hyper-v.
btan, Exec Consultant

Commented:
This gives the baseline and the differential without and with the pass-the-hash scenario.

You will see events 4648, 4624, and 4672 the same as if I was doing legitimate NTLM authentication. However, there are a few key differences.

First, the 4624 event will have a Logon Type of 9. This is a NewCredentials logon type and a very useful way to identify that a pass-the-hash took place.

Logon Type 9 is very rare. However, I was able to generate some false positives running applications that use impersonation. The main difference to key off of is that the Logon Process will always be "seclogo" for pass-the-hash (from my tests), so you can filter on that to reduce false positive rates.

With Sysmon in place when a pass-the-hash occurs you will see Event ID 10 showing access to the LSASS process from Mimikatz or your pass-the-hash tool of choice.

https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
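A small hunter that applies the indicators from this answer (EventID 4624 with LogonType 9 and Logon Process "seclogo") to Windows Security event XML, as an added example that is not part of the thread or the linked blog; the records it scans are constructed test data in the standard event XML layout, including the impersonation-style false positive mentioned above.

```python
# Added example: pass-the-hash hunter over Windows Security event XML records.
# Indicator (from the answer above): EventID 4624, LogonType 9, LogonProcessName "seclogo".
# The XML records below are constructed test data, not real captures.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) from one Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def is_pth_candidate(event_id, data):
    """Flag a 4624 logon with LogonType 9 whose logon process is seclogo."""
    return (event_id == 4624
            and data.get("LogonType", "").strip() == "9"
            and data.get("LogonProcessName", "").strip().lower() == "seclogo")


def hunt(records):
    """Return the TargetUserName of every record matching the indicator."""
    hits = []
    for xml_text in records:
        event_id, data = parse_event(xml_text)
        if is_pth_candidate(event_id, data):
            hits.append(data.get("TargetUserName"))
    return hits


def _record(event_id, logon_type, process, user):
    # Helper that builds a constructed Security-log record in the real event XML layout.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="LogonProcessName">{process}</Data></EventData></Event>')


SAMPLE_RECORDS = [
    _record(4624, 2, "User32 ", "alice"),        # interactive logon: noise
    _record(4624, 3, "NtLmSsp ", "svc_backup"),  # network logon: noise
    _record(4624, 9, "Advapi  ", "bob"),         # type 9 from impersonation: the false positive case
    _record(4624, 9, "seclogo", "bob"),          # matches the pass-the-hash indicator
    _record(4672, 9, "seclogo", "bob"),          # wrong event ID: ignored
]

if __name__ == "__main__":
    print(hunt(SAMPLE_RECORDS))  # ['bob']
```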
Nobuo Miwa, Security Engineer

Author

Commented:
Thank you btan, I've already checked out your blog.
I want to test my program to detect PtH with a real evtx file with noise (that I need not detect).
My question is where to find an evtx file that includes a PtH attack and other normal events (noise).
btan, Exec Consultant

Commented:
The events of the Windows event log are stored in .evtx files, and you can usually find them in C:\windows\system32\winevt\Logs . You can extract the events using FullEventLogView from .evtx files stored on your local system (as long as they are not locked and you have read permission) and from .evtx files stored on an external drive.

Export all events stored in .evtx files except those with the specified Event IDs (say 7000,7036,3005,4001,4002):
'/DataSource 3' requests to load events from a folder with .evtx files,
'/TimeFilter 0' requests to load without a time filter, and
'/EventIDFilter 2' means: don't load the events with the Event IDs specified in /EventIDFilterStr, e.g.

FullEventLogView.exe /scomma "c:\temp\events_list.csv" /TimeFilter 0 /DataSource 3 /LogFolder "C:\Shared\Logs" /LogFolderWildcard "*" /EventIDFilter 2 /EventIDFilterStr "7000,7036,3005,4001,4002"
Nobuo Miwa, Security Engineer

Author

Commented:
Thank you btan,
In your blog, in the PtH and normal situations, PtH has only 4776 and normal has 4768, 4769, 4776.
So can I detect PtH via 4776 without 4768 and 4769?
I will reproduce PtH with mimikatz though.
Exec Consultant
Commented:
You should be able to, as 4776 is specific to account logon while the others are Kerberos. Another similar blog that you may be interested in, which doesn't need 4776:
https://blog.stealthbits.com/how-to-detect-overpass-the-hash-attacks/

Commented:
Nobuo, I will ask since you did not react to my suggestion: are you able to use a test domain? It would be best to do so in order to do live testing and detecting.
Nobuo Miwa, Security Engineer

Author

Commented:
Thanks Experts.

I built my own network with a DC and WS and ran mimikatz.
I could see several event logs for testing.

Thank you.