From 3fae5dbef680a4b25152d721d315fdf14aabab9a Mon Sep 17 00:00:00 2001
From: Joshua Wright
Date: Mon, 14 Sep 2020 16:37:59 -0400
Subject: [PATCH] Update to catch services.exe DAC permission change to hide services
---
 DeepBlue.ps1 | 55 ++++++++++++++++++++++++++++++++++++++---
 evtx/eventlog-dac.evtx | Bin 0 -> 69632 bytes
 2 files changed, 51 insertions(+), 4 deletions(-)
 create mode 100755 evtx/eventlog-dac.evtx
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 77c0ca5..bb26c51 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -178,11 +178,11 @@ function Main {
 # Write-Output($obj)
 # }
 }
- ElseIf ($event.id -eq 4720){
+ ElseIf ($event.id -eq 4720){
 # A user account was created.
 $username=$eventXML.Event.EventData.Data[0]."#text"
 $securityid=$eventXML.Event.EventData.Data[2]."#text"
- $obj.Message = "New User Created"
+ $obj.Message = "New User Created"
 $obj.Results = "Username: $username`n"
 $obj.Results += "User SID: $securityid`n"
 Write-Output $obj
@@ -216,7 +216,7 @@ function Main {
 }
 Else{
 $failedlogons.Set_Item($username,1)
- $totalfailedaccounts+=1
+ $totalfailedaccounts+=1
 }
 }
 ElseIf($event.id -eq 4673){
@@ -235,6 +235,53 @@ function Main {
 Write-Output $obj
 }
 }
+ ElseIf($event.id -eq 4674){
+ # An operation was attempted on a privileged object.
+ if ($event.Message){
+ # Message is a blob of text that looks like this:
+ #########################################################
+ # An operation was attempted on a privileged object.
+ #
+ # Subject:
+ # Security ID: SEC504STUDENT\Sec504
+ # Account Name: Sec504
+ # Account Domain: SEC504STUDENT
+ # Logon ID:
+ #
+ # Object:
+ # Object Server: SC Manager
+ # Object Type: SERVICE OBJECT
+ # Object Name: nginx
+ # Object Handle:
+ #
+ # Process Information:
+ # Process ID: 0x21c
+ # Process Name: C:\Windows\System32\services.exe
+ #
+ # Requested Operation:
+ # Desired Access: WRITE_DAC
+ #
+ # Privileges: SeSecurityPrivilege
+ $array = $event.message -split '\n' # Split each line of the message into an array
+ $text = $array[0]
+ $application = Remove-Spaces($array[3])
+ $user = Remove-Spaces(($array[4] -split ':')[1])
+ $service = Remove-Spaces(($array[11] -split ':')[1])
+ $application = Remove-Spaces(($array[16] -split ': ')[1])
+ $accessreq = Remove-Spaces(($array[19] -split ':')[1])
+
+ if ($application.ToUpper() -Eq "C:\WINDOWS\SYSTEM32\SERVICES.EXE" `
+ -And $accessreq.ToUpper() -Match "WRITE_DAC") {
+ $obj.Message="Possible Hidden Service Attempt"
+ $obj.Command = ""
+ $obj.Results = "User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view.`n"
+ $obj.Results += "User: $user`n"
+ $obj.Results += "Target service: $service`n"
+ $obj.Results += "Desired Access: $accessreq`n"
+ Write-Output $obj
+ }
+ }
+ }
 ElseIf($event.id -eq 4648){
 # A logon was attempted using explicit credentials.
 $username=$eventXML.Event.EventData.Data[1]."#text"
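Review bot: `$application` is assigned twice in the new 4674 branch — the first assignment from `$array[3]` (the `Subject:` header line of the sample message) is dead because the `$array[16]` assignment overwrites it, and `$text = $array[0]` is never read, so both lines can be dropped. The detection keys on fixed line positions in the rendered message text, so a different message-DLL version, locale, or a `Desired Access` list that spans more than one line would shift the indexes and silently skip the alert; the neighbouring branches read `$eventXML.Event.EventData.Data[n]."#text"`, and 4674 should expose the same subject, object name, process name and access mask as named EventData fields (the mask there is numeric rather than the rendered `WRITE_DAC` text, so it would need a bit-mask compare), which is the more stable source and can be checked against the `evtx/eventlog-dac.evtx` sample this commit adds. `.ToUpper()` before `-Eq` and `-Match` is redundant because both operators are case-insensitive by default in PowerShell, and the Results string has a typo: `sevice` should read `service`. Main's body starts and ends outside this hunk.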
@@ -587,7 +634,7 @@ function Create-Filter($file, $logname)
 # Return the Get-Winevent filter
 #
 $sys_events="7030,7036,7045,7040,104"
- $sec_events="4688,4672,4720,4728,4732,4756,4625,4673,4648,1102"
+ $sec_events="4688,4672,4720,4728,4732,4756,4625,4673,4674,4648,1102"
 $app_events="2"
 $applocker_events="8003,8004,8006,8007"
 $powershell_events="4103,4104"
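Review bot: Adding 4674 to `$sec_events` pulls every "operation attempted on a privileged object" record through `Get-WinEvent` and into the per-event string parsing in Main, and 4674 is typically one of the highest-volume Security events when Sensitive Privilege Use auditing is enabled, so large logs may get noticeably slower. If the filter builder can express it, narrowing at the query level (an XPath or FilterHashtable clause on the object type or access mask) would be cheaper than discarding non-service events after the fact. Either way a comment on this line would help the next reader, e.g. `# 4674 can be very noisy (Sensitive Privilege Use); Main keeps only services.exe WRITE_DAC requests`. Create-Filter begins before this hunk.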
diff --git a/evtx/eventlog-dac.evtx b/evtx/eventlog-dac.evtx new file mode 100755 index 0000000000000000000000000000000000000000..d6b125b79c0e7770b2c13fa15bdf4407fb8828f5 GIT binary patch literal 69632 zcmeI5349IL_rULac`uu+mKH^$f}kQ2AwkGaBw`D#UqeM!5)oMlO4C$+N)@Hn+WuM< zYF|pxDr*0wC}P*vR@IiDwY0_moSA#_UM4U7Jx?+b^Cq9k%$u1z_sqH9d(OFc?tL#L zB_VWBN<5P;)%k%O*s7QXV@@jRB~ShN?%9zSp86){8<;g<)__?9W(}A%VAgIbQfe}^@x`SY-%3B{!14UHj4f)<*rnkEm*ChHe!LCb6PNAq`Mz4*uPu=)UN3DEcotl`!nM&LV_V5{;kmr3_}}!U z5!|~I=tsIZaasG=>dp*lqua;5rcD|1fa|EdTW)h2w`5|W%2B0acB<{aT+hI}*%iIVelk)RlwuNez1!Vh|3l`Eem18Sv*T+necf$td@iM$!(5Wmd%E+ z6gZgyC$uVWmIRk&vNYC~wSd1277It>;hGrOcZcmDIFinW!l$7u0j_k1&qLvO3pN7I zrNY*edB9&Q*z;gM@ISsN`;20r)T+mi6ZFb$Xp|-E#YV!NGld)(Q^UiY0=cL}Z;rNR z-G$tTLtb%kRXUvg0@hH1F?@!GMS`$H;3Pg!ZPvAf$j#Ynf~avI_z1|Zxt@kn;8-HF zoWvPwQbWT!u`D4syj>$U8lF0qwPxOsKmPeZ@;LY$567FsQ~SccC+zt!FF5WEdw9+p z(j>sv7q;=NC0ysj#xRQj3lNX7KY4C&c(_zJr*^2qG#X&69()5{h6bJVc!E7-|PCtD%8n?+%wb1IM_un_LAl9VC=#5L_A$ z0w5xBa86JU)?#G3{b<`_1W_VTk0o=qP}u^lI$IWMVXvp{o^V4H86^=luXeCywkS&; zBqD>f_*NAbBwU7aqzICbTBG5*&^=se+ncs50PdIxf+MY&@TB5>9jut6lb-j~{#D^K--bE+85NSH=KHse;^4zFL(v=pFT! 
z1-B5NRRak-K*B;uhy~d$)ml*85I_Tk73(e}wdYB_1*6dmPGx}>M0`Zets3k zF3#aeMN1#OsQ*Ut7r5_Vt1!xXXY&7b&bxGSAyiy$>8Hakxxf_x4p4v5dWAv}q<{i~ zg#R%@sbXDu8&<*gYgO$)7=1gB_B|Dnp^ZZOYpSgmeE=C&ecLY@RMe-HuV zH}v=~ff(rVF$@#@x`P8#2_D(O5sjb)dlAl{@kDh9zOk71!|)2dUy+x?1L)<{4&0;R z0W^C>{tFMF|0?oScmO?Bkv~FV(2NOLqQ4=Jf>&a6T;wfKeDoHA_-KKP?7f4%Xv6Ue zwBf=PXr~>>7K;|w2`q|ean%k^B8IMT0Qoh-UgBNRUJ8<;Rdf*SpMx`4HX%z>4O=LH z?8F>lRWUD3eaMD+1!8Wnxa3fz3QA)+FEDnA44N_Vm(+PQ2QP?T09^@I%tY33=D4Wr zsE@*yZ0XR>!fltmG=*q3EjPV?ghFrJZ_sRc-@T`9S?}Ckckdp+3$Fr;umyIpWrIs_ zE;>;RdN4rNa|J+R2%N{34wlixp&Grj4dIL>#++J})Fu=+V50egdwKJFHP)s4Up7p% zV35|Ar){Q7Ym6CF+oKVK^jGH5;Z)D==@uw+PKE#AK+zkdVW{q2Q7N(|@Fzb3*O0eqsvRNLE#>6-9#SjoA@ zN(NvknXM>UbAG)L#E3*ykpyhIXRiWzXuzwK^e)w*Qr3YLV-fT=HDTL`@B72H?7UAe z@J=q!Y{7sbM$kbz_^%L%V*7v>41zruDCZatlH$ZwWmpIP8MokManV+Te-U5{ zg20;7G6!rmN%?{*S(N19V zU2J}qv>Oq%1*wd-8!ZFFIuYVVa)NF#WKvpk|KDg;vJaio3Nu2ON_jV3%tP49T%I7=)bW)TI>Zz zFQ*@GMnGxD2tB+Q1!KwMSzT)jEe^^ccFnr6CPMlsI5N;cYr`K9!NpkSQiR;G(^tn^ z6mo{V4S+3Yn0f5&{CD~B)>|d|FI{f|@r}G;Z^17W!5j4!RND5`vPtWnrS=qmF^F7| zJ>%WHZ27>R<;Yh_dqzByJ-b#Bd{KLf;v=&?leXo{!k(p&J;N=k8kgxmjxmM6R`D{sU%@%EdUx963&A^N<*n_^-4sN>?7 zWVLUcZ{qEDGjGo;ZyCfJ#&H-LQ~ZKs+N~NznehQ4xHZ+Xr&=cT^>NhFcf`A}njGN4`>i_N*jt z#5eKwUo&sdtN%>b=gpDxrs_S!RZiZBZ{!X8*KV45dtQ0VBHkF-Hz&^9sG}p_EI;1v zvf}R}opOk8;_X&N^ClgAN$;uY{ekeFT6_!l6eBX<;3F~(zpE~-7yk|v6fVa0;%C4p z0Yh(&w8vD8`Paa5r}v8D&}0~W7yd>@`IUdk_lm?DmOqYPxn0raZ|Hq=<#?}HX5$p_ zJu`CgIur^YXvC`C9B2X;IO?;s;qLmQLOWUrcA@pxJUf>h;_#!s+OSV1GS=r`xGhxq zgKTSHy;BjKc-Ngeh9+L&{?rccJ+=Npho+vbVTseL_&BH9u#2NaOC9Hg6JgSY5pcR; z>$derPBRBS;6hcK zH{S~SE0D2%akwp1O@a_68`j%26o#kKqE9hqEh*^S9be>n6Th}&E32De;;tX!I=NX z)P{N5fJyg51c<>2V*Zm_b~3oj-B`<&2RFG zhyL(!9~{GaI2*QixVG{)c*miC)zw3EXolW<7B5E}$yj_ko1t>_g>uB0*;B6^DMyGo z+Xli-7uo;V4!6f3(@U_DWW`47n67;}%F%L1m52{I!gIoc`;oElM16kLW$TTD4s}tL zJU&2`3+0GL2$um+N)TgWd0@FTx|un;g2WbvmQ{o}2L@*qo% zB$>MM)UT|daYrA*C|*QxB0MUZ7dP0Zz>4^aUX8|^XTaEheeW0z<7U45co6(q?=&dX+~)O#u0Nr7`n=0+KdIIjdex|`@$LpDZ4^C@d?B+VTpo; z8NytO=5uDiz8lP4@PS;Kz|(aC!;14gaV| 
zlz6w`q8xC7Ab!(=ILgxxu5*XB=f8l20Iv!47QHBK$Yr@$Fd@o=Oi95e1- zIC35H6rZgT=nMOSq*8c5?jCT@;+jhna!rQ(aQWHYDo5CXe~%>#9WQ-L3B)T@1$i|8 z0s9^Q;P&FPc+>2KadAftmFVA~xkz&QQ;yO~LH2?qt3+|fLl^tPJor){^l#|b$X?(+ z+Jq78NtLBakzSr|xs!CidQAl7BLeH$(9hG2fh_`3TKb$+|nBz*I*3)>3w z*N;Z~cokNXOu_M#R5i~|JSFAb98W#3@l*?zpdU~D$?ZiA+kGb43*-Eop?HdNlvWC| z7bKZEo~pop1*u&y)(`69DQJ;VJoO{QRey2b3VIwUN8aA$@wn-&4Vwim^|T4AJLg^-W2uwBHw(WJF%h}O_QC+@&-$D5z2}>QCh=`t{AFQL zvOkM*e5+%)$Ggtf{{K$9^HrnVec5DBNwP{De-Y!R_Gd{|Q+B*mZ2d4tYtL)6CiLT? zT|xV@2<*&5ZePw`(qxt2`<)=}KlS^+C`V}}Li=I|FMCL`N*u3|eKD>7OF4d47u^Xl z2Xcvgq91%j{_hp5a^%xce7A?^SQ?)snK{0Lm`nQhPG0{trhS_lJvRN?CI48hpY9C3 z-TK*$?}RaR`tjXk&iC+qYm@jkJ-(wH`)pZwe`nXFL0jgo@6vl=%^qZbNiqe;cT&|< z*7#0ZKg{vn^BUg?C95Cb(HG=ww6ihEz8KdZXDGg-9Ho^A?F)|IA<4|~9lYx{b(Boy z@Uy!3PWagkitpSYzEklpaN2Zj=#=tnf9z)^$Cpu#BU1tm zvPv4?;XEPizr%66{;=X$oKWan!?C0;FfIgtIV2U{bPfgj;-EHejP^b6as5K*rnw7R z|CI1j_0nUg(!UXt#(x$6brQqhX=`{!(0f8Sgd^2FSsUa7+X1h`R!y87N-IZB9&k>M zfWr9VzlrBq8Yd)KC9-4DEkA#>a*+6dxSv~NK!4l4@hjWE`uf9}aF~w|od~-$&bJ}# z<2c`9-vB!p=owh_qXRh7SC}zUpI?h3Hu;!fEqs$DUMtRDP%%fG>w$Aa@SeryhTwP1 z^%STaB8)jogm0QwGiw+@Yyp=O)lW*ZSe(8v(#VT>Ay3HFY}i_Gt`;v%H;F6b;_r5< zlKrccV|K4oKb>w_7_w&OjiqZNPQ8Qn2j6d#WR*DnrqUV!)yb6cf>PByiT#qsxCy}3 zKmYs_UO_(srTYO8d>@f2{8ABqhwfmwM*NMMvK^IXTV=$;?Z_i>so`91U?xFbn z68YaN;H(sHXo;Bm{(fdxpKIHC9t@u4w)NUOu2*x7rLOGy>-1-;7@m!igOeo0`GxxZ zyK6Y#e_z>d65q!8aYOI#DaY6Yoqx~Fd?jGY#m^%SE&Mc*>?uiBiTyY+ZtDAcscOoO zmnZ9&DeL+njeX6tSDu&ID?(N z9I)19!gTlW-##*yyR!4w#>RKTTtfZ$ZawEabjwbY_%=PhqZ~)>4!N107#Ticbzs7u z7n`M`{SAhdBvWvFCsj?^@gi@0C#@gm`0jaqe=p3V*N^WuaQiamfob-|^!Sc)lvX0L zFC>{czLV|!eMR|MU3_QD;5`n-ci1nyk@J}_sM~jr(0lu&{ddOsKSS@&D98D0zUc7v zs1Xs1`uClF_`w_Fsr^BcRbv15wC~TPs`;n)6uzCm-LvYRHgZkU{2hT=`+t%8m}mU` z8FH!r{_G3RrR#`WUe2;|Njaw7@@e?TR3U@oPqQ4p7#IG5v6 zX3VK7E0>hx+wS55K(`4Ydmjwmac2c`InIVLl1#x|N>!sEF2CelzCZqSTn$;dq#Rf8JQ`9^Dfp7*aMRftQHOu<}ARihv-zv5hWX`A?0ZCSab z96g(!3b^R)(0S#Ad3KjxJUWv6I7y~pE~Tnb5SL$bE+gC9#?+COOUm(Lw<(SOrc zv7d+}Q!tlO)hLL|Z#b9ZeY?N_Z~5cQ$QNrCki8_y6wIYmH45T#C+BkGp&5VF 
zmz7J(aYNPFM{iti8=BwPxnrBw(;ASyB*_%arBpQv;&K<~vSEGiehp;hl5%W1ZJ3`` zR_D-_K_g-YB!$ExmpK2FBvUY#Qq?Gk%WpZCXQ!Op=_)Iil;gFe9>cB-+8Ocw>;l#B zvGbD2kCS8y=2EH}1#!8XbJ_deNVi6^a!EO^d$0ZNZA(&vrVgyJFYhPYpU7U4WD4d| zsu~4xxrcLEZ)NStjb-JMa=dpeq~EzYi^JA@f3NDN)h`_+E=e*4b17Agg1Fqvx%4`_ z{kEH|TvCp8HXVDndj2mFvv*}J`LIi;S;QqtreH3ms!!~pt)>Rg+TY|rTIz@#^5Z0# zg1MBcMnPO245p0LhIZjdr6Whm`kZ@6vSl#=kos!P3+xLRxT;W zy;laT@LKv_m+`}9?1(!vb0cv{k|~%=scIC&<#(LR$32^G^^}!M%JJ*BzRd2fo!)7> zM~7cW?OUNGE=e*4b17Agg19`yxeRhk_@I@nTvCpW0>2%8Ft%aX^n}O>nWuXRDhV~NsiAXX9b17Ag zg19`wxqPF}ve(iucth=$7 z>)ha_VQXzZwtDl|=@*Ghl1#x|N>!sEE{}087rosvOI|K1$D3<=wSO4bEa0Q$q`TvX zznn$!B}t}WE~Tnb5SPa}mmlPxk(o=%aoV6Mqs}a0p|k3}B$;T5u5<6Y2fplmcnflg?QxP!!CXpJqaZF%axVY+k9vf>_L6eEcXhx2ddoLM zzG~XtW?VjI3u~$ zT;h@>Q!tlO)hLL|^PEe&`731Rl5*VVu_Lzijr$?X)2_D;&)s~N;!BcD!CXpJqaZGS z;9OR!sEE`Q=&S|1tpmb~_oavZSrgx&Tlb33oO zf2YR@&ra7Uz9h*M%%xN{3gYqt=W_gx8e`<;l5%u)JN0UIOk9^~0oQAV{t?oHxFpFG z%%xN{3gYr2=Q4M}^$+Fcl5+gB{o%nAk1h$!_jz>o_Xp9