Launching HTB CWEE: Certified Web Exploitation Expert Learn More

Detecting Windows Attacks with Splunk

This Hack The Box Academy module is focused on pinpointing attacks on Windows and Active Directory. Utilizing Splunk as the cornerstone for investigation, this training will arm participants with the expertise to adeptly identify Windows-based threats leveraging Windows Event Logs and Zeek network logs. Furthermore, participants will benefit from actual PCAP files associated with the discussed Windows and Active Directory attacks, enhancing their understanding of the respective attack patterns and techniques.

4.71

Created by Volfar
Co-Authors: leoleg97

Medium Defensive

Summary

This module is centered on detecting intrusions targeting Windows and Active Directory. With Splunk as the foundational tool for probing, this module is designed to endow learners with the knowledge to proficiently spot Windows-centric threats, tapping into the insights of Windows Event Logs and Zeek network logs. Additionally, participants will have access to genuine PCAP files related to the explored Windows and Active Directory incursions, further amplifying their grasp on specific attack trajectories and tactics.

This module will provide proficiency in detecting:

  • User/domain reconnaissance
    • Via native tools
    • Using BloodHound/SharpHound
  • Password spraying
  • LLMNR poisoning
  • Techniques like Kerberoasting and AS-REProasting
  • Methods like Pass-the-hash and Overpass-the-Hash
  • Pass-the-Ticket
  • Golden and Silver tickets
  • Unconstrained and Constrained delegation attacks
  • DCSync and DCShadow attacks
  • RDP Brute Force Attacks
  • Beaconing Malware
  • Nmap Port Scanning
  • Kerberos Brute Force Attacks
  • Cobalt Strike's PSExec
  • Zerologon
  • Exfiltration via HTTP(S) and DNS
  • Ransomware

Key Learning Areas:

  1. Insight into Windows Event Logs:

    • Delve into the essence of Windows Event Logs and their significance in safeguarding Active Directory.
    • Bolster analytical prowess to spot anomalies and possible security compromises within the logs.
  2. Understanding Zeek Network Logs:

    • Traverse the landscape of network threats targeting Active Directory, facilitated by Zeek logs.
    • Cultivate the ability to distinguish between harmless network flows and suspicious activities.
  3. Analysis of PCAP Files:

    • Engage with authentic PCAP files extracted from documented Windows & Active Directory attacks.
    • Thoroughly examine these data to discern prevalent intrusion paths and techniques.

This module is broken into sections with accompanying hands-on exercises to practice the techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see detection examples for the topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the target host provided in the interactive sections or your virtual machine.

You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "medium" and assumes basic knowledge of Windows event logs, Zeek logs, and common attack principles

A firm grasp of the following modules can be considered prerequisites for successful completion of this module:

  • Windows Event Logs & Finding Evil
  • Understanding Log Sources & Investigating with Splunk
  • Working with IDS/IPS

Detecting Common User/Domain Recon

Domain Reconnaissance

Active Directory (AD) domain reconnaissance represents a pivotal stage in the cyberattack lifecycle. During this phase, adversaries endeavor to gather information about the target environment, seeking to comprehend its architecture, network topology, security measures, and potential vulnerabilities.

While conducting AD domain reconnaissance, attackers focus on identifying crucial components such as Domain Controllers, user accounts, groups, trust relationships, organizational units (OUs), group policies, and other vital objects. By gaining insights into the AD environment, attackers can potentially pinpoint high-value targets, escalate their privileges, and move laterally within the network.

User/Domain Reconnaissance Using Native Windows Executables

An example of AD domain reconnaissance is when an adversary executes the net group command to obtain a list of Domain Administrators.

Common native tools/commands utilized for domain reconnaissance include:

  • whoami /all
  • wmic computersystem get domain
  • net user /domain
  • net group "Domain Admins" /domain
  • arp -a
  • nltest /domain_trusts

For detection, administrators can employ PowerShell to monitor for unusual scripts or cmdlets and process command-line monitoring.

User/Domain Reconnaissance Using BloodHound/SharpHound

BloodHound is an open-source domain reconnaissance tool created to analyze and visualize the Active Directory (AD) environment. It is frequently employed by attackers to discern attack paths and potential security risks within an organization's AD infrastructure. BloodHound leverages graph theory and relationship mapping to elucidate trust relationships, permissions, and group memberships within the AD domain.

Sharphound is a C# data collector for BloodHound. An example of usage includes an adversary running Sharphound with all collection methods (-c all).

BloodHound Detection Opportunities

Under the hood, the BloodHound collector executes numerous LDAP queries directed at the Domain Controller, aiming to amass information about the domain.

However, monitoring LDAP queries can be a challenge. By default, the Windows Event Log does not record them. The best option Windows can suggest is employing Event 1644 - the LDAP performance monitoring log. Even with it enabled, BloodHound may not generate many of the expected events.

A more reliable approach is to utilize the Windows ETW provider Microsoft-Windows-LDAP-Client. As showcased previously in the SOC Analyst path, SilkETW & SilkService are versatile C# wrappers for ETW, designed to simplify the intricacies of ETW, providing an accessible interface for research and introspection. SilkService supports output to the Windows Event Log, which streamlines log digestion. Another useful feature is the ability to employ Yara rules for hunting suspicious LDAP queries.

In addition, Microsoft's ATP team has compiled a list of LDAP filters frequently used by reconnaissance tools.

Armed with this list of LDAP filters, BloodHound activity can be detected more efficiently.

Let's now navigate to the bottom of this section and click on "Click here to spawn the target system!". Then, access the Splunk interface at http://[Target IP]:8000 and launch the Search & Reporting Splunk application. The vast majority of searches covered from this point up to end of this section can be replicated inside the target, offering a more comprehensive grasp of the topics presented.

Detecting User/Domain Recon With Splunk

You'll observe that a specific timeframe is given when identifying each attack. This is done to concentrate on the relevant events, avoiding the overwhelming volume of unrelated events.

Now let's explore how we can identify the recon techniques previously discussed, using Splunk.

Detecting Recon By Targeting Native Windows Executables

Timeframe: earliest=1690447949 latest=1690450687

index=main source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventID=1 earliest=1690447949 latest=1690450687
| search process_name IN (arp.exe,chcp.com,ipconfig.exe,net.exe,net1.exe,nltest.exe,ping.exe,systeminfo.exe,whoami.exe) OR (process_name IN (cmd.exe,powershell.exe) AND process IN (*arp*,*chcp*,*ipconfig*,*net*,*net1*,*nltest*,*ping*,*systeminfo*,*whoami*))
| stats values(process) as process, min(_time) as _time by parent_process, parent_process_id, dest, user
| where mvcount(process) > 3

Search Breakdown:

  • Filtering by Index and Source: The search begins by selecting events from the main index where the source is XmlWinEventLog:Microsoft-Windows-Sysmon/Operational, which is the XML-formatted Windows Event Log for Sysmon (System Monitor) events. Sysmon is a service and device driver that logs system activity to the event log.
  • EventID Filter: The search is further filtered to only select events with an Event ID of 1. In Sysmon, Event ID 1 corresponds to Process Creation events, which log data about newly created processes.
  • Time Range Filter: The search restricts the time range of events to those occurring between the Unix timestamps 1690447949 and 1690450687. These timestamps represent the earliest and latest times in which the events occurred.
  • Process Name Filter: The search then filters events to only include those where the process_name field is one of a list of specific process names (e.g., arp.exe, chcp.com, ipconfig.exe, etc.) or where the process_name field is cmd.exe or powershell.exe and the process field contains certain substrings. This step is looking for events that involve certain system or network-related commands, as well as events where these commands were run from a Command Prompt or PowerShell session.
  • Statistics: The stats command is used to aggregate events based on the fields parent_process, parent_process_id, dest, and user. For each unique combination of these fields, the search calculates the following statistics:
    • values(process) as process: This captures all unique values of the process field as a multivalue field named process.
    • min(_time) as _time: This captures the earliest time (_time) that an event occurred within each group.
  • Filtering by Process Count: The where command is used to filter the results to only include those where the count of the process field is greater than 3. This step is looking for instances where multiple processes (more than three) were executed by the same parent process.

Detecting Recon By Targeting BloodHound

Timeframe: earliest=1690195896 latest=1690285475

index=main earliest=1690195896 latest=1690285475 source="WinEventLog:SilkService-Log"
| spath input=Message 
| rename XmlEventData.* as * 
| table _time, ComputerName, ProcessName, ProcessId, DistinguishedName, SearchFilter
| sort 0 _time
| search SearchFilter="*(samAccountType=805306368)*"
| stats min(_time) as _time, max(_time) as maxTime, count, values(SearchFilter) as SearchFilter by ComputerName, ProcessName, ProcessId
| where count > 10
| convert ctime(maxTime)

Search Breakdown:

  • Filtering by Index and Source: The search starts by selecting events from the main index where the source is WinEventLog:SilkService-Log. This source represents Windows Event Log data gathered by SilkETW.
  • Time Range Filter: The search restricts the time range of events to those occurring between the Unix timestamps 1690195896 and 1690285475. These timestamps represent the earliest and latest times in which the events occurred.
  • Path Extraction: The spath command is used to extract fields from the Message field, which likely contains structured data such as XML or JSON. The spath command automatically identifies and extracts fields based on the data structure.
  • Field Renaming: The rename command is used to rename fields that start with XmlEventData. to the equivalent field names without the XmlEventData. prefix. This is done for easier reference to the fields in later stages of the search.
  • Tabulating Results: The table command is used to display the results in a tabular format with the following columns: _time, ComputerName, ProcessName, ProcessId, DistinguishedName, and SearchFilter. The table command only includes these fields in the output.
  • Sorting: The sort command is used to sort the results based on the _time field in ascending order (from oldest to newest). The 0 argument means that there is no limit on the number of results to sort.
  • Search Filter: The search command is used to filter the results to only include events where the SearchFilter field contains the string *(samAccountType=805306368)*. This step is looking for events related to LDAP queries with a specific filter condition.
  • Statistics: The stats command is used to aggregate events based on the fields ComputerName, ProcessName, and ProcessId. For each unique combination of these fields, the search calculates the following statistics:
    • min(_time) as _time: The earliest time (_time) that an event occurred within each group.
    • max(_time) as maxTime: The latest time (_time) that an event occurred within each group.
    • count: The number of events within each group.
    • values(SearchFilter) as SearchFilter: All unique values of the SearchFilter field within each group.
  • Filtering by Event Count: The where command is used to filter the results to only include those where the count field is greater than 10. This step is looking for instances where the same process on the same computer made more than ten search queries with the specified filter condition.
  • Time Conversion: The convert command is used to convert the maxTime field from Unix timestamp format to human-readable format (ctime).

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Relevant Paths

This module progresses you towards the following Paths

SOC Analyst

The SOC Analyst Job Role Path is for newcomers to information security who aspire to become professional SOC analysts. This path covers core security monitoring and security analysis concepts and provides a deep understanding of the specialized tools, attack tactics, and methodology used by adversaries. Armed with the necessary theoretical background and multiple practical exercises, students will go through all security analysis stages, from traffic analysis and SIEM monitoring to DFIR activities and reporting. Upon completing this job role path, you will have obtained the practical skills and mindset necessary to monitor enterprise-level infrastructure and detect intrusions at an intermediate level. The SOC Analyst Prerequisites skill path can be considered prerequisite knowledge to be successful while working through this job role path.

Medium Path Sections 165 Sections
Required: 1220
Reward: +260
Path Modules
Fundamental
Path Sections 9 Sections
Reward: +10
Security Incident handling has become a vital part of each organization's defensive strategy, as attacks constantly evolve and successful compromises are becoming a daily occurrence. In this module, we will review the process of handling an incident from the very early stage of detecting a suspicious event, to confirming a compromise and responding to it.
Easy
Path Sections 11 Sections
Reward: +20
This module provides a concise yet comprehensive overview of Security Information and Event Management (SIEM) and the Elastic Stack. It demystifies the essential workings of a Security Operation Center (SOC), explores the application of the MITRE ATT&CK framework within SOCs, and introduces SIEM (KQL) query development. With a focus on practical skills, students will learn how to develop SIEM use cases and visualizations using the Elastic Stack.
Medium
Path Sections 6 Sections
Reward: +20
This module covers the exploration of Windows Event Logs and their significance in uncovering suspicious activities. Throughout the course, we delve into the anatomy of Windows Event Logs and highlight the logs that hold the most valuable information for investigations. The module also focuses on utilizing Sysmon and Event Logs for detecting and analyzing malicious behavior. Additionally, we delve into Event Tracing for Windows (ETW), explaining its architecture and components, and provide ETW-based detection examples. To streamline the analysis process, we introduce the powerful Get-WinEvent cmdlet.
Medium
Path Sections 6 Sections
Reward: +20
This module initially lays the groundwork for understanding Threat Hunting, ranging from its basic definition, to the structure of a threat hunting team. The module also dives into the threat hunting process, highlighting the interrelationships between threat hunting, risk assessment, and incident handling. Furthermore, the module elucidates the fundamentals of Cyber Threat Intelligence (CTI). It expands on the different types of threat intelligence and offers guidance on effectively interpreting a threat intelligence report. Finally, the module puts theory into practice, showcasing how to conduct threat hunting using the Elastic stack. This practical segment uses real-world logs to provide learners with hands-on experience.
Medium
Path Sections 6 Sections
Reward: +20
This module provides a comprehensive introduction to Splunk, focusing on its architecture and the creation of effective detection-related SPL (Search Processing Language) searches. We will learn to investigate with Splunk as a SIEM tool and develop TTP-driven and analytics-driven SPL searches for enhanced threat detection and response. Through hands-on exercises, we will learn to identify and understand the ingested data and available fields within Splunk. We will also gain practical experience in leveraging Splunk's powerful features for security monitoring and incident investigation.
Medium
Path Sections 16 Sections
Reward: +20
Microsoft Active Directory (AD) has been, for the past 20+ years, the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Throughout those years, the more integrated our applications and data have become with AD, the more exposed to a large-scale compromise we have become. In this module, we will walk through the most commonly abused and fruitful attacks against Active Directory environments that allow threat actors to perform horizontal and vertical privilege escalations in addition to lateral movement. One of the module's core goals is to showcase prevention and detection methods against the covered Active Directory attacks.
Medium
Path Sections 15 Sections
Reward: +10
Network traffic analysis is used by security teams to monitor network activity and look for anomalies that could indicate security and operational issues. Offensive security practitioners can use network traffic analysis to search for sensitive data such as credentials, hidden applications, reachable network segments, or other potentially sensitive information "on the wire." Network traffic analysis has many uses for attackers and defenders alike.
Easy
Path Sections 18 Sections
Reward: +20
Through network traffic analysis, this module sharpens skills in detecting link layer attacks such as ARP anomalies and rogue access points, identifying network abnormalities like IP spoofing and TCP handshake irregularities, and uncovering application layer threats from web-based vulnerabilities to peculiar DNS activities.
Medium
Path Sections 11 Sections
Reward: +20
This module offers an in-depth exploration of Suricata, Snort, and Zeek, covering both rule development and intrusion detection. We'll guide you through signature-based and analytics-based rule development, and you'll learn to tackle encrypted traffic. The module features numerous hands-on examples, focusing on the detection of prevalent malware such as PowerShell Empire, Covenant, Sliver, Cerber, Dridex, Ursnif, and Patchwork. We also dive into detecting attacking techniques like DNS exfiltration, TLS/HTTP Exfiltration, PsExec lateral movement, and beaconing through IDS/IPS.
Hard
Path Sections 9 Sections
Reward: +20
This module offers an exploration of malware analysis, specifically targeting Windows-based threats. The module covers Static Analysis utilizing Linux and Windows tools, Malware Unpacking, Dynamic Analysis (including malware traffic analysis), Reverse Engineering for Code Analysis, and Debugging using x64dbg. Real-world malware examples such as WannaCry, DoomJuice, Brbbot, Dharma, and Meterpreter are analyzed to provide practical experience.
Easy
Path Sections 11 Sections
Reward: +10
This module will take you step-by-step through the fundamentals of JavaScript Deobfuscation until you can deobfuscate basic JavaScript code and understand its purpose.
Easy
Path Sections 11 Sections
Reward: +20
This Hack The Box Academy module covers how to create YARA rules both manually and automatically and apply them to hunt threats on disk, live processes, memory, and online databases. Then, the module switches gears to Sigma rules covering how to build Sigma rules, translate them into SIEM queries using "sigmac", and hunt threats in both event logs and SIEM solutions. It's all hands-on, using real-world malware and techniques.
Medium
Path Sections 8 Sections
Reward: +20
Dive into Windows digital forensics with Hack The Box Academy's "Introduction to Digital Forensics" module. Gain mastery over core forensic concepts and tools such as FTK Imager, KAPE, Velociraptor, and Volatility. Dive deep into memory forensics, disk image analysis, and rapid triaging procedures. Learn to construct timelines from MFT, USN Journals, and Windows event logs while getting hands-on with key artifacts like MFT, USN Journal, Registry Hives, Prefetch Files, ShimCache, Amcache, BAM, and SRUM data.
Medium
Path Sections 23 Sections
Reward: +20
This Hack The Box Academy module is focused on pinpointing attacks on Windows and Active Directory. Utilizing Splunk as the cornerstone for investigation, this training will arm participants with the expertise to adeptly identify Windows-based threats leveraging Windows Event Logs and Zeek network logs. Furthermore, participants will benefit from actual PCAP files associated with the discussed Windows and Active Directory attacks, enhancing their understanding of the respective attack patterns and techniques.
Easy
Path Sections 5 Sections
Reward: +10
Tailored to provide a holistic understanding, this Hack The Box Academy module ensures participants are adept at identifying, categorizing, and documenting security incidents with utmost accuracy and professionalism. The module meticulously breaks down the elements of a robust incident report and then presents participants with a real-world incident report, offering practical insights into the application of the concepts discussed.