The Digital Hunt: Tracking LOTL in Your Network

It ‎advocates‏ ‎for ‎regular ‎system ‎inventory ‎audits‏ ‎to ‎catch‏ ‎adversary‏ ‎behavior ‎that ‎might‏ ‎be ‎missed‏ ‎by ‎event ‎logs ‎due‏ ‎to‏ ‎inadequate ‎logging‏ ‎configurations ‎or‏ ‎activities ‎occurring ‎before ‎logging ‎enhancements‏ ‎are‏ ‎deployed. ‎Organizations‏ ‎are ‎encouraged‏ ‎to ‎enable ‎comprehensive ‎logging ‎for‏ ‎all‏ ‎security-related‏ ‎events, ‎including‏ ‎shell ‎activities,‏ ‎system ‎calls,‏ ‎and‏ ‎audit ‎trails‏ ‎across ‎all ‎platforms, ‎to ‎improve‏ ‎the ‎detection‏ ‎of‏ ‎malicious ‎LOTL ‎activity.

Network‏ ‎Logs ‎

The‏ ‎detection ‎of ‎LOTL ‎techniques‏ ‎through‏ ‎network ‎logs‏ ‎presents ‎unique‏ ‎challenges ‎due ‎to ‎the ‎transient‏ ‎nature‏ ‎of ‎network‏ ‎artifacts ‎and‏ ‎the ‎complexity ‎of ‎distinguishing ‎malicious‏ ‎activity‏ ‎from‏ ‎legitimate ‎behavior.‏ ‎Network ‎defenders‏ ‎must ‎be‏ ‎vigilant‏ ‎and ‎proactive‏ ‎in ‎configuring ‎and ‎setting ‎up‏ ‎logs ‎to‏ ‎capture‏ ‎the ‎necessary ‎data‏ ‎for ‎identifying‏ ‎LOTL ‎activities. ‎Unlike ‎host‏ ‎artifacts,‏ ‎which ‎can‏ ‎often ‎be‏ ‎found ‎unless ‎deliberately ‎deleted ‎by‏ ‎a‏ ‎threat ‎actor,‏ ‎network ‎artifacts‏ ‎are ‎derived ‎from ‎network ‎traffic‏ ‎and‏ ‎are‏ ‎inherently ‎more‏ ‎difficult ‎to‏ ‎detect ‎and‏ ‎capture.‏ ‎Network ‎artifacts‏ ‎are ‎significantly ‎harder ‎to ‎detect‏ ‎than ‎host‏ ‎artifacts‏ ‎because ‎they ‎are‏ ‎largely ‎transient‏ ‎and ‎require ‎proper ‎configuration‏ ‎of‏ ‎logging ‎systems‏ ‎to ‎be‏ ‎captured. ‎Without ‎the ‎right ‎sensors‏ ‎in‏ ‎place ‎to‏ ‎record ‎network‏ ‎traffic, ‎there ‎is ‎no ‎way‏ ‎to‏ ‎observe‏ ‎LOTL ‎activity‏ ‎from ‎a‏ ‎network ‎perspective.‏ ‎

Indicators‏ ‎of ‎LOTL‏ ‎Activity

Detecting ‎LOTL ‎activity ‎involves ‎looking‏ ‎for ‎a‏ ‎collection‏ ‎of ‎possible ‎indicators‏ ‎that, ‎together,‏ ‎paint ‎a ‎picture ‎of‏ ‎the‏ ‎behavior ‎of‏ ‎network ‎traffic.

📌 Reviewing‏ ‎Firewall ‎Logs: Blocked ‎access ‎attempts ‎in‏ ‎firewall‏ ‎logs ‎can‏ ‎signal ‎compromise,‏ ‎especially ‎in ‎a ‎properly ‎segmented‏ ‎network.‏ ‎Network‏ ‎discovery ‎and‏ ‎mapping ‎attempts‏ ‎from ‎within‏ ‎the‏ ‎network ‎can‏ ‎also ‎be ‎indicative ‎of ‎LOTL‏ ‎activity. ‎It‏ ‎is‏ ‎crucial ‎to ‎differentiate‏ ‎between ‎normal‏ ‎network ‎management ‎tool ‎behavior‏ ‎and‏ ‎abnormal ‎traffic‏ ‎patterns.

📌 Investigating ‎Unusual‏ ‎Traffic ‎Patterns: ‎Specific ‎types ‎of‏ ‎traffic‏ ‎should ‎be‏ ‎scrutinized, ‎such‏ ‎as ‎LDAP ‎requests ‎from ‎non-domain‏ ‎joined‏ ‎Linux‏ ‎hosts, ‎SMB‏ ‎requests ‎across‏ ‎different ‎network‏ ‎segments,‏ ‎or ‎database‏ ‎access ‎requests ‎from ‎user ‎workstations‏ ‎that ‎should‏ ‎only‏ ‎be ‎made ‎by‏ ‎frontend ‎servers.‏ ‎Establishing ‎baseline ‎noise ‎levels‏ ‎can‏ ‎help ‎in‏ ‎distinguishing ‎between‏ ‎legitimate ‎applications ‎and ‎malicious ‎requests.

📌 Examining‏ ‎Logs‏ ‎from ‎Network‏ ‎Services ‎on‏ ‎Host ‎Machines: ‎Logs ‎from ‎services‏ ‎like‏ ‎Sysmon‏ ‎and ‎IIS‏ ‎on ‎host‏ ‎machines ‎can‏ ‎provide‏ ‎insights ‎into‏ ‎web ‎server ‎interactions, ‎FTP ‎transactions,‏ ‎and ‎other‏ ‎network‏ ‎activities. ‎These ‎logs‏ ‎can ‎offer‏ ‎valuable ‎context ‎and ‎details‏ ‎that‏ ‎may ‎not‏ ‎be ‎captured‏ ‎by ‎traditional ‎network ‎devices.

📌 Combining ‎Network‏ ‎Traffic‏ ‎Logs ‎with‏ ‎Host-based ‎Logs:‏ ‎This ‎approach ‎allows ‎for ‎the‏ ‎inclusion‏ ‎of‏ ‎additional ‎information‏ ‎such ‎as‏ ‎user ‎account‏ ‎and‏ ‎process ‎details.‏ ‎Discrepancies ‎between ‎the ‎destination ‎and‏ ‎on-network ‎artifacts‏ ‎could‏ ‎indicate ‎malicious ‎traffic.

Application,‏ ‎Security, ‎and‏ ‎System ‎Event ‎Logs

Default ‎logging‏ ‎configurations‏ ‎often ‎fail‏ ‎to ‎capture‏ ‎all ‎necessary ‎events, ‎potentially ‎leaving‏ ‎gaps‏ ‎in ‎the‏ ‎visibility ‎of‏ ‎malicious ‎activities. ‎Prioritizing ‎logs ‎and‏ ‎data‏ ‎sources‏ ‎that ‎are‏ ‎more ‎likely‏ ‎to ‎reveal‏ ‎malicious‏ ‎LOTL ‎activities‏ ‎is ‎crucial ‎for ‎effective ‎detection‏ ‎and ‎response.

Authentication‏ ‎Logs

📌Authentication‏ ‎logs ‎play ‎a‏ ‎vital ‎role‏ ‎in ‎identifying ‎unauthorized ‎access‏ ‎attempts‏ ‎and ‎tracking‏ ‎user ‎activities‏ ‎across ‎the ‎network. ‎The ‎guidance‏ ‎recommends‏ ‎ensuring ‎that‏ ‎logging ‎is‏ ‎enabled ‎for ‎all ‎control ‎plane‏ ‎operations,‏ ‎including‏ ‎API ‎calls‏ ‎and ‎end-user‏ ‎logins, ‎through‏ ‎services‏ ‎like ‎Amazon‏ ‎Web ‎Services ‎CloudTrail, ‎Azure ‎Activity‏ ‎Log, ‎and‏ ‎Google‏ ‎Cloud ‎Audit ‎Logs.‏ ‎These ‎logs‏ ‎can ‎provide ‎valuable ‎insights‏ ‎into‏ ‎potential ‎LOTL‏ ‎activities ‎by‏ ‎highlighting ‎unusual ‎access ‎patterns ‎or‏ ‎attempts‏ ‎to ‎exploit‏ ‎authentication ‎mechanisms.

📌A‏ ‎robust ‎strategy ‎for ‎the ‎separation‏ ‎of‏ ‎privileges‏ ‎is ‎essential‏ ‎for ‎identifying‏ ‎LOTL ‎techniques‏ ‎through‏ ‎authentication ‎logs.‏ ‎Practices ‎such ‎as ‎restricting ‎domain‏ ‎administrator ‎accounts‏ ‎to‏ ‎only ‎log ‎into‏ ‎domain ‎controllers‏ ‎and ‎using ‎Privileged ‎Access‏ ‎Workstations‏ ‎(PAWs) ‎in‏ ‎conjunction ‎with‏ ‎bastion ‎hosts ‎can ‎minimize ‎credential‏ ‎exposure‏ ‎and ‎reinforce‏ ‎network ‎segmentation.‏ ‎Multifactor ‎authentication ‎adds ‎an ‎additional‏ ‎layer‏ ‎of‏ ‎security.

Host-based ‎Logs

Sysmon‏ ‎and ‎other‏ ‎host-based ‎logging‏ ‎tools‏ ‎offer ‎granular‏ ‎visibility ‎into ‎system ‎activities ‎that‏ ‎can ‎indicate‏ ‎LOTL‏ ‎exploitation. ‎By ‎capturing‏ ‎detailed ‎information‏ ‎about ‎process ‎creations, ‎network‏ ‎connections,‏ ‎and ‎file‏ ‎system ‎changes,‏ ‎these ‎tools ‎can ‎help ‎organizations‏ ‎detect‏ ‎and ‎investigate‏ ‎suspicious ‎behavior‏ ‎that ‎might ‎otherwise ‎go ‎unnoticed.

Establishing‏ ‎Baselines‏ ‎and‏ ‎Secure ‎Logging

A‏ ‎foundational ‎step‏ ‎in ‎detecting‏ ‎abnormal‏ ‎or ‎potentially‏ ‎malicious ‎behavior ‎is ‎the ‎establishment‏ ‎of ‎baselines‏ ‎for‏ ‎running ‎tools ‎and‏ ‎activities. ‎This‏ ‎involves ‎understanding ‎the ‎normal‏ ‎operational‏ ‎patterns ‎of‏ ‎a ‎system‏ ‎to ‎identify ‎deviations ‎that ‎may‏ ‎indicate‏ ‎a ‎security‏ ‎threat. ‎It's‏ ‎also ‎essential ‎to ‎rely ‎on‏ ‎secure‏ ‎logs‏ ‎that ‎are‏ ‎less ‎susceptible‏ ‎to ‎tampering‏ ‎by‏ ‎adversaries. ‎For‏ ‎instance, ‎while ‎Linux ‎.bash_history ‎files‏ ‎can ‎be‏ ‎modified‏ ‎by ‎nonprivileged ‎users,‏ ‎system-level ‎auditd‏ ‎logs ‎are ‎more ‎secure‏ ‎and‏ ‎provide ‎a‏ ‎reliable ‎record‏ ‎of ‎activities.

Leveraging ‎Sysmon ‎in ‎Windows‏ ‎Environments

📌Sysmon,‏ ‎a ‎Windows‏ ‎system ‎monitoring‏ ‎tool, ‎offers ‎granular ‎insights ‎into‏ ‎activities‏ ‎such‏ ‎as ‎process‏ ‎creations, ‎network‏ ‎connections, ‎and‏ ‎registry‏ ‎modifications. ‎This‏ ‎detailed ‎logging ‎is ‎invaluable ‎for‏ ‎security ‎teams‏ ‎in‏ ‎hunting ‎for ‎and‏ ‎detecting ‎the‏ ‎misuse ‎of ‎legitimate ‎tools‏ ‎and‏ ‎utilities. ‎Key‏ ‎strategies ‎include:

📌Using‏ ‎the ‎OriginalFileName ‎property ‎to ‎identify‏ ‎renamed‏ ‎files, ‎which‏ ‎may ‎indicate‏ ‎malicious ‎activity. ‎For ‎most ‎Microsoft‏ ‎utilities,‏ ‎the‏ ‎original ‎filenames‏ ‎are ‎stored‏ ‎in ‎the‏ ‎PE‏ ‎header, ‎providing‏ ‎a ‎method ‎to ‎detect ‎file‏ ‎tampering.

📌Implementing ‎detection‏ ‎techniques‏ ‎to ‎identify ‎the‏ ‎malicious ‎use‏ ‎of ‎command-line ‎and ‎scripting‏ ‎utilities,‏ ‎especially ‎those‏ ‎exploiting ‎Alternate‏ ‎Data ‎Streams ‎(ADS). ‎Monitoring ‎specific‏ ‎command-line‏ ‎arguments ‎or‏ ‎syntax ‎used‏ ‎to ‎interact ‎with ‎ADS ‎can‏ ‎reveal‏ ‎attempts‏ ‎to ‎execute‏ ‎or ‎interact‏ ‎with ‎hidden‏ ‎payloads.

Targeted‏ ‎Detection ‎Strategies

Enhancing‏ ‎Sysmon ‎configurations ‎to ‎log ‎and‏ ‎scrutinize ‎command-line‏ ‎executions,‏ ‎with ‎a ‎focus‏ ‎on ‎patterns‏ ‎indicative ‎of ‎obfuscation, ‎can‏ ‎help‏ ‎identify ‎attempts‏ ‎by ‎cyber‏ ‎threat ‎actors ‎to ‎bypass ‎security‏ ‎monitoring‏ ‎tools. ‎Examples‏ ‎include ‎the‏ ‎extensive ‎use ‎of ‎escape ‎characters,‏ ‎concatenation‏ ‎of‏ ‎commands, ‎and‏ ‎the ‎employment‏ ‎of ‎Base64‏ ‎encoding.

Monitoring‏ ‎Suspicious ‎Process‏ ‎Chains

Monitoring ‎for ‎suspicious ‎process ‎chains,‏ ‎such ‎as‏ ‎Microsoft‏ ‎Office ‎documents ‎initiating‏ ‎scripting ‎processes,‏ ‎is ‎a ‎key ‎indicator‏ ‎of‏ ‎LOTL ‎activity.‏ ‎It's ‎uncommon‏ ‎for ‎Office ‎applications ‎to ‎launch‏ ‎scripting‏ ‎processes ‎like‏ ‎cmd.exe, ‎PowerShell,‏ ‎wscript.exe, ‎or ‎cscript.exe. ‎Tracking ‎these‏ ‎process‏ ‎creations‏ ‎and ‎the‏ ‎execution ‎of‏ ‎unusual ‎commands‏ ‎from‏ ‎Office ‎applications‏ ‎can ‎signal ‎a ‎red ‎flag‏ ‎and ‎warrants‏ ‎further‏ ‎investigation.

Integrating ‎Logs ‎with‏ ‎SIEM ‎Systems

Integrating‏ ‎Sysmon ‎logs ‎with ‎Security‏ ‎Information‏ ‎and ‎Event‏ ‎Management ‎(SIEM)‏ ‎systems ‎and ‎applying ‎correlation ‎rules‏ ‎can‏ ‎significantly ‎enhance‏ ‎the ‎detection‏ ‎of ‎advanced ‎attack ‎scenarios. ‎This‏ ‎integration‏ ‎allows‏ ‎for ‎the‏ ‎automation ‎of‏ ‎the ‎detection‏ ‎process‏ ‎and ‎the‏ ‎application ‎of ‎analytics ‎to ‎identify‏ ‎complex ‎patterns‏ ‎of‏ ‎malicious ‎activity.

Linux ‎and‏ ‎macOS ‎Considerations

On‏ ‎Linux ‎machines, ‎enabling ‎Auditd‏ ‎or‏ ‎Sysmon ‎for‏ ‎Linux ‎logging‏ ‎and ‎integrating ‎these ‎logs ‎with‏ ‎an‏ ‎SIEM ‎platform‏ ‎can ‎greatly‏ ‎improve ‎the ‎detection ‎of ‎anomalous‏ ‎activities.‏ ‎For‏ ‎macOS, ‎utilizing‏ ‎tools ‎like‏ ‎Santa, ‎an‏ ‎open-source‏ ‎binary ‎authorization‏ ‎system, ‎can ‎help ‎monitor ‎process‏ ‎executions ‎and‏ ‎detect‏ ‎abnormal ‎behavior ‎by‏ ‎productivity ‎applications

Review‏ ‎Configurations

Regularly ‎reviewing ‎and ‎updating‏ ‎system‏ ‎configurations ‎is‏ ‎essential ‎to‏ ‎ensure ‎that ‎security ‎measures ‎remain‏ ‎effective‏ ‎against ‎evolving‏ ‎threats. ‎This‏ ‎includes ‎verifying ‎that ‎logging ‎settings‏ ‎are‏ ‎appropriately‏ ‎configured ‎to‏ ‎capture ‎relevant‏ ‎data ‎and‏ ‎that‏ ‎security ‎controls‏ ‎are ‎aligned ‎with ‎current ‎best‏ ‎practices. ‎Organizations‏ ‎should‏ ‎also ‎assess ‎the‏ ‎use ‎of‏ ‎allowlists ‎and ‎other ‎access‏ ‎control‏ ‎mechanisms ‎to‏ ‎prevent ‎the‏ ‎misuse ‎of ‎legitimate ‎tools ‎by‏ ‎malicious‏ ‎actors.

Regular ‎reviews‏ ‎of ‎host‏ ‎configurations ‎against ‎established ‎baselines ‎are‏ ‎essential‏ ‎for‏ ‎catching ‎indicators‏ ‎of ‎compromise‏ ‎(IOCs) ‎that‏ ‎may‏ ‎not ‎be‏ ‎reverted ‎through ‎regular ‎group ‎policy‏ ‎updates. ‎This‏ ‎includes‏ ‎changes ‎to ‎installed‏ ‎software, ‎firewall‏ ‎configurations, ‎and ‎updates ‎to‏ ‎core‏ ‎files ‎such‏ ‎as ‎the‏ ‎Hosts ‎file, ‎which ‎is ‎used‏ ‎for‏ ‎DNS ‎resolution.‏ ‎Such ‎reviews‏ ‎can ‎reveal ‎discrepancies ‎that ‎signal‏ ‎unauthorized‏ ‎modifications‏ ‎or ‎the‏ ‎presence ‎of‏ ‎malicious ‎software.

📌 Bypassing‏ ‎Standard‏ ‎Event ‎Logs: Cyber‏ ‎threat ‎actors ‎have ‎been ‎known‏ ‎to ‎bypass‏ ‎standard‏ ‎event ‎logs ‎by‏ ‎directly ‎writing‏ ‎to ‎the ‎registry ‎to‏ ‎register‏ ‎services ‎and‏ ‎scheduled ‎tasks.‏ ‎This ‎method ‎does ‎not ‎create‏ ‎standard‏ ‎system ‎events,‏ ‎making ‎it‏ ‎a ‎stealthy ‎way ‎to ‎establish‏ ‎persistence‏ ‎or‏ ‎execute ‎tasks‏ ‎without ‎triggering‏ ‎alerts. ‎

📌 System‏ ‎Inventory‏ ‎Audits: ‎Conducting‏ ‎regular ‎system ‎inventory ‎audits ‎is‏ ‎a ‎proactive‏ ‎measure‏ ‎to ‎catch ‎adversary‏ ‎behavior ‎that‏ ‎may ‎have ‎been ‎missed‏ ‎by‏ ‎event ‎logs,‏ ‎whether ‎due‏ ‎to ‎incorrect ‎event ‎capture ‎or‏ ‎activities‏ ‎that ‎occurred‏ ‎before ‎logging‏ ‎enhancements ‎were ‎deployed. ‎These ‎audits‏ ‎help‏ ‎ensure‏ ‎that ‎any‏ ‎changes ‎to‏ ‎the ‎system‏ ‎are‏ ‎authorized ‎and‏ ‎accounted ‎for.

Behavioral ‎Analysis

Comparing ‎activity ‎against‏ ‎normal ‎user‏ ‎behavior‏ ‎is ‎key ‎to‏ ‎detecting ‎anomalies.‏ ‎Unusual ‎behaviors ‎to ‎look‏ ‎out‏ ‎for ‎include‏ ‎odd ‎login‏ ‎hours, ‎access ‎outside ‎of ‎expected‏ ‎work‏ ‎schedules ‎or‏ ‎holiday ‎breaks,‏ ‎rapid ‎succession ‎or ‎high ‎volume‏ ‎of‏ ‎access‏ ‎attempts, ‎unusual‏ ‎access ‎paths,‏ ‎concurrent ‎sign-ins‏ ‎from‏ ‎multiple ‎locations,‏ ‎and ‎instances ‎of ‎impossible ‎time‏ ‎travel.

NTDSUtil.exe ‎and‏ ‎PSExec.exe

Specific‏ ‎attention ‎is ‎given‏ ‎to ‎detecting‏ ‎misuse ‎of ‎NTDSUtil.exe ‎and‏ ‎PSExec.exe,‏ ‎tools ‎that,‏ ‎while ‎legitimate,‏ ‎are ‎often ‎leveraged ‎by ‎attackers‏ ‎for‏ ‎malicious ‎purposes,‏ ‎such ‎as‏ ‎attempts ‎to ‎dump ‎credentials ‎or‏ ‎move‏ ‎laterally‏ ‎across ‎the‏ ‎network. ‎By‏ ‎focusing ‎on‏ ‎the‏ ‎behavioral ‎context‏ ‎of ‎these ‎tools' ‎usage, ‎organizations‏ ‎can ‎more‏ ‎effectively‏ ‎distinguish ‎between ‎legitimate‏ ‎and ‎malicious‏ ‎activities.

The ‎Exploitation ‎Process

A ‎common‏ ‎tactic‏ ‎involves ‎creating‏ ‎a ‎volume‏ ‎shadow ‎copy ‎of ‎the ‎system‏ ‎drive,‏ ‎typically ‎using‏ ‎vssadmin.exe ‎with‏ ‎commands ‎like ‎Create ‎Shadow ‎/for=C:.‏ ‎This‏ ‎action‏ ‎captures ‎a‏ ‎snapshot ‎of‏ ‎the ‎system's‏ ‎current‏ ‎state, ‎including‏ ‎the ‎Active ‎Directory ‎database. ‎Following‏ ‎this, ‎ntdsutil.exe‏ ‎is‏ ‎employed ‎to ‎interact‏ ‎with ‎this‏ ‎shadow ‎copy ‎through ‎a‏ ‎specific‏ ‎command ‎sequence‏ ‎(ntdsutil ‎snapshot‏ ‎“activate ‎instance ‎ntds” ‎create ‎quit‏ ‎quit).‏ ‎The ‎attackers‏ ‎then ‎access‏ ‎the ‎shadow ‎copy ‎to ‎extract‏ ‎the‏ ‎ntds.dit‏ ‎file ‎from‏ ‎a ‎specified‏ ‎directory. ‎This‏ ‎sequence‏ ‎aims ‎to‏ ‎retrieve ‎sensitive ‎credentials, ‎such ‎as‏ ‎hashed ‎passwords,‏ ‎from‏ ‎the ‎Active ‎Directory,‏ ‎enabling ‎full‏ ‎domain ‎compromise.

Detection ‎and ‎Response

To‏ ‎detect‏ ‎and ‎respond‏ ‎to ‎such‏ ‎exploitation, ‎it's ‎crucial ‎to ‎understand‏ ‎the‏ ‎context ‎of‏ ‎ntdsutil.exe ‎activities‏ ‎and ‎differentiate ‎between ‎legitimate ‎administrative‏ ‎use‏ ‎and‏ ‎potential ‎malicious‏ ‎exploitation. ‎Key‏ ‎log ‎sources‏ ‎and‏ ‎monitoring ‎strategies‏ ‎include:

📌 Command-line ‎and ‎Process ‎Creation ‎Logs:‏ ‎Security ‎logs‏ ‎(Event‏ ‎ID ‎4688) ‎and‏ ‎Sysmon ‎logs‏ ‎(Event ‎ID ‎1) ‎provide‏ ‎insights‏ ‎into ‎the‏ ‎execution ‎of‏ ‎ntdsutil.exe ‎commands. ‎Unusual ‎or ‎infrequent‏ ‎use‏ ‎of ‎ntdsutil.exe‏ ‎for ‎snapshot‏ ‎creation ‎might ‎indicate ‎suspicious ‎activity.

📌 File‏ ‎Creation‏ ‎and‏ ‎Access ‎Logs:‏ ‎Monitoring ‎file‏ ‎creation ‎events‏ ‎(Sysmon’s‏ ‎Event ‎ID‏ ‎11) ‎and ‎attempts ‎to ‎access‏ ‎sensitive ‎files‏ ‎like‏ ‎NTDS.dit ‎(security ‎logs‏ ‎with ‎Event‏ ‎ID ‎4663) ‎can ‎offer‏ ‎additional‏ ‎context ‎to‏ ‎the ‎snapshot‏ ‎creation ‎and ‎access ‎process.

📌 Privilege ‎Use‏ ‎Logs:‏ ‎Event ‎ID‏ ‎4673 ‎in‏ ‎security ‎logs, ‎indicating ‎the ‎use‏ ‎of‏ ‎privileged‏ ‎services, ‎can‏ ‎signal ‎potential‏ ‎misuse ‎when‏ ‎correlated‏ ‎with ‎the‏ ‎execution ‎of ‎ntdsutil.exe ‎commands.

📌 Network ‎Activity‏ ‎and ‎Authentication‏ ‎Logs:‏ ‎These ‎logs ‎can‏ ‎provide ‎context‏ ‎about ‎concurrent ‎remote ‎connections‏ ‎or‏ ‎data ‎transfers,‏ ‎potentially ‎indicating‏ ‎data ‎exfiltration ‎attempts. ‎Authentication ‎logs‏ ‎are‏ ‎also ‎crucial‏ ‎for ‎identifying‏ ‎the ‎executor ‎of ‎the ‎ntdsutil.exe‏ ‎command‏ ‎and‏ ‎assessing ‎whether‏ ‎the ‎usage‏ ‎aligns ‎with‏ ‎typical‏ ‎administrative ‎behavior.

Comprehensive‏ ‎Analysis ‎of ‎PSExec.exe ‎in ‎LOTL‏ ‎Tactics

PSExec.exe, ‎a‏ ‎component‏ ‎of ‎the ‎Microsoft‏ ‎PsTools ‎suite,‏ ‎is ‎a ‎powerful ‎utility‏ ‎for‏ ‎system ‎administrators,‏ ‎offering ‎the‏ ‎capability ‎to ‎remotely ‎execute ‎commands‏ ‎across‏ ‎networked ‎systems,‏ ‎often ‎with‏ ‎elevated ‎SYSTEM ‎privileges. ‎Its ‎versatility,‏ ‎however,‏ ‎also‏ ‎makes ‎it‏ ‎a ‎favored‏ ‎tool ‎in‏ ‎Living‏ ‎Off ‎the‏ ‎Land ‎(LOTL) ‎tactics ‎employed ‎by‏ ‎cyber ‎threat‏ ‎actors.

The‏ ‎Role ‎of ‎PSExec.exe‏ ‎in ‎Cyber‏ ‎Threats

PSExec.exe ‎is ‎commonly ‎utilized‏ ‎for‏ ‎remote ‎administration‏ ‎and ‎the‏ ‎execution ‎of ‎processes ‎across ‎systems,‏ ‎such‏ ‎as ‎execute‏ ‎one-off ‎commands‏ ‎aimed ‎at ‎modifying ‎system ‎configurations,‏ ‎such‏ ‎as‏ ‎removing ‎port‏ ‎proxy ‎configurations‏ ‎on ‎a‏ ‎remote‏ ‎host ‎with‏ ‎commands ‎like:

"C:\pstools\psexec.exe" ‎{REDACTED} ‎-s ‎cmd‏ ‎/c ‎"cmd.exe‏ ‎/c‏ ‎netsh ‎interface ‎portproxy‏ ‎delete ‎v4tov4‏ ‎listenaddress=0.0.0.0 ‎listenport=9999"

Detection ‎and ‎Contextualization‏ ‎Strategies

To‏ ‎effectively ‎counter‏ ‎the ‎malicious‏ ‎use ‎of ‎PSExec.exe, ‎network ‎defenders‏ ‎must‏ ‎leverage ‎a‏ ‎variety ‎of‏ ‎logs ‎that ‎provide ‎insights ‎into‏ ‎the‏ ‎execution‏ ‎of ‎commands‏ ‎and ‎the‏ ‎broader ‎context‏ ‎of‏ ‎the ‎operation:

📌 Command-line‏ ‎and ‎Process ‎Creation ‎Logs: ‎Security‏ ‎logs ‎(Event‏ ‎ID‏ ‎4688) ‎and ‎Sysmon‏ ‎logs ‎(Event‏ ‎ID ‎1) ‎are ‎invaluable‏ ‎for‏ ‎tracking ‎the‏ ‎execution ‎of‏ ‎PSExec.exe ‎and ‎associated ‎commands. ‎These‏ ‎logs‏ ‎detail ‎the‏ ‎command ‎line‏ ‎used, ‎shedding ‎light ‎on ‎the‏ ‎process's‏ ‎nature‏ ‎and ‎intent.

📌 Privilege‏ ‎Use ‎and‏ ‎Explicit ‎Credential‏ ‎Logs:‏ ‎Security ‎logs‏ ‎(Event ‎ID ‎4672) ‎document ‎instances‏ ‎where ‎special‏ ‎privileges‏ ‎are ‎assigned ‎to‏ ‎new ‎logons,‏ ‎crucial ‎when ‎PSExec ‎is‏ ‎executed‏ ‎with ‎the‏ ‎-s ‎switch‏ ‎for ‎SYSTEM ‎privileges. ‎Event ‎ID‏ ‎4648‏ ‎captures ‎explicit‏ ‎credential ‎use,‏ ‎indicating ‎when ‎PSExec ‎is ‎run‏ ‎with‏ ‎specific‏ ‎user ‎credentials.

📌 Sysmon‏ ‎Logs ‎for‏ ‎Network ‎Connections‏ ‎and‏ ‎Registry ‎Changes: Sysmon's‏ ‎Event ‎ID ‎3 ‎logs ‎network‏ ‎connections, ‎central‏ ‎to‏ ‎PSExec’s ‎remote ‎execution‏ ‎functionality. ‎Event‏ ‎IDs ‎12, ‎13, ‎and‏ ‎14‏ ‎track ‎registry‏ ‎changes, ‎including‏ ‎deletions ‎(Event ‎ID ‎14) ‎of‏ ‎registry‏ ‎keys ‎associated‏ ‎with ‎the‏ ‎executed ‎Netsh ‎command, ‎providing ‎evidence‏ ‎of‏ ‎modifications‏ ‎to ‎the‏ ‎system's ‎configuration.

📌 Windows‏ ‎Registry ‎Audit‏ ‎Logs:‏ ‎If ‎enabled,‏ ‎these ‎logs ‎record ‎modifications ‎to‏ ‎registry ‎keys,‏ ‎offering‏ ‎detailed ‎information ‎such‏ ‎as ‎the‏ ‎timestamp ‎of ‎changes, ‎the‏ ‎account‏ ‎under ‎which‏ ‎changes ‎were‏ ‎made ‎(often ‎the ‎SYSTEM ‎account‏ ‎due‏ ‎to ‎PSExec's‏ ‎-s ‎switch),‏ ‎and ‎the ‎specific ‎registry ‎values‏ ‎altered‏ ‎or‏ ‎deleted.

📌 Network ‎and‏ ‎Firewall ‎Logs: Analysis‏ ‎of ‎network‏ ‎traffic,‏ ‎especially ‎SMB‏ ‎traffic ‎characteristic ‎of ‎PSExec ‎use,‏ ‎and ‎firewall‏ ‎logs‏ ‎on ‎the ‎target‏ ‎system ‎can‏ ‎reveal ‎connections ‎to ‎administrative‏ ‎shares‏ ‎and ‎changes‏ ‎to ‎the‏ ‎system's ‎network ‎configuration. ‎These ‎logs‏ ‎can‏ ‎correlate ‎with‏ ‎the ‎timing‏ ‎of ‎command ‎execution, ‎providing ‎further‏ ‎context‏ ‎to‏ ‎the ‎activity.