Thursday, 7 February 2019

Threat Huting #9 - Impacket\Secretdump remote execution using EventId 5145 performs various techniques to dump hashes from the remote machine without executing any agent there. If executed against a AD with domain admin privileges, all accounts hashes will be leaked.

For SAM and LSA Secrets (including cached creds) it reads from the registry and then save the hives in the target system (%SYSTEMROOT%\\Temp dir) and read the rest of the data from there.

For NTDS.dit :
a. Get the domain users list and get its hashes and Kerberos keys using [MS-DRDS] DRSGetNCChanges() call, replicating just the attributes we need. [artifact: connect to srvsvc named pipe]
b. Extract NTDS.dit via vssadmin executed  with the smbexec approach.

It's copied on the temp dir and parsed remotely. The script initiates the services required for its working if they are not available (e.g. Remote Registry, even if it is disabled). -> [artifact: connect to winreg named pipe]

Below a summarized view of the traces left at the destination host. We recommend to enable 5145 on you DC and member windows servers.

Detection Logic:

EventId=5145 and count=4 and event.RelativeTargetName is any of {svcctl, winreg, system32\*.tmp) and with different RelativeTargetName and Same AccountName, SourceAddress, SourcePort within 2 min

You can also hunt with the "system32\*.tmp" (quite unique) as a search filter and then confirm manually if it's FP or not by reviewing "winreg" and svcctl" presence from source IP, User and Port.

IBM Qradar AQL hunting query:

select "ShareName", "SharePath", "TargetName" from events where eventid=5145 and TargetName IMATCHES '(?i)(.*system32.*\.tmp)'


No comments:

Post a Comment