Detect persistence

Velociraptor Persistence Exercise

1. Introduction and Tasks

Scheduled tasks are used to schedule the launch of programs or scripts. But adversaries also use them to persist themselves after they initially access the target system. In this challenge, you will solve tasks to detect malicious scheduled tasks using Velociraptor.

In the previous challenge Lateral Movement we found that the adversary used PsExec and Mimikatz to become Domain Administrator. Before doing that the adversary persists himself, because he wants to regain access, when he loses the connection to the target. Now you are going to solve some tasks to check what persistence mechanism the adversary used.

1. Write an Artifact that displays events containing Windows event ID 4698. Include the rows TaskName and LogonTime.

2. Do a temporal correlation with the results from task 1 and the result from task 1 in the challenge Lateral movement. Can you detect a relation between the two results? Which task could therefore be the malicious one?

3. Find more information about the malicious scheduled task you found in task 2 by using a built in Artifact from Velociraptor. Specifically, find out what is executed when the scheduled task is run.

4. Besides the one from tasks 1-3, the adversary used another technique for persistence. You might

2. Windows EventID 4698

If a sheduled task was created we will also find a log with EventID 4698

Let's modify and create an artifact for this

name: Custom.Windows.EventLogs.AlternateLogon4698
description: |
  Logon specifying alternate credentials - if NLA enabled on
  destination Current logged-on User Name Alternate User Name
  Destination Host Name/IP Process Name

reference:
  - https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: securityLogFile
    default: C:/Windows/System32/Winevt/Logs/Security.evtx

sources:
  - queries:
      - SELECT EventData.IpAddress AS IpAddress,
               EventData.IpPort AS Port,
               EventData.ProcessName AS ProcessName,
               EventData.SubjectUserSid AS SubjectUserSid,
               EventData.SubjectUserName AS SubjectUserName,
               EventData.TargetUserName AS TargetUserName,
               EventData.TargetServerName AS TargetServerName,
               timestamp(epoch=System.TimeCreated.SystemTime ) as Time
        FROM parse_evtx(filename=securityLogFile)
        WHERE System.EventID.Value = 4698
        ORDER BY Time

Ladmin did create a sheduled task on FS1:

Timestamp: 2022-05-25T20:15:29.66072154Z

3. Correlation

I did use the built in artifact windows.system.tasksheduler and windows.eventlogs.sheduledtasks to get further informations about this event.

If I compare the timestamps with the last exercise they are very close to each other:

Psexec was executed: 2022-05-25T20:15:28 Sheduled Task was created: 2022-05-25T20:15:29 Mimikatz was executed: 2022-05-25T20:15:32

4. Further techniques

I guess the attacker did create a new Domainadmin:

I did check EventID 4720 against the DC and there we can see that the compromised user ffast did create a new user qwert which has domain admin privileges!