Add Windows.Registry.PortProxy artifact (Velocidex#140)

usmanaa10 · Oct 26, 2019 · c64d8cd · c64d8cd
1 parent a22e898
commit c64d8cd
Show file tree

Hide file tree

Showing 7 changed files with 136 additions and 33 deletions.
diff --git a/artifacts/definitions/Windows/EventLogs/Kerbroasting.yaml b/artifacts/definitions/Windows/EventLogs/Kerbroasting.yaml
@@ -1,31 +1,31 @@
 name: Windows.EventLogs.Kerbroasting
 description: |
-
-  This Artifact will return all successful Kerberos TGS Ticket events for
-  Service Accounts (SPN attribute) implemented with weak encryption. These
-  tickets are vulnerable to brute force attack and this event is an indicator
-  of a Kerbroasting attack.
-
-  **ATT&CK**: [T1208 - Kerbroasting](https://attack.mitre.org/techniques/T1208/)
-  Typical attacker methodology is to firstly request accounts in the domain
-  with SPN attributes, then request an insecure TGS ticket for brute forcing.
-  This attack is particularly effective as any domain credentials can be used
-  to implement the attack and service accounts often have elevated privileges.
-  Kerbroasting can be used for privilege escalation or persistence by adding a
-  SPN attribute to an unexpected account.
-
-  **Reference**: [The Art of Detecting Kerberoast Attacks](https://www.trustedsec.com/2018/05/art_of_kerberoast/)
-  **Log Source**: Windows Security Event Log (Domain Controllers)
-  **Event ID**: 4769
-  **Status**: 0x0 (Audit Success)
-  **Ticket Encryption**: 0x17 (RC4)
-  **Service Name**: NOT krbtgt or NOT a system account (account name ends in $)
-  **TargetUserName**: NOT a system account (*$@*)
-
-
-  Monitor and alert on unusual events with these conditions from an unexpected
-  IP.
-  Note: There are potential false positives so whitelist normal source IPs and
+  **Description**: 
+  This Artifact will return all successful Kerberos TGS Ticket events for 
+  Service Accounts (SPN attribute) implemented with weak encryption. These 
+  tickets are vulnerable to brute force attack and this event is an indicator 
+  of a Kerbroasting attack.  
+  
+  **ATT&CK**: [T1208 - Kerbroasting](https://attack.mitre.org/techniques/T1208/)  
+  Typical attacker methodology is to firstly request accounts in the domain 
+  with SPN attributes, then request an insecure TGS ticket for brute forcing. 
+  This attack is particularly effective as any domain credentials can be used 
+  to implement the attack and service accounts often have elevated privileges. 
+  Kerbroasting can be used for privilege escalation or persistence by adding a 
+  SPN attribute to an unexpected account.  
+  
+  **Reference**: [The Art of Detecting Kerberoast Attacks](https://www.trustedsec.com/2018/05/art_of_kerberoast/)  
+  **Log Source**: Windows Security Event Log (Domain Controllers)  
+  **Event ID**: 4769  
+  **Status**: 0x0 (Audit Success)  
+  **Ticket Encryption**: 0x17 (RC4)  
+  **Service Name**: NOT krbtgt or NOT a system account (account name ends in $)  
+  **TargetUserName**: NOT a system account (*$@*)  
+  
+  
+  Monitor and alert on unusual events with these conditions from an unexpected 
+  IP.  
+  Note: There are potential false positives so whitelist normal source IPs and 
   manage risk of insecure ticket generation.
 
 
@@ -34,8 +34,6 @@ author: Matt Green - @mgreen27
 parameters:
   - name: eventLog
     default: C:\Windows\system32\winevt\logs\Security.evtx
-  - name: accessor
-    default: file
 
 sources:
   - name: Kerbroasting
@@ -64,10 +62,10 @@ sources:
             SELECT *
             FROM parse_evtx(filename=FullPath)
             WHERE System.EventID.Value = 4769
-                AND EventData.TicketEncryptionType = 23
+                AND EventData.TicketEncryptionType = 23 
                 AND EventData.Status = 0
                 AND NOT EventData.ServiceName =~ "krbtgt|\\$$"
-                AND NOT EventData.TargetUserName =~ "\\$@"
+                AND NOT EventData.TargetUserName =~ "\\$@"    
         })
 
 reports:
@@ -79,3 +77,12 @@ reports:
 
       {{ .Description }}
       {{ Query "SELECT EventTime, Computer, ServiceName, TargetUserName, TargetDomainName, IpAddress FROM source(source='Kerbroasting')" | Table }}
+
+  - type: HUNT
+    template: |
+
+      Kerbroasting: TGS Ticket events.
+      ===============================
+
+      {{ .Description }}
+      {{ Query "SELECT EventTime, Computer, ServiceName, TargetUserName, TargetDomainName, IpAddress FROM source(source='Kerbroasting')" | Table }}
diff --git a/artifacts/definitions/Windows/Events/Kerbroasting.yaml b/artifacts/definitions/Windows/Events/Kerbroasting.yaml
@@ -1,6 +1,6 @@
 name: Windows.Events.Kerbroasting
 description: |
-
+  **Description**: 
   This Artifact will monitor all successful Kerberos TGS Ticket events for 
   Service Accounts (SPN attribute) implemented with weak encryption. These 
   tickets are vulnerable to brute force attack and this event is an indicator 

diff --git a/artifacts/definitions/Windows/Registry/PortProxy.yaml b/artifacts/definitions/Windows/Registry/PortProxy.yaml
@@ -0,0 +1,79 @@
+name: Windows.Registry.PortProxy
+description: |
+    **Description**: 
+    This artifact will return any items in the Windows PortProxy service 
+    registry path. The most common configuration of this service is via the
+    lolbin netsh.exe; Metaspoit and other common attack tools also have 
+    configuration modules.
+
+    **Reference**: [Port Proxy detection]
+    (http://www.dfirnotes.net/portproxy_detection/)  
+
+    **ATT&CK**: [T1090 - Connection Proxy](https://attack.mitre.org/techniques/T1090/)  
+    Adversaries may use a connection proxy to direct network traffic between
+    systems or act as an intermediary for network communications to a command 
+    and control server to avoid direct connections to their infrastructure.
+    
+author: Matt Green - @mgreen27
+
+precondition: SELECT OS From info() where OS = 'windows'
+
+parameters:
+ - name: KeyGlob
+   default: HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\services\PortProxy\**
+
+sources:
+ - name: PortProxy
+   queries:
+     - SELECT FullPath,
+         basename(path=dirname(path=dirname(path=FullPath))) as ProxyType,
+         basename(path=dirname(path=FullPath)) as Protocol,
+         regex_replace(source=basename(path=FullPath),re="/",replace=":") as Listening,
+         regex_replace(source=Data.value,re="/",replace=":") as Destination,
+         timestamp(epoch=Mtime.sec) as ModifiedTime,
+         Type
+       FROM glob(globs=KeyGlob, accessor="reg")
+       WHERE Type
+
+
+reports:
+  - type: CLIENT
+    template: |
+
+      Port Forwarding: PortProxy
+      ==========================
+      {{ .Description }}
+      
+      {{ define "report" }}
+         LET report = SELECT Protocol, 
+            ProxyType, 
+            Listening, 
+            Destination, 
+            ModifiedTime,
+            ProxyType + Protocol + Listening + Destination as ServiceKey
+         FROM source(source='PortProxy')
+         GROUP BY ServiceKey
+      {{ end }}
+      
+      {{ Query "report"  "SELECT ProxyType, Protocol, Listening, Destination, ModifiedTime FROM report" | Table }}
+      
+  - type: HUNT
+    template: |
+
+      Port Forwarding: PortProxy
+      ==========================
+      {{ .Description }}
+      
+      {{ define "report" }}
+         LET report = SELECT Fqdn,
+            Protocol, 
+            ProxyType, 
+            Listening, 
+            Destination, 
+            ModifiedTime,
+            ProxyType + Protocol + Listening + Destination as ServiceKey
+         FROM source(source='PortProxy')
+         GROUP BY ServiceKey
+      {{ end }}
+      
+      {{ Query "report"  "SELECT Fqdn, ProxyType, Protocol, Listening, Destination, ModifiedTime FROM report" | Table }}
diff --git a/artifacts/testdata/windows/init.cmd b/artifacts/testdata/windows/init.cmd
@@ -1 +1 @@
-mklink "c:\users\link" "c:\Windows"
+mklink "c:\users\link" "c:\Windows"
diff --git a/artifacts/testdata/windows/init.reg b/artifacts/testdata/windows/init.reg
@@ -8,4 +8,7 @@ Windows Registry Editor Version 5.00
   00,00,00,b7,51,72,01,ff,ff,ff,7f
 
 [HKEY_CURRENT_USER\Software\Sysinternals\PsExec]
-"EulaAccepted"=1
+"EulaAccepted"=1
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp]
+"0.0.0.0/3389"="192.168.1.27/443"
diff --git a/artifacts/testdata/windows/registry.in.yaml b/artifacts/testdata/windows/registry.in.yaml
@@ -26,3 +26,10 @@ Queries:
 
   # Check for sysinternal eula
   - SELECT User, ProgramName FROM Artifact.Windows.Registry.Sysinternals.Eulacheck()
+
+  # Check for PortProxy glob test parsing of fields and limit on type
+  - SELECT FullPath
+    FROM glob(globs='HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\services\\PortProxy\\**', 
+        accessor='reg')
+    WHERE Type
+
diff --git a/artifacts/testdata/windows/registry.out.yaml b/artifacts/testdata/windows/registry.out.yaml
@@ -172,4 +172,11 @@ SELECT FullPath FROM glob(globs="/*", accessor="reg")[
   "ProgramName": "PsExec",
   "User": "appveyor"
  }
+]SELECT FullPath FROM glob(globs='HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\services\\PortProxy\\**', accessor='reg') WHERE Type[
+ {
+  "FullPath": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\PortProxy\\v4tov4\\tcp\\\"0.0.0.0/3389\""
+ },
+ {
+  "FullPath": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\\"0.0.0.0/3389\""
+ }
 ]
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		mklink "c:\users\link" "c:\Windows"
		mklink "c:\users\link" "c:\Windows"