Maintaining Persistence and Password Hash Dumping using Meterpreter and Mimikatz

In this post we will exploit a Windows 10 machine using a Meterpreter reverse shell. After exploitation we will maintain persistence on the machine, evade detection, escalate privileges and finally dump the password hashes of all users of the machine. We will then hunt for evidence of the exploitation using Windows event logs and Sysmon from the endpoint, and Suricata on the network.

Meterpreter is the payload component of the Metasploit exploitation framework. It has a wealth of attacking tools at its disposal and is used by red teams; however, it is also used by adversaries. The attacker depends on the victim executing the payload (crafted with Metasploit) and initiating a reverse TCP shell back to the attacker. Once the session is established, the attacker can perform privilege escalation, keylogging, and so on. We will be using a staged Meterpreter session; Rapid7 has a fantastic deep-dive article on how staging works. Microsoft Defender has signatures for the standard Meterpreter payloads, so on a patched system with up-to-date AV the victim executing the payload will see a quarantine message as shown below. To circumvent this, an attacker would need to use evasion techniques (for example Metasploit's evasion modules) that avoid AV detection.

For the scope of this demonstration, however, we will execute the payload regardless of the alert generated by the AV.

Scenario: The attacker has managed to send a user at a company an executable claiming to improve system performance. The user proceeds to run the .exe file. The Windows laptop alerts the user, but the user ignores the alert and runs the executable anyway.
Victim's set-up: DetectionLab. Attacker's set-up: Kali Linux.

Step 1: (Attacker):
The attacker has created a payload, 'SystemBooster.exe', using the steps below. Since creating the payload is out of scope for this post, only screenshots of the steps are included. Learn more about the different types of payloads that can be created here.

The last step shows that the attacker's listener is ready and waiting for the victim to execute the exe.

Step 2: (Victim Machine)
The attacker has managed to deliver SystemBooster.exe to the admin, and the admin has executed the .exe file. The attacker has multiple ways to deliver it: a phishing email, a trusted contact, an insider, etc.

Step 3: (Attacker Machine)
As soon as the victim runs the executable, the session opens. The user's machine is now infected.

Step 4:
The attacker tries to steal passwords but observes that the session is not running with elevated privileges. The 'getuid' and 'sysinfo' commands help the attacker collect information about the user and the system. Next the attacker loads Mimikatz and tries to dump passwords, but does not succeed.

The attacker then uses the 'getsystem' command to escalate privileges to SYSTEM and runs 'run post/windows/gather/hashdump' again, this time gathering the hashes. These hashes can be used for lateral movement: here is a tutorial on using psexec to pass the hash and move laterally, and a pass-the-hash attack can also be performed with Mimikatz.

Step 5:
The attacker now knows that their process could be discovered and killed. To evade this, they first migrate the session into a notepad.exe process. Observe the process with PID 104: it shows as notepad.exe, yet our session is now being controlled from this process.

Step 6:
The attacker now wants to maintain persistence, which can be achieved with Meterpreter's persistence module. Observe the command below. The attacker has set persistence to begin 5 minutes after the system restarts, meaning the session will start automatically every time the user restarts the PC. The module does this by creating an autorun registry entry and writing a VBScript to an AppData location (the Sysmon events later in this post show that script being run by cscript.exe from the user's Temp folder).

Now that we have completed our attack, let us observe the events logged.

Windows Events on Target Machine

1 – Event ID 4688, 'A new process has been created', when we first execute SystemBooster.exe.

2 – We next see notepad.exe being launched from SystemBooster.exe. This is when we migrated into notepad.exe to evade defenses and keep our session from dying or raising suspicion. Again this is Event ID 4688, 'A new process has been created'.

3 – For privilege escalation, we observe an Event ID 4688 for the randomly named wywMChhAmLl.exe immediately followed by Event ID 4674, 'An operation was attempted on a privileged object'. Note that the Sysmon process-creation event quoted later in this post shows the same executable being spawned by cscript.exe from the persistence VBScript, so correlate the timestamps before attributing a given 4688 for this binary to getsystem rather than to the persistence payload.

4 – Lastly, to create persistence we ran a script, which shows up as an Event ID 4688 for cscript.exe.


Sysmon events on the target machine.

1 – Sysmon shows roughly 200 process-access events (Event ID 10) in which our malicious payload opens a handle to lsass.exe. Observe the image below: we see SystemBooster.exe accessing lsass.exe throughout the session. This makes sense, as we used Mimikatz to dump credentials, and Mimikatz reads them from LSASS memory.

2 – Similarly, we see notepad.exe accessing lsass.exe. This is from after we migrated our session into notepad.exe.

3 – A registry value is set (Event ID 13) by the evasive notepad.exe process; this is the autorun entry written by the persistence module.

4 – Matching the 4688 events, we see 17 events involving cscript.exe, as the persistence script run through cscript changed registry values. Below is the process-creation event for the payload that the script launched:

 04/18/2020 08:00:32 PM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=1 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Process Create (rule: ProcessCreate) OpCode=Info RecordNumber=111743 Keywords=None Message=Process Create: RuleName: technique_id=T1036,technique_name=Masquerading UtcTime: 2020-04-18 20:00:32.895 ProcessGuid: {f26a5612-5c60-5e9b-0000-0010ebf7a100} ProcessId: 3628 Image: C:\Users\vagrant\AppData\Local\Temp\radF4D2A.tmp\wywMChhAmLl.exe FileVersion: 2.2.14 Description: ApacheBench command line utility Product: Apache HTTP Server Company: Apache Software Foundation OriginalFileName: ab.exe CommandLine: “C:\Users\vagrant\AppData\Local\Temp\radF4D2A.tmp\wywMChhAmLl.exe” CurrentDirectory: C:\Users\vagrant\Desktop\ User: WIN10\vagrant LogonGuid: {f26a5612-45d7-5e9b-0000-0020a24c0300} LogonId: 0x34CA2 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=9277C51188E73858A84F2BE7C0ECD9A979B1CFE1,MD5=4617C22F5117557E841872D1A124FFE2,SHA256=1E9C6FBAEB65AC985FE9EE48D2419D411D4A037C1C0B267B4A713AC052DFE596,IMPHASH=481F47BBB2C9C21E108D65F52B04C448 ParentProcessGuid: {f26a5612-5af7-5e9b-0000-0010f03d9d00} ParentProcessId: 896 ParentImage: C:\Windows\SysWOW64\cscript.exe ParentCommandLine: cscript “C:\Users\vagrant\AppData\Local\Temp\jVEFPEU.vbs”

5 – Network connection initiated (Event ID 3): SystemBooster.exe opening an outbound TCP connection to the attacker on port 443.

 04/18/2020 07:22:19 PM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=3 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Network connection detected (rule: NetworkConnect) OpCode=Info RecordNumber=110732 Keywords=None Message=Network connection detected: RuleName: technique_id=T1036,technique_name=Masquerading UtcTime: 2020-04-18 19:22:17.220 ProcessGuid: {f26a5612-5369-5e9b-0000-001005068500} ProcessId: 3008 Image: C:\Users\vagrant\Desktop\SystemBooster.exe User: WIN10\vagrant Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: SourceHostname: win10.windomain.local SourcePort: 51701 SourcePortName: DestinationIsIpv6: false DestinationIp: DestinationHostname: DestinationPort: 443 DestinationPortName: https

6 – taskschd.dll being loaded (Event ID 7), tagged by the Sysmon config as Scheduled Task (T1053). Note that the loading process here is sppsvc.exe, the Windows Software Protection service, and the persistence module above used a Run key and a VBScript rather than a scheduled task, so treat this event as background noise unless the loading image is itself suspicious.

04/18/2020 07:54:36 PM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=7 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Image loaded (rule: ImageLoad) OpCode=Info RecordNumber=111572 Keywords=None Message=Image loaded: RuleName: technique_id=1053,technique_name=Scheduled Task UtcTime: 2020-04-18 19:54:36.939 ProcessGuid: {f26a5612-5ade-5e9b-0000-0010301e9d00} ProcessId: 4344 Image: C:\Windows\System32\sppsvc.exe ImageLoaded: C:\Windows\System32\taskschd.dll FileVersion: 10.0.18362.1 (WinBuild.160101.0800) Description: Task Scheduler COM API Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: taskschd.dll Hashes: SHA1=46B11170BCD6D40A7D3EB0A17AF6FCB094D78DE5,MD5=2FFE2081F5581CF744D75A2ABE56DBFC,SHA256=E43C1490D017EA4ED1CB725C8943B4C0DEAB2A4EF39BFDB18110268AC91AD836,IMPHASH=A27ED1F1734EB4E97FB4A5CC09A0E126 Signed: true Signature: Microsoft Windows SignatureStatus: Valid

Conclusion: To detect a Meterpreter session like this one, we could write rules for the following events.

  1. Monitor for Event ID 4688 followed by Event ID 4674 to observe privilege escalation by an unknown process.
  2. Monitor for executables being written to or launched from AppData (including the user's Temp folder).
  3. Monitor for a sudden burst of cscript.exe process creations in a short period, and for script hosts spawning executables.
  4. Monitor for a sudden burst of process-access events against lsass.exe from a single non-system process in a short period.
  5. Check which process loads taskschd.dll (here it was the Windows service sppsvc.exe, so this event alone is not evidence of attacker persistence). Review scheduled tasks on a weekly basis.
  6. Registry values, especially autorun (Run) keys, being set by a rare .exe. [Here "rare" means the bottom 5 executables executed on that given day.]
  7. Outbound network connections being initiated by a rare .exe in the environment.
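As an added example (not code from the original post, nor from Sysmon or Metasploit), here is a small Python pass that applies rules 2 to 7 above to a batch of Sysmon events in the same flattened key=value format quoted earlier in this post. Rule 1 needs the Windows Security log (4688 followed by 4674) rather than Sysmon, so it is not covered. The sample batch is constructed: it shortens the three records shown above and adds invented events (the Event ID 10 LSASS accesses, the Event ID 13 Run-key write, the benign process creations that form the rarity baseline); the rule names, the Run-key value name, the file paths not shown in the post and every threshold are assumptions.

```python
"""Detection pass over Sysmon events in the flattened key=value form quoted in
this post. Added example: not code from the original post, Sysmon or Metasploit.
The batch below is constructed, and every threshold is illustrative."""
import re
from collections import Counter

# Constructed sample batch, modelled on the three records quoted in the post.
# Paths, the Run-key value name and the event counts are assumed.
ATTACK = [
    r"EventCode=1 Message=Process Create: Image: C:\Users\vagrant\Desktop\SystemBooster.exe User: WIN10\vagrant ParentImage: C:\Windows\explorer.exe",
    r"EventCode=3 Message=Network connection detected: Image: C:\Users\vagrant\Desktop\SystemBooster.exe Initiated: true DestinationPort: 443",
    r"EventCode=1 Message=Process Create: Image: C:\Windows\System32\notepad.exe User: WIN10\vagrant ParentImage: C:\Users\vagrant\Desktop\SystemBooster.exe",
    r"EventCode=13 Message=Registry value set: Image: C:\Windows\System32\notepad.exe TargetObject: HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    r'EventCode=1 Message=Process Create: Image: C:\Users\vagrant\AppData\Local\Temp\radF4D2A.tmp\wywMChhAmLl.exe User: WIN10\vagrant ParentImage: C:\Windows\SysWOW64\cscript.exe ParentCommandLine: cscript "C:\Users\vagrant\AppData\Local\Temp\jVEFPEU.vbs"',
    r"EventCode=7 Message=Image loaded: Image: C:\Windows\System32\sppsvc.exe ImageLoaded: C:\Windows\System32\taskschd.dll Signed: true Signature: Microsoft Windows",
]
LSASS = r"EventCode=10 Message=Process accessed: SourceImage: %s TargetImage: C:\Windows\system32\lsass.exe GrantedAccess: 0x1010"
BENIGN = r"EventCode=1 Message=Process Create: Image: C:\Windows\System32\%s User: WIN10\vagrant ParentImage: C:\Windows\explorer.exe"
SAMPLE_EVENTS = (
    ATTACK
    + [LSASS % r"C:\Users\vagrant\Desktop\SystemBooster.exe"] * 25   # Mimikatz reading LSASS
    + [LSASS % r"C:\Windows\System32\notepad.exe"] * 3               # a few hits after migration
    + [BENIGN % name for name, n in [("svchost.exe", 10), ("RuntimeBroker.exe", 6),
       ("conhost.exe", 5), ("SearchApp.exe", 4), ("explorer.exe", 3)] for _ in range(n)]
)

# Sysmon message bodies are "Field: value Field: value ..."; field names are
# CamelCase, so split on a space that precedes "Name:" followed by space or end.
FIELD_SPLIT = re.compile(r" (?=[A-Z][A-Za-z]+:( |$))")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}
LSASS_BURST = 20      # illustrative: accesses from one source image before alerting
RARE_BOTTOM_N = 5     # the post's definition of "rare": the five least-executed images


def parse_event(line):
    """Turn one flattened record into a dict: the 'k=v' tokens before Message=,
    then the 'Field: value' pairs inside the message body."""
    head, _, body = line.partition("Message=")
    event = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    body = body.split(": ", 1)[1]           # drop the leading "Process Create:" label
    for chunk in FIELD_SPLIT.split(body):
        key, _, value = chunk.partition(":")
        event[key] = value.strip()
    return event


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Apply the conclusion's Sysmon rules to a batch; returns (rule, evidence) pairs."""
    events = [parse_event(line) for line in lines]
    # rarity baseline: process-creation count per image over the batch
    created = Counter(e["Image"] for e in events if e["EventCode"] == "1")
    rare = {img for img, _ in sorted(created.items(), key=lambda kv: kv[1])[:RARE_BOTTOM_N]}
    alerts, lsass_hits = [], Counter()
    for e in events:
        code, img = e["EventCode"], e.get("Image", "")
        if code == "1":
            if any(seg in img.lower() for seg in USER_WRITABLE):
                alerts.append(("exec_from_user_writable_path", img))
            parent = basename(e.get("ParentImage", ""))
            if parent in SCRIPT_HOSTS:
                alerts.append(("script_host_spawned_process", f"{parent} -> {img}"))
        elif code == "3" and e.get("Initiated") == "true" and img in rare:
            alerts.append(("outbound_from_rare_image", f"{img} -> :{e.get('DestinationPort')}"))
        elif code == "7" and basename(e.get("ImageLoaded", "")) == "taskschd.dll":
            # only interesting when the *loading* process is itself suspicious
            if any(seg in img.lower() for seg in USER_WRITABLE) or img in rare:
                alerts.append(("taskschd_loaded_by_untrusted_image", img))
        elif code == "10" and basename(e.get("TargetImage", "")) == "lsass.exe":
            lsass_hits[e["SourceImage"]] += 1
        elif code == "13" and img in rare and "\\currentversion\\run" in e.get("TargetObject", "").lower():
            alerts.append(("run_key_set_by_rare_image", f"{img} -> {e['TargetObject']}"))
    for src, n in lsass_hits.items():
        if n >= LSASS_BURST:
            alerts.append(("lsass_access_burst", f"{src} x{n}"))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {evidence}")
```

On this batch the pass raises five alerts (the payload launched from the Temp folder by cscript.exe, the outbound connection and the LSASS burst from SystemBooster.exe, and the Run key written by notepad.exe) and stays quiet on the taskschd.dll load, since the loading process is a System32 binary that is not rare. In a real deployment the rarity baseline would be computed over the whole day's process creations and the LSASS threshold over a time window, not over a single batch.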
