
Right now we have a great talk by Tristan, Spoofing commands: can you trust process creation logs? Let's welcome him to the stage.

Thank you. Thanks for jumping into the talk this morning. Hopefully it's interesting. We'll basically go through: can you trust process creation logs? The short answer, actually, is that in some circumstances absolutely not. It's not the end of the world, as we'll go through, but it could present quite a challenge in incident response and other areas where we're relying on what's logged in Windows to be accurate.

A tiny bit about me: my name's Tristan, I work at Seamless Intelligence and we run a SOC. We do a lot of research, and it's all aimed at: can we detect attacker tools, new techniques, that sort of stuff. So we've actually had bug bounties from CrowdStrike and Microsoft awarded for testing various tools and techniques and either getting around EDR or finding something in Windows that needed to be fixed. And then for all of our research we try and tie everything we do back to the MITRE ATT&CK framework, and we've actually got three technique attributions there. What we do there is just try and find and submit a technique that might be more specific, and go from there.

There is a GitHub repository, and I'll add in all of the compiled exes from the demo. As we'll go through, you can compile them yourself off the GitHub repository for command line spoofer, but I've got some pre-compiled ones as well, and you can always look at them with dotPeek, which we'll have a quick look at, to see what's in the code.

So it's a 3-year-old technique, it's a 3-year-old tool, and it's actually even older than that. When I was looking into where command line spoofing first came about, it looks like it might have been a Cobalt Strike addition that was written by someone to go and change what's in the logs after execution. But this repository came out about 3 years ago and it really improved upon that, and the code is really quite elegant; it's not many lines at all to pull off this technique. You might be wondering why we're talking about something that's 3 years old, and as we go through we'll see that nothing much has changed in Windows and the technique still works today. In addition, other tools are beginning to implement this command line spoofing to throw off detections that are based on command line, and also IR: if we're grabbing logs off a system, they won't have the detail that we need.

So what it is: it's a pretty novel technique, it's pretty cool, and it's going to be really annoying when you're looking at logs and they don't match what you think has happened. As we'll show, we've got some examples where we'll have a Defender alert and then what's logged in the process command line is actually completely different to what we ran, which could lead to incorrect assessments, and we'll go through what that looks like. And then we pair it with newer techniques such as EDR bypasses and privilege escalation, and we might find it extremely difficult to understand what was actually run. Nothing is logged, as we'll see, about the malicious command itself; the way that we might find out what was actually run is if the executable is left on the system, but that's often not the case either. It's not privesc, so we don't get any privilege escalation through this technique; we're not able to run as a normal user and get local admin using this technique. And as we'll see, it doesn't hide all commands: some commands are going to produce logs that we can detect on, and some command types are going to produce absolutely nothing. And it doesn't stop EDR being able to inspect what is happening, so you can't just go and call Mimikatz in PowerShell and EDR will do nothing; it's still able to see what it's doing, although it might not be able to detect based on the command line alone.

Process creation: for anyone that works in a SOC or looks at logs, you probably would have seen millions of process creation logs. There's various types, and this is what it is effectively: me running PowerShell, running an encoded command, and the encoded command is just a whoami /all. You'd be surprised in the background how many things Windows is doing just to create a very simple process and run this, but ultimately it's going to create one or two process creation logs and some PowerShell logs in the background. Usually when people start to argue and have to fall back to the specific definition of a word or something I kind of lose interest, it seems a bit too pedantic to me, but in this case it's quite important. You'll see the logs are process creation, not what is run; there is no "this process ran X, Y and Z" log in Windows. PowerShell comes close with what it does, but the very definition is: Windows logs what happens when the process is created and nothing more. As we'll see, that poses quite a big problem that could potentially be fixed, but as of today, 3 years later, it works on all versions of Windows still. So it's process creation, not what runs.

As far as all of the screenshots and all the logging, just a tiny bit of housekeeping: I've just gotten rid of the top part. While it's important in logging, in a SOC and in a SIEM, to have the host it's coming from, timestamps and all that, it doesn't really matter for us and it just cleans the presentation up. So all of that gets removed for all of the demo slides and we're just left with what's below, the good part of the log really.

When we look at process creation
there's a number of different tools that will log a process creation event in Windows. This is the native Windows security event called a process creation, which is an event ID of 4688. There's a 4689 for process termination as well, or process ending, but this is the big one. Because it's native to Windows we can turn it on. We do need to turn on command line logging there, that's not default, and as we'll see through all of this, hardly anything in Windows is actually on by default. But we can see here that PowerShell is the new process name and we're passing it an encoded string just to run; it's the whoami /all, nothing too malicious there. But you can see within that command line we get the full detail of what was run, and as we'll see later, without command line that data doesn't exist at all. Command line has all sorts of good stuff. An example here is the encoded command, where we can go and grab it, we can decode it, we can see that it's a whoami /all. One thing to note when decoding and encoding PowerShell is it uses UTF-16LE, which is special; PowerShell is just special. But it does mean if you don't do that text conversion you'll get funny characters, especially when you're encoding stuff, and it just won't work. If we have something like Sentinel and we're using KQL we can just do all of this in line: we can pull out the encoded command and actually add them at the bottom here, the encoded command and the decoded command, in line in KQL. This means for an analyst, when we're looking at process command line logs, we can pull out all the really interesting information and we don't need to go and grab that information and put it into another website; it's all just there. And it does mean that within Sentinel and SIEMs that allow for this type of manipulation we can detect based on those things too, so we can detect the whoami being run even though it's an encoded PowerShell command.

There's another piece of software called Sysmon which can be installed on a Windows server which will create process creation logs as well; they're called event ID 1s. These are almost identical to the native Windows security logs, but it's got more information: you get a number of hashes down there, you'll get a lot of metadata that's related to the executable, such as the author, we can see it up here, file version, we get the original file name, which can be interesting as a comparison sometimes when we drop stuff out of, sort of, recompile or rename things such as items within the Sysinternals tool set and someone just renames them. But in Sysmon itself you'll get the original file name, so they're pretty cool. This is the only overlap, we'll go into logging a little bit later, but this is the only overlap between Sysmon and native Windows logging: the process creation events. Everything else in Sysmon is unique to Sysmon.

Or device logs: if we have Defender XDR on an asset you see there's lots of information there for us to use. And lucky last, I couldn't get a really nice screenshot because there's no raw log for a Defender device log, but these are device process events. Once again Microsoft, in its infinite wisdom, names the field something different, so we can't just look at command line as a field; this is process command line, it has the same information. The really cool thing with this log is if I RDP onto a server and then execute a command, my original IP will actually be in this log, so it ties together those network hops to show that Tristan logged in from this workstation onto this server and that's where they executed the command, which is really cool. But it all means nothing because all of these logs, logging mechanisms, are vulnerable to what we're about to go through, the command line spoofing. As explained before, they're good for lots of things: they're great for IR to see what was run on a system, they're good for detections, and we use them a lot. We've got hundreds of rules that look for process creation logs and look at what's on the command line. A really quick example would be something like Rubeus. We can go and run Kerberoasting with Rubeus with that command there, and we really want to know what the command line parameters are that are passed, because it's really easy to go and do something like this where we change the exe name to Nobeus. So if we're looking for the process name, which we'll put in a detection for insurance, I mean you'd be stupid not to look for Rubeus on the command line, but you'd hope it would never fire. So then we just go and change it. We might laugh at file name changes, but recently we removed the string "potatoes" from an exe name and it wouldn't run on a really modern EDR, and after we removed the string "potatoes", I didn't think it would work, it ran, it ran fine, and I couldn't believe it. So changing metadata is the first thing I would do if we get stuck by EDR, and obviously changing the file name is extremely easy. But if we work through the "can I even be bothered doing this" sort of flow to change all of the parameters that Rubeus uses, you could, the source code is there and you absolutely could go and change every single parameter, but we very rarely see that. We don't even often see Rubeus changed; if someone's running Rubeus in an environment, I don't think they care about getting caught, or they're in an environment and they're probably not going to get caught anyway. So we can see here there's a lot of information on the command line. We can see exactly what module they're using, an attacker is using, within Rubeus, and that can be quite valuable to know because there's so many things these tools can do. So this one is just silver tickets, impersonating the admin account to go and get us, and then passing that hash into the current session, which is really cool to know. And so we can have a detection looking for some of those command line parameters, such as the encryption type; we probably wouldn't look for "L up" on the command line, bit too common, but some of the other ones do stand out. So there's lots we can do with it.

So I did not record any videos because we should be able to
demo. Yep, perfect. OK, so what we'll do here, these are just two 2016 servers, and what we'll do very quickly is run Rubeus. I'll just reconnect to this one, hope it reconnects. Awesome. So in the folder, and I'll demo later on, but we've got CLS, the command line spoofer, and I've compiled into those exactly what I want to happen, and we've got Rubeus and Nobeus there. So, I'm terrible at typing so I'm going to copy and paste. We'll go and run Rubeus kerberoast. Quite simple: it goes in, Kerberoasts. I've only got one account in this environment with a service principal name, but it'll go and grab tickets for anything with a service principal name. Now we had Rubeus on the command line, and so we'll have a look now at what detections we can do very quickly, and the sort of time frames we're looking at for them coming through. I tested this morning, it should work. Yep, there we go, awesome. So we can detect Rubeus.exe. Is it a good detection? Not really. Would you put it in a SIEM? Absolutely, because you'd be stupid to miss it. And then we get another one, and we'll ignore that one for now; that doesn't rely on the command line at all, and that becomes important later on when we try and hide the command. But this one here, suspicious commands: Rubeus, same for Mimikatz, there's lots of tools out there that are probably indicating someone's doing something they shouldn't be doing. But now what we'll do is I'll close all of those to clear this all up and we'll go and do our Nobeus command and we'll see what gets logged here. So Nobeus: we've got our ticket, we've got all that sort of good stuff, and we won't now get a detection for Rubeus, but because the full command line is logged there'll be a detection in there looking for command line parameters that line up with what we know Rubeus would call, or what someone might call, and you can add counts to those, so you might look for a few of the different command line parameters. And there we go, so that's suspicious command line parameters, and we're associating it with Rubeus rather than just looking for Rubeus.exe. Same with Mimikatz: you can pass Mimikatz full command line parameters and get it to do what you want rather than going in and then executing things one by one. If you do that, and you actually do, for any red teamers out there, then you do hide it from us. Same with something like vssadmin: if you want to create shadow copies on Windows you can do it in a one-liner, easy to detect, but if you actually go interactive, go into vssadmin and then execute your commands, then we can't see anything. So just do it in one line so we can detect it; it's a bit easier for us. So we got that one, and that sort of hopefully shows the value there of command line logging. There's lots in it, there's lots in command line logging, and it's really valuable in Windows, and Sysmon, device logs and security all play a part in that.

Unfortunately, process creation is what Windows logs, not process running. And so when we create a process, the first thing that's constructed is a process environment block, a PEB. I wish it looked like this, I love AI's view of what computers are, but unfortunately it's that structure there; it's pretty boring. The important bits to note on the PEB: the PEB is a user mode structure that gets created, and all of the memory addresses referenced by it can be overwritten by the user that starts the process; they own it. I don't know if there's a misconception about Windows, but even low privileged users or medium privileged users can overwrite memory, because they don't need to be local admin; it's their process, they own it. That's why this technique is so effective: because you don't need local admin to do it, any user can do it, and it means, as we'll see later, you can run a heap of commands that will not log anything of value before you start and progress the attack into something more interesting. And the contents are initialized when we call NtCreateUserProcess, so it's all in user land.

If any slide sums up the entire talk it's this one. So this is the source code for command line spoofer, and what we can see at the top here is a malicious command we specify; this is a PowerShell Empire beacon, a C2 beacon, just encoded. Then in the middle there we have the spoof command, and you'll notice it's just PowerShell, so it's got to match what we're going to eventually execute, and then we're just going to pad it out with spaces. The reason that we need to do that is for the memory allocation for the command line to be the size we need; we can't change it afterwards when we create the process. If spaces count, if we have a thousand characters that we need, we're just going to pad that to the right length and then we can overwrite that later. And the key to all this is this bottom part: so when we create the process we create it suspended so it doesn't run. If there's devs out there that know why you would want to create a process and suspend it at the Windows level and not debug it and do it in code, I'd love to know; I don't know why they allow this. The other really interesting part of command line spoofer, and I don't know how they've done it, is I could not dump the process memory when it was in the suspended state to have a look at the PEB and those other things. I don't think there's anything specific in there to stop dumping, I think it might be an artifact, but no matter what I tried with ProcDump, Task Manager or Process Explorer, and I didn't delve too much deeper than those three tools, I could not dump the process memory, which I found quite interesting. So these three things combined are what allow us really to get away with making Windows log
something that is incorrect. This is it running; it's a GIF, should auto start. Yep, so it's real quick, and these are just examples. This is in debug mode as well, so when you run it you generally won't get this level of output, but compile it in debug mode and you'll get all of these, not breakpoints but these comments. So I added in the second one, when we're waiting to see what Windows logs, and at this point we've created the process with our spaces and Windows has logged what we've created. It then goes through and, as we'll see, just reads the PEB address, so it gets that, then it reads, most of the code in command line spoofer is reading, it's reading memory locations, then we get process parameters, then within that we get the command line area, we overwrite it, and we set it to resume and it goes in and runs. So from an execution flow point of view: we have our process creation in a suspended state, and we've got the spaces to pad that; we read the PEB, the process environment block, to get our memory locations; we overwrite the memory directly, we just go "no, this is now the command you're going to run, Windows, for me when I resume the thread"; and we resume it. Command line spoofer is maybe 80 lines of code, outside of all the other things it needs to include; it's quite elegant and it works really well.

So, logging, so trying to detect this. We got this tool 3 years ago and there's been other tools with it, and our primary purpose in the research is to find out what it logs, can I detect it, and what EDRs do, which we'll go through later as well. Unfortunately, as discussed, it gets logged there: so Windows logs the process creation even though it's suspended at this point, which means nothing that happens when we read, write and resume impacts the log; it's already been written. And the problem with it is all the subsequent logs for that process execution flow will refer back to the incorrect process creation log data. So even though we change it later, even in something like Process Monitor, procmon, all you'll ever see is the original command, which is incorrect and padded. So Windows can choose, basically, sort of where it's going to log, what it's going to log, and it chooses wrong: it chooses what's in the PEB at process creation, which makes sense for what the log is, but until this came along it was kind of my understanding, and a misunderstanding, that it's going to log what is run. I think a lot of people think the 4688, the event ID 1s and the device process events are what's run on Windows, and this sort of stuff throws that out the window, unfortunately, because then we write the process memory and it doesn't care what's in there. Procmon shows the padded spaces, so we can see, to go from process creation to PowerShell to calling whoami, it's about 40,000 lines in procmon; it's amazing what Windows does under the hood. And even now, we're here at the very bottom where PowerShell is calling whoami, into the chain, the command line is still the padded spaces. So then I thought, easy, I'll just look for padded spaces; this is going to be an easy detection, not great, but why would I have 100 spaces at the end of a command line? Had a look in Windows, this is just the raw Windows log, had a look at this, yep, spaces are there. Had a look at the log when it came into the SIEM: spaces aren't there anymore. So most of the time when we're exporting the security logs out of Windows it'll be an XML format. I initially thought it was a problem with Windows, like in the 80s maybe they were saving space by removing trailing spaces; there's been stupider things done to save bytes of memory or bytes of disk. But it looks like it might just be an XML issue where it strips out the trailing spaces, which is actually an issue. So I did Google it the other day, and yeah, it looks like it's a problem with trailing spaces, which then affects logging because we can't see those when they come across into Sentinel or whatever SIEM you have. And that's what it looks like in the logs: powershell.exe ran, and our command line spoofer was the one that initiated that process, but all the spaces are gone. There's a good reason to use spaces as well; I'm not sure the author of the tool realized that they would be truncated, maybe they did, and that's why it works so well. The thing is, if we padded it with any other character it's still not really that detectable; you might know this tool had been used, but I don't even know what the detection would look like for X characters after a command line. It doesn't really work.

So why this came back onto our radar was a tool called MultiDump. I don't know if we got a bug bounty for this one, but whenever I read a GitHub repo that says "without triggering Defender alerts" or "EDR alerts" or something, big claim, I always have a look into them, excuse me, always have a look into them. Now MultiDump absolutely triggered Defender alerts. I think part of the problem is that the authors of these test on either the home version or the non-E5 version, and Defender XDR is completely different. Not that I encourage Microsoft to keep changing names, but the Defender name has a massive legacy, and Defender XDR is a completely different beast. So we like to have a look at these tools where they say they can bypass EDR and do something like dumping LSASS, and when we had a look at the source code a couple of classics popped up, which is the thread, the process, is created in a suspended state, and immediately I thought, oh, it looks like they're going to use command line spoofing, and that's exactly what this tool does; it bakes it in. The cool thing this tool does is it makes it look like a normal Windows operation. So we're using a classic rundll32 technique to create a minidump of LSASS, which is so easy to detect, EDR is going to do it, logs are going to do it, but the spoof command is the one at the bottom here, which is just made up: open optimization panel, clean up temp files, blah blah blah. At first glance it just looks like Windows doing Windows stuff, and it hides an LSASS dump. And that's the main thing about this tool:
EDR still detected this tool doing its LSASS dump, but when it reported what the process was that had run, it's incorrect. And WerFault is an absolute classic, and it will dump LSASS in a corporate environment more than zero times, and so for me personally my dummy command if I was trying to dump LSASS would be related to WerFault, and it would be really easy for an analyst or an EDR detection to be falsely attributed to "it's just WerFault again" or "it's just Windows doing something", when actually it's an attacker running a specific tool that's hiding the command. And here's, I couldn't get a great screenshot because it's too long, but here is MultiDump running and here is what Defender XDR logs as the process, the command line, and it's incorrect. So this affects EDR products because they rely on the way Windows logs, and I've yet to see an EDR, there may be one out there, that does its own logging on process creation events, but all the ones that we have tested are relying on Windows and report back the incorrect process. We can see here the dummy commands at the top, which is our "defrag all drives, optimize, blah blah blah", and at the bottom is the actual, very very common way to dump LSASS using rundll32. So I can absolutely see how this would potentially confuse, or put enough doubt in, or make it really difficult to work out: was it a user who did it, what were they trying to do, which command line is usually really, really good for.

So then we started doing our testing, and this was across both logging and EDR products, to see where we are 3 years later. What we did was create a number of composite commands. So for me, composite commands would be where PowerShell calls whoami, where cmd calls PowerShell calls whoami, the chain, to see where we can detect that. And then we have PowerShell, just straight PowerShell commands, and we see if we can detect those. And then we use built-in tools in Windows to see if we can detect the use of those. Bit of deception as well, we tried. So this is my environment, and I've just used Defender's Advanced Hunting with KQL to give me the top process command lines, and the top one, if you've ever looked at process creation logs you'll know this conhost one is just constant, it's just always there and makes up a huge amount. But what we really want is, we can't change the exe name in the spoof command, it does have to match, so we just want some very common parameters that are going to blend in, and so we can get them there. Now for an attacker who doesn't have access to these sorts of logs to go and pick out the parameters, we can just Google common services in Windows and have a look, or we just make it up. I mean there's so much in Windows you can hide just by pretending it's doing anything; an Edge update, a Teams update, doesn't really matter. So in the end as well I didn't even use any of those, I just made one up as well, so it wasn't that useful.

For a composite command, it's the whoami that we had a look at earlier. It's going to be PowerShell running an encoded command which is a whoami. The spoof string is going to be just PowerShell "MS Teams update", just something that looks Microsoft, and then we'll pad that out with our spaces again. So what we get in the logs is the fact that whoami was run, and that's what we're looking for. So in this case we are actually able to detect, even with command line spoofer running this command, we can detect what was run. We're missing the very middle step where PowerShell calls whoami, so it's still a little bit annoying, but ultimately we are able to detect the end result, which in this case is just a whoami. If we look at where our logging works here: with process creation alone we can't detect this; it would be whoami without the parameters. Now most of the time we're going to want parameters in detections, not just the process name. But when we turn on command line logging, and those are a combination that make the log much better, then we can detect it. The other way we can detect it is in PowerShell module logging, which are event ID 800s; they're not default either. So both the command line logging and the PowerShell module logging are not on by default. They're relatively easy in group policy to turn on, but neither are on by default. And when we have command line logging, as we've shown, we get so much data, and when we don't have it, in default, and this was my, I had to rebuild my domain controllers yesterday, we get nothing, absolutely nothing, it just doesn't even populate. And so if we just go back to this one, this is us running csc to compile code from hack.cs and run it inline, and it's really important to understand what parameters get passed to MSBuild or csc or jsc because it makes a huge difference as to whether it's likely suspicious or it's just normal Windows operating, when of course here all we can see is csc was run, which makes it really difficult. And once again, if you disable or don't configure the policy you don't get the command line, and the default is not configured. So it's definitely worth a check to see if command line logging is on in the environment, because without it the 4688s, the process creation logs in Windows, are almost worthless. It doesn't add a heap of extra processing, we get asked that all the time; if you're already logging the 4688s, adding the command line stuff is negligible, you wouldn't even notice.

We move on to the PowerShell commands now, so just running native PowerShell, not getting PowerShell to call anything else, and this is using cmdlets. So this is Add-MpPreference: we're attempting to exclude all exes from Windows Defender. It won't work when I run it, but if you had local admin, and under certain circumstances, you'd be able to add these exclusions and then Defender would honor them. And I was lazy so I used the same spoof command, but realistically if you were doing this you'd just change these up a bit, or keep them all the same so when you're searching you've got no idea; you might have five, ten of these, all the same commands, and they're all doing something different. So in this case in our
command line log we have the fact that CLS bsides po shell called MST teams update with poell and that's all we get for this one um so we can't really detect the use of the ad MP pref preference in command line logging for this one so process creation command line logging don't help us here but Powershell module logging does detect this so an attacker still can't run Powershell if we have po shell module logging on without um without us being able to see the full command which is which is really good um and this is what the 800 looks like uh it's it's a horrible log from a structural point of view so Microsoft just dump all the data here into this
data tag in XML and we can see in here that we get the full command um that was run we'll also get and we'll see it later but you'll get if something's encoded you'll get the actual real command that's run too so these are fantastic there are other P shell logging options around script block logging and things like that um but the 800s are are really good one of the problems with them is they will log the entire contents of the of a script if it's run um and so for some seams where you're paying for ingestion and have high volumes of Powershell usage they can be uh an absolute monstrous amount of of logs going in but they're really
useful um you can still bypass power shell logging by downgrading power shell po shell core logging is trash um so yeah use those if you don't want the 800s to be logged um but yeah if they are logged they're very very valuable so if we look at pure Powershell Windows security doesn't log it we don't get anything cismon nothing uh even if it's deployed has nothing uh logging wise in Powershell and Defender device logs have nothing in Powershell either only Powershell module loging will get us power shell logging which is slightly annoying I'd love it if it was in Defender uh but no not yet but it might be so back to Kerbal roasting so
We can use Rubeus to Kerberoast, and it's a one-liner, but Kerberoasting is actually really simple to do in PowerShell. This is a PowerShell encoded command, with me just encoding up a one-liner to Kerberoast a single account and get its hash. What happens is the 800 will execute the encoded command, and the 800 will be generated saying that encoded command was run, but then PowerShell needs to decode that command to run it, and you get the decoded command as well. This is where the size of PowerShell logs and their frequency starts to ramp up: you can see already that's quite a big log, and it's a very small script, it's a one-liner. You can imagine for some really big PowerShell scripts these logs can get very, very big. But we get, at the top there, the fully decoded PowerShell that ran, so we can detect on that for certain things. Kerberoasting, if done in this way, is quite difficult to detect on the command line; we go and grab logs from the domain controller instead for this.

On to built-in tools: something like netsh, and we go through some others, vssadmin, registry key changes, all those sorts of things are built-in tools. It means we can create the command like we have at the top, to add a firewall rule to the Windows Firewall, and then we can just add a spoof command as well with absolutely, like, just made-up stuff once again, and pad it out. The one requirement with this is if you're calling netsh in the malicious command, you need to use netsh as your spoofed command, because the PEB will hold the image of the process and the process name and the exe it's going to run, and those have to match. So you do get a little idea of what an attacker has used, because they can't do a malicious command of netsh but a spoof command of cmd or PowerShell or reg; those do need to match up. What we get here in the logs is the spoof command, and the spoof command alone, that's it, because this never touches PowerShell. That doesn't come into it, because it doesn't need to go and call something else; the process execution is one set, and so the PEB is wrong for the entire execution chain, and it will go and add that firewall rule in. So this we can't detect in logging. There are things: for something like registry changes you could use Sysmon and you'll see the registry change itself. There are often alternatives to just detecting in command line, but they often take way more effort to get that logging in place, and monitoring the entire... well, it's not that you monitor the entire registry in Windows; in Sysmon you need to pick the bits that you want to monitor, and it's almost a guarantee that you'll set all of your monitoring, a new tool will come out, and it will hit somewhere else in the registry.

So we have now a command which is using rundll32 to execute PowerShell inline, and this is where I thought: this will be cool, I reckon this will get past all the detections. What we'll do is I'll demo this one, because it's a really interesting one to go
through. So if you're on the red team or testing, these are great tools to abuse; I can't detect these. netsh: fiddle with the firewall, allow access in, allow access out, that sort of good stuff, if it's even on; a lot of orgs just turn the Windows Firewall off, so you don't even need to do this. certutil: first, certificate abuse. You can do a lot of the enumeration and the recon using certutil, and I can't see anything; I will just see that certutil was run and I have no idea what you did with it. You can actually execute stuff from the web using certutil as well, as well as encoding and decoding, which is a really common use for it. MSBuild: the possibilities here are kind of endless, because you can just use MSBuild to compile and execute code inline from a project file. We've seen a lot of tools do this, and I can't see anything; I just know that MSBuild was run, and MSBuild does run fairly often in a Windows environment, so picking out the one that was malicious could be really difficult. vssadmin: this is to create volume shadow copies, so just create a whole volume shadow copy of C:, exfil that, and then look at that to your heart's content, and I can't see any of this. Where we might get it is... actually no, not for vssadmin; it's really difficult to detect these if we hide them. And lucky last is registry modifications using reg. This is a classic: changing WDigest, then just waiting for a reboot, and then plaintext passwords are going to be stored back in LSASS again, kind of bypassing all the modern controls in LSASS to keep plaintext passwords out. The WDigest registry key is a classic, and as I said, what we'd do is we'd have Sysmon monitoring the key itself, but without Sysmon, setting registry monitoring up natively in Windows is extremely painful. So these are all great tools to abuse, and I can't detect them from a logging point of view.

I just threw this one in if anyone ever has a look at the slides later: this is where you create, or the settings for, turning on process creation, which will be on by default, but command line logging won't be, and PowerShell module logging won't be on by default either. The problem with PowerShell logging is neither Sysmon nor Defender XDR currently have any PowerShell. So if we go and deploy Sysmon everywhere, we need to deploy Sysmon and then keep it up to date if we want the new events; we also need a config file, and they're not
simple. There are a few good examples out there, ASD do have one, there are a few that are maintained well, but you need to specify what Sysmon is going to log; it's not the simplest of tasks to roll out. And then DeviceProcessEvents: if you're running Defender XDR you will get these into Advanced Hunting in Defender, but once again, if you're relying on those solely, they don't have any PowerShell logging at all, so you still need to bring in PowerShell logs if PowerShell logging is a concern.

EDR. This is where I thought there's a chance all the research is useless, because EDR will catch it every time. And nope. The first EDR summary is just encoding PowerShell to run whoami. We tested six, I have a seventh now, and they're top-tier EDRs. So the first three: no one got the file write, and I'm not too concerned about EDR getting the file write on something like this, because the code is pretty minimal and I could see the false positive rate would be quite high. The first three got the execution straight away, and this is with a command that is not malicious, and that's why we tested it: we wanted to know, does it get the technique? The underlying process starts suspended, I'm overriding memory, and I'm resuming that thread, and they got that; the first three got that with just a whoami. Then we did vssadmin, create a volume shadow copy for the C drive, once again not too malicious, but the way we're calling it is not very common, and it was the same set: the last three did nothing, I got my volume shadow copy for C created, and the first three knocked it off at execution, which I would expect, which is pretty cool. So we're at a 50% hit rate for the technique after three years. I expected them to do better, but I really wasn't surprised; EDR can't do everything, it's a layered approach here. The problem with it is, generally our fallback, our insurance, to EDR not doing something is logging, and this one affects the logs, so that's why it's such an interesting technique to me.

So we at Seamless have work-integrated learning students from Edith Cowan University with us for 10 weeks, and I ran through this with them just as a high-level overview of Command Line Spoofer, and one of the students decided they could probably do it better, and they kind of did. They wrote that over a weekend, like, way smarter than me, so I asked if I could add it; InvisRun is what they called it, and the GitHub repo will be linked in the slides. They just rewrote it completely, using a slightly different way to overwrite the memory and a slightly different way to do the padding, and it was a really unexpected result. So the first EDR killed this on file write now; we couldn't get around it, he tried a few different things and nothing worked. Number three EDR, which had been consistent in the other tests, knocked it off at the technique level, so I think that's a really strong detection, based on the technique itself, not strings, and not the file name, things like that. And then he managed to bypass EDR number two with this, so now I can run this to do testing around EDR where it doesn't fire, which is really cool. So he was pretty happy with being able to bypass an EDR product while he was with us, just by rewriting this and changing a few things. And yeah, it was Defender. So Defender is the only one that I have full access to and control of, and so Command Line Spoofer gets detected as Rozena malware and InvisRun v2 doesn't get detected at all in Defender XDR; it's in full remediation mode, I've got almost everything turned on, and it just doesn't detect it, which is interesting. And when I looked at Rozena, it's a Trojan family, and I think the detection even for Command Line Spoofer is probably pretty weak, and I think the usuals of stripping metadata and changing some function names may actually get Command Line Spoofer to work around Defender as well; we haven't looked into that yet. But yeah, I think any time I see a very generic detection on my side, I'm usually able to get around it pretty easily, and I don't put a lot of work into it because we have other boxes without EDR. I'm not an EDR evasion specialist; I try a few basic things and move on really quickly.

OK, do we have... yep, we've got time. Demo. So back to our demo system
here. What I wanted to show very quickly is what we can do here with our CLS Kerberoast and the netsh stuff, so I'll go and get the netsh stuff, which will be in notes. OK, so firstly what we're going to do is just have a look at... so we have one rule in there called "allow remote desktop hacker"; I just added those in earlier just to test. So we do have a rule; we can create multiples of the same rule, so that's not a problem. What I'll do is the usual way, where we would just go and get a command, copy, we run that, it says OK, we've now put a Windows Firewall rule in, and what we'll see, hopefully (close out our Rubeus alarm), hopefully we'll now see netsh usage come through, and it will give us the full command line. So we can do netsh, we can understand the direction of the rule, we can understand the ports and all that, and we can add that into the detection. So we've got here now "abnormal netsh usage", and we can see here the full command is passed out, nice and easy. But if we go and abuse CLS, there's a few in here, built-in tools, it'll go and do what it does, and we won't go and sit in the alarm panel because an alarm will never fire. We've successfully executed that one, and because it's a built-in tool the command line is the Teams update one, and I'll stay just for a sec; if it pops an alarm I'll be really surprised. But that's under the radar, and you can imagine, from an attacker's and a red teamer's point of view, being able to execute a heap of the discovery commands without ever triggering anything, even low-level detections, could be really useful. So you can run anything built in: registry queries just to find the state of that Windows machine, NS or nltest, any utils that you can use on the box to go and query Active Directory; you can kind of do this all without any log ever being generated. One of the things we do rely on is that lots of discovery commands are very abnormal for normal users, and all of that can be hidden away. It's one of the blind spots of EDR, and I understand why from a false positive point of view, but no EDR in the world's ever told me someone ran a whoami, and I wouldn't expect it to either; it's just too... you need too much context, and it would be too false-positive prone for an EDR piece of software to do that. But that will never trigger an alarm now.

So what we can also do is run CLS Kerberos, which has the encoded PowerShell to do our Kerberoasting for us. So you can see there, that's the encoded command, and if it ran... yep, there's the Kerberoast, yep, it's 11:48, there's the ticket. So, Kerberoasting: we just pulled the PowerShell out of Empire to do Kerberoasting, tweaked it a little bit, and we're able to Kerberoast in PowerShell. The interesting thing is Defender for Identity doesn't pick this up when you do a single account; I think it's more looking for where you do every account, or you do high-privileged accounts like DAs, but doing single accounts I've never been detected in Defender for Identity. And then of course we don't get a command line detection, but what we might get... fortunately, this one is actually related. What happens when we run that Kerberoasting is PowerShell needs to import a particular .NET library, or assembly name, and you can see it there, it's called System.IdentityModel. So we have a detection (sorry, that highlighted it all), but System.IdentityModel is quite unique for a normal user to have in a PowerShell script. There may be other ways to Kerberoast without needing to import that, and that's how we can get that. We also have the other detection that we saw earlier, which is looking for honeypot accounts, domain admins, high-privileged accounts being Kerberoasted, because it's quite easy to see, but it won't fire again because the ticket is actually cached on that machine; we could purge it using klist and go on from there. But as you can see, it's really limited what we can detect on, and the Add-Type usage in PowerShell is a good indicator, but it's not as high-confidence as some of the other indicators we'd have if we had full command line logging.

So, more than happy after to go through any more of the demos. All of those EXEs will be in the GitHub repository as well, and you can always dotPeek them. Actually, I've got that here, so you can always dotPeek them because they're .NET, and this is the dotPeek view of a .NET EXE, and you can see my command in there is the PowerShell encoded command. So if you're ever on a GitHub repository that only has a releases page, or you can't be bothered compiling the source code and it's .NET, you can just reverse it in dotPeek and have a look.

see any
So, logging fixes. Ultimately it's a logging problem. EDR is sitting at that 50%; I've got one more to test and I'm not confident, so really it needs to be fixed at the logging stage. So I added Mark Russinovich, who authored the Sysinternals tools and is quite high up in Microsoft, and I said: any chance you could log the flags? Because if we can see the process creation is logged in a suspended state, then there's a chance that it's a nice thread to pull on to understand someone's using this technique. He actually responded, I was really surprised, and he said that process tampering will detect the manipulations and you can go and detect it that way. And I didn't know how to respond without sounding like a dick, but it doesn't work. It doesn't, because I can get that event to trigger and it does not trigger on command line spoofing. And then he ghosted me, he didn't want to talk anymore. So Sysmon still doesn't log the flags, which I think it could, but I don't know the inner workings of Sysmon.

So we submitted to MSRC, this is where you submit for bug bounties and things like that, because MultiDump used it and it was able to dump LSASS successfully even on some systems with EDRs (fixed now). And so we said, look, we're running this tool and it is outputting an incorrect log in Windows, and I got the absolute classic; I got two out of the three. I did get "it doesn't cross a security boundary", but I got "it doesn't meet the current bar for immediate servicing", and this was in February this year. So they have admitted the PoC appears... they always use wishy-washy terms: it appears valid. It is valid, but it "appears valid", but it doesn't meet the bar for servicing. So it's still in Windows; go spin up a Server 22 (25 might be out now) and it will work on this, and logging's off by default. So we've got a nice little mixture of elements that mean there'll be a non-zero amount of organisations who don't have the logging, and then this would be used and you can't see anything at all; even the composite ones won't log properly.

So where we're at today with this: EDR coverage is mixed. The top three got all the techniques, that's fine, and they got the new version, InvisRun, except for Defender in the middle, which we bypassed. So EDR coverage isn't complete, and it really isn't, and I think even the EDR vendors will admit that they're not there to do everything, but there's a bit of a gap there, because the logs, the insurance, don't work either; the detections aren't there. So for the most part we're relying on the composites, the PowerShell logs, the other artifacts that come after the process creation, because that process creation log is wrong 100% of the time using this technique. I think this will help: maybe attacker mistakes. I think, based on our testing, it would be common for an attacker, maybe, I'm hoping, to just think they can hide any command in Command Line Spoofer and no matter what they put in there it will be hidden, and as we've seen it's not the case. There are certain combinations that are completely hidden, but for most of the combinations we would have a detection opportunity. So I'm hoping that attackers stuff up and do silly things in command line spoofing and we can get them there. But none of these are ideal. The ideal would be a fix: making sure that whatever's run out of that memory location matches the PEB at any point would stop this. I don't know the inner workings of the OS, of Windows, but it does seem to me, purely just from a programmatic point of view, this could probably be fixed, but like anything with Microsoft it would probably break something that was coded in the '80s. And I haven't heard back from MSRC on this.

So really, at the end of the day, today it's still a relevant technique, it can still hide what an attacker is doing, it's very effective, and if I was on a testing engagement I'd be using it. So that's the end of my preso. I just want to thank Canberra BSides for having me present here, and all of you for attending the talk today. If there's any questions...
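Editor's added example, not the speaker's tool or code: a small Python triage script that runs over constructed sample records shaped like Security 4688 process-creation events and Windows PowerShell Event ID 800 module-logging events. It decodes -EncodedCommand payloads (UTF-16LE, base64), flags the indicators the talk discusses (Add-MpPreference exclusions, System.IdentityModel Kerberoasting, the WDigest UseLogonCredential key, netsh firewall rule additions, vssadmin shadow copies), and compares the 4688 command line with the command line the PowerShell host itself reported in the 800 record, so a spoofed process-creation log shows up as a mismatch. The field names, PIDs, user path and SPN are constructed for the example, and joining 4688 to 800 on a process ID is an assumption about how your SIEM correlates the two sources. The sample set also includes a spoofed netsh process that, as the talk says, leaves nothing to detect.

```python
import base64
import re
from dataclasses import dataclass

# Indicators the talk calls out, matched case-insensitively over raw and decoded command text.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion", re.I),
    "kerberoast_identitymodel": re.compile(r"System\.IdentityModel|KerberosRequestorSecurityToken", re.I),
    "wdigest_cleartext": re.compile(r"WDigest.*UseLogonCredential", re.I),
    "firewall_rule_add": re.compile(r"\bnetsh\b.*advfirewall.*\badd\s+rule\b", re.I),
    "shadow_copy": re.compile(r"\bvssadmin\b.*create\s+shadow", re.I),
}

@dataclass
class ProcessCreation:
    """Security 4688 as a SIEM might present it (constructed shape, not a real schema)."""
    pid: int
    image: str
    command_line: str

@dataclass
class ModuleLog:
    """Windows PowerShell 800 (constructed shape). host_application is the command line
    as the PowerShell host itself reported it; pipeline is the command that actually ran."""
    pid: int
    host_application: str
    pipeline: str

def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def extract_encoded(cmdline: str):
    """Return the base64 blob following -EncodedCommand or any prefix of it (-e, -ec, -enc, ...)."""
    for m in re.finditer(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag.startswith("e") and "encodedcommand".startswith(flag):
            return blob
    return None

def decode_encoded_command(blob: str):
    """Decode an -EncodedCommand blob; None if it is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def normalize(cmdline: str) -> str:
    """Loose comparison form: lower-case, quotes stripped, whitespace collapsed."""
    return " ".join(cmdline.lower().replace('"', "").replace("'", "").split())

def indicators_in(*texts) -> set:
    """Indicator names matching any of the texts, looking inside encoded commands too."""
    hits = set()
    for text in texts:
        blob = extract_encoded(text)
        decoded = decode_encoded_command(blob) if blob else None
        for name, rx in INDICATORS.items():
            if rx.search(text) or (decoded and rx.search(decoded)):
                hits.add(name)
    return hits

def analyse(creations, module_logs):
    """Return sorted (pid, reason) findings; the reason says which log produced it."""
    findings = set()
    by_pid = {c.pid: c for c in creations}
    for c in creations:
        for name in indicators_in(c.command_line):
            findings.add((c.pid, "4688:" + name))
    for m in module_logs:
        c = by_pid.get(m.pid)
        # The 800 record carries the command line PowerShell actually started with. If the
        # 4688 record for the same process says something else, the creation log was spoofed.
        if c and normalize(c.command_line) != normalize(m.host_application):
            findings.add((m.pid, "800:cmdline_mismatch_with_4688"))
        for name in indicators_in(m.host_application, m.pipeline):
            findings.add((m.pid, "800:" + name))
    return sorted(findings)

# Constructed sample events. PIDs, the user path and the SPN are made up for this example.
SPOOF = ('powershell.exe -NoProfile -Command "& C:\\Users\\alice\\AppData\\Local\\Microsoft'
         '\\Teams\\Update.exe --processStart Teams.exe"')
EXCLUDE = "Add-MpPreference -ExclusionExtension exe"
KERBEROAST = ("Add-Type -AssemblyName System.IdentityModel; "
              "New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken "
              "-ArgumentList 'MSSQLSvc/sql01.corp.example:1433'")
CREATIONS = [
    ProcessCreation(1001, "netsh.exe", 'netsh advfirewall firewall add rule name="RDP" '
                                       "dir=in action=allow protocol=TCP localport=3389"),
    ProcessCreation(1002, "netsh.exe", "netsh interface show interface"),  # spoofed: real args never logged
    ProcessCreation(1003, "powershell.exe", SPOOF),  # spoofed; real command only in the 800 below
    ProcessCreation(1004, "powershell.exe", SPOOF),  # spoofed; real command only in the 800 below
    ProcessCreation(1005, "reg.exe", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders"
                                     r"\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"),
]
MODULE_LOGS = [
    ModuleLog(1003, "powershell.exe -enc " + encode_command(EXCLUDE), EXCLUDE),
    ModuleLog(1004, "powershell.exe -EncodedCommand " + encode_command(KERBEROAST), KERBEROAST),
]

if __name__ == "__main__":
    for pid, reason in analyse(CREATIONS, MODULE_LOGS):
        print(pid, reason)
```

The spoofed netsh process (PID 1002) produces no finding at all, which is the blind spot the talk describes for built-in tools; the two spoofed PowerShell processes are caught only because module logging exists and disagrees with the 4688 record, so feed both sources into analyse() rather than process-creation events alone.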