Thursday, May 28, 2015

Windows 7 Events Generated when exploit/windows/smb/psexec is used by Metasploit

With this walkthrough I wanted to note the events that are recorded in the Windows 7 Event Viewer (Security log) when you use exploit/windows/smb/psexec.  To set up the environment to record the necessary events, the local audit policy was modified to the settings shown in the screenshot below.  The audit subcategories that produce the events covered here are Credential Validation, Logon, Logoff, Special Logon, File Share, Detailed File Share, Process Creation, Process Termination and Filtering Platform Connection; with the default policy most of these events are never written.


We are going to make the assumption that the NTLM hash for the built-in Administrator account (RID 500) is compromised and is being passed as the SMBPass option, as shown in the screenshot below:



It can also be observed that port 3389 is being used for the payload's reverse connection.  The default Windows 7 firewall policy allows outbound connections unless a rule specifically blocks them, so TCP 3389 outbound is open and the Meterpreter traffic blends in with what looks like RDP.  With the above settings configured the exploit is then executed and successfully connects.  Below are the event logs that are generated on Windows 7 when the above actions are taken.

Event ID 4776 (credential validation) is created when the Windows 7 host validates the NTLM credentials, and it identifies the connecting computer.  Monitoring this event for a non-standard or unknown workstation name in the "Source Workstation" field could assist in identifying the intrusion, since the name is supplied by the attacker's SMB client rather than by a domain-joined workstation.


Event ID 4672 (special logon) identifies the account name and the special privileges assigned to the new logon; it is written because the Administrator account receives administrative privileges such as SeDebugPrivilege at logon.


Event ID 4624 records that a successful logon occurred and the source of the logon.  For psexec this is a Logon Type 3 (network) logon with NTLM as the authentication package, and the source displayed below is the IP address the connection came from.  To correlate it back to the previous event you can use the "Logon ID", which is the same value in 4672 and 4624.


Event ID 5140 is for a network share being accessed.  The correlation of the event can again be done through the Logon ID.  You can also tell which share on the workstation was accessed.  Depending on which "Share Name" is accessed this could be monitored, especially if what is being accessed is an administrative share like C$ or ADMIN$, which a normal user workstation should rarely see accessed over the network.


Event ID 5145 (detailed file share) records that a network share object was checked to see whether the authenticated account can be granted the requested access, in this case write access.  The file "HoUGhAVh.exe" (a name randomly generated by Metasploit) was written through the ADMIN$ share into the C:\Windows directory.


Event ID 4688 identifies that a new process was created from the above executable that was saved in C:\Windows; psexec installs it as a service, so the service installation itself also shows up in the System log as event ID 7045 rather than in the Security log.  A new process is then created with rundll32.exe from C:\Windows\System32, which carries the Meterpreter payload.  This event can also be observed when a command shell is opened from Meterpreter.  Inside of the command shell, any command that launches a new process can be observed through event ID 4688 (shell built-ins such as dir or cd do not create a process and leave no 4688).  Note that on Windows 7 event 4688 records the image path of the new process but not its command line, so the arguments passed to each command are not available from this event.


Event ID 4689 shows the exit of the process with the random executable name in the Windows directory.


Event ID 5156 is generated by the Windows Filtering Platform (the engine behind the Windows firewall) when it permits the outbound connection from rundll32.exe.  This is the connection back to port 3389 on the attacking computer for the Meterpreter reverse shell.  After this event are additional events showing that the randomly generated executable is deleted.


Event ID 4634 shows the logoff of the administrator account from the initial logon that occurred.  This can be correlated by the "Logon ID".
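The correlation described above can be automated.  The PowerShell below is an added example and is not part of the original post or of Metasploit: it pulls the events covered here from the Security log, ties 4672, 5140, 5145, 4688, 4689 and 4634 to each NTLM network logon (4624) by Logon ID, and matches 4776 and 5156, which carry no Logon ID, by time and by process ID respectively.  It assumes the audit policy from this post is in effect, PowerShell 3.0 or later, rights to read the Security log, and the field names as they appear in each event's XML; the 24-hour lookback and the 10-second window for 4776 are arbitrary choices.

```powershell
# Added example (not from the original post or Metasploit): correlate the
# Security-log events left by exploit/windows/smb/psexec by Logon ID.
# Assumes the audit subcategories from the post are enabled, PowerShell 3.0+,
# and rights to read the Security log. -Hours and the 10 s window are arbitrary.

function Get-SecurityRecord {
    # Flatten each event's EventData into a hashtable keyed by the Data Name.
    param([int]$Hours)
    $filter = @{
        LogName   = 'Security'
        Id        = 4776, 4624, 4672, 5140, 5145, 4688, 4689, 5156, 4634
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $fields = @{}
        $xml = [xml]$e.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $e.Id; Time = $e.TimeCreated; Fields = $fields }
    }
}

function Find-PsExecStyleSession {
    param([int]$Hours = 24)
    $records = @(Get-SecurityRecord -Hours $Hours)

    # A 4624 with LogonType 3 and NTLM is what the pass-the-hash SMB logon looks like.
    $logons = $records | Where-Object {
        $_.Id -eq 4624 -and $_.Fields['LogonType'] -eq '3' -and
        $_.Fields['AuthenticationPackageName'] -eq 'NTLM'
    }

    foreach ($logon in $logons) {
        $logonId = $logon.Fields['TargetLogonId']
        # 4672/5140/5145/4688/4689 carry the session as SubjectLogonId, 4634 as TargetLogonId.
        $related = $records | Where-Object {
            $_.Fields['SubjectLogonId'] -eq $logonId -or
            ($_.Id -eq 4634 -and $_.Fields['TargetLogonId'] -eq $logonId)
        }
        $shares = @($related | Where-Object { $_.Id -eq 5140 } |
            ForEach-Object { $_.Fields['ShareName'] } | Sort-Object -Unique)
        $files  = @($related | Where-Object { $_.Id -eq 5145 } |
            ForEach-Object { $_.Fields['ShareName'] + '\' + $_.Fields['RelativeTargetName'] } | Sort-Object -Unique)
        $procs  = @($related | Where-Object { $_.Id -eq 4688 })
        $logoff = $related | Where-Object { $_.Id -eq 4634 } | Select-Object -First 1
        $end    = if ($logoff) { $logoff.Time } else { Get-Date }

        # 4776 has no Logon ID: take the NTLM validation for the same account logged
        # just before this logon to recover the Source Workstation the client presented.
        $auth = $records | Where-Object {
            $_.Id -eq 4776 -and $_.Time -le $logon.Time -and
            $_.Time -ge $logon.Time.AddSeconds(-10) -and
            $_.Fields['TargetUserName'] -eq $logon.Fields['TargetUserName']
        } | Select-Object -Last 1
        $workstation = if ($auth) { $auth.Fields['Workstation'] } else { $null }

        # 5156 has no Logon ID either: 4688 stores NewProcessId in hex, 5156 stores
        # ProcessID in decimal, so match on the converted PID inside the session window
        # and keep only outbound (%%14593) connections, e.g. rundll32.exe to port 3389.
        $pids = @($procs | ForEach-Object { [int]$_.Fields['NewProcessId'] })
        $conns = @($records | Where-Object {
            $_.Id -eq 5156 -and $_.Fields['Direction'] -eq '%%14593' -and
            $_.Time -ge $logon.Time -and $_.Time -le $end -and
            ([int]$_.Fields['ProcessID'] -in $pids)
        } | ForEach-Object { $_.Fields['Application'] + ' -> ' + $_.Fields['DestAddress'] + ':' + $_.Fields['DestPort'] })

        # Admin share access plus a process created under the same session is the psexec signature.
        $adminShares = @($shares | Where-Object { $_ -match '\$$' })
        $suspicious  = ($adminShares.Count -gt 0) -and ($procs.Count -gt 0)

        [pscustomobject]@{
            Time              = $logon.Time
            Account           = $logon.Fields['TargetUserName']
            SourceIp          = $logon.Fields['IpAddress']
            SourceWorkstation = $workstation
            LogonId           = $logonId
            Shares            = $shares -join ', '
            FilesWritten      = $files -join ', '
            Processes         = (@($procs | ForEach-Object { $_.Fields['NewProcessName'] } | Sort-Object -Unique) -join ', ')
            Connections       = $conns -join ', '
            LoggedOff         = if ($logoff) { $logoff.Time } else { $null }
            Suspicious        = $suspicious
        }
    }
}

# Usage: list only sessions that touched an admin share and spawned a process.
Find-PsExecStyleSession -Hours 24 | Where-Object { $_.Suspicious } | Format-List
```

Run it on the Windows 7 host itself (or point Get-WinEvent at it with -ComputerName after enabling remote event log access).  A legitimate administrator using psexec or a software deployment tool produces the same chain, so treat "Suspicious" as a triage queue: the Source Workstation and source IP from 4776 and 4624 are what separate an expected admin host from an attacker's machine.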


