
BSidesCharm 2025 - Think You’re Stealthy? How to Detect Attacks in AD

BSides Charm · 18:48 · 272 views · Published 2025-05
About this talk
As Active Directory attacks rise, red teamers often focus on “pwning” systems, but real-world engagements require understanding the artifacts these tools leave. In “Think You’re Stealthy? How to Detect Attacks in AD”, we’ll explore the workings of commonly used AD pentest tools and the artifacts they leave behind. Ideal for anyone looking to deepen their knowledge of defense in AD environments.

Presenters: Rachit Arora, Sai Sathvik Ruppa, Aakash Raman

We’re a team of three—one a University of Maryland alum (Aakash Raman), one a current student studying there (Rachit Arora), and another from Carnegie Mellon University (Sai Sathvik Ruppa)—coming together for our first talk at BSidesCharm. After attending as BSidesCharm volunteers in February 2024, we decided to face our fears and tackle imposter syndrome by sharing what we’ve learned. Two of us have earned OSCP, while one of us naturally gravitates toward blue teaming. Combining our mindset and research
Transcript [en]


So, hi guys. Today we're going to present to you a presentation about "Think You're Stealthy? How to Detect Attacks in AD", and I have two of my friends with me. I'm Rachit, currently a student at the University of Maryland, and I'll let these two introduce themselves and we'll move on to the presentation.

Hello all, my name is Sathvik. I'm currently a graduate student at Carnegie Mellon University.

Hello all, my name is Aakash Raman. I'm a University of Maryland alumnus and an associate detection engineer at a large financial firm in the DMV area.

So yeah, before we start the presentation, I just want to let you know how you can think like a detection engineer. If there's any malicious activity, you have to understand how it works from the ground up. Instead of taking a more naive approach, just try to understand what the binary or the threat actor is doing from the ground up, and start doing the things: could it be a technique, like lateral movement or credential dumping? What are the tools involved, is it BloodHound, Mimikatz? What are the APIs being loaded by the binary? Any system artifacts or network indicators? You have to try to figure out which is the normal activity and what seems to be kind of malicious, and then move forward with your detection engineering.

So BloodHound. What I mean by detection of BloodHound: BloodHound just maps hidden relationships in AD, and everything is actually done by SharpHound, which creates all the zip files, and you can pass that into BloodHound and it's going to give you a cool map. It's only as powerful as the data it receives. So without the data, BloodHound is nothing; there's nothing to analyze. And this is what it looks like. If you run SharpHound you'll have all these cool graphs, and a red teamer can see what the privilege escalation paths are, and even blue teamers can use this to find gaps in the infrastructure.

A bit about SharpHound: this is the core. Whenever SharpHound is run, it's going to gather all the information from the domain controller using LDAP and DNS, and from all the domain-joined endpoints via RPC or SMB, and all this data is packed into a zip file, and you can put that into BloodHound and visualize it. So whenever SharpHound is loaded, it's going to load netapi32.dll. Again, there are different variations of SharpHound, but the ones which are run from on disk are going to load this DLL, and it's going to call another DLL, which is srvcli.dll, and finally it's going to call NetSessionEnum, and NetSessionEnum is responsible for session enumeration in the AD network. But I just want to point out a cool thing, which is bloodhound.py. It's another variation of SharpHound and it doesn't load these DLLs. It directly throws some network calls, and it's going to do that using NetrSessionEnum. So it kind of bypasses; even if there's EDR in place, it's going to bypass those common detections. And this was very interesting when I learned about this.

And these are some quick wins for BloodHound. I'll take it any day. It covers like 80% of the detection, and the rest 20% is where you have to go and try to reverse engineer what's actually taking place. In the left image you can see some BloodHound.zip and all the zip file names, .json and everything is there. And on the right-hand side there's "collection method all", which is very specific to the default version of SharpHound. So yeah, this is probably the easiest way you can detect BloodHound and SharpHound, but I'd rather do some reverse engineering and figure out the rest 20%.

And coming back to bloodhound.py, this is another interesting one. On the left image you can see, whenever you run SharpHound, any on-disk version, it's going to throw a NetSessionEnum call, and you can see that on the left side in the highlighted version. But if you're using bloodhound.py, it's going to use the encrypted SMB3 version, and we cannot see that in Wireshark. So it's going to again bypass all these network detections, but you have to figure out how to analyze this and how you can detect this. Now I'm going to pass it to Aakash, who's going to take it further.

So another popular tool that's normally used in many AD environments, for lateral movement specifically, is PsExec. It's mainly a Sysinternals utility tool to run remote Windows commands that administrators use if they want to remotely access a system. When PsExec is used laterally, MITRE creates a MITRE ATT&CK ID of S0029. It's also used by many of the C2 frameworks out there, like Cobalt Strike, as well as many of the offensive security tools like Metasploit and Impacket. Also, for PsExec, when working under the hood, it's important to understand the main process that it runs, the main services that it's creating, and the binaries that it drops.

So in a nutshell, PsExec uses SMB; you will authenticate using SMB with credentials. It creates a PSEXESVC.exe file which specifically targets the ADMIN$ share under System32, and it uses named pipes to execute the command that you want on the remote machine. Once the command is executed, both the service and the binary that it created (it creates a random binary) are deleted. So the first time when you run PsExec you have to accept the end user license agreement; that's what's shown in the flag -accepteula. You also give a host name for the machine you're trying to remotely access, and then the command that you want to run. Normally in lateral movement, specifically when PsExec is used, the -r flag is used for creating a custom service (the default service is PSEXESVC.exe), and the -i is for interactive mode. So this is just a simple meme trying to show that when PsExec drops a binary for lateral movement, it's not a good sign.

So now, one of the most interesting artifacts I came across when trying to detect PsExec, specifically from a response point of view, is that for PsExec versions 2.30 and above (that's like the current version of PsExec) there are two detection artifacts that are very unique, which can be found in the USN journal and the prefetch files. The USN journal, you can think of it as the update sequence number journal or change log. Any type of file modification or configuration management that takes place on your NTFS drive volume will be mapped in the USN journal, and the default location is in $Extend\$UsnJrnl on a Windows machine. Eric Zimmerman, really a great guy, has developed a command called MFTECmd.exe which actually parses the master file table (you can think of it like an address book), extracts the USN journal, and then outputs that in a CSV format. So the unique thing in this case is, when PsExec is run from the attacker's machine to the victim machine, it generates a key file that's really unique, because you have "PSEXEC", that's the service, hyphen the source host name of your attacking machine, and eight unique characters that are also present, .key file, and the location of that is in your C:\Windows directory. So this way I had used MFTECmd.exe to extract the output. In this image you can see that, along with logs, we managed to correlate the timestamp. When PsExec was run it generates an event ID of 7045, which is service creation. The timestamp that was logged here, and on the right there's another tool called Timeline Explorer by Eric Zimmerman: the timestamps actually matched, which proves the fact that PsExec was detected, or can be detected, using just the USN journal alone rather than relying on just the logs.

A similar case goes for handling prefetch files as well. Prefetch files are nothing but .pf files that are created whenever applications are recently run, so you can load them very fast. Windows kind of helps you load the applications quickly from memory to disk using these prefetch files, and they are common in Windows forensics. Their default location is C:\Windows\Prefetch, and when PsExec was run you can see that a .pf file was created with this unique number. So we can use PECmd.exe, which is also a great Eric Zimmerman tool, to parse prefetch files, and when you run the above command here with the -f argument you just find any key file that actually matches the results when we parsed the prefetch files from the USN journal. This is a common detection that's out there; I just wanted to throw this in to also show that log analysis is equally important. Most of the event IDs with respect to PsExec are both in the System log and the Security log. You can also leverage Sysmon, specifically file creation event ID 11, registry value set event ID 13, and process creation event ID 1. Now I'll just pass it on to Sathvik.

So one of the covert ways to actually laterally move within an Active Directory network is through the WinRM protocol. WinRM is like a Windows version of SSH; it allows you to remotely manage a Windows machine using PowerShell. Evil-WinRM is one such tool which actually helps you do that, and the cool part is it even allows you to perform a pass-the-hash attack. So first of all it can authenticate using plaintext credentials or an NTLM hash or keys as well. And WinRM actually runs on two ports, which are 5985 and 5986, one for HTTP and one for HTTPS. Once actually logged in, it gives you a very good PowerShell session where you can run the commands, and it is very simple to upload and do a lot of crazy things. In many companies it's a very good policy to have a strong password and all, but a pass-the-hash attack is one way that, even though your password is pretty strong, you can just pass the NTLM hash and you can still gain access. A pass-the-hash attack can be performed even using PsExec and all, but as you know PsExec tries to upload some kind of binary, but Evil-WinRM doesn't; it just uses an already existing service to get in.

So the exploitation, how it actually works: once you identify the valid port, which is 5985 or 5986, then you can actually log in using valid credentials or also the NTLM hash using a normal option like this, and there is also an option to log in through certificates. This only works on port 5986 because this is HTTPS, right. And upload and download and something like that. So these are sample screenshots of how it actually works, of the results: this one when you have a valid credential, and this one if you just have the hash.

So how does it actually work? First Evil-WinRM tries to connect to the WinRM protocol, and the WinRM protocol uses SOAP requests and responses to the WSMan endpoint. After successful authentication it starts wsmprovhost, which actually is a Windows PowerShell host process used for managing remote connections and executing PowerShell commands. Then once a session is actually created, it uses PSRP, the PowerShell Remoting Protocol, just to send the commands and receive the output. The mechanism, as we are discussing: WinRM works on SOAP, so SOAP actually uses XML payloads for requests as well as responses, and it is very stealthy because it is not creating any kind of new service, not opening new ports, not uploading any binaries. So it is very covert. This is a sample SOAP request of what happens when you actually try to run the ipconfig command on a valid Evil-WinRM session. You can see the command line here, it is trying to load PowerShell, and you can see the endpoint as 5985 and /wsman.

So these are some cool artifacts. Since this is like a remote login, you should always keep an eye on 4624 or 464. This is very vague because there are so many logons happening on a Windows machine. There are some other event IDs like 4103 and 4104. These are not enabled by default, but 4103 is for module logging: for example, if you run a PowerShell script, it tries to log all the variables that are initialized and some kind of PowerShell cmdlets, whereas the 4104 event ID logs everything, the whole part of the script. So make sure you enable them. Also the process evidence: when you see wsmprovhost running, then you should also be more aware of what things happen. Since we are running everything on PowerShell, it's always a good way to see the PowerShell history at this particular location. Also network logs: since all the traffic is going to the network on ports 5985 and 5986, having an eye on the network logs will also help. So this is a sample 4103 event ID where it is trying to load wsmprovhost as an embedding process and trying to run a time command.

And this is a simple Sigma rule. Here I'll try to give a quick overview. It is actually loading a PS module of event ID 4103, and it is either checking for PowerShell or PowerShell Operational or PowerShell Core Operational, and it is looking for a process, I mean it's the same process, but it could be in either of those locations. And there are three selection payloads: it is trying to look for some kind of PowerShell cmdlets and some kind of registry changes that are being made. You can see it's a service registry, so it's trying to see whether any service related to wsmprovhost is running or not. Coming to the condition, it is specifically checking for any one of the PS module, it could be this one or that, and the process. The process is the key point here; without this process we can't actually prove that this attack actually worked or something like that. And also any one of the selection payloads. So that is actually what's going on here.

And also certificate authentication: if you're actually using WinRM on HTTPS, like 5986, by default certificate authentication is on, so try to disable that if you still want to use it. Some other key points are: WinRM actually uses NTLM or Kerberos authentication; you can't actually disable any kind of that in the settings and all, so it depends completely on that. And if you actually don't want to use WinRM, stop it, you know, don't use it.

Coming to the key takeaways: there is no one single rule to catch everything. Attackers keep updating; the binaries, they might use some extra binaries which are undetectable and try to get in. Also look beyond the logs as well. Like PsExec, it could be easily bypassed; if an attacker actually knows the kind of rules that you already implemented, they could actually go and try to bypass that. So one of the attacks was, there was actually a rule for Evil-WinRM. Evil-WinRM, when you try to connect, uses a specific user agent, but that's the only log that the company is actually using, and it is very easy to change the user agent because Evil-WinRM is open source, and you can actually bypass that. And also look for processes; if you don't need them, just try to disable them, and if you're not using any ports which are not required, just try to disable them. And these are some of the references that we used. Thank you so much for attending our talk. If you have any questions, please feel free to reach out to us. And thank you.
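The PsExec section above describes matching a `PSEXEC-<source host>-<8 chars>.key` creation in the USN journal and a `PSEXESVC` prefetch entry against the 7045 service-install event, and the WinRM section points at 4103 module-logging records whose host is wsmprovhost. The script below is an added example that is not code from the talk or its speakers: it implements that correlation over constructed records. The record layouts are assumptions that only loosely mimic MFTECmd/PECmd CSV output and Windows event fields, and every sample row is constructed, not captured.

```python
"""Correlate PsExec and WinRM artifacts as described in the detection sections.

Added example, not code from the talk or its speakers. The record layouts
below are assumptions that only loosely mimic MFTECmd/PECmd CSV output and
Windows event log fields; every sample record is constructed.
"""
import re
from datetime import datetime

# PsExec 2.30+ drops C:\Windows\PSEXEC-<source host>-<8 chars>.key (per the talk).
KEY_FILE_RE = re.compile(
    r"^PSEXEC-(?P<src>[A-Za-z0-9._-]+)-(?P<rand>[A-Za-z0-9]{8})\.key$", re.IGNORECASE)
# Prefetch entry for the service binary, e.g. PSEXESVC.EXE-<hash>.pf
PREFETCH_RE = re.compile(r"^PSEXESVC\.EXE-[0-9A-F]{8}\.pf$", re.IGNORECASE)
# WinRM PowerShell host process named in the talk's 4103 sample
WSMPROVHOST_RE = re.compile(r"wsmprovhost\.exe", re.IGNORECASE)

# Constructed USN journal rows: (UTC timestamp, parent path, file name, reasons)
USN_ROWS = [
    ("2025-03-01 14:02:11", r"C:\Windows", "PSEXESVC.exe", "FileCreate"),
    ("2025-03-01 14:02:11", r"C:\Windows", "PSEXEC-ATTACKER01-k9f2Xq7L.key", "FileCreate"),
    ("2025-03-01 14:02:13", r"C:\Windows", "PSEXEC-ATTACKER01-k9f2Xq7L.key", "FileDelete|Close"),
    ("2025-03-01 15:10:00", r"C:\Users\alice\Documents", "notes.txt", "DataExtend"),
]
# Constructed prefetch file names from C:\Windows\Prefetch
PREFETCH_FILES = ["PSEXESVC.EXE-1A2B3C4D.pf", "NOTEPAD.EXE-9F1E2D3C.pf"]
# Constructed System log entries: (UTC timestamp, event id, service name, image path)
SYSTEM_EVENTS = [
    ("2025-03-01 14:02:12", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2025-03-01 09:00:00", 7045, "GoogleUpdate", r"C:\Program Files\Google\Update\update.exe"),
]
# Constructed PowerShell module-logging (4103) entries
PS_EVENTS = [
    {"event_id": 4103, "host_application": r"C:\Windows\system32\wsmprovhost.exe -Embedding",
     "payload": "CommandInvocation(Get-Date): ..."},
    {"event_id": 4103, "host_application": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "payload": "CommandInvocation(Get-ChildItem): ..."},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_key_files(usn_rows):
    """Return creations of PSEXEC-<host>-<rand>.key directly under C:\\Windows."""
    hits = []
    for ts, parent, name, reasons in usn_rows:
        match = KEY_FILE_RE.match(name)
        if match and parent.rstrip("\\").lower() == r"c:\windows" and "FileCreate" in reasons:
            hits.append({"ts": parse_ts(ts), "source_host": match.group("src"), "file": name})
    return hits


def find_psexesvc_installs(system_events):
    """Return timestamps of 7045 service installs whose name or image is PSEXESVC."""
    return [parse_ts(ts) for ts, event_id, service, image in system_events
            if event_id == 7045 and (service.upper() == "PSEXESVC" or "PSEXESVC" in image.upper())]


def find_psexesvc_prefetch(prefetch_names):
    """Return prefetch files belonging to the PsExec service binary."""
    return [name for name in prefetch_names if PREFETCH_RE.match(name)]


def correlate(key_hits, install_times, window_seconds=60):
    """Pair each key-file creation with a 7045 install inside the window (the talk's timestamp match)."""
    pairs = []
    for hit in key_hits:
        for install in install_times:
            if abs((install - hit["ts"]).total_seconds()) <= window_seconds:
                pairs.append({"source_host": hit["source_host"],
                              "key_file_ts": hit["ts"], "service_install_ts": install})
    return pairs


def find_wsmprovhost_module_logs(ps_events):
    """Return 4103 records whose host application is wsmprovhost.exe, i.e. WinRM remoting activity."""
    return [e for e in ps_events
            if e["event_id"] == 4103 and WSMPROVHOST_RE.search(e["host_application"])]


if __name__ == "__main__":
    keys = find_key_files(USN_ROWS)
    installs = find_psexesvc_installs(SYSTEM_EVENTS)
    for pair in correlate(keys, installs):
        print("PsExec from", pair["source_host"], "key file", pair["key_file_ts"],
              "service install", pair["service_install_ts"])
    print("prefetch:", find_psexesvc_prefetch(PREFETCH_FILES))
    for rec in find_wsmprovhost_module_logs(PS_EVENTS):
        print("WinRM module log:", rec["payload"])
```

The key-file regex also extracts the source host name embedded in the file name, which is the detail the talk highlights: the USN journal alone names the attacking machine even if the service-install event was never forwarded. The correlation window is deliberately small because, as the speakers note, the key file and the 7045 event were logged within the same second or two on their system.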