Monday, January 27, 2020

SANS Holiday Hack 2019 - Objective 3: Windows Log Analysis: Evaluate Attack Outcome

Objective 3: Windows Log Analysis:  Evaluate Attack Outcome

The hints for this challenge are given by Bushy Evergreen in the Train Station (the area you first arrive in, south of the Quad).  For this one, the hint gives a link to a file that must be downloaded and examined: https://downloads.elfu.org/Security.evtx.zip.  (Remember, you can click on each image to make it larger.)



The first hint from Bushy Evergreen regarding this objective is a link:  https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html.  The second is the DeepBlue CLI GitHub project, here:  https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html



I used a Windows machine for this one because PowerShell is a good tool for parsing Windows logs.  The first thing I did was download DeepBlue CLI from the GitHub repository.  Simply click the green button labeled “Clone or download”, then click “Download ZIP”.



Once the ZIP file is downloaded, unzip it using your favorite tool.  Windows 10 natively extracts the files from the ZIP file if you simply double-click on it, or right-click and select “Extract All” from the menu.


Once the file is unzipped, navigate into the directory structure by double-clicking on DeepBlueCLI-master, and then the DeepBlueCLI-master sub-directory inside it.  Read the README.md file to understand how to use DeepBlue CLI.  The README file, even though it ends with .md, is a plain text file.  Right-click it and click “Open With”, then choose Notepad.  A popup may appear asking which program to open it with; choose Notepad from the popup.  You may have to click on the “More Apps” link and choose Notepad there.  Be sure to check the box labeled “Always use this app to open .md files”.


If the previous instructions don’t seem to work when you navigate to “Open With”, it is sometimes because Windows shows different menus.  It may show a menu on the right-hand side; select Notepad from there.  If you don’t see it, select the “Choose another app” menu item.  Notepad should be listed there.  I have Notepad++, which opens it automatically.


There are a couple of versions of DeepBlue CLI in the GitHub repository that was downloaded.  One is a Python version, named DeepBlue.py, which you can use natively on Linux.  It can also be used on Windows if you have Python installed.  I believe later versions of Windows 10 come with Python installed natively.  Read your OS documentation to see if it’s installed.  If you have other versions of Windows, Python can be found here:  https://www.python.org/downloads/windows/.  There is also a PowerShell version of DeepBlue CLI in the repository, named DeepBlue.ps1.  PowerShell is native on Windows 7 and above.  If you don’t have Windows, you may choose to use a Windows VM, which would have PowerShell installed.  I chose to use the PowerShell version of DeepBlue CLI on a Windows host.

Open PowerShell.  On Windows 10, you can search for it: in the search bar in the bottom left-hand corner, type PowerShell.  There are a couple of different versions.  One is the plain powershell.exe, which is the interactive PowerShell command prompt.  The other is PowerShell ISE.  I prefer the ISE because it’s helpful for navigating and typing in commands.

DeepBlue CLI is fairly easy to use.  It can automatically detect things without any parameters other than the name of the event log.  Simply type:

<path to Deep Blue CLI>\DeepBlue.ps1 <name of event log>


The tool detects a password spray attack in the event log given for this objective.  
More information regarding this attack can be found here: 
https://www.us-cert.gov/ncas/current-activity/2019/08/08/acsc-releases-advisory-password-spraying-attacks

Notable symptoms of a password spray attack:
  • Many failed logins spread across a lot of users on one or more system(s).  Note:  DCs will typically see a lot of failed logins anyway.
  • Usually the failed logins are about 2-5 per user, because the attackers are trying not to get anyone locked out, so they stay under the lockout threshold.
  • The failed logins usually happen very quickly.  Many attackers use a script to do this.  Note:  This is not always the case.
  • They usually use one easy-to-guess password, like Spring2019.  Sadly this works, because users typically pick passwords like this unless they have proper training.

Note that Event ID 4648 is the event logged when explicit credentials are used; it records a user attempting to log on with explicit credentials.  This can be indicative of a password spraying attack because the same credentials may be used on one or more computers.  It is usually many users with fewer than 2-5 attempts per user, so that account lockouts are not triggered.  The explicit credentials may be used on computers that the users don’t usually log on to, because attackers may not be familiar with the normal activities of the users.

Later in the list, it notes that there were some admin logins.  Usually an attacker’s goal is to escalate privileges; not always, but a lot of the time.  So looking for unusual admin logins may lead to finding an attacker.  Sometimes it leads to false positives, since people have to manage systems.  The key to spotting users that may have been compromised in this specific attack is to see whether any of these users had a bunch of failed logons and then a successful logon around the same time as the suspected password spraying attempt.


Sure enough, one user did have a successful login at about the same time as a bunch of failed logins.  The following image is the output from DeepBlue CLI.  Event ID 4672 is logged when special privileges are assigned to a new logon.  If you see an admin assistant suddenly getting new privileges, you might want to look into that.  Notice the time stamp?  Right around the time of the successful admin logins.


Another way to see these failed logins is with PowerShell.  Here is the PowerShell command and output from when I looked up pminstix.  (The path is whatever path you have the security log in, and whatever you named it.)

Get-WinEvent -FilterHashtable @{Path='.\SecurityKK.evtx';id=4625} | Select -Expand Message | ?{$_ -like "*pminstix*"}

I checked on pminstix because she was noted as one of the admin logons.  No output, i.e. no failed logons.  Lucky for us.  The syntax for PowerShell is strange, but very useful once one adapts to it.  This uses the Get-WinEvent cmdlet to find events in the KringleCon Security event log with an ID of 4625 (failed logons) where the message contains the word “pminstix”, which is the username I’m looking for.

Message is one of the properties of the event objects that the first part of the command, Get-WinEvent -FilterHashTable @{Path='<event log path>';id=4625}, returns.  A hash table is a special object in PowerShell that stores key=value pairs.  In this case, the keys are Path and Id.  Run on its own, this displays a grid on the screen with the timestamps of the events and the message for each event.  Unfortunately, when we simply run "Get-WinEvent -FilterHashtable @{Path='.\SecurityKK.evtx';id=4625}", each message is truncated, so the next part, "Select -Expand Message", shows only the messages, in full.  This isn’t ideal if you want timestamps, but it is fine for this challenge because I only wanted to make sure pminstix didn’t have failed logons.

The last part of the command simply filters out everything except what I’m looking for.  ? is an alias for Where-Object.  $_ is each object from the piped commands before it (so all of the 4625 failed logon messages).  The filter then says to keep only messages that contain (look like) pminstix.  If you try this same command with supatree at the end in place of {$_ -like “*pminstix*”}, like this, {$_ -like “*supatree*”}, your screen will fill up with failed logons.  Look at the timestamps though: password spraying failed logons will usually be very close to each other.  The answer to this Objective is supatree.
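The same three checks described above (failed logons for one account, many accounts with only a few failures each in a short window, and a success right after a run of failures) can be scripted once the events are out of the log.  This is an added example, not code from the post or from DeepBlue CLI; the records are constructed in the script (only the account names supatree and pminstix come from the challenge) and stand in for what Get-WinEvent or DeepBlue.py would extract from Security.evtx.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log records (not the real Security.evtx):
# (timestamp, Event ID, target account); 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2019-11-19 08:00:00", 4625, "user04"),    # lone mistyped password hours earlier
    ("2019-11-19 12:21:45", 4625, "user01"),
    ("2019-11-19 12:21:46", 4625, "user02"),
    ("2019-11-19 12:21:47", 4625, "user03"),
    ("2019-11-19 12:21:48", 4625, "supatree"),
    ("2019-11-19 12:21:50", 4625, "user01"),
    ("2019-11-19 12:21:51", 4625, "user02"),
    ("2019-11-19 12:21:52", 4625, "user03"),
    ("2019-11-19 12:21:53", 4625, "supatree"),
    ("2019-11-19 12:21:55", 4624, "supatree"),  # success right after the spray
    ("2019-11-19 13:05:00", 4624, "pminstix"),  # admin logon with no prior failures
]

def parse(rows):
    """String timestamps -> datetimes, sorted chronologically."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, u) for ts, eid, u in rows)

def failures_for(rows, user):
    """The post's Where-Object filter in Python: 4625 timestamps for one account."""
    return [ts for ts, eid, u in parse(rows) if eid == 4625 and u == user]

def best_spray_window(rows, window=timedelta(minutes=10), min_users=3, max_per_user=5):
    """Slide a window over the 4625s; return (start, end, {user: count}) for the window
    with the most distinct accounts where no account exceeds max_per_user, else None."""
    fails = [e for e in parse(rows) if e[1] == 4625]
    best = None
    for i, (start, _, _) in enumerate(fails):
        counts = defaultdict(int)
        for ts, _, user in fails[i:]:
            if ts > start + window:
                break
            counts[user] += 1
        if len(counts) >= min_users and max(counts.values()) <= max_per_user:
            if best is None or len(counts) > len(best[2]):
                best = (start, start + window, dict(counts))
    return best

def success_after_failures(rows, within=timedelta(minutes=30)):
    """Accounts whose 4624 follows their last 4625 within `within`: failed, then got in."""
    events = parse(rows)
    last_fail = {u: ts for ts, eid, u in events if eid == 4625}   # later entries overwrite
    hits = {u for ts, eid, u in events
            if eid == 4624 and u in last_fail and timedelta(0) <= ts - last_fail[u] <= within}
    return sorted(hits)
```

On the sample, pminstix has no failures, the 12:21 window holds four accounts with two failures each, and supatree is the only account that succeeds right after failing, matching the reasoning in the post.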


