What's PsLoggedOn?
PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.
PsLoggedOn's definition of a locally logged on user is one that has their profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key whose name is a user SID (Security Identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API. Note that PsLoggedOn will show you as logged on via resource share to the remote computers you query, because a logon is required for PsLoggedOn to access the Registry of a remote system.
Why do we care about PsLoggedOn detection?
PsLoggedOn is used by attackers to perform precise, targeted internal reconnaissance of users' sessions (with less noise than other internal AD recon tools) and to pick out the interesting ones.
To detect PsLoggedOn we will be using the following things:
- Traces of remote registry access (connection to winreg named pipe exposed via the IPC$ SMB share)
- Traces of NetSessionEnum API (connection to srvsvc named pipe exposed via the IPC$ SMB share)
- Same source account, source IP and source port number, all within 1 minute
Remote access to both winreg and srvsvc can be observed in Windows Security Event Log 5145: A network share object was checked to see whether client can be granted desired access [Object Access > Detailed File Share auditing needs to be enabled].
Below is a graphical representation of the idea:
We recommend enabling 5145 on all your Windows network file shares as well as on all Domain Controllers; it will be our friend for detecting other reconnaissance and lateral movement techniques [Extremely Useful].
Detection Logic:
Look for 2 occurrences of event 5145 with RelativeTargetName in {winreg, srvsvc} AND the same [Source IP, Account Name, Source Port] AND NOT the same RelativeTargetName, both within 1 minute.
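As an added illustration of that logic (example code, not from the original post), here the rule is applied in Python to a handful of constructed 5145 records; the dictionary field names and the sample accounts, IPs and ports are assumptions, not real telemetry:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 5145 events: Subject Account Name, Source Address,
# Source Port, Share Name and Relative Target Name, as logged on the target host.
EVENTS = [
    {"time": "2023-05-01T10:00:01", "account": "CORP\\jdoe", "src_ip": "10.0.0.5",
     "src_port": 49812, "share": "\\\\*\\IPC$", "target": "winreg"},
    {"time": "2023-05-01T10:00:02", "account": "CORP\\jdoe", "src_ip": "10.0.0.5",
     "src_port": 49812, "share": "\\\\*\\IPC$", "target": "srvsvc"},   # winreg+srvsvc, 1s apart -> alert
    {"time": "2023-05-01T10:05:00", "account": "CORP\\backup", "src_ip": "10.0.0.9",
     "src_port": 50111, "share": "\\\\*\\IPC$", "target": "srvsvc"},
    {"time": "2023-05-01T10:07:00", "account": "CORP\\backup", "src_ip": "10.0.0.9",
     "src_port": 50111, "share": "\\\\*\\IPC$", "target": "winreg"},   # 2 min apart -> outside window
    {"time": "2023-05-01T10:09:00", "account": "CORP\\admin", "src_ip": "10.0.0.7",
     "src_port": 51000, "share": "\\\\*\\IPC$", "target": "winreg"},
    {"time": "2023-05-01T10:09:10", "account": "CORP\\admin", "src_ip": "10.0.0.7",
     "src_port": 51000, "share": "\\\\*\\IPC$", "target": "winreg"},   # same pipe twice -> no alert
]

PIPES = {"winreg", "srvsvc"}
WINDOW = timedelta(minutes=1)


def detect_psloggedon(events, window=WINDOW):
    """Return (account, src_ip, src_port) keys that hit both winreg and srvsvc
    over IPC$ within `window`, i.e. the pattern described in the post."""
    by_key = defaultdict(list)
    for e in events:
        # Only IPC$ accesses to the two named pipes are relevant
        if e["target"].lower() in PIPES and e["share"].upper().endswith("IPC$"):
            key = (e["account"], e["src_ip"], e["src_port"])
            by_key[key].append((datetime.fromisoformat(e["time"]), e["target"].lower()))

    hits = []
    for key, rows in by_key.items():
        rows.sort()  # chronological order per (account, ip, port)
        for i, (t1, pipe1) in enumerate(rows):
            # First later access to the *other* pipe; later ones are further away in time
            other = next((t2 for t2, pipe2 in rows[i + 1:] if pipe2 != pipe1), None)
            if other is not None and other - t1 <= window:
                hits.append(key)
                break  # one alert per key is enough
    return hits


if __name__ == "__main__":
    for account, ip, port in detect_psloggedon(EVENTS):
        print(f"possible PsLoggedOn: {account} from {ip}:{port}")
```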
References:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145
https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon