4. Windows Log Analysis: Determine Attacker Technique

Difficulty: 🎄🎄

Determine Attacker Technique

Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process.
For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.

⚡️ Solution

After completing Linux Path Challenge and talk to SugarPlum Mary, He will give you hints which will help you with this objective.

Ross Wolf's work on EQL

Check out some of Ross Wolf's work on EQL.

Event Query Language

EQL Threat Hunting
Look closer the solution is posted in this article by Joshua Wright !

Given the hints, We will eqllib tool to analysis the logs file:

  1. Getting the tool ready:

    • Make sure you have python installed on your device or follow this guide to Install python, then install eqllib package for python.
      pip3 install eql
    • Or You can download and run Slingshot Linux, where EQL is already installed and ready to go!

    • Install jq to pretty-print the output data.

  2. To identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process, We need to understand how this attack work:

    Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights.

    The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.1

    The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes:

    • Volume Shadow Copy
    • secretsdump.py
    • Using the in-built Windows tool, ntdsutil.exe
    • Invoke-NinjaCopy

  3. Let's try to find unexpected processes interacting with lsass.exe as parent process:

    eql query -f sysmon-data.json "process where parent_process_name = 'LSASS.exe'" | jq

      "command_line": "C:\\Windows\\system32\\cmd.exe",
      "event_type": "process",
      "logon_id": 999,
      "parent_process_name": "lsass.exe",
      "parent_process_path": "C:\\Windows\\System32\\lsass.exe",
      "pid": 3440,
      "ppid": 632,
      "process_name": "cmd.exe",
      "process_path": "C:\\Windows\\System32\\cmd.exe",
      "subtype": "create",
      "timestamp": 132186398356220000,
      "unique_pid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
      "unique_ppid": "{7431d376-cd7f-5dd3-0000-001013920000}",
      "user": "NT AUTHORITY\\SYSTEM",
      "user_domain": "NT AUTHORITY",
      "user_name": "SYSTEM"

  4. Search by unique process id as unique parent process id to see other processes started by this process:

    eql query -f sysmon-data.json 'process where ppid == 3440' | jq

      "command_line": "ntdsutil.exe  \"ac i ntds\" ifm \"create full c:\\hive\" q q",
      "event_type": "process",
      "logon_id": 999,
      "parent_process_name": "cmd.exe",
      "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
      "pid": 3556,
      "ppid": 3440,
      "process_name": "ntdsutil.exe",
      "process_path": "C:\\Windows\\System32\\ntdsutil.exe",
      "subtype": "create",
      "timestamp": 132186398470300000,
      "unique_pid": "{7431d376-dee7-5dd3-0000-0010f0c44f00}",
      "unique_ppid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
      "user": "NT AUTHORITY\\SYSTEM",
      "user_domain": "NT AUTHORITY",
      "user_name": "SYSTEM"

    The attacker used ntdsutil to create an accessible backup of the domain password hashes, and we can confirm it further by the create and ifm commands.

The answer:


Congratulations! You have completed the Windows Log Analysis: Determine Attacker Technique challenge! 🎉

🎓 What you've learned

  • Event Query Language (EQL).
  • Threat Hunting using EQL.
  • Credential Dumping techniques & tools.