Wednesday, 6 February 2019

Threat Hunting #2 - Detecting PsLoggedOn exec using EID 5145

What's PsLoggedOn?

PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.

PsLoggedOn's definition of a locally logged on user is one that has their profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key whose name is a user SID (Security Identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API. Note that PsLoggedOn will show you as logged on via resource share to remote computers that you query, because a logon is required for PsLoggedOn to access the Registry of a remote system.

Why do we care about PsLoggedOn detection?

PsLoggedOn is used by attackers to perform precise, targeted internal reconnaissance of users' sessions (with less noise than other internal AD recon tools) and then go after the interesting ones.

To detect PsLoggedOn we will be using the following things:

  • Traces of remote registry access (connection to winreg named pipe exposed via the IPC$ SMB share)
  • Traces of NetSessionEnum API (connection to srvsvc named pipe exposed via the IPC$ SMB share)
  • Same source account, source IP and source port number, all within 1 minute

Evidence of both remote winreg and srvsvc access can be obtained from Windows Security Event 5145: "A network share object was checked to see whether client can be granted desired access" [the Object Access > Detailed File Share audit subcategory needs to be enabled].

Below is a graphical representation of the idea:

We recommend enabling 5145 on all your Windows network file shares as well as on all Domain Controllers; it will be our friend for detecting other reconnaissance and lateral movement techniques [extremely useful].

Detection Logic:

Look for two occurrences of event 5145 within one minute where RelativeTargetName is in {winreg, srvsvc}, with the same [Source IP, Account Name, Source Port] AND different RelativeTargetName values (one winreg, one srvsvc).
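The correlation above, written out as a small Python script so it can be run over exported 5145 records. This is an added example, not code from the original post or from Sysinternals; the sample events are constructed, and the field names (TimeCreated, SubjectUserName, IpAddress, IpPort, ShareName, RelativeTargetName) follow the XML data names of event 5145. The script groups events by the (source IP, account, source port) triple, keeps the last time each pipe was seen per triple, and raises one alert when the other pipe is seen within the window; same-pipe repeats, out-of-window pairs and pairs on different source ports are deliberately not flagged.

```python
"""Correlate Windows Security event 5145 records to spot PsLoggedOn-style recon.

Detection idea: two 5145 events from the same source IP, account and source
port, one against the winreg pipe and one against the srvsvc pipe (both
reached through the IPC$ share), within one minute.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PIPES_OF_INTEREST = {"winreg", "srvsvc"}
WINDOW = timedelta(minutes=1)

# Constructed sample 5145 records (not real log data). Field names follow the
# XML data names of event 5145.
SAMPLE_EVENTS = [
    # true positive: winreg then srvsvc from the same IP/account/port, 4 s apart
    {"TimeCreated": "2019-02-06T10:00:00", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.5", "IpPort": "49821", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "winreg"},
    {"TimeCreated": "2019-02-06T10:00:04", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.5", "IpPort": "49821", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc"},
    # same pipe twice: not a hit
    {"TimeCreated": "2019-02-06T10:05:00", "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.0.9", "IpPort": "50010", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc"},
    {"TimeCreated": "2019-02-06T10:05:10", "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.0.9", "IpPort": "50010", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc"},
    # both pipes but two minutes apart: outside the window
    {"TimeCreated": "2019-02-06T10:10:00", "SubjectUserName": "admin1",
     "IpAddress": "10.0.0.7", "IpPort": "51000", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "winreg"},
    {"TimeCreated": "2019-02-06T10:12:00", "SubjectUserName": "admin1",
     "IpAddress": "10.0.0.7", "IpPort": "51000", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc"},
    # both pipes, close in time, but different source ports: separate sessions
    {"TimeCreated": "2019-02-06T10:20:00", "SubjectUserName": "admin1",
     "IpAddress": "10.0.0.7", "IpPort": "52000", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "winreg"},
    {"TimeCreated": "2019-02-06T10:20:03", "SubjectUserName": "admin1",
     "IpAddress": "10.0.0.7", "IpPort": "52001", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc"},
    # ordinary file share access: ignored by the filter
    {"TimeCreated": "2019-02-06T10:20:05", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.5", "IpPort": "49821", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Windows\\Temp"},
]


def find_psloggedon_candidates(events, window=WINDOW):
    """Return one alert per (IpAddress, SubjectUserName, IpPort) triple that
    touched both winreg and srvsvc within `window` of each other."""
    # last time each pipe of interest was seen, per source triple
    last_seen = defaultdict(dict)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        pipe = ev["RelativeTargetName"].lower()
        if pipe not in PIPES_OF_INTEREST:
            continue
        key = (ev["IpAddress"], ev["SubjectUserName"], ev["IpPort"])
        ts = datetime.fromisoformat(ev["TimeCreated"])
        other = (PIPES_OF_INTEREST - {pipe}).pop()
        prev = last_seen[key].get(other)
        if prev is not None and ts - prev <= window:
            alerts.append({"source_ip": key[0], "account": key[1],
                           "source_port": key[2],
                           "first": prev.isoformat(), "second": ts.isoformat()})
            last_seen[key].clear()  # one alert per pair; do not re-fire
        else:
            last_seen[key][pipe] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_psloggedon_candidates(SAMPLE_EVENTS):
        print(alert)
```

Two practical notes when running this against real data: the source-port match assumes the tool reuses one SMB/TCP session for both pipe connections, which is what makes the triple such a tight key; and legitimate administration or monitoring software can also touch both pipes, so baseline the accounts and source hosts that fire before treating a hit as hostile.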

